0d9fbf7f23b3ea7ae568bfed75ce71fc24d94ad946247fe81c441b69c432c829

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38ddee6fcf88ad42e95b57adb67a5e40_NeikiAnalytics.exe
Size

996KB
MD5

38ddee6fcf88ad42e95b57adb67a5e40
SHA1

ebbb01ee3ac322938fdb58d9b0dedfc6830eaa03
SHA256

0d9fbf7f23b3ea7ae568bfed75ce71fc24d94ad946247fe81c441b69c432c829
SHA512

e62a5f07c161aafe74501adf354063e0c4175a4514814cbb2824175ea8a53fb422de092203f9ccb15d39364b8edc233ad442d5cfa92483064edb0c68e8e7d5c8
SSDEEP

6144:yuj8NDF3OR9/Qe2HdklrSqjzQtJo3FCPDKjslq:NOF3ORK3d9QzQtJo3FCPDKjslq

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 16 IoCs

pid	Process
4968	casino_extensions.exe
4600	Casino_ext.exe
424	casino_extensions.exe
4316	Casino_ext.exe
3136	casino_extensions.exe
1432	Casino_ext.exe
1440	LiveMessageCenter.exe
2056	casino_extensions.exe
2460	Casino_ext.exe
4560	casino_extensions.exe
3880	Casino_ext.exe
1696	casino_extensions.exe
744	Casino_ext.exe
3460	LiveMessageCenter.exe
4008	casino_extensions.exe
3872	Casino_ext.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\LiveMessageCenter.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File created	C:\Program Files (x86)\Internet Explorer\$$202803s.bat	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	LiveMessageCenter.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4600	Casino_ext.exe
4600	Casino_ext.exe
4316	Casino_ext.exe
4316	Casino_ext.exe
1432	Casino_ext.exe
1432	Casino_ext.exe
1440	LiveMessageCenter.exe
1440	LiveMessageCenter.exe
2460	Casino_ext.exe
2460	Casino_ext.exe
3880	Casino_ext.exe
3880	Casino_ext.exe
744	Casino_ext.exe
744	Casino_ext.exe
3460	LiveMessageCenter.exe
3460	LiveMessageCenter.exe
3872	Casino_ext.exe
3872	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3664	38ddee6fcf88ad42e95b57adb67a5e40_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3664 wrote to memory of 3360	3664	38ddee6fcf88ad42e95b57adb67a5e40_NeikiAnalytics.exe	82
PID 3664 wrote to memory of 3360	3664	38ddee6fcf88ad42e95b57adb67a5e40_NeikiAnalytics.exe	82
PID 3664 wrote to memory of 3360	3664	38ddee6fcf88ad42e95b57adb67a5e40_NeikiAnalytics.exe	82
PID 3360 wrote to memory of 4968	3360	casino_extensions.exe	83
PID 3360 wrote to memory of 4968	3360	casino_extensions.exe	83
PID 3360 wrote to memory of 4968	3360	casino_extensions.exe	83
PID 4968 wrote to memory of 4600	4968	casino_extensions.exe	84
PID 4968 wrote to memory of 4600	4968	casino_extensions.exe	84
PID 4968 wrote to memory of 4600	4968	casino_extensions.exe	84
PID 4600 wrote to memory of 2012	4600	Casino_ext.exe	85
PID 4600 wrote to memory of 2012	4600	Casino_ext.exe	85
PID 4600 wrote to memory of 2012	4600	Casino_ext.exe	85
PID 2012 wrote to memory of 424	2012	casino_extensions.exe	86
PID 2012 wrote to memory of 424	2012	casino_extensions.exe	86
PID 2012 wrote to memory of 424	2012	casino_extensions.exe	86
PID 424 wrote to memory of 4316	424	casino_extensions.exe	88
PID 424 wrote to memory of 4316	424	casino_extensions.exe	88
PID 424 wrote to memory of 4316	424	casino_extensions.exe	88
PID 4316 wrote to memory of 2988	4316	Casino_ext.exe	89
PID 4316 wrote to memory of 2988	4316	Casino_ext.exe	89
PID 4316 wrote to memory of 2988	4316	Casino_ext.exe	89
PID 2988 wrote to memory of 3136	2988	casino_extensions.exe	91
PID 2988 wrote to memory of 3136	2988	casino_extensions.exe	91
PID 2988 wrote to memory of 3136	2988	casino_extensions.exe	91
PID 3136 wrote to memory of 1432	3136	casino_extensions.exe	92
PID 3136 wrote to memory of 1432	3136	casino_extensions.exe	92
PID 3136 wrote to memory of 1432	3136	casino_extensions.exe	92
PID 1432 wrote to memory of 620	1432	Casino_ext.exe	93
PID 1432 wrote to memory of 620	1432	Casino_ext.exe	93
PID 1432 wrote to memory of 620	1432	Casino_ext.exe	93
PID 620 wrote to memory of 1440	620	casino_extensions.exe	94
PID 620 wrote to memory of 1440	620	casino_extensions.exe	94
PID 620 wrote to memory of 1440	620	casino_extensions.exe	94
PID 1440 wrote to memory of 3232	1440	LiveMessageCenter.exe	95
PID 1440 wrote to memory of 3232	1440	LiveMessageCenter.exe	95
PID 1440 wrote to memory of 3232	1440	LiveMessageCenter.exe	95
PID 3232 wrote to memory of 2056	3232	casino_extensions.exe	96
PID 3232 wrote to memory of 2056	3232	casino_extensions.exe	96
PID 3232 wrote to memory of 2056	3232	casino_extensions.exe	96
PID 2056 wrote to memory of 2460	2056	casino_extensions.exe	97
PID 2056 wrote to memory of 2460	2056	casino_extensions.exe	97
PID 2056 wrote to memory of 2460	2056	casino_extensions.exe	97
PID 2460 wrote to memory of 2432	2460	Casino_ext.exe	98
PID 2460 wrote to memory of 2432	2460	Casino_ext.exe	98
PID 2460 wrote to memory of 2432	2460	Casino_ext.exe	98
PID 2432 wrote to memory of 4560	2432	casino_extensions.exe	99
PID 2432 wrote to memory of 4560	2432	casino_extensions.exe	99
PID 2432 wrote to memory of 4560	2432	casino_extensions.exe	99
PID 4560 wrote to memory of 3880	4560	casino_extensions.exe	100
PID 4560 wrote to memory of 3880	4560	casino_extensions.exe	100
PID 4560 wrote to memory of 3880	4560	casino_extensions.exe	100
PID 3880 wrote to memory of 3164	3880	Casino_ext.exe	101
PID 3880 wrote to memory of 3164	3880	Casino_ext.exe	101
PID 3880 wrote to memory of 3164	3880	Casino_ext.exe	101
PID 3164 wrote to memory of 1696	3164	casino_extensions.exe	103
PID 3164 wrote to memory of 1696	3164	casino_extensions.exe	103
PID 3164 wrote to memory of 1696	3164	casino_extensions.exe	103
PID 1696 wrote to memory of 744	1696	casino_extensions.exe	104
PID 1696 wrote to memory of 744	1696	casino_extensions.exe	104
PID 1696 wrote to memory of 744	1696	casino_extensions.exe	104
PID 744 wrote to memory of 4912	744	Casino_ext.exe	105
PID 744 wrote to memory of 4912	744	Casino_ext.exe	105
PID 744 wrote to memory of 4912	744	Casino_ext.exe	105
PID 4912 wrote to memory of 3460	4912	casino_extensions.exe	106

C:\Users\Admin\AppData\Local\Temp\38ddee6fcf88ad42e95b57adb67a5e40_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\38ddee6fcf88ad42e95b57adb67a5e40_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3664
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:4968
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4600
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2012
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:424
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        8⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        10⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        11⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe /part2
        12⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        13⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        14⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        15⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        16⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        17⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        18⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        19⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        20⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        21⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        22⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\LiveMessageCenter.exe
        
        C:\Windows\system32\LiveMessageCenter.exe
        23⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3460
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        24⤵
        Drops file in System32 directory
        
        PID:3668
        
        C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        25⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:4008
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        26⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3872
        
        C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        27⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c $$2028~1.BAT
        28⤵
        
        PID:3468

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\$$202803s.bat

Filesize
81B

MD5
4777bf695815d870d27ed4a38a8f0840

SHA1
565412b5182bca7a221448dba78369c42d1c4a0c

SHA256
c08018226d9a45ab277a01ca35f519ff7ea1cb450d080e24b0f590739654241d

SHA512
87e792d326c5a9d2d92984ec4c34d2af9d616a4676a7d69df73b09975fd077d96077ae2528b6fc05752110eb4e406c3e9d94d49d0a74eeaba6bc6a48bca8ac1d

Download Submit
C:\Windows\SysWOW64\LiveMessageCenter.exe

Filesize
1005KB

MD5
64c7aa5e1f906b9411e75111a1db9d70

SHA1
2027dcbbba122e351cc8de66da9523ea8c98805a

SHA256
f7bda011304c29785111cc9a9512ad5c5989f391c4ffe2418260abc72631991b

SHA512
0939abf05ffe7357435a58caf8fa6e81a504eb7268dc35863fda0faae0dc3204040f34e96adb8249e82cc8f97c3b1c94334d6fbd31e67e34d07a4fa82f501291

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
1004KB

MD5
681d66bfd59113cc15f7e010a5183cd6

SHA1
23aa5dd7c55fa6c18c1e31a1e8c18ee17674aa1b

SHA256
c29abc557e57f6b3dd0c3caa361356e6f563a4cec0182584cf0c1fb03371b1e3

SHA512
d9761a5280e06b7989b50c76d9aa61d3e70e7d66407f01367b4a29bbb16913d56c47d119bdac3eb17e471dc44fecf800c49f22394c9bf62adf149990ba60a4bb

Download Submit
C:\Windows\SysWOW64\casino_extensions.exe

Filesize
1005KB

MD5
1bc493e767a23a3b37485594b94ee496

SHA1
a78e3900bb8a19c1cd8fff258b0008f315c79247

SHA256
307a6f60e15ba52ff45634aa6d7bae58b3164f4e53049d1bae85d489abb15843

SHA512
4f7c03967f6f2a975cdd068f54ee1050db786ac955fa7fe47e968cdc7a237c4c3604b22e6b7ba0b81f1520435fd97b4a9f293709076dca2cba71aa9134537581

Download Submit
memory/3664-8-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4968-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download