6f9b43d4a5a9b823fa2be38c72bd7c67b14955a867ea7cb1187c9c975b9aba64

General

Target

6f9b43d4a5a9b823fa2be38c72bd7c67b14955a867ea7cb1187c9c975b9aba64_NeikiAnalytics.exe
Size

807KB
MD5

cf85fb07571c2f5d5df82a2bc1d786e0
SHA1

959c9cfabd3e19ea443d130d34b0fa0fe1d37e07
SHA256

6f9b43d4a5a9b823fa2be38c72bd7c67b14955a867ea7cb1187c9c975b9aba64
SHA512

763c016f8568e817cfee882cb4b0eb8b0368c17a3e76b3fb32df874bf21605d5621e08dddeb28f9c60e1c28a6e19517aeb4ec070c7d4591bc546651b3b804a56
SSDEEP

3072:49twizQTj8CSUYf8W3nSjen++Bj88OZS0/Qe2HdOLlqw1aQnj74y0+xkABerFFi5:4Xuj8NDF3OR9/Qe2Hdklrn4K3eP78l

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3052	Casino_ext.exe

Executes dropped EXE 4 IoCs

pid	Process
2796	casino_extensions.exe
840	Casino_ext.exe
2880	casino_extensions.exe
3052	Casino_ext.exe

Loads dropped DLL 4 IoCs

pid	Process
1596	casino_extensions.exe
1596	casino_extensions.exe
2256	casino_extensions.exe
2256	casino_extensions.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File created	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Windows\SysWOW64\casino_extensions.exe	casino_extensions.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	casino_extensions.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\casino_extensions.exe	Casino_ext.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
840	Casino_ext.exe
3052	Casino_ext.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1936	6f9b43d4a5a9b823fa2be38c72bd7c67b14955a867ea7cb1187c9c975b9aba64_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 1596	1936	6f9b43d4a5a9b823fa2be38c72bd7c67b14955a867ea7cb1187c9c975b9aba64_NeikiAnalytics.exe	28
PID 1936 wrote to memory of 1596	1936	6f9b43d4a5a9b823fa2be38c72bd7c67b14955a867ea7cb1187c9c975b9aba64_NeikiAnalytics.exe	28
PID 1936 wrote to memory of 1596	1936	6f9b43d4a5a9b823fa2be38c72bd7c67b14955a867ea7cb1187c9c975b9aba64_NeikiAnalytics.exe	28
PID 1936 wrote to memory of 1596	1936	6f9b43d4a5a9b823fa2be38c72bd7c67b14955a867ea7cb1187c9c975b9aba64_NeikiAnalytics.exe	28
PID 1596 wrote to memory of 2796	1596	casino_extensions.exe	29
PID 1596 wrote to memory of 2796	1596	casino_extensions.exe	29
PID 1596 wrote to memory of 2796	1596	casino_extensions.exe	29
PID 1596 wrote to memory of 2796	1596	casino_extensions.exe	29
PID 2796 wrote to memory of 840	2796	casino_extensions.exe	30
PID 2796 wrote to memory of 840	2796	casino_extensions.exe	30
PID 2796 wrote to memory of 840	2796	casino_extensions.exe	30
PID 2796 wrote to memory of 840	2796	casino_extensions.exe	30
PID 840 wrote to memory of 2256	840	Casino_ext.exe	31
PID 840 wrote to memory of 2256	840	Casino_ext.exe	31
PID 840 wrote to memory of 2256	840	Casino_ext.exe	31
PID 840 wrote to memory of 2256	840	Casino_ext.exe	31
PID 2256 wrote to memory of 2880	2256	casino_extensions.exe	32
PID 2256 wrote to memory of 2880	2256	casino_extensions.exe	32
PID 2256 wrote to memory of 2880	2256	casino_extensions.exe	32
PID 2256 wrote to memory of 2880	2256	casino_extensions.exe	32
PID 2880 wrote to memory of 3052	2880	casino_extensions.exe	33
PID 2880 wrote to memory of 3052	2880	casino_extensions.exe	33
PID 2880 wrote to memory of 3052	2880	casino_extensions.exe	33
PID 2880 wrote to memory of 3052	2880	casino_extensions.exe	33

C:\Users\Admin\AppData\Local\Temp\6f9b43d4a5a9b823fa2be38c72bd7c67b14955a867ea7cb1187c9c975b9aba64_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6f9b43d4a5a9b823fa2be38c72bd7c67b14955a867ea7cb1187c9c975b9aba64_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
  "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\SysWOW64\casino_extensions.exe
    C:\Windows\system32\casino_extensions.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\SysWOW64\Casino_ext.exe
      C:\Windows\SysWOW64\Casino_ext.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:840
    - - C:\Program Files (x86)\Internet Explorer\casino_extensions.exe
        
        "C:\Program Files (x86)\Internet Explorer\casino_extensions.exe"
        5⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2256
      - C:\Windows\SysWOW64\casino_extensions.exe
        
        C:\Windows\system32\casino_extensions.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Casino_ext.exe
        
        C:\Windows\SysWOW64\Casino_ext.exe
        7⤵
        Deletes itself
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\casino_extensions.exe

Filesize
822KB

MD5
918c5ee714963b40549df49a5bb5b0ab

SHA1
cea3616b4bc92acf6a7b54362124521117de6948

SHA256
03d5ca31db0aaf07724a57b77ede3217907153441ed8dc6770c880d075996efd

SHA512
c773920b1517616a964c8eec5ad516858abb826146b2e24a12ab99caa3fccff9eeabcec4581e6028797d8573d08f1caeb0654a8177ef72c4843f878de0733d48

Download Submit
\Windows\SysWOW64\casino_extensions.exe

Filesize
824KB

MD5
8c3b04318ec9ba169673d6e4c1908d46

SHA1
00beced3d7d029e6ca7245cc7581f29bc1a2569c

SHA256
60734cf5d2c1b9df024a55606adb86b06034c1f86e18bd6a38bf87988e9e118b

SHA512
9b99b920108fbae96f4f1743464031df57189c919147be963e1a1b31f19db584b210f2b71d847c987abd6604ad57c3d19fa34991eeead731b4d5954dbd1788ee

Download Submit
memory/1936-13-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2796-12-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing