374203bac0b693b91e1d95843f71c909faa65a02738c3738be505da65834aeba

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/05/2024, 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3e2aaaa118f78bf028ea9e54c5c7610_NEIKI.exe
Size

124KB
MD5

b3e2aaaa118f78bf028ea9e54c5c7610
SHA1

ecd58753bcc8c16079ee15c501528ebe0781346c
SHA256

374203bac0b693b91e1d95843f71c909faa65a02738c3738be505da65834aeba
SHA512

7cfccdd6c629780640cdd13acb55a09511f00fce43d8e47774d79754d00343775f4957b299f65da03c6bff99274d58957abc193b8f743d9588e5f14f265e2e1a
SSDEEP

768:50w981IshKQLro/4/wQozzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzX:CEGI0o/lVunMxVS3HgdoKjhLJhL

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA88A008-1ABD-4d61-8D08-FD910013FAE6}	{0A8B84DC-8642-4116-8B35-CF5A235C6459}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA88A008-1ABD-4d61-8D08-FD910013FAE6}\stubpath = "C:\\Windows\\{DA88A008-1ABD-4d61-8D08-FD910013FAE6}.exe"	{0A8B84DC-8642-4116-8B35-CF5A235C6459}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4FA4A19-C3F5-4f1c-B28B-5A3F3E8587A3}	{DA88A008-1ABD-4d61-8D08-FD910013FAE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4BFF7F8-1F75-47af-9F1C-8CAC0687ADCB}\stubpath = "C:\\Windows\\{C4BFF7F8-1F75-47af-9F1C-8CAC0687ADCB}.exe"	b3e2aaaa118f78bf028ea9e54c5c7610_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{946879BB-ED0B-4eff-8ED1-53C7EDDF603A}	{71C750D7-E1C0-483a-9C75-DCFCD1506B7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{946879BB-ED0B-4eff-8ED1-53C7EDDF603A}\stubpath = "C:\\Windows\\{946879BB-ED0B-4eff-8ED1-53C7EDDF603A}.exe"	{71C750D7-E1C0-483a-9C75-DCFCD1506B7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE879A00-0996-4e6b-A888-42EB96104EE4}\stubpath = "C:\\Windows\\{DE879A00-0996-4e6b-A888-42EB96104EE4}.exe"	{244BAE28-6AD8-482b-B013-C9C4DBA9B1D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C28F3BDE-248A-4917-A8AF-BD01BF43DA07}	{DE879A00-0996-4e6b-A888-42EB96104EE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71C750D7-E1C0-483a-9C75-DCFCD1506B7A}	{C4BFF7F8-1F75-47af-9F1C-8CAC0687ADCB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF6740CE-CB0C-4c01-8494-682FE202366A}	{946879BB-ED0B-4eff-8ED1-53C7EDDF603A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF6740CE-CB0C-4c01-8494-682FE202366A}\stubpath = "C:\\Windows\\{AF6740CE-CB0C-4c01-8494-682FE202366A}.exe"	{946879BB-ED0B-4eff-8ED1-53C7EDDF603A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A8B84DC-8642-4116-8B35-CF5A235C6459}	{C28F3BDE-248A-4917-A8AF-BD01BF43DA07}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4FA4A19-C3F5-4f1c-B28B-5A3F3E8587A3}\stubpath = "C:\\Windows\\{C4FA4A19-C3F5-4f1c-B28B-5A3F3E8587A3}.exe"	{DA88A008-1ABD-4d61-8D08-FD910013FAE6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4BFF7F8-1F75-47af-9F1C-8CAC0687ADCB}	b3e2aaaa118f78bf028ea9e54c5c7610_NEIKI.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{244BAE28-6AD8-482b-B013-C9C4DBA9B1D6}	{AF6740CE-CB0C-4c01-8494-682FE202366A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C28F3BDE-248A-4917-A8AF-BD01BF43DA07}\stubpath = "C:\\Windows\\{C28F3BDE-248A-4917-A8AF-BD01BF43DA07}.exe"	{DE879A00-0996-4e6b-A888-42EB96104EE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A2C7F16-F458-4dd6-AB3F-D94AA0150E5A}	{C4FA4A19-C3F5-4f1c-B28B-5A3F3E8587A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A2C7F16-F458-4dd6-AB3F-D94AA0150E5A}\stubpath = "C:\\Windows\\{9A2C7F16-F458-4dd6-AB3F-D94AA0150E5A}.exe"	{C4FA4A19-C3F5-4f1c-B28B-5A3F3E8587A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71C750D7-E1C0-483a-9C75-DCFCD1506B7A}\stubpath = "C:\\Windows\\{71C750D7-E1C0-483a-9C75-DCFCD1506B7A}.exe"	{C4BFF7F8-1F75-47af-9F1C-8CAC0687ADCB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{244BAE28-6AD8-482b-B013-C9C4DBA9B1D6}\stubpath = "C:\\Windows\\{244BAE28-6AD8-482b-B013-C9C4DBA9B1D6}.exe"	{AF6740CE-CB0C-4c01-8494-682FE202366A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE879A00-0996-4e6b-A888-42EB96104EE4}	{244BAE28-6AD8-482b-B013-C9C4DBA9B1D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A8B84DC-8642-4116-8B35-CF5A235C6459}\stubpath = "C:\\Windows\\{0A8B84DC-8642-4116-8B35-CF5A235C6459}.exe"	{C28F3BDE-248A-4917-A8AF-BD01BF43DA07}.exe

Deletes itself 1 IoCs

pid	Process
2072	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2620	{C4BFF7F8-1F75-47af-9F1C-8CAC0687ADCB}.exe
2576	{71C750D7-E1C0-483a-9C75-DCFCD1506B7A}.exe
2628	{946879BB-ED0B-4eff-8ED1-53C7EDDF603A}.exe
3000	{AF6740CE-CB0C-4c01-8494-682FE202366A}.exe
2028	{244BAE28-6AD8-482b-B013-C9C4DBA9B1D6}.exe
2676	{DE879A00-0996-4e6b-A888-42EB96104EE4}.exe
2992	{C28F3BDE-248A-4917-A8AF-BD01BF43DA07}.exe
880	{0A8B84DC-8642-4116-8B35-CF5A235C6459}.exe
1940	{DA88A008-1ABD-4d61-8D08-FD910013FAE6}.exe
1092	{C4FA4A19-C3F5-4f1c-B28B-5A3F3E8587A3}.exe
1080	{9A2C7F16-F458-4dd6-AB3F-D94AA0150E5A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{AF6740CE-CB0C-4c01-8494-682FE202366A}.exe	{946879BB-ED0B-4eff-8ED1-53C7EDDF603A}.exe
File created	C:\Windows\{C28F3BDE-248A-4917-A8AF-BD01BF43DA07}.exe	{DE879A00-0996-4e6b-A888-42EB96104EE4}.exe
File created	C:\Windows\{0A8B84DC-8642-4116-8B35-CF5A235C6459}.exe	{C28F3BDE-248A-4917-A8AF-BD01BF43DA07}.exe
File created	C:\Windows\{C4BFF7F8-1F75-47af-9F1C-8CAC0687ADCB}.exe	b3e2aaaa118f78bf028ea9e54c5c7610_NEIKI.exe
File created	C:\Windows\{71C750D7-E1C0-483a-9C75-DCFCD1506B7A}.exe	{C4BFF7F8-1F75-47af-9F1C-8CAC0687ADCB}.exe
File created	C:\Windows\{946879BB-ED0B-4eff-8ED1-53C7EDDF603A}.exe	{71C750D7-E1C0-483a-9C75-DCFCD1506B7A}.exe
File created	C:\Windows\{244BAE28-6AD8-482b-B013-C9C4DBA9B1D6}.exe	{AF6740CE-CB0C-4c01-8494-682FE202366A}.exe
File created	C:\Windows\{DE879A00-0996-4e6b-A888-42EB96104EE4}.exe	{244BAE28-6AD8-482b-B013-C9C4DBA9B1D6}.exe
File created	C:\Windows\{DA88A008-1ABD-4d61-8D08-FD910013FAE6}.exe	{0A8B84DC-8642-4116-8B35-CF5A235C6459}.exe
File created	C:\Windows\{C4FA4A19-C3F5-4f1c-B28B-5A3F3E8587A3}.exe	{DA88A008-1ABD-4d61-8D08-FD910013FAE6}.exe
File created	C:\Windows\{9A2C7F16-F458-4dd6-AB3F-D94AA0150E5A}.exe	{C4FA4A19-C3F5-4f1c-B28B-5A3F3E8587A3}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1628	b3e2aaaa118f78bf028ea9e54c5c7610_NEIKI.exe
Token: SeIncBasePriorityPrivilege	2620	{C4BFF7F8-1F75-47af-9F1C-8CAC0687ADCB}.exe
Token: SeIncBasePriorityPrivilege	2576	{71C750D7-E1C0-483a-9C75-DCFCD1506B7A}.exe
Token: SeIncBasePriorityPrivilege	2628	{946879BB-ED0B-4eff-8ED1-53C7EDDF603A}.exe
Token: SeIncBasePriorityPrivilege	3000	{AF6740CE-CB0C-4c01-8494-682FE202366A}.exe
Token: SeIncBasePriorityPrivilege	2028	{244BAE28-6AD8-482b-B013-C9C4DBA9B1D6}.exe
Token: SeIncBasePriorityPrivilege	2676	{DE879A00-0996-4e6b-A888-42EB96104EE4}.exe
Token: SeIncBasePriorityPrivilege	2992	{C28F3BDE-248A-4917-A8AF-BD01BF43DA07}.exe
Token: SeIncBasePriorityPrivilege	880	{0A8B84DC-8642-4116-8B35-CF5A235C6459}.exe
Token: SeIncBasePriorityPrivilege	1940	{DA88A008-1ABD-4d61-8D08-FD910013FAE6}.exe
Token: SeIncBasePriorityPrivilege	1092	{C4FA4A19-C3F5-4f1c-B28B-5A3F3E8587A3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2620	1628	b3e2aaaa118f78bf028ea9e54c5c7610_NEIKI.exe	28
PID 1628 wrote to memory of 2620	1628	b3e2aaaa118f78bf028ea9e54c5c7610_NEIKI.exe	28
PID 1628 wrote to memory of 2620	1628	b3e2aaaa118f78bf028ea9e54c5c7610_NEIKI.exe	28
PID 1628 wrote to memory of 2620	1628	b3e2aaaa118f78bf028ea9e54c5c7610_NEIKI.exe	28
PID 1628 wrote to memory of 2072	1628	b3e2aaaa118f78bf028ea9e54c5c7610_NEIKI.exe	29
PID 1628 wrote to memory of 2072	1628	b3e2aaaa118f78bf028ea9e54c5c7610_NEIKI.exe	29
PID 1628 wrote to memory of 2072	1628	b3e2aaaa118f78bf028ea9e54c5c7610_NEIKI.exe	29
PID 1628 wrote to memory of 2072	1628	b3e2aaaa118f78bf028ea9e54c5c7610_NEIKI.exe	29
PID 2620 wrote to memory of 2576	2620	{C4BFF7F8-1F75-47af-9F1C-8CAC0687ADCB}.exe	30
PID 2620 wrote to memory of 2576	2620	{C4BFF7F8-1F75-47af-9F1C-8CAC0687ADCB}.exe	30
PID 2620 wrote to memory of 2576	2620	{C4BFF7F8-1F75-47af-9F1C-8CAC0687ADCB}.exe	30
PID 2620 wrote to memory of 2576	2620	{C4BFF7F8-1F75-47af-9F1C-8CAC0687ADCB}.exe	30
PID 2620 wrote to memory of 2752	2620	{C4BFF7F8-1F75-47af-9F1C-8CAC0687ADCB}.exe	31
PID 2620 wrote to memory of 2752	2620	{C4BFF7F8-1F75-47af-9F1C-8CAC0687ADCB}.exe	31
PID 2620 wrote to memory of 2752	2620	{C4BFF7F8-1F75-47af-9F1C-8CAC0687ADCB}.exe	31
PID 2620 wrote to memory of 2752	2620	{C4BFF7F8-1F75-47af-9F1C-8CAC0687ADCB}.exe	31
PID 2576 wrote to memory of 2628	2576	{71C750D7-E1C0-483a-9C75-DCFCD1506B7A}.exe	32
PID 2576 wrote to memory of 2628	2576	{71C750D7-E1C0-483a-9C75-DCFCD1506B7A}.exe	32
PID 2576 wrote to memory of 2628	2576	{71C750D7-E1C0-483a-9C75-DCFCD1506B7A}.exe	32
PID 2576 wrote to memory of 2628	2576	{71C750D7-E1C0-483a-9C75-DCFCD1506B7A}.exe	32
PID 2576 wrote to memory of 2172	2576	{71C750D7-E1C0-483a-9C75-DCFCD1506B7A}.exe	33
PID 2576 wrote to memory of 2172	2576	{71C750D7-E1C0-483a-9C75-DCFCD1506B7A}.exe	33
PID 2576 wrote to memory of 2172	2576	{71C750D7-E1C0-483a-9C75-DCFCD1506B7A}.exe	33
PID 2576 wrote to memory of 2172	2576	{71C750D7-E1C0-483a-9C75-DCFCD1506B7A}.exe	33
PID 2628 wrote to memory of 3000	2628	{946879BB-ED0B-4eff-8ED1-53C7EDDF603A}.exe	36
PID 2628 wrote to memory of 3000	2628	{946879BB-ED0B-4eff-8ED1-53C7EDDF603A}.exe	36
PID 2628 wrote to memory of 3000	2628	{946879BB-ED0B-4eff-8ED1-53C7EDDF603A}.exe	36
PID 2628 wrote to memory of 3000	2628	{946879BB-ED0B-4eff-8ED1-53C7EDDF603A}.exe	36
PID 2628 wrote to memory of 2988	2628	{946879BB-ED0B-4eff-8ED1-53C7EDDF603A}.exe	37
PID 2628 wrote to memory of 2988	2628	{946879BB-ED0B-4eff-8ED1-53C7EDDF603A}.exe	37
PID 2628 wrote to memory of 2988	2628	{946879BB-ED0B-4eff-8ED1-53C7EDDF603A}.exe	37
PID 2628 wrote to memory of 2988	2628	{946879BB-ED0B-4eff-8ED1-53C7EDDF603A}.exe	37
PID 3000 wrote to memory of 2028	3000	{AF6740CE-CB0C-4c01-8494-682FE202366A}.exe	38
PID 3000 wrote to memory of 2028	3000	{AF6740CE-CB0C-4c01-8494-682FE202366A}.exe	38
PID 3000 wrote to memory of 2028	3000	{AF6740CE-CB0C-4c01-8494-682FE202366A}.exe	38
PID 3000 wrote to memory of 2028	3000	{AF6740CE-CB0C-4c01-8494-682FE202366A}.exe	38
PID 3000 wrote to memory of 2404	3000	{AF6740CE-CB0C-4c01-8494-682FE202366A}.exe	39
PID 3000 wrote to memory of 2404	3000	{AF6740CE-CB0C-4c01-8494-682FE202366A}.exe	39
PID 3000 wrote to memory of 2404	3000	{AF6740CE-CB0C-4c01-8494-682FE202366A}.exe	39
PID 3000 wrote to memory of 2404	3000	{AF6740CE-CB0C-4c01-8494-682FE202366A}.exe	39
PID 2028 wrote to memory of 2676	2028	{244BAE28-6AD8-482b-B013-C9C4DBA9B1D6}.exe	40
PID 2028 wrote to memory of 2676	2028	{244BAE28-6AD8-482b-B013-C9C4DBA9B1D6}.exe	40
PID 2028 wrote to memory of 2676	2028	{244BAE28-6AD8-482b-B013-C9C4DBA9B1D6}.exe	40
PID 2028 wrote to memory of 2676	2028	{244BAE28-6AD8-482b-B013-C9C4DBA9B1D6}.exe	40
PID 2028 wrote to memory of 2720	2028	{244BAE28-6AD8-482b-B013-C9C4DBA9B1D6}.exe	41
PID 2028 wrote to memory of 2720	2028	{244BAE28-6AD8-482b-B013-C9C4DBA9B1D6}.exe	41
PID 2028 wrote to memory of 2720	2028	{244BAE28-6AD8-482b-B013-C9C4DBA9B1D6}.exe	41
PID 2028 wrote to memory of 2720	2028	{244BAE28-6AD8-482b-B013-C9C4DBA9B1D6}.exe	41
PID 2676 wrote to memory of 2992	2676	{DE879A00-0996-4e6b-A888-42EB96104EE4}.exe	42
PID 2676 wrote to memory of 2992	2676	{DE879A00-0996-4e6b-A888-42EB96104EE4}.exe	42
PID 2676 wrote to memory of 2992	2676	{DE879A00-0996-4e6b-A888-42EB96104EE4}.exe	42
PID 2676 wrote to memory of 2992	2676	{DE879A00-0996-4e6b-A888-42EB96104EE4}.exe	42
PID 2676 wrote to memory of 2952	2676	{DE879A00-0996-4e6b-A888-42EB96104EE4}.exe	43
PID 2676 wrote to memory of 2952	2676	{DE879A00-0996-4e6b-A888-42EB96104EE4}.exe	43
PID 2676 wrote to memory of 2952	2676	{DE879A00-0996-4e6b-A888-42EB96104EE4}.exe	43
PID 2676 wrote to memory of 2952	2676	{DE879A00-0996-4e6b-A888-42EB96104EE4}.exe	43
PID 2992 wrote to memory of 880	2992	{C28F3BDE-248A-4917-A8AF-BD01BF43DA07}.exe	44
PID 2992 wrote to memory of 880	2992	{C28F3BDE-248A-4917-A8AF-BD01BF43DA07}.exe	44
PID 2992 wrote to memory of 880	2992	{C28F3BDE-248A-4917-A8AF-BD01BF43DA07}.exe	44
PID 2992 wrote to memory of 880	2992	{C28F3BDE-248A-4917-A8AF-BD01BF43DA07}.exe	44
PID 2992 wrote to memory of 1776	2992	{C28F3BDE-248A-4917-A8AF-BD01BF43DA07}.exe	45
PID 2992 wrote to memory of 1776	2992	{C28F3BDE-248A-4917-A8AF-BD01BF43DA07}.exe	45
PID 2992 wrote to memory of 1776	2992	{C28F3BDE-248A-4917-A8AF-BD01BF43DA07}.exe	45
PID 2992 wrote to memory of 1776	2992	{C28F3BDE-248A-4917-A8AF-BD01BF43DA07}.exe	45

C:\Users\Admin\AppData\Local\Temp\b3e2aaaa118f78bf028ea9e54c5c7610_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\b3e2aaaa118f78bf028ea9e54c5c7610_NEIKI.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\{C4BFF7F8-1F75-47af-9F1C-8CAC0687ADCB}.exe
  C:\Windows\{C4BFF7F8-1F75-47af-9F1C-8CAC0687ADCB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\{71C750D7-E1C0-483a-9C75-DCFCD1506B7A}.exe
    C:\Windows\{71C750D7-E1C0-483a-9C75-DCFCD1506B7A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\{946879BB-ED0B-4eff-8ED1-53C7EDDF603A}.exe
      C:\Windows\{946879BB-ED0B-4eff-8ED1-53C7EDDF603A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Windows\{AF6740CE-CB0C-4c01-8494-682FE202366A}.exe
        
        C:\Windows\{AF6740CE-CB0C-4c01-8494-682FE202366A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3000
      - C:\Windows\{244BAE28-6AD8-482b-B013-C9C4DBA9B1D6}.exe
        
        C:\Windows\{244BAE28-6AD8-482b-B013-C9C4DBA9B1D6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\{DE879A00-0996-4e6b-A888-42EB96104EE4}.exe
        
        C:\Windows\{DE879A00-0996-4e6b-A888-42EB96104EE4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\{C28F3BDE-248A-4917-A8AF-BD01BF43DA07}.exe
        
        C:\Windows\{C28F3BDE-248A-4917-A8AF-BD01BF43DA07}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\{0A8B84DC-8642-4116-8B35-CF5A235C6459}.exe
        
        C:\Windows\{0A8B84DC-8642-4116-8B35-CF5A235C6459}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
        
        C:\Windows\{DA88A008-1ABD-4d61-8D08-FD910013FAE6}.exe
        
        C:\Windows\{DA88A008-1ABD-4d61-8D08-FD910013FAE6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Windows\{C4FA4A19-C3F5-4f1c-B28B-5A3F3E8587A3}.exe
        
        C:\Windows\{C4FA4A19-C3F5-4f1c-B28B-5A3F3E8587A3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
        
        C:\Windows\{9A2C7F16-F458-4dd6-AB3F-D94AA0150E5A}.exe
        
        C:\Windows\{9A2C7F16-F458-4dd6-AB3F-D94AA0150E5A}.exe
        12⤵
        Executes dropped EXE
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4FA4~1.EXE > nul
        12⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA88A~1.EXE > nul
        11⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A8B8~1.EXE > nul
        10⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C28F3~1.EXE > nul
        9⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE879~1.EXE > nul
        8⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{244BA~1.EXE > nul
        7⤵
        
        PID:2720
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF674~1.EXE > nul
        6⤵
        
        PID:2404
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94687~1.EXE > nul
        5⤵
        
        PID:2988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{71C75~1.EXE > nul
      4⤵
      PID:2172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C4BFF~1.EXE > nul
    3⤵
    PID:2752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B3E2AA~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A8B84DC-8642-4116-8B35-CF5A235C6459}.exe

Filesize
124KB

MD5
9f0f89b3f8aefacf5448544acf9e30dd

SHA1
7109aaef645baaa51a3205edd1f7195b3461f155

SHA256
fe245e5c680a43a62833679e9dfa83dfa2167a1def6a64b3532b156291726fec

SHA512
5b4c0c69538cd2052a4f2b5c3478e5b33fa79167f8523824f70bdb9483f99a02bdfcb732a1db337a90e2d56ead420d56fa2feac7cddcaa3795f6db674ac961b5

Download Submit
C:\Windows\{244BAE28-6AD8-482b-B013-C9C4DBA9B1D6}.exe

Filesize
124KB

MD5
d29c01d1e4e6e3c71e22dfc5391fa8c4

SHA1
b3c5d61bb657f0a9997c20afe8fbc5422493fac7

SHA256
8aba494482582c444c8219f5bd72d7ce070bd091a9bf26f585894b1e9e755f07

SHA512
528802edfd02c44c0e88fde0cf1ba15df18a5e6098e692b8ca6d279fdaec9b7a2c84b6cf31f040978c04b1b5a74501b5219be72065d2fbb72886a3fe999d9635

Download Submit
C:\Windows\{71C750D7-E1C0-483a-9C75-DCFCD1506B7A}.exe

Filesize
124KB

MD5
aa041b95d74232a4fa88a67984488767

SHA1
e6a17cde73dc0c6265fdfcd41ddebda66ceda98a

SHA256
f3a1d0c6b39cf1c9356b7ef6ac815df3ade898676bcfbe356bea25a4e9fcfa8d

SHA512
79fa9f73b4863f4a4ac67929a412b4293cdfdd55e1ca201a0cfeabffe3e8862c6cd333e16cf0ed088bb689c31016f2f2e7a89dc899bdf6a5cbb8ad047f00e7c0

Download Submit
C:\Windows\{946879BB-ED0B-4eff-8ED1-53C7EDDF603A}.exe

Filesize
124KB

MD5
27c2d1a3928420ff60a78a0552eba643

SHA1
7c501585a68ebd5ca617955c73b982db11c457f3

SHA256
8f70f6a78a1527a9324b3fc956ee435cce2408d164127d145a4a9ff07d60a75a

SHA512
40cbf1ef2844eb26a4ccd4981bfaf684a34a1a91dab94d1c52bda6e263a4b13ba6f57e4d82fbd0816d4afd9d84312defc09fb3199a7c5d6633f2b3678225e74c

Download Submit
C:\Windows\{9A2C7F16-F458-4dd6-AB3F-D94AA0150E5A}.exe

Filesize
124KB

MD5
c11d82f550d8e04228c75888bd4c5b4f

SHA1
0eef5930fb757b76da992a28fcf493c6f573de10

SHA256
797ab6187317b4394cf150aaf6e7272c7470cb75c4681ef65cab2c88ff475784

SHA512
4c72394b235a2ac4c7d4a428134934f4c94a467fa3bab7a4c37a88517eff8ea80ca5ff624738b357aa1f4048cbd1ed92d7a7d6b5f5bd7c2d5d7ddd6bd0cd5bfb

Download Submit
C:\Windows\{AF6740CE-CB0C-4c01-8494-682FE202366A}.exe

Filesize
124KB

MD5
04d8db41f13cc9e9e7c0ac2378dad715

SHA1
2a19c6dfdbccb2aaab17d60453f868643d169230

SHA256
027be090f869c7f94eda4e0281891da2a9a39a9152ac5585ce3842d48b525085

SHA512
40e820a8742765818a35a46dbd09f2da0095127c91a1a89c3dc24b77330d4f85bb3e71347dde230f6ad8d3d3c831ca24ced564b7d49f308faa398dea0f0e68ad

Download Submit
C:\Windows\{C28F3BDE-248A-4917-A8AF-BD01BF43DA07}.exe

Filesize
124KB

MD5
ddbc0e62aca561d035060b90e3491d5a

SHA1
a852d5f57cd191ef6e1a85bfc78763b05171ff1b

SHA256
97e8c4072aaeb2756753ecfc8fb7ea3063729c2b7b0b2c340fa4a3118c08f1b6

SHA512
21f9501ff45642137b9c7739daeb8c05b21eebd3292a74dc031f5bb2a3c269a1c295e08a02b133cda3cfd36503d70e471d049419dfce8cd50e8db2b78a768685

Download Submit
C:\Windows\{C4BFF7F8-1F75-47af-9F1C-8CAC0687ADCB}.exe

Filesize
124KB

MD5
2fe40567e0773dd9b6620c4999ab3ab9

SHA1
159eefb28c7e703f421580f96723bffe6219c7f6

SHA256
3c0d546e354431ca37d7a31a3f30d14152298611d358329e53f5ff59808ac8d3

SHA512
1ab54de9cb45633a98b7b78374ad687a06d585a7493acfcb6a156295b871642f063fe2a4a8f9f98cef6902674d1727700091da8b6680b24a4ce12191504b59b6

Download Submit
C:\Windows\{C4FA4A19-C3F5-4f1c-B28B-5A3F3E8587A3}.exe

Filesize
124KB

MD5
cbeb6726ffdcda13135cbe501aacf9aa

SHA1
60de239b28b7fa74d8e41657032bf4752dc65dcd

SHA256
ac03cb1fa4357c2448e152a1a1dd6cc1eda0e0359f09ec679ca0e884d9d36ca2

SHA512
652a039dc52838a4a74c95ad0589b8685574c2be37aaa86ce28505bc96b63914035bc2b3c1e8aff83762e8441bd433ec2c54105b018e490970ad56b878517b93

Download Submit
C:\Windows\{DA88A008-1ABD-4d61-8D08-FD910013FAE6}.exe

Filesize
124KB

MD5
11f6114361180783a56b5051e258c897

SHA1
9b3c8e38f33270fe9a80a71305e7376513251d76

SHA256
2a1f7376fd48df77433fc1bace11ed8cf454d2001ef3264518f1c5e563f15330

SHA512
a0711419aea799331956844aac1f85fdb99edb185ca6a166bb3d0ed67e6459dac96333fdd6503c4d5220060b71919b175b93eb01ba137d9fe41a3e8b5cb836f0

Download Submit
C:\Windows\{DE879A00-0996-4e6b-A888-42EB96104EE4}.exe

Filesize
124KB

MD5
b6d76fc4902c48771e648bd454ef76f0

SHA1
6baaad5a82f3d6441a2c5be9b06e86330a7f05e5

SHA256
2b523783d1d4320693a1f866cb38e78c3e8d6950898428f84a61bba468fc3d0b

SHA512
8de8f085afe2ff51276b2e330aa4749b1b5b594faa601cc4c9b0b124a4fe167dc25bb128f6abff590b34a6eec032d5b26afbcb8f7bf406afa5e1898419d298aa

Download Submit
memory/880-76-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1080-96-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1092-94-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1628-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1628-8-0x0000000000350000-0x0000000000361000-memory.dmp

Filesize
68KB

Download
memory/1628-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1628-3-0x0000000000350000-0x0000000000361000-memory.dmp

Filesize
68KB

Download
memory/1940-78-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1940-86-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2028-52-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2028-44-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2576-25-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2620-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2620-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2628-33-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2676-60-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2992-79-0x00000000002E0000-0x00000000002F1000-memory.dmp

Filesize
68KB

Download
memory/2992-67-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2992-68-0x00000000002E0000-0x00000000002F1000-memory.dmp

Filesize
68KB

Download
memory/3000-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3000-42-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads