203189b420a0513926fc2871c203b8e39e0ae439fd45dbd460b2ce3617543099

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64bab253ab95a039e7e44d52fcfb2930_NeikiAnalytics.exe
Size

90KB
MD5

64bab253ab95a039e7e44d52fcfb2930
SHA1

a822b7dd93a33e4c5933bc41da2ccc770709573c
SHA256

203189b420a0513926fc2871c203b8e39e0ae439fd45dbd460b2ce3617543099
SHA512

f146d108e72ac826579d001bed25b3e0477a098c26cdcbc19c6b20f12e04e833fddc16e16ce07a7b07090d7ccd78fe0a341012064698774043764af19b166eeb
SSDEEP

768:Qvw9816vhKQLro74/wQRNrfrunMxVFA3b7gl/:YEGh0o7l2unMxVS3HgR

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBAC6B37-11B5-4c77-A17D-2117A76B9B6F}\stubpath = "C:\\Windows\\{BBAC6B37-11B5-4c77-A17D-2117A76B9B6F}.exe"	{65178CA4-D3E5-4555-9A07-DF41FA330227}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AAE914EF-A52E-43cf-953D-745BEB1CA140}\stubpath = "C:\\Windows\\{AAE914EF-A52E-43cf-953D-745BEB1CA140}.exe"	{9A61C993-D453-4d11-AC3E-B90F41BF5F8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D29E36D-AC27-4283-9103-122CEDB314A5}\stubpath = "C:\\Windows\\{9D29E36D-AC27-4283-9103-122CEDB314A5}.exe"	{FA53CCFB-D4F2-4bd7-9C2C-D87B398FA78E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F52BD84F-9035-48e0-8E37-891F15EB6D1E}	{36478557-CE12-4dea-93A3-B366EC81B4C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F52BD84F-9035-48e0-8E37-891F15EB6D1E}\stubpath = "C:\\Windows\\{F52BD84F-9035-48e0-8E37-891F15EB6D1E}.exe"	{36478557-CE12-4dea-93A3-B366EC81B4C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3FB018E-577D-4526-94CC-8D9BC1552D48}	{9C8EE57A-6698-4495-9C13-2AA75B2C39DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D53C273-9755-4c1c-BFA1-CC420BA7643F}	{8FF32670-4398-4b78-8707-F4DFDE1FB57D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65178CA4-D3E5-4555-9A07-DF41FA330227}	64bab253ab95a039e7e44d52fcfb2930_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBAC6B37-11B5-4c77-A17D-2117A76B9B6F}	{65178CA4-D3E5-4555-9A07-DF41FA330227}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A61C993-D453-4d11-AC3E-B90F41BF5F8A}\stubpath = "C:\\Windows\\{9A61C993-D453-4d11-AC3E-B90F41BF5F8A}.exe"	{BBAC6B37-11B5-4c77-A17D-2117A76B9B6F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36478557-CE12-4dea-93A3-B366EC81B4C4}\stubpath = "C:\\Windows\\{36478557-CE12-4dea-93A3-B366EC81B4C4}.exe"	{9D29E36D-AC27-4283-9103-122CEDB314A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FF32670-4398-4b78-8707-F4DFDE1FB57D}	{D3FB018E-577D-4526-94CC-8D9BC1552D48}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D53C273-9755-4c1c-BFA1-CC420BA7643F}\stubpath = "C:\\Windows\\{2D53C273-9755-4c1c-BFA1-CC420BA7643F}.exe"	{8FF32670-4398-4b78-8707-F4DFDE1FB57D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65178CA4-D3E5-4555-9A07-DF41FA330227}\stubpath = "C:\\Windows\\{65178CA4-D3E5-4555-9A07-DF41FA330227}.exe"	64bab253ab95a039e7e44d52fcfb2930_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A61C993-D453-4d11-AC3E-B90F41BF5F8A}	{BBAC6B37-11B5-4c77-A17D-2117A76B9B6F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FF32670-4398-4b78-8707-F4DFDE1FB57D}\stubpath = "C:\\Windows\\{8FF32670-4398-4b78-8707-F4DFDE1FB57D}.exe"	{D3FB018E-577D-4526-94CC-8D9BC1552D48}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3FB018E-577D-4526-94CC-8D9BC1552D48}\stubpath = "C:\\Windows\\{D3FB018E-577D-4526-94CC-8D9BC1552D48}.exe"	{9C8EE57A-6698-4495-9C13-2AA75B2C39DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AAE914EF-A52E-43cf-953D-745BEB1CA140}	{9A61C993-D453-4d11-AC3E-B90F41BF5F8A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA53CCFB-D4F2-4bd7-9C2C-D87B398FA78E}	{AAE914EF-A52E-43cf-953D-745BEB1CA140}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA53CCFB-D4F2-4bd7-9C2C-D87B398FA78E}\stubpath = "C:\\Windows\\{FA53CCFB-D4F2-4bd7-9C2C-D87B398FA78E}.exe"	{AAE914EF-A52E-43cf-953D-745BEB1CA140}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D29E36D-AC27-4283-9103-122CEDB314A5}	{FA53CCFB-D4F2-4bd7-9C2C-D87B398FA78E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36478557-CE12-4dea-93A3-B366EC81B4C4}	{9D29E36D-AC27-4283-9103-122CEDB314A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C8EE57A-6698-4495-9C13-2AA75B2C39DF}	{F52BD84F-9035-48e0-8E37-891F15EB6D1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C8EE57A-6698-4495-9C13-2AA75B2C39DF}\stubpath = "C:\\Windows\\{9C8EE57A-6698-4495-9C13-2AA75B2C39DF}.exe"	{F52BD84F-9035-48e0-8E37-891F15EB6D1E}.exe

Executes dropped EXE 12 IoCs

pid	Process
4592	{65178CA4-D3E5-4555-9A07-DF41FA330227}.exe
2384	{BBAC6B37-11B5-4c77-A17D-2117A76B9B6F}.exe
864	{9A61C993-D453-4d11-AC3E-B90F41BF5F8A}.exe
1600	{AAE914EF-A52E-43cf-953D-745BEB1CA140}.exe
1968	{FA53CCFB-D4F2-4bd7-9C2C-D87B398FA78E}.exe
2964	{9D29E36D-AC27-4283-9103-122CEDB314A5}.exe
4820	{36478557-CE12-4dea-93A3-B366EC81B4C4}.exe
1640	{F52BD84F-9035-48e0-8E37-891F15EB6D1E}.exe
3084	{9C8EE57A-6698-4495-9C13-2AA75B2C39DF}.exe
4440	{D3FB018E-577D-4526-94CC-8D9BC1552D48}.exe
1836	{8FF32670-4398-4b78-8707-F4DFDE1FB57D}.exe
1548	{2D53C273-9755-4c1c-BFA1-CC420BA7643F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{AAE914EF-A52E-43cf-953D-745BEB1CA140}.exe	{9A61C993-D453-4d11-AC3E-B90F41BF5F8A}.exe
File created	C:\Windows\{9D29E36D-AC27-4283-9103-122CEDB314A5}.exe	{FA53CCFB-D4F2-4bd7-9C2C-D87B398FA78E}.exe
File created	C:\Windows\{F52BD84F-9035-48e0-8E37-891F15EB6D1E}.exe	{36478557-CE12-4dea-93A3-B366EC81B4C4}.exe
File created	C:\Windows\{D3FB018E-577D-4526-94CC-8D9BC1552D48}.exe	{9C8EE57A-6698-4495-9C13-2AA75B2C39DF}.exe
File created	C:\Windows\{2D53C273-9755-4c1c-BFA1-CC420BA7643F}.exe	{8FF32670-4398-4b78-8707-F4DFDE1FB57D}.exe
File created	C:\Windows\{65178CA4-D3E5-4555-9A07-DF41FA330227}.exe	64bab253ab95a039e7e44d52fcfb2930_NeikiAnalytics.exe
File created	C:\Windows\{BBAC6B37-11B5-4c77-A17D-2117A76B9B6F}.exe	{65178CA4-D3E5-4555-9A07-DF41FA330227}.exe
File created	C:\Windows\{9A61C993-D453-4d11-AC3E-B90F41BF5F8A}.exe	{BBAC6B37-11B5-4c77-A17D-2117A76B9B6F}.exe
File created	C:\Windows\{FA53CCFB-D4F2-4bd7-9C2C-D87B398FA78E}.exe	{AAE914EF-A52E-43cf-953D-745BEB1CA140}.exe
File created	C:\Windows\{36478557-CE12-4dea-93A3-B366EC81B4C4}.exe	{9D29E36D-AC27-4283-9103-122CEDB314A5}.exe
File created	C:\Windows\{9C8EE57A-6698-4495-9C13-2AA75B2C39DF}.exe	{F52BD84F-9035-48e0-8E37-891F15EB6D1E}.exe
File created	C:\Windows\{8FF32670-4398-4b78-8707-F4DFDE1FB57D}.exe	{D3FB018E-577D-4526-94CC-8D9BC1552D48}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2304	64bab253ab95a039e7e44d52fcfb2930_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	4592	{65178CA4-D3E5-4555-9A07-DF41FA330227}.exe
Token: SeIncBasePriorityPrivilege	2384	{BBAC6B37-11B5-4c77-A17D-2117A76B9B6F}.exe
Token: SeIncBasePriorityPrivilege	864	{9A61C993-D453-4d11-AC3E-B90F41BF5F8A}.exe
Token: SeIncBasePriorityPrivilege	1600	{AAE914EF-A52E-43cf-953D-745BEB1CA140}.exe
Token: SeIncBasePriorityPrivilege	1968	{FA53CCFB-D4F2-4bd7-9C2C-D87B398FA78E}.exe
Token: SeIncBasePriorityPrivilege	2964	{9D29E36D-AC27-4283-9103-122CEDB314A5}.exe
Token: SeIncBasePriorityPrivilege	4820	{36478557-CE12-4dea-93A3-B366EC81B4C4}.exe
Token: SeIncBasePriorityPrivilege	1640	{F52BD84F-9035-48e0-8E37-891F15EB6D1E}.exe
Token: SeIncBasePriorityPrivilege	3084	{9C8EE57A-6698-4495-9C13-2AA75B2C39DF}.exe
Token: SeIncBasePriorityPrivilege	4440	{D3FB018E-577D-4526-94CC-8D9BC1552D48}.exe
Token: SeIncBasePriorityPrivilege	1836	{8FF32670-4398-4b78-8707-F4DFDE1FB57D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 4592	2304	64bab253ab95a039e7e44d52fcfb2930_NeikiAnalytics.exe	86
PID 2304 wrote to memory of 4592	2304	64bab253ab95a039e7e44d52fcfb2930_NeikiAnalytics.exe	86
PID 2304 wrote to memory of 4592	2304	64bab253ab95a039e7e44d52fcfb2930_NeikiAnalytics.exe	86
PID 2304 wrote to memory of 564	2304	64bab253ab95a039e7e44d52fcfb2930_NeikiAnalytics.exe	87
PID 2304 wrote to memory of 564	2304	64bab253ab95a039e7e44d52fcfb2930_NeikiAnalytics.exe	87
PID 2304 wrote to memory of 564	2304	64bab253ab95a039e7e44d52fcfb2930_NeikiAnalytics.exe	87
PID 4592 wrote to memory of 2384	4592	{65178CA4-D3E5-4555-9A07-DF41FA330227}.exe	88
PID 4592 wrote to memory of 2384	4592	{65178CA4-D3E5-4555-9A07-DF41FA330227}.exe	88
PID 4592 wrote to memory of 2384	4592	{65178CA4-D3E5-4555-9A07-DF41FA330227}.exe	88
PID 4592 wrote to memory of 1088	4592	{65178CA4-D3E5-4555-9A07-DF41FA330227}.exe	89
PID 4592 wrote to memory of 1088	4592	{65178CA4-D3E5-4555-9A07-DF41FA330227}.exe	89
PID 4592 wrote to memory of 1088	4592	{65178CA4-D3E5-4555-9A07-DF41FA330227}.exe	89
PID 2384 wrote to memory of 864	2384	{BBAC6B37-11B5-4c77-A17D-2117A76B9B6F}.exe	93
PID 2384 wrote to memory of 864	2384	{BBAC6B37-11B5-4c77-A17D-2117A76B9B6F}.exe	93
PID 2384 wrote to memory of 864	2384	{BBAC6B37-11B5-4c77-A17D-2117A76B9B6F}.exe	93
PID 2384 wrote to memory of 4164	2384	{BBAC6B37-11B5-4c77-A17D-2117A76B9B6F}.exe	94
PID 2384 wrote to memory of 4164	2384	{BBAC6B37-11B5-4c77-A17D-2117A76B9B6F}.exe	94
PID 2384 wrote to memory of 4164	2384	{BBAC6B37-11B5-4c77-A17D-2117A76B9B6F}.exe	94
PID 864 wrote to memory of 1600	864	{9A61C993-D453-4d11-AC3E-B90F41BF5F8A}.exe	95
PID 864 wrote to memory of 1600	864	{9A61C993-D453-4d11-AC3E-B90F41BF5F8A}.exe	95
PID 864 wrote to memory of 1600	864	{9A61C993-D453-4d11-AC3E-B90F41BF5F8A}.exe	95
PID 864 wrote to memory of 4324	864	{9A61C993-D453-4d11-AC3E-B90F41BF5F8A}.exe	96
PID 864 wrote to memory of 4324	864	{9A61C993-D453-4d11-AC3E-B90F41BF5F8A}.exe	96
PID 864 wrote to memory of 4324	864	{9A61C993-D453-4d11-AC3E-B90F41BF5F8A}.exe	96
PID 1600 wrote to memory of 1968	1600	{AAE914EF-A52E-43cf-953D-745BEB1CA140}.exe	97
PID 1600 wrote to memory of 1968	1600	{AAE914EF-A52E-43cf-953D-745BEB1CA140}.exe	97
PID 1600 wrote to memory of 1968	1600	{AAE914EF-A52E-43cf-953D-745BEB1CA140}.exe	97
PID 1600 wrote to memory of 4132	1600	{AAE914EF-A52E-43cf-953D-745BEB1CA140}.exe	98
PID 1600 wrote to memory of 4132	1600	{AAE914EF-A52E-43cf-953D-745BEB1CA140}.exe	98
PID 1600 wrote to memory of 4132	1600	{AAE914EF-A52E-43cf-953D-745BEB1CA140}.exe	98
PID 1968 wrote to memory of 2964	1968	{FA53CCFB-D4F2-4bd7-9C2C-D87B398FA78E}.exe	99
PID 1968 wrote to memory of 2964	1968	{FA53CCFB-D4F2-4bd7-9C2C-D87B398FA78E}.exe	99
PID 1968 wrote to memory of 2964	1968	{FA53CCFB-D4F2-4bd7-9C2C-D87B398FA78E}.exe	99
PID 1968 wrote to memory of 3724	1968	{FA53CCFB-D4F2-4bd7-9C2C-D87B398FA78E}.exe	100
PID 1968 wrote to memory of 3724	1968	{FA53CCFB-D4F2-4bd7-9C2C-D87B398FA78E}.exe	100
PID 1968 wrote to memory of 3724	1968	{FA53CCFB-D4F2-4bd7-9C2C-D87B398FA78E}.exe	100
PID 2964 wrote to memory of 4820	2964	{9D29E36D-AC27-4283-9103-122CEDB314A5}.exe	101
PID 2964 wrote to memory of 4820	2964	{9D29E36D-AC27-4283-9103-122CEDB314A5}.exe	101
PID 2964 wrote to memory of 4820	2964	{9D29E36D-AC27-4283-9103-122CEDB314A5}.exe	101
PID 2964 wrote to memory of 3368	2964	{9D29E36D-AC27-4283-9103-122CEDB314A5}.exe	102
PID 2964 wrote to memory of 3368	2964	{9D29E36D-AC27-4283-9103-122CEDB314A5}.exe	102
PID 2964 wrote to memory of 3368	2964	{9D29E36D-AC27-4283-9103-122CEDB314A5}.exe	102
PID 4820 wrote to memory of 1640	4820	{36478557-CE12-4dea-93A3-B366EC81B4C4}.exe	103
PID 4820 wrote to memory of 1640	4820	{36478557-CE12-4dea-93A3-B366EC81B4C4}.exe	103
PID 4820 wrote to memory of 1640	4820	{36478557-CE12-4dea-93A3-B366EC81B4C4}.exe	103
PID 4820 wrote to memory of 3060	4820	{36478557-CE12-4dea-93A3-B366EC81B4C4}.exe	104
PID 4820 wrote to memory of 3060	4820	{36478557-CE12-4dea-93A3-B366EC81B4C4}.exe	104
PID 4820 wrote to memory of 3060	4820	{36478557-CE12-4dea-93A3-B366EC81B4C4}.exe	104
PID 1640 wrote to memory of 3084	1640	{F52BD84F-9035-48e0-8E37-891F15EB6D1E}.exe	105
PID 1640 wrote to memory of 3084	1640	{F52BD84F-9035-48e0-8E37-891F15EB6D1E}.exe	105
PID 1640 wrote to memory of 3084	1640	{F52BD84F-9035-48e0-8E37-891F15EB6D1E}.exe	105
PID 1640 wrote to memory of 1112	1640	{F52BD84F-9035-48e0-8E37-891F15EB6D1E}.exe	106
PID 1640 wrote to memory of 1112	1640	{F52BD84F-9035-48e0-8E37-891F15EB6D1E}.exe	106
PID 1640 wrote to memory of 1112	1640	{F52BD84F-9035-48e0-8E37-891F15EB6D1E}.exe	106
PID 3084 wrote to memory of 4440	3084	{9C8EE57A-6698-4495-9C13-2AA75B2C39DF}.exe	107
PID 3084 wrote to memory of 4440	3084	{9C8EE57A-6698-4495-9C13-2AA75B2C39DF}.exe	107
PID 3084 wrote to memory of 4440	3084	{9C8EE57A-6698-4495-9C13-2AA75B2C39DF}.exe	107
PID 3084 wrote to memory of 860	3084	{9C8EE57A-6698-4495-9C13-2AA75B2C39DF}.exe	108
PID 3084 wrote to memory of 860	3084	{9C8EE57A-6698-4495-9C13-2AA75B2C39DF}.exe	108
PID 3084 wrote to memory of 860	3084	{9C8EE57A-6698-4495-9C13-2AA75B2C39DF}.exe	108
PID 4440 wrote to memory of 1836	4440	{D3FB018E-577D-4526-94CC-8D9BC1552D48}.exe	109
PID 4440 wrote to memory of 1836	4440	{D3FB018E-577D-4526-94CC-8D9BC1552D48}.exe	109
PID 4440 wrote to memory of 1836	4440	{D3FB018E-577D-4526-94CC-8D9BC1552D48}.exe	109
PID 4440 wrote to memory of 452	4440	{D3FB018E-577D-4526-94CC-8D9BC1552D48}.exe	110

C:\Users\Admin\AppData\Local\Temp\64bab253ab95a039e7e44d52fcfb2930_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\64bab253ab95a039e7e44d52fcfb2930_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\{65178CA4-D3E5-4555-9A07-DF41FA330227}.exe
  C:\Windows\{65178CA4-D3E5-4555-9A07-DF41FA330227}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Windows\{BBAC6B37-11B5-4c77-A17D-2117A76B9B6F}.exe
    C:\Windows\{BBAC6B37-11B5-4c77-A17D-2117A76B9B6F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Windows\{9A61C993-D453-4d11-AC3E-B90F41BF5F8A}.exe
      C:\Windows\{9A61C993-D453-4d11-AC3E-B90F41BF5F8A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:864
    - - C:\Windows\{AAE914EF-A52E-43cf-953D-745BEB1CA140}.exe
        
        C:\Windows\{AAE914EF-A52E-43cf-953D-745BEB1CA140}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1600
      - C:\Windows\{FA53CCFB-D4F2-4bd7-9C2C-D87B398FA78E}.exe
        
        C:\Windows\{FA53CCFB-D4F2-4bd7-9C2C-D87B398FA78E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\{9D29E36D-AC27-4283-9103-122CEDB314A5}.exe
        
        C:\Windows\{9D29E36D-AC27-4283-9103-122CEDB314A5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\{36478557-CE12-4dea-93A3-B366EC81B4C4}.exe
        
        C:\Windows\{36478557-CE12-4dea-93A3-B366EC81B4C4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\{F52BD84F-9035-48e0-8E37-891F15EB6D1E}.exe
        
        C:\Windows\{F52BD84F-9035-48e0-8E37-891F15EB6D1E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\{9C8EE57A-6698-4495-9C13-2AA75B2C39DF}.exe
        
        C:\Windows\{9C8EE57A-6698-4495-9C13-2AA75B2C39DF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\{D3FB018E-577D-4526-94CC-8D9BC1552D48}.exe
        
        C:\Windows\{D3FB018E-577D-4526-94CC-8D9BC1552D48}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\{8FF32670-4398-4b78-8707-F4DFDE1FB57D}.exe
        
        C:\Windows\{8FF32670-4398-4b78-8707-F4DFDE1FB57D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
        
        C:\Windows\{2D53C273-9755-4c1c-BFA1-CC420BA7643F}.exe
        
        C:\Windows\{2D53C273-9755-4c1c-BFA1-CC420BA7643F}.exe
        13⤵
        Executes dropped EXE
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8FF32~1.EXE > nul
        13⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3FB0~1.EXE > nul
        12⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C8EE~1.EXE > nul
        11⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F52BD~1.EXE > nul
        10⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36478~1.EXE > nul
        9⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D29E~1.EXE > nul
        8⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA53C~1.EXE > nul
        7⤵
        
        PID:3724
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AAE91~1.EXE > nul
        6⤵
        
        PID:4132
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A61C~1.EXE > nul
        5⤵
        
        PID:4324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BBAC6~1.EXE > nul
      4⤵
      PID:4164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{65178~1.EXE > nul
    3⤵
    PID:1088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\64BAB2~1.EXE > nul
  2⤵
  PID:564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2D53C273-9755-4c1c-BFA1-CC420BA7643F}.exe

Filesize
90KB

MD5
9e3e05bfc27d3773421b1de066b055f9

SHA1
a6fbb7e80b5cab0e5be05a17012af5c906e5a30a

SHA256
ec3ea8aaf0fbad0bc14d0717e086e420c17cc22c780d1f442bba067d8d53bd4b

SHA512
497c5237e84ac1f0a91c78cdc3252116525920efcca84be281a430cfd0b2f73fa600492e74e4de4e0ceeb841260e4c82c3a440bc5c6cd5d0a715d13e091218a0

Download Submit
C:\Windows\{36478557-CE12-4dea-93A3-B366EC81B4C4}.exe

Filesize
90KB

MD5
95eec06a419042b02bed92772b16495a

SHA1
afe25e8c5cfee62eb5276d29b608b5736d36371f

SHA256
fce19fdf65c4abd4b6caa4d37d2d48fbd2520fdb39c7c709f1533a3ccfbda7cd

SHA512
7eef86ee980d56d50a147afb042253e394a67683ea30a84d71dccd13bbfc760d2de918b6b748066d3c5ed9877a3e68bd43cbb2db70c1bdc82df9564b5b0cadd6

Download Submit
C:\Windows\{65178CA4-D3E5-4555-9A07-DF41FA330227}.exe

Filesize
90KB

MD5
b53c3ba012778c900d0e1c4ad18c0fa9

SHA1
5cb63b5ed7c758163a0951dba253f85e47b2292c

SHA256
aefd7ac41efd7749884a5a89e72a47745f5ea22218e1df9ca579127e3ca24200

SHA512
86942053d0d664a4573089639d6bb953b74ae3da17bd7805dca6d54997e3f731254c9064015cfdb73701296d26a244ec44576f4ad9e1e910403ed67636cbcca6

Download Submit
C:\Windows\{8FF32670-4398-4b78-8707-F4DFDE1FB57D}.exe

Filesize
90KB

MD5
276fc2ec93dce5c0b07bc109b44b404a

SHA1
676cedbfb5ed9ecb8e4200efaa23074b1b30136d

SHA256
a1ee5fbca51ceaead2121245627956a8a19a4bc61adc29fb839cdb91db3b5208

SHA512
9686bdc89612d365c4b084f944bc24439bafc8efc14e4a4ed1e874f6292e4835bc319013d5debe3b362d54ce305e294469fbdc7c57878a8767605d3adf5ae6cd

Download Submit
C:\Windows\{9A61C993-D453-4d11-AC3E-B90F41BF5F8A}.exe

Filesize
90KB

MD5
1225bb3b37f537cea78f64357f8e866b

SHA1
f6b75723592aa72446fe6e8f99da946e73cc21dd

SHA256
85c706d733d3a6ee47a073ebd98ba1beaf6e8f0d63c76886ac387469adcdc469

SHA512
3713b4870093d58e8d40e363652d7e8b1060124cda94d4ebe4dd7b676985ccc340ce5c596a4a4c54cae652f36c83d963927cffdf841ab61f62486f8a45e29a5e

Download Submit
C:\Windows\{9C8EE57A-6698-4495-9C13-2AA75B2C39DF}.exe

Filesize
90KB

MD5
f0f702a28d83d05dfc9fac603ff021be

SHA1
254ad815069f29a759c0b321c59c9dfeaa323ecd

SHA256
94f2d45c79018d211f29e26a8c881939cc7919a983bffadb17a324f584599ecd

SHA512
db167be74929f336ef83c86717b212a95dbff4d4baf557ea28cae03e85755024f8e2ab9b90e3d863c1440905a3833b4d183717172a9c052a815e23ebd6e76698

Download Submit
C:\Windows\{9D29E36D-AC27-4283-9103-122CEDB314A5}.exe

Filesize
90KB

MD5
d117a060eb5850fedb94c7b09f3f8a42

SHA1
6678ace89a29eedd661d67b0b36c068cffc3d434

SHA256
95d1143df3e231d01da9457405ae360f636cb343cd0d46eedf75263fcc0da784

SHA512
2bb2a95150004bcea19b79d4f552a6d1a2d3153537ec86e208dc62cd212050a92a41ce913fe1ed6be58d783f2b22d1c3e578b13b55c894330ae8bcf58244f414

Download Submit
C:\Windows\{AAE914EF-A52E-43cf-953D-745BEB1CA140}.exe

Filesize
90KB

MD5
2fce544fe93c82080468d01e3e05dc68

SHA1
8c906e377c7f08150aeda33483f8ff804473727e

SHA256
083de654ecebf442801514a1cf37aea25ddb898bcbbf37a83752ef9d3d4469d3

SHA512
b0c010bede173ebcc91066c980d5dd416a09345fb84edc9616627f0ad5a7971d6278a16b72eb8c0ec23e4cbc06305868d7332d6181becd9143dc4bbd63f5eae9

Download Submit
C:\Windows\{BBAC6B37-11B5-4c77-A17D-2117A76B9B6F}.exe

Filesize
90KB

MD5
b610568d686ccf6ed55e04148c922758

SHA1
ed006ddff6a89dc1e64457633bfff63f01c05f89

SHA256
6e843beda437265de0de6c37e9e82912369a2cf0d42aae3fff47b79e57a4f912

SHA512
17959b645260ca37bf1a3dfb771614ea3a057de85c358705ce081fe6b39ddb4835102a96e4acc17f1040c0436c51019fc718f4bd12e3e27bdb26e59887ebec0c

Download Submit
C:\Windows\{D3FB018E-577D-4526-94CC-8D9BC1552D48}.exe

Filesize
90KB

MD5
1323e28ea41790e8c7de465e2a713926

SHA1
3af806d7c856254c04ef835431ab7c5da7c19552

SHA256
f901aacc583d8cee3843d24ac904797e64ddd732b3c0d8569ffb5891e2e1304f

SHA512
811d7d29e34899685bd206fe41950b7741ec0e7310f7197b7e6eb9294f669052153a83723be83b89314f2818023067dedf83e41b92e4c6573d19d8bdc8b9ce6d

Download Submit
C:\Windows\{F52BD84F-9035-48e0-8E37-891F15EB6D1E}.exe

Filesize
90KB

MD5
071f6626758a1f60b42ef10a522834e0

SHA1
b9204b081a81b13a0e367907222b00cc5b1d6ae5

SHA256
a7738e238a801329c641e1d514a78840a89f05e00419ac3ff7d980ce20f97dc3

SHA512
8be360c95dc1137dfa5a6b872968ef79f46a59ecf0f8070e789fd7350f54b372286c97ce37bd811ea624c219029c2e4afe9385d4a9d6f39a31c0f855561825b8

Download Submit
C:\Windows\{FA53CCFB-D4F2-4bd7-9C2C-D87B398FA78E}.exe

Filesize
90KB

MD5
7fa36f903aa98ab86e4078f6bed39808

SHA1
7b70eafc0077a80cd2ccac39cc1201637e5dfaab

SHA256
abf7c4f4b49e883c90d8c7dd4f06edec3b85f5b1d6e9d3cc28972e2b62d09a8f

SHA512
16e50afc104115b7202bf32617f8df7da1296adced49a12b865c388b9831d2db7b1be4a9dcc8d88251460f680617efdb28546402540937023477781c5c960952

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads