b7c8bf81db41528d60085c4c0e5e70c367b38446c69cee3d0e6051024e9bb92c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ad26993c84d8b7c527355995b177050_NeikiAnalytics.exe
Size

126KB
MD5

9ad26993c84d8b7c527355995b177050
SHA1

3e8f245fb0fe032dff264727e7611dd3d9689c5a
SHA256

b7c8bf81db41528d60085c4c0e5e70c367b38446c69cee3d0e6051024e9bb92c
SHA512

0c0f1315d20621642e688ce45661cd07255312e41722d07a614993d7399d76095797e7b4788a5418b680bf0f849fa7db41b6db99405e81c4380c9c170cf63014
SSDEEP

1536:aEGJ0o0lYunMxVS3HgdoKjhLJh731xvsr:aEGJ0o0llMUyNjhLJh731xvsr

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80825016-7309-47e1-8C75-AF9DE1B6246A}	{65684595-2E10-4f04-BC4A-87DC82C660F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23FC7639-AD41-4472-AFCD-55CDEBA1B973}	{DF97E8D0-606C-4fa6-9297-3D15B0F9530D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23FC7639-AD41-4472-AFCD-55CDEBA1B973}\stubpath = "C:\\Windows\\{23FC7639-AD41-4472-AFCD-55CDEBA1B973}.exe"	{DF97E8D0-606C-4fa6-9297-3D15B0F9530D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CC763BD-CF8E-41bf-8FF1-F5D591DE8994}	{5AE4E515-9D43-4fe9-95B7-B961739E806E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{354E06BD-9C35-4f73-B61A-2C4E3FC2F016}	{3CC763BD-CF8E-41bf-8FF1-F5D591DE8994}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EDB4720-7A1D-4a95-AF9F-0058FFC084B3}	{354E06BD-9C35-4f73-B61A-2C4E3FC2F016}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E47DD5CC-2374-49a1-BFD1-E3098805CDEC}\stubpath = "C:\\Windows\\{E47DD5CC-2374-49a1-BFD1-E3098805CDEC}.exe"	{3EDB4720-7A1D-4a95-AF9F-0058FFC084B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1D529B7-C432-4b28-8DCF-9E8F4346A51E}\stubpath = "C:\\Windows\\{F1D529B7-C432-4b28-8DCF-9E8F4346A51E}.exe"	{98FD5220-F7ED-4c86-A2E6-A9E6370DE79E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80825016-7309-47e1-8C75-AF9DE1B6246A}\stubpath = "C:\\Windows\\{80825016-7309-47e1-8C75-AF9DE1B6246A}.exe"	{65684595-2E10-4f04-BC4A-87DC82C660F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF97E8D0-606C-4fa6-9297-3D15B0F9530D}\stubpath = "C:\\Windows\\{DF97E8D0-606C-4fa6-9297-3D15B0F9530D}.exe"	{80825016-7309-47e1-8C75-AF9DE1B6246A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEC0D98F-6849-4b65-8105-9CEB99205635}\stubpath = "C:\\Windows\\{BEC0D98F-6849-4b65-8105-9CEB99205635}.exe"	{23FC7639-AD41-4472-AFCD-55CDEBA1B973}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EDB4720-7A1D-4a95-AF9F-0058FFC084B3}\stubpath = "C:\\Windows\\{3EDB4720-7A1D-4a95-AF9F-0058FFC084B3}.exe"	{354E06BD-9C35-4f73-B61A-2C4E3FC2F016}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98FD5220-F7ED-4c86-A2E6-A9E6370DE79E}	{E47DD5CC-2374-49a1-BFD1-E3098805CDEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF97E8D0-606C-4fa6-9297-3D15B0F9530D}	{80825016-7309-47e1-8C75-AF9DE1B6246A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AE4E515-9D43-4fe9-95B7-B961739E806E}	{BEC0D98F-6849-4b65-8105-9CEB99205635}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E47DD5CC-2374-49a1-BFD1-E3098805CDEC}	{3EDB4720-7A1D-4a95-AF9F-0058FFC084B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1D529B7-C432-4b28-8DCF-9E8F4346A51E}	{98FD5220-F7ED-4c86-A2E6-A9E6370DE79E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65684595-2E10-4f04-BC4A-87DC82C660F0}	9ad26993c84d8b7c527355995b177050_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65684595-2E10-4f04-BC4A-87DC82C660F0}\stubpath = "C:\\Windows\\{65684595-2E10-4f04-BC4A-87DC82C660F0}.exe"	9ad26993c84d8b7c527355995b177050_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEC0D98F-6849-4b65-8105-9CEB99205635}	{23FC7639-AD41-4472-AFCD-55CDEBA1B973}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5AE4E515-9D43-4fe9-95B7-B961739E806E}\stubpath = "C:\\Windows\\{5AE4E515-9D43-4fe9-95B7-B961739E806E}.exe"	{BEC0D98F-6849-4b65-8105-9CEB99205635}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CC763BD-CF8E-41bf-8FF1-F5D591DE8994}\stubpath = "C:\\Windows\\{3CC763BD-CF8E-41bf-8FF1-F5D591DE8994}.exe"	{5AE4E515-9D43-4fe9-95B7-B961739E806E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{354E06BD-9C35-4f73-B61A-2C4E3FC2F016}\stubpath = "C:\\Windows\\{354E06BD-9C35-4f73-B61A-2C4E3FC2F016}.exe"	{3CC763BD-CF8E-41bf-8FF1-F5D591DE8994}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98FD5220-F7ED-4c86-A2E6-A9E6370DE79E}\stubpath = "C:\\Windows\\{98FD5220-F7ED-4c86-A2E6-A9E6370DE79E}.exe"	{E47DD5CC-2374-49a1-BFD1-E3098805CDEC}.exe

Executes dropped EXE 12 IoCs

pid	Process
624	{65684595-2E10-4f04-BC4A-87DC82C660F0}.exe
872	{80825016-7309-47e1-8C75-AF9DE1B6246A}.exe
696	{DF97E8D0-606C-4fa6-9297-3D15B0F9530D}.exe
1088	{23FC7639-AD41-4472-AFCD-55CDEBA1B973}.exe
4364	{BEC0D98F-6849-4b65-8105-9CEB99205635}.exe
2016	{5AE4E515-9D43-4fe9-95B7-B961739E806E}.exe
5076	{3CC763BD-CF8E-41bf-8FF1-F5D591DE8994}.exe
3156	{354E06BD-9C35-4f73-B61A-2C4E3FC2F016}.exe
2556	{3EDB4720-7A1D-4a95-AF9F-0058FFC084B3}.exe
3780	{E47DD5CC-2374-49a1-BFD1-E3098805CDEC}.exe
392	{98FD5220-F7ED-4c86-A2E6-A9E6370DE79E}.exe
1124	{F1D529B7-C432-4b28-8DCF-9E8F4346A51E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E47DD5CC-2374-49a1-BFD1-E3098805CDEC}.exe	{3EDB4720-7A1D-4a95-AF9F-0058FFC084B3}.exe
File created	C:\Windows\{98FD5220-F7ED-4c86-A2E6-A9E6370DE79E}.exe	{E47DD5CC-2374-49a1-BFD1-E3098805CDEC}.exe
File created	C:\Windows\{F1D529B7-C432-4b28-8DCF-9E8F4346A51E}.exe	{98FD5220-F7ED-4c86-A2E6-A9E6370DE79E}.exe
File created	C:\Windows\{65684595-2E10-4f04-BC4A-87DC82C660F0}.exe	9ad26993c84d8b7c527355995b177050_NeikiAnalytics.exe
File created	C:\Windows\{DF97E8D0-606C-4fa6-9297-3D15B0F9530D}.exe	{80825016-7309-47e1-8C75-AF9DE1B6246A}.exe
File created	C:\Windows\{BEC0D98F-6849-4b65-8105-9CEB99205635}.exe	{23FC7639-AD41-4472-AFCD-55CDEBA1B973}.exe
File created	C:\Windows\{354E06BD-9C35-4f73-B61A-2C4E3FC2F016}.exe	{3CC763BD-CF8E-41bf-8FF1-F5D591DE8994}.exe
File created	C:\Windows\{3EDB4720-7A1D-4a95-AF9F-0058FFC084B3}.exe	{354E06BD-9C35-4f73-B61A-2C4E3FC2F016}.exe
File created	C:\Windows\{80825016-7309-47e1-8C75-AF9DE1B6246A}.exe	{65684595-2E10-4f04-BC4A-87DC82C660F0}.exe
File created	C:\Windows\{23FC7639-AD41-4472-AFCD-55CDEBA1B973}.exe	{DF97E8D0-606C-4fa6-9297-3D15B0F9530D}.exe
File created	C:\Windows\{5AE4E515-9D43-4fe9-95B7-B961739E806E}.exe	{BEC0D98F-6849-4b65-8105-9CEB99205635}.exe
File created	C:\Windows\{3CC763BD-CF8E-41bf-8FF1-F5D591DE8994}.exe	{5AE4E515-9D43-4fe9-95B7-B961739E806E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1180	9ad26993c84d8b7c527355995b177050_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	624	{65684595-2E10-4f04-BC4A-87DC82C660F0}.exe
Token: SeIncBasePriorityPrivilege	872	{80825016-7309-47e1-8C75-AF9DE1B6246A}.exe
Token: SeIncBasePriorityPrivilege	696	{DF97E8D0-606C-4fa6-9297-3D15B0F9530D}.exe
Token: SeIncBasePriorityPrivilege	1088	{23FC7639-AD41-4472-AFCD-55CDEBA1B973}.exe
Token: SeIncBasePriorityPrivilege	4364	{BEC0D98F-6849-4b65-8105-9CEB99205635}.exe
Token: SeIncBasePriorityPrivilege	2016	{5AE4E515-9D43-4fe9-95B7-B961739E806E}.exe
Token: SeIncBasePriorityPrivilege	5076	{3CC763BD-CF8E-41bf-8FF1-F5D591DE8994}.exe
Token: SeIncBasePriorityPrivilege	3156	{354E06BD-9C35-4f73-B61A-2C4E3FC2F016}.exe
Token: SeIncBasePriorityPrivilege	2556	{3EDB4720-7A1D-4a95-AF9F-0058FFC084B3}.exe
Token: SeIncBasePriorityPrivilege	3780	{E47DD5CC-2374-49a1-BFD1-E3098805CDEC}.exe
Token: SeIncBasePriorityPrivilege	392	{98FD5220-F7ED-4c86-A2E6-A9E6370DE79E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 624	1180	9ad26993c84d8b7c527355995b177050_NeikiAnalytics.exe	86
PID 1180 wrote to memory of 624	1180	9ad26993c84d8b7c527355995b177050_NeikiAnalytics.exe	86
PID 1180 wrote to memory of 624	1180	9ad26993c84d8b7c527355995b177050_NeikiAnalytics.exe	86
PID 1180 wrote to memory of 1108	1180	9ad26993c84d8b7c527355995b177050_NeikiAnalytics.exe	87
PID 1180 wrote to memory of 1108	1180	9ad26993c84d8b7c527355995b177050_NeikiAnalytics.exe	87
PID 1180 wrote to memory of 1108	1180	9ad26993c84d8b7c527355995b177050_NeikiAnalytics.exe	87
PID 624 wrote to memory of 872	624	{65684595-2E10-4f04-BC4A-87DC82C660F0}.exe	88
PID 624 wrote to memory of 872	624	{65684595-2E10-4f04-BC4A-87DC82C660F0}.exe	88
PID 624 wrote to memory of 872	624	{65684595-2E10-4f04-BC4A-87DC82C660F0}.exe	88
PID 624 wrote to memory of 2320	624	{65684595-2E10-4f04-BC4A-87DC82C660F0}.exe	89
PID 624 wrote to memory of 2320	624	{65684595-2E10-4f04-BC4A-87DC82C660F0}.exe	89
PID 624 wrote to memory of 2320	624	{65684595-2E10-4f04-BC4A-87DC82C660F0}.exe	89
PID 872 wrote to memory of 696	872	{80825016-7309-47e1-8C75-AF9DE1B6246A}.exe	93
PID 872 wrote to memory of 696	872	{80825016-7309-47e1-8C75-AF9DE1B6246A}.exe	93
PID 872 wrote to memory of 696	872	{80825016-7309-47e1-8C75-AF9DE1B6246A}.exe	93
PID 872 wrote to memory of 688	872	{80825016-7309-47e1-8C75-AF9DE1B6246A}.exe	94
PID 872 wrote to memory of 688	872	{80825016-7309-47e1-8C75-AF9DE1B6246A}.exe	94
PID 872 wrote to memory of 688	872	{80825016-7309-47e1-8C75-AF9DE1B6246A}.exe	94
PID 696 wrote to memory of 1088	696	{DF97E8D0-606C-4fa6-9297-3D15B0F9530D}.exe	95
PID 696 wrote to memory of 1088	696	{DF97E8D0-606C-4fa6-9297-3D15B0F9530D}.exe	95
PID 696 wrote to memory of 1088	696	{DF97E8D0-606C-4fa6-9297-3D15B0F9530D}.exe	95
PID 696 wrote to memory of 1276	696	{DF97E8D0-606C-4fa6-9297-3D15B0F9530D}.exe	96
PID 696 wrote to memory of 1276	696	{DF97E8D0-606C-4fa6-9297-3D15B0F9530D}.exe	96
PID 696 wrote to memory of 1276	696	{DF97E8D0-606C-4fa6-9297-3D15B0F9530D}.exe	96
PID 1088 wrote to memory of 4364	1088	{23FC7639-AD41-4472-AFCD-55CDEBA1B973}.exe	97
PID 1088 wrote to memory of 4364	1088	{23FC7639-AD41-4472-AFCD-55CDEBA1B973}.exe	97
PID 1088 wrote to memory of 4364	1088	{23FC7639-AD41-4472-AFCD-55CDEBA1B973}.exe	97
PID 1088 wrote to memory of 5056	1088	{23FC7639-AD41-4472-AFCD-55CDEBA1B973}.exe	98
PID 1088 wrote to memory of 5056	1088	{23FC7639-AD41-4472-AFCD-55CDEBA1B973}.exe	98
PID 1088 wrote to memory of 5056	1088	{23FC7639-AD41-4472-AFCD-55CDEBA1B973}.exe	98
PID 4364 wrote to memory of 2016	4364	{BEC0D98F-6849-4b65-8105-9CEB99205635}.exe	99
PID 4364 wrote to memory of 2016	4364	{BEC0D98F-6849-4b65-8105-9CEB99205635}.exe	99
PID 4364 wrote to memory of 2016	4364	{BEC0D98F-6849-4b65-8105-9CEB99205635}.exe	99
PID 4364 wrote to memory of 4536	4364	{BEC0D98F-6849-4b65-8105-9CEB99205635}.exe	100
PID 4364 wrote to memory of 4536	4364	{BEC0D98F-6849-4b65-8105-9CEB99205635}.exe	100
PID 4364 wrote to memory of 4536	4364	{BEC0D98F-6849-4b65-8105-9CEB99205635}.exe	100
PID 2016 wrote to memory of 5076	2016	{5AE4E515-9D43-4fe9-95B7-B961739E806E}.exe	101
PID 2016 wrote to memory of 5076	2016	{5AE4E515-9D43-4fe9-95B7-B961739E806E}.exe	101
PID 2016 wrote to memory of 5076	2016	{5AE4E515-9D43-4fe9-95B7-B961739E806E}.exe	101
PID 2016 wrote to memory of 4404	2016	{5AE4E515-9D43-4fe9-95B7-B961739E806E}.exe	102
PID 2016 wrote to memory of 4404	2016	{5AE4E515-9D43-4fe9-95B7-B961739E806E}.exe	102
PID 2016 wrote to memory of 4404	2016	{5AE4E515-9D43-4fe9-95B7-B961739E806E}.exe	102
PID 5076 wrote to memory of 3156	5076	{3CC763BD-CF8E-41bf-8FF1-F5D591DE8994}.exe	103
PID 5076 wrote to memory of 3156	5076	{3CC763BD-CF8E-41bf-8FF1-F5D591DE8994}.exe	103
PID 5076 wrote to memory of 3156	5076	{3CC763BD-CF8E-41bf-8FF1-F5D591DE8994}.exe	103
PID 5076 wrote to memory of 4164	5076	{3CC763BD-CF8E-41bf-8FF1-F5D591DE8994}.exe	104
PID 5076 wrote to memory of 4164	5076	{3CC763BD-CF8E-41bf-8FF1-F5D591DE8994}.exe	104
PID 5076 wrote to memory of 4164	5076	{3CC763BD-CF8E-41bf-8FF1-F5D591DE8994}.exe	104
PID 3156 wrote to memory of 2556	3156	{354E06BD-9C35-4f73-B61A-2C4E3FC2F016}.exe	105
PID 3156 wrote to memory of 2556	3156	{354E06BD-9C35-4f73-B61A-2C4E3FC2F016}.exe	105
PID 3156 wrote to memory of 2556	3156	{354E06BD-9C35-4f73-B61A-2C4E3FC2F016}.exe	105
PID 3156 wrote to memory of 1536	3156	{354E06BD-9C35-4f73-B61A-2C4E3FC2F016}.exe	106
PID 3156 wrote to memory of 1536	3156	{354E06BD-9C35-4f73-B61A-2C4E3FC2F016}.exe	106
PID 3156 wrote to memory of 1536	3156	{354E06BD-9C35-4f73-B61A-2C4E3FC2F016}.exe	106
PID 2556 wrote to memory of 3780	2556	{3EDB4720-7A1D-4a95-AF9F-0058FFC084B3}.exe	107
PID 2556 wrote to memory of 3780	2556	{3EDB4720-7A1D-4a95-AF9F-0058FFC084B3}.exe	107
PID 2556 wrote to memory of 3780	2556	{3EDB4720-7A1D-4a95-AF9F-0058FFC084B3}.exe	107
PID 2556 wrote to memory of 4588	2556	{3EDB4720-7A1D-4a95-AF9F-0058FFC084B3}.exe	108
PID 2556 wrote to memory of 4588	2556	{3EDB4720-7A1D-4a95-AF9F-0058FFC084B3}.exe	108
PID 2556 wrote to memory of 4588	2556	{3EDB4720-7A1D-4a95-AF9F-0058FFC084B3}.exe	108
PID 3780 wrote to memory of 392	3780	{E47DD5CC-2374-49a1-BFD1-E3098805CDEC}.exe	109
PID 3780 wrote to memory of 392	3780	{E47DD5CC-2374-49a1-BFD1-E3098805CDEC}.exe	109
PID 3780 wrote to memory of 392	3780	{E47DD5CC-2374-49a1-BFD1-E3098805CDEC}.exe	109
PID 3780 wrote to memory of 3060	3780	{E47DD5CC-2374-49a1-BFD1-E3098805CDEC}.exe	110

C:\Users\Admin\AppData\Local\Temp\9ad26993c84d8b7c527355995b177050_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9ad26993c84d8b7c527355995b177050_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Windows\{65684595-2E10-4f04-BC4A-87DC82C660F0}.exe
  C:\Windows\{65684595-2E10-4f04-BC4A-87DC82C660F0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Windows\{80825016-7309-47e1-8C75-AF9DE1B6246A}.exe
    C:\Windows\{80825016-7309-47e1-8C75-AF9DE1B6246A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:872
  - - C:\Windows\{DF97E8D0-606C-4fa6-9297-3D15B0F9530D}.exe
      C:\Windows\{DF97E8D0-606C-4fa6-9297-3D15B0F9530D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:696
    - - C:\Windows\{23FC7639-AD41-4472-AFCD-55CDEBA1B973}.exe
        
        C:\Windows\{23FC7639-AD41-4472-AFCD-55CDEBA1B973}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1088
      - C:\Windows\{BEC0D98F-6849-4b65-8105-9CEB99205635}.exe
        
        C:\Windows\{BEC0D98F-6849-4b65-8105-9CEB99205635}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\{5AE4E515-9D43-4fe9-95B7-B961739E806E}.exe
        
        C:\Windows\{5AE4E515-9D43-4fe9-95B7-B961739E806E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\{3CC763BD-CF8E-41bf-8FF1-F5D591DE8994}.exe
        
        C:\Windows\{3CC763BD-CF8E-41bf-8FF1-F5D591DE8994}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5076
        
        C:\Windows\{354E06BD-9C35-4f73-B61A-2C4E3FC2F016}.exe
        
        C:\Windows\{354E06BD-9C35-4f73-B61A-2C4E3FC2F016}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\{3EDB4720-7A1D-4a95-AF9F-0058FFC084B3}.exe
        
        C:\Windows\{3EDB4720-7A1D-4a95-AF9F-0058FFC084B3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\{E47DD5CC-2374-49a1-BFD1-E3098805CDEC}.exe
        
        C:\Windows\{E47DD5CC-2374-49a1-BFD1-E3098805CDEC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3780
        
        C:\Windows\{98FD5220-F7ED-4c86-A2E6-A9E6370DE79E}.exe
        
        C:\Windows\{98FD5220-F7ED-4c86-A2E6-A9E6370DE79E}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:392
        
        C:\Windows\{F1D529B7-C432-4b28-8DCF-9E8F4346A51E}.exe
        
        C:\Windows\{F1D529B7-C432-4b28-8DCF-9E8F4346A51E}.exe
        13⤵
        Executes dropped EXE
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98FD5~1.EXE > nul
        13⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E47DD~1.EXE > nul
        12⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3EDB4~1.EXE > nul
        11⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{354E0~1.EXE > nul
        10⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3CC76~1.EXE > nul
        9⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5AE4E~1.EXE > nul
        8⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BEC0D~1.EXE > nul
        7⤵
        
        PID:4536
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23FC7~1.EXE > nul
        6⤵
        
        PID:5056
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF97E~1.EXE > nul
        5⤵
        
        PID:1276
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{80825~1.EXE > nul
      4⤵
      PID:688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{65684~1.EXE > nul
    3⤵
    PID:2320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9AD269~1.EXE > nul
  2⤵
  PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{23FC7639-AD41-4472-AFCD-55CDEBA1B973}.exe

Filesize
126KB

MD5
ae8d969ea6e20409d5dd3ff349a19aca

SHA1
ff5494393a280979388e2d67fd5089c8ff7141dc

SHA256
1a82938aa7ecddf918bcb46365ec4eeee7beb339f69d4bd9f0c83b67ce5b30ab

SHA512
c8376c5246483be176eef5d6c465f56c5e58aedc5b1513733ea737643b16311e61db54cce0a7c1716811d0a071cc7db28d6f2d5d3ed2e23ef3c8cf0d88e516ba

Download Submit
C:\Windows\{354E06BD-9C35-4f73-B61A-2C4E3FC2F016}.exe

Filesize
126KB

MD5
676dad5b886fa64ef1059b7de0563621

SHA1
6b4ae0407728967a4aa5ceb50bc6a510458f018f

SHA256
97b780c7113120f0096f16b1208939fe4bd0ba0e8a1dc852ba4ded30a8681868

SHA512
94304768f97c989c624ee4649697b5806d3ea022b1d6928bae7e7ed64d601350cd3eae1d2853f38e21aa39c2aa041261d7830cb4577a324c33450e566dccea34

Download Submit
C:\Windows\{3CC763BD-CF8E-41bf-8FF1-F5D591DE8994}.exe

Filesize
126KB

MD5
321c310f4a3d0cbde99f718926585bb1

SHA1
fc7246c580a6661031e7191421afd2aa52345f04

SHA256
452cfa42d3606317bd4a9cfe0fa5fa9ee720b867797e66af600014096471036c

SHA512
3366309fb60af6fad425b7d315cfc62d93d2a2a0b2ebd9ee353fbdd6dcc85e86b25231d6bd1a8cd94bf7e00fa34444a9ba567293f256262e64f89a5cbd12ecdd

Download Submit
C:\Windows\{3EDB4720-7A1D-4a95-AF9F-0058FFC084B3}.exe

Filesize
126KB

MD5
c0e22eddd3d53a03944800b18651a9a8

SHA1
e90e1e56065a86171f2fd59fd42388c02dc282ea

SHA256
57375efd824423e1446197e8c88d04c6652d600dabcd9c320540bc2c2d9634c4

SHA512
0b0a16d61e8a87aa897e461a6ffbc08ab8f2f0fea76eef9558266dd0d0e149409bc365b2257b85a5cd8c636e9e5a5f522e659cea67e1e81c19c519bbad1e36fb

Download Submit
C:\Windows\{5AE4E515-9D43-4fe9-95B7-B961739E806E}.exe

Filesize
126KB

MD5
f1699899cea4dbcd2b8a602674bf4649

SHA1
3eea323067aa13b1ecfceb6e07fe66eac0bff588

SHA256
58e72f553939743c0bb18c41ebecab9eeb8c70d7f8cb681a77d3baa1174e5fe7

SHA512
ec3f45b2bd0d761a51c9eba1f900f120b55919a0825e9d2f093af4f435fb7c9394b801b5d21d007b04434eb576737569c2c62b0f3ee10999293b5eadb0cc585d

Download Submit
C:\Windows\{65684595-2E10-4f04-BC4A-87DC82C660F0}.exe

Filesize
126KB

MD5
bd17ed46473e6e78d0e907e1181f1a8b

SHA1
972b245570a7cc2a2e321d189d55490a53362ea3

SHA256
5cef2c66206522d32721abebb4f8d8d5e6d298bb727703d9609ea8be6036bc6d

SHA512
214af225c4d3310ccbbf94424ba22ddfb669bcdd45e7899149257cc99eeb11573cff1066ad17b7d1a190a24e255e9139eefd11a612899feb2972feeed1ebc34f

Download Submit
C:\Windows\{80825016-7309-47e1-8C75-AF9DE1B6246A}.exe

Filesize
126KB

MD5
d8127f166b702f66a1b3f76ea2ae524d

SHA1
8518c0489dbf751b37a8b5d5ae81f8ae37aa7b10

SHA256
f3ca2fa18b81d92e3d4e5cf8301f2871e6bcf65a68de9b70e07d5187cc69e530

SHA512
50075f37973f33b3970a72921ec16672179838412e30dffcef2c5fd13ac047f0c962b163b6fd5b92c36f6e239a80cfbd6450cd4318b5af836ea887f531cf7f3c

Download Submit
C:\Windows\{98FD5220-F7ED-4c86-A2E6-A9E6370DE79E}.exe

Filesize
126KB

MD5
da54361460023faec56b119d2579be21

SHA1
02dbaa1c33151845f45daee130bd3b04c597bc38

SHA256
cee688c9bdf96b88f96433ce0d058f9f50fd0f734ae0b13f3e23d13cdf56bf89

SHA512
4ccd2f577a2fd58d709b30ed3fa0feb2e0756e183f3659e706c05017cf6a56be59619b9a5e5d45e9bb4dcb2d7a82076b0e66a7688feb88a0f29c817561b0a86e

Download Submit
C:\Windows\{BEC0D98F-6849-4b65-8105-9CEB99205635}.exe

Filesize
126KB

MD5
b46b9ca82845c8e82fe5a526211f0ed0

SHA1
bfc75186a9bb342bfc7680a6f766b9f70afa3ebc

SHA256
de34084ebf338fab57ea6cf38816db151f497c567e0bb6a3b2c8fe128585e709

SHA512
e9b6f79249387f1323fd696831f6a64a3033960465c866656181d979b9cf98c307dba221f9a9eab79aca457413579628059c6c2f8c4c4004596c021490a001dd

Download Submit
C:\Windows\{DF97E8D0-606C-4fa6-9297-3D15B0F9530D}.exe

Filesize
126KB

MD5
f7f74f9bb546e12dd78289e6adfa4cd2

SHA1
e787bda3a6ff382a49f161882c577a394f7c98a1

SHA256
3f21970933722ba98e77b4fb77c6eda0ffa5ba946a87d6ade123a77fe4fb982b

SHA512
8f6c263c38cd6cdec575d641ce58ce6c3aad9fd3a593026dedc8a8785ea236b1702cd553467ec7cfcc93a590bc0624bcbef9c4dbb5afc69c8bc24bedebd175cf

Download Submit
C:\Windows\{E47DD5CC-2374-49a1-BFD1-E3098805CDEC}.exe

Filesize
126KB

MD5
2f897b8cdd0b53e98072c6e144e43dc9

SHA1
59e0b96a1de160f9b857d692ae6fa6ce01bedb1f

SHA256
9215f614ddd9cb901091f54aa7d950d0220198c8ec726ebd6def9a5753c7de59

SHA512
05cb1f98094d98c206573e3226c5db6f178ef4614527483101a48790d57fd920979a93b95fc5c276075927dc4fdbd6fa47d1c6e10113b7938158116ceb56e713

Download Submit
C:\Windows\{F1D529B7-C432-4b28-8DCF-9E8F4346A51E}.exe

Filesize
126KB

MD5
94a7b85528396db7069fd7c1147e0da7

SHA1
a69c8648210b36ec1f5d81db5030dff870311a41

SHA256
48451e63c40890c9b0e3a95665b641098d5aa22322abdf75e0038d6e4b286c41

SHA512
7542d755e6c7cc63c011966c56d9f32154e6b52922aeb692fca8f381a263f5978b852f97676b48638c8a3f55e5b4cb33f9cdbc961e63d50c16b1f9ae7bed6bac

Download Submit
memory/392-65-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/392-69-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/624-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/624-4-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/696-23-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/696-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/872-15-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/872-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1088-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1088-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1180-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1180-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2016-39-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2016-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2556-57-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2556-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3156-52-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3156-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3780-59-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3780-63-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4364-33-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5076-45-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5076-40-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads