31d23c9b12cff37fdf01d672d980908e42e932bb6f7dfa54605e8335fd8b398f

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11ddef887f798bff331e9c168d7df470_NeikiAnalytics.exe
Size

372KB
MD5

11ddef887f798bff331e9c168d7df470
SHA1

4a9056ea6e7db038a725e25629e2e44b94c9c050
SHA256

31d23c9b12cff37fdf01d672d980908e42e932bb6f7dfa54605e8335fd8b398f
SHA512

3a114d794266e2e4f30b57f770de5d3e37555e212de891a6c94ec58dcd534acbb8db8fb477f8c239dcf3f9628145ded599502c9c013e5379ab23606960caa0a5
SSDEEP

384:K7bLwOs8AHsc4sMfwhKQLroxx4/CFsrdb:Gvw9816vhKQLroxx4/wQR

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75FD9E35-9249-4777-A7D7-23CC1517C211}	{41FCC455-21B3-4a6a-9662-31A64075FFD7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04A5E56A-6078-4160-91B4-92FC7FC50EF8}	{C095C6EA-56EF-4115-93D6-134CB1CCC86B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E76F3601-9C93-46eb-A6AA-4481EFED82CF}\stubpath = "C:\\Windows\\{E76F3601-9C93-46eb-A6AA-4481EFED82CF}.exe"	{04A5E56A-6078-4160-91B4-92FC7FC50EF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{292FFED1-4107-44c8-BFF1-A91009E72AF2}	{E76F3601-9C93-46eb-A6AA-4481EFED82CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD4B3FB9-DC05-4371-966F-78EB774C9716}	{292FFED1-4107-44c8-BFF1-A91009E72AF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FCBFA61-0E8E-48c7-ABBE-F7421CE28C6D}\stubpath = "C:\\Windows\\{5FCBFA61-0E8E-48c7-ABBE-F7421CE28C6D}.exe"	{BD4B3FB9-DC05-4371-966F-78EB774C9716}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F988E04E-8C68-4e07-A852-8884DF1696CF}	{A3D18C85-A275-47a8-B5AB-CB58C2CA8C97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75FD9E35-9249-4777-A7D7-23CC1517C211}\stubpath = "C:\\Windows\\{75FD9E35-9249-4777-A7D7-23CC1517C211}.exe"	{41FCC455-21B3-4a6a-9662-31A64075FFD7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C095C6EA-56EF-4115-93D6-134CB1CCC86B}	{75FD9E35-9249-4777-A7D7-23CC1517C211}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E76F3601-9C93-46eb-A6AA-4481EFED82CF}	{04A5E56A-6078-4160-91B4-92FC7FC50EF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FCBFA61-0E8E-48c7-ABBE-F7421CE28C6D}	{BD4B3FB9-DC05-4371-966F-78EB774C9716}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3D18C85-A275-47a8-B5AB-CB58C2CA8C97}\stubpath = "C:\\Windows\\{A3D18C85-A275-47a8-B5AB-CB58C2CA8C97}.exe"	{5FCBFA61-0E8E-48c7-ABBE-F7421CE28C6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6F302C2-C3C4-49a5-851E-99003083A368}\stubpath = "C:\\Windows\\{F6F302C2-C3C4-49a5-851E-99003083A368}.exe"	{F988E04E-8C68-4e07-A852-8884DF1696CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41FCC455-21B3-4a6a-9662-31A64075FFD7}	11ddef887f798bff331e9c168d7df470_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04A5E56A-6078-4160-91B4-92FC7FC50EF8}\stubpath = "C:\\Windows\\{04A5E56A-6078-4160-91B4-92FC7FC50EF8}.exe"	{C095C6EA-56EF-4115-93D6-134CB1CCC86B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD4B3FB9-DC05-4371-966F-78EB774C9716}\stubpath = "C:\\Windows\\{BD4B3FB9-DC05-4371-966F-78EB774C9716}.exe"	{292FFED1-4107-44c8-BFF1-A91009E72AF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3D18C85-A275-47a8-B5AB-CB58C2CA8C97}	{5FCBFA61-0E8E-48c7-ABBE-F7421CE28C6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F988E04E-8C68-4e07-A852-8884DF1696CF}\stubpath = "C:\\Windows\\{F988E04E-8C68-4e07-A852-8884DF1696CF}.exe"	{A3D18C85-A275-47a8-B5AB-CB58C2CA8C97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41FCC455-21B3-4a6a-9662-31A64075FFD7}\stubpath = "C:\\Windows\\{41FCC455-21B3-4a6a-9662-31A64075FFD7}.exe"	11ddef887f798bff331e9c168d7df470_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C095C6EA-56EF-4115-93D6-134CB1CCC86B}\stubpath = "C:\\Windows\\{C095C6EA-56EF-4115-93D6-134CB1CCC86B}.exe"	{75FD9E35-9249-4777-A7D7-23CC1517C211}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{292FFED1-4107-44c8-BFF1-A91009E72AF2}\stubpath = "C:\\Windows\\{292FFED1-4107-44c8-BFF1-A91009E72AF2}.exe"	{E76F3601-9C93-46eb-A6AA-4481EFED82CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6F302C2-C3C4-49a5-851E-99003083A368}	{F988E04E-8C68-4e07-A852-8884DF1696CF}.exe

Deletes itself 1 IoCs

pid	Process
2968	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1708	{41FCC455-21B3-4a6a-9662-31A64075FFD7}.exe
2560	{75FD9E35-9249-4777-A7D7-23CC1517C211}.exe
2460	{C095C6EA-56EF-4115-93D6-134CB1CCC86B}.exe
1596	{04A5E56A-6078-4160-91B4-92FC7FC50EF8}.exe
2704	{E76F3601-9C93-46eb-A6AA-4481EFED82CF}.exe
292	{292FFED1-4107-44c8-BFF1-A91009E72AF2}.exe
1556	{BD4B3FB9-DC05-4371-966F-78EB774C9716}.exe
2100	{5FCBFA61-0E8E-48c7-ABBE-F7421CE28C6D}.exe
2532	{A3D18C85-A275-47a8-B5AB-CB58C2CA8C97}.exe
2216	{F988E04E-8C68-4e07-A852-8884DF1696CF}.exe
2844	{F6F302C2-C3C4-49a5-851E-99003083A368}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{75FD9E35-9249-4777-A7D7-23CC1517C211}.exe	{41FCC455-21B3-4a6a-9662-31A64075FFD7}.exe
File created	C:\Windows\{F988E04E-8C68-4e07-A852-8884DF1696CF}.exe	{A3D18C85-A275-47a8-B5AB-CB58C2CA8C97}.exe
File created	C:\Windows\{F6F302C2-C3C4-49a5-851E-99003083A368}.exe	{F988E04E-8C68-4e07-A852-8884DF1696CF}.exe
File created	C:\Windows\{5FCBFA61-0E8E-48c7-ABBE-F7421CE28C6D}.exe	{BD4B3FB9-DC05-4371-966F-78EB774C9716}.exe
File created	C:\Windows\{A3D18C85-A275-47a8-B5AB-CB58C2CA8C97}.exe	{5FCBFA61-0E8E-48c7-ABBE-F7421CE28C6D}.exe
File created	C:\Windows\{41FCC455-21B3-4a6a-9662-31A64075FFD7}.exe	11ddef887f798bff331e9c168d7df470_NeikiAnalytics.exe
File created	C:\Windows\{C095C6EA-56EF-4115-93D6-134CB1CCC86B}.exe	{75FD9E35-9249-4777-A7D7-23CC1517C211}.exe
File created	C:\Windows\{04A5E56A-6078-4160-91B4-92FC7FC50EF8}.exe	{C095C6EA-56EF-4115-93D6-134CB1CCC86B}.exe
File created	C:\Windows\{E76F3601-9C93-46eb-A6AA-4481EFED82CF}.exe	{04A5E56A-6078-4160-91B4-92FC7FC50EF8}.exe
File created	C:\Windows\{292FFED1-4107-44c8-BFF1-A91009E72AF2}.exe	{E76F3601-9C93-46eb-A6AA-4481EFED82CF}.exe
File created	C:\Windows\{BD4B3FB9-DC05-4371-966F-78EB774C9716}.exe	{292FFED1-4107-44c8-BFF1-A91009E72AF2}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2284	11ddef887f798bff331e9c168d7df470_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	1708	{41FCC455-21B3-4a6a-9662-31A64075FFD7}.exe
Token: SeIncBasePriorityPrivilege	2560	{75FD9E35-9249-4777-A7D7-23CC1517C211}.exe
Token: SeIncBasePriorityPrivilege	2460	{C095C6EA-56EF-4115-93D6-134CB1CCC86B}.exe
Token: SeIncBasePriorityPrivilege	1596	{04A5E56A-6078-4160-91B4-92FC7FC50EF8}.exe
Token: SeIncBasePriorityPrivilege	2704	{E76F3601-9C93-46eb-A6AA-4481EFED82CF}.exe
Token: SeIncBasePriorityPrivilege	292	{292FFED1-4107-44c8-BFF1-A91009E72AF2}.exe
Token: SeIncBasePriorityPrivilege	1556	{BD4B3FB9-DC05-4371-966F-78EB774C9716}.exe
Token: SeIncBasePriorityPrivilege	2100	{5FCBFA61-0E8E-48c7-ABBE-F7421CE28C6D}.exe
Token: SeIncBasePriorityPrivilege	2532	{A3D18C85-A275-47a8-B5AB-CB58C2CA8C97}.exe
Token: SeIncBasePriorityPrivilege	2216	{F988E04E-8C68-4e07-A852-8884DF1696CF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 1708	2284	11ddef887f798bff331e9c168d7df470_NeikiAnalytics.exe	28
PID 2284 wrote to memory of 1708	2284	11ddef887f798bff331e9c168d7df470_NeikiAnalytics.exe	28
PID 2284 wrote to memory of 1708	2284	11ddef887f798bff331e9c168d7df470_NeikiAnalytics.exe	28
PID 2284 wrote to memory of 1708	2284	11ddef887f798bff331e9c168d7df470_NeikiAnalytics.exe	28
PID 2284 wrote to memory of 2968	2284	11ddef887f798bff331e9c168d7df470_NeikiAnalytics.exe	29
PID 2284 wrote to memory of 2968	2284	11ddef887f798bff331e9c168d7df470_NeikiAnalytics.exe	29
PID 2284 wrote to memory of 2968	2284	11ddef887f798bff331e9c168d7df470_NeikiAnalytics.exe	29
PID 2284 wrote to memory of 2968	2284	11ddef887f798bff331e9c168d7df470_NeikiAnalytics.exe	29
PID 1708 wrote to memory of 2560	1708	{41FCC455-21B3-4a6a-9662-31A64075FFD7}.exe	30
PID 1708 wrote to memory of 2560	1708	{41FCC455-21B3-4a6a-9662-31A64075FFD7}.exe	30
PID 1708 wrote to memory of 2560	1708	{41FCC455-21B3-4a6a-9662-31A64075FFD7}.exe	30
PID 1708 wrote to memory of 2560	1708	{41FCC455-21B3-4a6a-9662-31A64075FFD7}.exe	30
PID 1708 wrote to memory of 2568	1708	{41FCC455-21B3-4a6a-9662-31A64075FFD7}.exe	31
PID 1708 wrote to memory of 2568	1708	{41FCC455-21B3-4a6a-9662-31A64075FFD7}.exe	31
PID 1708 wrote to memory of 2568	1708	{41FCC455-21B3-4a6a-9662-31A64075FFD7}.exe	31
PID 1708 wrote to memory of 2568	1708	{41FCC455-21B3-4a6a-9662-31A64075FFD7}.exe	31
PID 2560 wrote to memory of 2460	2560	{75FD9E35-9249-4777-A7D7-23CC1517C211}.exe	32
PID 2560 wrote to memory of 2460	2560	{75FD9E35-9249-4777-A7D7-23CC1517C211}.exe	32
PID 2560 wrote to memory of 2460	2560	{75FD9E35-9249-4777-A7D7-23CC1517C211}.exe	32
PID 2560 wrote to memory of 2460	2560	{75FD9E35-9249-4777-A7D7-23CC1517C211}.exe	32
PID 2560 wrote to memory of 2484	2560	{75FD9E35-9249-4777-A7D7-23CC1517C211}.exe	33
PID 2560 wrote to memory of 2484	2560	{75FD9E35-9249-4777-A7D7-23CC1517C211}.exe	33
PID 2560 wrote to memory of 2484	2560	{75FD9E35-9249-4777-A7D7-23CC1517C211}.exe	33
PID 2560 wrote to memory of 2484	2560	{75FD9E35-9249-4777-A7D7-23CC1517C211}.exe	33
PID 2460 wrote to memory of 1596	2460	{C095C6EA-56EF-4115-93D6-134CB1CCC86B}.exe	36
PID 2460 wrote to memory of 1596	2460	{C095C6EA-56EF-4115-93D6-134CB1CCC86B}.exe	36
PID 2460 wrote to memory of 1596	2460	{C095C6EA-56EF-4115-93D6-134CB1CCC86B}.exe	36
PID 2460 wrote to memory of 1596	2460	{C095C6EA-56EF-4115-93D6-134CB1CCC86B}.exe	36
PID 2460 wrote to memory of 848	2460	{C095C6EA-56EF-4115-93D6-134CB1CCC86B}.exe	37
PID 2460 wrote to memory of 848	2460	{C095C6EA-56EF-4115-93D6-134CB1CCC86B}.exe	37
PID 2460 wrote to memory of 848	2460	{C095C6EA-56EF-4115-93D6-134CB1CCC86B}.exe	37
PID 2460 wrote to memory of 848	2460	{C095C6EA-56EF-4115-93D6-134CB1CCC86B}.exe	37
PID 1596 wrote to memory of 2704	1596	{04A5E56A-6078-4160-91B4-92FC7FC50EF8}.exe	38
PID 1596 wrote to memory of 2704	1596	{04A5E56A-6078-4160-91B4-92FC7FC50EF8}.exe	38
PID 1596 wrote to memory of 2704	1596	{04A5E56A-6078-4160-91B4-92FC7FC50EF8}.exe	38
PID 1596 wrote to memory of 2704	1596	{04A5E56A-6078-4160-91B4-92FC7FC50EF8}.exe	38
PID 1596 wrote to memory of 2684	1596	{04A5E56A-6078-4160-91B4-92FC7FC50EF8}.exe	39
PID 1596 wrote to memory of 2684	1596	{04A5E56A-6078-4160-91B4-92FC7FC50EF8}.exe	39
PID 1596 wrote to memory of 2684	1596	{04A5E56A-6078-4160-91B4-92FC7FC50EF8}.exe	39
PID 1596 wrote to memory of 2684	1596	{04A5E56A-6078-4160-91B4-92FC7FC50EF8}.exe	39
PID 2704 wrote to memory of 292	2704	{E76F3601-9C93-46eb-A6AA-4481EFED82CF}.exe	40
PID 2704 wrote to memory of 292	2704	{E76F3601-9C93-46eb-A6AA-4481EFED82CF}.exe	40
PID 2704 wrote to memory of 292	2704	{E76F3601-9C93-46eb-A6AA-4481EFED82CF}.exe	40
PID 2704 wrote to memory of 292	2704	{E76F3601-9C93-46eb-A6AA-4481EFED82CF}.exe	40
PID 2704 wrote to memory of 1028	2704	{E76F3601-9C93-46eb-A6AA-4481EFED82CF}.exe	41
PID 2704 wrote to memory of 1028	2704	{E76F3601-9C93-46eb-A6AA-4481EFED82CF}.exe	41
PID 2704 wrote to memory of 1028	2704	{E76F3601-9C93-46eb-A6AA-4481EFED82CF}.exe	41
PID 2704 wrote to memory of 1028	2704	{E76F3601-9C93-46eb-A6AA-4481EFED82CF}.exe	41
PID 292 wrote to memory of 1556	292	{292FFED1-4107-44c8-BFF1-A91009E72AF2}.exe	42
PID 292 wrote to memory of 1556	292	{292FFED1-4107-44c8-BFF1-A91009E72AF2}.exe	42
PID 292 wrote to memory of 1556	292	{292FFED1-4107-44c8-BFF1-A91009E72AF2}.exe	42
PID 292 wrote to memory of 1556	292	{292FFED1-4107-44c8-BFF1-A91009E72AF2}.exe	42
PID 292 wrote to memory of 1004	292	{292FFED1-4107-44c8-BFF1-A91009E72AF2}.exe	43
PID 292 wrote to memory of 1004	292	{292FFED1-4107-44c8-BFF1-A91009E72AF2}.exe	43
PID 292 wrote to memory of 1004	292	{292FFED1-4107-44c8-BFF1-A91009E72AF2}.exe	43
PID 292 wrote to memory of 1004	292	{292FFED1-4107-44c8-BFF1-A91009E72AF2}.exe	43
PID 1556 wrote to memory of 2100	1556	{BD4B3FB9-DC05-4371-966F-78EB774C9716}.exe	44
PID 1556 wrote to memory of 2100	1556	{BD4B3FB9-DC05-4371-966F-78EB774C9716}.exe	44
PID 1556 wrote to memory of 2100	1556	{BD4B3FB9-DC05-4371-966F-78EB774C9716}.exe	44
PID 1556 wrote to memory of 2100	1556	{BD4B3FB9-DC05-4371-966F-78EB774C9716}.exe	44
PID 1556 wrote to memory of 2040	1556	{BD4B3FB9-DC05-4371-966F-78EB774C9716}.exe	45
PID 1556 wrote to memory of 2040	1556	{BD4B3FB9-DC05-4371-966F-78EB774C9716}.exe	45
PID 1556 wrote to memory of 2040	1556	{BD4B3FB9-DC05-4371-966F-78EB774C9716}.exe	45
PID 1556 wrote to memory of 2040	1556	{BD4B3FB9-DC05-4371-966F-78EB774C9716}.exe	45

C:\Users\Admin\AppData\Local\Temp\11ddef887f798bff331e9c168d7df470_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\11ddef887f798bff331e9c168d7df470_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\{41FCC455-21B3-4a6a-9662-31A64075FFD7}.exe
  C:\Windows\{41FCC455-21B3-4a6a-9662-31A64075FFD7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\{75FD9E35-9249-4777-A7D7-23CC1517C211}.exe
    C:\Windows\{75FD9E35-9249-4777-A7D7-23CC1517C211}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\{C095C6EA-56EF-4115-93D6-134CB1CCC86B}.exe
      C:\Windows\{C095C6EA-56EF-4115-93D6-134CB1CCC86B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2460
    - - C:\Windows\{04A5E56A-6078-4160-91B4-92FC7FC50EF8}.exe
        
        C:\Windows\{04A5E56A-6078-4160-91B4-92FC7FC50EF8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1596
      - C:\Windows\{E76F3601-9C93-46eb-A6AA-4481EFED82CF}.exe
        
        C:\Windows\{E76F3601-9C93-46eb-A6AA-4481EFED82CF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\{292FFED1-4107-44c8-BFF1-A91009E72AF2}.exe
        
        C:\Windows\{292FFED1-4107-44c8-BFF1-A91009E72AF2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:292
        
        C:\Windows\{BD4B3FB9-DC05-4371-966F-78EB774C9716}.exe
        
        C:\Windows\{BD4B3FB9-DC05-4371-966F-78EB774C9716}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\{5FCBFA61-0E8E-48c7-ABBE-F7421CE28C6D}.exe
        
        C:\Windows\{5FCBFA61-0E8E-48c7-ABBE-F7421CE28C6D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Windows\{A3D18C85-A275-47a8-B5AB-CB58C2CA8C97}.exe
        
        C:\Windows\{A3D18C85-A275-47a8-B5AB-CB58C2CA8C97}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
        
        C:\Windows\{F988E04E-8C68-4e07-A852-8884DF1696CF}.exe
        
        C:\Windows\{F988E04E-8C68-4e07-A852-8884DF1696CF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\{F6F302C2-C3C4-49a5-851E-99003083A368}.exe
        
        C:\Windows\{F6F302C2-C3C4-49a5-851E-99003083A368}.exe
        12⤵
        Executes dropped EXE
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F988E~1.EXE > nul
        12⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3D18~1.EXE > nul
        11⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5FCBF~1.EXE > nul
        10⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD4B3~1.EXE > nul
        9⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{292FF~1.EXE > nul
        8⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E76F3~1.EXE > nul
        7⤵
        
        PID:1028
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04A5E~1.EXE > nul
        6⤵
        
        PID:2684
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C095C~1.EXE > nul
        5⤵
        
        PID:848
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{75FD9~1.EXE > nul
      4⤵
      PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{41FCC~1.EXE > nul
    3⤵
    PID:2568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\11DDEF~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04A5E56A-6078-4160-91B4-92FC7FC50EF8}.exe

Filesize
372KB

MD5
63faf264f019af87f55c9ae52f1faee5

SHA1
1f58b5c89d29bb112360d0910adddfffaeaa01d9

SHA256
a907137e29dce5b318ac88da2f7cd5319bb2551546497c361b8dd8ee57eacb40

SHA512
c1ab5939860e39dfee0b1ffef46f4ab429693a26c531e1ff846fa9d1761640480281517e1d8a86e6486cda4a656373bba72893949b98c10dea6a38a0d0e99ca9

Download Submit
C:\Windows\{292FFED1-4107-44c8-BFF1-A91009E72AF2}.exe

Filesize
372KB

MD5
83c5d8e54f608c15d6a596cf7037686b

SHA1
89d0c3ebcb6d446758eaab0d56d9d5a7e2d55ca1

SHA256
b61aa41de4552b47c0d4a30f1993f286508f36224c499cae2da7bdecac3aa6f0

SHA512
e6941577777f5e1e930d8d0eacc4b68db85f262d9aed39bfd95798c4aa6927c290c7200d141b2d7ba39c4508a344ed215ece39095de4a577bbc8aaf59e7c3369

Download Submit
C:\Windows\{41FCC455-21B3-4a6a-9662-31A64075FFD7}.exe

Filesize
372KB

MD5
421569c573fb0e6663b009217c27a684

SHA1
2f6dd1bfa9d886001151eb665dc9217a9509dcf8

SHA256
b4994d77445a358ff1bdc7501ef51dde5474009d7060b089ec0c7ad17fd3c094

SHA512
dc836350c709854ba259c8ee3c6f746da6b403aa8063508b0b0574cc4d8d299e6d171aed4000a2c773b59d5887d3e376efde0f9ec9884377afb823064d74da59

Download Submit
C:\Windows\{5FCBFA61-0E8E-48c7-ABBE-F7421CE28C6D}.exe

Filesize
372KB

MD5
b50d0754cc752ad24cdd673a113c7dbf

SHA1
16b7918dc3501f6ee563178cd9c45671b7e2fac9

SHA256
988393a44d77d3af9aacae10c2c38883a13c28aaa37a9daed7307379b6bc4e55

SHA512
228fb8468d73109f0e4c50812a839a5699ed30069b95875e64071c71dc7bede0b10dab7e713cf248b5d295285804c9207ed4f75f252493cc6992c3b86e1fba7b

Download Submit
C:\Windows\{75FD9E35-9249-4777-A7D7-23CC1517C211}.exe

Filesize
372KB

MD5
b87f59393c8aa6e7f39c14d9efbbcca9

SHA1
cbfba4b99dbef51a97b9fa3e4244a4e800dd79df

SHA256
09b5407dda2888a83c21c829ce8e9ca4f8e6977e29677bdfc9324b31284da27f

SHA512
16eccb1706f951280e95878e6884371626204f897d904c10af9119d4b81bd5c2622e71899822795e8e23e253ecf61020f63cabeea562de2a73a3583b192a8e35

Download Submit
C:\Windows\{A3D18C85-A275-47a8-B5AB-CB58C2CA8C97}.exe

Filesize
372KB

MD5
34dc19b55400486716f3bb4d0c679724

SHA1
87951263018698b68710f8c27da45ea5f4f4d26d

SHA256
166467eb3a3cf9f80cd7cdbb5c20b79af007cec588f727cfde6bfd0114617f2c

SHA512
aa8d58ed211aeba82d941fff10583910b3a2b06eee25e4ff1215d809ba478c924bce559f562a0ed90870ced3c44fec7d9ef09d8228dc1b6bc6459ae90bdfa98a

Download Submit
C:\Windows\{BD4B3FB9-DC05-4371-966F-78EB774C9716}.exe

Filesize
372KB

MD5
2ee1f7f99b276ece74aa502563017cd7

SHA1
7f6f339da95dfcca06c1323c40caaa9b201360dd

SHA256
1c50ac31e6f947eeaea42ea25691f7d5532de73bce22d107f53cf069fe34d4e4

SHA512
ca0e90e0460bd1dac66b7bebc8ba849044b2adb8e5faa4dc1c69799c320795d9fc1a18730e8397645064b1ed36ee2a278f3c918fbf73eb9d083b11ead530f8e6

Download Submit
C:\Windows\{C095C6EA-56EF-4115-93D6-134CB1CCC86B}.exe

Filesize
372KB

MD5
5aaf1e0206e1425f8e087d8ad6c37be3

SHA1
3e9d44161393bf98d6ff01318af54555e051ea30

SHA256
e0b134d9d756d00fe9ed6743cc8c69fafe89a557c775042df4452bd15b8068e7

SHA512
27fedfcf72e81cda9fca2a95f893beac07d22422aeab8869d2f302ccfab8450f46149f8e727aee7ba943ced5c51bebc0d5c773609ee0500ea090c52259484d85

Download Submit
C:\Windows\{E76F3601-9C93-46eb-A6AA-4481EFED82CF}.exe

Filesize
372KB

MD5
408328954ad55744447ad09413e18fc9

SHA1
1fcf86ff99d565ec33bc607aa4675e7f1927f52e

SHA256
7634d972a69aaef7dce3cbfaadbea4cbe06b0af1c4e44c7d779d8e9db4cc92bd

SHA512
9c1a74a198968abbb9e8aec2c093f0031e8fe682a8b1a810aed1a870a55397f2ef5de216e634bf91c2d5c66c1f11b2e4088be14e9459b6cd8751cd597c1f7665

Download Submit
C:\Windows\{F6F302C2-C3C4-49a5-851E-99003083A368}.exe

Filesize
372KB

MD5
d7b932dd31ac2ce6390496c23d3dd318

SHA1
bb74c1b3f5c227238a2cd290e76706410d991e67

SHA256
5cc98c58a4dc93606fa2a2cf46e96da16835928934c04cd6c208867f712468c3

SHA512
14cc1df4d285beb8a5568f4193adc30daeae2537a44ec1f37a177781cd6f5d3f653eec168604893241b2c776f2360a08b0f010f57b8a8965f8435925f8cfaec1

Download Submit
C:\Windows\{F988E04E-8C68-4e07-A852-8884DF1696CF}.exe

Filesize
372KB

MD5
4215cb4d1fcb38b941657e5fedee184b

SHA1
975f634e3703f23cdc9d6c7c4b8547167d1f3d9f

SHA256
57eac4fd0d85db63ccf8000ede300b6af2206e81b967bac0b8b4fbe2add1ae51

SHA512
e4ae8099d8af9fcc0afbd18dfbe2d31881c8c267cf0c65e4b0edf34565e146aa093e9562ed08ad20107557648ab9e8c5f436f710fd0a4fe62e90d93302c90a01

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads