31d23c9b12cff37fdf01d672d980908e42e932bb6f7dfa54605e8335fd8b398f

Analysis

max time kernel
149s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11ddef887f798bff331e9c168d7df470_NeikiAnalytics.exe
Size

372KB
MD5

11ddef887f798bff331e9c168d7df470
SHA1

4a9056ea6e7db038a725e25629e2e44b94c9c050
SHA256

31d23c9b12cff37fdf01d672d980908e42e932bb6f7dfa54605e8335fd8b398f
SHA512

3a114d794266e2e4f30b57f770de5d3e37555e212de891a6c94ec58dcd534acbb8db8fb477f8c239dcf3f9628145ded599502c9c013e5379ab23606960caa0a5
SSDEEP

384:K7bLwOs8AHsc4sMfwhKQLroxx4/CFsrdb:Gvw9816vhKQLroxx4/wQR

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9D054B7-80A6-426b-8BF7-1EC80B19D814}	{6749BFE4-C669-4faf-ADEE-298E1416B464}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DFBBBB0-FFB0-4e8a-AD1D-E78E2062335F}\stubpath = "C:\\Windows\\{1DFBBBB0-FFB0-4e8a-AD1D-E78E2062335F}.exe"	{E0ABA9B7-0425-42aa-89D0-8075B30EB72B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{935D4415-1352-4f41-93A1-F4D3153B198C}\stubpath = "C:\\Windows\\{935D4415-1352-4f41-93A1-F4D3153B198C}.exe"	{B888887B-5990-4522-BBD8-BFF885ED4BAD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F8506E1-88D0-488d-9749-A9C8EE871A57}\stubpath = "C:\\Windows\\{6F8506E1-88D0-488d-9749-A9C8EE871A57}.exe"	{1DFBBBB0-FFB0-4e8a-AD1D-E78E2062335F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FE89377-09F7-4030-A1FC-441B1C451CFC}	{6F8506E1-88D0-488d-9749-A9C8EE871A57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B27EB92F-80D1-4c17-A185-4E2555820C95}\stubpath = "C:\\Windows\\{B27EB92F-80D1-4c17-A185-4E2555820C95}.exe"	{8FE89377-09F7-4030-A1FC-441B1C451CFC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{517EDD72-0D4B-4a1a-B1DE-D9625D1FE079}\stubpath = "C:\\Windows\\{517EDD72-0D4B-4a1a-B1DE-D9625D1FE079}.exe"	{B27EB92F-80D1-4c17-A185-4E2555820C95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9D054B7-80A6-426b-8BF7-1EC80B19D814}\stubpath = "C:\\Windows\\{C9D054B7-80A6-426b-8BF7-1EC80B19D814}.exe"	{6749BFE4-C669-4faf-ADEE-298E1416B464}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0ABA9B7-0425-42aa-89D0-8075B30EB72B}	{5A36A558-EA0A-4cf6-828E-19C984A43D9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0ABA9B7-0425-42aa-89D0-8075B30EB72B}\stubpath = "C:\\Windows\\{E0ABA9B7-0425-42aa-89D0-8075B30EB72B}.exe"	{5A36A558-EA0A-4cf6-828E-19C984A43D9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F8506E1-88D0-488d-9749-A9C8EE871A57}	{1DFBBBB0-FFB0-4e8a-AD1D-E78E2062335F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F96E1D5-E4FD-4506-8C2C-DD1B35F49807}	{517EDD72-0D4B-4a1a-B1DE-D9625D1FE079}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F96E1D5-E4FD-4506-8C2C-DD1B35F49807}\stubpath = "C:\\Windows\\{6F96E1D5-E4FD-4506-8C2C-DD1B35F49807}.exe"	{517EDD72-0D4B-4a1a-B1DE-D9625D1FE079}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{935D4415-1352-4f41-93A1-F4D3153B198C}	{B888887B-5990-4522-BBD8-BFF885ED4BAD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6749BFE4-C669-4faf-ADEE-298E1416B464}	11ddef887f798bff331e9c168d7df470_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6749BFE4-C669-4faf-ADEE-298E1416B464}\stubpath = "C:\\Windows\\{6749BFE4-C669-4faf-ADEE-298E1416B464}.exe"	11ddef887f798bff331e9c168d7df470_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B888887B-5990-4522-BBD8-BFF885ED4BAD}\stubpath = "C:\\Windows\\{B888887B-5990-4522-BBD8-BFF885ED4BAD}.exe"	{6F96E1D5-E4FD-4506-8C2C-DD1B35F49807}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B27EB92F-80D1-4c17-A185-4E2555820C95}	{8FE89377-09F7-4030-A1FC-441B1C451CFC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{517EDD72-0D4B-4a1a-B1DE-D9625D1FE079}	{B27EB92F-80D1-4c17-A185-4E2555820C95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B888887B-5990-4522-BBD8-BFF885ED4BAD}	{6F96E1D5-E4FD-4506-8C2C-DD1B35F49807}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A36A558-EA0A-4cf6-828E-19C984A43D9B}	{C9D054B7-80A6-426b-8BF7-1EC80B19D814}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A36A558-EA0A-4cf6-828E-19C984A43D9B}\stubpath = "C:\\Windows\\{5A36A558-EA0A-4cf6-828E-19C984A43D9B}.exe"	{C9D054B7-80A6-426b-8BF7-1EC80B19D814}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DFBBBB0-FFB0-4e8a-AD1D-E78E2062335F}	{E0ABA9B7-0425-42aa-89D0-8075B30EB72B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FE89377-09F7-4030-A1FC-441B1C451CFC}\stubpath = "C:\\Windows\\{8FE89377-09F7-4030-A1FC-441B1C451CFC}.exe"	{6F8506E1-88D0-488d-9749-A9C8EE871A57}.exe

Executes dropped EXE 12 IoCs

pid	Process
32	{6749BFE4-C669-4faf-ADEE-298E1416B464}.exe
2160	{C9D054B7-80A6-426b-8BF7-1EC80B19D814}.exe
3304	{5A36A558-EA0A-4cf6-828E-19C984A43D9B}.exe
4600	{E0ABA9B7-0425-42aa-89D0-8075B30EB72B}.exe
2920	{1DFBBBB0-FFB0-4e8a-AD1D-E78E2062335F}.exe
4656	{6F8506E1-88D0-488d-9749-A9C8EE871A57}.exe
1856	{8FE89377-09F7-4030-A1FC-441B1C451CFC}.exe
3272	{B27EB92F-80D1-4c17-A185-4E2555820C95}.exe
2420	{517EDD72-0D4B-4a1a-B1DE-D9625D1FE079}.exe
3224	{6F96E1D5-E4FD-4506-8C2C-DD1B35F49807}.exe
4888	{B888887B-5990-4522-BBD8-BFF885ED4BAD}.exe
4236	{935D4415-1352-4f41-93A1-F4D3153B198C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{935D4415-1352-4f41-93A1-F4D3153B198C}.exe	{B888887B-5990-4522-BBD8-BFF885ED4BAD}.exe
File created	C:\Windows\{C9D054B7-80A6-426b-8BF7-1EC80B19D814}.exe	{6749BFE4-C669-4faf-ADEE-298E1416B464}.exe
File created	C:\Windows\{1DFBBBB0-FFB0-4e8a-AD1D-E78E2062335F}.exe	{E0ABA9B7-0425-42aa-89D0-8075B30EB72B}.exe
File created	C:\Windows\{B27EB92F-80D1-4c17-A185-4E2555820C95}.exe	{8FE89377-09F7-4030-A1FC-441B1C451CFC}.exe
File created	C:\Windows\{6F8506E1-88D0-488d-9749-A9C8EE871A57}.exe	{1DFBBBB0-FFB0-4e8a-AD1D-E78E2062335F}.exe
File created	C:\Windows\{8FE89377-09F7-4030-A1FC-441B1C451CFC}.exe	{6F8506E1-88D0-488d-9749-A9C8EE871A57}.exe
File created	C:\Windows\{517EDD72-0D4B-4a1a-B1DE-D9625D1FE079}.exe	{B27EB92F-80D1-4c17-A185-4E2555820C95}.exe
File created	C:\Windows\{6F96E1D5-E4FD-4506-8C2C-DD1B35F49807}.exe	{517EDD72-0D4B-4a1a-B1DE-D9625D1FE079}.exe
File created	C:\Windows\{B888887B-5990-4522-BBD8-BFF885ED4BAD}.exe	{6F96E1D5-E4FD-4506-8C2C-DD1B35F49807}.exe
File created	C:\Windows\{6749BFE4-C669-4faf-ADEE-298E1416B464}.exe	11ddef887f798bff331e9c168d7df470_NeikiAnalytics.exe
File created	C:\Windows\{5A36A558-EA0A-4cf6-828E-19C984A43D9B}.exe	{C9D054B7-80A6-426b-8BF7-1EC80B19D814}.exe
File created	C:\Windows\{E0ABA9B7-0425-42aa-89D0-8075B30EB72B}.exe	{5A36A558-EA0A-4cf6-828E-19C984A43D9B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2356	11ddef887f798bff331e9c168d7df470_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	32	{6749BFE4-C669-4faf-ADEE-298E1416B464}.exe
Token: SeIncBasePriorityPrivilege	2160	{C9D054B7-80A6-426b-8BF7-1EC80B19D814}.exe
Token: SeIncBasePriorityPrivilege	3304	{5A36A558-EA0A-4cf6-828E-19C984A43D9B}.exe
Token: SeIncBasePriorityPrivilege	4600	{E0ABA9B7-0425-42aa-89D0-8075B30EB72B}.exe
Token: SeIncBasePriorityPrivilege	2920	{1DFBBBB0-FFB0-4e8a-AD1D-E78E2062335F}.exe
Token: SeIncBasePriorityPrivilege	4656	{6F8506E1-88D0-488d-9749-A9C8EE871A57}.exe
Token: SeIncBasePriorityPrivilege	1856	{8FE89377-09F7-4030-A1FC-441B1C451CFC}.exe
Token: SeIncBasePriorityPrivilege	3272	{B27EB92F-80D1-4c17-A185-4E2555820C95}.exe
Token: SeIncBasePriorityPrivilege	2420	{517EDD72-0D4B-4a1a-B1DE-D9625D1FE079}.exe
Token: SeIncBasePriorityPrivilege	3224	{6F96E1D5-E4FD-4506-8C2C-DD1B35F49807}.exe
Token: SeIncBasePriorityPrivilege	4888	{B888887B-5990-4522-BBD8-BFF885ED4BAD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 32	2356	11ddef887f798bff331e9c168d7df470_NeikiAnalytics.exe	87
PID 2356 wrote to memory of 32	2356	11ddef887f798bff331e9c168d7df470_NeikiAnalytics.exe	87
PID 2356 wrote to memory of 32	2356	11ddef887f798bff331e9c168d7df470_NeikiAnalytics.exe	87
PID 2356 wrote to memory of 4896	2356	11ddef887f798bff331e9c168d7df470_NeikiAnalytics.exe	88
PID 2356 wrote to memory of 4896	2356	11ddef887f798bff331e9c168d7df470_NeikiAnalytics.exe	88
PID 2356 wrote to memory of 4896	2356	11ddef887f798bff331e9c168d7df470_NeikiAnalytics.exe	88
PID 32 wrote to memory of 2160	32	{6749BFE4-C669-4faf-ADEE-298E1416B464}.exe	89
PID 32 wrote to memory of 2160	32	{6749BFE4-C669-4faf-ADEE-298E1416B464}.exe	89
PID 32 wrote to memory of 2160	32	{6749BFE4-C669-4faf-ADEE-298E1416B464}.exe	89
PID 32 wrote to memory of 3068	32	{6749BFE4-C669-4faf-ADEE-298E1416B464}.exe	90
PID 32 wrote to memory of 3068	32	{6749BFE4-C669-4faf-ADEE-298E1416B464}.exe	90
PID 32 wrote to memory of 3068	32	{6749BFE4-C669-4faf-ADEE-298E1416B464}.exe	90
PID 2160 wrote to memory of 3304	2160	{C9D054B7-80A6-426b-8BF7-1EC80B19D814}.exe	94
PID 2160 wrote to memory of 3304	2160	{C9D054B7-80A6-426b-8BF7-1EC80B19D814}.exe	94
PID 2160 wrote to memory of 3304	2160	{C9D054B7-80A6-426b-8BF7-1EC80B19D814}.exe	94
PID 2160 wrote to memory of 2816	2160	{C9D054B7-80A6-426b-8BF7-1EC80B19D814}.exe	95
PID 2160 wrote to memory of 2816	2160	{C9D054B7-80A6-426b-8BF7-1EC80B19D814}.exe	95
PID 2160 wrote to memory of 2816	2160	{C9D054B7-80A6-426b-8BF7-1EC80B19D814}.exe	95
PID 3304 wrote to memory of 4600	3304	{5A36A558-EA0A-4cf6-828E-19C984A43D9B}.exe	96
PID 3304 wrote to memory of 4600	3304	{5A36A558-EA0A-4cf6-828E-19C984A43D9B}.exe	96
PID 3304 wrote to memory of 4600	3304	{5A36A558-EA0A-4cf6-828E-19C984A43D9B}.exe	96
PID 3304 wrote to memory of 4348	3304	{5A36A558-EA0A-4cf6-828E-19C984A43D9B}.exe	97
PID 3304 wrote to memory of 4348	3304	{5A36A558-EA0A-4cf6-828E-19C984A43D9B}.exe	97
PID 3304 wrote to memory of 4348	3304	{5A36A558-EA0A-4cf6-828E-19C984A43D9B}.exe	97
PID 4600 wrote to memory of 2920	4600	{E0ABA9B7-0425-42aa-89D0-8075B30EB72B}.exe	98
PID 4600 wrote to memory of 2920	4600	{E0ABA9B7-0425-42aa-89D0-8075B30EB72B}.exe	98
PID 4600 wrote to memory of 2920	4600	{E0ABA9B7-0425-42aa-89D0-8075B30EB72B}.exe	98
PID 4600 wrote to memory of 624	4600	{E0ABA9B7-0425-42aa-89D0-8075B30EB72B}.exe	99
PID 4600 wrote to memory of 624	4600	{E0ABA9B7-0425-42aa-89D0-8075B30EB72B}.exe	99
PID 4600 wrote to memory of 624	4600	{E0ABA9B7-0425-42aa-89D0-8075B30EB72B}.exe	99
PID 2920 wrote to memory of 4656	2920	{1DFBBBB0-FFB0-4e8a-AD1D-E78E2062335F}.exe	100
PID 2920 wrote to memory of 4656	2920	{1DFBBBB0-FFB0-4e8a-AD1D-E78E2062335F}.exe	100
PID 2920 wrote to memory of 4656	2920	{1DFBBBB0-FFB0-4e8a-AD1D-E78E2062335F}.exe	100
PID 2920 wrote to memory of 3572	2920	{1DFBBBB0-FFB0-4e8a-AD1D-E78E2062335F}.exe	101
PID 2920 wrote to memory of 3572	2920	{1DFBBBB0-FFB0-4e8a-AD1D-E78E2062335F}.exe	101
PID 2920 wrote to memory of 3572	2920	{1DFBBBB0-FFB0-4e8a-AD1D-E78E2062335F}.exe	101
PID 4656 wrote to memory of 1856	4656	{6F8506E1-88D0-488d-9749-A9C8EE871A57}.exe	102
PID 4656 wrote to memory of 1856	4656	{6F8506E1-88D0-488d-9749-A9C8EE871A57}.exe	102
PID 4656 wrote to memory of 1856	4656	{6F8506E1-88D0-488d-9749-A9C8EE871A57}.exe	102
PID 4656 wrote to memory of 2700	4656	{6F8506E1-88D0-488d-9749-A9C8EE871A57}.exe	103
PID 4656 wrote to memory of 2700	4656	{6F8506E1-88D0-488d-9749-A9C8EE871A57}.exe	103
PID 4656 wrote to memory of 2700	4656	{6F8506E1-88D0-488d-9749-A9C8EE871A57}.exe	103
PID 1856 wrote to memory of 3272	1856	{8FE89377-09F7-4030-A1FC-441B1C451CFC}.exe	104
PID 1856 wrote to memory of 3272	1856	{8FE89377-09F7-4030-A1FC-441B1C451CFC}.exe	104
PID 1856 wrote to memory of 3272	1856	{8FE89377-09F7-4030-A1FC-441B1C451CFC}.exe	104
PID 1856 wrote to memory of 4140	1856	{8FE89377-09F7-4030-A1FC-441B1C451CFC}.exe	105
PID 1856 wrote to memory of 4140	1856	{8FE89377-09F7-4030-A1FC-441B1C451CFC}.exe	105
PID 1856 wrote to memory of 4140	1856	{8FE89377-09F7-4030-A1FC-441B1C451CFC}.exe	105
PID 3272 wrote to memory of 2420	3272	{B27EB92F-80D1-4c17-A185-4E2555820C95}.exe	106
PID 3272 wrote to memory of 2420	3272	{B27EB92F-80D1-4c17-A185-4E2555820C95}.exe	106
PID 3272 wrote to memory of 2420	3272	{B27EB92F-80D1-4c17-A185-4E2555820C95}.exe	106
PID 3272 wrote to memory of 3908	3272	{B27EB92F-80D1-4c17-A185-4E2555820C95}.exe	107
PID 3272 wrote to memory of 3908	3272	{B27EB92F-80D1-4c17-A185-4E2555820C95}.exe	107
PID 3272 wrote to memory of 3908	3272	{B27EB92F-80D1-4c17-A185-4E2555820C95}.exe	107
PID 2420 wrote to memory of 3224	2420	{517EDD72-0D4B-4a1a-B1DE-D9625D1FE079}.exe	108
PID 2420 wrote to memory of 3224	2420	{517EDD72-0D4B-4a1a-B1DE-D9625D1FE079}.exe	108
PID 2420 wrote to memory of 3224	2420	{517EDD72-0D4B-4a1a-B1DE-D9625D1FE079}.exe	108
PID 2420 wrote to memory of 1480	2420	{517EDD72-0D4B-4a1a-B1DE-D9625D1FE079}.exe	109
PID 2420 wrote to memory of 1480	2420	{517EDD72-0D4B-4a1a-B1DE-D9625D1FE079}.exe	109
PID 2420 wrote to memory of 1480	2420	{517EDD72-0D4B-4a1a-B1DE-D9625D1FE079}.exe	109
PID 3224 wrote to memory of 4888	3224	{6F96E1D5-E4FD-4506-8C2C-DD1B35F49807}.exe	110
PID 3224 wrote to memory of 4888	3224	{6F96E1D5-E4FD-4506-8C2C-DD1B35F49807}.exe	110
PID 3224 wrote to memory of 4888	3224	{6F96E1D5-E4FD-4506-8C2C-DD1B35F49807}.exe	110
PID 3224 wrote to memory of 1592	3224	{6F96E1D5-E4FD-4506-8C2C-DD1B35F49807}.exe	111

C:\Users\Admin\AppData\Local\Temp\11ddef887f798bff331e9c168d7df470_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\11ddef887f798bff331e9c168d7df470_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\{6749BFE4-C669-4faf-ADEE-298E1416B464}.exe
  C:\Windows\{6749BFE4-C669-4faf-ADEE-298E1416B464}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:32
- - C:\Windows\{C9D054B7-80A6-426b-8BF7-1EC80B19D814}.exe
    C:\Windows\{C9D054B7-80A6-426b-8BF7-1EC80B19D814}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Windows\{5A36A558-EA0A-4cf6-828E-19C984A43D9B}.exe
      C:\Windows\{5A36A558-EA0A-4cf6-828E-19C984A43D9B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3304
    - - C:\Windows\{E0ABA9B7-0425-42aa-89D0-8075B30EB72B}.exe
        
        C:\Windows\{E0ABA9B7-0425-42aa-89D0-8075B30EB72B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4600
      - C:\Windows\{1DFBBBB0-FFB0-4e8a-AD1D-E78E2062335F}.exe
        
        C:\Windows\{1DFBBBB0-FFB0-4e8a-AD1D-E78E2062335F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\{6F8506E1-88D0-488d-9749-A9C8EE871A57}.exe
        
        C:\Windows\{6F8506E1-88D0-488d-9749-A9C8EE871A57}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\{8FE89377-09F7-4030-A1FC-441B1C451CFC}.exe
        
        C:\Windows\{8FE89377-09F7-4030-A1FC-441B1C451CFC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\{B27EB92F-80D1-4c17-A185-4E2555820C95}.exe
        
        C:\Windows\{B27EB92F-80D1-4c17-A185-4E2555820C95}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\{517EDD72-0D4B-4a1a-B1DE-D9625D1FE079}.exe
        
        C:\Windows\{517EDD72-0D4B-4a1a-B1DE-D9625D1FE079}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\{6F96E1D5-E4FD-4506-8C2C-DD1B35F49807}.exe
        
        C:\Windows\{6F96E1D5-E4FD-4506-8C2C-DD1B35F49807}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\{B888887B-5990-4522-BBD8-BFF885ED4BAD}.exe
        
        C:\Windows\{B888887B-5990-4522-BBD8-BFF885ED4BAD}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4888
        
        C:\Windows\{935D4415-1352-4f41-93A1-F4D3153B198C}.exe
        
        C:\Windows\{935D4415-1352-4f41-93A1-F4D3153B198C}.exe
        13⤵
        Executes dropped EXE
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8888~1.EXE > nul
        13⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F96E~1.EXE > nul
        12⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{517ED~1.EXE > nul
        11⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B27EB~1.EXE > nul
        10⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8FE89~1.EXE > nul
        9⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F850~1.EXE > nul
        8⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1DFBB~1.EXE > nul
        7⤵
        
        PID:3572
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0ABA~1.EXE > nul
        6⤵
        
        PID:624
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A36A~1.EXE > nul
        5⤵
        
        PID:4348
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C9D05~1.EXE > nul
      4⤵
      PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6749B~1.EXE > nul
    3⤵
    PID:3068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\11DDEF~1.EXE > nul
  2⤵
  PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1DFBBBB0-FFB0-4e8a-AD1D-E78E2062335F}.exe

Filesize
372KB

MD5
417e8a8cec047b12827512abda59a2a3

SHA1
e66e0138cca06a701f2e2c2a48b0b22b95fb767d

SHA256
ff93bbd0461275eba8c23e9ff32676d1c0ef009de67817c69efb68b731de425b

SHA512
9dd9ec491484e0658d96f87abfd32a2aac4c78acbbfb442695531017fca1f050e1734ea7e733672680f6cc70e4dc0ecfc213af784970ceb80405b87719df4ade

Download Submit
C:\Windows\{517EDD72-0D4B-4a1a-B1DE-D9625D1FE079}.exe

Filesize
372KB

MD5
151da899f1bee2a330440a11865b60e6

SHA1
78669e845c698551c971c0b6b51e90d1a2a7db40

SHA256
42c0f3959542a7988d9bfcf0114964cebc7674cf27e2e4b608943ed14265a820

SHA512
a436f5544d9157f295ae1bd721a83db03854894f226de1df4aea26bdbceae6a7936a17f13634e393e8df7192625aeb72bc52428b13bf86251085be1eb558e629

Download Submit
C:\Windows\{5A36A558-EA0A-4cf6-828E-19C984A43D9B}.exe

Filesize
372KB

MD5
57e86ac1b5c8122b3d86b58f2289f056

SHA1
5ed4fd7ca7163c5adfc7a763c2a917698efdf351

SHA256
755914f8b60efe44648deddeabd5e62246d1d52fea2e46b0a30c91d17abd0a4d

SHA512
edac4e4791ba4e0712f63eeca3ce91825041eea5911cbbad78f0d18f6031d23ee182f8a3aaa883c34857801f06a4632959fef9d0617f867c33d187b3805e6419

Download Submit
C:\Windows\{6749BFE4-C669-4faf-ADEE-298E1416B464}.exe

Filesize
372KB

MD5
e478ed7a55e9a62116fd94884d67af42

SHA1
85bb604fb61f5f6fbc601362c1c783cee97283a2

SHA256
3e18e55e4c8e8672769d1352e28826e96bf7d8dab09a7d8a0a4b68b568dd8de2

SHA512
22fe7524b365028ec265fec09c617273f2b27689948a4a128ed3bddb2854533b1ef3308cff1fc4584c5a5b883a06848cac29660778ed8326b9fe939846ae42ad

Download Submit
C:\Windows\{6F8506E1-88D0-488d-9749-A9C8EE871A57}.exe

Filesize
372KB

MD5
4ce5dc66bb4677ef25a96ecda6e79e49

SHA1
07d9703e2924a5ed30f0f9d1b14a5073527cf3a9

SHA256
0af2388b186d7473a522473c04f810c208398647e95c2d3e57b942a1e192ab9d

SHA512
9eb24d44578765244595525cbd198901c7846d804f49dbdecbc56e2c782cc37a9403ec3e8ba259ae138ef04cb5f80652361cce92f44a1142171191a1cb18cefa

Download Submit
C:\Windows\{6F96E1D5-E4FD-4506-8C2C-DD1B35F49807}.exe

Filesize
372KB

MD5
3ae421a0bee4fffc686cb0777db8af50

SHA1
36ca8198410920667d7970eeddcaafba8813b02d

SHA256
64ac8928650daf2574b82475c7559c3fbb0e6d1d05ce71ffd1b829be3d2e924a

SHA512
a38fab7c474d81de3338f22a09aec588a4caea36bac542ab3e3fa3527bff16c51a0427314968c894b210165db11cc53e50d00491d3d07037dc8c7a000d0fb551

Download Submit
C:\Windows\{8FE89377-09F7-4030-A1FC-441B1C451CFC}.exe

Filesize
372KB

MD5
5b844ee132fec7fe864c2ba8d8dd7922

SHA1
716865528be7a2494a0b2b9cc17aa8e9be37be9c

SHA256
6d6771b60b626a3b4b1c8450af18fb7cc3e6533b794ba4ac18d710fca1c0dcba

SHA512
f03406b918637822d2df3c8513139eb9c770165135c4208af768d2adefd6ae72618e18412e7591732cc83929507bfe88dfb22d4b89ef6ade63d2014c6acd5bba

Download Submit
C:\Windows\{935D4415-1352-4f41-93A1-F4D3153B198C}.exe

Filesize
372KB

MD5
aa8d6631d8d55b9185906b4bc09ff5a0

SHA1
57a3fb4dba224867474d2f1a07978edbeef9710d

SHA256
34bdefafee733276f09cc43c1d687a4d7b62cb46038db30914f443ec2ce0722d

SHA512
210b0f4f1c5c8c52f5474c7cad22b798f1cbe55f7e0178d54850b0b3e13a56937516f80138c348474c14c7db611e88c9fbc7bc0922eb1b8c9f66fd123d33e6a9

Download Submit
C:\Windows\{B27EB92F-80D1-4c17-A185-4E2555820C95}.exe

Filesize
372KB

MD5
26023c68e657be31dc47fd46a340b91b

SHA1
ae631fc776a1b7bcb755c46b9866bc00375e2e68

SHA256
a1d2358c3585895867e4bc6d9f0a6793155e98689b18012e66438fed9849d995

SHA512
8468fc49f41453716f3707915383456741063399940274c2952e287173b01a9e6b1f1e9fcd8420fbd47ab435761896dc90ddb510f327233f956a84ff1a1f85e8

Download Submit
C:\Windows\{B888887B-5990-4522-BBD8-BFF885ED4BAD}.exe

Filesize
372KB

MD5
4c061e024fcf9642a6454ae78260f772

SHA1
e92e527a43aa4aa9611387e9b037603de86aa89a

SHA256
03a30a43dda10ccc5857bea1a7cd168d074dd245d91999c2cc908367dbfc9de4

SHA512
7fc9d125b3e4b84909040c1f72fb81846fcd3055e2a1a3e342405a59f1592c77e4640121e3a3372d42f7427e64deb0163f800fb1044f83ad3060c4a6440c9262

Download Submit
C:\Windows\{C9D054B7-80A6-426b-8BF7-1EC80B19D814}.exe

Filesize
372KB

MD5
ce9283c5aada940db14b16f1fa5db11a

SHA1
cb2c0b65819be4b5bbc45856613a921836dde64b

SHA256
6142c88777e0512804776b611171af925b2c389c8e0603653c8e262c9114f35c

SHA512
ab7389e8c03d3b67a42ba07ac968de6d489b24feb955f45cfa5c3dd59a9e985bec2e84df95e9702bff6c75304a3ec841a639ed099fd880b3ab3acced52b60947

Download Submit
C:\Windows\{E0ABA9B7-0425-42aa-89D0-8075B30EB72B}.exe

Filesize
372KB

MD5
f33efab3d3930d95f454dd65c53f326f

SHA1
0295fc6a918d619f9a2d3bb228ca1ee489ce7a50

SHA256
831b24ed3dd3e5eb77405c6256b8a3382b7cfde8030bf8b63f4180c546a1d991

SHA512
23285a39c9c38fdd06150ed0129bc6d0781a77266eea9ef4b61eec99c0268da4645667105f2b1d5b8f36c9589a3d14f8212ae8e47185d4b3f74d3618e7f69fa5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads