79bb4cdbf56cdb0ad4ec86672df751a9063fae3757557c4d599a80fca6578d6e

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 00:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

323e02a3fe0d20056cb807a33df0c9c0_NeikiAnalytics.exe
Size

216KB
MD5

323e02a3fe0d20056cb807a33df0c9c0
SHA1

07c5b83b8c3fcd64c9fd44e04c32eccecbb76a20
SHA256

79bb4cdbf56cdb0ad4ec86672df751a9063fae3757557c4d599a80fca6578d6e
SHA512

85cb76459ee7b196b3759b18dd1ec961c6a518265378bc05455f16ac44bced907ad943b98c0fedba4aeeea27eef62d97aef9335972b96273064a6568809ec07c
SSDEEP

3072:jEGh0onl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGRlEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6615CF7D-A631-404b-93E5-26D82A08C0D2}	{7E6EA20A-7CE9-4837-ACD0-32B4288F16CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0E16CBD-57D1-417e-BB8C-ABCE6D204223}\stubpath = "C:\\Windows\\{E0E16CBD-57D1-417e-BB8C-ABCE6D204223}.exe"	{99258E65-156A-43fb-A0D0-22934734D36B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{558B3405-40D4-4e8f-B5EA-6789451AF3DC}	{E0E16CBD-57D1-417e-BB8C-ABCE6D204223}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AF90E68-0326-4b2c-B0EE-FE8B4E6BCD56}	{558B3405-40D4-4e8f-B5EA-6789451AF3DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B729E0B3-0E77-495b-9606-10852FA2C722}	{C11C704C-9E0E-4f1b-9D59-5D2D3C392F46}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B729E0B3-0E77-495b-9606-10852FA2C722}\stubpath = "C:\\Windows\\{B729E0B3-0E77-495b-9606-10852FA2C722}.exe"	{C11C704C-9E0E-4f1b-9D59-5D2D3C392F46}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E6EA20A-7CE9-4837-ACD0-32B4288F16CC}	{2E52E769-3C64-44d7-8F68-10A4D5B3E343}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1796AE96-9568-4c56-B6B5-BD3AFBC1ED9D}\stubpath = "C:\\Windows\\{1796AE96-9568-4c56-B6B5-BD3AFBC1ED9D}.exe"	323e02a3fe0d20056cb807a33df0c9c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E6EA20A-7CE9-4837-ACD0-32B4288F16CC}\stubpath = "C:\\Windows\\{7E6EA20A-7CE9-4837-ACD0-32B4288F16CC}.exe"	{2E52E769-3C64-44d7-8F68-10A4D5B3E343}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99258E65-156A-43fb-A0D0-22934734D36B}\stubpath = "C:\\Windows\\{99258E65-156A-43fb-A0D0-22934734D36B}.exe"	{6615CF7D-A631-404b-93E5-26D82A08C0D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0E16CBD-57D1-417e-BB8C-ABCE6D204223}	{99258E65-156A-43fb-A0D0-22934734D36B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C11C704C-9E0E-4f1b-9D59-5D2D3C392F46}	{4292CC37-0782-43ac-AB28-D7A984A3924B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1796AE96-9568-4c56-B6B5-BD3AFBC1ED9D}	323e02a3fe0d20056cb807a33df0c9c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4292CC37-0782-43ac-AB28-D7A984A3924B}\stubpath = "C:\\Windows\\{4292CC37-0782-43ac-AB28-D7A984A3924B}.exe"	{8AF90E68-0326-4b2c-B0EE-FE8B4E6BCD56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C11C704C-9E0E-4f1b-9D59-5D2D3C392F46}\stubpath = "C:\\Windows\\{C11C704C-9E0E-4f1b-9D59-5D2D3C392F46}.exe"	{4292CC37-0782-43ac-AB28-D7A984A3924B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E52E769-3C64-44d7-8F68-10A4D5B3E343}	{1796AE96-9568-4c56-B6B5-BD3AFBC1ED9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6615CF7D-A631-404b-93E5-26D82A08C0D2}\stubpath = "C:\\Windows\\{6615CF7D-A631-404b-93E5-26D82A08C0D2}.exe"	{7E6EA20A-7CE9-4837-ACD0-32B4288F16CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99258E65-156A-43fb-A0D0-22934734D36B}	{6615CF7D-A631-404b-93E5-26D82A08C0D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{558B3405-40D4-4e8f-B5EA-6789451AF3DC}\stubpath = "C:\\Windows\\{558B3405-40D4-4e8f-B5EA-6789451AF3DC}.exe"	{E0E16CBD-57D1-417e-BB8C-ABCE6D204223}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AF90E68-0326-4b2c-B0EE-FE8B4E6BCD56}\stubpath = "C:\\Windows\\{8AF90E68-0326-4b2c-B0EE-FE8B4E6BCD56}.exe"	{558B3405-40D4-4e8f-B5EA-6789451AF3DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4292CC37-0782-43ac-AB28-D7A984A3924B}	{8AF90E68-0326-4b2c-B0EE-FE8B4E6BCD56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E52E769-3C64-44d7-8F68-10A4D5B3E343}\stubpath = "C:\\Windows\\{2E52E769-3C64-44d7-8F68-10A4D5B3E343}.exe"	{1796AE96-9568-4c56-B6B5-BD3AFBC1ED9D}.exe

Deletes itself 1 IoCs

pid	Process
2448	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2668	{1796AE96-9568-4c56-B6B5-BD3AFBC1ED9D}.exe
2464	{2E52E769-3C64-44d7-8F68-10A4D5B3E343}.exe
2812	{7E6EA20A-7CE9-4837-ACD0-32B4288F16CC}.exe
2272	{6615CF7D-A631-404b-93E5-26D82A08C0D2}.exe
1060	{99258E65-156A-43fb-A0D0-22934734D36B}.exe
328	{E0E16CBD-57D1-417e-BB8C-ABCE6D204223}.exe
2092	{558B3405-40D4-4e8f-B5EA-6789451AF3DC}.exe
1268	{8AF90E68-0326-4b2c-B0EE-FE8B4E6BCD56}.exe
2604	{4292CC37-0782-43ac-AB28-D7A984A3924B}.exe
2200	{C11C704C-9E0E-4f1b-9D59-5D2D3C392F46}.exe
1392	{B729E0B3-0E77-495b-9606-10852FA2C722}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E0E16CBD-57D1-417e-BB8C-ABCE6D204223}.exe	{99258E65-156A-43fb-A0D0-22934734D36B}.exe
File created	C:\Windows\{558B3405-40D4-4e8f-B5EA-6789451AF3DC}.exe	{E0E16CBD-57D1-417e-BB8C-ABCE6D204223}.exe
File created	C:\Windows\{8AF90E68-0326-4b2c-B0EE-FE8B4E6BCD56}.exe	{558B3405-40D4-4e8f-B5EA-6789451AF3DC}.exe
File created	C:\Windows\{1796AE96-9568-4c56-B6B5-BD3AFBC1ED9D}.exe	323e02a3fe0d20056cb807a33df0c9c0_NeikiAnalytics.exe
File created	C:\Windows\{7E6EA20A-7CE9-4837-ACD0-32B4288F16CC}.exe	{2E52E769-3C64-44d7-8F68-10A4D5B3E343}.exe
File created	C:\Windows\{99258E65-156A-43fb-A0D0-22934734D36B}.exe	{6615CF7D-A631-404b-93E5-26D82A08C0D2}.exe
File created	C:\Windows\{4292CC37-0782-43ac-AB28-D7A984A3924B}.exe	{8AF90E68-0326-4b2c-B0EE-FE8B4E6BCD56}.exe
File created	C:\Windows\{C11C704C-9E0E-4f1b-9D59-5D2D3C392F46}.exe	{4292CC37-0782-43ac-AB28-D7A984A3924B}.exe
File created	C:\Windows\{B729E0B3-0E77-495b-9606-10852FA2C722}.exe	{C11C704C-9E0E-4f1b-9D59-5D2D3C392F46}.exe
File created	C:\Windows\{2E52E769-3C64-44d7-8F68-10A4D5B3E343}.exe	{1796AE96-9568-4c56-B6B5-BD3AFBC1ED9D}.exe
File created	C:\Windows\{6615CF7D-A631-404b-93E5-26D82A08C0D2}.exe	{7E6EA20A-7CE9-4837-ACD0-32B4288F16CC}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2924	323e02a3fe0d20056cb807a33df0c9c0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2668	{1796AE96-9568-4c56-B6B5-BD3AFBC1ED9D}.exe
Token: SeIncBasePriorityPrivilege	2464	{2E52E769-3C64-44d7-8F68-10A4D5B3E343}.exe
Token: SeIncBasePriorityPrivilege	2812	{7E6EA20A-7CE9-4837-ACD0-32B4288F16CC}.exe
Token: SeIncBasePriorityPrivilege	2272	{6615CF7D-A631-404b-93E5-26D82A08C0D2}.exe
Token: SeIncBasePriorityPrivilege	1060	{99258E65-156A-43fb-A0D0-22934734D36B}.exe
Token: SeIncBasePriorityPrivilege	328	{E0E16CBD-57D1-417e-BB8C-ABCE6D204223}.exe
Token: SeIncBasePriorityPrivilege	2092	{558B3405-40D4-4e8f-B5EA-6789451AF3DC}.exe
Token: SeIncBasePriorityPrivilege	1268	{8AF90E68-0326-4b2c-B0EE-FE8B4E6BCD56}.exe
Token: SeIncBasePriorityPrivilege	2604	{4292CC37-0782-43ac-AB28-D7A984A3924B}.exe
Token: SeIncBasePriorityPrivilege	2200	{C11C704C-9E0E-4f1b-9D59-5D2D3C392F46}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2668	2924	323e02a3fe0d20056cb807a33df0c9c0_NeikiAnalytics.exe	28
PID 2924 wrote to memory of 2668	2924	323e02a3fe0d20056cb807a33df0c9c0_NeikiAnalytics.exe	28
PID 2924 wrote to memory of 2668	2924	323e02a3fe0d20056cb807a33df0c9c0_NeikiAnalytics.exe	28
PID 2924 wrote to memory of 2668	2924	323e02a3fe0d20056cb807a33df0c9c0_NeikiAnalytics.exe	28
PID 2924 wrote to memory of 2448	2924	323e02a3fe0d20056cb807a33df0c9c0_NeikiAnalytics.exe	29
PID 2924 wrote to memory of 2448	2924	323e02a3fe0d20056cb807a33df0c9c0_NeikiAnalytics.exe	29
PID 2924 wrote to memory of 2448	2924	323e02a3fe0d20056cb807a33df0c9c0_NeikiAnalytics.exe	29
PID 2924 wrote to memory of 2448	2924	323e02a3fe0d20056cb807a33df0c9c0_NeikiAnalytics.exe	29
PID 2668 wrote to memory of 2464	2668	{1796AE96-9568-4c56-B6B5-BD3AFBC1ED9D}.exe	30
PID 2668 wrote to memory of 2464	2668	{1796AE96-9568-4c56-B6B5-BD3AFBC1ED9D}.exe	30
PID 2668 wrote to memory of 2464	2668	{1796AE96-9568-4c56-B6B5-BD3AFBC1ED9D}.exe	30
PID 2668 wrote to memory of 2464	2668	{1796AE96-9568-4c56-B6B5-BD3AFBC1ED9D}.exe	30
PID 2668 wrote to memory of 2644	2668	{1796AE96-9568-4c56-B6B5-BD3AFBC1ED9D}.exe	31
PID 2668 wrote to memory of 2644	2668	{1796AE96-9568-4c56-B6B5-BD3AFBC1ED9D}.exe	31
PID 2668 wrote to memory of 2644	2668	{1796AE96-9568-4c56-B6B5-BD3AFBC1ED9D}.exe	31
PID 2668 wrote to memory of 2644	2668	{1796AE96-9568-4c56-B6B5-BD3AFBC1ED9D}.exe	31
PID 2464 wrote to memory of 2812	2464	{2E52E769-3C64-44d7-8F68-10A4D5B3E343}.exe	32
PID 2464 wrote to memory of 2812	2464	{2E52E769-3C64-44d7-8F68-10A4D5B3E343}.exe	32
PID 2464 wrote to memory of 2812	2464	{2E52E769-3C64-44d7-8F68-10A4D5B3E343}.exe	32
PID 2464 wrote to memory of 2812	2464	{2E52E769-3C64-44d7-8F68-10A4D5B3E343}.exe	32
PID 2464 wrote to memory of 2512	2464	{2E52E769-3C64-44d7-8F68-10A4D5B3E343}.exe	33
PID 2464 wrote to memory of 2512	2464	{2E52E769-3C64-44d7-8F68-10A4D5B3E343}.exe	33
PID 2464 wrote to memory of 2512	2464	{2E52E769-3C64-44d7-8F68-10A4D5B3E343}.exe	33
PID 2464 wrote to memory of 2512	2464	{2E52E769-3C64-44d7-8F68-10A4D5B3E343}.exe	33
PID 2812 wrote to memory of 2272	2812	{7E6EA20A-7CE9-4837-ACD0-32B4288F16CC}.exe	36
PID 2812 wrote to memory of 2272	2812	{7E6EA20A-7CE9-4837-ACD0-32B4288F16CC}.exe	36
PID 2812 wrote to memory of 2272	2812	{7E6EA20A-7CE9-4837-ACD0-32B4288F16CC}.exe	36
PID 2812 wrote to memory of 2272	2812	{7E6EA20A-7CE9-4837-ACD0-32B4288F16CC}.exe	36
PID 2812 wrote to memory of 2228	2812	{7E6EA20A-7CE9-4837-ACD0-32B4288F16CC}.exe	37
PID 2812 wrote to memory of 2228	2812	{7E6EA20A-7CE9-4837-ACD0-32B4288F16CC}.exe	37
PID 2812 wrote to memory of 2228	2812	{7E6EA20A-7CE9-4837-ACD0-32B4288F16CC}.exe	37
PID 2812 wrote to memory of 2228	2812	{7E6EA20A-7CE9-4837-ACD0-32B4288F16CC}.exe	37
PID 2272 wrote to memory of 1060	2272	{6615CF7D-A631-404b-93E5-26D82A08C0D2}.exe	38
PID 2272 wrote to memory of 1060	2272	{6615CF7D-A631-404b-93E5-26D82A08C0D2}.exe	38
PID 2272 wrote to memory of 1060	2272	{6615CF7D-A631-404b-93E5-26D82A08C0D2}.exe	38
PID 2272 wrote to memory of 1060	2272	{6615CF7D-A631-404b-93E5-26D82A08C0D2}.exe	38
PID 2272 wrote to memory of 1344	2272	{6615CF7D-A631-404b-93E5-26D82A08C0D2}.exe	39
PID 2272 wrote to memory of 1344	2272	{6615CF7D-A631-404b-93E5-26D82A08C0D2}.exe	39
PID 2272 wrote to memory of 1344	2272	{6615CF7D-A631-404b-93E5-26D82A08C0D2}.exe	39
PID 2272 wrote to memory of 1344	2272	{6615CF7D-A631-404b-93E5-26D82A08C0D2}.exe	39
PID 1060 wrote to memory of 328	1060	{99258E65-156A-43fb-A0D0-22934734D36B}.exe	40
PID 1060 wrote to memory of 328	1060	{99258E65-156A-43fb-A0D0-22934734D36B}.exe	40
PID 1060 wrote to memory of 328	1060	{99258E65-156A-43fb-A0D0-22934734D36B}.exe	40
PID 1060 wrote to memory of 328	1060	{99258E65-156A-43fb-A0D0-22934734D36B}.exe	40
PID 1060 wrote to memory of 352	1060	{99258E65-156A-43fb-A0D0-22934734D36B}.exe	41
PID 1060 wrote to memory of 352	1060	{99258E65-156A-43fb-A0D0-22934734D36B}.exe	41
PID 1060 wrote to memory of 352	1060	{99258E65-156A-43fb-A0D0-22934734D36B}.exe	41
PID 1060 wrote to memory of 352	1060	{99258E65-156A-43fb-A0D0-22934734D36B}.exe	41
PID 328 wrote to memory of 2092	328	{E0E16CBD-57D1-417e-BB8C-ABCE6D204223}.exe	42
PID 328 wrote to memory of 2092	328	{E0E16CBD-57D1-417e-BB8C-ABCE6D204223}.exe	42
PID 328 wrote to memory of 2092	328	{E0E16CBD-57D1-417e-BB8C-ABCE6D204223}.exe	42
PID 328 wrote to memory of 2092	328	{E0E16CBD-57D1-417e-BB8C-ABCE6D204223}.exe	42
PID 328 wrote to memory of 1784	328	{E0E16CBD-57D1-417e-BB8C-ABCE6D204223}.exe	43
PID 328 wrote to memory of 1784	328	{E0E16CBD-57D1-417e-BB8C-ABCE6D204223}.exe	43
PID 328 wrote to memory of 1784	328	{E0E16CBD-57D1-417e-BB8C-ABCE6D204223}.exe	43
PID 328 wrote to memory of 1784	328	{E0E16CBD-57D1-417e-BB8C-ABCE6D204223}.exe	43
PID 2092 wrote to memory of 1268	2092	{558B3405-40D4-4e8f-B5EA-6789451AF3DC}.exe	44
PID 2092 wrote to memory of 1268	2092	{558B3405-40D4-4e8f-B5EA-6789451AF3DC}.exe	44
PID 2092 wrote to memory of 1268	2092	{558B3405-40D4-4e8f-B5EA-6789451AF3DC}.exe	44
PID 2092 wrote to memory of 1268	2092	{558B3405-40D4-4e8f-B5EA-6789451AF3DC}.exe	44
PID 2092 wrote to memory of 2044	2092	{558B3405-40D4-4e8f-B5EA-6789451AF3DC}.exe	45
PID 2092 wrote to memory of 2044	2092	{558B3405-40D4-4e8f-B5EA-6789451AF3DC}.exe	45
PID 2092 wrote to memory of 2044	2092	{558B3405-40D4-4e8f-B5EA-6789451AF3DC}.exe	45
PID 2092 wrote to memory of 2044	2092	{558B3405-40D4-4e8f-B5EA-6789451AF3DC}.exe	45

C:\Users\Admin\AppData\Local\Temp\323e02a3fe0d20056cb807a33df0c9c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\323e02a3fe0d20056cb807a33df0c9c0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\{1796AE96-9568-4c56-B6B5-BD3AFBC1ED9D}.exe
  C:\Windows\{1796AE96-9568-4c56-B6B5-BD3AFBC1ED9D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\{2E52E769-3C64-44d7-8F68-10A4D5B3E343}.exe
    C:\Windows\{2E52E769-3C64-44d7-8F68-10A4D5B3E343}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\Windows\{7E6EA20A-7CE9-4837-ACD0-32B4288F16CC}.exe
      C:\Windows\{7E6EA20A-7CE9-4837-ACD0-32B4288F16CC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\{6615CF7D-A631-404b-93E5-26D82A08C0D2}.exe
        
        C:\Windows\{6615CF7D-A631-404b-93E5-26D82A08C0D2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2272
      - C:\Windows\{99258E65-156A-43fb-A0D0-22934734D36B}.exe
        
        C:\Windows\{99258E65-156A-43fb-A0D0-22934734D36B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\{E0E16CBD-57D1-417e-BB8C-ABCE6D204223}.exe
        
        C:\Windows\{E0E16CBD-57D1-417e-BB8C-ABCE6D204223}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:328
        
        C:\Windows\{558B3405-40D4-4e8f-B5EA-6789451AF3DC}.exe
        
        C:\Windows\{558B3405-40D4-4e8f-B5EA-6789451AF3DC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\{8AF90E68-0326-4b2c-B0EE-FE8B4E6BCD56}.exe
        
        C:\Windows\{8AF90E68-0326-4b2c-B0EE-FE8B4E6BCD56}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
        
        C:\Windows\{4292CC37-0782-43ac-AB28-D7A984A3924B}.exe
        
        C:\Windows\{4292CC37-0782-43ac-AB28-D7A984A3924B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\Windows\{C11C704C-9E0E-4f1b-9D59-5D2D3C392F46}.exe
        
        C:\Windows\{C11C704C-9E0E-4f1b-9D59-5D2D3C392F46}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\{B729E0B3-0E77-495b-9606-10852FA2C722}.exe
        
        C:\Windows\{B729E0B3-0E77-495b-9606-10852FA2C722}.exe
        12⤵
        Executes dropped EXE
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C11C7~1.EXE > nul
        12⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4292C~1.EXE > nul
        11⤵
        
        PID:480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8AF90~1.EXE > nul
        10⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{558B3~1.EXE > nul
        9⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0E16~1.EXE > nul
        8⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99258~1.EXE > nul
        7⤵
        
        PID:352
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6615C~1.EXE > nul
        6⤵
        
        PID:1344
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E6EA~1.EXE > nul
        5⤵
        
        PID:2228
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2E52E~1.EXE > nul
      4⤵
      PID:2512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1796A~1.EXE > nul
    3⤵
    PID:2644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\323E02~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1796AE96-9568-4c56-B6B5-BD3AFBC1ED9D}.exe

Filesize
216KB

MD5
2ab2f468360c95e6e8679071cdf06787

SHA1
4c8a50bc39eda858b711f21d7cfa65a1c757df1d

SHA256
d17bf6fe3eee557edb4d72714844266429f155ea049467fed42aa1ad6b302dbe

SHA512
1675e0f5f8cfc2e47746719157848b9ad9b8aee64a181e3037b90cc562c7078de5c2e287668e4eb5c80c4673f0ae3d50ad8258cb9a92c60d9ce92b4fe931901f

Download Submit
C:\Windows\{2E52E769-3C64-44d7-8F68-10A4D5B3E343}.exe

Filesize
216KB

MD5
3e2cfe32ec77c9bf9c348fd666e9007e

SHA1
3fcdf6c83142f36a4d5d138f373a9057726bf7ce

SHA256
65385d6353fd85dc50ed3855b4d77941438a8a89c7c8d9aca64daa95a20755fb

SHA512
938185d61aa71c3cb743f3801bfcd49adbc504a5f097413cd71b3148e3957c843fcc661ea4f2435e812f6b309c886ddd6dedfcf684961e8f67a4269284968f01

Download Submit
C:\Windows\{4292CC37-0782-43ac-AB28-D7A984A3924B}.exe

Filesize
216KB

MD5
a0b2b8fabc55f83f3e0132b83bae934b

SHA1
778da11e92cbdf1a19fc6407077922b3fcf9693f

SHA256
adf06b78d5456fdacd56eb3f57e6137286585d742e23e54c16c38d68d4a67b67

SHA512
f9eb6fa41e1ddf52287b49cbc7f2a449e3cb5a9d9d5f1d8a9231ba6db72cc0e2a2112779df304aa74920e3ff77d2c0773f10f55d6a0790bee19bc7666a14be59

Download Submit
C:\Windows\{558B3405-40D4-4e8f-B5EA-6789451AF3DC}.exe

Filesize
216KB

MD5
82ce1c18bb87361fc6c2152365959b18

SHA1
d3620294b10e8a7e546b7a01e4317a4aa753a80e

SHA256
c3753386afb4b6e95665b6871f53ca0442be25e38b77c776414c0a89e9727036

SHA512
d2e42cf2dcd3519c7cf37f9772586aa0766179d82d7625b218efdb7a24035133a398164f288212fab9e344a54096a2314b754b4d7e98560a79d281dafbd7c4d4

Download Submit
C:\Windows\{6615CF7D-A631-404b-93E5-26D82A08C0D2}.exe

Filesize
216KB

MD5
bf17c4572bd547863c93f932fe18c8ee

SHA1
52b3583d57a9bc4b147e77bab3cbcf520dfe08aa

SHA256
78b4941240a961011ba56208a86252ee222c50fc22d03dbb92fe041d22fe7c80

SHA512
0c42fe7d915d544f0b0de47979864bca03ceb88b637d23597854bf569417d05d75aa368652c01ab0a2043879ed4cbf039f7d23d7581e24e0b47b78d26c8b9857

Download Submit
C:\Windows\{7E6EA20A-7CE9-4837-ACD0-32B4288F16CC}.exe

Filesize
216KB

MD5
0c52cb57514efb7c82317447b3ddd240

SHA1
5965a4a57cccdc39e26375c9ab692947658332c4

SHA256
224a326d39c5f5b4c3a816ce2821f969aba5c30986430ae81aa9cc083bcd3684

SHA512
18f1ca1b7a7bd5807edcb436186535ac2552618c6409bda1cc54c451eff9d31c942fbd45e09b81dcf12861c9ac937fe9dbc0b5ce8e7b2495bd9932f1f6394cf0

Download Submit
C:\Windows\{8AF90E68-0326-4b2c-B0EE-FE8B4E6BCD56}.exe

Filesize
216KB

MD5
7d074116b8cbbc1085a1e8e263f32279

SHA1
aa2aa4f6251140350d0a2798029a9879a32749e7

SHA256
c1ce187e48ce6da9f78f1850dd8ceb8c4c07b379fb7abf946480b23e83137ee5

SHA512
37f4a3fbb1893124c9af63377e7665bc2d830d7543b18fa61731bf4118b34e6c3f59371bc1d059c1cd116bbe24faf2fc7ca3564e6b7c527c7b2e13575728f875

Download Submit
C:\Windows\{99258E65-156A-43fb-A0D0-22934734D36B}.exe

Filesize
216KB

MD5
449f967b03ba4f821196c6d486d37438

SHA1
0a9b7ef589a54ca3705724f3bc9a78ef3a36ca2e

SHA256
bb6686260bc01ce63f47cf283ea29d3712b80bea49a92cd1670f46bd836ba03b

SHA512
e170e04f480f26d1202240fcf7f14e1e3aabdef29ad78f8de5c9e39858e1a8501804c14715ba8aa0079c3f6ba2de316018e0e2f7f15d16138d685ab25cee6ac3

Download Submit
C:\Windows\{B729E0B3-0E77-495b-9606-10852FA2C722}.exe

Filesize
216KB

MD5
e8f3d9ad29613745c251ed636b62f6de

SHA1
d177aba9bb387b4ab8ac246aeb9efc04732df29b

SHA256
75007197fe3217e6c0d31fb06fd91b4fef4ed771a1defc229d16b83c38c272f5

SHA512
b068c888125001a122eeb8c5521add40cd963427367f5e2712e6658c4998696961a84d18c12ef4db56668f90a969df2ba7ffde5f3b6b2001fa77b8fc22bb4803

Download Submit
C:\Windows\{C11C704C-9E0E-4f1b-9D59-5D2D3C392F46}.exe

Filesize
216KB

MD5
6955a1c1a2ab81bc2265d73454d3a4bd

SHA1
172e0e05bf47398fddd31a055af4a2454e087677

SHA256
dde7ee8bcfad5cfdbe6cd93abd7b3a293403fad0adc973fdf8e753e12b09a708

SHA512
ceff210394797aa66d6fd7d08acb206c7681e6008786b1a8f609d2df73873f3620f9a5d0dd70d5bdbecb1b9564e42e39cde48b89d19e7a2cb94f91ec2be7aaee

Download Submit
C:\Windows\{E0E16CBD-57D1-417e-BB8C-ABCE6D204223}.exe

Filesize
216KB

MD5
7883873ac6708cea9507b5cb8b4125bb

SHA1
aae5da1d4c6a1a2273f181418d4d470cdf7b8742

SHA256
952fdc6a4038dfc666a09378b51c1de4694832de473f0f1e6b51188252e7ddf1

SHA512
b81dda620566fca9c71c3ef565a0e495672ba3a4756f4582aa1e08f55a3bd8222695e20db2d23165cbeb078104b2f736b5a988b661dde58baa18ac51c5694ec2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads