c1cb1e24c22776c73239c3cc322ba1b9f94028ad3c814a2192fddec282b1dc4b

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 06:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8d322a87ee89698845ad23fcf91ecde0_NeikiAnalytics.exe
Size

64KB
MD5

8d322a87ee89698845ad23fcf91ecde0
SHA1

4372233c367ab4972ce801978ef337c7b4d2479b
SHA256

c1cb1e24c22776c73239c3cc322ba1b9f94028ad3c814a2192fddec282b1dc4b
SHA512

f2d0cdcb59a424e306c1e4d42eed4f34642db05940f23e3e242dfc07519c9946c67a2987e4ea4a6383e30366a0920c54a8c0094f722e4dd9d256555f31d783cf
SSDEEP

384:ObLwOs8AHsc4zMfwhKQLrod4/CFsrdHWMZy:Ovw981JvhKQLrod4/wQpWMZy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DA08251-6034-4554-8C9F-0D119747F35D}\stubpath = "C:\\Windows\\{7DA08251-6034-4554-8C9F-0D119747F35D}.exe"	8d322a87ee89698845ad23fcf91ecde0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37880588-2E8A-4775-9CEA-4CFB4EBA2EEB}	{7DA08251-6034-4554-8C9F-0D119747F35D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{289A8279-4DF1-46f8-B427-D2A2ACD296CC}\stubpath = "C:\\Windows\\{289A8279-4DF1-46f8-B427-D2A2ACD296CC}.exe"	{37880588-2E8A-4775-9CEA-4CFB4EBA2EEB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46F29CD6-4280-4a73-AF0E-DBEA3C545F22}	{289A8279-4DF1-46f8-B427-D2A2ACD296CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46F29CD6-4280-4a73-AF0E-DBEA3C545F22}\stubpath = "C:\\Windows\\{46F29CD6-4280-4a73-AF0E-DBEA3C545F22}.exe"	{289A8279-4DF1-46f8-B427-D2A2ACD296CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C17D62B-F2D0-43f9-9D77-582028B57C65}	{CCDFD99B-570A-4c92-B3C7-2D895629B47C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51E4C196-521C-43e8-872B-D678B64EBF04}\stubpath = "C:\\Windows\\{51E4C196-521C-43e8-872B-D678B64EBF04}.exe"	{2C17D62B-F2D0-43f9-9D77-582028B57C65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DA08251-6034-4554-8C9F-0D119747F35D}	8d322a87ee89698845ad23fcf91ecde0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48102456-C26C-497a-B94E-A7D298193C0D}	{B91C408E-404A-4828-8E0B-A40942429E1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCDFD99B-570A-4c92-B3C7-2D895629B47C}\stubpath = "C:\\Windows\\{CCDFD99B-570A-4c92-B3C7-2D895629B47C}.exe"	{46F29CD6-4280-4a73-AF0E-DBEA3C545F22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{289A8279-4DF1-46f8-B427-D2A2ACD296CC}	{37880588-2E8A-4775-9CEA-4CFB4EBA2EEB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCDFD99B-570A-4c92-B3C7-2D895629B47C}	{46F29CD6-4280-4a73-AF0E-DBEA3C545F22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51E4C196-521C-43e8-872B-D678B64EBF04}	{2C17D62B-F2D0-43f9-9D77-582028B57C65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE7312B9-26C1-4cbe-8B39-A0195E25368B}	{51E4C196-521C-43e8-872B-D678B64EBF04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE7312B9-26C1-4cbe-8B39-A0195E25368B}\stubpath = "C:\\Windows\\{AE7312B9-26C1-4cbe-8B39-A0195E25368B}.exe"	{51E4C196-521C-43e8-872B-D678B64EBF04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C59F97F-AAE9-4b84-99C5-3A13BC20F29C}\stubpath = "C:\\Windows\\{3C59F97F-AAE9-4b84-99C5-3A13BC20F29C}.exe"	{AE7312B9-26C1-4cbe-8B39-A0195E25368B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B91C408E-404A-4828-8E0B-A40942429E1A}	{3C59F97F-AAE9-4b84-99C5-3A13BC20F29C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37880588-2E8A-4775-9CEA-4CFB4EBA2EEB}\stubpath = "C:\\Windows\\{37880588-2E8A-4775-9CEA-4CFB4EBA2EEB}.exe"	{7DA08251-6034-4554-8C9F-0D119747F35D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48102456-C26C-497a-B94E-A7D298193C0D}\stubpath = "C:\\Windows\\{48102456-C26C-497a-B94E-A7D298193C0D}.exe"	{B91C408E-404A-4828-8E0B-A40942429E1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B91C408E-404A-4828-8E0B-A40942429E1A}\stubpath = "C:\\Windows\\{B91C408E-404A-4828-8E0B-A40942429E1A}.exe"	{3C59F97F-AAE9-4b84-99C5-3A13BC20F29C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C59F97F-AAE9-4b84-99C5-3A13BC20F29C}	{AE7312B9-26C1-4cbe-8B39-A0195E25368B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C17D62B-F2D0-43f9-9D77-582028B57C65}\stubpath = "C:\\Windows\\{2C17D62B-F2D0-43f9-9D77-582028B57C65}.exe"	{CCDFD99B-570A-4c92-B3C7-2D895629B47C}.exe

Deletes itself 1 IoCs

pid	Process
3064	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3004	{7DA08251-6034-4554-8C9F-0D119747F35D}.exe
2748	{37880588-2E8A-4775-9CEA-4CFB4EBA2EEB}.exe
2572	{289A8279-4DF1-46f8-B427-D2A2ACD296CC}.exe
2824	{46F29CD6-4280-4a73-AF0E-DBEA3C545F22}.exe
2436	{CCDFD99B-570A-4c92-B3C7-2D895629B47C}.exe
2344	{2C17D62B-F2D0-43f9-9D77-582028B57C65}.exe
2664	{51E4C196-521C-43e8-872B-D678B64EBF04}.exe
2120	{AE7312B9-26C1-4cbe-8B39-A0195E25368B}.exe
2096	{3C59F97F-AAE9-4b84-99C5-3A13BC20F29C}.exe
1396	{B91C408E-404A-4828-8E0B-A40942429E1A}.exe
1136	{48102456-C26C-497a-B94E-A7D298193C0D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7DA08251-6034-4554-8C9F-0D119747F35D}.exe	8d322a87ee89698845ad23fcf91ecde0_NeikiAnalytics.exe
File created	C:\Windows\{289A8279-4DF1-46f8-B427-D2A2ACD296CC}.exe	{37880588-2E8A-4775-9CEA-4CFB4EBA2EEB}.exe
File created	C:\Windows\{CCDFD99B-570A-4c92-B3C7-2D895629B47C}.exe	{46F29CD6-4280-4a73-AF0E-DBEA3C545F22}.exe
File created	C:\Windows\{AE7312B9-26C1-4cbe-8B39-A0195E25368B}.exe	{51E4C196-521C-43e8-872B-D678B64EBF04}.exe
File created	C:\Windows\{3C59F97F-AAE9-4b84-99C5-3A13BC20F29C}.exe	{AE7312B9-26C1-4cbe-8B39-A0195E25368B}.exe
File created	C:\Windows\{B91C408E-404A-4828-8E0B-A40942429E1A}.exe	{3C59F97F-AAE9-4b84-99C5-3A13BC20F29C}.exe
File created	C:\Windows\{37880588-2E8A-4775-9CEA-4CFB4EBA2EEB}.exe	{7DA08251-6034-4554-8C9F-0D119747F35D}.exe
File created	C:\Windows\{46F29CD6-4280-4a73-AF0E-DBEA3C545F22}.exe	{289A8279-4DF1-46f8-B427-D2A2ACD296CC}.exe
File created	C:\Windows\{2C17D62B-F2D0-43f9-9D77-582028B57C65}.exe	{CCDFD99B-570A-4c92-B3C7-2D895629B47C}.exe
File created	C:\Windows\{51E4C196-521C-43e8-872B-D678B64EBF04}.exe	{2C17D62B-F2D0-43f9-9D77-582028B57C65}.exe
File created	C:\Windows\{48102456-C26C-497a-B94E-A7D298193C0D}.exe	{B91C408E-404A-4828-8E0B-A40942429E1A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2320	8d322a87ee89698845ad23fcf91ecde0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	3004	{7DA08251-6034-4554-8C9F-0D119747F35D}.exe
Token: SeIncBasePriorityPrivilege	2748	{37880588-2E8A-4775-9CEA-4CFB4EBA2EEB}.exe
Token: SeIncBasePriorityPrivilege	2572	{289A8279-4DF1-46f8-B427-D2A2ACD296CC}.exe
Token: SeIncBasePriorityPrivilege	2824	{46F29CD6-4280-4a73-AF0E-DBEA3C545F22}.exe
Token: SeIncBasePriorityPrivilege	2436	{CCDFD99B-570A-4c92-B3C7-2D895629B47C}.exe
Token: SeIncBasePriorityPrivilege	2344	{2C17D62B-F2D0-43f9-9D77-582028B57C65}.exe
Token: SeIncBasePriorityPrivilege	2664	{51E4C196-521C-43e8-872B-D678B64EBF04}.exe
Token: SeIncBasePriorityPrivilege	2120	{AE7312B9-26C1-4cbe-8B39-A0195E25368B}.exe
Token: SeIncBasePriorityPrivilege	2096	{3C59F97F-AAE9-4b84-99C5-3A13BC20F29C}.exe
Token: SeIncBasePriorityPrivilege	1396	{B91C408E-404A-4828-8E0B-A40942429E1A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 3004	2320	8d322a87ee89698845ad23fcf91ecde0_NeikiAnalytics.exe	28
PID 2320 wrote to memory of 3004	2320	8d322a87ee89698845ad23fcf91ecde0_NeikiAnalytics.exe	28
PID 2320 wrote to memory of 3004	2320	8d322a87ee89698845ad23fcf91ecde0_NeikiAnalytics.exe	28
PID 2320 wrote to memory of 3004	2320	8d322a87ee89698845ad23fcf91ecde0_NeikiAnalytics.exe	28
PID 2320 wrote to memory of 3064	2320	8d322a87ee89698845ad23fcf91ecde0_NeikiAnalytics.exe	29
PID 2320 wrote to memory of 3064	2320	8d322a87ee89698845ad23fcf91ecde0_NeikiAnalytics.exe	29
PID 2320 wrote to memory of 3064	2320	8d322a87ee89698845ad23fcf91ecde0_NeikiAnalytics.exe	29
PID 2320 wrote to memory of 3064	2320	8d322a87ee89698845ad23fcf91ecde0_NeikiAnalytics.exe	29
PID 3004 wrote to memory of 2748	3004	{7DA08251-6034-4554-8C9F-0D119747F35D}.exe	30
PID 3004 wrote to memory of 2748	3004	{7DA08251-6034-4554-8C9F-0D119747F35D}.exe	30
PID 3004 wrote to memory of 2748	3004	{7DA08251-6034-4554-8C9F-0D119747F35D}.exe	30
PID 3004 wrote to memory of 2748	3004	{7DA08251-6034-4554-8C9F-0D119747F35D}.exe	30
PID 3004 wrote to memory of 2896	3004	{7DA08251-6034-4554-8C9F-0D119747F35D}.exe	31
PID 3004 wrote to memory of 2896	3004	{7DA08251-6034-4554-8C9F-0D119747F35D}.exe	31
PID 3004 wrote to memory of 2896	3004	{7DA08251-6034-4554-8C9F-0D119747F35D}.exe	31
PID 3004 wrote to memory of 2896	3004	{7DA08251-6034-4554-8C9F-0D119747F35D}.exe	31
PID 2748 wrote to memory of 2572	2748	{37880588-2E8A-4775-9CEA-4CFB4EBA2EEB}.exe	32
PID 2748 wrote to memory of 2572	2748	{37880588-2E8A-4775-9CEA-4CFB4EBA2EEB}.exe	32
PID 2748 wrote to memory of 2572	2748	{37880588-2E8A-4775-9CEA-4CFB4EBA2EEB}.exe	32
PID 2748 wrote to memory of 2572	2748	{37880588-2E8A-4775-9CEA-4CFB4EBA2EEB}.exe	32
PID 2748 wrote to memory of 2460	2748	{37880588-2E8A-4775-9CEA-4CFB4EBA2EEB}.exe	33
PID 2748 wrote to memory of 2460	2748	{37880588-2E8A-4775-9CEA-4CFB4EBA2EEB}.exe	33
PID 2748 wrote to memory of 2460	2748	{37880588-2E8A-4775-9CEA-4CFB4EBA2EEB}.exe	33
PID 2748 wrote to memory of 2460	2748	{37880588-2E8A-4775-9CEA-4CFB4EBA2EEB}.exe	33
PID 2572 wrote to memory of 2824	2572	{289A8279-4DF1-46f8-B427-D2A2ACD296CC}.exe	36
PID 2572 wrote to memory of 2824	2572	{289A8279-4DF1-46f8-B427-D2A2ACD296CC}.exe	36
PID 2572 wrote to memory of 2824	2572	{289A8279-4DF1-46f8-B427-D2A2ACD296CC}.exe	36
PID 2572 wrote to memory of 2824	2572	{289A8279-4DF1-46f8-B427-D2A2ACD296CC}.exe	36
PID 2572 wrote to memory of 2880	2572	{289A8279-4DF1-46f8-B427-D2A2ACD296CC}.exe	37
PID 2572 wrote to memory of 2880	2572	{289A8279-4DF1-46f8-B427-D2A2ACD296CC}.exe	37
PID 2572 wrote to memory of 2880	2572	{289A8279-4DF1-46f8-B427-D2A2ACD296CC}.exe	37
PID 2572 wrote to memory of 2880	2572	{289A8279-4DF1-46f8-B427-D2A2ACD296CC}.exe	37
PID 2824 wrote to memory of 2436	2824	{46F29CD6-4280-4a73-AF0E-DBEA3C545F22}.exe	38
PID 2824 wrote to memory of 2436	2824	{46F29CD6-4280-4a73-AF0E-DBEA3C545F22}.exe	38
PID 2824 wrote to memory of 2436	2824	{46F29CD6-4280-4a73-AF0E-DBEA3C545F22}.exe	38
PID 2824 wrote to memory of 2436	2824	{46F29CD6-4280-4a73-AF0E-DBEA3C545F22}.exe	38
PID 2824 wrote to memory of 1284	2824	{46F29CD6-4280-4a73-AF0E-DBEA3C545F22}.exe	39
PID 2824 wrote to memory of 1284	2824	{46F29CD6-4280-4a73-AF0E-DBEA3C545F22}.exe	39
PID 2824 wrote to memory of 1284	2824	{46F29CD6-4280-4a73-AF0E-DBEA3C545F22}.exe	39
PID 2824 wrote to memory of 1284	2824	{46F29CD6-4280-4a73-AF0E-DBEA3C545F22}.exe	39
PID 2436 wrote to memory of 2344	2436	{CCDFD99B-570A-4c92-B3C7-2D895629B47C}.exe	40
PID 2436 wrote to memory of 2344	2436	{CCDFD99B-570A-4c92-B3C7-2D895629B47C}.exe	40
PID 2436 wrote to memory of 2344	2436	{CCDFD99B-570A-4c92-B3C7-2D895629B47C}.exe	40
PID 2436 wrote to memory of 2344	2436	{CCDFD99B-570A-4c92-B3C7-2D895629B47C}.exe	40
PID 2436 wrote to memory of 1948	2436	{CCDFD99B-570A-4c92-B3C7-2D895629B47C}.exe	41
PID 2436 wrote to memory of 1948	2436	{CCDFD99B-570A-4c92-B3C7-2D895629B47C}.exe	41
PID 2436 wrote to memory of 1948	2436	{CCDFD99B-570A-4c92-B3C7-2D895629B47C}.exe	41
PID 2436 wrote to memory of 1948	2436	{CCDFD99B-570A-4c92-B3C7-2D895629B47C}.exe	41
PID 2344 wrote to memory of 2664	2344	{2C17D62B-F2D0-43f9-9D77-582028B57C65}.exe	42
PID 2344 wrote to memory of 2664	2344	{2C17D62B-F2D0-43f9-9D77-582028B57C65}.exe	42
PID 2344 wrote to memory of 2664	2344	{2C17D62B-F2D0-43f9-9D77-582028B57C65}.exe	42
PID 2344 wrote to memory of 2664	2344	{2C17D62B-F2D0-43f9-9D77-582028B57C65}.exe	42
PID 2344 wrote to memory of 1824	2344	{2C17D62B-F2D0-43f9-9D77-582028B57C65}.exe	43
PID 2344 wrote to memory of 1824	2344	{2C17D62B-F2D0-43f9-9D77-582028B57C65}.exe	43
PID 2344 wrote to memory of 1824	2344	{2C17D62B-F2D0-43f9-9D77-582028B57C65}.exe	43
PID 2344 wrote to memory of 1824	2344	{2C17D62B-F2D0-43f9-9D77-582028B57C65}.exe	43
PID 2664 wrote to memory of 2120	2664	{51E4C196-521C-43e8-872B-D678B64EBF04}.exe	44
PID 2664 wrote to memory of 2120	2664	{51E4C196-521C-43e8-872B-D678B64EBF04}.exe	44
PID 2664 wrote to memory of 2120	2664	{51E4C196-521C-43e8-872B-D678B64EBF04}.exe	44
PID 2664 wrote to memory of 2120	2664	{51E4C196-521C-43e8-872B-D678B64EBF04}.exe	44
PID 2664 wrote to memory of 1336	2664	{51E4C196-521C-43e8-872B-D678B64EBF04}.exe	45
PID 2664 wrote to memory of 1336	2664	{51E4C196-521C-43e8-872B-D678B64EBF04}.exe	45
PID 2664 wrote to memory of 1336	2664	{51E4C196-521C-43e8-872B-D678B64EBF04}.exe	45
PID 2664 wrote to memory of 1336	2664	{51E4C196-521C-43e8-872B-D678B64EBF04}.exe	45

C:\Users\Admin\AppData\Local\Temp\8d322a87ee89698845ad23fcf91ecde0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8d322a87ee89698845ad23fcf91ecde0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\{7DA08251-6034-4554-8C9F-0D119747F35D}.exe
  C:\Windows\{7DA08251-6034-4554-8C9F-0D119747F35D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\{37880588-2E8A-4775-9CEA-4CFB4EBA2EEB}.exe
    C:\Windows\{37880588-2E8A-4775-9CEA-4CFB4EBA2EEB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\{289A8279-4DF1-46f8-B427-D2A2ACD296CC}.exe
      C:\Windows\{289A8279-4DF1-46f8-B427-D2A2ACD296CC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\{46F29CD6-4280-4a73-AF0E-DBEA3C545F22}.exe
        
        C:\Windows\{46F29CD6-4280-4a73-AF0E-DBEA3C545F22}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2824
      - C:\Windows\{CCDFD99B-570A-4c92-B3C7-2D895629B47C}.exe
        
        C:\Windows\{CCDFD99B-570A-4c92-B3C7-2D895629B47C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\{2C17D62B-F2D0-43f9-9D77-582028B57C65}.exe
        
        C:\Windows\{2C17D62B-F2D0-43f9-9D77-582028B57C65}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\{51E4C196-521C-43e8-872B-D678B64EBF04}.exe
        
        C:\Windows\{51E4C196-521C-43e8-872B-D678B64EBF04}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\{AE7312B9-26C1-4cbe-8B39-A0195E25368B}.exe
        
        C:\Windows\{AE7312B9-26C1-4cbe-8B39-A0195E25368B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
        
        C:\Windows\{3C59F97F-AAE9-4b84-99C5-3A13BC20F29C}.exe
        
        C:\Windows\{3C59F97F-AAE9-4b84-99C5-3A13BC20F29C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
        
        C:\Windows\{B91C408E-404A-4828-8E0B-A40942429E1A}.exe
        
        C:\Windows\{B91C408E-404A-4828-8E0B-A40942429E1A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1396
        
        C:\Windows\{48102456-C26C-497a-B94E-A7D298193C0D}.exe
        
        C:\Windows\{48102456-C26C-497a-B94E-A7D298193C0D}.exe
        12⤵
        Executes dropped EXE
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B91C4~1.EXE > nul
        12⤵
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C59F~1.EXE > nul
        11⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE731~1.EXE > nul
        10⤵
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51E4C~1.EXE > nul
        9⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C17D~1.EXE > nul
        8⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCDFD~1.EXE > nul
        7⤵
        
        PID:1948
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46F29~1.EXE > nul
        6⤵
        
        PID:1284
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{289A8~1.EXE > nul
        5⤵
        
        PID:2880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{37880~1.EXE > nul
      4⤵
      PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7DA08~1.EXE > nul
    3⤵
    PID:2896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\8D322A~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{289A8279-4DF1-46f8-B427-D2A2ACD296CC}.exe

Filesize
64KB

MD5
a85aa4fb6e3e01c898952243505439fa

SHA1
89e59cf4422c1fa37a789affe38b991315201736

SHA256
e713222d651d9330813fe45926a084e1228238edb53b384abdcc985cee69ac2b

SHA512
e953ff707bf2c545d497fe97feda958d1d79d80e8aefef784c8e65a44f62136d80549ae489c72a51990a8afb925af2b4828cd06c5d53e3d7bdcd85179245e948

Download Submit
C:\Windows\{2C17D62B-F2D0-43f9-9D77-582028B57C65}.exe

Filesize
64KB

MD5
5cc5c839953666b993530930381eff06

SHA1
65ac1173d63be37a1c790f7fca39568d406286de

SHA256
bbc43315804a27a386cf903cbce337f4422d9badb62cca0211f2ca3e3c8443cd

SHA512
56736abbcc327610d6729356be7b96186722644d54bf5ea8de430ca8b3c024720eaed488dd6d66c2e3247e041edca314b2ad2c23a6c1b4afdc872c8c908f55af

Download Submit
C:\Windows\{37880588-2E8A-4775-9CEA-4CFB4EBA2EEB}.exe

Filesize
64KB

MD5
769dfebda08542b2bd3be1d5a3a7d9d2

SHA1
a19e96fac1ba1844d0775cd5f39a3a5c297972c6

SHA256
40a67a64345ba0fcb970c2eb73020d18803ea412ff337db372bd2debce891c4d

SHA512
6884dfe11887ae28396ad3f285be95d035de6cfb47fce3e5c941f608a9cee49afa9a8335dd9237f58876ce395026093f02cf4930097502637cc81a41a0ec9caf

Download Submit
C:\Windows\{3C59F97F-AAE9-4b84-99C5-3A13BC20F29C}.exe

Filesize
64KB

MD5
d54ef68fb92d23d99efc9dabf3cb07fc

SHA1
b67c992de62e7933777b3608dcaa291c85d328f0

SHA256
f5a7f1f072da43cbed1bded6d6f6b2b3433fd2159bab79fb7e6568426042a8fd

SHA512
e1c65d32c63b24ab967144dd8b9879a8bae46caa3bdfa7e347494f5cca9001adcc52547aa20c586e8da619ff1ed84683f10fbe1ee52ef24b0b77ca98360d469d

Download Submit
C:\Windows\{46F29CD6-4280-4a73-AF0E-DBEA3C545F22}.exe

Filesize
64KB

MD5
03b17ac7ece133921e4c2d43c8a93ef7

SHA1
ecac952ac3c726ce54abf61b402f4885d5bb6544

SHA256
10db3591c4624ce00accf458d4b17b7961b22499ab72390ea97403efa5c1ef2c

SHA512
25067e15c1ea9b59ecf2de3a49e150ce1cf2e0167ae08ac2b66f25f19012d5f3267d9d3e8e954cafc48b202f0c318ab371f3b8cfa628b89a88e139f93ed73bb7

Download Submit
C:\Windows\{48102456-C26C-497a-B94E-A7D298193C0D}.exe

Filesize
64KB

MD5
2a53bd9bacb2b955996b3941004d17a7

SHA1
8f60a54b14a74a8c1fac6e45341a27d8b7381d69

SHA256
44b16651a4220c308db7befa6baa3d10bd720135f1322bf80a4e9748c08cf252

SHA512
ba89c093a5a5ca0bd3a7d27e03cfd5f60777b7e5d484c4e0554a6835a14a5231c1889a9dc98aaaf5aa0fc933f5b0a1e938b592cfc4f94d64ccf684648c49484f

Download Submit
C:\Windows\{51E4C196-521C-43e8-872B-D678B64EBF04}.exe

Filesize
64KB

MD5
3cf4b5d75d75c1a941c42c268cf2fe9a

SHA1
69593e410d872c2a8b02dcd18cb8787c9a93a426

SHA256
ccc890e10bbfc3302eed8f3e6ae81d3951b53d3759d73b2e0698e8876981442c

SHA512
8b0f7c4f37ebefd6a92f429580b7c3cbd3e92b812453346dba6e75710077cd14af2f56ade5cb061ac3c548d66a91c5095804478be14ab2dc20de57e19be507d6

Download Submit
C:\Windows\{7DA08251-6034-4554-8C9F-0D119747F35D}.exe

Filesize
64KB

MD5
0b0bb210f26248b461761115057e2447

SHA1
4e2d473c4218dd954e577714edc82469b71b7483

SHA256
a758973353e0a131d467cb27d32eeff4e40fbed0d034a3cf563529af9742f760

SHA512
21a54ead917773e421b5ef8952d41936a0e2c7e74549fbfdb60bec9c0ab0ffba05ee3f5b6184dfa733b298633ac327c3632ad24ceca22ac71046d2bf196c73f8

Download Submit
C:\Windows\{AE7312B9-26C1-4cbe-8B39-A0195E25368B}.exe

Filesize
64KB

MD5
d8f15b8b8e548cfec2737d9f7ea306da

SHA1
cb65d83a08d0733f5cb4fa50c7cdaa1cc82252e6

SHA256
dcd9b57e2308f9891e434b73ee19892eb32a4d6d026c31f36fc3336cc5ea9747

SHA512
9aa57008dd6efc602558b2dd2c76b278a69f2582aa0f5974e3af5200308456727911d6abeda140a548617f41864547db24cc14c3c5c2025d1fdeba12aef6da7f

Download Submit
C:\Windows\{B91C408E-404A-4828-8E0B-A40942429E1A}.exe

Filesize
64KB

MD5
35abe4f5ea3ee0c5f45205a2986b108b

SHA1
4cbd215d09e77c618e40752db29973cbc1cfd22c

SHA256
0f12afb9d7ada4127a36a2e932a15fed4322192463a913bba6b5e40d5f5721fe

SHA512
a838644dfd89d0f8b93ca10c5db46f954e9efc519ff298fe438b466825ba53737f0a8c418e9c770d7c55aac83614213e6a501429e5ee7eab0863b534dfc4cb48

Download Submit
C:\Windows\{CCDFD99B-570A-4c92-B3C7-2D895629B47C}.exe

Filesize
64KB

MD5
b521216e30db5bd6a1ece7b8e30e3ad3

SHA1
cae6bf68092e938d2f9d76e866989a5f01b0fb5a

SHA256
096370bd47585eca807b4bb197e50ff1db7586281ad6c3e1ce04bae1582385e4

SHA512
bbf75f8ae7fe415bd85cab5706074a546e6ed4aeab05bcd370135535a3016f97743cbbb8e77ec1094ed501cb2cdfcc69216791d0f8b86b6f474b8caefd961f0e

Download Submit
memory/1396-87-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1396-95-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2096-86-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2120-78-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2320-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2320-7-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/2320-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2320-8-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/2344-61-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2344-57-0x0000000000340000-0x0000000000350000-memory.dmp

Filesize
64KB

Download
memory/2436-53-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2436-45-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2572-34-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2664-69-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2748-27-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2748-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2824-44-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2824-36-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3004-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3004-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads