47f0a799d971820be72771946603ca1e87282732e38ba08452c0a984d356d973

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8026b8038e153f514f7918d4823a59b0_NeikiAnalytics.exe
Size

116KB
MD5

8026b8038e153f514f7918d4823a59b0
SHA1

21872ffc47b71aeb03be413e6d008d925ef72e2b
SHA256

47f0a799d971820be72771946603ca1e87282732e38ba08452c0a984d356d973
SHA512

a099745034f7bfd979e6b6edf89e8de5153faa4d04554dd4f94f101c3ff11b4847f83d4728a737f566dc33ede0cd6a04c086a1933e35f4f09ed846cc4874bd65
SSDEEP

768:Qvw9816vhKQLro74/wQRNrfrunMxVFA3b7glwRjMlfwGxEI5nWAwxt6sDntNiLJN:YEGh0o7l2unMxVS3HgdoKjhLJhL

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E263281-1BA6-4e7e-9B9A-BBBD6598EACA}\stubpath = "C:\\Windows\\{8E263281-1BA6-4e7e-9B9A-BBBD6598EACA}.exe"	8026b8038e153f514f7918d4823a59b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B527E516-B607-42cd-B91E-D15B30E69290}	{8E263281-1BA6-4e7e-9B9A-BBBD6598EACA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F618D3ED-D778-46df-A7C1-49C2EFF7AC90}\stubpath = "C:\\Windows\\{F618D3ED-D778-46df-A7C1-49C2EFF7AC90}.exe"	{86113BEA-D9CD-425d-A637-4D1BA437A14F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3934A7FD-6778-4b5a-890E-0A2689359546}\stubpath = "C:\\Windows\\{3934A7FD-6778-4b5a-890E-0A2689359546}.exe"	{F618D3ED-D778-46df-A7C1-49C2EFF7AC90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2585D47C-518B-4d95-91E4-A6B18A72B1CA}	{3934A7FD-6778-4b5a-890E-0A2689359546}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2632340A-A0BA-41ac-BFE0-2C7DAC6A08E6}	{2585D47C-518B-4d95-91E4-A6B18A72B1CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2632340A-A0BA-41ac-BFE0-2C7DAC6A08E6}\stubpath = "C:\\Windows\\{2632340A-A0BA-41ac-BFE0-2C7DAC6A08E6}.exe"	{2585D47C-518B-4d95-91E4-A6B18A72B1CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85CBE025-384F-470f-ABE3-826AD8897491}	{2632340A-A0BA-41ac-BFE0-2C7DAC6A08E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5271A31A-9045-4d6b-AA07-1416FB075335}\stubpath = "C:\\Windows\\{5271A31A-9045-4d6b-AA07-1416FB075335}.exe"	{C83D2212-FF65-4b20-AFAA-3836047CC328}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3934A7FD-6778-4b5a-890E-0A2689359546}	{F618D3ED-D778-46df-A7C1-49C2EFF7AC90}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85CBE025-384F-470f-ABE3-826AD8897491}\stubpath = "C:\\Windows\\{85CBE025-384F-470f-ABE3-826AD8897491}.exe"	{2632340A-A0BA-41ac-BFE0-2C7DAC6A08E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C83D2212-FF65-4b20-AFAA-3836047CC328}	{85CBE025-384F-470f-ABE3-826AD8897491}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5271A31A-9045-4d6b-AA07-1416FB075335}	{C83D2212-FF65-4b20-AFAA-3836047CC328}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B527E516-B607-42cd-B91E-D15B30E69290}\stubpath = "C:\\Windows\\{B527E516-B607-42cd-B91E-D15B30E69290}.exe"	{8E263281-1BA6-4e7e-9B9A-BBBD6598EACA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9077319B-BDB6-4dcb-A0E0-1615C8BA1E6B}\stubpath = "C:\\Windows\\{9077319B-BDB6-4dcb-A0E0-1615C8BA1E6B}.exe"	{B527E516-B607-42cd-B91E-D15B30E69290}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86113BEA-D9CD-425d-A637-4D1BA437A14F}	{9077319B-BDB6-4dcb-A0E0-1615C8BA1E6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86113BEA-D9CD-425d-A637-4D1BA437A14F}\stubpath = "C:\\Windows\\{86113BEA-D9CD-425d-A637-4D1BA437A14F}.exe"	{9077319B-BDB6-4dcb-A0E0-1615C8BA1E6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F618D3ED-D778-46df-A7C1-49C2EFF7AC90}	{86113BEA-D9CD-425d-A637-4D1BA437A14F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C83D2212-FF65-4b20-AFAA-3836047CC328}\stubpath = "C:\\Windows\\{C83D2212-FF65-4b20-AFAA-3836047CC328}.exe"	{85CBE025-384F-470f-ABE3-826AD8897491}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E263281-1BA6-4e7e-9B9A-BBBD6598EACA}	8026b8038e153f514f7918d4823a59b0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9077319B-BDB6-4dcb-A0E0-1615C8BA1E6B}	{B527E516-B607-42cd-B91E-D15B30E69290}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2585D47C-518B-4d95-91E4-A6B18A72B1CA}\stubpath = "C:\\Windows\\{2585D47C-518B-4d95-91E4-A6B18A72B1CA}.exe"	{3934A7FD-6778-4b5a-890E-0A2689359546}.exe

Deletes itself 1 IoCs

pid	Process
1580	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1248	{8E263281-1BA6-4e7e-9B9A-BBBD6598EACA}.exe
2572	{B527E516-B607-42cd-B91E-D15B30E69290}.exe
2412	{9077319B-BDB6-4dcb-A0E0-1615C8BA1E6B}.exe
848	{86113BEA-D9CD-425d-A637-4D1BA437A14F}.exe
2752	{F618D3ED-D778-46df-A7C1-49C2EFF7AC90}.exe
2200	{3934A7FD-6778-4b5a-890E-0A2689359546}.exe
2372	{2585D47C-518B-4d95-91E4-A6B18A72B1CA}.exe
296	{2632340A-A0BA-41ac-BFE0-2C7DAC6A08E6}.exe
2940	{85CBE025-384F-470f-ABE3-826AD8897491}.exe
628	{C83D2212-FF65-4b20-AFAA-3836047CC328}.exe
944	{5271A31A-9045-4d6b-AA07-1416FB075335}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8E263281-1BA6-4e7e-9B9A-BBBD6598EACA}.exe	8026b8038e153f514f7918d4823a59b0_NeikiAnalytics.exe
File created	C:\Windows\{86113BEA-D9CD-425d-A637-4D1BA437A14F}.exe	{9077319B-BDB6-4dcb-A0E0-1615C8BA1E6B}.exe
File created	C:\Windows\{F618D3ED-D778-46df-A7C1-49C2EFF7AC90}.exe	{86113BEA-D9CD-425d-A637-4D1BA437A14F}.exe
File created	C:\Windows\{2632340A-A0BA-41ac-BFE0-2C7DAC6A08E6}.exe	{2585D47C-518B-4d95-91E4-A6B18A72B1CA}.exe
File created	C:\Windows\{5271A31A-9045-4d6b-AA07-1416FB075335}.exe	{C83D2212-FF65-4b20-AFAA-3836047CC328}.exe
File created	C:\Windows\{B527E516-B607-42cd-B91E-D15B30E69290}.exe	{8E263281-1BA6-4e7e-9B9A-BBBD6598EACA}.exe
File created	C:\Windows\{9077319B-BDB6-4dcb-A0E0-1615C8BA1E6B}.exe	{B527E516-B607-42cd-B91E-D15B30E69290}.exe
File created	C:\Windows\{3934A7FD-6778-4b5a-890E-0A2689359546}.exe	{F618D3ED-D778-46df-A7C1-49C2EFF7AC90}.exe
File created	C:\Windows\{2585D47C-518B-4d95-91E4-A6B18A72B1CA}.exe	{3934A7FD-6778-4b5a-890E-0A2689359546}.exe
File created	C:\Windows\{85CBE025-384F-470f-ABE3-826AD8897491}.exe	{2632340A-A0BA-41ac-BFE0-2C7DAC6A08E6}.exe
File created	C:\Windows\{C83D2212-FF65-4b20-AFAA-3836047CC328}.exe	{85CBE025-384F-470f-ABE3-826AD8897491}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2132	8026b8038e153f514f7918d4823a59b0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	1248	{8E263281-1BA6-4e7e-9B9A-BBBD6598EACA}.exe
Token: SeIncBasePriorityPrivilege	2572	{B527E516-B607-42cd-B91E-D15B30E69290}.exe
Token: SeIncBasePriorityPrivilege	2412	{9077319B-BDB6-4dcb-A0E0-1615C8BA1E6B}.exe
Token: SeIncBasePriorityPrivilege	848	{86113BEA-D9CD-425d-A637-4D1BA437A14F}.exe
Token: SeIncBasePriorityPrivilege	2752	{F618D3ED-D778-46df-A7C1-49C2EFF7AC90}.exe
Token: SeIncBasePriorityPrivilege	2200	{3934A7FD-6778-4b5a-890E-0A2689359546}.exe
Token: SeIncBasePriorityPrivilege	2372	{2585D47C-518B-4d95-91E4-A6B18A72B1CA}.exe
Token: SeIncBasePriorityPrivilege	296	{2632340A-A0BA-41ac-BFE0-2C7DAC6A08E6}.exe
Token: SeIncBasePriorityPrivilege	2940	{85CBE025-384F-470f-ABE3-826AD8897491}.exe
Token: SeIncBasePriorityPrivilege	628	{C83D2212-FF65-4b20-AFAA-3836047CC328}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 1248	2132	8026b8038e153f514f7918d4823a59b0_NeikiAnalytics.exe	28
PID 2132 wrote to memory of 1248	2132	8026b8038e153f514f7918d4823a59b0_NeikiAnalytics.exe	28
PID 2132 wrote to memory of 1248	2132	8026b8038e153f514f7918d4823a59b0_NeikiAnalytics.exe	28
PID 2132 wrote to memory of 1248	2132	8026b8038e153f514f7918d4823a59b0_NeikiAnalytics.exe	28
PID 2132 wrote to memory of 1580	2132	8026b8038e153f514f7918d4823a59b0_NeikiAnalytics.exe	29
PID 2132 wrote to memory of 1580	2132	8026b8038e153f514f7918d4823a59b0_NeikiAnalytics.exe	29
PID 2132 wrote to memory of 1580	2132	8026b8038e153f514f7918d4823a59b0_NeikiAnalytics.exe	29
PID 2132 wrote to memory of 1580	2132	8026b8038e153f514f7918d4823a59b0_NeikiAnalytics.exe	29
PID 1248 wrote to memory of 2572	1248	{8E263281-1BA6-4e7e-9B9A-BBBD6598EACA}.exe	30
PID 1248 wrote to memory of 2572	1248	{8E263281-1BA6-4e7e-9B9A-BBBD6598EACA}.exe	30
PID 1248 wrote to memory of 2572	1248	{8E263281-1BA6-4e7e-9B9A-BBBD6598EACA}.exe	30
PID 1248 wrote to memory of 2572	1248	{8E263281-1BA6-4e7e-9B9A-BBBD6598EACA}.exe	30
PID 1248 wrote to memory of 2516	1248	{8E263281-1BA6-4e7e-9B9A-BBBD6598EACA}.exe	31
PID 1248 wrote to memory of 2516	1248	{8E263281-1BA6-4e7e-9B9A-BBBD6598EACA}.exe	31
PID 1248 wrote to memory of 2516	1248	{8E263281-1BA6-4e7e-9B9A-BBBD6598EACA}.exe	31
PID 1248 wrote to memory of 2516	1248	{8E263281-1BA6-4e7e-9B9A-BBBD6598EACA}.exe	31
PID 2572 wrote to memory of 2412	2572	{B527E516-B607-42cd-B91E-D15B30E69290}.exe	32
PID 2572 wrote to memory of 2412	2572	{B527E516-B607-42cd-B91E-D15B30E69290}.exe	32
PID 2572 wrote to memory of 2412	2572	{B527E516-B607-42cd-B91E-D15B30E69290}.exe	32
PID 2572 wrote to memory of 2412	2572	{B527E516-B607-42cd-B91E-D15B30E69290}.exe	32
PID 2572 wrote to memory of 2316	2572	{B527E516-B607-42cd-B91E-D15B30E69290}.exe	33
PID 2572 wrote to memory of 2316	2572	{B527E516-B607-42cd-B91E-D15B30E69290}.exe	33
PID 2572 wrote to memory of 2316	2572	{B527E516-B607-42cd-B91E-D15B30E69290}.exe	33
PID 2572 wrote to memory of 2316	2572	{B527E516-B607-42cd-B91E-D15B30E69290}.exe	33
PID 2412 wrote to memory of 848	2412	{9077319B-BDB6-4dcb-A0E0-1615C8BA1E6B}.exe	36
PID 2412 wrote to memory of 848	2412	{9077319B-BDB6-4dcb-A0E0-1615C8BA1E6B}.exe	36
PID 2412 wrote to memory of 848	2412	{9077319B-BDB6-4dcb-A0E0-1615C8BA1E6B}.exe	36
PID 2412 wrote to memory of 848	2412	{9077319B-BDB6-4dcb-A0E0-1615C8BA1E6B}.exe	36
PID 2412 wrote to memory of 2272	2412	{9077319B-BDB6-4dcb-A0E0-1615C8BA1E6B}.exe	37
PID 2412 wrote to memory of 2272	2412	{9077319B-BDB6-4dcb-A0E0-1615C8BA1E6B}.exe	37
PID 2412 wrote to memory of 2272	2412	{9077319B-BDB6-4dcb-A0E0-1615C8BA1E6B}.exe	37
PID 2412 wrote to memory of 2272	2412	{9077319B-BDB6-4dcb-A0E0-1615C8BA1E6B}.exe	37
PID 848 wrote to memory of 2752	848	{86113BEA-D9CD-425d-A637-4D1BA437A14F}.exe	38
PID 848 wrote to memory of 2752	848	{86113BEA-D9CD-425d-A637-4D1BA437A14F}.exe	38
PID 848 wrote to memory of 2752	848	{86113BEA-D9CD-425d-A637-4D1BA437A14F}.exe	38
PID 848 wrote to memory of 2752	848	{86113BEA-D9CD-425d-A637-4D1BA437A14F}.exe	38
PID 848 wrote to memory of 2880	848	{86113BEA-D9CD-425d-A637-4D1BA437A14F}.exe	39
PID 848 wrote to memory of 2880	848	{86113BEA-D9CD-425d-A637-4D1BA437A14F}.exe	39
PID 848 wrote to memory of 2880	848	{86113BEA-D9CD-425d-A637-4D1BA437A14F}.exe	39
PID 848 wrote to memory of 2880	848	{86113BEA-D9CD-425d-A637-4D1BA437A14F}.exe	39
PID 2752 wrote to memory of 2200	2752	{F618D3ED-D778-46df-A7C1-49C2EFF7AC90}.exe	40
PID 2752 wrote to memory of 2200	2752	{F618D3ED-D778-46df-A7C1-49C2EFF7AC90}.exe	40
PID 2752 wrote to memory of 2200	2752	{F618D3ED-D778-46df-A7C1-49C2EFF7AC90}.exe	40
PID 2752 wrote to memory of 2200	2752	{F618D3ED-D778-46df-A7C1-49C2EFF7AC90}.exe	40
PID 2752 wrote to memory of 1232	2752	{F618D3ED-D778-46df-A7C1-49C2EFF7AC90}.exe	41
PID 2752 wrote to memory of 1232	2752	{F618D3ED-D778-46df-A7C1-49C2EFF7AC90}.exe	41
PID 2752 wrote to memory of 1232	2752	{F618D3ED-D778-46df-A7C1-49C2EFF7AC90}.exe	41
PID 2752 wrote to memory of 1232	2752	{F618D3ED-D778-46df-A7C1-49C2EFF7AC90}.exe	41
PID 2200 wrote to memory of 2372	2200	{3934A7FD-6778-4b5a-890E-0A2689359546}.exe	42
PID 2200 wrote to memory of 2372	2200	{3934A7FD-6778-4b5a-890E-0A2689359546}.exe	42
PID 2200 wrote to memory of 2372	2200	{3934A7FD-6778-4b5a-890E-0A2689359546}.exe	42
PID 2200 wrote to memory of 2372	2200	{3934A7FD-6778-4b5a-890E-0A2689359546}.exe	42
PID 2200 wrote to memory of 1896	2200	{3934A7FD-6778-4b5a-890E-0A2689359546}.exe	43
PID 2200 wrote to memory of 1896	2200	{3934A7FD-6778-4b5a-890E-0A2689359546}.exe	43
PID 2200 wrote to memory of 1896	2200	{3934A7FD-6778-4b5a-890E-0A2689359546}.exe	43
PID 2200 wrote to memory of 1896	2200	{3934A7FD-6778-4b5a-890E-0A2689359546}.exe	43
PID 2372 wrote to memory of 296	2372	{2585D47C-518B-4d95-91E4-A6B18A72B1CA}.exe	44
PID 2372 wrote to memory of 296	2372	{2585D47C-518B-4d95-91E4-A6B18A72B1CA}.exe	44
PID 2372 wrote to memory of 296	2372	{2585D47C-518B-4d95-91E4-A6B18A72B1CA}.exe	44
PID 2372 wrote to memory of 296	2372	{2585D47C-518B-4d95-91E4-A6B18A72B1CA}.exe	44
PID 2372 wrote to memory of 1004	2372	{2585D47C-518B-4d95-91E4-A6B18A72B1CA}.exe	45
PID 2372 wrote to memory of 1004	2372	{2585D47C-518B-4d95-91E4-A6B18A72B1CA}.exe	45
PID 2372 wrote to memory of 1004	2372	{2585D47C-518B-4d95-91E4-A6B18A72B1CA}.exe	45
PID 2372 wrote to memory of 1004	2372	{2585D47C-518B-4d95-91E4-A6B18A72B1CA}.exe	45

C:\Users\Admin\AppData\Local\Temp\8026b8038e153f514f7918d4823a59b0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8026b8038e153f514f7918d4823a59b0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\{8E263281-1BA6-4e7e-9B9A-BBBD6598EACA}.exe
  C:\Windows\{8E263281-1BA6-4e7e-9B9A-BBBD6598EACA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Windows\{B527E516-B607-42cd-B91E-D15B30E69290}.exe
    C:\Windows\{B527E516-B607-42cd-B91E-D15B30E69290}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\{9077319B-BDB6-4dcb-A0E0-1615C8BA1E6B}.exe
      C:\Windows\{9077319B-BDB6-4dcb-A0E0-1615C8BA1E6B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2412
    - - C:\Windows\{86113BEA-D9CD-425d-A637-4D1BA437A14F}.exe
        
        C:\Windows\{86113BEA-D9CD-425d-A637-4D1BA437A14F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:848
      - C:\Windows\{F618D3ED-D778-46df-A7C1-49C2EFF7AC90}.exe
        
        C:\Windows\{F618D3ED-D778-46df-A7C1-49C2EFF7AC90}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\{3934A7FD-6778-4b5a-890E-0A2689359546}.exe
        
        C:\Windows\{3934A7FD-6778-4b5a-890E-0A2689359546}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\{2585D47C-518B-4d95-91E4-A6B18A72B1CA}.exe
        
        C:\Windows\{2585D47C-518B-4d95-91E4-A6B18A72B1CA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\{2632340A-A0BA-41ac-BFE0-2C7DAC6A08E6}.exe
        
        C:\Windows\{2632340A-A0BA-41ac-BFE0-2C7DAC6A08E6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:296
        
        C:\Windows\{85CBE025-384F-470f-ABE3-826AD8897491}.exe
        
        C:\Windows\{85CBE025-384F-470f-ABE3-826AD8897491}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        C:\Windows\{C83D2212-FF65-4b20-AFAA-3836047CC328}.exe
        
        C:\Windows\{C83D2212-FF65-4b20-AFAA-3836047CC328}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:628
        
        C:\Windows\{5271A31A-9045-4d6b-AA07-1416FB075335}.exe
        
        C:\Windows\{5271A31A-9045-4d6b-AA07-1416FB075335}.exe
        12⤵
        Executes dropped EXE
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C83D2~1.EXE > nul
        12⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85CBE~1.EXE > nul
        11⤵
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26323~1.EXE > nul
        10⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2585D~1.EXE > nul
        9⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3934A~1.EXE > nul
        8⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F618D~1.EXE > nul
        7⤵
        
        PID:1232
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86113~1.EXE > nul
        6⤵
        
        PID:2880
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90773~1.EXE > nul
        5⤵
        
        PID:2272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B527E~1.EXE > nul
      4⤵
      PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8E263~1.EXE > nul
    3⤵
    PID:2516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\8026B8~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2585D47C-518B-4d95-91E4-A6B18A72B1CA}.exe

Filesize
116KB

MD5
01531a1ef15be3d742ab24f22d177dac

SHA1
d6e15ddc4a0fb82bdcdb48a2862b709e9a3a4efe

SHA256
c7d28115145f70eaf51943f29bf61334e62cffb491e58c81cef0cda186259c1e

SHA512
fce3b9ceb8c397216fbcee81e7c83359b1c2f4610160163c49a30e21722656769731578a54fca6fecccb5afd1c67e08aa5d6791577cfc46e7c05feb29a8a63e8

Download Submit
C:\Windows\{2632340A-A0BA-41ac-BFE0-2C7DAC6A08E6}.exe

Filesize
116KB

MD5
5a393195da68b24f8f8b169bf3df2f62

SHA1
b50d8f1817fb8c5b4369fa8f2bdaacc91c3330fe

SHA256
98a6e8421908386a65b554dc5359614aa6b086125e88de352c1d73452c065e8c

SHA512
0946648045f104a105d69ea8834b456194d7593d35b63357416835f11915e6f4c25f425f424b9b3e05d2ba3616ab60ba4406fd3a6fc4ba5145f366e5a9a5fa56

Download Submit
C:\Windows\{3934A7FD-6778-4b5a-890E-0A2689359546}.exe

Filesize
116KB

MD5
f1ea317997295eff00279c2c7efbdc91

SHA1
799b619af174e204832edfc521ee2c100acb5893

SHA256
4c022badaff19aa93b6768ae087ccc5803694c0ec5845378eadcc83d8602b5f5

SHA512
0504a6327ebc21b6861a25b067a136eca04203f9e246e7be8ce52bbb9f89b2dc2f979610db274f42451ecb84581cc6e3266d70ffcd3ac0d1e2e42ed4d84d567e

Download Submit
C:\Windows\{5271A31A-9045-4d6b-AA07-1416FB075335}.exe

Filesize
116KB

MD5
f341d963b253b5378dac242187fcdfb6

SHA1
470cc2e81cc71d2b93ca8402a530f7874ad9c62f

SHA256
e40aa7a83fe83ea5550c0d9f193317663c9b401da403a5e290c693e0db909264

SHA512
454609bb408c782d1ef33f3c4f5d0da36d3302e56f442f20936651149a39c2951eb924b652ac32829c4fef01c7378af77ca52343c316e592f97b9a7fa62503f6

Download Submit
C:\Windows\{85CBE025-384F-470f-ABE3-826AD8897491}.exe

Filesize
116KB

MD5
65b52c681ee22baedebe49e6471f22f2

SHA1
096aa8a8ef2f499fd07c4f7556fb7384c98105dc

SHA256
9269fa818492e773fcaf11c43b1e9c58ed65ea16f5612d984bc8870be2215b59

SHA512
c81ea62028ed50eda50be60d91082e561eedff2b158dddef9e47cccd2bebde0b2faaab2789c8238259e2bdd71c08a1fda3b7b61dc36857141565f10cc181e0c9

Download Submit
C:\Windows\{86113BEA-D9CD-425d-A637-4D1BA437A14F}.exe

Filesize
116KB

MD5
94fba593bfdf13c05c707374ac3065d3

SHA1
d48a03954042669b1e64dad4839d4fdc2617df6d

SHA256
0d609ae7763264741109eb487ceb5e5e6dfc102dadb4ae334bbbce6266b98d0a

SHA512
a51f8a1a91a8084dff50f7f231249801bfa77ca14445aca7741ec7dcdb71c357842282c7af3d50476685b4e6e6c6318963fd3b33d6bfc7c95c1fb600580873d2

Download Submit
C:\Windows\{8E263281-1BA6-4e7e-9B9A-BBBD6598EACA}.exe

Filesize
116KB

MD5
8e56e04f332dd0df210ab9075ebc2588

SHA1
8c35e51cef166d7e359663dd2297adb1bcc02c02

SHA256
7c1d92107f41d903c3e82a8a50195d3518079dd2631f502981ab09760630375d

SHA512
2c4fd16a7114b16d6122959958517ef0d2642c8c0a08eb55991cbc858ed13ca1a8156a66cec4a885c83cfc19b96f7802d2475113b1d23a0ba6e291fd5f1281e3

Download Submit
C:\Windows\{9077319B-BDB6-4dcb-A0E0-1615C8BA1E6B}.exe

Filesize
116KB

MD5
a9eeced2464148c988eb4586d2d5ede2

SHA1
043f903d04ec871dabb7f5a9a2fe89d58ba60473

SHA256
7b75fcf41482af0ba199fc8d2ec3cc9a662dce1be6ec04244aafffca9c636f8a

SHA512
8d361459b7587b466bc88ea0d6a877de248d3df4f32d3b4ed0bf693aed45f9df07411b91fed2b6e7fd67b2ae24e9f96a042aa4acf144b7d5b48a65727088c16e

Download Submit
C:\Windows\{B527E516-B607-42cd-B91E-D15B30E69290}.exe

Filesize
116KB

MD5
5ad7e035e5c7ab2df7371f185ae049c1

SHA1
172e4bf920b990b02c408cd117e781d4abab278a

SHA256
7e1e61694b4283220d79515fa3a9107d76f1849cde4f54e43b3242c37ffc88b1

SHA512
b37790f83441d1091e56947ae0ee0155268084f667c038cc81f45cb0d63bba022c81230a50bd8b8a07a2d5b1c3d0533265b08f6225af41f76565310f9d68fed2

Download Submit
C:\Windows\{C83D2212-FF65-4b20-AFAA-3836047CC328}.exe

Filesize
116KB

MD5
bb8deffdffef07f88a7618b5ddb3349e

SHA1
452a3f28c32f84b1a18a0b8b4895b9c1a4b16551

SHA256
a54b293b78be199e0f0e58dff6467f7b6eb64c61d96f2bbed03f73a39b5c351e

SHA512
24fdd8bfdce272f9972f1af75b050d111bc6e0ec8c41d13d6f949d9b768aac1840a11e2cf47b07d77dc4503dd017baeb74e86471c57997de5c2fddbcf92ba883

Download Submit
C:\Windows\{F618D3ED-D778-46df-A7C1-49C2EFF7AC90}.exe

Filesize
116KB

MD5
d3931d2fa123c3e5a6143a4cac790e22

SHA1
5ebf033b8365423931da396e434032a4a9607c00

SHA256
8b9de503c68395f8f42029ece42afba8910ed6503090acbe5daa577ae43845a4

SHA512
c9f6c9dc166fbbb492da4b00fb14587525b65daeaec982fedcd83b972e9d6b5c6a3869479c2f0ac1e515f4283237071618a84f8f93dc71cc78cb45885db53d06

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads