c6b59c7231341253adc144ee6cdecd8f830db864ae55d88684987475af4149c4

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 06:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87f5eb3f716a66a535767866c679a1f0_NeikiAnalytics.exe
Size

60KB
MD5

87f5eb3f716a66a535767866c679a1f0
SHA1

c10064ff627e36308360f99c601fa6e033384f1c
SHA256

c6b59c7231341253adc144ee6cdecd8f830db864ae55d88684987475af4149c4
SHA512

fefc0bf87b4a998d636f49d17fa888cde3a013a1696d9f0149dff7212bb743565f05762f7b23b8a9ceab91723b30d2b00bf1f9d38cca88ef6ea7eb688ca43d40
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLroq4/CFsrdHWMZ:vvw9816vhKQLroq4/wQpWMZ

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{758A116D-3FE9-425c-A5D1-BDCE050BE523}\stubpath = "C:\\Windows\\{758A116D-3FE9-425c-A5D1-BDCE050BE523}.exe"	{19E2A570-8B88-4f38-A57F-DDE501835320}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD64D261-4E46-4205-987E-A57D0C166EE7}	{84313B0E-935C-4c8e-BCAB-C650E7DAA395}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4E7EA68-C16D-4526-9EE2-18939573E073}\stubpath = "C:\\Windows\\{A4E7EA68-C16D-4526-9EE2-18939573E073}.exe"	{70CE143E-17D1-435f-BD26-5CBC23DD9BEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4E7EA68-C16D-4526-9EE2-18939573E073}	{70CE143E-17D1-435f-BD26-5CBC23DD9BEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3CC3ACB-1C65-421c-BEEF-A91B8C1411B4}	{72835BD5-14D4-42e9-B9D0-67912779E222}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4089D798-AB94-4c12-8B8E-906DD99B4BE7}\stubpath = "C:\\Windows\\{4089D798-AB94-4c12-8B8E-906DD99B4BE7}.exe"	87f5eb3f716a66a535767866c679a1f0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19E2A570-8B88-4f38-A57F-DDE501835320}	{4089D798-AB94-4c12-8B8E-906DD99B4BE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84313B0E-935C-4c8e-BCAB-C650E7DAA395}	{758A116D-3FE9-425c-A5D1-BDCE050BE523}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD64D261-4E46-4205-987E-A57D0C166EE7}\stubpath = "C:\\Windows\\{CD64D261-4E46-4205-987E-A57D0C166EE7}.exe"	{84313B0E-935C-4c8e-BCAB-C650E7DAA395}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C1D2B50-4292-4f28-A221-4629B466BD03}	{CD64D261-4E46-4205-987E-A57D0C166EE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70CE143E-17D1-435f-BD26-5CBC23DD9BEF}	{4C1D2B50-4292-4f28-A221-4629B466BD03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4089D798-AB94-4c12-8B8E-906DD99B4BE7}	87f5eb3f716a66a535767866c679a1f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19E2A570-8B88-4f38-A57F-DDE501835320}\stubpath = "C:\\Windows\\{19E2A570-8B88-4f38-A57F-DDE501835320}.exe"	{4089D798-AB94-4c12-8B8E-906DD99B4BE7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{758A116D-3FE9-425c-A5D1-BDCE050BE523}	{19E2A570-8B88-4f38-A57F-DDE501835320}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84313B0E-935C-4c8e-BCAB-C650E7DAA395}\stubpath = "C:\\Windows\\{84313B0E-935C-4c8e-BCAB-C650E7DAA395}.exe"	{758A116D-3FE9-425c-A5D1-BDCE050BE523}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C1D2B50-4292-4f28-A221-4629B466BD03}\stubpath = "C:\\Windows\\{4C1D2B50-4292-4f28-A221-4629B466BD03}.exe"	{CD64D261-4E46-4205-987E-A57D0C166EE7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72835BD5-14D4-42e9-B9D0-67912779E222}\stubpath = "C:\\Windows\\{72835BD5-14D4-42e9-B9D0-67912779E222}.exe"	{B3344406-EFE2-4140-8A3E-6FDE9486EEF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70CE143E-17D1-435f-BD26-5CBC23DD9BEF}\stubpath = "C:\\Windows\\{70CE143E-17D1-435f-BD26-5CBC23DD9BEF}.exe"	{4C1D2B50-4292-4f28-A221-4629B466BD03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3344406-EFE2-4140-8A3E-6FDE9486EEF8}	{A4E7EA68-C16D-4526-9EE2-18939573E073}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3344406-EFE2-4140-8A3E-6FDE9486EEF8}\stubpath = "C:\\Windows\\{B3344406-EFE2-4140-8A3E-6FDE9486EEF8}.exe"	{A4E7EA68-C16D-4526-9EE2-18939573E073}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72835BD5-14D4-42e9-B9D0-67912779E222}	{B3344406-EFE2-4140-8A3E-6FDE9486EEF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3CC3ACB-1C65-421c-BEEF-A91B8C1411B4}\stubpath = "C:\\Windows\\{E3CC3ACB-1C65-421c-BEEF-A91B8C1411B4}.exe"	{72835BD5-14D4-42e9-B9D0-67912779E222}.exe

Deletes itself 1 IoCs

pid	Process
2012	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2280	{4089D798-AB94-4c12-8B8E-906DD99B4BE7}.exe
2504	{19E2A570-8B88-4f38-A57F-DDE501835320}.exe
2528	{758A116D-3FE9-425c-A5D1-BDCE050BE523}.exe
2368	{84313B0E-935C-4c8e-BCAB-C650E7DAA395}.exe
552	{CD64D261-4E46-4205-987E-A57D0C166EE7}.exe
1660	{4C1D2B50-4292-4f28-A221-4629B466BD03}.exe
308	{70CE143E-17D1-435f-BD26-5CBC23DD9BEF}.exe
2216	{A4E7EA68-C16D-4526-9EE2-18939573E073}.exe
1556	{B3344406-EFE2-4140-8A3E-6FDE9486EEF8}.exe
1616	{72835BD5-14D4-42e9-B9D0-67912779E222}.exe
2152	{E3CC3ACB-1C65-421c-BEEF-A91B8C1411B4}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{4089D798-AB94-4c12-8B8E-906DD99B4BE7}.exe	87f5eb3f716a66a535767866c679a1f0_NeikiAnalytics.exe
File created	C:\Windows\{758A116D-3FE9-425c-A5D1-BDCE050BE523}.exe	{19E2A570-8B88-4f38-A57F-DDE501835320}.exe
File created	C:\Windows\{84313B0E-935C-4c8e-BCAB-C650E7DAA395}.exe	{758A116D-3FE9-425c-A5D1-BDCE050BE523}.exe
File created	C:\Windows\{CD64D261-4E46-4205-987E-A57D0C166EE7}.exe	{84313B0E-935C-4c8e-BCAB-C650E7DAA395}.exe
File created	C:\Windows\{72835BD5-14D4-42e9-B9D0-67912779E222}.exe	{B3344406-EFE2-4140-8A3E-6FDE9486EEF8}.exe
File created	C:\Windows\{E3CC3ACB-1C65-421c-BEEF-A91B8C1411B4}.exe	{72835BD5-14D4-42e9-B9D0-67912779E222}.exe
File created	C:\Windows\{19E2A570-8B88-4f38-A57F-DDE501835320}.exe	{4089D798-AB94-4c12-8B8E-906DD99B4BE7}.exe
File created	C:\Windows\{4C1D2B50-4292-4f28-A221-4629B466BD03}.exe	{CD64D261-4E46-4205-987E-A57D0C166EE7}.exe
File created	C:\Windows\{70CE143E-17D1-435f-BD26-5CBC23DD9BEF}.exe	{4C1D2B50-4292-4f28-A221-4629B466BD03}.exe
File created	C:\Windows\{A4E7EA68-C16D-4526-9EE2-18939573E073}.exe	{70CE143E-17D1-435f-BD26-5CBC23DD9BEF}.exe
File created	C:\Windows\{B3344406-EFE2-4140-8A3E-6FDE9486EEF8}.exe	{A4E7EA68-C16D-4526-9EE2-18939573E073}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1084	87f5eb3f716a66a535767866c679a1f0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2280	{4089D798-AB94-4c12-8B8E-906DD99B4BE7}.exe
Token: SeIncBasePriorityPrivilege	2504	{19E2A570-8B88-4f38-A57F-DDE501835320}.exe
Token: SeIncBasePriorityPrivilege	2528	{758A116D-3FE9-425c-A5D1-BDCE050BE523}.exe
Token: SeIncBasePriorityPrivilege	2368	{84313B0E-935C-4c8e-BCAB-C650E7DAA395}.exe
Token: SeIncBasePriorityPrivilege	552	{CD64D261-4E46-4205-987E-A57D0C166EE7}.exe
Token: SeIncBasePriorityPrivilege	1660	{4C1D2B50-4292-4f28-A221-4629B466BD03}.exe
Token: SeIncBasePriorityPrivilege	308	{70CE143E-17D1-435f-BD26-5CBC23DD9BEF}.exe
Token: SeIncBasePriorityPrivilege	2216	{A4E7EA68-C16D-4526-9EE2-18939573E073}.exe
Token: SeIncBasePriorityPrivilege	1556	{B3344406-EFE2-4140-8A3E-6FDE9486EEF8}.exe
Token: SeIncBasePriorityPrivilege	1616	{72835BD5-14D4-42e9-B9D0-67912779E222}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 2280	1084	87f5eb3f716a66a535767866c679a1f0_NeikiAnalytics.exe	28
PID 1084 wrote to memory of 2280	1084	87f5eb3f716a66a535767866c679a1f0_NeikiAnalytics.exe	28
PID 1084 wrote to memory of 2280	1084	87f5eb3f716a66a535767866c679a1f0_NeikiAnalytics.exe	28
PID 1084 wrote to memory of 2280	1084	87f5eb3f716a66a535767866c679a1f0_NeikiAnalytics.exe	28
PID 1084 wrote to memory of 2012	1084	87f5eb3f716a66a535767866c679a1f0_NeikiAnalytics.exe	29
PID 1084 wrote to memory of 2012	1084	87f5eb3f716a66a535767866c679a1f0_NeikiAnalytics.exe	29
PID 1084 wrote to memory of 2012	1084	87f5eb3f716a66a535767866c679a1f0_NeikiAnalytics.exe	29
PID 1084 wrote to memory of 2012	1084	87f5eb3f716a66a535767866c679a1f0_NeikiAnalytics.exe	29
PID 2280 wrote to memory of 2504	2280	{4089D798-AB94-4c12-8B8E-906DD99B4BE7}.exe	32
PID 2280 wrote to memory of 2504	2280	{4089D798-AB94-4c12-8B8E-906DD99B4BE7}.exe	32
PID 2280 wrote to memory of 2504	2280	{4089D798-AB94-4c12-8B8E-906DD99B4BE7}.exe	32
PID 2280 wrote to memory of 2504	2280	{4089D798-AB94-4c12-8B8E-906DD99B4BE7}.exe	32
PID 2280 wrote to memory of 2548	2280	{4089D798-AB94-4c12-8B8E-906DD99B4BE7}.exe	33
PID 2280 wrote to memory of 2548	2280	{4089D798-AB94-4c12-8B8E-906DD99B4BE7}.exe	33
PID 2280 wrote to memory of 2548	2280	{4089D798-AB94-4c12-8B8E-906DD99B4BE7}.exe	33
PID 2280 wrote to memory of 2548	2280	{4089D798-AB94-4c12-8B8E-906DD99B4BE7}.exe	33
PID 2504 wrote to memory of 2528	2504	{19E2A570-8B88-4f38-A57F-DDE501835320}.exe	34
PID 2504 wrote to memory of 2528	2504	{19E2A570-8B88-4f38-A57F-DDE501835320}.exe	34
PID 2504 wrote to memory of 2528	2504	{19E2A570-8B88-4f38-A57F-DDE501835320}.exe	34
PID 2504 wrote to memory of 2528	2504	{19E2A570-8B88-4f38-A57F-DDE501835320}.exe	34
PID 2504 wrote to memory of 2796	2504	{19E2A570-8B88-4f38-A57F-DDE501835320}.exe	35
PID 2504 wrote to memory of 2796	2504	{19E2A570-8B88-4f38-A57F-DDE501835320}.exe	35
PID 2504 wrote to memory of 2796	2504	{19E2A570-8B88-4f38-A57F-DDE501835320}.exe	35
PID 2504 wrote to memory of 2796	2504	{19E2A570-8B88-4f38-A57F-DDE501835320}.exe	35
PID 2528 wrote to memory of 2368	2528	{758A116D-3FE9-425c-A5D1-BDCE050BE523}.exe	36
PID 2528 wrote to memory of 2368	2528	{758A116D-3FE9-425c-A5D1-BDCE050BE523}.exe	36
PID 2528 wrote to memory of 2368	2528	{758A116D-3FE9-425c-A5D1-BDCE050BE523}.exe	36
PID 2528 wrote to memory of 2368	2528	{758A116D-3FE9-425c-A5D1-BDCE050BE523}.exe	36
PID 2528 wrote to memory of 2428	2528	{758A116D-3FE9-425c-A5D1-BDCE050BE523}.exe	37
PID 2528 wrote to memory of 2428	2528	{758A116D-3FE9-425c-A5D1-BDCE050BE523}.exe	37
PID 2528 wrote to memory of 2428	2528	{758A116D-3FE9-425c-A5D1-BDCE050BE523}.exe	37
PID 2528 wrote to memory of 2428	2528	{758A116D-3FE9-425c-A5D1-BDCE050BE523}.exe	37
PID 2368 wrote to memory of 552	2368	{84313B0E-935C-4c8e-BCAB-C650E7DAA395}.exe	38
PID 2368 wrote to memory of 552	2368	{84313B0E-935C-4c8e-BCAB-C650E7DAA395}.exe	38
PID 2368 wrote to memory of 552	2368	{84313B0E-935C-4c8e-BCAB-C650E7DAA395}.exe	38
PID 2368 wrote to memory of 552	2368	{84313B0E-935C-4c8e-BCAB-C650E7DAA395}.exe	38
PID 2368 wrote to memory of 1088	2368	{84313B0E-935C-4c8e-BCAB-C650E7DAA395}.exe	39
PID 2368 wrote to memory of 1088	2368	{84313B0E-935C-4c8e-BCAB-C650E7DAA395}.exe	39
PID 2368 wrote to memory of 1088	2368	{84313B0E-935C-4c8e-BCAB-C650E7DAA395}.exe	39
PID 2368 wrote to memory of 1088	2368	{84313B0E-935C-4c8e-BCAB-C650E7DAA395}.exe	39
PID 552 wrote to memory of 1660	552	{CD64D261-4E46-4205-987E-A57D0C166EE7}.exe	40
PID 552 wrote to memory of 1660	552	{CD64D261-4E46-4205-987E-A57D0C166EE7}.exe	40
PID 552 wrote to memory of 1660	552	{CD64D261-4E46-4205-987E-A57D0C166EE7}.exe	40
PID 552 wrote to memory of 1660	552	{CD64D261-4E46-4205-987E-A57D0C166EE7}.exe	40
PID 552 wrote to memory of 1516	552	{CD64D261-4E46-4205-987E-A57D0C166EE7}.exe	41
PID 552 wrote to memory of 1516	552	{CD64D261-4E46-4205-987E-A57D0C166EE7}.exe	41
PID 552 wrote to memory of 1516	552	{CD64D261-4E46-4205-987E-A57D0C166EE7}.exe	41
PID 552 wrote to memory of 1516	552	{CD64D261-4E46-4205-987E-A57D0C166EE7}.exe	41
PID 1660 wrote to memory of 308	1660	{4C1D2B50-4292-4f28-A221-4629B466BD03}.exe	42
PID 1660 wrote to memory of 308	1660	{4C1D2B50-4292-4f28-A221-4629B466BD03}.exe	42
PID 1660 wrote to memory of 308	1660	{4C1D2B50-4292-4f28-A221-4629B466BD03}.exe	42
PID 1660 wrote to memory of 308	1660	{4C1D2B50-4292-4f28-A221-4629B466BD03}.exe	42
PID 1660 wrote to memory of 2236	1660	{4C1D2B50-4292-4f28-A221-4629B466BD03}.exe	43
PID 1660 wrote to memory of 2236	1660	{4C1D2B50-4292-4f28-A221-4629B466BD03}.exe	43
PID 1660 wrote to memory of 2236	1660	{4C1D2B50-4292-4f28-A221-4629B466BD03}.exe	43
PID 1660 wrote to memory of 2236	1660	{4C1D2B50-4292-4f28-A221-4629B466BD03}.exe	43
PID 308 wrote to memory of 2216	308	{70CE143E-17D1-435f-BD26-5CBC23DD9BEF}.exe	44
PID 308 wrote to memory of 2216	308	{70CE143E-17D1-435f-BD26-5CBC23DD9BEF}.exe	44
PID 308 wrote to memory of 2216	308	{70CE143E-17D1-435f-BD26-5CBC23DD9BEF}.exe	44
PID 308 wrote to memory of 2216	308	{70CE143E-17D1-435f-BD26-5CBC23DD9BEF}.exe	44
PID 308 wrote to memory of 1928	308	{70CE143E-17D1-435f-BD26-5CBC23DD9BEF}.exe	45
PID 308 wrote to memory of 1928	308	{70CE143E-17D1-435f-BD26-5CBC23DD9BEF}.exe	45
PID 308 wrote to memory of 1928	308	{70CE143E-17D1-435f-BD26-5CBC23DD9BEF}.exe	45
PID 308 wrote to memory of 1928	308	{70CE143E-17D1-435f-BD26-5CBC23DD9BEF}.exe	45

C:\Users\Admin\AppData\Local\Temp\87f5eb3f716a66a535767866c679a1f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\87f5eb3f716a66a535767866c679a1f0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Windows\{4089D798-AB94-4c12-8B8E-906DD99B4BE7}.exe
  C:\Windows\{4089D798-AB94-4c12-8B8E-906DD99B4BE7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2280
- - C:\Windows\{19E2A570-8B88-4f38-A57F-DDE501835320}.exe
    C:\Windows\{19E2A570-8B88-4f38-A57F-DDE501835320}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Windows\{758A116D-3FE9-425c-A5D1-BDCE050BE523}.exe
      C:\Windows\{758A116D-3FE9-425c-A5D1-BDCE050BE523}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2528
    - - C:\Windows\{84313B0E-935C-4c8e-BCAB-C650E7DAA395}.exe
        
        C:\Windows\{84313B0E-935C-4c8e-BCAB-C650E7DAA395}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2368
      - C:\Windows\{CD64D261-4E46-4205-987E-A57D0C166EE7}.exe
        
        C:\Windows\{CD64D261-4E46-4205-987E-A57D0C166EE7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\{4C1D2B50-4292-4f28-A221-4629B466BD03}.exe
        
        C:\Windows\{4C1D2B50-4292-4f28-A221-4629B466BD03}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\{70CE143E-17D1-435f-BD26-5CBC23DD9BEF}.exe
        
        C:\Windows\{70CE143E-17D1-435f-BD26-5CBC23DD9BEF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:308
        
        C:\Windows\{A4E7EA68-C16D-4526-9EE2-18939573E073}.exe
        
        C:\Windows\{A4E7EA68-C16D-4526-9EE2-18939573E073}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\{B3344406-EFE2-4140-8A3E-6FDE9486EEF8}.exe
        
        C:\Windows\{B3344406-EFE2-4140-8A3E-6FDE9486EEF8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\{72835BD5-14D4-42e9-B9D0-67912779E222}.exe
        
        C:\Windows\{72835BD5-14D4-42e9-B9D0-67912779E222}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\{E3CC3ACB-1C65-421c-BEEF-A91B8C1411B4}.exe
        
        C:\Windows\{E3CC3ACB-1C65-421c-BEEF-A91B8C1411B4}.exe
        12⤵
        Executes dropped EXE
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72835~1.EXE > nul
        12⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3344~1.EXE > nul
        11⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4E7E~1.EXE > nul
        10⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70CE1~1.EXE > nul
        9⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C1D2~1.EXE > nul
        8⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD64D~1.EXE > nul
        7⤵
        
        PID:1516
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84313~1.EXE > nul
        6⤵
        
        PID:1088
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{758A1~1.EXE > nul
        5⤵
        
        PID:2428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{19E2A~1.EXE > nul
      4⤵
      PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4089D~1.EXE > nul
    3⤵
    PID:2548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\87F5EB~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{19E2A570-8B88-4f38-A57F-DDE501835320}.exe

Filesize
60KB

MD5
a89fe809e01cd3d861873c10dc366540

SHA1
af929b81409ac4abe7637f6ca1c9c08c70c01fa4

SHA256
95834753890c829253da0590dab90bc1f77a1c84227c505cd5c9261cd927d202

SHA512
497a2f22961992d45fb5aadf57577f6dde81d5664c1ba6e7834509c5eb6eb254ff6e2f82d14f8bbcc61f73254ed5ab74cff92d13cfa5c3fc0479b485c0f89fa1

Download Submit
C:\Windows\{4089D798-AB94-4c12-8B8E-906DD99B4BE7}.exe

Filesize
60KB

MD5
1605ddb32e2f7df61adf2cf75e9c8cc4

SHA1
4bdbf39e4104c3c00f4240a89b74d51e39a0a998

SHA256
54a369a096cf994e20215b0d7409dc95c1cc83172333d64cd8e135730d738958

SHA512
1f4aa16b41e062e9a5e2d362fb7500c4fcef961e45eb64e23dcff6def4c780043f6ceb716f77d7419f1b1c634f9f7cb1b5008af5e6282391eb6c158e0e83e854

Download Submit
C:\Windows\{4C1D2B50-4292-4f28-A221-4629B466BD03}.exe

Filesize
60KB

MD5
35647650366c16672d127debbf6269f4

SHA1
84ef71319da77dd5beba985302ce73675758fbaf

SHA256
299817618432093d6572c7fc3bb38686947094279df32a4dbec4d32534668c92

SHA512
aeeb5e13236d6f6d0da2581388e2e6d42ffb9647b1dbd66b833c65977011471248cd37151173085769e83adf8c9495474a067f6481ad7305e0baa5cfb4b3b8e7

Download Submit
C:\Windows\{70CE143E-17D1-435f-BD26-5CBC23DD9BEF}.exe

Filesize
60KB

MD5
37728999a52afc6f7f01ce4b7fa9f78c

SHA1
ea1e8520f3d6a682bb677c15ac130d27b7ebf87d

SHA256
b4645805abed689c7e269f913c8111a230cffa5b4f933aa44ee5e69183add527

SHA512
2c65656eabaae36597ed58cdb65edaf7a337b1b0a579108508d1284a5c6992902efb45e0a91c66e01a932cda127c4c31ad1c9c01c82e786fc5f9a6cb6c638bc2

Download Submit
C:\Windows\{72835BD5-14D4-42e9-B9D0-67912779E222}.exe

Filesize
60KB

MD5
a27655b71d9f2196527877987996640e

SHA1
5f7ec0816d32fe0acd9f8f528048a29767d55ef0

SHA256
c784339f65779fc7d727d670f89241b7121c6ee8ac15cfa43485dd727db981c8

SHA512
caa801c513972fab944ac1a639dfa3b365c077cce6dd0e3d57d0157a87554cd7ff02a0042bbe5b335a8c5258f4a1f17e69be1d7089fec31bc4f24d3f0db2cddd

Download Submit
C:\Windows\{758A116D-3FE9-425c-A5D1-BDCE050BE523}.exe

Filesize
60KB

MD5
0c643198756d190914deb45a56718928

SHA1
367130b45e62094064ae67b1ded8f5b768eed1ef

SHA256
f29ec6fcf440750f2c9a820944b2c46e42309743a25af020dc7b08f24a721327

SHA512
503fd4319f6bed3ff7b68fccea5c5ec9516d86b0b9366dad06e91783a36d5ba43e38f20bce59b6e9158b071512081f67c0e5c12991805bf38a65aad34c701b12

Download Submit
C:\Windows\{84313B0E-935C-4c8e-BCAB-C650E7DAA395}.exe

Filesize
60KB

MD5
f297008d48d704304851421821a8912f

SHA1
c58d8ac46f3cc0377aa6e3291b6dfc29069c4055

SHA256
f992559a5e131990a2f8c6bb1768029b1eec71329768487f6d9976393703c305

SHA512
9e8b19d7ccdbb31959895d33289e36c62dccde405df765fc1f2bd7bf7706b84e8485ac320b61ab1c01bf6223594b0635e9dae43827fe9d4f07ea9da409e60b52

Download Submit
C:\Windows\{A4E7EA68-C16D-4526-9EE2-18939573E073}.exe

Filesize
60KB

MD5
5363a23d0e4305f8bb06e4b833b64951

SHA1
57f72dec0fb0868b8b146b393d47188d3616ac69

SHA256
1c5450671ca0979d88e4063e39c07767da34d9cd1f7f2663844504afc9c0d325

SHA512
c1b4762d16449b4bf0fb752df2894a9d2c07c98c1196ffb38ebb9a664dbacb3011502ae9c776aadd5c634819e14547d91ce2e207a03cdb3cca6e4da3c928e4c0

Download Submit
C:\Windows\{B3344406-EFE2-4140-8A3E-6FDE9486EEF8}.exe

Filesize
60KB

MD5
049137c42662182b5708da45a71e9485

SHA1
d04734fd739fb0ef82631762fd5960ae929ce7f7

SHA256
2645fd91e9526071b659110e238cb44ade908bbc0c4da3d26cbbde6abcd8c5b8

SHA512
d4337e60b4dd6fdd3d3f28999b26eedabd2e44895f6d43e901a81dc58ff2e56593ed6f798e533cd3d128f913e8f8bd125d486f2ad82220c14a9d90736ac5cf07

Download Submit
C:\Windows\{CD64D261-4E46-4205-987E-A57D0C166EE7}.exe

Filesize
60KB

MD5
7776314f72ce34d2885840d715ed9d76

SHA1
b706cb1f7ec05965b423b4d1a886d34eec49181d

SHA256
85f7d8e2b5519d46f6ebe1e423e84f4cf5c268e1a18a96606ff836ded5b8f1cf

SHA512
7272256a805c4065b9e24c9eb62a6627cbf1f53a39e2e9fc20f82f1f641e3eef326ed70dcf58a82abfebf719bdd221b671a2b843dca30e3793a4738ddcb17114

Download Submit
C:\Windows\{E3CC3ACB-1C65-421c-BEEF-A91B8C1411B4}.exe

Filesize
60KB

MD5
52be7f976a4c5ac1ed1c28792e9d237f

SHA1
07c9035968df502f86c978b89912704ad661dc1a

SHA256
1c4062dcb87e51f7290b92b6f11a0ad06aff8a53db85f458cb0130a21b670d41

SHA512
35995107b6b9ca45a6f544e7083c65dc4a1a9397cc06e5900de8b1cd2a30516f6fd92f9e915abf62bf0ddf2274692ae89a3ccf8fe2d0ea3f966148142e6ee703

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads