c6b59c7231341253adc144ee6cdecd8f830db864ae55d88684987475af4149c4

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 06:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87f5eb3f716a66a535767866c679a1f0_NeikiAnalytics.exe
Size

60KB
MD5

87f5eb3f716a66a535767866c679a1f0
SHA1

c10064ff627e36308360f99c601fa6e033384f1c
SHA256

c6b59c7231341253adc144ee6cdecd8f830db864ae55d88684987475af4149c4
SHA512

fefc0bf87b4a998d636f49d17fa888cde3a013a1696d9f0149dff7212bb743565f05762f7b23b8a9ceab91723b30d2b00bf1f9d38cca88ef6ea7eb688ca43d40
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLroq4/CFsrdHWMZ:vvw9816vhKQLroq4/wQpWMZ

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7CEC104-532B-4d1c-930E-08A234102CFE}\stubpath = "C:\\Windows\\{A7CEC104-532B-4d1c-930E-08A234102CFE}.exe"	{06ADED95-2BFF-4fa8-80E6-BD74B3CAA2B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD294F51-AAF6-400d-B064-C81B441CF3D7}\stubpath = "C:\\Windows\\{BD294F51-AAF6-400d-B064-C81B441CF3D7}.exe"	{F0342BB5-A940-492e-8575-C2289419C85E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2FF98B1-B2EC-419d-B587-08B36DDB9B7D}	{BD294F51-AAF6-400d-B064-C81B441CF3D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D7775DE-208C-4b38-A9C1-6CF10506CCAB}\stubpath = "C:\\Windows\\{0D7775DE-208C-4b38-A9C1-6CF10506CCAB}.exe"	{C2FF98B1-B2EC-419d-B587-08B36DDB9B7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6061AD58-B974-4493-A904-3046FA64FA7C}\stubpath = "C:\\Windows\\{6061AD58-B974-4493-A904-3046FA64FA7C}.exe"	{0D7775DE-208C-4b38-A9C1-6CF10506CCAB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0FE11BB-9E41-499b-AD38-A0E1F71FA6F4}	{76F8C920-95BD-4deb-8073-5D3A307C3599}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06ADED95-2BFF-4fa8-80E6-BD74B3CAA2B9}\stubpath = "C:\\Windows\\{06ADED95-2BFF-4fa8-80E6-BD74B3CAA2B9}.exe"	87f5eb3f716a66a535767866c679a1f0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D9F42BF-1174-4aaf-AB12-2B2C4F1CA487}\stubpath = "C:\\Windows\\{7D9F42BF-1174-4aaf-AB12-2B2C4F1CA487}.exe"	{A7CEC104-532B-4d1c-930E-08A234102CFE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0342BB5-A940-492e-8575-C2289419C85E}\stubpath = "C:\\Windows\\{F0342BB5-A940-492e-8575-C2289419C85E}.exe"	{7D9F42BF-1174-4aaf-AB12-2B2C4F1CA487}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28A84C42-39A3-46b9-94E8-311DCD8D7302}	{6061AD58-B974-4493-A904-3046FA64FA7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83B07B09-19FF-4947-BE40-BA27E7A8F07D}\stubpath = "C:\\Windows\\{83B07B09-19FF-4947-BE40-BA27E7A8F07D}.exe"	{28A84C42-39A3-46b9-94E8-311DCD8D7302}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76F8C920-95BD-4deb-8073-5D3A307C3599}\stubpath = "C:\\Windows\\{76F8C920-95BD-4deb-8073-5D3A307C3599}.exe"	{83B07B09-19FF-4947-BE40-BA27E7A8F07D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7CEC104-532B-4d1c-930E-08A234102CFE}	{06ADED95-2BFF-4fa8-80E6-BD74B3CAA2B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D9F42BF-1174-4aaf-AB12-2B2C4F1CA487}	{A7CEC104-532B-4d1c-930E-08A234102CFE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0342BB5-A940-492e-8575-C2289419C85E}	{7D9F42BF-1174-4aaf-AB12-2B2C4F1CA487}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D7775DE-208C-4b38-A9C1-6CF10506CCAB}	{C2FF98B1-B2EC-419d-B587-08B36DDB9B7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28A84C42-39A3-46b9-94E8-311DCD8D7302}\stubpath = "C:\\Windows\\{28A84C42-39A3-46b9-94E8-311DCD8D7302}.exe"	{6061AD58-B974-4493-A904-3046FA64FA7C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83B07B09-19FF-4947-BE40-BA27E7A8F07D}	{28A84C42-39A3-46b9-94E8-311DCD8D7302}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06ADED95-2BFF-4fa8-80E6-BD74B3CAA2B9}	87f5eb3f716a66a535767866c679a1f0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD294F51-AAF6-400d-B064-C81B441CF3D7}	{F0342BB5-A940-492e-8575-C2289419C85E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2FF98B1-B2EC-419d-B587-08B36DDB9B7D}\stubpath = "C:\\Windows\\{C2FF98B1-B2EC-419d-B587-08B36DDB9B7D}.exe"	{BD294F51-AAF6-400d-B064-C81B441CF3D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6061AD58-B974-4493-A904-3046FA64FA7C}	{0D7775DE-208C-4b38-A9C1-6CF10506CCAB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76F8C920-95BD-4deb-8073-5D3A307C3599}	{83B07B09-19FF-4947-BE40-BA27E7A8F07D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0FE11BB-9E41-499b-AD38-A0E1F71FA6F4}\stubpath = "C:\\Windows\\{F0FE11BB-9E41-499b-AD38-A0E1F71FA6F4}.exe"	{76F8C920-95BD-4deb-8073-5D3A307C3599}.exe

Executes dropped EXE 12 IoCs

pid	Process
2496	{06ADED95-2BFF-4fa8-80E6-BD74B3CAA2B9}.exe
2448	{A7CEC104-532B-4d1c-930E-08A234102CFE}.exe
4264	{7D9F42BF-1174-4aaf-AB12-2B2C4F1CA487}.exe
1184	{F0342BB5-A940-492e-8575-C2289419C85E}.exe
4416	{BD294F51-AAF6-400d-B064-C81B441CF3D7}.exe
2756	{C2FF98B1-B2EC-419d-B587-08B36DDB9B7D}.exe
1756	{0D7775DE-208C-4b38-A9C1-6CF10506CCAB}.exe
1784	{6061AD58-B974-4493-A904-3046FA64FA7C}.exe
2184	{28A84C42-39A3-46b9-94E8-311DCD8D7302}.exe
1548	{83B07B09-19FF-4947-BE40-BA27E7A8F07D}.exe
4440	{76F8C920-95BD-4deb-8073-5D3A307C3599}.exe
1324	{F0FE11BB-9E41-499b-AD38-A0E1F71FA6F4}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{06ADED95-2BFF-4fa8-80E6-BD74B3CAA2B9}.exe	87f5eb3f716a66a535767866c679a1f0_NeikiAnalytics.exe
File created	C:\Windows\{A7CEC104-532B-4d1c-930E-08A234102CFE}.exe	{06ADED95-2BFF-4fa8-80E6-BD74B3CAA2B9}.exe
File created	C:\Windows\{7D9F42BF-1174-4aaf-AB12-2B2C4F1CA487}.exe	{A7CEC104-532B-4d1c-930E-08A234102CFE}.exe
File created	C:\Windows\{BD294F51-AAF6-400d-B064-C81B441CF3D7}.exe	{F0342BB5-A940-492e-8575-C2289419C85E}.exe
File created	C:\Windows\{C2FF98B1-B2EC-419d-B587-08B36DDB9B7D}.exe	{BD294F51-AAF6-400d-B064-C81B441CF3D7}.exe
File created	C:\Windows\{6061AD58-B974-4493-A904-3046FA64FA7C}.exe	{0D7775DE-208C-4b38-A9C1-6CF10506CCAB}.exe
File created	C:\Windows\{28A84C42-39A3-46b9-94E8-311DCD8D7302}.exe	{6061AD58-B974-4493-A904-3046FA64FA7C}.exe
File created	C:\Windows\{F0342BB5-A940-492e-8575-C2289419C85E}.exe	{7D9F42BF-1174-4aaf-AB12-2B2C4F1CA487}.exe
File created	C:\Windows\{0D7775DE-208C-4b38-A9C1-6CF10506CCAB}.exe	{C2FF98B1-B2EC-419d-B587-08B36DDB9B7D}.exe
File created	C:\Windows\{83B07B09-19FF-4947-BE40-BA27E7A8F07D}.exe	{28A84C42-39A3-46b9-94E8-311DCD8D7302}.exe
File created	C:\Windows\{76F8C920-95BD-4deb-8073-5D3A307C3599}.exe	{83B07B09-19FF-4947-BE40-BA27E7A8F07D}.exe
File created	C:\Windows\{F0FE11BB-9E41-499b-AD38-A0E1F71FA6F4}.exe	{76F8C920-95BD-4deb-8073-5D3A307C3599}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3840	87f5eb3f716a66a535767866c679a1f0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2496	{06ADED95-2BFF-4fa8-80E6-BD74B3CAA2B9}.exe
Token: SeIncBasePriorityPrivilege	2448	{A7CEC104-532B-4d1c-930E-08A234102CFE}.exe
Token: SeIncBasePriorityPrivilege	4264	{7D9F42BF-1174-4aaf-AB12-2B2C4F1CA487}.exe
Token: SeIncBasePriorityPrivilege	1184	{F0342BB5-A940-492e-8575-C2289419C85E}.exe
Token: SeIncBasePriorityPrivilege	4416	{BD294F51-AAF6-400d-B064-C81B441CF3D7}.exe
Token: SeIncBasePriorityPrivilege	2756	{C2FF98B1-B2EC-419d-B587-08B36DDB9B7D}.exe
Token: SeIncBasePriorityPrivilege	1756	{0D7775DE-208C-4b38-A9C1-6CF10506CCAB}.exe
Token: SeIncBasePriorityPrivilege	1784	{6061AD58-B974-4493-A904-3046FA64FA7C}.exe
Token: SeIncBasePriorityPrivilege	2184	{28A84C42-39A3-46b9-94E8-311DCD8D7302}.exe
Token: SeIncBasePriorityPrivilege	1548	{83B07B09-19FF-4947-BE40-BA27E7A8F07D}.exe
Token: SeIncBasePriorityPrivilege	4440	{76F8C920-95BD-4deb-8073-5D3A307C3599}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3840 wrote to memory of 2496	3840	87f5eb3f716a66a535767866c679a1f0_NeikiAnalytics.exe	84
PID 3840 wrote to memory of 2496	3840	87f5eb3f716a66a535767866c679a1f0_NeikiAnalytics.exe	84
PID 3840 wrote to memory of 2496	3840	87f5eb3f716a66a535767866c679a1f0_NeikiAnalytics.exe	84
PID 3840 wrote to memory of 1796	3840	87f5eb3f716a66a535767866c679a1f0_NeikiAnalytics.exe	85
PID 3840 wrote to memory of 1796	3840	87f5eb3f716a66a535767866c679a1f0_NeikiAnalytics.exe	85
PID 3840 wrote to memory of 1796	3840	87f5eb3f716a66a535767866c679a1f0_NeikiAnalytics.exe	85
PID 2496 wrote to memory of 2448	2496	{06ADED95-2BFF-4fa8-80E6-BD74B3CAA2B9}.exe	86
PID 2496 wrote to memory of 2448	2496	{06ADED95-2BFF-4fa8-80E6-BD74B3CAA2B9}.exe	86
PID 2496 wrote to memory of 2448	2496	{06ADED95-2BFF-4fa8-80E6-BD74B3CAA2B9}.exe	86
PID 2496 wrote to memory of 2392	2496	{06ADED95-2BFF-4fa8-80E6-BD74B3CAA2B9}.exe	87
PID 2496 wrote to memory of 2392	2496	{06ADED95-2BFF-4fa8-80E6-BD74B3CAA2B9}.exe	87
PID 2496 wrote to memory of 2392	2496	{06ADED95-2BFF-4fa8-80E6-BD74B3CAA2B9}.exe	87
PID 2448 wrote to memory of 4264	2448	{A7CEC104-532B-4d1c-930E-08A234102CFE}.exe	92
PID 2448 wrote to memory of 4264	2448	{A7CEC104-532B-4d1c-930E-08A234102CFE}.exe	92
PID 2448 wrote to memory of 4264	2448	{A7CEC104-532B-4d1c-930E-08A234102CFE}.exe	92
PID 2448 wrote to memory of 5084	2448	{A7CEC104-532B-4d1c-930E-08A234102CFE}.exe	93
PID 2448 wrote to memory of 5084	2448	{A7CEC104-532B-4d1c-930E-08A234102CFE}.exe	93
PID 2448 wrote to memory of 5084	2448	{A7CEC104-532B-4d1c-930E-08A234102CFE}.exe	93
PID 4264 wrote to memory of 1184	4264	{7D9F42BF-1174-4aaf-AB12-2B2C4F1CA487}.exe	94
PID 4264 wrote to memory of 1184	4264	{7D9F42BF-1174-4aaf-AB12-2B2C4F1CA487}.exe	94
PID 4264 wrote to memory of 1184	4264	{7D9F42BF-1174-4aaf-AB12-2B2C4F1CA487}.exe	94
PID 4264 wrote to memory of 3988	4264	{7D9F42BF-1174-4aaf-AB12-2B2C4F1CA487}.exe	95
PID 4264 wrote to memory of 3988	4264	{7D9F42BF-1174-4aaf-AB12-2B2C4F1CA487}.exe	95
PID 4264 wrote to memory of 3988	4264	{7D9F42BF-1174-4aaf-AB12-2B2C4F1CA487}.exe	95
PID 1184 wrote to memory of 4416	1184	{F0342BB5-A940-492e-8575-C2289419C85E}.exe	96
PID 1184 wrote to memory of 4416	1184	{F0342BB5-A940-492e-8575-C2289419C85E}.exe	96
PID 1184 wrote to memory of 4416	1184	{F0342BB5-A940-492e-8575-C2289419C85E}.exe	96
PID 1184 wrote to memory of 1100	1184	{F0342BB5-A940-492e-8575-C2289419C85E}.exe	97
PID 1184 wrote to memory of 1100	1184	{F0342BB5-A940-492e-8575-C2289419C85E}.exe	97
PID 1184 wrote to memory of 1100	1184	{F0342BB5-A940-492e-8575-C2289419C85E}.exe	97
PID 4416 wrote to memory of 2756	4416	{BD294F51-AAF6-400d-B064-C81B441CF3D7}.exe	98
PID 4416 wrote to memory of 2756	4416	{BD294F51-AAF6-400d-B064-C81B441CF3D7}.exe	98
PID 4416 wrote to memory of 2756	4416	{BD294F51-AAF6-400d-B064-C81B441CF3D7}.exe	98
PID 4416 wrote to memory of 2992	4416	{BD294F51-AAF6-400d-B064-C81B441CF3D7}.exe	99
PID 4416 wrote to memory of 2992	4416	{BD294F51-AAF6-400d-B064-C81B441CF3D7}.exe	99
PID 4416 wrote to memory of 2992	4416	{BD294F51-AAF6-400d-B064-C81B441CF3D7}.exe	99
PID 2756 wrote to memory of 1756	2756	{C2FF98B1-B2EC-419d-B587-08B36DDB9B7D}.exe	100
PID 2756 wrote to memory of 1756	2756	{C2FF98B1-B2EC-419d-B587-08B36DDB9B7D}.exe	100
PID 2756 wrote to memory of 1756	2756	{C2FF98B1-B2EC-419d-B587-08B36DDB9B7D}.exe	100
PID 2756 wrote to memory of 3764	2756	{C2FF98B1-B2EC-419d-B587-08B36DDB9B7D}.exe	101
PID 2756 wrote to memory of 3764	2756	{C2FF98B1-B2EC-419d-B587-08B36DDB9B7D}.exe	101
PID 2756 wrote to memory of 3764	2756	{C2FF98B1-B2EC-419d-B587-08B36DDB9B7D}.exe	101
PID 1756 wrote to memory of 1784	1756	{0D7775DE-208C-4b38-A9C1-6CF10506CCAB}.exe	102
PID 1756 wrote to memory of 1784	1756	{0D7775DE-208C-4b38-A9C1-6CF10506CCAB}.exe	102
PID 1756 wrote to memory of 1784	1756	{0D7775DE-208C-4b38-A9C1-6CF10506CCAB}.exe	102
PID 1756 wrote to memory of 4712	1756	{0D7775DE-208C-4b38-A9C1-6CF10506CCAB}.exe	103
PID 1756 wrote to memory of 4712	1756	{0D7775DE-208C-4b38-A9C1-6CF10506CCAB}.exe	103
PID 1756 wrote to memory of 4712	1756	{0D7775DE-208C-4b38-A9C1-6CF10506CCAB}.exe	103
PID 1784 wrote to memory of 2184	1784	{6061AD58-B974-4493-A904-3046FA64FA7C}.exe	104
PID 1784 wrote to memory of 2184	1784	{6061AD58-B974-4493-A904-3046FA64FA7C}.exe	104
PID 1784 wrote to memory of 2184	1784	{6061AD58-B974-4493-A904-3046FA64FA7C}.exe	104
PID 1784 wrote to memory of 3284	1784	{6061AD58-B974-4493-A904-3046FA64FA7C}.exe	105
PID 1784 wrote to memory of 3284	1784	{6061AD58-B974-4493-A904-3046FA64FA7C}.exe	105
PID 1784 wrote to memory of 3284	1784	{6061AD58-B974-4493-A904-3046FA64FA7C}.exe	105
PID 2184 wrote to memory of 1548	2184	{28A84C42-39A3-46b9-94E8-311DCD8D7302}.exe	110
PID 2184 wrote to memory of 1548	2184	{28A84C42-39A3-46b9-94E8-311DCD8D7302}.exe	110
PID 2184 wrote to memory of 1548	2184	{28A84C42-39A3-46b9-94E8-311DCD8D7302}.exe	110
PID 2184 wrote to memory of 3800	2184	{28A84C42-39A3-46b9-94E8-311DCD8D7302}.exe	111
PID 2184 wrote to memory of 3800	2184	{28A84C42-39A3-46b9-94E8-311DCD8D7302}.exe	111
PID 2184 wrote to memory of 3800	2184	{28A84C42-39A3-46b9-94E8-311DCD8D7302}.exe	111
PID 1548 wrote to memory of 4440	1548	{83B07B09-19FF-4947-BE40-BA27E7A8F07D}.exe	112
PID 1548 wrote to memory of 4440	1548	{83B07B09-19FF-4947-BE40-BA27E7A8F07D}.exe	112
PID 1548 wrote to memory of 4440	1548	{83B07B09-19FF-4947-BE40-BA27E7A8F07D}.exe	112
PID 1548 wrote to memory of 960	1548	{83B07B09-19FF-4947-BE40-BA27E7A8F07D}.exe	113

C:\Users\Admin\AppData\Local\Temp\87f5eb3f716a66a535767866c679a1f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\87f5eb3f716a66a535767866c679a1f0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3840
- C:\Windows\{06ADED95-2BFF-4fa8-80E6-BD74B3CAA2B9}.exe
  C:\Windows\{06ADED95-2BFF-4fa8-80E6-BD74B3CAA2B9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\{A7CEC104-532B-4d1c-930E-08A234102CFE}.exe
    C:\Windows\{A7CEC104-532B-4d1c-930E-08A234102CFE}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Windows\{7D9F42BF-1174-4aaf-AB12-2B2C4F1CA487}.exe
      C:\Windows\{7D9F42BF-1174-4aaf-AB12-2B2C4F1CA487}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4264
    - - C:\Windows\{F0342BB5-A940-492e-8575-C2289419C85E}.exe
        
        C:\Windows\{F0342BB5-A940-492e-8575-C2289419C85E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1184
      - C:\Windows\{BD294F51-AAF6-400d-B064-C81B441CF3D7}.exe
        
        C:\Windows\{BD294F51-AAF6-400d-B064-C81B441CF3D7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\{C2FF98B1-B2EC-419d-B587-08B36DDB9B7D}.exe
        
        C:\Windows\{C2FF98B1-B2EC-419d-B587-08B36DDB9B7D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\{0D7775DE-208C-4b38-A9C1-6CF10506CCAB}.exe
        
        C:\Windows\{0D7775DE-208C-4b38-A9C1-6CF10506CCAB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\{6061AD58-B974-4493-A904-3046FA64FA7C}.exe
        
        C:\Windows\{6061AD58-B974-4493-A904-3046FA64FA7C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\{28A84C42-39A3-46b9-94E8-311DCD8D7302}.exe
        
        C:\Windows\{28A84C42-39A3-46b9-94E8-311DCD8D7302}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\{83B07B09-19FF-4947-BE40-BA27E7A8F07D}.exe
        
        C:\Windows\{83B07B09-19FF-4947-BE40-BA27E7A8F07D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\{76F8C920-95BD-4deb-8073-5D3A307C3599}.exe
        
        C:\Windows\{76F8C920-95BD-4deb-8073-5D3A307C3599}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4440
        
        C:\Windows\{F0FE11BB-9E41-499b-AD38-A0E1F71FA6F4}.exe
        
        C:\Windows\{F0FE11BB-9E41-499b-AD38-A0E1F71FA6F4}.exe
        13⤵
        Executes dropped EXE
        
        PID:1324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76F8C~1.EXE > nul
        13⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83B07~1.EXE > nul
        12⤵
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28A84~1.EXE > nul
        11⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6061A~1.EXE > nul
        10⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D777~1.EXE > nul
        9⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2FF9~1.EXE > nul
        8⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD294~1.EXE > nul
        7⤵
        
        PID:2992
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0342~1.EXE > nul
        6⤵
        
        PID:1100
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D9F4~1.EXE > nul
        5⤵
        
        PID:3988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A7CEC~1.EXE > nul
      4⤵
      PID:5084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{06ADE~1.EXE > nul
    3⤵
    PID:2392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\87F5EB~1.EXE > nul
  2⤵
  PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06ADED95-2BFF-4fa8-80E6-BD74B3CAA2B9}.exe

Filesize
60KB

MD5
8d2dda50f4f7b71677f8a21d9d32a3d9

SHA1
7e21b2756606ffeec7155fcab1fe57e60bebc742

SHA256
8812a9f5c4050ba447b9a126efcdf83bf24dc989fdd279f890a298cde42c025c

SHA512
906ef85dd5edebe3e0150092dda0c6e61b83788e62f3b499297e7fbfbc41bbcc77af9e399ef0fbd4eb3a5a9dea926a5587e7b95f9ec32d876aec7d2c48abf2e0

Download Submit
C:\Windows\{0D7775DE-208C-4b38-A9C1-6CF10506CCAB}.exe

Filesize
60KB

MD5
c778088be1dad2fba3528ffb89b7b46b

SHA1
e333fa3eafa7803242931580b05d81e270d1a7f5

SHA256
c76bfcf696bbd37af2acff6ef1888183a768fa797ca5633908a8ac4075367e9f

SHA512
b6c8a93b88f2798821cb035515e6d639ccd7ad052b9d78404d2642dce42a21dc8e70b441113d0213ace73615fa1df2483ff4dbda18c7f22c90ebf216cce0d126

Download Submit
C:\Windows\{28A84C42-39A3-46b9-94E8-311DCD8D7302}.exe

Filesize
60KB

MD5
e753d504b1a892268bf1a9b5bcdbf40d

SHA1
6ea7f0d3de8dc58aceb746d87f81e454f98d17d3

SHA256
9ba94c8bccf4471d647f860d02df8b9f40be84f1595efb3959e71f677c0d2135

SHA512
6785f19a1f96e8ce7a9c6b585379d6562a9bab32382673551bd3967c85c9efc447bb4ef595347bf182f05edb4d83d31c22576cda43f963b9efa69bf39089bb07

Download Submit
C:\Windows\{6061AD58-B974-4493-A904-3046FA64FA7C}.exe

Filesize
60KB

MD5
5f8c65468c13cb59d71b16ac0fc6cc43

SHA1
aa098e716e5ea8e3ec1e3cea731c44fb736a62ef

SHA256
b20bd022d98e8ca6fcf9c280c41ee0251cd999352fe91dc8ff7ccf0e3b5c7920

SHA512
bad8f54b069b665367e9b6ffbc138180693561d00e237e75766d91321d7c04a98941b5c67baee4fda073e23ff40817e5cc5384acb7a62e11faa2cb4c602a1dc2

Download Submit
C:\Windows\{76F8C920-95BD-4deb-8073-5D3A307C3599}.exe

Filesize
60KB

MD5
2aa70d25d505b1ef5b9546c75c9abde4

SHA1
2dc7fbeb35f925b39097b63a88d91400045e13b1

SHA256
82e8751964d6ab9721491c50b06e9e1cf814f2942eec06127fd1e2e314748fac

SHA512
19de0dc3215eb300630507290806b6bedc74ba99216eef53e348d90c7074a05d5d7ce0a94515b1716750ddf66d3c6de78c18241b25cfde67029084450d8178e3

Download Submit
C:\Windows\{7D9F42BF-1174-4aaf-AB12-2B2C4F1CA487}.exe

Filesize
60KB

MD5
928abc78db23ffff490a0752cce25a74

SHA1
4a4acfc6580a7cff769ab09ab0f479479f9c3030

SHA256
03e3bca68830ff1974a5783bbef5074a1ca0488eff48b94787effb425aa7ecc0

SHA512
d047ae4fcc5b398347e00823bc5be8fd3586594994af1bf1c026fae709d19310025d9b2bc605e38aad419b1d43b16ec91295ff3e569c7a825406f3a49a61bbab

Download Submit
C:\Windows\{83B07B09-19FF-4947-BE40-BA27E7A8F07D}.exe

Filesize
60KB

MD5
2fcef8bf1a86778a9ceff8c631da22e9

SHA1
4ffbb468d8fa5e82682e6018bb0f0483ffc75dbf

SHA256
7b6da690c8f252a3c624053c6ddee7b0f3d5b1d75a9cc5e7949140826934fc97

SHA512
ffbcdca40ab4d8b97bfa04448be5691fa132f1d5754f2831d4da9671b7072c9bba0eb87bf8743a4187fbfefd24ed413cd76d80d192fcd375d8031288636406e0

Download Submit
C:\Windows\{A7CEC104-532B-4d1c-930E-08A234102CFE}.exe

Filesize
60KB

MD5
439ac7a9163e67a121e6211fee13a40e

SHA1
82be701c1e4333cb2c8855e662a5f8e5366d1cab

SHA256
c573a0414ef1906064fb8b1d2dbccebda53357d0bd418ef6cf4f39a9133693f3

SHA512
ae3653389d3f315a68deeac4d2318d0ab93737eac539f678bb10b7433500e6c83b1ca79abf25840edd426bec0f0c32e4caa0f9747cb8578292c7d8ae52475c62

Download Submit
C:\Windows\{BD294F51-AAF6-400d-B064-C81B441CF3D7}.exe

Filesize
60KB

MD5
1bf9fd2800aebee0a3b9db0d2d574a89

SHA1
cf96b5fdf7ddfd673767b316803a2b5099b4c350

SHA256
5b48600887fa45e6cb10654b6b58907a01d2b1887180a4ee593d3729419a5b0d

SHA512
a61a3db89dde08cd2dfc3915f34fd3957c6ac5c40ad88cade3a97ca996a23f992d8641e6a64f7bd88fc2359393648692ae6a585cefb166191bdb8cb0222f96ec

Download Submit
C:\Windows\{C2FF98B1-B2EC-419d-B587-08B36DDB9B7D}.exe

Filesize
60KB

MD5
c27f2325c6539fad2eb043a7d40ae143

SHA1
b483b3b920d13c249811cb350fc1c6786c94ce73

SHA256
00636bcc8c62f66429cd6cb38373bbb2d73e1630e023431d0fd71775610bbefe

SHA512
473f35c553e1a76ab91b3087c26e021c27944bc0b89bffe948520189a3cf81bb23c2cfc78c4e8477bcba030b49824b8cf3ea8e6a4ade474238c3daa65a17e27e

Download Submit
C:\Windows\{F0342BB5-A940-492e-8575-C2289419C85E}.exe

Filesize
60KB

MD5
dcdeb18d964a67dba659512379c3d94f

SHA1
cbd8897a51026d1a5512dd28aa654e1a029cacd9

SHA256
99f42d24bde7d2def25b60b2c02ce4687f8c5c8eee3b351a892ed4efd734a494

SHA512
11d2720ede51b5e4ad9a3776ac638cd04ba64ecda46b8c154dd9afc3b3542b339e2a618b9a2ded88600e22626465e0ba586010738ef42966bdccfd35a7594089

Download Submit
C:\Windows\{F0FE11BB-9E41-499b-AD38-A0E1F71FA6F4}.exe

Filesize
60KB

MD5
76efd6c417b65094b6d12141ab499af1

SHA1
b5669689cb0205099e4f23cac05ba6742fa3fdb8

SHA256
88074ec1f10c7a20df17f451e7e09aa94c203bf2b4a18dc32eef1299db987f30

SHA512
255d1c4e4b6ae6cda954b5ab37c1e9fd6e2d66781b0e30cc88250d405659a5789081d0d9402a1dcb0fde240071a19c3d67194aaa0792359aeb519f59ad39f41e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads