d887e27b8ac8a61826803d518d93e3c64a0a40a1b55b5bf98431f28c25a94f16

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12/05/2024, 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b9233f1de711561e8c0c4058c378ef0_NeikiAnalytics.exe
Size

60KB
MD5

0b9233f1de711561e8c0c4058c378ef0
SHA1

8d5cef2819752ef9fb19bf7068c0e24190a386e2
SHA256

d887e27b8ac8a61826803d518d93e3c64a0a40a1b55b5bf98431f28c25a94f16
SHA512

a12d8ed8daf4430c926b2ae5ade6fc7605a87d2041d0aa4ae72dbda073f1bde93e2f8a864547e73c1f96af00b56560fde0757abfb4932de9e60dc9bd2198d42a
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLroLk4/CFsrdHWMZ:vvw9816vhKQLroLk4/wQpWMZ

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4774189F-6F3C-4f77-ABE7-CAEC7C931A9E}\stubpath = "C:\\Windows\\{4774189F-6F3C-4f77-ABE7-CAEC7C931A9E}.exe"	0b9233f1de711561e8c0c4058c378ef0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B442955-48D0-45fa-8837-CA521804DF2A}\stubpath = "C:\\Windows\\{0B442955-48D0-45fa-8837-CA521804DF2A}.exe"	{567E342E-830E-4bd7-BB3E-A744784EC121}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F8972D9-5538-47a4-BF8B-095FCBE52B6F}\stubpath = "C:\\Windows\\{3F8972D9-5538-47a4-BF8B-095FCBE52B6F}.exe"	{0B442955-48D0-45fa-8837-CA521804DF2A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CDB2F67-4CF7-40b8-922A-FFE72C762A2A}\stubpath = "C:\\Windows\\{8CDB2F67-4CF7-40b8-922A-FFE72C762A2A}.exe"	{3F8972D9-5538-47a4-BF8B-095FCBE52B6F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7594575A-CD0C-4622-B450-706AB9AE5B24}\stubpath = "C:\\Windows\\{7594575A-CD0C-4622-B450-706AB9AE5B24}.exe"	{03B41726-B1CA-466b-86F6-CDCC437515E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F8D81C1-A24F-4afb-8E11-0FAA421722D5}\stubpath = "C:\\Windows\\{4F8D81C1-A24F-4afb-8E11-0FAA421722D5}.exe"	{D18656B0-8B4F-47c2-918A-E42C442C66DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{567E342E-830E-4bd7-BB3E-A744784EC121}	{4774189F-6F3C-4f77-ABE7-CAEC7C931A9E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{567E342E-830E-4bd7-BB3E-A744784EC121}\stubpath = "C:\\Windows\\{567E342E-830E-4bd7-BB3E-A744784EC121}.exe"	{4774189F-6F3C-4f77-ABE7-CAEC7C931A9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B442955-48D0-45fa-8837-CA521804DF2A}	{567E342E-830E-4bd7-BB3E-A744784EC121}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3F8972D9-5538-47a4-BF8B-095FCBE52B6F}	{0B442955-48D0-45fa-8837-CA521804DF2A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03B41726-B1CA-466b-86F6-CDCC437515E1}	{8CDB2F67-4CF7-40b8-922A-FFE72C762A2A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03B41726-B1CA-466b-86F6-CDCC437515E1}\stubpath = "C:\\Windows\\{03B41726-B1CA-466b-86F6-CDCC437515E1}.exe"	{8CDB2F67-4CF7-40b8-922A-FFE72C762A2A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D18656B0-8B4F-47c2-918A-E42C442C66DE}\stubpath = "C:\\Windows\\{D18656B0-8B4F-47c2-918A-E42C442C66DE}.exe"	{7594575A-CD0C-4622-B450-706AB9AE5B24}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F981542-A32A-4011-B2AE-664D8751F13C}	{4F8D81C1-A24F-4afb-8E11-0FAA421722D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4774189F-6F3C-4f77-ABE7-CAEC7C931A9E}	0b9233f1de711561e8c0c4058c378ef0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CDB2F67-4CF7-40b8-922A-FFE72C762A2A}	{3F8972D9-5538-47a4-BF8B-095FCBE52B6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D18656B0-8B4F-47c2-918A-E42C442C66DE}	{7594575A-CD0C-4622-B450-706AB9AE5B24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F981542-A32A-4011-B2AE-664D8751F13C}\stubpath = "C:\\Windows\\{1F981542-A32A-4011-B2AE-664D8751F13C}.exe"	{4F8D81C1-A24F-4afb-8E11-0FAA421722D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08FEDBD0-8588-4f95-83DF-7E0D8F3DA9B7}	{1F981542-A32A-4011-B2AE-664D8751F13C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7594575A-CD0C-4622-B450-706AB9AE5B24}	{03B41726-B1CA-466b-86F6-CDCC437515E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F8D81C1-A24F-4afb-8E11-0FAA421722D5}	{D18656B0-8B4F-47c2-918A-E42C442C66DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08FEDBD0-8588-4f95-83DF-7E0D8F3DA9B7}\stubpath = "C:\\Windows\\{08FEDBD0-8588-4f95-83DF-7E0D8F3DA9B7}.exe"	{1F981542-A32A-4011-B2AE-664D8751F13C}.exe

Deletes itself 1 IoCs

pid	Process
2772	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2344	{4774189F-6F3C-4f77-ABE7-CAEC7C931A9E}.exe
2696	{567E342E-830E-4bd7-BB3E-A744784EC121}.exe
2708	{0B442955-48D0-45fa-8837-CA521804DF2A}.exe
3032	{3F8972D9-5538-47a4-BF8B-095FCBE52B6F}.exe
2676	{8CDB2F67-4CF7-40b8-922A-FFE72C762A2A}.exe
1032	{03B41726-B1CA-466b-86F6-CDCC437515E1}.exe
2180	{7594575A-CD0C-4622-B450-706AB9AE5B24}.exe
1432	{D18656B0-8B4F-47c2-918A-E42C442C66DE}.exe
2120	{4F8D81C1-A24F-4afb-8E11-0FAA421722D5}.exe
2036	{1F981542-A32A-4011-B2AE-664D8751F13C}.exe
1480	{08FEDBD0-8588-4f95-83DF-7E0D8F3DA9B7}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{4774189F-6F3C-4f77-ABE7-CAEC7C931A9E}.exe	0b9233f1de711561e8c0c4058c378ef0_NeikiAnalytics.exe
File created	C:\Windows\{0B442955-48D0-45fa-8837-CA521804DF2A}.exe	{567E342E-830E-4bd7-BB3E-A744784EC121}.exe
File created	C:\Windows\{7594575A-CD0C-4622-B450-706AB9AE5B24}.exe	{03B41726-B1CA-466b-86F6-CDCC437515E1}.exe
File created	C:\Windows\{D18656B0-8B4F-47c2-918A-E42C442C66DE}.exe	{7594575A-CD0C-4622-B450-706AB9AE5B24}.exe
File created	C:\Windows\{08FEDBD0-8588-4f95-83DF-7E0D8F3DA9B7}.exe	{1F981542-A32A-4011-B2AE-664D8751F13C}.exe
File created	C:\Windows\{567E342E-830E-4bd7-BB3E-A744784EC121}.exe	{4774189F-6F3C-4f77-ABE7-CAEC7C931A9E}.exe
File created	C:\Windows\{3F8972D9-5538-47a4-BF8B-095FCBE52B6F}.exe	{0B442955-48D0-45fa-8837-CA521804DF2A}.exe
File created	C:\Windows\{8CDB2F67-4CF7-40b8-922A-FFE72C762A2A}.exe	{3F8972D9-5538-47a4-BF8B-095FCBE52B6F}.exe
File created	C:\Windows\{03B41726-B1CA-466b-86F6-CDCC437515E1}.exe	{8CDB2F67-4CF7-40b8-922A-FFE72C762A2A}.exe
File created	C:\Windows\{4F8D81C1-A24F-4afb-8E11-0FAA421722D5}.exe	{D18656B0-8B4F-47c2-918A-E42C442C66DE}.exe
File created	C:\Windows\{1F981542-A32A-4011-B2AE-664D8751F13C}.exe	{4F8D81C1-A24F-4afb-8E11-0FAA421722D5}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2732	0b9233f1de711561e8c0c4058c378ef0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2344	{4774189F-6F3C-4f77-ABE7-CAEC7C931A9E}.exe
Token: SeIncBasePriorityPrivilege	2696	{567E342E-830E-4bd7-BB3E-A744784EC121}.exe
Token: SeIncBasePriorityPrivilege	2708	{0B442955-48D0-45fa-8837-CA521804DF2A}.exe
Token: SeIncBasePriorityPrivilege	3032	{3F8972D9-5538-47a4-BF8B-095FCBE52B6F}.exe
Token: SeIncBasePriorityPrivilege	2676	{8CDB2F67-4CF7-40b8-922A-FFE72C762A2A}.exe
Token: SeIncBasePriorityPrivilege	1032	{03B41726-B1CA-466b-86F6-CDCC437515E1}.exe
Token: SeIncBasePriorityPrivilege	2180	{7594575A-CD0C-4622-B450-706AB9AE5B24}.exe
Token: SeIncBasePriorityPrivilege	1432	{D18656B0-8B4F-47c2-918A-E42C442C66DE}.exe
Token: SeIncBasePriorityPrivilege	2120	{4F8D81C1-A24F-4afb-8E11-0FAA421722D5}.exe
Token: SeIncBasePriorityPrivilege	2036	{1F981542-A32A-4011-B2AE-664D8751F13C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2344	2732	0b9233f1de711561e8c0c4058c378ef0_NeikiAnalytics.exe	28
PID 2732 wrote to memory of 2344	2732	0b9233f1de711561e8c0c4058c378ef0_NeikiAnalytics.exe	28
PID 2732 wrote to memory of 2344	2732	0b9233f1de711561e8c0c4058c378ef0_NeikiAnalytics.exe	28
PID 2732 wrote to memory of 2344	2732	0b9233f1de711561e8c0c4058c378ef0_NeikiAnalytics.exe	28
PID 2732 wrote to memory of 2772	2732	0b9233f1de711561e8c0c4058c378ef0_NeikiAnalytics.exe	29
PID 2732 wrote to memory of 2772	2732	0b9233f1de711561e8c0c4058c378ef0_NeikiAnalytics.exe	29
PID 2732 wrote to memory of 2772	2732	0b9233f1de711561e8c0c4058c378ef0_NeikiAnalytics.exe	29
PID 2732 wrote to memory of 2772	2732	0b9233f1de711561e8c0c4058c378ef0_NeikiAnalytics.exe	29
PID 2344 wrote to memory of 2696	2344	{4774189F-6F3C-4f77-ABE7-CAEC7C931A9E}.exe	30
PID 2344 wrote to memory of 2696	2344	{4774189F-6F3C-4f77-ABE7-CAEC7C931A9E}.exe	30
PID 2344 wrote to memory of 2696	2344	{4774189F-6F3C-4f77-ABE7-CAEC7C931A9E}.exe	30
PID 2344 wrote to memory of 2696	2344	{4774189F-6F3C-4f77-ABE7-CAEC7C931A9E}.exe	30
PID 2344 wrote to memory of 1152	2344	{4774189F-6F3C-4f77-ABE7-CAEC7C931A9E}.exe	31
PID 2344 wrote to memory of 1152	2344	{4774189F-6F3C-4f77-ABE7-CAEC7C931A9E}.exe	31
PID 2344 wrote to memory of 1152	2344	{4774189F-6F3C-4f77-ABE7-CAEC7C931A9E}.exe	31
PID 2344 wrote to memory of 1152	2344	{4774189F-6F3C-4f77-ABE7-CAEC7C931A9E}.exe	31
PID 2696 wrote to memory of 2708	2696	{567E342E-830E-4bd7-BB3E-A744784EC121}.exe	32
PID 2696 wrote to memory of 2708	2696	{567E342E-830E-4bd7-BB3E-A744784EC121}.exe	32
PID 2696 wrote to memory of 2708	2696	{567E342E-830E-4bd7-BB3E-A744784EC121}.exe	32
PID 2696 wrote to memory of 2708	2696	{567E342E-830E-4bd7-BB3E-A744784EC121}.exe	32
PID 2696 wrote to memory of 2756	2696	{567E342E-830E-4bd7-BB3E-A744784EC121}.exe	33
PID 2696 wrote to memory of 2756	2696	{567E342E-830E-4bd7-BB3E-A744784EC121}.exe	33
PID 2696 wrote to memory of 2756	2696	{567E342E-830E-4bd7-BB3E-A744784EC121}.exe	33
PID 2696 wrote to memory of 2756	2696	{567E342E-830E-4bd7-BB3E-A744784EC121}.exe	33
PID 2708 wrote to memory of 3032	2708	{0B442955-48D0-45fa-8837-CA521804DF2A}.exe	36
PID 2708 wrote to memory of 3032	2708	{0B442955-48D0-45fa-8837-CA521804DF2A}.exe	36
PID 2708 wrote to memory of 3032	2708	{0B442955-48D0-45fa-8837-CA521804DF2A}.exe	36
PID 2708 wrote to memory of 3032	2708	{0B442955-48D0-45fa-8837-CA521804DF2A}.exe	36
PID 2708 wrote to memory of 2360	2708	{0B442955-48D0-45fa-8837-CA521804DF2A}.exe	37
PID 2708 wrote to memory of 2360	2708	{0B442955-48D0-45fa-8837-CA521804DF2A}.exe	37
PID 2708 wrote to memory of 2360	2708	{0B442955-48D0-45fa-8837-CA521804DF2A}.exe	37
PID 2708 wrote to memory of 2360	2708	{0B442955-48D0-45fa-8837-CA521804DF2A}.exe	37
PID 3032 wrote to memory of 2676	3032	{3F8972D9-5538-47a4-BF8B-095FCBE52B6F}.exe	38
PID 3032 wrote to memory of 2676	3032	{3F8972D9-5538-47a4-BF8B-095FCBE52B6F}.exe	38
PID 3032 wrote to memory of 2676	3032	{3F8972D9-5538-47a4-BF8B-095FCBE52B6F}.exe	38
PID 3032 wrote to memory of 2676	3032	{3F8972D9-5538-47a4-BF8B-095FCBE52B6F}.exe	38
PID 3032 wrote to memory of 2628	3032	{3F8972D9-5538-47a4-BF8B-095FCBE52B6F}.exe	39
PID 3032 wrote to memory of 2628	3032	{3F8972D9-5538-47a4-BF8B-095FCBE52B6F}.exe	39
PID 3032 wrote to memory of 2628	3032	{3F8972D9-5538-47a4-BF8B-095FCBE52B6F}.exe	39
PID 3032 wrote to memory of 2628	3032	{3F8972D9-5538-47a4-BF8B-095FCBE52B6F}.exe	39
PID 2676 wrote to memory of 1032	2676	{8CDB2F67-4CF7-40b8-922A-FFE72C762A2A}.exe	40
PID 2676 wrote to memory of 1032	2676	{8CDB2F67-4CF7-40b8-922A-FFE72C762A2A}.exe	40
PID 2676 wrote to memory of 1032	2676	{8CDB2F67-4CF7-40b8-922A-FFE72C762A2A}.exe	40
PID 2676 wrote to memory of 1032	2676	{8CDB2F67-4CF7-40b8-922A-FFE72C762A2A}.exe	40
PID 2676 wrote to memory of 1020	2676	{8CDB2F67-4CF7-40b8-922A-FFE72C762A2A}.exe	41
PID 2676 wrote to memory of 1020	2676	{8CDB2F67-4CF7-40b8-922A-FFE72C762A2A}.exe	41
PID 2676 wrote to memory of 1020	2676	{8CDB2F67-4CF7-40b8-922A-FFE72C762A2A}.exe	41
PID 2676 wrote to memory of 1020	2676	{8CDB2F67-4CF7-40b8-922A-FFE72C762A2A}.exe	41
PID 1032 wrote to memory of 2180	1032	{03B41726-B1CA-466b-86F6-CDCC437515E1}.exe	42
PID 1032 wrote to memory of 2180	1032	{03B41726-B1CA-466b-86F6-CDCC437515E1}.exe	42
PID 1032 wrote to memory of 2180	1032	{03B41726-B1CA-466b-86F6-CDCC437515E1}.exe	42
PID 1032 wrote to memory of 2180	1032	{03B41726-B1CA-466b-86F6-CDCC437515E1}.exe	42
PID 1032 wrote to memory of 900	1032	{03B41726-B1CA-466b-86F6-CDCC437515E1}.exe	43
PID 1032 wrote to memory of 900	1032	{03B41726-B1CA-466b-86F6-CDCC437515E1}.exe	43
PID 1032 wrote to memory of 900	1032	{03B41726-B1CA-466b-86F6-CDCC437515E1}.exe	43
PID 1032 wrote to memory of 900	1032	{03B41726-B1CA-466b-86F6-CDCC437515E1}.exe	43
PID 2180 wrote to memory of 1432	2180	{7594575A-CD0C-4622-B450-706AB9AE5B24}.exe	44
PID 2180 wrote to memory of 1432	2180	{7594575A-CD0C-4622-B450-706AB9AE5B24}.exe	44
PID 2180 wrote to memory of 1432	2180	{7594575A-CD0C-4622-B450-706AB9AE5B24}.exe	44
PID 2180 wrote to memory of 1432	2180	{7594575A-CD0C-4622-B450-706AB9AE5B24}.exe	44
PID 2180 wrote to memory of 1876	2180	{7594575A-CD0C-4622-B450-706AB9AE5B24}.exe	45
PID 2180 wrote to memory of 1876	2180	{7594575A-CD0C-4622-B450-706AB9AE5B24}.exe	45
PID 2180 wrote to memory of 1876	2180	{7594575A-CD0C-4622-B450-706AB9AE5B24}.exe	45
PID 2180 wrote to memory of 1876	2180	{7594575A-CD0C-4622-B450-706AB9AE5B24}.exe	45

C:\Users\Admin\AppData\Local\Temp\0b9233f1de711561e8c0c4058c378ef0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0b9233f1de711561e8c0c4058c378ef0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\{4774189F-6F3C-4f77-ABE7-CAEC7C931A9E}.exe
  C:\Windows\{4774189F-6F3C-4f77-ABE7-CAEC7C931A9E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\{567E342E-830E-4bd7-BB3E-A744784EC121}.exe
    C:\Windows\{567E342E-830E-4bd7-BB3E-A744784EC121}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\{0B442955-48D0-45fa-8837-CA521804DF2A}.exe
      C:\Windows\{0B442955-48D0-45fa-8837-CA521804DF2A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\{3F8972D9-5538-47a4-BF8B-095FCBE52B6F}.exe
        
        C:\Windows\{3F8972D9-5538-47a4-BF8B-095FCBE52B6F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3032
      - C:\Windows\{8CDB2F67-4CF7-40b8-922A-FFE72C762A2A}.exe
        
        C:\Windows\{8CDB2F67-4CF7-40b8-922A-FFE72C762A2A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\{03B41726-B1CA-466b-86F6-CDCC437515E1}.exe
        
        C:\Windows\{03B41726-B1CA-466b-86F6-CDCC437515E1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\{7594575A-CD0C-4622-B450-706AB9AE5B24}.exe
        
        C:\Windows\{7594575A-CD0C-4622-B450-706AB9AE5B24}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\{D18656B0-8B4F-47c2-918A-E42C442C66DE}.exe
        
        C:\Windows\{D18656B0-8B4F-47c2-918A-E42C442C66DE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
        
        C:\Windows\{4F8D81C1-A24F-4afb-8E11-0FAA421722D5}.exe
        
        C:\Windows\{4F8D81C1-A24F-4afb-8E11-0FAA421722D5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
        
        C:\Windows\{1F981542-A32A-4011-B2AE-664D8751F13C}.exe
        
        C:\Windows\{1F981542-A32A-4011-B2AE-664D8751F13C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
        
        C:\Windows\{08FEDBD0-8588-4f95-83DF-7E0D8F3DA9B7}.exe
        
        C:\Windows\{08FEDBD0-8588-4f95-83DF-7E0D8F3DA9B7}.exe
        12⤵
        Executes dropped EXE
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F981~1.EXE > nul
        12⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F8D8~1.EXE > nul
        11⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1865~1.EXE > nul
        10⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75945~1.EXE > nul
        9⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03B41~1.EXE > nul
        8⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CDB2~1.EXE > nul
        7⤵
        
        PID:1020
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F897~1.EXE > nul
        6⤵
        
        PID:2628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B442~1.EXE > nul
        5⤵
        
        PID:2360
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{567E3~1.EXE > nul
      4⤵
      PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{47741~1.EXE > nul
    3⤵
    PID:1152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0B9233~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03B41726-B1CA-466b-86F6-CDCC437515E1}.exe

Filesize
60KB

MD5
80267b3f00ca6815cfdd796805407157

SHA1
52a5a870d9f74cb061dd477e2eb2f534d7b581e2

SHA256
9f674cd45d95b58be3baf6870d9a4702d57971d749e19cfa39fc95bbc33acff2

SHA512
23346aaad58fe35aa5a7caaf14fd12847a0c1533b2765b2c0420b4ad2cc9d0d7cfaafa14b1fd907bbb0545e990521612ad23605f2e8b28c664014394156c577f

Download Submit
C:\Windows\{08FEDBD0-8588-4f95-83DF-7E0D8F3DA9B7}.exe

Filesize
60KB

MD5
618107a4e0c19fe9db08faaec42fe1ee

SHA1
af46f5a36f2e5ded79f90fa79093db6aa50ed546

SHA256
f8299383c5d1e69eb905408bda1b170b4afbc498620d64c57decf94f2d618983

SHA512
d08dcd03a9c61692fcc13694fd90c5d1b22e7a26df99af14936861f44911c115f3abf7abbe39e466956e850f614578958cc475ebf223520409c2f0b3f2629499

Download Submit
C:\Windows\{0B442955-48D0-45fa-8837-CA521804DF2A}.exe

Filesize
60KB

MD5
9f447fb0143bb6bb50aaf85a8b7a39ef

SHA1
724b94c993972517fdeb032b1e2ab0da34d67930

SHA256
4490264bcfa6f15eba66232045019f71e3131859e33406782567d7377d0d885e

SHA512
b2311405eb20a36734a1a85946ade6afe8b3a1a2577935b59a12c695749bb0b04b73e686550eaa4b19b2608948bb4e6c3cf91beb8ab636667a8ebbdc2249edb0

Download Submit
C:\Windows\{1F981542-A32A-4011-B2AE-664D8751F13C}.exe

Filesize
60KB

MD5
2a180925838523aced7295925b320b73

SHA1
bc1fa8a89b55e52d91ec7ccb2c04f8e2b5e2b9e1

SHA256
d34a09001907412eeedadd383aa0be27de3b3ebd67c7d350c310768d38de17cb

SHA512
f021b83c6086a11fc1618638b8b554575f8961d01f67dec61da511fb48606f9b953cdbbc22307f2799e9fbaddff8bba439a02f9b54dc74b3246208588666af10

Download Submit
C:\Windows\{3F8972D9-5538-47a4-BF8B-095FCBE52B6F}.exe

Filesize
60KB

MD5
c45189593575ffee97359e51d69d8840

SHA1
746bab2d8f38c79c0a72585952d3cd72f9cd2c03

SHA256
19492d6215d922552894849919c9528132817cb8bb27aae204f25d294be8aadd

SHA512
76545396ab788249c313379b7f85469dcab1f51198062c69ef2498547d09176293ab94f750ba1cd296c217eed080df7459d7648ed078b563ba65a8ec1fa2c1b2

Download Submit
C:\Windows\{4774189F-6F3C-4f77-ABE7-CAEC7C931A9E}.exe

Filesize
60KB

MD5
b4dd58febe2f802c289fb5e9fa1f59de

SHA1
1ff7e285095c2f7995272efebde918fcf86339bc

SHA256
b01107836026e9b2918b0a84ee7ff0e700815c35486eafeae9f17e20493cf9da

SHA512
757e12d78f0369994441ade996846fe8c28815fcb2f53a42c73bd8a7090f7b6e4638991d32d2251d43b60ab7676dae7625dc7a700b9b195a4626aaee33905000

Download Submit
C:\Windows\{4F8D81C1-A24F-4afb-8E11-0FAA421722D5}.exe

Filesize
60KB

MD5
d964814749fe3dbd9937209d1d6e3032

SHA1
ff805ca0e724e34e42072c3a456b4b5504fb66e8

SHA256
b5f84732438bf39fbe9ad3f40288565229ef590c0ec279603c3d0230142da602

SHA512
82265e8d0fd3fc1fef769d08a7927407e6ce592177b7a0fdf9ffaa3fdfb8f4cb3be407590bb248de0010a9fb4fba5ab9c8d3a93a787a1eca9f836f511622eec4

Download Submit
C:\Windows\{567E342E-830E-4bd7-BB3E-A744784EC121}.exe

Filesize
60KB

MD5
918e544f541a5bb5e81440bc997b7b6a

SHA1
1ef21a00eb1fe83ff8bc15ab80dcdc5b68e2e9fa

SHA256
f15cc54b7838c60c63cb6ea683a10930a53b41a6a76e7c2fcd9ebc84f257772f

SHA512
ea407fc75867a290d89e934685146ee86c0cc864d9c67d70502cff29433556c8c48b453bcf98bc5b8dbfb06a17b586df633e1bae3587a8a4d78bfa62dd542692

Download Submit
C:\Windows\{7594575A-CD0C-4622-B450-706AB9AE5B24}.exe

Filesize
60KB

MD5
5595030ff1e3c0deecb23a2d4c7bd62e

SHA1
1f5ea048cff6fc5aa4da69dc6431d74ec7af43ec

SHA256
e0d8169dfced9519b79c5c7be60838bf40cf34e17a3896bc157a1fb82a0af046

SHA512
08e6bbc368368c83cac18888a411709a719fbd9396ac352408fa43d10d06f160c8f6925dbd516f8fd76af90b4e3ef0a0dc8b30181f19b5e6b96575671f06e34d

Download Submit
C:\Windows\{8CDB2F67-4CF7-40b8-922A-FFE72C762A2A}.exe

Filesize
60KB

MD5
599c382dc8afb89794dc73d8bcdb08c1

SHA1
a5e9a6239cec0e244661516d7f3972fafc9004cd

SHA256
a415afff4956bee93c1e9f4e1bb545fb5c39c0cc9c3923121a1dc0e611130252

SHA512
3237d99f290ae4f3ad1a5284a8e2b11fe10d3da4c3dfdb7de7f5df5465a659ad4c894fe2d5891fb8fca850c251f4680011873b998a6ddfe7506e400425b8bc7c

Download Submit
C:\Windows\{D18656B0-8B4F-47c2-918A-E42C442C66DE}.exe

Filesize
60KB

MD5
a689c9ce2d70bbfdbc3caac74ab4b981

SHA1
3507a6fd0c95bae87e628da2980a4860085796f6

SHA256
8f07b4457c7f975079f07c82803f87dccbd20dbc098b08a739cf9e4b673f12ce

SHA512
1b2133adc41b7a0c8a6c35122a2aec0544c01201793968cbece4948b90bf0c21988d5380b276687aeeb953e12b524290b24a1ead281b734b1ffae145c1e5e93c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads