69a54cbf289a6ae5b968fbe10a487419fc09543edf80afe95f05a601f18c897d

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
13/05/2024, 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b95975f27f2ea9ac103f806a2815920_NeikiAnalytics.exe
Size

98KB
MD5

0b95975f27f2ea9ac103f806a2815920
SHA1

9360c00f54c052b5fa5f773f1a6c5bead9f6e1cf
SHA256

69a54cbf289a6ae5b968fbe10a487419fc09543edf80afe95f05a601f18c897d
SHA512

75b102e121b99d1469c70d5012d662006a45d3564c7d8f710d01669292d86960c6d5f16a91f892916ddef242bdf77ad5e857bc025494284a2c9fda3714df7780
SSDEEP

768:5vw9816thKQLroz4/wQkNrfrunMxVFA3b7glws:lEG/0ozlbunMxVS3Hgz

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C9C6DA0-6FB5-49c2-8366-8D79EA3E9C3A}\stubpath = "C:\\Windows\\{9C9C6DA0-6FB5-49c2-8366-8D79EA3E9C3A}.exe"	{13E5E497-4AA5-4636-8968-B5CF27A8C00D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A91D4B4-D2F0-4abf-90B2-2C7FD6791476}\stubpath = "C:\\Windows\\{0A91D4B4-D2F0-4abf-90B2-2C7FD6791476}.exe"	{9C9C6DA0-6FB5-49c2-8366-8D79EA3E9C3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{261D21F6-6F5C-4859-A27B-76620BA7E23C}\stubpath = "C:\\Windows\\{261D21F6-6F5C-4859-A27B-76620BA7E23C}.exe"	{BF62BFF9-46B7-4588-9CC4-C609335034E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE94AB31-77A7-4339-9D0E-EC917AAAD097}\stubpath = "C:\\Windows\\{FE94AB31-77A7-4339-9D0E-EC917AAAD097}.exe"	{F657FC52-19A8-4be6-A0C6-8623BEE9BD51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AC24BFF-C6B8-4049-8C73-888DD47EBDA5}	{FE94AB31-77A7-4339-9D0E-EC917AAAD097}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C849F2EB-E346-43f2-AD2D-CDD37F1AB87F}\stubpath = "C:\\Windows\\{C849F2EB-E346-43f2-AD2D-CDD37F1AB87F}.exe"	0b95975f27f2ea9ac103f806a2815920_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13E5E497-4AA5-4636-8968-B5CF27A8C00D}	{2FC23B46-F001-4444-8CE2-26F3EE509AEC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C623983F-6845-43af-8600-8C9675EE09C9}\stubpath = "C:\\Windows\\{C623983F-6845-43af-8600-8C9675EE09C9}.exe"	{0A91D4B4-D2F0-4abf-90B2-2C7FD6791476}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F657FC52-19A8-4be6-A0C6-8623BEE9BD51}	{261D21F6-6F5C-4859-A27B-76620BA7E23C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F657FC52-19A8-4be6-A0C6-8623BEE9BD51}\stubpath = "C:\\Windows\\{F657FC52-19A8-4be6-A0C6-8623BEE9BD51}.exe"	{261D21F6-6F5C-4859-A27B-76620BA7E23C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13E5E497-4AA5-4636-8968-B5CF27A8C00D}\stubpath = "C:\\Windows\\{13E5E497-4AA5-4636-8968-B5CF27A8C00D}.exe"	{2FC23B46-F001-4444-8CE2-26F3EE509AEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A91D4B4-D2F0-4abf-90B2-2C7FD6791476}	{9C9C6DA0-6FB5-49c2-8366-8D79EA3E9C3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FC23B46-F001-4444-8CE2-26F3EE509AEC}\stubpath = "C:\\Windows\\{2FC23B46-F001-4444-8CE2-26F3EE509AEC}.exe"	{C849F2EB-E346-43f2-AD2D-CDD37F1AB87F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF62BFF9-46B7-4588-9CC4-C609335034E0}	{C623983F-6845-43af-8600-8C9675EE09C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AC24BFF-C6B8-4049-8C73-888DD47EBDA5}\stubpath = "C:\\Windows\\{5AC24BFF-C6B8-4049-8C73-888DD47EBDA5}.exe"	{FE94AB31-77A7-4339-9D0E-EC917AAAD097}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C849F2EB-E346-43f2-AD2D-CDD37F1AB87F}	0b95975f27f2ea9ac103f806a2815920_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FC23B46-F001-4444-8CE2-26F3EE509AEC}	{C849F2EB-E346-43f2-AD2D-CDD37F1AB87F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF62BFF9-46B7-4588-9CC4-C609335034E0}\stubpath = "C:\\Windows\\{BF62BFF9-46B7-4588-9CC4-C609335034E0}.exe"	{C623983F-6845-43af-8600-8C9675EE09C9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{261D21F6-6F5C-4859-A27B-76620BA7E23C}	{BF62BFF9-46B7-4588-9CC4-C609335034E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE94AB31-77A7-4339-9D0E-EC917AAAD097}	{F657FC52-19A8-4be6-A0C6-8623BEE9BD51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C9C6DA0-6FB5-49c2-8366-8D79EA3E9C3A}	{13E5E497-4AA5-4636-8968-B5CF27A8C00D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C623983F-6845-43af-8600-8C9675EE09C9}	{0A91D4B4-D2F0-4abf-90B2-2C7FD6791476}.exe

Deletes itself 1 IoCs

pid	Process
2088	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2064	{C849F2EB-E346-43f2-AD2D-CDD37F1AB87F}.exe
2608	{2FC23B46-F001-4444-8CE2-26F3EE509AEC}.exe
2148	{13E5E497-4AA5-4636-8968-B5CF27A8C00D}.exe
2524	{9C9C6DA0-6FB5-49c2-8366-8D79EA3E9C3A}.exe
2444	{0A91D4B4-D2F0-4abf-90B2-2C7FD6791476}.exe
1756	{C623983F-6845-43af-8600-8C9675EE09C9}.exe
2772	{BF62BFF9-46B7-4588-9CC4-C609335034E0}.exe
2144	{261D21F6-6F5C-4859-A27B-76620BA7E23C}.exe
2324	{F657FC52-19A8-4be6-A0C6-8623BEE9BD51}.exe
1436	{FE94AB31-77A7-4339-9D0E-EC917AAAD097}.exe
1472	{5AC24BFF-C6B8-4049-8C73-888DD47EBDA5}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{13E5E497-4AA5-4636-8968-B5CF27A8C00D}.exe	{2FC23B46-F001-4444-8CE2-26F3EE509AEC}.exe
File created	C:\Windows\{0A91D4B4-D2F0-4abf-90B2-2C7FD6791476}.exe	{9C9C6DA0-6FB5-49c2-8366-8D79EA3E9C3A}.exe
File created	C:\Windows\{BF62BFF9-46B7-4588-9CC4-C609335034E0}.exe	{C623983F-6845-43af-8600-8C9675EE09C9}.exe
File created	C:\Windows\{261D21F6-6F5C-4859-A27B-76620BA7E23C}.exe	{BF62BFF9-46B7-4588-9CC4-C609335034E0}.exe
File created	C:\Windows\{F657FC52-19A8-4be6-A0C6-8623BEE9BD51}.exe	{261D21F6-6F5C-4859-A27B-76620BA7E23C}.exe
File created	C:\Windows\{C849F2EB-E346-43f2-AD2D-CDD37F1AB87F}.exe	0b95975f27f2ea9ac103f806a2815920_NeikiAnalytics.exe
File created	C:\Windows\{2FC23B46-F001-4444-8CE2-26F3EE509AEC}.exe	{C849F2EB-E346-43f2-AD2D-CDD37F1AB87F}.exe
File created	C:\Windows\{9C9C6DA0-6FB5-49c2-8366-8D79EA3E9C3A}.exe	{13E5E497-4AA5-4636-8968-B5CF27A8C00D}.exe
File created	C:\Windows\{C623983F-6845-43af-8600-8C9675EE09C9}.exe	{0A91D4B4-D2F0-4abf-90B2-2C7FD6791476}.exe
File created	C:\Windows\{FE94AB31-77A7-4339-9D0E-EC917AAAD097}.exe	{F657FC52-19A8-4be6-A0C6-8623BEE9BD51}.exe
File created	C:\Windows\{5AC24BFF-C6B8-4049-8C73-888DD47EBDA5}.exe	{FE94AB31-77A7-4339-9D0E-EC917AAAD097}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1936	0b95975f27f2ea9ac103f806a2815920_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2064	{C849F2EB-E346-43f2-AD2D-CDD37F1AB87F}.exe
Token: SeIncBasePriorityPrivilege	2608	{2FC23B46-F001-4444-8CE2-26F3EE509AEC}.exe
Token: SeIncBasePriorityPrivilege	2148	{13E5E497-4AA5-4636-8968-B5CF27A8C00D}.exe
Token: SeIncBasePriorityPrivilege	2524	{9C9C6DA0-6FB5-49c2-8366-8D79EA3E9C3A}.exe
Token: SeIncBasePriorityPrivilege	2444	{0A91D4B4-D2F0-4abf-90B2-2C7FD6791476}.exe
Token: SeIncBasePriorityPrivilege	1756	{C623983F-6845-43af-8600-8C9675EE09C9}.exe
Token: SeIncBasePriorityPrivilege	2772	{BF62BFF9-46B7-4588-9CC4-C609335034E0}.exe
Token: SeIncBasePriorityPrivilege	2144	{261D21F6-6F5C-4859-A27B-76620BA7E23C}.exe
Token: SeIncBasePriorityPrivilege	2324	{F657FC52-19A8-4be6-A0C6-8623BEE9BD51}.exe
Token: SeIncBasePriorityPrivilege	1436	{FE94AB31-77A7-4339-9D0E-EC917AAAD097}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2064	1936	0b95975f27f2ea9ac103f806a2815920_NeikiAnalytics.exe	28
PID 1936 wrote to memory of 2064	1936	0b95975f27f2ea9ac103f806a2815920_NeikiAnalytics.exe	28
PID 1936 wrote to memory of 2064	1936	0b95975f27f2ea9ac103f806a2815920_NeikiAnalytics.exe	28
PID 1936 wrote to memory of 2064	1936	0b95975f27f2ea9ac103f806a2815920_NeikiAnalytics.exe	28
PID 1936 wrote to memory of 2088	1936	0b95975f27f2ea9ac103f806a2815920_NeikiAnalytics.exe	29
PID 1936 wrote to memory of 2088	1936	0b95975f27f2ea9ac103f806a2815920_NeikiAnalytics.exe	29
PID 1936 wrote to memory of 2088	1936	0b95975f27f2ea9ac103f806a2815920_NeikiAnalytics.exe	29
PID 1936 wrote to memory of 2088	1936	0b95975f27f2ea9ac103f806a2815920_NeikiAnalytics.exe	29
PID 2064 wrote to memory of 2608	2064	{C849F2EB-E346-43f2-AD2D-CDD37F1AB87F}.exe	30
PID 2064 wrote to memory of 2608	2064	{C849F2EB-E346-43f2-AD2D-CDD37F1AB87F}.exe	30
PID 2064 wrote to memory of 2608	2064	{C849F2EB-E346-43f2-AD2D-CDD37F1AB87F}.exe	30
PID 2064 wrote to memory of 2608	2064	{C849F2EB-E346-43f2-AD2D-CDD37F1AB87F}.exe	30
PID 2064 wrote to memory of 2692	2064	{C849F2EB-E346-43f2-AD2D-CDD37F1AB87F}.exe	31
PID 2064 wrote to memory of 2692	2064	{C849F2EB-E346-43f2-AD2D-CDD37F1AB87F}.exe	31
PID 2064 wrote to memory of 2692	2064	{C849F2EB-E346-43f2-AD2D-CDD37F1AB87F}.exe	31
PID 2064 wrote to memory of 2692	2064	{C849F2EB-E346-43f2-AD2D-CDD37F1AB87F}.exe	31
PID 2608 wrote to memory of 2148	2608	{2FC23B46-F001-4444-8CE2-26F3EE509AEC}.exe	32
PID 2608 wrote to memory of 2148	2608	{2FC23B46-F001-4444-8CE2-26F3EE509AEC}.exe	32
PID 2608 wrote to memory of 2148	2608	{2FC23B46-F001-4444-8CE2-26F3EE509AEC}.exe	32
PID 2608 wrote to memory of 2148	2608	{2FC23B46-F001-4444-8CE2-26F3EE509AEC}.exe	32
PID 2608 wrote to memory of 2620	2608	{2FC23B46-F001-4444-8CE2-26F3EE509AEC}.exe	33
PID 2608 wrote to memory of 2620	2608	{2FC23B46-F001-4444-8CE2-26F3EE509AEC}.exe	33
PID 2608 wrote to memory of 2620	2608	{2FC23B46-F001-4444-8CE2-26F3EE509AEC}.exe	33
PID 2608 wrote to memory of 2620	2608	{2FC23B46-F001-4444-8CE2-26F3EE509AEC}.exe	33
PID 2148 wrote to memory of 2524	2148	{13E5E497-4AA5-4636-8968-B5CF27A8C00D}.exe	36
PID 2148 wrote to memory of 2524	2148	{13E5E497-4AA5-4636-8968-B5CF27A8C00D}.exe	36
PID 2148 wrote to memory of 2524	2148	{13E5E497-4AA5-4636-8968-B5CF27A8C00D}.exe	36
PID 2148 wrote to memory of 2524	2148	{13E5E497-4AA5-4636-8968-B5CF27A8C00D}.exe	36
PID 2148 wrote to memory of 2960	2148	{13E5E497-4AA5-4636-8968-B5CF27A8C00D}.exe	37
PID 2148 wrote to memory of 2960	2148	{13E5E497-4AA5-4636-8968-B5CF27A8C00D}.exe	37
PID 2148 wrote to memory of 2960	2148	{13E5E497-4AA5-4636-8968-B5CF27A8C00D}.exe	37
PID 2148 wrote to memory of 2960	2148	{13E5E497-4AA5-4636-8968-B5CF27A8C00D}.exe	37
PID 2524 wrote to memory of 2444	2524	{9C9C6DA0-6FB5-49c2-8366-8D79EA3E9C3A}.exe	38
PID 2524 wrote to memory of 2444	2524	{9C9C6DA0-6FB5-49c2-8366-8D79EA3E9C3A}.exe	38
PID 2524 wrote to memory of 2444	2524	{9C9C6DA0-6FB5-49c2-8366-8D79EA3E9C3A}.exe	38
PID 2524 wrote to memory of 2444	2524	{9C9C6DA0-6FB5-49c2-8366-8D79EA3E9C3A}.exe	38
PID 2524 wrote to memory of 1952	2524	{9C9C6DA0-6FB5-49c2-8366-8D79EA3E9C3A}.exe	39
PID 2524 wrote to memory of 1952	2524	{9C9C6DA0-6FB5-49c2-8366-8D79EA3E9C3A}.exe	39
PID 2524 wrote to memory of 1952	2524	{9C9C6DA0-6FB5-49c2-8366-8D79EA3E9C3A}.exe	39
PID 2524 wrote to memory of 1952	2524	{9C9C6DA0-6FB5-49c2-8366-8D79EA3E9C3A}.exe	39
PID 2444 wrote to memory of 1756	2444	{0A91D4B4-D2F0-4abf-90B2-2C7FD6791476}.exe	40
PID 2444 wrote to memory of 1756	2444	{0A91D4B4-D2F0-4abf-90B2-2C7FD6791476}.exe	40
PID 2444 wrote to memory of 1756	2444	{0A91D4B4-D2F0-4abf-90B2-2C7FD6791476}.exe	40
PID 2444 wrote to memory of 1756	2444	{0A91D4B4-D2F0-4abf-90B2-2C7FD6791476}.exe	40
PID 2444 wrote to memory of 1808	2444	{0A91D4B4-D2F0-4abf-90B2-2C7FD6791476}.exe	41
PID 2444 wrote to memory of 1808	2444	{0A91D4B4-D2F0-4abf-90B2-2C7FD6791476}.exe	41
PID 2444 wrote to memory of 1808	2444	{0A91D4B4-D2F0-4abf-90B2-2C7FD6791476}.exe	41
PID 2444 wrote to memory of 1808	2444	{0A91D4B4-D2F0-4abf-90B2-2C7FD6791476}.exe	41
PID 1756 wrote to memory of 2772	1756	{C623983F-6845-43af-8600-8C9675EE09C9}.exe	42
PID 1756 wrote to memory of 2772	1756	{C623983F-6845-43af-8600-8C9675EE09C9}.exe	42
PID 1756 wrote to memory of 2772	1756	{C623983F-6845-43af-8600-8C9675EE09C9}.exe	42
PID 1756 wrote to memory of 2772	1756	{C623983F-6845-43af-8600-8C9675EE09C9}.exe	42
PID 1756 wrote to memory of 2180	1756	{C623983F-6845-43af-8600-8C9675EE09C9}.exe	43
PID 1756 wrote to memory of 2180	1756	{C623983F-6845-43af-8600-8C9675EE09C9}.exe	43
PID 1756 wrote to memory of 2180	1756	{C623983F-6845-43af-8600-8C9675EE09C9}.exe	43
PID 1756 wrote to memory of 2180	1756	{C623983F-6845-43af-8600-8C9675EE09C9}.exe	43
PID 2772 wrote to memory of 2144	2772	{BF62BFF9-46B7-4588-9CC4-C609335034E0}.exe	44
PID 2772 wrote to memory of 2144	2772	{BF62BFF9-46B7-4588-9CC4-C609335034E0}.exe	44
PID 2772 wrote to memory of 2144	2772	{BF62BFF9-46B7-4588-9CC4-C609335034E0}.exe	44
PID 2772 wrote to memory of 2144	2772	{BF62BFF9-46B7-4588-9CC4-C609335034E0}.exe	44
PID 2772 wrote to memory of 2952	2772	{BF62BFF9-46B7-4588-9CC4-C609335034E0}.exe	45
PID 2772 wrote to memory of 2952	2772	{BF62BFF9-46B7-4588-9CC4-C609335034E0}.exe	45
PID 2772 wrote to memory of 2952	2772	{BF62BFF9-46B7-4588-9CC4-C609335034E0}.exe	45
PID 2772 wrote to memory of 2952	2772	{BF62BFF9-46B7-4588-9CC4-C609335034E0}.exe	45

C:\Users\Admin\AppData\Local\Temp\0b95975f27f2ea9ac103f806a2815920_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0b95975f27f2ea9ac103f806a2815920_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Windows\{C849F2EB-E346-43f2-AD2D-CDD37F1AB87F}.exe
  C:\Windows\{C849F2EB-E346-43f2-AD2D-CDD37F1AB87F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\{2FC23B46-F001-4444-8CE2-26F3EE509AEC}.exe
    C:\Windows\{2FC23B46-F001-4444-8CE2-26F3EE509AEC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\{13E5E497-4AA5-4636-8968-B5CF27A8C00D}.exe
      C:\Windows\{13E5E497-4AA5-4636-8968-B5CF27A8C00D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2148
    - - C:\Windows\{9C9C6DA0-6FB5-49c2-8366-8D79EA3E9C3A}.exe
        
        C:\Windows\{9C9C6DA0-6FB5-49c2-8366-8D79EA3E9C3A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
      - C:\Windows\{0A91D4B4-D2F0-4abf-90B2-2C7FD6791476}.exe
        
        C:\Windows\{0A91D4B4-D2F0-4abf-90B2-2C7FD6791476}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\{C623983F-6845-43af-8600-8C9675EE09C9}.exe
        
        C:\Windows\{C623983F-6845-43af-8600-8C9675EE09C9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\{BF62BFF9-46B7-4588-9CC4-C609335034E0}.exe
        
        C:\Windows\{BF62BFF9-46B7-4588-9CC4-C609335034E0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\{261D21F6-6F5C-4859-A27B-76620BA7E23C}.exe
        
        C:\Windows\{261D21F6-6F5C-4859-A27B-76620BA7E23C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
        
        C:\Windows\{F657FC52-19A8-4be6-A0C6-8623BEE9BD51}.exe
        
        C:\Windows\{F657FC52-19A8-4be6-A0C6-8623BEE9BD51}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Windows\{FE94AB31-77A7-4339-9D0E-EC917AAAD097}.exe
        
        C:\Windows\{FE94AB31-77A7-4339-9D0E-EC917AAAD097}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
        
        C:\Windows\{5AC24BFF-C6B8-4049-8C73-888DD47EBDA5}.exe
        
        C:\Windows\{5AC24BFF-C6B8-4049-8C73-888DD47EBDA5}.exe
        12⤵
        Executes dropped EXE
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE94A~1.EXE > nul
        12⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F657F~1.EXE > nul
        11⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{261D2~1.EXE > nul
        10⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF62B~1.EXE > nul
        9⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6239~1.EXE > nul
        8⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A91D~1.EXE > nul
        7⤵
        
        PID:1808
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C9C6~1.EXE > nul
        6⤵
        
        PID:1952
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13E5E~1.EXE > nul
        5⤵
        
        PID:2960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2FC23~1.EXE > nul
      4⤵
      PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C849F~1.EXE > nul
    3⤵
    PID:2692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0B9597~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A91D4B4-D2F0-4abf-90B2-2C7FD6791476}.exe

Filesize
98KB

MD5
f865acac99080e3b4107b248ea590ce7

SHA1
ddc25a4e2fc1050ceae4c6c735e8d78406a94fbe

SHA256
64b1e959ac73fb0344ceb5256d1ad92d56d6dc7ac0e3488ec37e80b132a9bbb5

SHA512
ef2ec67de069ce4543d90ac424aefcaf07e2d86263561fcfcf2236634bcb31762d168f1610eafc4a9ec9a1cd909df7291666265b7f257e0554cf0b23f9ba9763

Download Submit
C:\Windows\{13E5E497-4AA5-4636-8968-B5CF27A8C00D}.exe

Filesize
98KB

MD5
ed5fe08a08cafbca905eabd4fd8128cb

SHA1
37ebb1ce0a904b0d8582d86f1611007377d65b93

SHA256
78350a3f319eff9ebd2560d7650a4c7d2227690e816061d57bf3ae095c77ff40

SHA512
9f64008ec111265dfcb730d214233ec639f1d7b3921295fca513a3e398f1db2942d2038a9eccd3791815d16a6f4de42b1339567d3ed7d6377f73a0a930ddfac3

Download Submit
C:\Windows\{261D21F6-6F5C-4859-A27B-76620BA7E23C}.exe

Filesize
98KB

MD5
698a3c1c27785fbe51e20c3b64b6e695

SHA1
52d8e85b0eb601028c9313196389225643fade0a

SHA256
df9b0f33bda16d1b9b80c1e2a3eef20a38b631f26914645a930813758587795e

SHA512
077ff32008139b4e7c636188a0866b035916dc2649465a8bbcf8367a5d332b3a9f4bde49e0df1bb6c0291e8dd20b59a7e97ee338ed8d1a2ae8ee64285009fc40

Download Submit
C:\Windows\{2FC23B46-F001-4444-8CE2-26F3EE509AEC}.exe

Filesize
98KB

MD5
71ad665bd7a6e6f9bc666f89fabc2114

SHA1
4d4a35f085610d6f27a8408bf16f82c23a3c9ea1

SHA256
ad9776cc00979bd312714b7ad078e83996d94d0d9f3fe04838762a0b5f923866

SHA512
4c57ad4cdd88139192592e9f259aca443064d82cc8f86f745ec060e2a3ee31461bfd07106c5fe4f27726abce1bcf9ef6fd99441aa470dedb05225b718904717a

Download Submit
C:\Windows\{5AC24BFF-C6B8-4049-8C73-888DD47EBDA5}.exe

Filesize
98KB

MD5
b58a6416aed42dfd0b91672d7f5467f5

SHA1
448c8242567b0f50ad1105dec1068cd5e091f1f1

SHA256
112bc79f23d16d8d3e86e53f4603297fa32692bae035f923e805148701ba3f06

SHA512
e6cb8f33fe75cd00fad7e7aa14be05e21dc9fd85678c01a857e939ed111ea1763d8b859f9489ecb64f13990bfac8808e7f17dc558ed644ecd0f135af054fd0df

Download Submit
C:\Windows\{9C9C6DA0-6FB5-49c2-8366-8D79EA3E9C3A}.exe

Filesize
98KB

MD5
c01291466033436039e2c9ae4c86f572

SHA1
07b29b4417ef6a049475d02ea7d857a5ea6c2a94

SHA256
d47913331097283b7ca9b65265ee6243ba890027251eba0015d5479a6925b5af

SHA512
8ccf82b227c379d7b23af56be7a515256790685d94b1a2a292a77441daf02db9c70825bcac86fdb4220ac793ebeb32f9d4f4fdfa8002e7a7f99c603be6b75c5b

Download Submit
C:\Windows\{BF62BFF9-46B7-4588-9CC4-C609335034E0}.exe

Filesize
98KB

MD5
0da92abf6dcab1ccefaff0f167edb32a

SHA1
603b7bb2670a2d73ae5e4b075c04f76c9e706407

SHA256
632e3a6193c8406e0f29741e015a0e5cdf3455a8008b4ba1f46560ca1b5de621

SHA512
90035a3138f6c44a4b8eb362b78b0433a41a21296c61acfce5f566af8840e44c0612414b5ccf3382ebe1a21290f52841965dd0bbf43476d9b7d789de857e5898

Download Submit
C:\Windows\{C623983F-6845-43af-8600-8C9675EE09C9}.exe

Filesize
98KB

MD5
8602dfb6db33d8eb85a25ae44926d760

SHA1
1b213fe0ce927be6c4f07f478d5cea3812ecadc5

SHA256
6a163b860d889953ccd0d2ae5b7d04250fa23fa5f3e1ad34c9adfb9fede4c5bf

SHA512
498bf66cb424531295f57baede4ef5a711f07b2ac06447b2d3b866daa7baf14187f52b0288353cde2ac144731404d563b747a2a7d4d9d4097bfa98d3d182760a

Download Submit
C:\Windows\{C849F2EB-E346-43f2-AD2D-CDD37F1AB87F}.exe

Filesize
98KB

MD5
010f04e7129e56e58374219236695bdf

SHA1
e5d96b2889666175497c6432dfff6416ce07d184

SHA256
58660474cebf06ca832498de7bd55829a50f786cff51cf0e23aaa5b13b3daa3e

SHA512
b9215c8940575235b536f972e99e1165143c834b761127f2d63420c0114df7e673a2a2e7fffec5482220547b395f06b8c629e1518504aa5e40d12179e84451e8

Download Submit
C:\Windows\{F657FC52-19A8-4be6-A0C6-8623BEE9BD51}.exe

Filesize
98KB

MD5
79f71dedcb6da903e2ea2fb86b768f7d

SHA1
5a25d880d851e10fb414c5f330331f785dddc49a

SHA256
99df549e5e2d19854fbd325402450fb0f1471d5f51bfee1480329f0793239921

SHA512
72e462fa627eee56f6a95b47c2ede0bcf31d81d1019d20a91a76d4a78b6440e248c671f6b8e2c9a4359db2726fc8035417f59245e175f361d2a09b7c69a150a3

Download Submit
C:\Windows\{FE94AB31-77A7-4339-9D0E-EC917AAAD097}.exe

Filesize
98KB

MD5
04cab737bdde2a08ddda86c6e12a3918

SHA1
b67e9234de35880b665edcb407bfb9ad4dbc084b

SHA256
11aa0f137d5898f72ff7fd1338239248911c402c53ab5d05e47d472087645ca2

SHA512
a93894b84c1277b1043328502ccb6368a4d61106d497dc9e8b821c882b2b7821f7ac96761a5124b6019b46f043fb9b506e1b98d4a6b270c77ab2c37b91b08432

Download Submit
memory/1436-96-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1756-62-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1756-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1936-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1936-7-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/1936-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2064-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2064-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2144-80-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2144-73-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2148-34-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2324-89-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2444-45-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2444-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2524-41-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/2524-44-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2524-42-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/2608-26-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2608-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2772-67-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/2772-71-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2772-63-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads