696d62e69796c91a909ef32361aaf873ec09ec0a794e38239d05ca2f98343a27

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 00:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4ee3d706f41d3798e33494b3a97d9be0_NeikiAnalytics.exe
Size

92KB
MD5

4ee3d706f41d3798e33494b3a97d9be0
SHA1

e893bb6fc4994e59280631bc7bbcdc19707ad4d4
SHA256

696d62e69796c91a909ef32361aaf873ec09ec0a794e38239d05ca2f98343a27
SHA512

9a849d39ec61bc53db72598aaf88e8b61455ac381872e2c7695d44ce4f9d0e80938ab36ecc2343330e708839d19afdca436d7e4af22cbc327f42c716f542156e
SSDEEP

192:ubizawOs81elJHsc45sTcRZOgtShcWaOT2QLrCqwbY04/CFxyNhoy5tP:ubHwOs8AHsc4KMfwhKQLrod4/CFsrdP

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BCCA189-5206-440e-B4BC-719C6C312A8F}\stubpath = "C:\\Windows\\{8BCCA189-5206-440e-B4BC-719C6C312A8F}.exe"	{60F45C20-6B72-4f08-AAD0-FB482DB85D06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B5889C7-84AE-4f3e-B557-F3665B2B83B5}	{73F35E39-E78F-4ff1-BEE1-C8589F24B02C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30F5654D-5255-4433-9997-169D8A09884A}	{8B5889C7-84AE-4f3e-B557-F3665B2B83B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D5FAC7F-A409-410c-AD1D-A65E6B0CF826}\stubpath = "C:\\Windows\\{7D5FAC7F-A409-410c-AD1D-A65E6B0CF826}.exe"	{0BB773F8-CFE1-4a2e-84D8-790A96580638}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6716B8CC-3DBD-4db7-8600-A7AA873BEB0C}	{DBD288D9-A443-4156-B67B-A98839CE1F55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60F45C20-6B72-4f08-AAD0-FB482DB85D06}	4ee3d706f41d3798e33494b3a97d9be0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BCCA189-5206-440e-B4BC-719C6C312A8F}	{60F45C20-6B72-4f08-AAD0-FB482DB85D06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73F35E39-E78F-4ff1-BEE1-C8589F24B02C}	{8BCCA189-5206-440e-B4BC-719C6C312A8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BB773F8-CFE1-4a2e-84D8-790A96580638}\stubpath = "C:\\Windows\\{0BB773F8-CFE1-4a2e-84D8-790A96580638}.exe"	{EF73A3E1-8608-4248-B9A6-2DD4BD98E2FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF73A3E1-8608-4248-B9A6-2DD4BD98E2FC}	{3CA698A7-19CA-4efd-8989-B9DDB45A4156}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BB773F8-CFE1-4a2e-84D8-790A96580638}	{EF73A3E1-8608-4248-B9A6-2DD4BD98E2FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D5FAC7F-A409-410c-AD1D-A65E6B0CF826}	{0BB773F8-CFE1-4a2e-84D8-790A96580638}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBD288D9-A443-4156-B67B-A98839CE1F55}	{7D5FAC7F-A409-410c-AD1D-A65E6B0CF826}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60F45C20-6B72-4f08-AAD0-FB482DB85D06}\stubpath = "C:\\Windows\\{60F45C20-6B72-4f08-AAD0-FB482DB85D06}.exe"	4ee3d706f41d3798e33494b3a97d9be0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B5889C7-84AE-4f3e-B557-F3665B2B83B5}\stubpath = "C:\\Windows\\{8B5889C7-84AE-4f3e-B557-F3665B2B83B5}.exe"	{73F35E39-E78F-4ff1-BEE1-C8589F24B02C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30F5654D-5255-4433-9997-169D8A09884A}\stubpath = "C:\\Windows\\{30F5654D-5255-4433-9997-169D8A09884A}.exe"	{8B5889C7-84AE-4f3e-B557-F3665B2B83B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CA698A7-19CA-4efd-8989-B9DDB45A4156}	{30F5654D-5255-4433-9997-169D8A09884A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6716B8CC-3DBD-4db7-8600-A7AA873BEB0C}\stubpath = "C:\\Windows\\{6716B8CC-3DBD-4db7-8600-A7AA873BEB0C}.exe"	{DBD288D9-A443-4156-B67B-A98839CE1F55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73F35E39-E78F-4ff1-BEE1-C8589F24B02C}\stubpath = "C:\\Windows\\{73F35E39-E78F-4ff1-BEE1-C8589F24B02C}.exe"	{8BCCA189-5206-440e-B4BC-719C6C312A8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CA698A7-19CA-4efd-8989-B9DDB45A4156}\stubpath = "C:\\Windows\\{3CA698A7-19CA-4efd-8989-B9DDB45A4156}.exe"	{30F5654D-5255-4433-9997-169D8A09884A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF73A3E1-8608-4248-B9A6-2DD4BD98E2FC}\stubpath = "C:\\Windows\\{EF73A3E1-8608-4248-B9A6-2DD4BD98E2FC}.exe"	{3CA698A7-19CA-4efd-8989-B9DDB45A4156}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DBD288D9-A443-4156-B67B-A98839CE1F55}\stubpath = "C:\\Windows\\{DBD288D9-A443-4156-B67B-A98839CE1F55}.exe"	{7D5FAC7F-A409-410c-AD1D-A65E6B0CF826}.exe

Deletes itself 1 IoCs

pid	Process
2940	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2892	{60F45C20-6B72-4f08-AAD0-FB482DB85D06}.exe
2680	{8BCCA189-5206-440e-B4BC-719C6C312A8F}.exe
2804	{73F35E39-E78F-4ff1-BEE1-C8589F24B02C}.exe
2428	{8B5889C7-84AE-4f3e-B557-F3665B2B83B5}.exe
2760	{30F5654D-5255-4433-9997-169D8A09884A}.exe
1708	{3CA698A7-19CA-4efd-8989-B9DDB45A4156}.exe
1812	{EF73A3E1-8608-4248-B9A6-2DD4BD98E2FC}.exe
1500	{0BB773F8-CFE1-4a2e-84D8-790A96580638}.exe
2032	{7D5FAC7F-A409-410c-AD1D-A65E6B0CF826}.exe
776	{DBD288D9-A443-4156-B67B-A98839CE1F55}.exe
2528	{6716B8CC-3DBD-4db7-8600-A7AA873BEB0C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{3CA698A7-19CA-4efd-8989-B9DDB45A4156}.exe	{30F5654D-5255-4433-9997-169D8A09884A}.exe
File created	C:\Windows\{EF73A3E1-8608-4248-B9A6-2DD4BD98E2FC}.exe	{3CA698A7-19CA-4efd-8989-B9DDB45A4156}.exe
File created	C:\Windows\{7D5FAC7F-A409-410c-AD1D-A65E6B0CF826}.exe	{0BB773F8-CFE1-4a2e-84D8-790A96580638}.exe
File created	C:\Windows\{6716B8CC-3DBD-4db7-8600-A7AA873BEB0C}.exe	{DBD288D9-A443-4156-B67B-A98839CE1F55}.exe
File created	C:\Windows\{73F35E39-E78F-4ff1-BEE1-C8589F24B02C}.exe	{8BCCA189-5206-440e-B4BC-719C6C312A8F}.exe
File created	C:\Windows\{30F5654D-5255-4433-9997-169D8A09884A}.exe	{8B5889C7-84AE-4f3e-B557-F3665B2B83B5}.exe
File created	C:\Windows\{8B5889C7-84AE-4f3e-B557-F3665B2B83B5}.exe	{73F35E39-E78F-4ff1-BEE1-C8589F24B02C}.exe
File created	C:\Windows\{0BB773F8-CFE1-4a2e-84D8-790A96580638}.exe	{EF73A3E1-8608-4248-B9A6-2DD4BD98E2FC}.exe
File created	C:\Windows\{DBD288D9-A443-4156-B67B-A98839CE1F55}.exe	{7D5FAC7F-A409-410c-AD1D-A65E6B0CF826}.exe
File created	C:\Windows\{60F45C20-6B72-4f08-AAD0-FB482DB85D06}.exe	4ee3d706f41d3798e33494b3a97d9be0_NeikiAnalytics.exe
File created	C:\Windows\{8BCCA189-5206-440e-B4BC-719C6C312A8F}.exe	{60F45C20-6B72-4f08-AAD0-FB482DB85D06}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2136	4ee3d706f41d3798e33494b3a97d9be0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2892	{60F45C20-6B72-4f08-AAD0-FB482DB85D06}.exe
Token: SeIncBasePriorityPrivilege	2680	{8BCCA189-5206-440e-B4BC-719C6C312A8F}.exe
Token: SeIncBasePriorityPrivilege	2804	{73F35E39-E78F-4ff1-BEE1-C8589F24B02C}.exe
Token: SeIncBasePriorityPrivilege	2428	{8B5889C7-84AE-4f3e-B557-F3665B2B83B5}.exe
Token: SeIncBasePriorityPrivilege	2760	{30F5654D-5255-4433-9997-169D8A09884A}.exe
Token: SeIncBasePriorityPrivilege	1708	{3CA698A7-19CA-4efd-8989-B9DDB45A4156}.exe
Token: SeIncBasePriorityPrivilege	1812	{EF73A3E1-8608-4248-B9A6-2DD4BD98E2FC}.exe
Token: SeIncBasePriorityPrivilege	1500	{0BB773F8-CFE1-4a2e-84D8-790A96580638}.exe
Token: SeIncBasePriorityPrivilege	2032	{7D5FAC7F-A409-410c-AD1D-A65E6B0CF826}.exe
Token: SeIncBasePriorityPrivilege	776	{DBD288D9-A443-4156-B67B-A98839CE1F55}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2892	2136	4ee3d706f41d3798e33494b3a97d9be0_NeikiAnalytics.exe	29
PID 2136 wrote to memory of 2892	2136	4ee3d706f41d3798e33494b3a97d9be0_NeikiAnalytics.exe	29
PID 2136 wrote to memory of 2892	2136	4ee3d706f41d3798e33494b3a97d9be0_NeikiAnalytics.exe	29
PID 2136 wrote to memory of 2892	2136	4ee3d706f41d3798e33494b3a97d9be0_NeikiAnalytics.exe	29
PID 2136 wrote to memory of 2940	2136	4ee3d706f41d3798e33494b3a97d9be0_NeikiAnalytics.exe	30
PID 2136 wrote to memory of 2940	2136	4ee3d706f41d3798e33494b3a97d9be0_NeikiAnalytics.exe	30
PID 2136 wrote to memory of 2940	2136	4ee3d706f41d3798e33494b3a97d9be0_NeikiAnalytics.exe	30
PID 2136 wrote to memory of 2940	2136	4ee3d706f41d3798e33494b3a97d9be0_NeikiAnalytics.exe	30
PID 2892 wrote to memory of 2680	2892	{60F45C20-6B72-4f08-AAD0-FB482DB85D06}.exe	31
PID 2892 wrote to memory of 2680	2892	{60F45C20-6B72-4f08-AAD0-FB482DB85D06}.exe	31
PID 2892 wrote to memory of 2680	2892	{60F45C20-6B72-4f08-AAD0-FB482DB85D06}.exe	31
PID 2892 wrote to memory of 2680	2892	{60F45C20-6B72-4f08-AAD0-FB482DB85D06}.exe	31
PID 2892 wrote to memory of 2624	2892	{60F45C20-6B72-4f08-AAD0-FB482DB85D06}.exe	32
PID 2892 wrote to memory of 2624	2892	{60F45C20-6B72-4f08-AAD0-FB482DB85D06}.exe	32
PID 2892 wrote to memory of 2624	2892	{60F45C20-6B72-4f08-AAD0-FB482DB85D06}.exe	32
PID 2892 wrote to memory of 2624	2892	{60F45C20-6B72-4f08-AAD0-FB482DB85D06}.exe	32
PID 2680 wrote to memory of 2804	2680	{8BCCA189-5206-440e-B4BC-719C6C312A8F}.exe	33
PID 2680 wrote to memory of 2804	2680	{8BCCA189-5206-440e-B4BC-719C6C312A8F}.exe	33
PID 2680 wrote to memory of 2804	2680	{8BCCA189-5206-440e-B4BC-719C6C312A8F}.exe	33
PID 2680 wrote to memory of 2804	2680	{8BCCA189-5206-440e-B4BC-719C6C312A8F}.exe	33
PID 2680 wrote to memory of 2604	2680	{8BCCA189-5206-440e-B4BC-719C6C312A8F}.exe	34
PID 2680 wrote to memory of 2604	2680	{8BCCA189-5206-440e-B4BC-719C6C312A8F}.exe	34
PID 2680 wrote to memory of 2604	2680	{8BCCA189-5206-440e-B4BC-719C6C312A8F}.exe	34
PID 2680 wrote to memory of 2604	2680	{8BCCA189-5206-440e-B4BC-719C6C312A8F}.exe	34
PID 2804 wrote to memory of 2428	2804	{73F35E39-E78F-4ff1-BEE1-C8589F24B02C}.exe	37
PID 2804 wrote to memory of 2428	2804	{73F35E39-E78F-4ff1-BEE1-C8589F24B02C}.exe	37
PID 2804 wrote to memory of 2428	2804	{73F35E39-E78F-4ff1-BEE1-C8589F24B02C}.exe	37
PID 2804 wrote to memory of 2428	2804	{73F35E39-E78F-4ff1-BEE1-C8589F24B02C}.exe	37
PID 2804 wrote to memory of 2424	2804	{73F35E39-E78F-4ff1-BEE1-C8589F24B02C}.exe	38
PID 2804 wrote to memory of 2424	2804	{73F35E39-E78F-4ff1-BEE1-C8589F24B02C}.exe	38
PID 2804 wrote to memory of 2424	2804	{73F35E39-E78F-4ff1-BEE1-C8589F24B02C}.exe	38
PID 2804 wrote to memory of 2424	2804	{73F35E39-E78F-4ff1-BEE1-C8589F24B02C}.exe	38
PID 2428 wrote to memory of 2760	2428	{8B5889C7-84AE-4f3e-B557-F3665B2B83B5}.exe	39
PID 2428 wrote to memory of 2760	2428	{8B5889C7-84AE-4f3e-B557-F3665B2B83B5}.exe	39
PID 2428 wrote to memory of 2760	2428	{8B5889C7-84AE-4f3e-B557-F3665B2B83B5}.exe	39
PID 2428 wrote to memory of 2760	2428	{8B5889C7-84AE-4f3e-B557-F3665B2B83B5}.exe	39
PID 2428 wrote to memory of 2192	2428	{8B5889C7-84AE-4f3e-B557-F3665B2B83B5}.exe	40
PID 2428 wrote to memory of 2192	2428	{8B5889C7-84AE-4f3e-B557-F3665B2B83B5}.exe	40
PID 2428 wrote to memory of 2192	2428	{8B5889C7-84AE-4f3e-B557-F3665B2B83B5}.exe	40
PID 2428 wrote to memory of 2192	2428	{8B5889C7-84AE-4f3e-B557-F3665B2B83B5}.exe	40
PID 2760 wrote to memory of 1708	2760	{30F5654D-5255-4433-9997-169D8A09884A}.exe	41
PID 2760 wrote to memory of 1708	2760	{30F5654D-5255-4433-9997-169D8A09884A}.exe	41
PID 2760 wrote to memory of 1708	2760	{30F5654D-5255-4433-9997-169D8A09884A}.exe	41
PID 2760 wrote to memory of 1708	2760	{30F5654D-5255-4433-9997-169D8A09884A}.exe	41
PID 2760 wrote to memory of 1364	2760	{30F5654D-5255-4433-9997-169D8A09884A}.exe	42
PID 2760 wrote to memory of 1364	2760	{30F5654D-5255-4433-9997-169D8A09884A}.exe	42
PID 2760 wrote to memory of 1364	2760	{30F5654D-5255-4433-9997-169D8A09884A}.exe	42
PID 2760 wrote to memory of 1364	2760	{30F5654D-5255-4433-9997-169D8A09884A}.exe	42
PID 1708 wrote to memory of 1812	1708	{3CA698A7-19CA-4efd-8989-B9DDB45A4156}.exe	43
PID 1708 wrote to memory of 1812	1708	{3CA698A7-19CA-4efd-8989-B9DDB45A4156}.exe	43
PID 1708 wrote to memory of 1812	1708	{3CA698A7-19CA-4efd-8989-B9DDB45A4156}.exe	43
PID 1708 wrote to memory of 1812	1708	{3CA698A7-19CA-4efd-8989-B9DDB45A4156}.exe	43
PID 1708 wrote to memory of 2348	1708	{3CA698A7-19CA-4efd-8989-B9DDB45A4156}.exe	44
PID 1708 wrote to memory of 2348	1708	{3CA698A7-19CA-4efd-8989-B9DDB45A4156}.exe	44
PID 1708 wrote to memory of 2348	1708	{3CA698A7-19CA-4efd-8989-B9DDB45A4156}.exe	44
PID 1708 wrote to memory of 2348	1708	{3CA698A7-19CA-4efd-8989-B9DDB45A4156}.exe	44
PID 1812 wrote to memory of 1500	1812	{EF73A3E1-8608-4248-B9A6-2DD4BD98E2FC}.exe	45
PID 1812 wrote to memory of 1500	1812	{EF73A3E1-8608-4248-B9A6-2DD4BD98E2FC}.exe	45
PID 1812 wrote to memory of 1500	1812	{EF73A3E1-8608-4248-B9A6-2DD4BD98E2FC}.exe	45
PID 1812 wrote to memory of 1500	1812	{EF73A3E1-8608-4248-B9A6-2DD4BD98E2FC}.exe	45
PID 1812 wrote to memory of 2564	1812	{EF73A3E1-8608-4248-B9A6-2DD4BD98E2FC}.exe	46
PID 1812 wrote to memory of 2564	1812	{EF73A3E1-8608-4248-B9A6-2DD4BD98E2FC}.exe	46
PID 1812 wrote to memory of 2564	1812	{EF73A3E1-8608-4248-B9A6-2DD4BD98E2FC}.exe	46
PID 1812 wrote to memory of 2564	1812	{EF73A3E1-8608-4248-B9A6-2DD4BD98E2FC}.exe	46

C:\Users\Admin\AppData\Local\Temp\4ee3d706f41d3798e33494b3a97d9be0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4ee3d706f41d3798e33494b3a97d9be0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\{60F45C20-6B72-4f08-AAD0-FB482DB85D06}.exe
  C:\Windows\{60F45C20-6B72-4f08-AAD0-FB482DB85D06}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\{8BCCA189-5206-440e-B4BC-719C6C312A8F}.exe
    C:\Windows\{8BCCA189-5206-440e-B4BC-719C6C312A8F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\{73F35E39-E78F-4ff1-BEE1-C8589F24B02C}.exe
      C:\Windows\{73F35E39-E78F-4ff1-BEE1-C8589F24B02C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Windows\{8B5889C7-84AE-4f3e-B557-F3665B2B83B5}.exe
        
        C:\Windows\{8B5889C7-84AE-4f3e-B557-F3665B2B83B5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2428
      - C:\Windows\{30F5654D-5255-4433-9997-169D8A09884A}.exe
        
        C:\Windows\{30F5654D-5255-4433-9997-169D8A09884A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\{3CA698A7-19CA-4efd-8989-B9DDB45A4156}.exe
        
        C:\Windows\{3CA698A7-19CA-4efd-8989-B9DDB45A4156}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\{EF73A3E1-8608-4248-B9A6-2DD4BD98E2FC}.exe
        
        C:\Windows\{EF73A3E1-8608-4248-B9A6-2DD4BD98E2FC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\{0BB773F8-CFE1-4a2e-84D8-790A96580638}.exe
        
        C:\Windows\{0BB773F8-CFE1-4a2e-84D8-790A96580638}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
        
        C:\Windows\{7D5FAC7F-A409-410c-AD1D-A65E6B0CF826}.exe
        
        C:\Windows\{7D5FAC7F-A409-410c-AD1D-A65E6B0CF826}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\{DBD288D9-A443-4156-B67B-A98839CE1F55}.exe
        
        C:\Windows\{DBD288D9-A443-4156-B67B-A98839CE1F55}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:776
        
        C:\Windows\{6716B8CC-3DBD-4db7-8600-A7AA873BEB0C}.exe
        
        C:\Windows\{6716B8CC-3DBD-4db7-8600-A7AA873BEB0C}.exe
        12⤵
        Executes dropped EXE
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DBD28~1.EXE > nul
        12⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D5FA~1.EXE > nul
        11⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0BB77~1.EXE > nul
        10⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF73A~1.EXE > nul
        9⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3CA69~1.EXE > nul
        8⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30F56~1.EXE > nul
        7⤵
        
        PID:1364
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B588~1.EXE > nul
        6⤵
        
        PID:2192
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73F35~1.EXE > nul
        5⤵
        
        PID:2424
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8BCCA~1.EXE > nul
      4⤵
      PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{60F45~1.EXE > nul
    3⤵
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4EE3D7~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0BB773F8-CFE1-4a2e-84D8-790A96580638}.exe

Filesize
92KB

MD5
f62da345e93448dd11aabe9279984553

SHA1
384a6394b2ebe573f5abb291aa5b2ef1bbe273c1

SHA256
7aaf17b072f66b4340b887cf4404ac2f552a617d121ebbb6d81064a92533afb8

SHA512
4d23a5b70315a03db596b4322f3194c9898a0eaed2913f5b9eda7c3d962c9251f437371a2ca97eaaf08c9d336c683d0cc4a8748c77162d5cbd051169c056ec99

Download Submit
C:\Windows\{30F5654D-5255-4433-9997-169D8A09884A}.exe

Filesize
92KB

MD5
7a2fe1757c90b9ef45f18c3a8adf565b

SHA1
39325f1938be383fab24bc6b0c84f809f1a41070

SHA256
a3bc38b7f53b9ee84c78aa4b71c343d8114c5f9c8634e58dad44d3cc5eeea42e

SHA512
f2ca8a8cc4a8ce9eff1f4fbd48d51deebe63ddfdbc6d81b9228dd75b54c47816c0b22640b0b0e8a72355a2293841c1df0d14d6fbb45f32831d4d5df5579b7396

Download Submit
C:\Windows\{3CA698A7-19CA-4efd-8989-B9DDB45A4156}.exe

Filesize
92KB

MD5
e9752b97c5d83015d4485aab17084dd9

SHA1
fad4b3b871e7959adc5dd164dbc1e6a575fcc646

SHA256
f0d46c1f2988a2cfdb762e46ecef80464c1a1837544b994a7048993f9e4a7dc7

SHA512
ed7995eff6e00201f4a2aabaf2431938f893bbc99e63029675775df536e40ded92cc51f7818f46ae90e21d0db974456f13004171dbf733ae0b74c1e26ba3238f

Download Submit
C:\Windows\{60F45C20-6B72-4f08-AAD0-FB482DB85D06}.exe

Filesize
92KB

MD5
8ff9d9762649b5aa1c36afb23449dc80

SHA1
c1abe68097866e941d48542d5c47489e01348174

SHA256
4a79bc7e6c433946fda7bdbbb36f1f01ccfe0ae3cea24f65b0ade784ca5e77b2

SHA512
1af030ac65dcc755d51aca912f4706136397d51e5fb3798d8e38beba43a752475ddba4d9b21c1dbb235f219fc45c2bd9d3d1ed82791da96a1689f1bda5443370

Download Submit
C:\Windows\{6716B8CC-3DBD-4db7-8600-A7AA873BEB0C}.exe

Filesize
92KB

MD5
664d350b0b9e6d3683ec22047614cac7

SHA1
b6710bdaf009e8ef9c3bd551ac5597001e0ffb70

SHA256
e1e008dbeaa2e3a2a432877e14594530bead715405bfc993002752457542db2e

SHA512
0c95550422000c809ef86993297b3ae6a9bb9b00bd388fdf2d6f01906751765b0ee550e1dd8fb0daaac00df1fe19b40e375ed84ada137cc7b1cf5b68a620224f

Download Submit
C:\Windows\{73F35E39-E78F-4ff1-BEE1-C8589F24B02C}.exe

Filesize
92KB

MD5
0afc931a985e1a782b27d14bc2d15837

SHA1
412e4ed2f3a5a8cd627868ecd98f5ddfc106b471

SHA256
3f7df483e70518d232ef6400f4b9863a24712b91ce0789902703eee84ef81ea7

SHA512
0de01f51d599b01e70f17eadb6e1f5c2b6a3299eb6e0c4d60ac53fe74194876e560c378c0a9f06a4ac8971d40caa9e909411c80a83832aaca94dd2f23721d175

Download Submit
C:\Windows\{7D5FAC7F-A409-410c-AD1D-A65E6B0CF826}.exe

Filesize
92KB

MD5
9fbdb93c2a96992a37bad5a1a48b7fd7

SHA1
e98a59b4e0a4ee22d21d563468d7fed744299359

SHA256
2de00b9002916f291b1ce82fa6a8e5475e1716ee5614d8cfd478941c886f5e60

SHA512
12ad82ddd023fd548a9bf6cc16eb5297ce387a39c1d533e3eef45283269959e8452c2dc90589ba7c3c1af18fb2a23e97cf01f655c6802737da38cdb88ebf211e

Download Submit
C:\Windows\{8B5889C7-84AE-4f3e-B557-F3665B2B83B5}.exe

Filesize
92KB

MD5
e519b9e2d21ea9c97b9eb91cd8d8c88a

SHA1
359208b5fa600f2a624b2bce8fb69d3f9bed2084

SHA256
c4630e86915980e0d25d66c5f709b3b07e1a48f98c8bc08ef61b3fdf9beecddd

SHA512
e84641b4a518b8f9a839df594c4dcc2461ef07cb951b1b0b896055b0d3dbc4f6c8fb3e22e1832227a0d1d7d9e6efe738e32c22722fc54c7fba61908aa7811d92

Download Submit
C:\Windows\{8BCCA189-5206-440e-B4BC-719C6C312A8F}.exe

Filesize
92KB

MD5
379d4e48ab54ee05e36362011d6434a9

SHA1
0c7081ab32b47630e9caa9517d03ac6cd5cd0dac

SHA256
4f949fadd6316c2a8922fbd0eac6fe4b9276ff28f968bfa2e9c9d0809b9578b5

SHA512
3ae0fe35a4e6175350232866275c6d9f35c94b632fb30c7083df5f486c1af2cf47519f89735f63e067be1deb70841d27c419f3d1a2da01e1e6059c765a25c91f

Download Submit
C:\Windows\{DBD288D9-A443-4156-B67B-A98839CE1F55}.exe

Filesize
92KB

MD5
6f66342ec1fbda8ee44e011009f6622e

SHA1
aa683e63329b3d3c7d4d1f0747d37158030ac644

SHA256
f6f914990f0af3e2980d61559b06316e8fc47e81d9140737f28f5fbdb93facac

SHA512
6ab46e1277ed4218f58ecb3f868be5b0bc9a024fcc7a8a91856abd1e982967154bcbfcf479487959f16b5735e91c1d99cff313af6c98cb33a873f7901b7b7863

Download Submit
C:\Windows\{EF73A3E1-8608-4248-B9A6-2DD4BD98E2FC}.exe

Filesize
92KB

MD5
9f38fb65434219f1a0fd27828d54ff4a

SHA1
686f66ce211d8ae9c7773ef3f78dec9e98f7a2c5

SHA256
b8f7925342b34d388a84e1374c72c8bb1edbb9f5a1647e0f52ac3549bc001721

SHA512
c87c9ade7b4a66389f9b5f5fb1515d9f97ce6baa746cdf9847456d1c707c38d7aaeedbc1a0e062d7f62179cc9d4329216c491135ec5afd3e756460be83bef2e5

Download Submit
memory/776-99-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/776-91-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1500-82-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1500-74-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1708-57-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1708-65-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1812-72-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2032-90-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2136-9-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2136-7-0x0000000000290000-0x00000000002A7000-memory.dmp

Filesize
92KB

Download
memory/2136-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2428-46-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2428-39-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2680-26-0x00000000005B0000-0x00000000005C7000-memory.dmp

Filesize
92KB

Download
memory/2680-19-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2680-27-0x00000000005B0000-0x00000000005C7000-memory.dmp

Filesize
92KB

Download
memory/2680-29-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2760-56-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2760-48-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2804-30-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2804-37-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2892-17-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2892-13-0x00000000002A0000-0x00000000002B7000-memory.dmp

Filesize
92KB

Download
memory/2892-8-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads