abf139494d21ed67996d0ddf1d0b2e1fc2e5e8c0ec973d941e2a50dc2120198c

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 02:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6168d949d195617e81781856b621b650_NeikiAnalytics.exe
Size

90KB
MD5

6168d949d195617e81781856b621b650
SHA1

54bc0ea51de5e4f3534e1504a203351e0879f450
SHA256

abf139494d21ed67996d0ddf1d0b2e1fc2e5e8c0ec973d941e2a50dc2120198c
SHA512

5de03cc1e3ae24546800778aa02b55666b744bec55c1f026c29519dca37bacad3b1177ac0cf733fc971200abcdf40bc7cb70025255919f9ccba91290b67048f2
SSDEEP

768:50w981IshKQLro34/wQozzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzv:CEGI0o3lVunMxVS3c

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{483D146B-E0B1-4cda-82BB-002B577EE822}\stubpath = "C:\\Windows\\{483D146B-E0B1-4cda-82BB-002B577EE822}.exe"	{D0780C88-E77B-465c-BD32-F1CF135465BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BB51CAF-404B-4d7c-92C1-225B09437676}\stubpath = "C:\\Windows\\{9BB51CAF-404B-4d7c-92C1-225B09437676}.exe"	{483D146B-E0B1-4cda-82BB-002B577EE822}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AF41D00-BDDD-4c53-BCA7-44B168B8B0A9}	{9BB51CAF-404B-4d7c-92C1-225B09437676}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C23C9C45-A17B-4e31-9EF3-D8FB09985F10}	{47444159-3245-495c-8E88-5D76D26899C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCBA2801-8085-4de6-B4BC-5437BD0164D6}	{C23C9C45-A17B-4e31-9EF3-D8FB09985F10}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F1FD586-1BB1-48b0-B069-922526567CD2}	{95508F21-1393-40c4-9B11-AC7649060222}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE6CF74A-21C3-436b-B970-DCF82D2C7B1B}	6168d949d195617e81781856b621b650_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0780C88-E77B-465c-BD32-F1CF135465BD}\stubpath = "C:\\Windows\\{D0780C88-E77B-465c-BD32-F1CF135465BD}.exe"	{AE6CF74A-21C3-436b-B970-DCF82D2C7B1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{483D146B-E0B1-4cda-82BB-002B577EE822}	{D0780C88-E77B-465c-BD32-F1CF135465BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BB51CAF-404B-4d7c-92C1-225B09437676}	{483D146B-E0B1-4cda-82BB-002B577EE822}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47444159-3245-495c-8E88-5D76D26899C2}	{4AF41D00-BDDD-4c53-BCA7-44B168B8B0A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{47444159-3245-495c-8E88-5D76D26899C2}\stubpath = "C:\\Windows\\{47444159-3245-495c-8E88-5D76D26899C2}.exe"	{4AF41D00-BDDD-4c53-BCA7-44B168B8B0A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BCBA2801-8085-4de6-B4BC-5437BD0164D6}\stubpath = "C:\\Windows\\{BCBA2801-8085-4de6-B4BC-5437BD0164D6}.exe"	{C23C9C45-A17B-4e31-9EF3-D8FB09985F10}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE6CF74A-21C3-436b-B970-DCF82D2C7B1B}\stubpath = "C:\\Windows\\{AE6CF74A-21C3-436b-B970-DCF82D2C7B1B}.exe"	6168d949d195617e81781856b621b650_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0780C88-E77B-465c-BD32-F1CF135465BD}	{AE6CF74A-21C3-436b-B970-DCF82D2C7B1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C23C9C45-A17B-4e31-9EF3-D8FB09985F10}\stubpath = "C:\\Windows\\{C23C9C45-A17B-4e31-9EF3-D8FB09985F10}.exe"	{47444159-3245-495c-8E88-5D76D26899C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4AF41D00-BDDD-4c53-BCA7-44B168B8B0A9}\stubpath = "C:\\Windows\\{4AF41D00-BDDD-4c53-BCA7-44B168B8B0A9}.exe"	{9BB51CAF-404B-4d7c-92C1-225B09437676}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D97BFEF-A564-40b1-ABA1-D40814B0C9DE}	{BCBA2801-8085-4de6-B4BC-5437BD0164D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D97BFEF-A564-40b1-ABA1-D40814B0C9DE}\stubpath = "C:\\Windows\\{9D97BFEF-A564-40b1-ABA1-D40814B0C9DE}.exe"	{BCBA2801-8085-4de6-B4BC-5437BD0164D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95508F21-1393-40c4-9B11-AC7649060222}	{9D97BFEF-A564-40b1-ABA1-D40814B0C9DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95508F21-1393-40c4-9B11-AC7649060222}\stubpath = "C:\\Windows\\{95508F21-1393-40c4-9B11-AC7649060222}.exe"	{9D97BFEF-A564-40b1-ABA1-D40814B0C9DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F1FD586-1BB1-48b0-B069-922526567CD2}\stubpath = "C:\\Windows\\{6F1FD586-1BB1-48b0-B069-922526567CD2}.exe"	{95508F21-1393-40c4-9B11-AC7649060222}.exe

Deletes itself 1 IoCs

pid	Process
2596	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3032	{AE6CF74A-21C3-436b-B970-DCF82D2C7B1B}.exe
3048	{D0780C88-E77B-465c-BD32-F1CF135465BD}.exe
2568	{483D146B-E0B1-4cda-82BB-002B577EE822}.exe
2524	{9BB51CAF-404B-4d7c-92C1-225B09437676}.exe
1752	{4AF41D00-BDDD-4c53-BCA7-44B168B8B0A9}.exe
1436	{47444159-3245-495c-8E88-5D76D26899C2}.exe
836	{C23C9C45-A17B-4e31-9EF3-D8FB09985F10}.exe
3016	{BCBA2801-8085-4de6-B4BC-5437BD0164D6}.exe
2852	{9D97BFEF-A564-40b1-ABA1-D40814B0C9DE}.exe
1056	{95508F21-1393-40c4-9B11-AC7649060222}.exe
1096	{6F1FD586-1BB1-48b0-B069-922526567CD2}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C23C9C45-A17B-4e31-9EF3-D8FB09985F10}.exe	{47444159-3245-495c-8E88-5D76D26899C2}.exe
File created	C:\Windows\{BCBA2801-8085-4de6-B4BC-5437BD0164D6}.exe	{C23C9C45-A17B-4e31-9EF3-D8FB09985F10}.exe
File created	C:\Windows\{9D97BFEF-A564-40b1-ABA1-D40814B0C9DE}.exe	{BCBA2801-8085-4de6-B4BC-5437BD0164D6}.exe
File created	C:\Windows\{D0780C88-E77B-465c-BD32-F1CF135465BD}.exe	{AE6CF74A-21C3-436b-B970-DCF82D2C7B1B}.exe
File created	C:\Windows\{483D146B-E0B1-4cda-82BB-002B577EE822}.exe	{D0780C88-E77B-465c-BD32-F1CF135465BD}.exe
File created	C:\Windows\{9BB51CAF-404B-4d7c-92C1-225B09437676}.exe	{483D146B-E0B1-4cda-82BB-002B577EE822}.exe
File created	C:\Windows\{95508F21-1393-40c4-9B11-AC7649060222}.exe	{9D97BFEF-A564-40b1-ABA1-D40814B0C9DE}.exe
File created	C:\Windows\{6F1FD586-1BB1-48b0-B069-922526567CD2}.exe	{95508F21-1393-40c4-9B11-AC7649060222}.exe
File created	C:\Windows\{AE6CF74A-21C3-436b-B970-DCF82D2C7B1B}.exe	6168d949d195617e81781856b621b650_NeikiAnalytics.exe
File created	C:\Windows\{4AF41D00-BDDD-4c53-BCA7-44B168B8B0A9}.exe	{9BB51CAF-404B-4d7c-92C1-225B09437676}.exe
File created	C:\Windows\{47444159-3245-495c-8E88-5D76D26899C2}.exe	{4AF41D00-BDDD-4c53-BCA7-44B168B8B0A9}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2236	6168d949d195617e81781856b621b650_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	3032	{AE6CF74A-21C3-436b-B970-DCF82D2C7B1B}.exe
Token: SeIncBasePriorityPrivilege	3048	{D0780C88-E77B-465c-BD32-F1CF135465BD}.exe
Token: SeIncBasePriorityPrivilege	2568	{483D146B-E0B1-4cda-82BB-002B577EE822}.exe
Token: SeIncBasePriorityPrivilege	2524	{9BB51CAF-404B-4d7c-92C1-225B09437676}.exe
Token: SeIncBasePriorityPrivilege	1752	{4AF41D00-BDDD-4c53-BCA7-44B168B8B0A9}.exe
Token: SeIncBasePriorityPrivilege	1436	{47444159-3245-495c-8E88-5D76D26899C2}.exe
Token: SeIncBasePriorityPrivilege	836	{C23C9C45-A17B-4e31-9EF3-D8FB09985F10}.exe
Token: SeIncBasePriorityPrivilege	3016	{BCBA2801-8085-4de6-B4BC-5437BD0164D6}.exe
Token: SeIncBasePriorityPrivilege	2852	{9D97BFEF-A564-40b1-ABA1-D40814B0C9DE}.exe
Token: SeIncBasePriorityPrivilege	1056	{95508F21-1393-40c4-9B11-AC7649060222}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 3032	2236	6168d949d195617e81781856b621b650_NeikiAnalytics.exe	28
PID 2236 wrote to memory of 3032	2236	6168d949d195617e81781856b621b650_NeikiAnalytics.exe	28
PID 2236 wrote to memory of 3032	2236	6168d949d195617e81781856b621b650_NeikiAnalytics.exe	28
PID 2236 wrote to memory of 3032	2236	6168d949d195617e81781856b621b650_NeikiAnalytics.exe	28
PID 2236 wrote to memory of 2596	2236	6168d949d195617e81781856b621b650_NeikiAnalytics.exe	29
PID 2236 wrote to memory of 2596	2236	6168d949d195617e81781856b621b650_NeikiAnalytics.exe	29
PID 2236 wrote to memory of 2596	2236	6168d949d195617e81781856b621b650_NeikiAnalytics.exe	29
PID 2236 wrote to memory of 2596	2236	6168d949d195617e81781856b621b650_NeikiAnalytics.exe	29
PID 3032 wrote to memory of 3048	3032	{AE6CF74A-21C3-436b-B970-DCF82D2C7B1B}.exe	30
PID 3032 wrote to memory of 3048	3032	{AE6CF74A-21C3-436b-B970-DCF82D2C7B1B}.exe	30
PID 3032 wrote to memory of 3048	3032	{AE6CF74A-21C3-436b-B970-DCF82D2C7B1B}.exe	30
PID 3032 wrote to memory of 3048	3032	{AE6CF74A-21C3-436b-B970-DCF82D2C7B1B}.exe	30
PID 3032 wrote to memory of 2732	3032	{AE6CF74A-21C3-436b-B970-DCF82D2C7B1B}.exe	31
PID 3032 wrote to memory of 2732	3032	{AE6CF74A-21C3-436b-B970-DCF82D2C7B1B}.exe	31
PID 3032 wrote to memory of 2732	3032	{AE6CF74A-21C3-436b-B970-DCF82D2C7B1B}.exe	31
PID 3032 wrote to memory of 2732	3032	{AE6CF74A-21C3-436b-B970-DCF82D2C7B1B}.exe	31
PID 3048 wrote to memory of 2568	3048	{D0780C88-E77B-465c-BD32-F1CF135465BD}.exe	32
PID 3048 wrote to memory of 2568	3048	{D0780C88-E77B-465c-BD32-F1CF135465BD}.exe	32
PID 3048 wrote to memory of 2568	3048	{D0780C88-E77B-465c-BD32-F1CF135465BD}.exe	32
PID 3048 wrote to memory of 2568	3048	{D0780C88-E77B-465c-BD32-F1CF135465BD}.exe	32
PID 3048 wrote to memory of 2440	3048	{D0780C88-E77B-465c-BD32-F1CF135465BD}.exe	33
PID 3048 wrote to memory of 2440	3048	{D0780C88-E77B-465c-BD32-F1CF135465BD}.exe	33
PID 3048 wrote to memory of 2440	3048	{D0780C88-E77B-465c-BD32-F1CF135465BD}.exe	33
PID 3048 wrote to memory of 2440	3048	{D0780C88-E77B-465c-BD32-F1CF135465BD}.exe	33
PID 2568 wrote to memory of 2524	2568	{483D146B-E0B1-4cda-82BB-002B577EE822}.exe	36
PID 2568 wrote to memory of 2524	2568	{483D146B-E0B1-4cda-82BB-002B577EE822}.exe	36
PID 2568 wrote to memory of 2524	2568	{483D146B-E0B1-4cda-82BB-002B577EE822}.exe	36
PID 2568 wrote to memory of 2524	2568	{483D146B-E0B1-4cda-82BB-002B577EE822}.exe	36
PID 2568 wrote to memory of 2688	2568	{483D146B-E0B1-4cda-82BB-002B577EE822}.exe	37
PID 2568 wrote to memory of 2688	2568	{483D146B-E0B1-4cda-82BB-002B577EE822}.exe	37
PID 2568 wrote to memory of 2688	2568	{483D146B-E0B1-4cda-82BB-002B577EE822}.exe	37
PID 2568 wrote to memory of 2688	2568	{483D146B-E0B1-4cda-82BB-002B577EE822}.exe	37
PID 2524 wrote to memory of 1752	2524	{9BB51CAF-404B-4d7c-92C1-225B09437676}.exe	38
PID 2524 wrote to memory of 1752	2524	{9BB51CAF-404B-4d7c-92C1-225B09437676}.exe	38
PID 2524 wrote to memory of 1752	2524	{9BB51CAF-404B-4d7c-92C1-225B09437676}.exe	38
PID 2524 wrote to memory of 1752	2524	{9BB51CAF-404B-4d7c-92C1-225B09437676}.exe	38
PID 2524 wrote to memory of 468	2524	{9BB51CAF-404B-4d7c-92C1-225B09437676}.exe	39
PID 2524 wrote to memory of 468	2524	{9BB51CAF-404B-4d7c-92C1-225B09437676}.exe	39
PID 2524 wrote to memory of 468	2524	{9BB51CAF-404B-4d7c-92C1-225B09437676}.exe	39
PID 2524 wrote to memory of 468	2524	{9BB51CAF-404B-4d7c-92C1-225B09437676}.exe	39
PID 1752 wrote to memory of 1436	1752	{4AF41D00-BDDD-4c53-BCA7-44B168B8B0A9}.exe	40
PID 1752 wrote to memory of 1436	1752	{4AF41D00-BDDD-4c53-BCA7-44B168B8B0A9}.exe	40
PID 1752 wrote to memory of 1436	1752	{4AF41D00-BDDD-4c53-BCA7-44B168B8B0A9}.exe	40
PID 1752 wrote to memory of 1436	1752	{4AF41D00-BDDD-4c53-BCA7-44B168B8B0A9}.exe	40
PID 1752 wrote to memory of 1216	1752	{4AF41D00-BDDD-4c53-BCA7-44B168B8B0A9}.exe	41
PID 1752 wrote to memory of 1216	1752	{4AF41D00-BDDD-4c53-BCA7-44B168B8B0A9}.exe	41
PID 1752 wrote to memory of 1216	1752	{4AF41D00-BDDD-4c53-BCA7-44B168B8B0A9}.exe	41
PID 1752 wrote to memory of 1216	1752	{4AF41D00-BDDD-4c53-BCA7-44B168B8B0A9}.exe	41
PID 1436 wrote to memory of 836	1436	{47444159-3245-495c-8E88-5D76D26899C2}.exe	42
PID 1436 wrote to memory of 836	1436	{47444159-3245-495c-8E88-5D76D26899C2}.exe	42
PID 1436 wrote to memory of 836	1436	{47444159-3245-495c-8E88-5D76D26899C2}.exe	42
PID 1436 wrote to memory of 836	1436	{47444159-3245-495c-8E88-5D76D26899C2}.exe	42
PID 1436 wrote to memory of 1556	1436	{47444159-3245-495c-8E88-5D76D26899C2}.exe	43
PID 1436 wrote to memory of 1556	1436	{47444159-3245-495c-8E88-5D76D26899C2}.exe	43
PID 1436 wrote to memory of 1556	1436	{47444159-3245-495c-8E88-5D76D26899C2}.exe	43
PID 1436 wrote to memory of 1556	1436	{47444159-3245-495c-8E88-5D76D26899C2}.exe	43
PID 836 wrote to memory of 3016	836	{C23C9C45-A17B-4e31-9EF3-D8FB09985F10}.exe	44
PID 836 wrote to memory of 3016	836	{C23C9C45-A17B-4e31-9EF3-D8FB09985F10}.exe	44
PID 836 wrote to memory of 3016	836	{C23C9C45-A17B-4e31-9EF3-D8FB09985F10}.exe	44
PID 836 wrote to memory of 3016	836	{C23C9C45-A17B-4e31-9EF3-D8FB09985F10}.exe	44
PID 836 wrote to memory of 2856	836	{C23C9C45-A17B-4e31-9EF3-D8FB09985F10}.exe	45
PID 836 wrote to memory of 2856	836	{C23C9C45-A17B-4e31-9EF3-D8FB09985F10}.exe	45
PID 836 wrote to memory of 2856	836	{C23C9C45-A17B-4e31-9EF3-D8FB09985F10}.exe	45
PID 836 wrote to memory of 2856	836	{C23C9C45-A17B-4e31-9EF3-D8FB09985F10}.exe	45

C:\Users\Admin\AppData\Local\Temp\6168d949d195617e81781856b621b650_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6168d949d195617e81781856b621b650_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\{AE6CF74A-21C3-436b-B970-DCF82D2C7B1B}.exe
  C:\Windows\{AE6CF74A-21C3-436b-B970-DCF82D2C7B1B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\{D0780C88-E77B-465c-BD32-F1CF135465BD}.exe
    C:\Windows\{D0780C88-E77B-465c-BD32-F1CF135465BD}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\{483D146B-E0B1-4cda-82BB-002B577EE822}.exe
      C:\Windows\{483D146B-E0B1-4cda-82BB-002B577EE822}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Windows\{9BB51CAF-404B-4d7c-92C1-225B09437676}.exe
        
        C:\Windows\{9BB51CAF-404B-4d7c-92C1-225B09437676}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
      - C:\Windows\{4AF41D00-BDDD-4c53-BCA7-44B168B8B0A9}.exe
        
        C:\Windows\{4AF41D00-BDDD-4c53-BCA7-44B168B8B0A9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\{47444159-3245-495c-8E88-5D76D26899C2}.exe
        
        C:\Windows\{47444159-3245-495c-8E88-5D76D26899C2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\{C23C9C45-A17B-4e31-9EF3-D8FB09985F10}.exe
        
        C:\Windows\{C23C9C45-A17B-4e31-9EF3-D8FB09985F10}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Windows\{BCBA2801-8085-4de6-B4BC-5437BD0164D6}.exe
        
        C:\Windows\{BCBA2801-8085-4de6-B4BC-5437BD0164D6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\{9D97BFEF-A564-40b1-ABA1-D40814B0C9DE}.exe
        
        C:\Windows\{9D97BFEF-A564-40b1-ABA1-D40814B0C9DE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\{95508F21-1393-40c4-9B11-AC7649060222}.exe
        
        C:\Windows\{95508F21-1393-40c4-9B11-AC7649060222}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
        
        C:\Windows\{6F1FD586-1BB1-48b0-B069-922526567CD2}.exe
        
        C:\Windows\{6F1FD586-1BB1-48b0-B069-922526567CD2}.exe
        12⤵
        Executes dropped EXE
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95508~1.EXE > nul
        12⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D97B~1.EXE > nul
        11⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCBA2~1.EXE > nul
        10⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C23C9~1.EXE > nul
        9⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47444~1.EXE > nul
        8⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AF41~1.EXE > nul
        7⤵
        
        PID:1216
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9BB51~1.EXE > nul
        6⤵
        
        PID:468
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{483D1~1.EXE > nul
        5⤵
        
        PID:2688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D0780~1.EXE > nul
      4⤵
      PID:2440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AE6CF~1.EXE > nul
    3⤵
    PID:2732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6168D9~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{47444159-3245-495c-8E88-5D76D26899C2}.exe

Filesize
90KB

MD5
d8d791f80bef7834883f25863b8aee0a

SHA1
eb7b1be772ab04924549f539d5a27e57be3ae63f

SHA256
5eaaf6dbd53de145bee039469b137815b6cc0fb1a16805e112af2d4c05304074

SHA512
c39ad79b4b23cdfa2b4c69418509e6db4ea1839bfc49204d2efd77bad8be19aee96e8e9388850ff1243320c4516b62d2c901b301dde79ef83edd626d07915ddd

Download Submit
C:\Windows\{483D146B-E0B1-4cda-82BB-002B577EE822}.exe

Filesize
90KB

MD5
bfd4ccfd3612c0a86b49d6968fe33f39

SHA1
7b676926a07ad60cb10ab8891f504967bc5340d4

SHA256
7c0e2e73663cf23f4d27ca03774e51b47fcea6d841a38d823a3e070635e78321

SHA512
6cc920d8c55a37b441748955dbdcc2d68e45537560ab9c9514c5c3f6bbad19607a37bed35d1140eef8c1cde13da7e7620fea7c61bc558d468711de9cf78e8569

Download Submit
C:\Windows\{4AF41D00-BDDD-4c53-BCA7-44B168B8B0A9}.exe

Filesize
90KB

MD5
08e997027a18ed18e70850bcae76ef22

SHA1
bbc0d62bb8becb7fb6d6753f7a8451eeec1ea5d7

SHA256
e20e66123174bbb0a08671e49a6105fca382d86637119ec5ed3c107af2c179b9

SHA512
c3fb8694127efc482afd8703451346e96d282a1f391c766f0f982822467faf2d40c7195f85cca8efcb0795e7970fa4dbd1cd980bcd7c74583421ccbe6542ddb3

Download Submit
C:\Windows\{6F1FD586-1BB1-48b0-B069-922526567CD2}.exe

Filesize
90KB

MD5
25516c83118cb871839833e8733599bd

SHA1
36179191d16a2ea34fcd41945f95e52f3c7aaada

SHA256
ba52125cbc7f98dea7582b02431ca8b440968996b679f995fc7a84a5e65a7beb

SHA512
1de5801cd71e874f400a1fb316f677f30ef8a31cee3241d1c025e5bc1f03001780cab49169b4511647506712cbb0ab8bf87f068c5ccf03360a8cbed9730bd69d

Download Submit
C:\Windows\{95508F21-1393-40c4-9B11-AC7649060222}.exe

Filesize
90KB

MD5
e5688f6e3c440d29d35cdc39398333fa

SHA1
91d328b9fc13828e51fbbbbf68f89d2915f1a228

SHA256
6e1f149b45459ef741e852e2c4b8bb11884456dc99dfa155eeef1e471bff8c40

SHA512
a15b4dcaea57cb98ae85ea1d9038cae40960811d76dd3a297af804adb035ef491b63c8f5a9a70d4f4bd1c8ec5ae5824987b48926de264e519cab81a3c46136b8

Download Submit
C:\Windows\{9BB51CAF-404B-4d7c-92C1-225B09437676}.exe

Filesize
90KB

MD5
f709aa30fa18954aee26cf993c6f4e89

SHA1
2c31dafaef00109b5b4b6ed35415f98aadadcfa9

SHA256
535d58beb9555f4306576ee3d2b148020efafb378cd0a8a20b24e0a2e26fd0e1

SHA512
0f2a0fa2a54e5bb6b0a6335bb86d8df484a3246d83934f7ceafe0f91a1a7b13e4484f6e3b9a627df1a5ad6d9eb4479320372787bea6912a30171f361e374473c

Download Submit
C:\Windows\{9D97BFEF-A564-40b1-ABA1-D40814B0C9DE}.exe

Filesize
90KB

MD5
cddf8d902c36140ed91ddb1a9e9524fe

SHA1
1ea74d3692d4b325eb24425743a805431f51f92c

SHA256
d057970ff4985c4594443ec390debcbefa0184db5db45eb256ffdb2b2fe7a121

SHA512
dd20363f248fa6cb0dabcd87149f8d2efb6e251f5e8b076f5afa82ea0dca3d9854c938f0f5eb405f6661164562891d0d48e603b206a202cc9c7c1d7e153ac270

Download Submit
C:\Windows\{AE6CF74A-21C3-436b-B970-DCF82D2C7B1B}.exe

Filesize
90KB

MD5
60f8cffb0d540ca7450ade6de5483db6

SHA1
dd7d521b0f4d04debc37d558e3a260f94090970b

SHA256
1847e6a4c9a471264c2fa1edde5e5db7e83a497f1209df6270e2cd89c08cb85e

SHA512
a3484502b31aa57b5a510dea860778b8caed5592202c051829398b4a8350f0a34cb51403e8fe617f8896428750f1504bfab6d4c582083277849caeb080ef1282

Download Submit
C:\Windows\{BCBA2801-8085-4de6-B4BC-5437BD0164D6}.exe

Filesize
90KB

MD5
eed0fb5fb3761ae6edea6da7de2e4a6e

SHA1
454d0e87f46d2dd9494da31d2824420165157c50

SHA256
c0a297b4343e645f09bace7d3ddb01ba8f555f18a31fbd528ecd75a009a8bde9

SHA512
2c296f797c679eec546dfb87e275b30c21b0c0f5cd107140b1c95f6888bfffc0c28729c5d789f84b47e84ec076b3d7d96855f857a1adaff6688de0d42caec5aa

Download Submit
C:\Windows\{C23C9C45-A17B-4e31-9EF3-D8FB09985F10}.exe

Filesize
90KB

MD5
49e7eb650f53cdd6b9fe87d9a4d7ada3

SHA1
66095b8b6f40d7ab001fcf3f4bfededbe215bd71

SHA256
0e8f100ddca2bb61be498d4b32167abee1584a6075dca7c97cfe2e52a32c2377

SHA512
5f614d8f12166e3518b22f91b3a05e14f181023d80fe1dc0fae4197eec17dfff68693f13f2d99875ebfc885a95b3aa9ea94d506a796e70e4d8005b2230daa014

Download Submit
C:\Windows\{D0780C88-E77B-465c-BD32-F1CF135465BD}.exe

Filesize
90KB

MD5
f0c1c2407b0c415796ccae0e463d73a0

SHA1
80017c084adcbf8164e37d2c358e831ba40bd764

SHA256
d016ab29c7f330c451125b78a20800cc078eb6ce517db3fa25cac557f4a2cbb4

SHA512
67ab7cf4192a37987be0f4f7971dca7a7f66d343395abd74b37e69651ba6ccbef4eef629c54f3fff4fc0f317d278e2fb7b363f1dd0c435d3cea36f53bbb279cd

Download Submit
memory/836-67-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/836-63-0x0000000000360000-0x0000000000371000-memory.dmp

Filesize
68KB

Download
memory/1056-93-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1436-58-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1752-51-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2236-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2236-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2236-3-0x00000000004B0000-0x00000000004C1000-memory.dmp

Filesize
68KB

Download
memory/2524-42-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2568-34-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2568-27-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2852-77-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2852-84-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3016-76-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3032-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3032-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3048-26-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3048-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads