2d0d1e28cb5365c0aef237c5356cd18b900898b999cbe0894712b6d2a8bf0eb4

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/05/2024, 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5832c0f7c7dbabb3e08e67ae81b37a0_NeikiAnalytics.exe
Size

90KB
MD5

d5832c0f7c7dbabb3e08e67ae81b37a0
SHA1

6eb8a9726b0182ae799b9b6338e9753789129634
SHA256

2d0d1e28cb5365c0aef237c5356cd18b900898b999cbe0894712b6d2a8bf0eb4
SHA512

2f36af1d7e0d9f7a8aa89446e229c688c05b64f01bd8a532cfa4c8eeb179794dd0166f29dc786baea4f682cbb3f91e9eecc902b17b02d673bd4ae29d99eec334
SSDEEP

768:50w981IshKQLro24/wQozzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzS:CEGI0o2lVunMxVS3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CD6DB92-456B-49c2-A608-A92D1EBE2748}\stubpath = "C:\\Windows\\{5CD6DB92-456B-49c2-A608-A92D1EBE2748}.exe"	{C864EA53-789B-4051-8860-E51086A52C8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA4A2563-5040-4128-85E3-16A2291344B6}	{5CD6DB92-456B-49c2-A608-A92D1EBE2748}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{962438D6-3FC5-40ae-B71F-C0FD57790FEC}	{3478496E-0053-42f6-A2E2-FDEF34923848}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86001680-15E9-40fb-8267-0BCD1C250491}\stubpath = "C:\\Windows\\{86001680-15E9-40fb-8267-0BCD1C250491}.exe"	{8114A98E-29ED-4426-BC60-1CE829D243C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3B311D5-1384-402a-8893-1746D51CFC97}	{86001680-15E9-40fb-8267-0BCD1C250491}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3861A99-68DB-469d-88AB-85AB3F71DF7F}\stubpath = "C:\\Windows\\{D3861A99-68DB-469d-88AB-85AB3F71DF7F}.exe"	{F3B311D5-1384-402a-8893-1746D51CFC97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C864EA53-789B-4051-8860-E51086A52C8F}	{D3861A99-68DB-469d-88AB-85AB3F71DF7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA4A2563-5040-4128-85E3-16A2291344B6}\stubpath = "C:\\Windows\\{EA4A2563-5040-4128-85E3-16A2291344B6}.exe"	{5CD6DB92-456B-49c2-A608-A92D1EBE2748}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C8CC683-2429-45f5-8EFA-304A4F87D41A}	{A3456FB9-DA21-4200-A3D3-28BA75AC7272}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C8CC683-2429-45f5-8EFA-304A4F87D41A}\stubpath = "C:\\Windows\\{9C8CC683-2429-45f5-8EFA-304A4F87D41A}.exe"	{A3456FB9-DA21-4200-A3D3-28BA75AC7272}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{962438D6-3FC5-40ae-B71F-C0FD57790FEC}\stubpath = "C:\\Windows\\{962438D6-3FC5-40ae-B71F-C0FD57790FEC}.exe"	{3478496E-0053-42f6-A2E2-FDEF34923848}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86001680-15E9-40fb-8267-0BCD1C250491}	{8114A98E-29ED-4426-BC60-1CE829D243C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3861A99-68DB-469d-88AB-85AB3F71DF7F}	{F3B311D5-1384-402a-8893-1746D51CFC97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3456FB9-DA21-4200-A3D3-28BA75AC7272}\stubpath = "C:\\Windows\\{A3456FB9-DA21-4200-A3D3-28BA75AC7272}.exe"	{EA4A2563-5040-4128-85E3-16A2291344B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C864EA53-789B-4051-8860-E51086A52C8F}\stubpath = "C:\\Windows\\{C864EA53-789B-4051-8860-E51086A52C8F}.exe"	{D3861A99-68DB-469d-88AB-85AB3F71DF7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CD6DB92-456B-49c2-A608-A92D1EBE2748}	{C864EA53-789B-4051-8860-E51086A52C8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3456FB9-DA21-4200-A3D3-28BA75AC7272}	{EA4A2563-5040-4128-85E3-16A2291344B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3478496E-0053-42f6-A2E2-FDEF34923848}	d5832c0f7c7dbabb3e08e67ae81b37a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3478496E-0053-42f6-A2E2-FDEF34923848}\stubpath = "C:\\Windows\\{3478496E-0053-42f6-A2E2-FDEF34923848}.exe"	d5832c0f7c7dbabb3e08e67ae81b37a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8114A98E-29ED-4426-BC60-1CE829D243C5}	{962438D6-3FC5-40ae-B71F-C0FD57790FEC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8114A98E-29ED-4426-BC60-1CE829D243C5}\stubpath = "C:\\Windows\\{8114A98E-29ED-4426-BC60-1CE829D243C5}.exe"	{962438D6-3FC5-40ae-B71F-C0FD57790FEC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3B311D5-1384-402a-8893-1746D51CFC97}\stubpath = "C:\\Windows\\{F3B311D5-1384-402a-8893-1746D51CFC97}.exe"	{86001680-15E9-40fb-8267-0BCD1C250491}.exe

Deletes itself 1 IoCs

pid	Process
2616	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2204	{3478496E-0053-42f6-A2E2-FDEF34923848}.exe
2448	{962438D6-3FC5-40ae-B71F-C0FD57790FEC}.exe
2416	{8114A98E-29ED-4426-BC60-1CE829D243C5}.exe
2748	{86001680-15E9-40fb-8267-0BCD1C250491}.exe
2164	{F3B311D5-1384-402a-8893-1746D51CFC97}.exe
1900	{D3861A99-68DB-469d-88AB-85AB3F71DF7F}.exe
2156	{C864EA53-789B-4051-8860-E51086A52C8F}.exe
1556	{5CD6DB92-456B-49c2-A608-A92D1EBE2748}.exe
2820	{EA4A2563-5040-4128-85E3-16A2291344B6}.exe
584	{A3456FB9-DA21-4200-A3D3-28BA75AC7272}.exe
1476	{9C8CC683-2429-45f5-8EFA-304A4F87D41A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{962438D6-3FC5-40ae-B71F-C0FD57790FEC}.exe	{3478496E-0053-42f6-A2E2-FDEF34923848}.exe
File created	C:\Windows\{8114A98E-29ED-4426-BC60-1CE829D243C5}.exe	{962438D6-3FC5-40ae-B71F-C0FD57790FEC}.exe
File created	C:\Windows\{86001680-15E9-40fb-8267-0BCD1C250491}.exe	{8114A98E-29ED-4426-BC60-1CE829D243C5}.exe
File created	C:\Windows\{F3B311D5-1384-402a-8893-1746D51CFC97}.exe	{86001680-15E9-40fb-8267-0BCD1C250491}.exe
File created	C:\Windows\{C864EA53-789B-4051-8860-E51086A52C8F}.exe	{D3861A99-68DB-469d-88AB-85AB3F71DF7F}.exe
File created	C:\Windows\{5CD6DB92-456B-49c2-A608-A92D1EBE2748}.exe	{C864EA53-789B-4051-8860-E51086A52C8F}.exe
File created	C:\Windows\{3478496E-0053-42f6-A2E2-FDEF34923848}.exe	d5832c0f7c7dbabb3e08e67ae81b37a0_NeikiAnalytics.exe
File created	C:\Windows\{D3861A99-68DB-469d-88AB-85AB3F71DF7F}.exe	{F3B311D5-1384-402a-8893-1746D51CFC97}.exe
File created	C:\Windows\{EA4A2563-5040-4128-85E3-16A2291344B6}.exe	{5CD6DB92-456B-49c2-A608-A92D1EBE2748}.exe
File created	C:\Windows\{A3456FB9-DA21-4200-A3D3-28BA75AC7272}.exe	{EA4A2563-5040-4128-85E3-16A2291344B6}.exe
File created	C:\Windows\{9C8CC683-2429-45f5-8EFA-304A4F87D41A}.exe	{A3456FB9-DA21-4200-A3D3-28BA75AC7272}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2036	d5832c0f7c7dbabb3e08e67ae81b37a0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2204	{3478496E-0053-42f6-A2E2-FDEF34923848}.exe
Token: SeIncBasePriorityPrivilege	2448	{962438D6-3FC5-40ae-B71F-C0FD57790FEC}.exe
Token: SeIncBasePriorityPrivilege	2416	{8114A98E-29ED-4426-BC60-1CE829D243C5}.exe
Token: SeIncBasePriorityPrivilege	2748	{86001680-15E9-40fb-8267-0BCD1C250491}.exe
Token: SeIncBasePriorityPrivilege	2164	{F3B311D5-1384-402a-8893-1746D51CFC97}.exe
Token: SeIncBasePriorityPrivilege	1900	{D3861A99-68DB-469d-88AB-85AB3F71DF7F}.exe
Token: SeIncBasePriorityPrivilege	2156	{C864EA53-789B-4051-8860-E51086A52C8F}.exe
Token: SeIncBasePriorityPrivilege	1556	{5CD6DB92-456B-49c2-A608-A92D1EBE2748}.exe
Token: SeIncBasePriorityPrivilege	2820	{EA4A2563-5040-4128-85E3-16A2291344B6}.exe
Token: SeIncBasePriorityPrivilege	584	{A3456FB9-DA21-4200-A3D3-28BA75AC7272}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2204	2036	d5832c0f7c7dbabb3e08e67ae81b37a0_NeikiAnalytics.exe	28
PID 2036 wrote to memory of 2204	2036	d5832c0f7c7dbabb3e08e67ae81b37a0_NeikiAnalytics.exe	28
PID 2036 wrote to memory of 2204	2036	d5832c0f7c7dbabb3e08e67ae81b37a0_NeikiAnalytics.exe	28
PID 2036 wrote to memory of 2204	2036	d5832c0f7c7dbabb3e08e67ae81b37a0_NeikiAnalytics.exe	28
PID 2036 wrote to memory of 2616	2036	d5832c0f7c7dbabb3e08e67ae81b37a0_NeikiAnalytics.exe	29
PID 2036 wrote to memory of 2616	2036	d5832c0f7c7dbabb3e08e67ae81b37a0_NeikiAnalytics.exe	29
PID 2036 wrote to memory of 2616	2036	d5832c0f7c7dbabb3e08e67ae81b37a0_NeikiAnalytics.exe	29
PID 2036 wrote to memory of 2616	2036	d5832c0f7c7dbabb3e08e67ae81b37a0_NeikiAnalytics.exe	29
PID 2204 wrote to memory of 2448	2204	{3478496E-0053-42f6-A2E2-FDEF34923848}.exe	30
PID 2204 wrote to memory of 2448	2204	{3478496E-0053-42f6-A2E2-FDEF34923848}.exe	30
PID 2204 wrote to memory of 2448	2204	{3478496E-0053-42f6-A2E2-FDEF34923848}.exe	30
PID 2204 wrote to memory of 2448	2204	{3478496E-0053-42f6-A2E2-FDEF34923848}.exe	30
PID 2204 wrote to memory of 2716	2204	{3478496E-0053-42f6-A2E2-FDEF34923848}.exe	31
PID 2204 wrote to memory of 2716	2204	{3478496E-0053-42f6-A2E2-FDEF34923848}.exe	31
PID 2204 wrote to memory of 2716	2204	{3478496E-0053-42f6-A2E2-FDEF34923848}.exe	31
PID 2204 wrote to memory of 2716	2204	{3478496E-0053-42f6-A2E2-FDEF34923848}.exe	31
PID 2448 wrote to memory of 2416	2448	{962438D6-3FC5-40ae-B71F-C0FD57790FEC}.exe	32
PID 2448 wrote to memory of 2416	2448	{962438D6-3FC5-40ae-B71F-C0FD57790FEC}.exe	32
PID 2448 wrote to memory of 2416	2448	{962438D6-3FC5-40ae-B71F-C0FD57790FEC}.exe	32
PID 2448 wrote to memory of 2416	2448	{962438D6-3FC5-40ae-B71F-C0FD57790FEC}.exe	32
PID 2448 wrote to memory of 2460	2448	{962438D6-3FC5-40ae-B71F-C0FD57790FEC}.exe	33
PID 2448 wrote to memory of 2460	2448	{962438D6-3FC5-40ae-B71F-C0FD57790FEC}.exe	33
PID 2448 wrote to memory of 2460	2448	{962438D6-3FC5-40ae-B71F-C0FD57790FEC}.exe	33
PID 2448 wrote to memory of 2460	2448	{962438D6-3FC5-40ae-B71F-C0FD57790FEC}.exe	33
PID 2416 wrote to memory of 2748	2416	{8114A98E-29ED-4426-BC60-1CE829D243C5}.exe	36
PID 2416 wrote to memory of 2748	2416	{8114A98E-29ED-4426-BC60-1CE829D243C5}.exe	36
PID 2416 wrote to memory of 2748	2416	{8114A98E-29ED-4426-BC60-1CE829D243C5}.exe	36
PID 2416 wrote to memory of 2748	2416	{8114A98E-29ED-4426-BC60-1CE829D243C5}.exe	36
PID 2416 wrote to memory of 2744	2416	{8114A98E-29ED-4426-BC60-1CE829D243C5}.exe	37
PID 2416 wrote to memory of 2744	2416	{8114A98E-29ED-4426-BC60-1CE829D243C5}.exe	37
PID 2416 wrote to memory of 2744	2416	{8114A98E-29ED-4426-BC60-1CE829D243C5}.exe	37
PID 2416 wrote to memory of 2744	2416	{8114A98E-29ED-4426-BC60-1CE829D243C5}.exe	37
PID 2748 wrote to memory of 2164	2748	{86001680-15E9-40fb-8267-0BCD1C250491}.exe	38
PID 2748 wrote to memory of 2164	2748	{86001680-15E9-40fb-8267-0BCD1C250491}.exe	38
PID 2748 wrote to memory of 2164	2748	{86001680-15E9-40fb-8267-0BCD1C250491}.exe	38
PID 2748 wrote to memory of 2164	2748	{86001680-15E9-40fb-8267-0BCD1C250491}.exe	38
PID 2748 wrote to memory of 1260	2748	{86001680-15E9-40fb-8267-0BCD1C250491}.exe	39
PID 2748 wrote to memory of 1260	2748	{86001680-15E9-40fb-8267-0BCD1C250491}.exe	39
PID 2748 wrote to memory of 1260	2748	{86001680-15E9-40fb-8267-0BCD1C250491}.exe	39
PID 2748 wrote to memory of 1260	2748	{86001680-15E9-40fb-8267-0BCD1C250491}.exe	39
PID 2164 wrote to memory of 1900	2164	{F3B311D5-1384-402a-8893-1746D51CFC97}.exe	40
PID 2164 wrote to memory of 1900	2164	{F3B311D5-1384-402a-8893-1746D51CFC97}.exe	40
PID 2164 wrote to memory of 1900	2164	{F3B311D5-1384-402a-8893-1746D51CFC97}.exe	40
PID 2164 wrote to memory of 1900	2164	{F3B311D5-1384-402a-8893-1746D51CFC97}.exe	40
PID 2164 wrote to memory of 1968	2164	{F3B311D5-1384-402a-8893-1746D51CFC97}.exe	41
PID 2164 wrote to memory of 1968	2164	{F3B311D5-1384-402a-8893-1746D51CFC97}.exe	41
PID 2164 wrote to memory of 1968	2164	{F3B311D5-1384-402a-8893-1746D51CFC97}.exe	41
PID 2164 wrote to memory of 1968	2164	{F3B311D5-1384-402a-8893-1746D51CFC97}.exe	41
PID 1900 wrote to memory of 2156	1900	{D3861A99-68DB-469d-88AB-85AB3F71DF7F}.exe	42
PID 1900 wrote to memory of 2156	1900	{D3861A99-68DB-469d-88AB-85AB3F71DF7F}.exe	42
PID 1900 wrote to memory of 2156	1900	{D3861A99-68DB-469d-88AB-85AB3F71DF7F}.exe	42
PID 1900 wrote to memory of 2156	1900	{D3861A99-68DB-469d-88AB-85AB3F71DF7F}.exe	42
PID 1900 wrote to memory of 1380	1900	{D3861A99-68DB-469d-88AB-85AB3F71DF7F}.exe	43
PID 1900 wrote to memory of 1380	1900	{D3861A99-68DB-469d-88AB-85AB3F71DF7F}.exe	43
PID 1900 wrote to memory of 1380	1900	{D3861A99-68DB-469d-88AB-85AB3F71DF7F}.exe	43
PID 1900 wrote to memory of 1380	1900	{D3861A99-68DB-469d-88AB-85AB3F71DF7F}.exe	43
PID 2156 wrote to memory of 1556	2156	{C864EA53-789B-4051-8860-E51086A52C8F}.exe	44
PID 2156 wrote to memory of 1556	2156	{C864EA53-789B-4051-8860-E51086A52C8F}.exe	44
PID 2156 wrote to memory of 1556	2156	{C864EA53-789B-4051-8860-E51086A52C8F}.exe	44
PID 2156 wrote to memory of 1556	2156	{C864EA53-789B-4051-8860-E51086A52C8F}.exe	44
PID 2156 wrote to memory of 2932	2156	{C864EA53-789B-4051-8860-E51086A52C8F}.exe	45
PID 2156 wrote to memory of 2932	2156	{C864EA53-789B-4051-8860-E51086A52C8F}.exe	45
PID 2156 wrote to memory of 2932	2156	{C864EA53-789B-4051-8860-E51086A52C8F}.exe	45
PID 2156 wrote to memory of 2932	2156	{C864EA53-789B-4051-8860-E51086A52C8F}.exe	45

C:\Users\Admin\AppData\Local\Temp\d5832c0f7c7dbabb3e08e67ae81b37a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\d5832c0f7c7dbabb3e08e67ae81b37a0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\{3478496E-0053-42f6-A2E2-FDEF34923848}.exe
  C:\Windows\{3478496E-0053-42f6-A2E2-FDEF34923848}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\{962438D6-3FC5-40ae-B71F-C0FD57790FEC}.exe
    C:\Windows\{962438D6-3FC5-40ae-B71F-C0FD57790FEC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Windows\{8114A98E-29ED-4426-BC60-1CE829D243C5}.exe
      C:\Windows\{8114A98E-29ED-4426-BC60-1CE829D243C5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\Windows\{86001680-15E9-40fb-8267-0BCD1C250491}.exe
        
        C:\Windows\{86001680-15E9-40fb-8267-0BCD1C250491}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2748
      - C:\Windows\{F3B311D5-1384-402a-8893-1746D51CFC97}.exe
        
        C:\Windows\{F3B311D5-1384-402a-8893-1746D51CFC97}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\{D3861A99-68DB-469d-88AB-85AB3F71DF7F}.exe
        
        C:\Windows\{D3861A99-68DB-469d-88AB-85AB3F71DF7F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\{C864EA53-789B-4051-8860-E51086A52C8F}.exe
        
        C:\Windows\{C864EA53-789B-4051-8860-E51086A52C8F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\{5CD6DB92-456B-49c2-A608-A92D1EBE2748}.exe
        
        C:\Windows\{5CD6DB92-456B-49c2-A608-A92D1EBE2748}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\{EA4A2563-5040-4128-85E3-16A2291344B6}.exe
        
        C:\Windows\{EA4A2563-5040-4128-85E3-16A2291344B6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
        
        C:\Windows\{A3456FB9-DA21-4200-A3D3-28BA75AC7272}.exe
        
        C:\Windows\{A3456FB9-DA21-4200-A3D3-28BA75AC7272}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:584
        
        C:\Windows\{9C8CC683-2429-45f5-8EFA-304A4F87D41A}.exe
        
        C:\Windows\{9C8CC683-2429-45f5-8EFA-304A4F87D41A}.exe
        12⤵
        Executes dropped EXE
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3456~1.EXE > nul
        12⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA4A2~1.EXE > nul
        11⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CD6D~1.EXE > nul
        10⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C864E~1.EXE > nul
        9⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3861~1.EXE > nul
        8⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3B31~1.EXE > nul
        7⤵
        
        PID:1968
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86001~1.EXE > nul
        6⤵
        
        PID:1260
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8114A~1.EXE > nul
        5⤵
        
        PID:2744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{96243~1.EXE > nul
      4⤵
      PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{34784~1.EXE > nul
    3⤵
    PID:2716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D5832C~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3478496E-0053-42f6-A2E2-FDEF34923848}.exe

Filesize
90KB

MD5
918329f3c0f310b0c8c0fea12e5858f5

SHA1
314cc6d1d769532182247835fa80cf312104c9c3

SHA256
55ba0234fb27bd178a6268e0570380957e998839472578bb500ff5c9ccb9dbc3

SHA512
41795ebe477acb5a5378a1af4234b9f6bd27754b53dc5e1bc5b0a0fd8c30ea63a1130e2e56d41145a796dc9766990a2c936be8388662b5326407ff877067b5ee

Download Submit
C:\Windows\{5CD6DB92-456B-49c2-A608-A92D1EBE2748}.exe

Filesize
90KB

MD5
79cb3c1c08f17b0d368fce46c73ff69b

SHA1
1b9312e82d6e383bd88423accf472805adc0a9b1

SHA256
aba7e1b6ff1af0bcc10e092a03a5e1b2d5354d3e414c9734c4b10cdc8ad84f75

SHA512
cd350155a1c8eaacfad0ea36390e61b87fcd30d084044af49010bb168caf4e300a470241b4e6dc3aabb48cd326c3001519cc72980c2a55ef6d87051e8f41a36c

Download Submit
C:\Windows\{8114A98E-29ED-4426-BC60-1CE829D243C5}.exe

Filesize
90KB

MD5
4a679f2ffbc6f58a3555ac8ceebb4e15

SHA1
f94257ccac26c091bfc45a9470aa3bb2352e300d

SHA256
92bcb67791af1b8f616164892957a8886cdb93acb77d14210c862f78270dd7be

SHA512
ab2321a5aaed2c35b6142ae109e2209dc49e37683fd283ec6cb3e05ff7ebba65e4d5c01d43e7965e6f300cb34fc6acd267f62df9252cb4f26932ecec7bd71684

Download Submit
C:\Windows\{86001680-15E9-40fb-8267-0BCD1C250491}.exe

Filesize
90KB

MD5
84a6de5103e902a58d20048c4bb964b5

SHA1
00916710fa99a2c0bbd5ebc40bad9dc2182de837

SHA256
2fd9ab3b49a4866876b621f3a34b574063e0dd66c272fcee8ef59405f21d2d83

SHA512
bd663b3fe25d792fec332b00c7ca23ffacb563c369653676a864d76221ae2000e2e1222d75f39059f28019640a35c3c2d73d8ed77fe49a14fd7ef3bc6c5893fa

Download Submit
C:\Windows\{962438D6-3FC5-40ae-B71F-C0FD57790FEC}.exe

Filesize
90KB

MD5
aab290f965b19da38173ebd174924020

SHA1
8ad4e4f2d40f65ff4338f3290b46a655fa1ee3dd

SHA256
d939d7b2c892097b573303a9307e437caa91522dfcb92f72316f88a38d41fd6e

SHA512
1a31a98fefb88d90e9785319489e0a95b1b5b9192e3ec5dc4a3c5c3fd4049b168de21605a3a751bf9b56dd78202a81bf251063494093b1594b4de7687a373834

Download Submit
C:\Windows\{9C8CC683-2429-45f5-8EFA-304A4F87D41A}.exe

Filesize
90KB

MD5
060c6698ad7d9d94255349dbfd228520

SHA1
f967173504cf7c313dd05f2bd08fe196b3142484

SHA256
3453f571966f0168c9fd6b0e8cfae64b039b25cea502db951cc2bfedc8f6e54e

SHA512
f306c8212f2476aee8e45f76b4325102e86e8f001a114311503abbba9a5fc3a7ad204b77ab7fdb1364e3f95aa60dbd74be3d7a2d96ce7d62dcb4fbdff5045fad

Download Submit
C:\Windows\{A3456FB9-DA21-4200-A3D3-28BA75AC7272}.exe

Filesize
90KB

MD5
ac86f63b6e7c55586c41e68f6cde5bce

SHA1
987d8ade0cd4b3a85d1f7a787b416beac776c852

SHA256
366b1192049ce04860e19efe288c69630543dead9e03083cc10a8d455992518a

SHA512
f506f998b83152e20f963b697d7793337c554a4468489e6e0264ba9954c17b6ae191b315a39d08f206fdd373f17e4e98b6e8a806d53b3f0b8ff6f48bc7ff1f4e

Download Submit
C:\Windows\{C864EA53-789B-4051-8860-E51086A52C8F}.exe

Filesize
90KB

MD5
01bad37fa318ecc5e081fce2322250b8

SHA1
82691841ddb582ebf532bec809848ed6a62f99a5

SHA256
c52694c9b135ae7ac7b550dedc55c1907d834c1c90539a5b01365430416dc562

SHA512
9320d58d6a2874e3d1a903fde8542962e22cb3afe71d5e4da24cba30dab90f7ba5c90c739b3fcf14c5143898a6100da5b247e005b4e53dd20dbc50a849c8bd2e

Download Submit
C:\Windows\{D3861A99-68DB-469d-88AB-85AB3F71DF7F}.exe

Filesize
90KB

MD5
3fc9e6e73e02b84781354f0213439302

SHA1
a4776f58a2adbda04d30586c2e7150abf48ef1d8

SHA256
2936800434019bce84469f45712e3e72bb11c8520ae43bb4f59e363f67242d39

SHA512
a920162e4fb4a8f415749c9a3b5e0f7a7ea9b170ff865f31d1ca76bb547c8dbfa57d4430541268a061179c38f3ae414cae9b57bcc702cb8a3f3dbe340d6f6739

Download Submit
C:\Windows\{EA4A2563-5040-4128-85E3-16A2291344B6}.exe

Filesize
90KB

MD5
fd13ed330a8901cac1c3b67e4c806b82

SHA1
56a864fc5145e4b46986ddb9f99e1142f7f99815

SHA256
63f79f42b288160776453805b6b8b9b96374b3fe7550d93e2509f01c4cb04e15

SHA512
8b9eb04f6463b6d5f5b2e5efe45250aa727f057e21abbe0ebec8ac160f3497f9190faab697568e4bef14857607b3421a65a904166e780385d0528e61df949e44

Download Submit
C:\Windows\{F3B311D5-1384-402a-8893-1746D51CFC97}.exe

Filesize
90KB

MD5
5cf932988f56de8acca239c3cbf34fe3

SHA1
dad25e1e7d929a3bbfb96d4d83afb0bc789d1509

SHA256
475efd127cff881e67b525a1ed6ed0d4de76cc74e1c8f41f1bbbe0f17035e034

SHA512
04ffd937ce639179c3d0e11369e0f159530c0347f714d33213afaa8f4caa7c9dae6280231b5d424617b5b67e40e37f7db2d798919b6fd81b6e37cf3e26833e1c

Download Submit
memory/584-93-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1476-94-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1556-76-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1900-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1900-60-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2036-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2036-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2036-3-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/2036-7-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/2156-68-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2164-51-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2204-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2204-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2416-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2416-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2448-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2448-27-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2748-44-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2820-84-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads