8b669763c98de54b1f5de0d3a472080557d70e88196da563d22cd46b268c6553

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-05-2024 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e24b2a767bd2be6a51b77d18416dd60_NeikiAnalytics.exe
Size

98KB
MD5

9e24b2a767bd2be6a51b77d18416dd60
SHA1

c381e536da419772da5ee692e198027e2eab33f8
SHA256

8b669763c98de54b1f5de0d3a472080557d70e88196da563d22cd46b268c6553
SHA512

120068f301a0988a3720907fbd8dff7f22c595424ebf9aac6f0ee4a56b0a07db602c941f31912106d3381fbaa29916701eca8e2f5f7a1d05b7e5f6f66d14f6ae
SSDEEP

768:5vw981sthKQLroH4/wQDNrfrunMxVFA3b7glws:lEGN0oHlounMxVS3Hgz

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD4D7228-99B7-42cc-87B0-D9BDC2F3E659}	9e24b2a767bd2be6a51b77d18416dd60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6C76F09-5B7A-4274-90E5-1D5AB78D89EF}	{199CEC11-10EF-48ff-8934-3F7F40745AAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6C76F09-5B7A-4274-90E5-1D5AB78D89EF}\stubpath = "C:\\Windows\\{D6C76F09-5B7A-4274-90E5-1D5AB78D89EF}.exe"	{199CEC11-10EF-48ff-8934-3F7F40745AAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB0A3557-0DC2-439d-9AD8-D22A208ED8AB}\stubpath = "C:\\Windows\\{AB0A3557-0DC2-439d-9AD8-D22A208ED8AB}.exe"	{D6C76F09-5B7A-4274-90E5-1D5AB78D89EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CE32D05-502C-4978-907A-43E55F3D1F76}	{AB0A3557-0DC2-439d-9AD8-D22A208ED8AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7B2D010-C5E8-4dea-865D-4F9DD17A9C2A}\stubpath = "C:\\Windows\\{B7B2D010-C5E8-4dea-865D-4F9DD17A9C2A}.exe"	{5CE32D05-502C-4978-907A-43E55F3D1F76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD4D7228-99B7-42cc-87B0-D9BDC2F3E659}\stubpath = "C:\\Windows\\{BD4D7228-99B7-42cc-87B0-D9BDC2F3E659}.exe"	9e24b2a767bd2be6a51b77d18416dd60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4426D10-D328-4485-927E-292902E092E1}	{BD4D7228-99B7-42cc-87B0-D9BDC2F3E659}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4426D10-D328-4485-927E-292902E092E1}\stubpath = "C:\\Windows\\{E4426D10-D328-4485-927E-292902E092E1}.exe"	{BD4D7228-99B7-42cc-87B0-D9BDC2F3E659}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{199CEC11-10EF-48ff-8934-3F7F40745AAB}\stubpath = "C:\\Windows\\{199CEC11-10EF-48ff-8934-3F7F40745AAB}.exe"	{F429ACDC-8C5E-47f2-BDD5-2FC3F7EB700F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79953D12-7C22-4021-9AD5-226DB9BE04A5}\stubpath = "C:\\Windows\\{79953D12-7C22-4021-9AD5-226DB9BE04A5}.exe"	{B7B2D010-C5E8-4dea-865D-4F9DD17A9C2A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{901C684E-BE0A-4720-A02F-C397DC4CA221}	{79953D12-7C22-4021-9AD5-226DB9BE04A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CE32D05-502C-4978-907A-43E55F3D1F76}\stubpath = "C:\\Windows\\{5CE32D05-502C-4978-907A-43E55F3D1F76}.exe"	{AB0A3557-0DC2-439d-9AD8-D22A208ED8AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7B2D010-C5E8-4dea-865D-4F9DD17A9C2A}	{5CE32D05-502C-4978-907A-43E55F3D1F76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79953D12-7C22-4021-9AD5-226DB9BE04A5}	{B7B2D010-C5E8-4dea-865D-4F9DD17A9C2A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{901C684E-BE0A-4720-A02F-C397DC4CA221}\stubpath = "C:\\Windows\\{901C684E-BE0A-4720-A02F-C397DC4CA221}.exe"	{79953D12-7C22-4021-9AD5-226DB9BE04A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52C67FA3-A1FC-49aa-B180-2EA7C56F874A}\stubpath = "C:\\Windows\\{52C67FA3-A1FC-49aa-B180-2EA7C56F874A}.exe"	{E4426D10-D328-4485-927E-292902E092E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F429ACDC-8C5E-47f2-BDD5-2FC3F7EB700F}	{52C67FA3-A1FC-49aa-B180-2EA7C56F874A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{199CEC11-10EF-48ff-8934-3F7F40745AAB}	{F429ACDC-8C5E-47f2-BDD5-2FC3F7EB700F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB0A3557-0DC2-439d-9AD8-D22A208ED8AB}	{D6C76F09-5B7A-4274-90E5-1D5AB78D89EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52C67FA3-A1FC-49aa-B180-2EA7C56F874A}	{E4426D10-D328-4485-927E-292902E092E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F429ACDC-8C5E-47f2-BDD5-2FC3F7EB700F}\stubpath = "C:\\Windows\\{F429ACDC-8C5E-47f2-BDD5-2FC3F7EB700F}.exe"	{52C67FA3-A1FC-49aa-B180-2EA7C56F874A}.exe

Deletes itself 1 IoCs

pid	Process
2588	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2484	{BD4D7228-99B7-42cc-87B0-D9BDC2F3E659}.exe
2600	{E4426D10-D328-4485-927E-292902E092E1}.exe
2100	{52C67FA3-A1FC-49aa-B180-2EA7C56F874A}.exe
2320	{F429ACDC-8C5E-47f2-BDD5-2FC3F7EB700F}.exe
1200	{199CEC11-10EF-48ff-8934-3F7F40745AAB}.exe
956	{D6C76F09-5B7A-4274-90E5-1D5AB78D89EF}.exe
1592	{AB0A3557-0DC2-439d-9AD8-D22A208ED8AB}.exe
636	{5CE32D05-502C-4978-907A-43E55F3D1F76}.exe
584	{B7B2D010-C5E8-4dea-865D-4F9DD17A9C2A}.exe
1924	{79953D12-7C22-4021-9AD5-226DB9BE04A5}.exe
848	{901C684E-BE0A-4720-A02F-C397DC4CA221}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B7B2D010-C5E8-4dea-865D-4F9DD17A9C2A}.exe	{5CE32D05-502C-4978-907A-43E55F3D1F76}.exe
File created	C:\Windows\{79953D12-7C22-4021-9AD5-226DB9BE04A5}.exe	{B7B2D010-C5E8-4dea-865D-4F9DD17A9C2A}.exe
File created	C:\Windows\{E4426D10-D328-4485-927E-292902E092E1}.exe	{BD4D7228-99B7-42cc-87B0-D9BDC2F3E659}.exe
File created	C:\Windows\{F429ACDC-8C5E-47f2-BDD5-2FC3F7EB700F}.exe	{52C67FA3-A1FC-49aa-B180-2EA7C56F874A}.exe
File created	C:\Windows\{AB0A3557-0DC2-439d-9AD8-D22A208ED8AB}.exe	{D6C76F09-5B7A-4274-90E5-1D5AB78D89EF}.exe
File created	C:\Windows\{5CE32D05-502C-4978-907A-43E55F3D1F76}.exe	{AB0A3557-0DC2-439d-9AD8-D22A208ED8AB}.exe
File created	C:\Windows\{901C684E-BE0A-4720-A02F-C397DC4CA221}.exe	{79953D12-7C22-4021-9AD5-226DB9BE04A5}.exe
File created	C:\Windows\{BD4D7228-99B7-42cc-87B0-D9BDC2F3E659}.exe	9e24b2a767bd2be6a51b77d18416dd60_NeikiAnalytics.exe
File created	C:\Windows\{52C67FA3-A1FC-49aa-B180-2EA7C56F874A}.exe	{E4426D10-D328-4485-927E-292902E092E1}.exe
File created	C:\Windows\{199CEC11-10EF-48ff-8934-3F7F40745AAB}.exe	{F429ACDC-8C5E-47f2-BDD5-2FC3F7EB700F}.exe
File created	C:\Windows\{D6C76F09-5B7A-4274-90E5-1D5AB78D89EF}.exe	{199CEC11-10EF-48ff-8934-3F7F40745AAB}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2612	9e24b2a767bd2be6a51b77d18416dd60_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2484	{BD4D7228-99B7-42cc-87B0-D9BDC2F3E659}.exe
Token: SeIncBasePriorityPrivilege	2600	{E4426D10-D328-4485-927E-292902E092E1}.exe
Token: SeIncBasePriorityPrivilege	2100	{52C67FA3-A1FC-49aa-B180-2EA7C56F874A}.exe
Token: SeIncBasePriorityPrivilege	2320	{F429ACDC-8C5E-47f2-BDD5-2FC3F7EB700F}.exe
Token: SeIncBasePriorityPrivilege	1200	{199CEC11-10EF-48ff-8934-3F7F40745AAB}.exe
Token: SeIncBasePriorityPrivilege	956	{D6C76F09-5B7A-4274-90E5-1D5AB78D89EF}.exe
Token: SeIncBasePriorityPrivilege	1592	{AB0A3557-0DC2-439d-9AD8-D22A208ED8AB}.exe
Token: SeIncBasePriorityPrivilege	636	{5CE32D05-502C-4978-907A-43E55F3D1F76}.exe
Token: SeIncBasePriorityPrivilege	584	{B7B2D010-C5E8-4dea-865D-4F9DD17A9C2A}.exe
Token: SeIncBasePriorityPrivilege	1924	{79953D12-7C22-4021-9AD5-226DB9BE04A5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 2484	2612	9e24b2a767bd2be6a51b77d18416dd60_NeikiAnalytics.exe	28
PID 2612 wrote to memory of 2484	2612	9e24b2a767bd2be6a51b77d18416dd60_NeikiAnalytics.exe	28
PID 2612 wrote to memory of 2484	2612	9e24b2a767bd2be6a51b77d18416dd60_NeikiAnalytics.exe	28
PID 2612 wrote to memory of 2484	2612	9e24b2a767bd2be6a51b77d18416dd60_NeikiAnalytics.exe	28
PID 2612 wrote to memory of 2588	2612	9e24b2a767bd2be6a51b77d18416dd60_NeikiAnalytics.exe	29
PID 2612 wrote to memory of 2588	2612	9e24b2a767bd2be6a51b77d18416dd60_NeikiAnalytics.exe	29
PID 2612 wrote to memory of 2588	2612	9e24b2a767bd2be6a51b77d18416dd60_NeikiAnalytics.exe	29
PID 2612 wrote to memory of 2588	2612	9e24b2a767bd2be6a51b77d18416dd60_NeikiAnalytics.exe	29
PID 2484 wrote to memory of 2600	2484	{BD4D7228-99B7-42cc-87B0-D9BDC2F3E659}.exe	32
PID 2484 wrote to memory of 2600	2484	{BD4D7228-99B7-42cc-87B0-D9BDC2F3E659}.exe	32
PID 2484 wrote to memory of 2600	2484	{BD4D7228-99B7-42cc-87B0-D9BDC2F3E659}.exe	32
PID 2484 wrote to memory of 2600	2484	{BD4D7228-99B7-42cc-87B0-D9BDC2F3E659}.exe	32
PID 2484 wrote to memory of 2368	2484	{BD4D7228-99B7-42cc-87B0-D9BDC2F3E659}.exe	33
PID 2484 wrote to memory of 2368	2484	{BD4D7228-99B7-42cc-87B0-D9BDC2F3E659}.exe	33
PID 2484 wrote to memory of 2368	2484	{BD4D7228-99B7-42cc-87B0-D9BDC2F3E659}.exe	33
PID 2484 wrote to memory of 2368	2484	{BD4D7228-99B7-42cc-87B0-D9BDC2F3E659}.exe	33
PID 2600 wrote to memory of 2100	2600	{E4426D10-D328-4485-927E-292902E092E1}.exe	34
PID 2600 wrote to memory of 2100	2600	{E4426D10-D328-4485-927E-292902E092E1}.exe	34
PID 2600 wrote to memory of 2100	2600	{E4426D10-D328-4485-927E-292902E092E1}.exe	34
PID 2600 wrote to memory of 2100	2600	{E4426D10-D328-4485-927E-292902E092E1}.exe	34
PID 2600 wrote to memory of 112	2600	{E4426D10-D328-4485-927E-292902E092E1}.exe	35
PID 2600 wrote to memory of 112	2600	{E4426D10-D328-4485-927E-292902E092E1}.exe	35
PID 2600 wrote to memory of 112	2600	{E4426D10-D328-4485-927E-292902E092E1}.exe	35
PID 2600 wrote to memory of 112	2600	{E4426D10-D328-4485-927E-292902E092E1}.exe	35
PID 2100 wrote to memory of 2320	2100	{52C67FA3-A1FC-49aa-B180-2EA7C56F874A}.exe	36
PID 2100 wrote to memory of 2320	2100	{52C67FA3-A1FC-49aa-B180-2EA7C56F874A}.exe	36
PID 2100 wrote to memory of 2320	2100	{52C67FA3-A1FC-49aa-B180-2EA7C56F874A}.exe	36
PID 2100 wrote to memory of 2320	2100	{52C67FA3-A1FC-49aa-B180-2EA7C56F874A}.exe	36
PID 2100 wrote to memory of 1808	2100	{52C67FA3-A1FC-49aa-B180-2EA7C56F874A}.exe	37
PID 2100 wrote to memory of 1808	2100	{52C67FA3-A1FC-49aa-B180-2EA7C56F874A}.exe	37
PID 2100 wrote to memory of 1808	2100	{52C67FA3-A1FC-49aa-B180-2EA7C56F874A}.exe	37
PID 2100 wrote to memory of 1808	2100	{52C67FA3-A1FC-49aa-B180-2EA7C56F874A}.exe	37
PID 2320 wrote to memory of 1200	2320	{F429ACDC-8C5E-47f2-BDD5-2FC3F7EB700F}.exe	38
PID 2320 wrote to memory of 1200	2320	{F429ACDC-8C5E-47f2-BDD5-2FC3F7EB700F}.exe	38
PID 2320 wrote to memory of 1200	2320	{F429ACDC-8C5E-47f2-BDD5-2FC3F7EB700F}.exe	38
PID 2320 wrote to memory of 1200	2320	{F429ACDC-8C5E-47f2-BDD5-2FC3F7EB700F}.exe	38
PID 2320 wrote to memory of 1620	2320	{F429ACDC-8C5E-47f2-BDD5-2FC3F7EB700F}.exe	39
PID 2320 wrote to memory of 1620	2320	{F429ACDC-8C5E-47f2-BDD5-2FC3F7EB700F}.exe	39
PID 2320 wrote to memory of 1620	2320	{F429ACDC-8C5E-47f2-BDD5-2FC3F7EB700F}.exe	39
PID 2320 wrote to memory of 1620	2320	{F429ACDC-8C5E-47f2-BDD5-2FC3F7EB700F}.exe	39
PID 1200 wrote to memory of 956	1200	{199CEC11-10EF-48ff-8934-3F7F40745AAB}.exe	40
PID 1200 wrote to memory of 956	1200	{199CEC11-10EF-48ff-8934-3F7F40745AAB}.exe	40
PID 1200 wrote to memory of 956	1200	{199CEC11-10EF-48ff-8934-3F7F40745AAB}.exe	40
PID 1200 wrote to memory of 956	1200	{199CEC11-10EF-48ff-8934-3F7F40745AAB}.exe	40
PID 1200 wrote to memory of 1700	1200	{199CEC11-10EF-48ff-8934-3F7F40745AAB}.exe	41
PID 1200 wrote to memory of 1700	1200	{199CEC11-10EF-48ff-8934-3F7F40745AAB}.exe	41
PID 1200 wrote to memory of 1700	1200	{199CEC11-10EF-48ff-8934-3F7F40745AAB}.exe	41
PID 1200 wrote to memory of 1700	1200	{199CEC11-10EF-48ff-8934-3F7F40745AAB}.exe	41
PID 956 wrote to memory of 1592	956	{D6C76F09-5B7A-4274-90E5-1D5AB78D89EF}.exe	42
PID 956 wrote to memory of 1592	956	{D6C76F09-5B7A-4274-90E5-1D5AB78D89EF}.exe	42
PID 956 wrote to memory of 1592	956	{D6C76F09-5B7A-4274-90E5-1D5AB78D89EF}.exe	42
PID 956 wrote to memory of 1592	956	{D6C76F09-5B7A-4274-90E5-1D5AB78D89EF}.exe	42
PID 956 wrote to memory of 1748	956	{D6C76F09-5B7A-4274-90E5-1D5AB78D89EF}.exe	43
PID 956 wrote to memory of 1748	956	{D6C76F09-5B7A-4274-90E5-1D5AB78D89EF}.exe	43
PID 956 wrote to memory of 1748	956	{D6C76F09-5B7A-4274-90E5-1D5AB78D89EF}.exe	43
PID 956 wrote to memory of 1748	956	{D6C76F09-5B7A-4274-90E5-1D5AB78D89EF}.exe	43
PID 1592 wrote to memory of 636	1592	{AB0A3557-0DC2-439d-9AD8-D22A208ED8AB}.exe	44
PID 1592 wrote to memory of 636	1592	{AB0A3557-0DC2-439d-9AD8-D22A208ED8AB}.exe	44
PID 1592 wrote to memory of 636	1592	{AB0A3557-0DC2-439d-9AD8-D22A208ED8AB}.exe	44
PID 1592 wrote to memory of 636	1592	{AB0A3557-0DC2-439d-9AD8-D22A208ED8AB}.exe	44
PID 1592 wrote to memory of 2412	1592	{AB0A3557-0DC2-439d-9AD8-D22A208ED8AB}.exe	45
PID 1592 wrote to memory of 2412	1592	{AB0A3557-0DC2-439d-9AD8-D22A208ED8AB}.exe	45
PID 1592 wrote to memory of 2412	1592	{AB0A3557-0DC2-439d-9AD8-D22A208ED8AB}.exe	45
PID 1592 wrote to memory of 2412	1592	{AB0A3557-0DC2-439d-9AD8-D22A208ED8AB}.exe	45

C:\Users\Admin\AppData\Local\Temp\9e24b2a767bd2be6a51b77d18416dd60_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9e24b2a767bd2be6a51b77d18416dd60_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\{BD4D7228-99B7-42cc-87B0-D9BDC2F3E659}.exe
  C:\Windows\{BD4D7228-99B7-42cc-87B0-D9BDC2F3E659}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\{E4426D10-D328-4485-927E-292902E092E1}.exe
    C:\Windows\{E4426D10-D328-4485-927E-292902E092E1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\{52C67FA3-A1FC-49aa-B180-2EA7C56F874A}.exe
      C:\Windows\{52C67FA3-A1FC-49aa-B180-2EA7C56F874A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2100
    - - C:\Windows\{F429ACDC-8C5E-47f2-BDD5-2FC3F7EB700F}.exe
        
        C:\Windows\{F429ACDC-8C5E-47f2-BDD5-2FC3F7EB700F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2320
      - C:\Windows\{199CEC11-10EF-48ff-8934-3F7F40745AAB}.exe
        
        C:\Windows\{199CEC11-10EF-48ff-8934-3F7F40745AAB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\{D6C76F09-5B7A-4274-90E5-1D5AB78D89EF}.exe
        
        C:\Windows\{D6C76F09-5B7A-4274-90E5-1D5AB78D89EF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\{AB0A3557-0DC2-439d-9AD8-D22A208ED8AB}.exe
        
        C:\Windows\{AB0A3557-0DC2-439d-9AD8-D22A208ED8AB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\{5CE32D05-502C-4978-907A-43E55F3D1F76}.exe
        
        C:\Windows\{5CE32D05-502C-4978-907A-43E55F3D1F76}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:636
        
        C:\Windows\{B7B2D010-C5E8-4dea-865D-4F9DD17A9C2A}.exe
        
        C:\Windows\{B7B2D010-C5E8-4dea-865D-4F9DD17A9C2A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:584
        
        C:\Windows\{79953D12-7C22-4021-9AD5-226DB9BE04A5}.exe
        
        C:\Windows\{79953D12-7C22-4021-9AD5-226DB9BE04A5}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\{901C684E-BE0A-4720-A02F-C397DC4CA221}.exe
        
        C:\Windows\{901C684E-BE0A-4720-A02F-C397DC4CA221}.exe
        12⤵
        Executes dropped EXE
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79953~1.EXE > nul
        12⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7B2D~1.EXE > nul
        11⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CE32~1.EXE > nul
        10⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB0A3~1.EXE > nul
        9⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6C76~1.EXE > nul
        8⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{199CE~1.EXE > nul
        7⤵
        
        PID:1700
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F429A~1.EXE > nul
        6⤵
        
        PID:1620
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52C67~1.EXE > nul
        5⤵
        
        PID:1808
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E4426~1.EXE > nul
      4⤵
      PID:112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BD4D7~1.EXE > nul
    3⤵
    PID:2368
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9E24B2~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{199CEC11-10EF-48ff-8934-3F7F40745AAB}.exe

Filesize
98KB

MD5
d7708b904d8eb2375f650250ab65793f

SHA1
10d1877225608f695331f990a5618e1dd884b211

SHA256
80fcd35bd356a8d77cc61e8b0b38cfdbfd2c0d474f38143d66fd660e67f4fbc8

SHA512
ad297c8aad34bcb21a9f009156bef77f3016f59bfbe72811b065c2bee11b2964fd4b6c0882ef8c082d6b768267c2786274309a378c8bb9748c344c56cda0425b

Download Submit
C:\Windows\{52C67FA3-A1FC-49aa-B180-2EA7C56F874A}.exe

Filesize
98KB

MD5
8eac072ce24d29b8a3db62744fe7e828

SHA1
d651986d132b4bf1383595dc89f249d5f50afc60

SHA256
1d12dd41cbb538b59b8b2d95631b450674d432b5c147c38d4cbdedd5bdf9de83

SHA512
9071d26b47eed8292116230e81b3a77502cb58c9a765649790c844aaed70e85dd056c631df05a4865fd079cfcfaa299bacb5d30e83fafbb3f77ee8926c3d9c68

Download Submit
C:\Windows\{5CE32D05-502C-4978-907A-43E55F3D1F76}.exe

Filesize
98KB

MD5
61839d21368537265ba2160be24d0d7d

SHA1
9eef0ac5d12cd33580bf2c76375e8f18cdda7e7d

SHA256
3c4bfe4134c9538cb41a358ef52f591d53347d9de91e793675280fd746601df3

SHA512
1763b2feb1c05845d5c2375afd0ed7d827ec90b71e59e38a362d809c4787a047a368b41033d443232782bc609fe7ac993cffc049faf07e3e5e2e33ed5546c6a8

Download Submit
C:\Windows\{79953D12-7C22-4021-9AD5-226DB9BE04A5}.exe

Filesize
98KB

MD5
baa69c2bb28fafaa0d976d9eb4d54826

SHA1
8ce908e1b601ef0571afa635d63aa56f14f89377

SHA256
614550c636ca3a34d10d184b6dc2b874b8fd317b23abf2e6ff1ce4d2dc4f2bd8

SHA512
54ca275b34e429e32fe0862e7482e75620774b26f0413eb94d21706b8916b837f2838f7f389ebcde00dafd30a43dd6219829f3269ad8a9e311ece90a61451c3e

Download Submit
C:\Windows\{901C684E-BE0A-4720-A02F-C397DC4CA221}.exe

Filesize
98KB

MD5
758858a02b47f9ebf7d669a34e962603

SHA1
bd3af4e1a545789dbc94702f41313d938cff97ec

SHA256
9313ad6d8da3d544fbd82054b8112933d4d9d5687dda29fef2e8bd264836bea7

SHA512
4c45042b06a5d057091b9c6e45869519e54b31ba00b8cb15bd28c71ba1120ac836f9623977f9c789f0c52a1aba4e5a2ec5264a71c8e36b172bef5d8148f92421

Download Submit
C:\Windows\{AB0A3557-0DC2-439d-9AD8-D22A208ED8AB}.exe

Filesize
98KB

MD5
ea56d24c70666b0a7112774b54126df5

SHA1
d60d1294bd7796656c7c3f3e49943d35c0e7023b

SHA256
244ebedeffe692d858b662431b87ca73c69a8f698ebd13b52b6b9a21fde7086b

SHA512
02e75a62918dc6c380f55ee177f009bbf1add2a4647695e2a55e301dfea718b4755704d79e4e69df099aed5557aa9c516d33d310c89797fa55512a61172a74d0

Download Submit
C:\Windows\{B7B2D010-C5E8-4dea-865D-4F9DD17A9C2A}.exe

Filesize
98KB

MD5
1c67136ac45412aa16a27b9dbad10f14

SHA1
299e4d96edc9b6374d0963fed6bea496a69d80e9

SHA256
3c04d9b2582753cf948f4fcd0a3b9ce703fa93e85e72c65e9e5825dd41ac4c75

SHA512
844c79c5d74868c6f9d7f6f0cad446af399939021ff83a6aff00568157e17698749b626d4aa550c916bc48b3c65fe530f95802a6a98d2b5dee20fd546dae306f

Download Submit
C:\Windows\{BD4D7228-99B7-42cc-87B0-D9BDC2F3E659}.exe

Filesize
98KB

MD5
a2406ed647c35f3fb1a29fa239772f1a

SHA1
7dc7bb5d527faaf4866079cbfe6c3ea22782b5ff

SHA256
c687905d82e9dd502ef34e622acd8909c1f56c147d0880828269ede07ba19515

SHA512
a7e4efad6e4c663b97d982cbf4973b64279fd710ef4c2b4277f57ee299faca08d6424d5b1f51156fa9207909753e38fd835bdd3dcb86262514b85ec3cf73a0e6

Download Submit
C:\Windows\{D6C76F09-5B7A-4274-90E5-1D5AB78D89EF}.exe

Filesize
98KB

MD5
534d83b1391535e80ac2d8e40ba44b09

SHA1
cb9a2459de7b771d685dac722290067e4bedd07c

SHA256
77a75617390540a50caf7db41ffb0f8e3c9b4bcbfcff005fc932c3ff240daa63

SHA512
ced32b4c8dd45ea56c1e65699e490713d435385950fe4fe5043d6377d856b0487e9b5bf04907bf9d03e61e64215839fb287893f0acd163b68d68d9ff91abca11

Download Submit
C:\Windows\{E4426D10-D328-4485-927E-292902E092E1}.exe

Filesize
98KB

MD5
f2a537dbe404fe8c5c908e5bb70ebcfb

SHA1
63dfdad9d36b74eb61828e22b9850d2b6a10a2a5

SHA256
3c07b5b72a70d7881587adc8577a22f6da757c3f23c3e600423ad52f4342eaf4

SHA512
a9df805a1b4837238491d9fda4e603560440abb8a827647474e44a4c8287360abdb7697845d7113da4a9ae7416ad58b8ecb43f6578122e18d2849d43c9dd4f2a

Download Submit
C:\Windows\{F429ACDC-8C5E-47f2-BDD5-2FC3F7EB700F}.exe

Filesize
98KB

MD5
4b809816da66f5a6110e13264ae80434

SHA1
1ae5456ec1c05cc084c8c8049313a19509af5e14

SHA256
9c615b0d7c0d3c29420827790967e0a90599d09d49fd778105cd40d1d278f860

SHA512
55ae4241630a358060f5a2b4cf0bd325d540514f71ecfcacf25844ae6138231295855523c471bb293b109c15fea677717892f2c1743f41177eec3f38a02dcf1a

Download Submit
memory/584-93-0x0000000000270000-0x0000000000281000-memory.dmp

Filesize
68KB

Download
memory/584-92-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/584-85-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/636-84-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/636-80-0x0000000000250000-0x0000000000261000-memory.dmp

Filesize
68KB

Download
memory/636-82-0x0000000000250000-0x0000000000261000-memory.dmp

Filesize
68KB

Download
memory/956-65-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1200-49-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1200-56-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1592-69-0x0000000000300000-0x0000000000311000-memory.dmp

Filesize
68KB

Download
memory/1592-73-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1924-103-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1924-95-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1924-102-0x0000000000280000-0x0000000000291000-memory.dmp

Filesize
68KB

Download
memory/2100-35-0x0000000000290000-0x00000000002A1000-memory.dmp

Filesize
68KB

Download
memory/2100-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2100-36-0x0000000000290000-0x00000000002A1000-memory.dmp

Filesize
68KB

Download
memory/2320-43-0x0000000000420000-0x0000000000431000-memory.dmp

Filesize
68KB

Download
memory/2320-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2320-39-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2484-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2484-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2600-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2600-23-0x00000000002F0000-0x0000000000301000-memory.dmp

Filesize
68KB

Download
memory/2600-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2612-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2612-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2612-7-0x00000000003C0000-0x00000000003D1000-memory.dmp

Filesize
68KB

Download
memory/2612-9-0x00000000003C0000-0x00000000003D1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads