87df040698da9b5d064813ae7ac55167d3314a4a87f1edab6a37a26703fcdbae

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce959c8f6828a2b67619d5f4fc219c00_NeikiAnalytics.exe
Size

90KB
MD5

ce959c8f6828a2b67619d5f4fc219c00
SHA1

acef6c8d084aeb9309e6917b51b9be56aa33f7cd
SHA256

87df040698da9b5d064813ae7ac55167d3314a4a87f1edab6a37a26703fcdbae
SHA512

f51cc54a5ed86bbc25c1b67a768f745748a6bf1cba5b314c852d33e86fcf92ea4b37a7b03879b0e1f52775bb413651f118f5545a39ce853e5c4c736cbd40fe8d
SSDEEP

768:50w981IshKQLroL4/wQozzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzS:CEGI0oLlVunMxVS3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1704029D-A933-4f29-93C8-F74C3B3368B6}\stubpath = "C:\\Windows\\{1704029D-A933-4f29-93C8-F74C3B3368B6}.exe"	{A2657D82-C46B-4d49-977C-01016F67E16B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E243A091-40F1-4040-AE3B-4F846BF7B78C}	{1704029D-A933-4f29-93C8-F74C3B3368B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E243A091-40F1-4040-AE3B-4F846BF7B78C}\stubpath = "C:\\Windows\\{E243A091-40F1-4040-AE3B-4F846BF7B78C}.exe"	{1704029D-A933-4f29-93C8-F74C3B3368B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6A8A061-D8E6-4ed2-9F31-A8C2E8B3B0D9}	{C75D6507-914C-4136-8E3E-3A6ABB5FE92C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55E6A017-4B82-49b2-A747-F22BCD5CDCB4}\stubpath = "C:\\Windows\\{55E6A017-4B82-49b2-A747-F22BCD5CDCB4}.exe"	{C6A8A061-D8E6-4ed2-9F31-A8C2E8B3B0D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17F9BF56-8AD1-41d2-ADFE-7A3ADA1D55C6}\stubpath = "C:\\Windows\\{17F9BF56-8AD1-41d2-ADFE-7A3ADA1D55C6}.exe"	{1ED55179-D782-48eb-9CA6-5C23B96442C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1A4A967-E4EC-423c-8812-10B7A973EB19}\stubpath = "C:\\Windows\\{A1A4A967-E4EC-423c-8812-10B7A973EB19}.exe"	{6E592633-C720-458b-A650-F04BB8F77BEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A78459E0-3D70-4378-9AE3-69930AA60CC1}\stubpath = "C:\\Windows\\{A78459E0-3D70-4378-9AE3-69930AA60CC1}.exe"	{A1A4A967-E4EC-423c-8812-10B7A973EB19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1ED55179-D782-48eb-9CA6-5C23B96442C5}	{A78459E0-3D70-4378-9AE3-69930AA60CC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1ED55179-D782-48eb-9CA6-5C23B96442C5}\stubpath = "C:\\Windows\\{1ED55179-D782-48eb-9CA6-5C23B96442C5}.exe"	{A78459E0-3D70-4378-9AE3-69930AA60CC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17F9BF56-8AD1-41d2-ADFE-7A3ADA1D55C6}	{1ED55179-D782-48eb-9CA6-5C23B96442C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E592633-C720-458b-A650-F04BB8F77BEA}	ce959c8f6828a2b67619d5f4fc219c00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A1A4A967-E4EC-423c-8812-10B7A973EB19}	{6E592633-C720-458b-A650-F04BB8F77BEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A78459E0-3D70-4378-9AE3-69930AA60CC1}	{A1A4A967-E4EC-423c-8812-10B7A973EB19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2657D82-C46B-4d49-977C-01016F67E16B}	{17F9BF56-8AD1-41d2-ADFE-7A3ADA1D55C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2657D82-C46B-4d49-977C-01016F67E16B}\stubpath = "C:\\Windows\\{A2657D82-C46B-4d49-977C-01016F67E16B}.exe"	{17F9BF56-8AD1-41d2-ADFE-7A3ADA1D55C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C75D6507-914C-4136-8E3E-3A6ABB5FE92C}\stubpath = "C:\\Windows\\{C75D6507-914C-4136-8E3E-3A6ABB5FE92C}.exe"	{E243A091-40F1-4040-AE3B-4F846BF7B78C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55E6A017-4B82-49b2-A747-F22BCD5CDCB4}	{C6A8A061-D8E6-4ed2-9F31-A8C2E8B3B0D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E592633-C720-458b-A650-F04BB8F77BEA}\stubpath = "C:\\Windows\\{6E592633-C720-458b-A650-F04BB8F77BEA}.exe"	ce959c8f6828a2b67619d5f4fc219c00_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C75D6507-914C-4136-8E3E-3A6ABB5FE92C}	{E243A091-40F1-4040-AE3B-4F846BF7B78C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6A8A061-D8E6-4ed2-9F31-A8C2E8B3B0D9}\stubpath = "C:\\Windows\\{C6A8A061-D8E6-4ed2-9F31-A8C2E8B3B0D9}.exe"	{C75D6507-914C-4136-8E3E-3A6ABB5FE92C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1704029D-A933-4f29-93C8-F74C3B3368B6}	{A2657D82-C46B-4d49-977C-01016F67E16B}.exe

Deletes itself 1 IoCs

pid	Process
2072	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3052	{6E592633-C720-458b-A650-F04BB8F77BEA}.exe
2596	{A1A4A967-E4EC-423c-8812-10B7A973EB19}.exe
2460	{A78459E0-3D70-4378-9AE3-69930AA60CC1}.exe
1612	{1ED55179-D782-48eb-9CA6-5C23B96442C5}.exe
1928	{17F9BF56-8AD1-41d2-ADFE-7A3ADA1D55C6}.exe
1788	{A2657D82-C46B-4d49-977C-01016F67E16B}.exe
2800	{1704029D-A933-4f29-93C8-F74C3B3368B6}.exe
1260	{E243A091-40F1-4040-AE3B-4F846BF7B78C}.exe
2416	{C75D6507-914C-4136-8E3E-3A6ABB5FE92C}.exe
1248	{C6A8A061-D8E6-4ed2-9F31-A8C2E8B3B0D9}.exe
1804	{55E6A017-4B82-49b2-A747-F22BCD5CDCB4}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6E592633-C720-458b-A650-F04BB8F77BEA}.exe	ce959c8f6828a2b67619d5f4fc219c00_NeikiAnalytics.exe
File created	C:\Windows\{A1A4A967-E4EC-423c-8812-10B7A973EB19}.exe	{6E592633-C720-458b-A650-F04BB8F77BEA}.exe
File created	C:\Windows\{1ED55179-D782-48eb-9CA6-5C23B96442C5}.exe	{A78459E0-3D70-4378-9AE3-69930AA60CC1}.exe
File created	C:\Windows\{A2657D82-C46B-4d49-977C-01016F67E16B}.exe	{17F9BF56-8AD1-41d2-ADFE-7A3ADA1D55C6}.exe
File created	C:\Windows\{1704029D-A933-4f29-93C8-F74C3B3368B6}.exe	{A2657D82-C46B-4d49-977C-01016F67E16B}.exe
File created	C:\Windows\{C75D6507-914C-4136-8E3E-3A6ABB5FE92C}.exe	{E243A091-40F1-4040-AE3B-4F846BF7B78C}.exe
File created	C:\Windows\{C6A8A061-D8E6-4ed2-9F31-A8C2E8B3B0D9}.exe	{C75D6507-914C-4136-8E3E-3A6ABB5FE92C}.exe
File created	C:\Windows\{A78459E0-3D70-4378-9AE3-69930AA60CC1}.exe	{A1A4A967-E4EC-423c-8812-10B7A973EB19}.exe
File created	C:\Windows\{17F9BF56-8AD1-41d2-ADFE-7A3ADA1D55C6}.exe	{1ED55179-D782-48eb-9CA6-5C23B96442C5}.exe
File created	C:\Windows\{E243A091-40F1-4040-AE3B-4F846BF7B78C}.exe	{1704029D-A933-4f29-93C8-F74C3B3368B6}.exe
File created	C:\Windows\{55E6A017-4B82-49b2-A747-F22BCD5CDCB4}.exe	{C6A8A061-D8E6-4ed2-9F31-A8C2E8B3B0D9}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3056	ce959c8f6828a2b67619d5f4fc219c00_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	3052	{6E592633-C720-458b-A650-F04BB8F77BEA}.exe
Token: SeIncBasePriorityPrivilege	2596	{A1A4A967-E4EC-423c-8812-10B7A973EB19}.exe
Token: SeIncBasePriorityPrivilege	2460	{A78459E0-3D70-4378-9AE3-69930AA60CC1}.exe
Token: SeIncBasePriorityPrivilege	1612	{1ED55179-D782-48eb-9CA6-5C23B96442C5}.exe
Token: SeIncBasePriorityPrivilege	1928	{17F9BF56-8AD1-41d2-ADFE-7A3ADA1D55C6}.exe
Token: SeIncBasePriorityPrivilege	1788	{A2657D82-C46B-4d49-977C-01016F67E16B}.exe
Token: SeIncBasePriorityPrivilege	2800	{1704029D-A933-4f29-93C8-F74C3B3368B6}.exe
Token: SeIncBasePriorityPrivilege	1260	{E243A091-40F1-4040-AE3B-4F846BF7B78C}.exe
Token: SeIncBasePriorityPrivilege	2416	{C75D6507-914C-4136-8E3E-3A6ABB5FE92C}.exe
Token: SeIncBasePriorityPrivilege	1248	{C6A8A061-D8E6-4ed2-9F31-A8C2E8B3B0D9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 3052	3056	ce959c8f6828a2b67619d5f4fc219c00_NeikiAnalytics.exe	28
PID 3056 wrote to memory of 3052	3056	ce959c8f6828a2b67619d5f4fc219c00_NeikiAnalytics.exe	28
PID 3056 wrote to memory of 3052	3056	ce959c8f6828a2b67619d5f4fc219c00_NeikiAnalytics.exe	28
PID 3056 wrote to memory of 3052	3056	ce959c8f6828a2b67619d5f4fc219c00_NeikiAnalytics.exe	28
PID 3056 wrote to memory of 2072	3056	ce959c8f6828a2b67619d5f4fc219c00_NeikiAnalytics.exe	29
PID 3056 wrote to memory of 2072	3056	ce959c8f6828a2b67619d5f4fc219c00_NeikiAnalytics.exe	29
PID 3056 wrote to memory of 2072	3056	ce959c8f6828a2b67619d5f4fc219c00_NeikiAnalytics.exe	29
PID 3056 wrote to memory of 2072	3056	ce959c8f6828a2b67619d5f4fc219c00_NeikiAnalytics.exe	29
PID 3052 wrote to memory of 2596	3052	{6E592633-C720-458b-A650-F04BB8F77BEA}.exe	30
PID 3052 wrote to memory of 2596	3052	{6E592633-C720-458b-A650-F04BB8F77BEA}.exe	30
PID 3052 wrote to memory of 2596	3052	{6E592633-C720-458b-A650-F04BB8F77BEA}.exe	30
PID 3052 wrote to memory of 2596	3052	{6E592633-C720-458b-A650-F04BB8F77BEA}.exe	30
PID 3052 wrote to memory of 2584	3052	{6E592633-C720-458b-A650-F04BB8F77BEA}.exe	31
PID 3052 wrote to memory of 2584	3052	{6E592633-C720-458b-A650-F04BB8F77BEA}.exe	31
PID 3052 wrote to memory of 2584	3052	{6E592633-C720-458b-A650-F04BB8F77BEA}.exe	31
PID 3052 wrote to memory of 2584	3052	{6E592633-C720-458b-A650-F04BB8F77BEA}.exe	31
PID 2596 wrote to memory of 2460	2596	{A1A4A967-E4EC-423c-8812-10B7A973EB19}.exe	32
PID 2596 wrote to memory of 2460	2596	{A1A4A967-E4EC-423c-8812-10B7A973EB19}.exe	32
PID 2596 wrote to memory of 2460	2596	{A1A4A967-E4EC-423c-8812-10B7A973EB19}.exe	32
PID 2596 wrote to memory of 2460	2596	{A1A4A967-E4EC-423c-8812-10B7A973EB19}.exe	32
PID 2596 wrote to memory of 2484	2596	{A1A4A967-E4EC-423c-8812-10B7A973EB19}.exe	33
PID 2596 wrote to memory of 2484	2596	{A1A4A967-E4EC-423c-8812-10B7A973EB19}.exe	33
PID 2596 wrote to memory of 2484	2596	{A1A4A967-E4EC-423c-8812-10B7A973EB19}.exe	33
PID 2596 wrote to memory of 2484	2596	{A1A4A967-E4EC-423c-8812-10B7A973EB19}.exe	33
PID 2460 wrote to memory of 1612	2460	{A78459E0-3D70-4378-9AE3-69930AA60CC1}.exe	36
PID 2460 wrote to memory of 1612	2460	{A78459E0-3D70-4378-9AE3-69930AA60CC1}.exe	36
PID 2460 wrote to memory of 1612	2460	{A78459E0-3D70-4378-9AE3-69930AA60CC1}.exe	36
PID 2460 wrote to memory of 1612	2460	{A78459E0-3D70-4378-9AE3-69930AA60CC1}.exe	36
PID 2460 wrote to memory of 2928	2460	{A78459E0-3D70-4378-9AE3-69930AA60CC1}.exe	37
PID 2460 wrote to memory of 2928	2460	{A78459E0-3D70-4378-9AE3-69930AA60CC1}.exe	37
PID 2460 wrote to memory of 2928	2460	{A78459E0-3D70-4378-9AE3-69930AA60CC1}.exe	37
PID 2460 wrote to memory of 2928	2460	{A78459E0-3D70-4378-9AE3-69930AA60CC1}.exe	37
PID 1612 wrote to memory of 1928	1612	{1ED55179-D782-48eb-9CA6-5C23B96442C5}.exe	38
PID 1612 wrote to memory of 1928	1612	{1ED55179-D782-48eb-9CA6-5C23B96442C5}.exe	38
PID 1612 wrote to memory of 1928	1612	{1ED55179-D782-48eb-9CA6-5C23B96442C5}.exe	38
PID 1612 wrote to memory of 1928	1612	{1ED55179-D782-48eb-9CA6-5C23B96442C5}.exe	38
PID 1612 wrote to memory of 1908	1612	{1ED55179-D782-48eb-9CA6-5C23B96442C5}.exe	39
PID 1612 wrote to memory of 1908	1612	{1ED55179-D782-48eb-9CA6-5C23B96442C5}.exe	39
PID 1612 wrote to memory of 1908	1612	{1ED55179-D782-48eb-9CA6-5C23B96442C5}.exe	39
PID 1612 wrote to memory of 1908	1612	{1ED55179-D782-48eb-9CA6-5C23B96442C5}.exe	39
PID 1928 wrote to memory of 1788	1928	{17F9BF56-8AD1-41d2-ADFE-7A3ADA1D55C6}.exe	40
PID 1928 wrote to memory of 1788	1928	{17F9BF56-8AD1-41d2-ADFE-7A3ADA1D55C6}.exe	40
PID 1928 wrote to memory of 1788	1928	{17F9BF56-8AD1-41d2-ADFE-7A3ADA1D55C6}.exe	40
PID 1928 wrote to memory of 1788	1928	{17F9BF56-8AD1-41d2-ADFE-7A3ADA1D55C6}.exe	40
PID 1928 wrote to memory of 1448	1928	{17F9BF56-8AD1-41d2-ADFE-7A3ADA1D55C6}.exe	41
PID 1928 wrote to memory of 1448	1928	{17F9BF56-8AD1-41d2-ADFE-7A3ADA1D55C6}.exe	41
PID 1928 wrote to memory of 1448	1928	{17F9BF56-8AD1-41d2-ADFE-7A3ADA1D55C6}.exe	41
PID 1928 wrote to memory of 1448	1928	{17F9BF56-8AD1-41d2-ADFE-7A3ADA1D55C6}.exe	41
PID 1788 wrote to memory of 2800	1788	{A2657D82-C46B-4d49-977C-01016F67E16B}.exe	42
PID 1788 wrote to memory of 2800	1788	{A2657D82-C46B-4d49-977C-01016F67E16B}.exe	42
PID 1788 wrote to memory of 2800	1788	{A2657D82-C46B-4d49-977C-01016F67E16B}.exe	42
PID 1788 wrote to memory of 2800	1788	{A2657D82-C46B-4d49-977C-01016F67E16B}.exe	42
PID 1788 wrote to memory of 2804	1788	{A2657D82-C46B-4d49-977C-01016F67E16B}.exe	43
PID 1788 wrote to memory of 2804	1788	{A2657D82-C46B-4d49-977C-01016F67E16B}.exe	43
PID 1788 wrote to memory of 2804	1788	{A2657D82-C46B-4d49-977C-01016F67E16B}.exe	43
PID 1788 wrote to memory of 2804	1788	{A2657D82-C46B-4d49-977C-01016F67E16B}.exe	43
PID 2800 wrote to memory of 1260	2800	{1704029D-A933-4f29-93C8-F74C3B3368B6}.exe	44
PID 2800 wrote to memory of 1260	2800	{1704029D-A933-4f29-93C8-F74C3B3368B6}.exe	44
PID 2800 wrote to memory of 1260	2800	{1704029D-A933-4f29-93C8-F74C3B3368B6}.exe	44
PID 2800 wrote to memory of 1260	2800	{1704029D-A933-4f29-93C8-F74C3B3368B6}.exe	44
PID 2800 wrote to memory of 2040	2800	{1704029D-A933-4f29-93C8-F74C3B3368B6}.exe	45
PID 2800 wrote to memory of 2040	2800	{1704029D-A933-4f29-93C8-F74C3B3368B6}.exe	45
PID 2800 wrote to memory of 2040	2800	{1704029D-A933-4f29-93C8-F74C3B3368B6}.exe	45
PID 2800 wrote to memory of 2040	2800	{1704029D-A933-4f29-93C8-F74C3B3368B6}.exe	45

C:\Users\Admin\AppData\Local\Temp\ce959c8f6828a2b67619d5f4fc219c00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ce959c8f6828a2b67619d5f4fc219c00_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\{6E592633-C720-458b-A650-F04BB8F77BEA}.exe
  C:\Windows\{6E592633-C720-458b-A650-F04BB8F77BEA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\{A1A4A967-E4EC-423c-8812-10B7A973EB19}.exe
    C:\Windows\{A1A4A967-E4EC-423c-8812-10B7A973EB19}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\{A78459E0-3D70-4378-9AE3-69930AA60CC1}.exe
      C:\Windows\{A78459E0-3D70-4378-9AE3-69930AA60CC1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2460
    - - C:\Windows\{1ED55179-D782-48eb-9CA6-5C23B96442C5}.exe
        
        C:\Windows\{1ED55179-D782-48eb-9CA6-5C23B96442C5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1612
      - C:\Windows\{17F9BF56-8AD1-41d2-ADFE-7A3ADA1D55C6}.exe
        
        C:\Windows\{17F9BF56-8AD1-41d2-ADFE-7A3ADA1D55C6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\{A2657D82-C46B-4d49-977C-01016F67E16B}.exe
        
        C:\Windows\{A2657D82-C46B-4d49-977C-01016F67E16B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\{1704029D-A933-4f29-93C8-F74C3B3368B6}.exe
        
        C:\Windows\{1704029D-A933-4f29-93C8-F74C3B3368B6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\{E243A091-40F1-4040-AE3B-4F846BF7B78C}.exe
        
        C:\Windows\{E243A091-40F1-4040-AE3B-4F846BF7B78C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1260
        
        C:\Windows\{C75D6507-914C-4136-8E3E-3A6ABB5FE92C}.exe
        
        C:\Windows\{C75D6507-914C-4136-8E3E-3A6ABB5FE92C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
        
        C:\Windows\{C6A8A061-D8E6-4ed2-9F31-A8C2E8B3B0D9}.exe
        
        C:\Windows\{C6A8A061-D8E6-4ed2-9F31-A8C2E8B3B0D9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
        
        C:\Windows\{55E6A017-4B82-49b2-A747-F22BCD5CDCB4}.exe
        
        C:\Windows\{55E6A017-4B82-49b2-A747-F22BCD5CDCB4}.exe
        12⤵
        Executes dropped EXE
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6A8A~1.EXE > nul
        12⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C75D6~1.EXE > nul
        11⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E243A~1.EXE > nul
        10⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17040~1.EXE > nul
        9⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2657~1.EXE > nul
        8⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17F9B~1.EXE > nul
        7⤵
        
        PID:1448
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1ED55~1.EXE > nul
        6⤵
        
        PID:1908
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7845~1.EXE > nul
        5⤵
        
        PID:2928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A1A4A~1.EXE > nul
      4⤵
      PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6E592~1.EXE > nul
    3⤵
    PID:2584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\CE959C~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1704029D-A933-4f29-93C8-F74C3B3368B6}.exe

Filesize
90KB

MD5
e04353fd1784069d48a62629e5f452d8

SHA1
fe8e8ff7e025a5d5b8b94cc6af6726f72260123e

SHA256
629b69b3437203ff5ad8257dcf0835074f77b6104b47b52d14bdd46bdc70d80d

SHA512
79e0b8bb389a69f80de5742d900bae253d4c565ace6a911f4e57272285a054e6932c057c3495f0ecaf4b3037babdba417b36f5b9d5b6990a3ed6fe17358c4e6d

Download Submit
C:\Windows\{17F9BF56-8AD1-41d2-ADFE-7A3ADA1D55C6}.exe

Filesize
90KB

MD5
b082ee0bd029b1fc68edbf284fe1997e

SHA1
015589a4aac7438f2abea4d9c651e0c5f9dd3017

SHA256
6b056745efe355d1d2532addc756b974152eaac5167d41c6318890384b69247c

SHA512
b37275b76f3d158826a130f895b9c34a149e8e2d1c0ddbed278d310bb536bdad8a3251e48005988827200a9f1620276c2a5056a4585e7b3ebf638e6f34e5b1db

Download Submit
C:\Windows\{1ED55179-D782-48eb-9CA6-5C23B96442C5}.exe

Filesize
90KB

MD5
a617bed86fe807c1b4c3ed6a0d80cedf

SHA1
490d1631dbfed292cc4f3e30c1be928290ebb09b

SHA256
fc9f7f9d4c1126884f3d074541e8eb32ebcfecb47b7c36518162cd3284427064

SHA512
b8e8cf2528e2c9092a8895b97dfb770bfb6f1d223e2b55ffabbaf34b5b20b9b7daf02697b5535c4517e8be2e7cd1aa80c17d771839fd26a4e677c9ae31d1d7e6

Download Submit
C:\Windows\{55E6A017-4B82-49b2-A747-F22BCD5CDCB4}.exe

Filesize
90KB

MD5
5b24204e9d1d9da59a57c342166a58e3

SHA1
02a73cf07a45084338c9d403801acd16759dcd64

SHA256
47acb6a1ad75cc408d821233802194150126063e2e9a8445e0c159235438cc8d

SHA512
7e0fa5e28d1bc0a0ec378c9046e9ee78128dd7ba58d436ce2d7232b0d211bf812ff87bb9b089de0abf54d41c23e2895c29765b1cea9c6527a078e299cc2156dc

Download Submit
C:\Windows\{6E592633-C720-458b-A650-F04BB8F77BEA}.exe

Filesize
90KB

MD5
8162c1ac68f663102cd46bc237cfca8e

SHA1
74a3915d0b005d175c496e5d3683c021f7b358eb

SHA256
8192459173a10a684682ebff1682bb590e1099e7cabf155f2889d781ce2c448c

SHA512
5345501e794747375950f4283891568df8771367aacc93e7bcd0aff203ab9415fcfe9115945e78d9e5ae92fa6d4008e3f072a3b8dd8eccbaf188e0ae43957561

Download Submit
C:\Windows\{A1A4A967-E4EC-423c-8812-10B7A973EB19}.exe

Filesize
90KB

MD5
bbe2746c60475bd22554c8837378c760

SHA1
2f0d6b5182d99828581a78f5c086327701011af4

SHA256
9ad4b8a087ea11d967f97b7e32237c83c2ae142e0c0c99288e16e2c1994b8ec0

SHA512
936c827dc01569aa972dd69ff9b5811cfba1ed32668cfe070e56655b8b089855987cfd2a7bb644e4e1d90ce5885a3b6f6323fbb35a96665adddbce76926d4cd8

Download Submit
C:\Windows\{A2657D82-C46B-4d49-977C-01016F67E16B}.exe

Filesize
90KB

MD5
5688395ea8d03047dfcbb1b318501f80

SHA1
48be009c6a013ced4a57d311ceeacd6623791bc4

SHA256
22d2eb65fb1d7a5836bdf1665396a0e4a5706d34c7612346f542dbff3060cbe8

SHA512
cdd23ee7e75afa223c8f5e15d9e8d9aeb3cb288558730f163dd1e17892d858fa34de4e3a087af58e295c180c3743301f40e9197993a3f8c0c959de58112f6fcc

Download Submit
C:\Windows\{A78459E0-3D70-4378-9AE3-69930AA60CC1}.exe

Filesize
90KB

MD5
205627f612f0098f5be8da8c96b9c55d

SHA1
4a2259edc4ad41f1e27f44d7bc2512c2670c68e1

SHA256
6b01bb80b6cbd50cb3340c4239e25abe4fbf9405144168040c5ac3c0b1c255ce

SHA512
85b6fb3dce3aa8ff3cc8e3863e201a30ccda96c81e017f46c2d9042d43cb745be11331e887b487289922e46ab9084808c39616a51eb3d50bf08fdc86caea582a

Download Submit
C:\Windows\{C6A8A061-D8E6-4ed2-9F31-A8C2E8B3B0D9}.exe

Filesize
90KB

MD5
6cfc706f90807b272c95ac83c5d39f2f

SHA1
6ce9f29a6e5b437285be72574e10413c346f75f8

SHA256
f7f953e85d2f282a6955dd214c248faaab704888eaafdf7f99ff7b23398b5c7d

SHA512
bd6d123063c3dec7333d2e6d60a5779c3731cf30535f6cfb1aef47746bb455e89a9d5da4ef8f6420ee6d620676aaf8c57d239222fba6224f7171ce28927697d3

Download Submit
C:\Windows\{C75D6507-914C-4136-8E3E-3A6ABB5FE92C}.exe

Filesize
90KB

MD5
d81c9ca9a619d1539548d2745e387b99

SHA1
b49bd58869bb97780e21d110f42c417fb0231b6a

SHA256
f9842c3b633be4b7a9f4afcb64d74caa928e0aed101e42c0a6b67f374cad3d1c

SHA512
bff9f889bd1e988f085db4b807d9b32ab4cc2edd1e6c0c8e1291661197d81033990cbcf501d4ba706b87b06256544c83bbf7e0752c2af0bad4c3f710e9556452

Download Submit
C:\Windows\{E243A091-40F1-4040-AE3B-4F846BF7B78C}.exe

Filesize
90KB

MD5
b19fac58734bda81cf062ff479e403ef

SHA1
9f9bbd781cd584841f5799ef51879aace2e5cacb

SHA256
c3fa8e0517c5a37443d42787e6dfa924829dc07a2af8e8fa34f70dd2dd1572f1

SHA512
7fe0480dcb7fefe75bbeb1c5847a979f2e03a7909bca10864ac110f0d4d5abe6b60c0f53b1b307ad2c110439775387761aacaa22fb9fb24b9656f0634c8f32e3

Download Submit
memory/1248-100-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1260-77-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1260-85-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1612-45-0x00000000003D0000-0x00000000003E1000-memory.dmp

Filesize
68KB

Download
memory/1612-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1612-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1612-46-0x00000000003D0000-0x00000000003E1000-memory.dmp

Filesize
68KB

Download
memory/1788-58-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1788-65-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1928-49-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1928-56-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2416-92-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2460-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2460-32-0x0000000000490000-0x00000000004A1000-memory.dmp

Filesize
68KB

Download
memory/2460-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2596-26-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2596-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2800-75-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2800-74-0x0000000001B70000-0x0000000001B81000-memory.dmp

Filesize
68KB

Download
memory/2800-72-0x0000000001B70000-0x0000000001B81000-memory.dmp

Filesize
68KB

Download
memory/3052-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3052-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3056-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3056-7-0x0000000001BE0000-0x0000000001BF1000-memory.dmp

Filesize
68KB

Download
memory/3056-8-0x0000000001BE0000-0x0000000001BF1000-memory.dmp

Filesize
68KB

Download
memory/3056-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads