8f96e7c46536ed8940c7950aa8525fcd57f40d118a2c417bbae4682a0bebc14b

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
17/05/2024, 20:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2be9233367cf3a95c63505a0a5132080_NeikiAnalytics.exe
Size

64KB
MD5

2be9233367cf3a95c63505a0a5132080
SHA1

b9211a5d347fe4719ed90c2291e184bc19156bd2
SHA256

8f96e7c46536ed8940c7950aa8525fcd57f40d118a2c417bbae4682a0bebc14b
SHA512

c145ddd1ffacfa29be69537659a506ab6971f76121125f5f4c5ec69ff812ae0f6b996110a576ecebe00bb9909520d1b598485dbb48a00834f7fde349ebd7b46a
SSDEEP

384:ObIwOs8AHsc4sMDwhKQLro64/CFsrdHWMZp:OEw9816vhKQLro64/wQpWMZp

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7325D02-7560-4465-B653-86C1ACBCF517}\stubpath = "C:\\Windows\\{F7325D02-7560-4465-B653-86C1ACBCF517}.exe"	{F23BF9C7-1A89-4b44-B228-A9C94927BC1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90950E97-0162-41cd-AD40-9610C0FBD7D5}\stubpath = "C:\\Windows\\{90950E97-0162-41cd-AD40-9610C0FBD7D5}.exe"	{393497B7-F928-42db-8552-724E0423C261}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D40B53E0-7A22-47b0-9018-D2938CE3FDF6}\stubpath = "C:\\Windows\\{D40B53E0-7A22-47b0-9018-D2938CE3FDF6}.exe"	{1105D1D9-5986-46db-B6DC-838E188B0799}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE893C90-3A51-4186-AA22-46E252A2B8E2}	{D40B53E0-7A22-47b0-9018-D2938CE3FDF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F23BF9C7-1A89-4b44-B228-A9C94927BC1B}\stubpath = "C:\\Windows\\{F23BF9C7-1A89-4b44-B228-A9C94927BC1B}.exe"	{A15D8488-D575-4660-AAF7-3E8E30A4A112}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D40B53E0-7A22-47b0-9018-D2938CE3FDF6}	{1105D1D9-5986-46db-B6DC-838E188B0799}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A15D8488-D575-4660-AAF7-3E8E30A4A112}	{FE893C90-3A51-4186-AA22-46E252A2B8E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A15D8488-D575-4660-AAF7-3E8E30A4A112}\stubpath = "C:\\Windows\\{A15D8488-D575-4660-AAF7-3E8E30A4A112}.exe"	{FE893C90-3A51-4186-AA22-46E252A2B8E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F29CE69-C003-40a0-8015-2AACEE21106E}	{90950E97-0162-41cd-AD40-9610C0FBD7D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7A9ECF3-FE88-4748-A7B6-980F7320A71D}	{02DB8AC4-F1C6-4203-800D-398417C26FD9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7A9ECF3-FE88-4748-A7B6-980F7320A71D}\stubpath = "C:\\Windows\\{D7A9ECF3-FE88-4748-A7B6-980F7320A71D}.exe"	{02DB8AC4-F1C6-4203-800D-398417C26FD9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1105D1D9-5986-46db-B6DC-838E188B0799}	{D7A9ECF3-FE88-4748-A7B6-980F7320A71D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{393497B7-F928-42db-8552-724E0423C261}	2be9233367cf3a95c63505a0a5132080_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F29CE69-C003-40a0-8015-2AACEE21106E}\stubpath = "C:\\Windows\\{6F29CE69-C003-40a0-8015-2AACEE21106E}.exe"	{90950E97-0162-41cd-AD40-9610C0FBD7D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE893C90-3A51-4186-AA22-46E252A2B8E2}\stubpath = "C:\\Windows\\{FE893C90-3A51-4186-AA22-46E252A2B8E2}.exe"	{D40B53E0-7A22-47b0-9018-D2938CE3FDF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1105D1D9-5986-46db-B6DC-838E188B0799}\stubpath = "C:\\Windows\\{1105D1D9-5986-46db-B6DC-838E188B0799}.exe"	{D7A9ECF3-FE88-4748-A7B6-980F7320A71D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F23BF9C7-1A89-4b44-B228-A9C94927BC1B}	{A15D8488-D575-4660-AAF7-3E8E30A4A112}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F7325D02-7560-4465-B653-86C1ACBCF517}	{F23BF9C7-1A89-4b44-B228-A9C94927BC1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{393497B7-F928-42db-8552-724E0423C261}\stubpath = "C:\\Windows\\{393497B7-F928-42db-8552-724E0423C261}.exe"	2be9233367cf3a95c63505a0a5132080_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90950E97-0162-41cd-AD40-9610C0FBD7D5}	{393497B7-F928-42db-8552-724E0423C261}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02DB8AC4-F1C6-4203-800D-398417C26FD9}	{6F29CE69-C003-40a0-8015-2AACEE21106E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02DB8AC4-F1C6-4203-800D-398417C26FD9}\stubpath = "C:\\Windows\\{02DB8AC4-F1C6-4203-800D-398417C26FD9}.exe"	{6F29CE69-C003-40a0-8015-2AACEE21106E}.exe

Deletes itself 1 IoCs

pid	Process
2544	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2200	{393497B7-F928-42db-8552-724E0423C261}.exe
2580	{90950E97-0162-41cd-AD40-9610C0FBD7D5}.exe
2916	{6F29CE69-C003-40a0-8015-2AACEE21106E}.exe
1960	{02DB8AC4-F1C6-4203-800D-398417C26FD9}.exe
1988	{D7A9ECF3-FE88-4748-A7B6-980F7320A71D}.exe
876	{1105D1D9-5986-46db-B6DC-838E188B0799}.exe
2328	{D40B53E0-7A22-47b0-9018-D2938CE3FDF6}.exe
284	{FE893C90-3A51-4186-AA22-46E252A2B8E2}.exe
1712	{A15D8488-D575-4660-AAF7-3E8E30A4A112}.exe
788	{F23BF9C7-1A89-4b44-B228-A9C94927BC1B}.exe
1828	{F7325D02-7560-4465-B653-86C1ACBCF517}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{393497B7-F928-42db-8552-724E0423C261}.exe	2be9233367cf3a95c63505a0a5132080_NeikiAnalytics.exe
File created	C:\Windows\{6F29CE69-C003-40a0-8015-2AACEE21106E}.exe	{90950E97-0162-41cd-AD40-9610C0FBD7D5}.exe
File created	C:\Windows\{D40B53E0-7A22-47b0-9018-D2938CE3FDF6}.exe	{1105D1D9-5986-46db-B6DC-838E188B0799}.exe
File created	C:\Windows\{F23BF9C7-1A89-4b44-B228-A9C94927BC1B}.exe	{A15D8488-D575-4660-AAF7-3E8E30A4A112}.exe
File created	C:\Windows\{F7325D02-7560-4465-B653-86C1ACBCF517}.exe	{F23BF9C7-1A89-4b44-B228-A9C94927BC1B}.exe
File created	C:\Windows\{90950E97-0162-41cd-AD40-9610C0FBD7D5}.exe	{393497B7-F928-42db-8552-724E0423C261}.exe
File created	C:\Windows\{02DB8AC4-F1C6-4203-800D-398417C26FD9}.exe	{6F29CE69-C003-40a0-8015-2AACEE21106E}.exe
File created	C:\Windows\{D7A9ECF3-FE88-4748-A7B6-980F7320A71D}.exe	{02DB8AC4-F1C6-4203-800D-398417C26FD9}.exe
File created	C:\Windows\{1105D1D9-5986-46db-B6DC-838E188B0799}.exe	{D7A9ECF3-FE88-4748-A7B6-980F7320A71D}.exe
File created	C:\Windows\{FE893C90-3A51-4186-AA22-46E252A2B8E2}.exe	{D40B53E0-7A22-47b0-9018-D2938CE3FDF6}.exe
File created	C:\Windows\{A15D8488-D575-4660-AAF7-3E8E30A4A112}.exe	{FE893C90-3A51-4186-AA22-46E252A2B8E2}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1276	2be9233367cf3a95c63505a0a5132080_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2200	{393497B7-F928-42db-8552-724E0423C261}.exe
Token: SeIncBasePriorityPrivilege	2580	{90950E97-0162-41cd-AD40-9610C0FBD7D5}.exe
Token: SeIncBasePriorityPrivilege	2916	{6F29CE69-C003-40a0-8015-2AACEE21106E}.exe
Token: SeIncBasePriorityPrivilege	1960	{02DB8AC4-F1C6-4203-800D-398417C26FD9}.exe
Token: SeIncBasePriorityPrivilege	1988	{D7A9ECF3-FE88-4748-A7B6-980F7320A71D}.exe
Token: SeIncBasePriorityPrivilege	876	{1105D1D9-5986-46db-B6DC-838E188B0799}.exe
Token: SeIncBasePriorityPrivilege	2328	{D40B53E0-7A22-47b0-9018-D2938CE3FDF6}.exe
Token: SeIncBasePriorityPrivilege	284	{FE893C90-3A51-4186-AA22-46E252A2B8E2}.exe
Token: SeIncBasePriorityPrivilege	1712	{A15D8488-D575-4660-AAF7-3E8E30A4A112}.exe
Token: SeIncBasePriorityPrivilege	788	{F23BF9C7-1A89-4b44-B228-A9C94927BC1B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 2200	1276	2be9233367cf3a95c63505a0a5132080_NeikiAnalytics.exe	28
PID 1276 wrote to memory of 2200	1276	2be9233367cf3a95c63505a0a5132080_NeikiAnalytics.exe	28
PID 1276 wrote to memory of 2200	1276	2be9233367cf3a95c63505a0a5132080_NeikiAnalytics.exe	28
PID 1276 wrote to memory of 2200	1276	2be9233367cf3a95c63505a0a5132080_NeikiAnalytics.exe	28
PID 1276 wrote to memory of 2544	1276	2be9233367cf3a95c63505a0a5132080_NeikiAnalytics.exe	29
PID 1276 wrote to memory of 2544	1276	2be9233367cf3a95c63505a0a5132080_NeikiAnalytics.exe	29
PID 1276 wrote to memory of 2544	1276	2be9233367cf3a95c63505a0a5132080_NeikiAnalytics.exe	29
PID 1276 wrote to memory of 2544	1276	2be9233367cf3a95c63505a0a5132080_NeikiAnalytics.exe	29
PID 2200 wrote to memory of 2580	2200	{393497B7-F928-42db-8552-724E0423C261}.exe	30
PID 2200 wrote to memory of 2580	2200	{393497B7-F928-42db-8552-724E0423C261}.exe	30
PID 2200 wrote to memory of 2580	2200	{393497B7-F928-42db-8552-724E0423C261}.exe	30
PID 2200 wrote to memory of 2580	2200	{393497B7-F928-42db-8552-724E0423C261}.exe	30
PID 2200 wrote to memory of 2952	2200	{393497B7-F928-42db-8552-724E0423C261}.exe	31
PID 2200 wrote to memory of 2952	2200	{393497B7-F928-42db-8552-724E0423C261}.exe	31
PID 2200 wrote to memory of 2952	2200	{393497B7-F928-42db-8552-724E0423C261}.exe	31
PID 2200 wrote to memory of 2952	2200	{393497B7-F928-42db-8552-724E0423C261}.exe	31
PID 2580 wrote to memory of 2916	2580	{90950E97-0162-41cd-AD40-9610C0FBD7D5}.exe	32
PID 2580 wrote to memory of 2916	2580	{90950E97-0162-41cd-AD40-9610C0FBD7D5}.exe	32
PID 2580 wrote to memory of 2916	2580	{90950E97-0162-41cd-AD40-9610C0FBD7D5}.exe	32
PID 2580 wrote to memory of 2916	2580	{90950E97-0162-41cd-AD40-9610C0FBD7D5}.exe	32
PID 2580 wrote to memory of 2624	2580	{90950E97-0162-41cd-AD40-9610C0FBD7D5}.exe	33
PID 2580 wrote to memory of 2624	2580	{90950E97-0162-41cd-AD40-9610C0FBD7D5}.exe	33
PID 2580 wrote to memory of 2624	2580	{90950E97-0162-41cd-AD40-9610C0FBD7D5}.exe	33
PID 2580 wrote to memory of 2624	2580	{90950E97-0162-41cd-AD40-9610C0FBD7D5}.exe	33
PID 2916 wrote to memory of 1960	2916	{6F29CE69-C003-40a0-8015-2AACEE21106E}.exe	36
PID 2916 wrote to memory of 1960	2916	{6F29CE69-C003-40a0-8015-2AACEE21106E}.exe	36
PID 2916 wrote to memory of 1960	2916	{6F29CE69-C003-40a0-8015-2AACEE21106E}.exe	36
PID 2916 wrote to memory of 1960	2916	{6F29CE69-C003-40a0-8015-2AACEE21106E}.exe	36
PID 2916 wrote to memory of 2684	2916	{6F29CE69-C003-40a0-8015-2AACEE21106E}.exe	37
PID 2916 wrote to memory of 2684	2916	{6F29CE69-C003-40a0-8015-2AACEE21106E}.exe	37
PID 2916 wrote to memory of 2684	2916	{6F29CE69-C003-40a0-8015-2AACEE21106E}.exe	37
PID 2916 wrote to memory of 2684	2916	{6F29CE69-C003-40a0-8015-2AACEE21106E}.exe	37
PID 1960 wrote to memory of 1988	1960	{02DB8AC4-F1C6-4203-800D-398417C26FD9}.exe	38
PID 1960 wrote to memory of 1988	1960	{02DB8AC4-F1C6-4203-800D-398417C26FD9}.exe	38
PID 1960 wrote to memory of 1988	1960	{02DB8AC4-F1C6-4203-800D-398417C26FD9}.exe	38
PID 1960 wrote to memory of 1988	1960	{02DB8AC4-F1C6-4203-800D-398417C26FD9}.exe	38
PID 1960 wrote to memory of 1844	1960	{02DB8AC4-F1C6-4203-800D-398417C26FD9}.exe	39
PID 1960 wrote to memory of 1844	1960	{02DB8AC4-F1C6-4203-800D-398417C26FD9}.exe	39
PID 1960 wrote to memory of 1844	1960	{02DB8AC4-F1C6-4203-800D-398417C26FD9}.exe	39
PID 1960 wrote to memory of 1844	1960	{02DB8AC4-F1C6-4203-800D-398417C26FD9}.exe	39
PID 1988 wrote to memory of 876	1988	{D7A9ECF3-FE88-4748-A7B6-980F7320A71D}.exe	40
PID 1988 wrote to memory of 876	1988	{D7A9ECF3-FE88-4748-A7B6-980F7320A71D}.exe	40
PID 1988 wrote to memory of 876	1988	{D7A9ECF3-FE88-4748-A7B6-980F7320A71D}.exe	40
PID 1988 wrote to memory of 876	1988	{D7A9ECF3-FE88-4748-A7B6-980F7320A71D}.exe	40
PID 1988 wrote to memory of 2032	1988	{D7A9ECF3-FE88-4748-A7B6-980F7320A71D}.exe	41
PID 1988 wrote to memory of 2032	1988	{D7A9ECF3-FE88-4748-A7B6-980F7320A71D}.exe	41
PID 1988 wrote to memory of 2032	1988	{D7A9ECF3-FE88-4748-A7B6-980F7320A71D}.exe	41
PID 1988 wrote to memory of 2032	1988	{D7A9ECF3-FE88-4748-A7B6-980F7320A71D}.exe	41
PID 876 wrote to memory of 2328	876	{1105D1D9-5986-46db-B6DC-838E188B0799}.exe	42
PID 876 wrote to memory of 2328	876	{1105D1D9-5986-46db-B6DC-838E188B0799}.exe	42
PID 876 wrote to memory of 2328	876	{1105D1D9-5986-46db-B6DC-838E188B0799}.exe	42
PID 876 wrote to memory of 2328	876	{1105D1D9-5986-46db-B6DC-838E188B0799}.exe	42
PID 876 wrote to memory of 1440	876	{1105D1D9-5986-46db-B6DC-838E188B0799}.exe	43
PID 876 wrote to memory of 1440	876	{1105D1D9-5986-46db-B6DC-838E188B0799}.exe	43
PID 876 wrote to memory of 1440	876	{1105D1D9-5986-46db-B6DC-838E188B0799}.exe	43
PID 876 wrote to memory of 1440	876	{1105D1D9-5986-46db-B6DC-838E188B0799}.exe	43
PID 2328 wrote to memory of 284	2328	{D40B53E0-7A22-47b0-9018-D2938CE3FDF6}.exe	44
PID 2328 wrote to memory of 284	2328	{D40B53E0-7A22-47b0-9018-D2938CE3FDF6}.exe	44
PID 2328 wrote to memory of 284	2328	{D40B53E0-7A22-47b0-9018-D2938CE3FDF6}.exe	44
PID 2328 wrote to memory of 284	2328	{D40B53E0-7A22-47b0-9018-D2938CE3FDF6}.exe	44
PID 2328 wrote to memory of 1776	2328	{D40B53E0-7A22-47b0-9018-D2938CE3FDF6}.exe	45
PID 2328 wrote to memory of 1776	2328	{D40B53E0-7A22-47b0-9018-D2938CE3FDF6}.exe	45
PID 2328 wrote to memory of 1776	2328	{D40B53E0-7A22-47b0-9018-D2938CE3FDF6}.exe	45
PID 2328 wrote to memory of 1776	2328	{D40B53E0-7A22-47b0-9018-D2938CE3FDF6}.exe	45

C:\Users\Admin\AppData\Local\Temp\2be9233367cf3a95c63505a0a5132080_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2be9233367cf3a95c63505a0a5132080_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Windows\{393497B7-F928-42db-8552-724E0423C261}.exe
  C:\Windows\{393497B7-F928-42db-8552-724E0423C261}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\{90950E97-0162-41cd-AD40-9610C0FBD7D5}.exe
    C:\Windows\{90950E97-0162-41cd-AD40-9610C0FBD7D5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\{6F29CE69-C003-40a0-8015-2AACEE21106E}.exe
      C:\Windows\{6F29CE69-C003-40a0-8015-2AACEE21106E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Windows\{02DB8AC4-F1C6-4203-800D-398417C26FD9}.exe
        
        C:\Windows\{02DB8AC4-F1C6-4203-800D-398417C26FD9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1960
      - C:\Windows\{D7A9ECF3-FE88-4748-A7B6-980F7320A71D}.exe
        
        C:\Windows\{D7A9ECF3-FE88-4748-A7B6-980F7320A71D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\{1105D1D9-5986-46db-B6DC-838E188B0799}.exe
        
        C:\Windows\{1105D1D9-5986-46db-B6DC-838E188B0799}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\{D40B53E0-7A22-47b0-9018-D2938CE3FDF6}.exe
        
        C:\Windows\{D40B53E0-7A22-47b0-9018-D2938CE3FDF6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\{FE893C90-3A51-4186-AA22-46E252A2B8E2}.exe
        
        C:\Windows\{FE893C90-3A51-4186-AA22-46E252A2B8E2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:284
        
        C:\Windows\{A15D8488-D575-4660-AAF7-3E8E30A4A112}.exe
        
        C:\Windows\{A15D8488-D575-4660-AAF7-3E8E30A4A112}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
        
        C:\Windows\{F23BF9C7-1A89-4b44-B228-A9C94927BC1B}.exe
        
        C:\Windows\{F23BF9C7-1A89-4b44-B228-A9C94927BC1B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:788
        
        C:\Windows\{F7325D02-7560-4465-B653-86C1ACBCF517}.exe
        
        C:\Windows\{F7325D02-7560-4465-B653-86C1ACBCF517}.exe
        12⤵
        Executes dropped EXE
        
        PID:1828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F23BF~1.EXE > nul
        12⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A15D8~1.EXE > nul
        11⤵
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE893~1.EXE > nul
        10⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D40B5~1.EXE > nul
        9⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1105D~1.EXE > nul
        8⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7A9E~1.EXE > nul
        7⤵
        
        PID:2032
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02DB8~1.EXE > nul
        6⤵
        
        PID:1844
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F29C~1.EXE > nul
        5⤵
        
        PID:2684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{90950~1.EXE > nul
      4⤵
      PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{39349~1.EXE > nul
    3⤵
    PID:2952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2BE923~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02DB8AC4-F1C6-4203-800D-398417C26FD9}.exe

Filesize
64KB

MD5
b8a4deb160eb274e221f3453554b0437

SHA1
c552e59f09dfc2afaa86241cccae5ad506afe0bf

SHA256
74e32cca82ba5ce09caa8506b60619d9366f8a67baf574be0efeeff26d79d7e2

SHA512
437e0bcac83bd4ef4eade8f6100e1170f5e209ee6c3e531ef6624307ea5934405beb60e8a94e971f417d5a148bff3aff8d22f9f970c8b4665b3226fb99c556ef

Download Submit
C:\Windows\{1105D1D9-5986-46db-B6DC-838E188B0799}.exe

Filesize
64KB

MD5
3d0cda757eb1d39d68523d759d0e83a4

SHA1
ca70d6579576fc4c6fcfd86a0436519a80f57d8d

SHA256
5d888c2112eb74d86b1a6fdd1b0fbd34c696504e52ddb1c551fc809f7e52a50b

SHA512
4cc08caa5248feb1787e32d9aee341e7adcc630245a8a69c34dcd90a921edb295171d06e7d3518c8d8d30df39f458daa3446fd5d36434e158c2132ca30114e6b

Download Submit
C:\Windows\{393497B7-F928-42db-8552-724E0423C261}.exe

Filesize
64KB

MD5
5549643ae2196e3dd6415d76dc287e22

SHA1
537ec634a471787198b6145b961cb5e9c119799c

SHA256
4cc4207d90287ad4ad2c892cef0e240a8d9934ddf726924985cc2089c71fdc08

SHA512
9405e8df91e1e809b741104d252a9b281e993663c21c63ea88eac3514e9f23e0139390627ccc877bd7edff1f373be88f5920bca4fa7c38d3216a493a6aece153

Download Submit
C:\Windows\{6F29CE69-C003-40a0-8015-2AACEE21106E}.exe

Filesize
64KB

MD5
e9bedb4554441ed76d3fb5ae783759a8

SHA1
64bd7a8a05c992e8c87ed6f60b31d7043426ace3

SHA256
2711058cbe232ce43cc1ec201f56c74706bb15a63dd0b5209039e96912e23a10

SHA512
13d733237bef1a9c3222993533e05b8abdee52647deafb32e318bcbef4b4454c052953fea25a47fd7ca21cfe5f39f3949c14b52c863e412c361cb9851155be83

Download Submit
C:\Windows\{90950E97-0162-41cd-AD40-9610C0FBD7D5}.exe

Filesize
64KB

MD5
598c5f3d7a2e29e594c6fa9a58f5f2f3

SHA1
2134f649f394c525360f32955978962a9dca8370

SHA256
e3c9af9d77e472f04ab05682c284b8baf3a7afa5d3a2e0461a0c1a799bf7d405

SHA512
bd5e5061b924f26bc734b8f851a8ea5023e735ebab4ecb412c66994243ec9dac3c57f6f76ac15f96a5e003264b3a02a291727bfa445d3386fcafe5c8d835ea45

Download Submit
C:\Windows\{A15D8488-D575-4660-AAF7-3E8E30A4A112}.exe

Filesize
64KB

MD5
73867f447f5dbdb6e5e731bf6420311b

SHA1
73e64a7c1689bf7c96b44f2c0d8d9f02dec8cc58

SHA256
468f04b9c5118fc7fa7a24645ccd5c376d003cb246b855e0764faf0b01073c84

SHA512
bb39eb01cfce709e58d9cc8d8f454e0f8f677c9cdb0aee929b5c77a8b058a70d6fab72f24bd62b35f2c3de69a54c7be8a0d19f8fc59c56e9edc802ed704057de

Download Submit
C:\Windows\{D40B53E0-7A22-47b0-9018-D2938CE3FDF6}.exe

Filesize
64KB

MD5
38ef25d5335686df51c631e1a4ff932a

SHA1
df5d853140d8909485d1b4c9e5502ec9686498f9

SHA256
a98a50a48b5d806d60d642ce3629d81f3467aa51b8f32820b439f12f0d28713d

SHA512
6471bb5afc8892d65a02ece427e60e9a75ca27f916a028a461e37868812d1e063f348307d843294a73d562f59ac5198229b7179c3f7f85a074c80a2e7918dea9

Download Submit
C:\Windows\{D7A9ECF3-FE88-4748-A7B6-980F7320A71D}.exe

Filesize
64KB

MD5
51d77b685f5726c9b1f0fa154f27b9c5

SHA1
6a972fc995bfad59d81569a987a047360bf7c375

SHA256
f18f4d8d93f596620c06b14ce23829724fc4548175170c5ac93d954354ad3919

SHA512
31592e116bd0af57ce993030137c5cbaa6d73d314ec72d7cd4f91cfcda6d20370635336740037d88132781b62f464d53d9069988ee8294449490b3822fe05151

Download Submit
C:\Windows\{F23BF9C7-1A89-4b44-B228-A9C94927BC1B}.exe

Filesize
64KB

MD5
d8a1cceced43ac395f7eed2d6d5ea9eb

SHA1
4ff72899f6f3762ee645cb595951ba03a79f5b3b

SHA256
840aa46a41c830beff5ec743b60e7074c21de4741a480e39cf7049a1e324ae97

SHA512
092f6de20a28492b4108b84254bc59d2eb1f3b0e5337f15854a30976b9f083dce831cc0913ce17faea0cd8793d0205d79f92cd1717f30a70339b4fe7d116213d

Download Submit
C:\Windows\{F7325D02-7560-4465-B653-86C1ACBCF517}.exe

Filesize
64KB

MD5
f10e27d018f1da01a9c395f2d9b52128

SHA1
fe314b892483faace81f12fdef8fdbcbc3f1a52a

SHA256
fc9cdbfecc89eef5ae4b91a9f8c7876532b9d7cd8bd3b8f14819084c37880843

SHA512
58bc7e83a6571e7b03a33ae13c25373d1b355786517cd25cc30e37d2d69c8673d7b10b1b1c2be239af7c7b4bb0865ce2a2ccc481c07940596319e46182fd37ca

Download Submit
C:\Windows\{FE893C90-3A51-4186-AA22-46E252A2B8E2}.exe

Filesize
64KB

MD5
de8d841b804319b5baf17422b7c33b1a

SHA1
817448b34847263eadeead6a8fd19cf48e66096d

SHA256
2222530c2d172f62c06aebafa485f3f4574546aff7f9292590aaf53158cdb3cb

SHA512
4f3ff0734a51c536a80dd1c5272392c04a7e6f640d470a7535d088a0e56a2d4c71364a209388e5f0e632516f2f489eb4eb8c26832bfb0f969ba9451b9557585e

Download Submit
memory/284-71-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/284-79-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/788-96-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/876-60-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/876-53-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1276-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1276-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1276-8-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/1276-7-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/1712-88-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1712-80-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1960-42-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1988-52-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1988-44-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2200-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2200-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2328-70-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2328-62-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2580-26-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2580-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2916-35-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads