220a3e41da75327c03a554dce99936da7bc6ee906ab79e0372a6b728b18e319c

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/05/2024, 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32629ce1f77416657b7a279dd5d50790_NeikiAnalytics.exe
Size

64KB
MD5

32629ce1f77416657b7a279dd5d50790
SHA1

e1c7943e2ae5f6502fdd16cab61f606e605befe3
SHA256

220a3e41da75327c03a554dce99936da7bc6ee906ab79e0372a6b728b18e319c
SHA512

ce1d663e5fa1fdb35b2ad975c46d55a1bf10bea717fe2608475ca5fc6199950407a28fbefedaac29a390bfd240eaae682e80ab7e741ebeccf0deec0c54a0a364
SSDEEP

384:ObLwOs8AHsc4HMPwhKQLrof4/CFsrdHWMZw:Ovw981xvhKQLrof4/wQpWMZw

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AC62F6B-1477-4a43-82EB-8279922B86B2}	{101A7EFF-A891-4d7b-A108-D5F195F0E700}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2EBAEAA3-C3B5-40be-B228-58A2F5888A80}\stubpath = "C:\\Windows\\{2EBAEAA3-C3B5-40be-B228-58A2F5888A80}.exe"	{15722C4D-3C14-43c8-904B-85E9BBAFD681}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A434880-F80D-4460-B7E2-C0A721E08F4D}	{9546F819-EB61-4648-8B4F-FC55880B461A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{101A7EFF-A891-4d7b-A108-D5F195F0E700}\stubpath = "C:\\Windows\\{101A7EFF-A891-4d7b-A108-D5F195F0E700}.exe"	{8A434880-F80D-4460-B7E2-C0A721E08F4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9546F819-EB61-4648-8B4F-FC55880B461A}\stubpath = "C:\\Windows\\{9546F819-EB61-4648-8B4F-FC55880B461A}.exe"	{20EE6A2D-63DC-4366-ACF4-FC06E1378674}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{101A7EFF-A891-4d7b-A108-D5F195F0E700}	{8A434880-F80D-4460-B7E2-C0A721E08F4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9B1454C-1B29-4462-B1C8-C5B775DE5B86}	{2EBAEAA3-C3B5-40be-B228-58A2F5888A80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9B1454C-1B29-4462-B1C8-C5B775DE5B86}\stubpath = "C:\\Windows\\{B9B1454C-1B29-4462-B1C8-C5B775DE5B86}.exe"	{2EBAEAA3-C3B5-40be-B228-58A2F5888A80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FD3B00E-542B-47bf-91D7-26BB4DB9524D}\stubpath = "C:\\Windows\\{2FD3B00E-542B-47bf-91D7-26BB4DB9524D}.exe"	32629ce1f77416657b7a279dd5d50790_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F63C26B6-6C78-4b50-A5E6-4271BC55B597}	{2FD3B00E-542B-47bf-91D7-26BB4DB9524D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9546F819-EB61-4648-8B4F-FC55880B461A}	{20EE6A2D-63DC-4366-ACF4-FC06E1378674}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A434880-F80D-4460-B7E2-C0A721E08F4D}\stubpath = "C:\\Windows\\{8A434880-F80D-4460-B7E2-C0A721E08F4D}.exe"	{9546F819-EB61-4648-8B4F-FC55880B461A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2EBAEAA3-C3B5-40be-B228-58A2F5888A80}	{15722C4D-3C14-43c8-904B-85E9BBAFD681}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8AF1F1F-6FD6-4dd3-AE88-072E2BC9BD70}\stubpath = "C:\\Windows\\{B8AF1F1F-6FD6-4dd3-AE88-072E2BC9BD70}.exe"	{B9B1454C-1B29-4462-B1C8-C5B775DE5B86}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FD3B00E-542B-47bf-91D7-26BB4DB9524D}	32629ce1f77416657b7a279dd5d50790_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20EE6A2D-63DC-4366-ACF4-FC06E1378674}\stubpath = "C:\\Windows\\{20EE6A2D-63DC-4366-ACF4-FC06E1378674}.exe"	{F63C26B6-6C78-4b50-A5E6-4271BC55B597}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AC62F6B-1477-4a43-82EB-8279922B86B2}\stubpath = "C:\\Windows\\{2AC62F6B-1477-4a43-82EB-8279922B86B2}.exe"	{101A7EFF-A891-4d7b-A108-D5F195F0E700}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15722C4D-3C14-43c8-904B-85E9BBAFD681}	{2AC62F6B-1477-4a43-82EB-8279922B86B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15722C4D-3C14-43c8-904B-85E9BBAFD681}\stubpath = "C:\\Windows\\{15722C4D-3C14-43c8-904B-85E9BBAFD681}.exe"	{2AC62F6B-1477-4a43-82EB-8279922B86B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8AF1F1F-6FD6-4dd3-AE88-072E2BC9BD70}	{B9B1454C-1B29-4462-B1C8-C5B775DE5B86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F63C26B6-6C78-4b50-A5E6-4271BC55B597}\stubpath = "C:\\Windows\\{F63C26B6-6C78-4b50-A5E6-4271BC55B597}.exe"	{2FD3B00E-542B-47bf-91D7-26BB4DB9524D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20EE6A2D-63DC-4366-ACF4-FC06E1378674}	{F63C26B6-6C78-4b50-A5E6-4271BC55B597}.exe

Deletes itself 1 IoCs

pid	Process
2068	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2344	{2FD3B00E-542B-47bf-91D7-26BB4DB9524D}.exe
2996	{F63C26B6-6C78-4b50-A5E6-4271BC55B597}.exe
2600	{20EE6A2D-63DC-4366-ACF4-FC06E1378674}.exe
2740	{9546F819-EB61-4648-8B4F-FC55880B461A}.exe
2908	{8A434880-F80D-4460-B7E2-C0A721E08F4D}.exe
1492	{101A7EFF-A891-4d7b-A108-D5F195F0E700}.exe
2412	{2AC62F6B-1477-4a43-82EB-8279922B86B2}.exe
1236	{15722C4D-3C14-43c8-904B-85E9BBAFD681}.exe
2664	{2EBAEAA3-C3B5-40be-B228-58A2F5888A80}.exe
1484	{B9B1454C-1B29-4462-B1C8-C5B775DE5B86}.exe
2392	{B8AF1F1F-6FD6-4dd3-AE88-072E2BC9BD70}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2FD3B00E-542B-47bf-91D7-26BB4DB9524D}.exe	32629ce1f77416657b7a279dd5d50790_NeikiAnalytics.exe
File created	C:\Windows\{F63C26B6-6C78-4b50-A5E6-4271BC55B597}.exe	{2FD3B00E-542B-47bf-91D7-26BB4DB9524D}.exe
File created	C:\Windows\{9546F819-EB61-4648-8B4F-FC55880B461A}.exe	{20EE6A2D-63DC-4366-ACF4-FC06E1378674}.exe
File created	C:\Windows\{15722C4D-3C14-43c8-904B-85E9BBAFD681}.exe	{2AC62F6B-1477-4a43-82EB-8279922B86B2}.exe
File created	C:\Windows\{B9B1454C-1B29-4462-B1C8-C5B775DE5B86}.exe	{2EBAEAA3-C3B5-40be-B228-58A2F5888A80}.exe
File created	C:\Windows\{B8AF1F1F-6FD6-4dd3-AE88-072E2BC9BD70}.exe	{B9B1454C-1B29-4462-B1C8-C5B775DE5B86}.exe
File created	C:\Windows\{20EE6A2D-63DC-4366-ACF4-FC06E1378674}.exe	{F63C26B6-6C78-4b50-A5E6-4271BC55B597}.exe
File created	C:\Windows\{8A434880-F80D-4460-B7E2-C0A721E08F4D}.exe	{9546F819-EB61-4648-8B4F-FC55880B461A}.exe
File created	C:\Windows\{101A7EFF-A891-4d7b-A108-D5F195F0E700}.exe	{8A434880-F80D-4460-B7E2-C0A721E08F4D}.exe
File created	C:\Windows\{2AC62F6B-1477-4a43-82EB-8279922B86B2}.exe	{101A7EFF-A891-4d7b-A108-D5F195F0E700}.exe
File created	C:\Windows\{2EBAEAA3-C3B5-40be-B228-58A2F5888A80}.exe	{15722C4D-3C14-43c8-904B-85E9BBAFD681}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2612	32629ce1f77416657b7a279dd5d50790_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2344	{2FD3B00E-542B-47bf-91D7-26BB4DB9524D}.exe
Token: SeIncBasePriorityPrivilege	2996	{F63C26B6-6C78-4b50-A5E6-4271BC55B597}.exe
Token: SeIncBasePriorityPrivilege	2600	{20EE6A2D-63DC-4366-ACF4-FC06E1378674}.exe
Token: SeIncBasePriorityPrivilege	2740	{9546F819-EB61-4648-8B4F-FC55880B461A}.exe
Token: SeIncBasePriorityPrivilege	2908	{8A434880-F80D-4460-B7E2-C0A721E08F4D}.exe
Token: SeIncBasePriorityPrivilege	1492	{101A7EFF-A891-4d7b-A108-D5F195F0E700}.exe
Token: SeIncBasePriorityPrivilege	2412	{2AC62F6B-1477-4a43-82EB-8279922B86B2}.exe
Token: SeIncBasePriorityPrivilege	1236	{15722C4D-3C14-43c8-904B-85E9BBAFD681}.exe
Token: SeIncBasePriorityPrivilege	2664	{2EBAEAA3-C3B5-40be-B228-58A2F5888A80}.exe
Token: SeIncBasePriorityPrivilege	1484	{B9B1454C-1B29-4462-B1C8-C5B775DE5B86}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 2344	2612	32629ce1f77416657b7a279dd5d50790_NeikiAnalytics.exe	28
PID 2612 wrote to memory of 2344	2612	32629ce1f77416657b7a279dd5d50790_NeikiAnalytics.exe	28
PID 2612 wrote to memory of 2344	2612	32629ce1f77416657b7a279dd5d50790_NeikiAnalytics.exe	28
PID 2612 wrote to memory of 2344	2612	32629ce1f77416657b7a279dd5d50790_NeikiAnalytics.exe	28
PID 2612 wrote to memory of 2068	2612	32629ce1f77416657b7a279dd5d50790_NeikiAnalytics.exe	29
PID 2612 wrote to memory of 2068	2612	32629ce1f77416657b7a279dd5d50790_NeikiAnalytics.exe	29
PID 2612 wrote to memory of 2068	2612	32629ce1f77416657b7a279dd5d50790_NeikiAnalytics.exe	29
PID 2612 wrote to memory of 2068	2612	32629ce1f77416657b7a279dd5d50790_NeikiAnalytics.exe	29
PID 2344 wrote to memory of 2996	2344	{2FD3B00E-542B-47bf-91D7-26BB4DB9524D}.exe	30
PID 2344 wrote to memory of 2996	2344	{2FD3B00E-542B-47bf-91D7-26BB4DB9524D}.exe	30
PID 2344 wrote to memory of 2996	2344	{2FD3B00E-542B-47bf-91D7-26BB4DB9524D}.exe	30
PID 2344 wrote to memory of 2996	2344	{2FD3B00E-542B-47bf-91D7-26BB4DB9524D}.exe	30
PID 2344 wrote to memory of 2244	2344	{2FD3B00E-542B-47bf-91D7-26BB4DB9524D}.exe	31
PID 2344 wrote to memory of 2244	2344	{2FD3B00E-542B-47bf-91D7-26BB4DB9524D}.exe	31
PID 2344 wrote to memory of 2244	2344	{2FD3B00E-542B-47bf-91D7-26BB4DB9524D}.exe	31
PID 2344 wrote to memory of 2244	2344	{2FD3B00E-542B-47bf-91D7-26BB4DB9524D}.exe	31
PID 2996 wrote to memory of 2600	2996	{F63C26B6-6C78-4b50-A5E6-4271BC55B597}.exe	32
PID 2996 wrote to memory of 2600	2996	{F63C26B6-6C78-4b50-A5E6-4271BC55B597}.exe	32
PID 2996 wrote to memory of 2600	2996	{F63C26B6-6C78-4b50-A5E6-4271BC55B597}.exe	32
PID 2996 wrote to memory of 2600	2996	{F63C26B6-6C78-4b50-A5E6-4271BC55B597}.exe	32
PID 2996 wrote to memory of 2192	2996	{F63C26B6-6C78-4b50-A5E6-4271BC55B597}.exe	33
PID 2996 wrote to memory of 2192	2996	{F63C26B6-6C78-4b50-A5E6-4271BC55B597}.exe	33
PID 2996 wrote to memory of 2192	2996	{F63C26B6-6C78-4b50-A5E6-4271BC55B597}.exe	33
PID 2996 wrote to memory of 2192	2996	{F63C26B6-6C78-4b50-A5E6-4271BC55B597}.exe	33
PID 2600 wrote to memory of 2740	2600	{20EE6A2D-63DC-4366-ACF4-FC06E1378674}.exe	36
PID 2600 wrote to memory of 2740	2600	{20EE6A2D-63DC-4366-ACF4-FC06E1378674}.exe	36
PID 2600 wrote to memory of 2740	2600	{20EE6A2D-63DC-4366-ACF4-FC06E1378674}.exe	36
PID 2600 wrote to memory of 2740	2600	{20EE6A2D-63DC-4366-ACF4-FC06E1378674}.exe	36
PID 2600 wrote to memory of 2756	2600	{20EE6A2D-63DC-4366-ACF4-FC06E1378674}.exe	37
PID 2600 wrote to memory of 2756	2600	{20EE6A2D-63DC-4366-ACF4-FC06E1378674}.exe	37
PID 2600 wrote to memory of 2756	2600	{20EE6A2D-63DC-4366-ACF4-FC06E1378674}.exe	37
PID 2600 wrote to memory of 2756	2600	{20EE6A2D-63DC-4366-ACF4-FC06E1378674}.exe	37
PID 2740 wrote to memory of 2908	2740	{9546F819-EB61-4648-8B4F-FC55880B461A}.exe	38
PID 2740 wrote to memory of 2908	2740	{9546F819-EB61-4648-8B4F-FC55880B461A}.exe	38
PID 2740 wrote to memory of 2908	2740	{9546F819-EB61-4648-8B4F-FC55880B461A}.exe	38
PID 2740 wrote to memory of 2908	2740	{9546F819-EB61-4648-8B4F-FC55880B461A}.exe	38
PID 2740 wrote to memory of 1628	2740	{9546F819-EB61-4648-8B4F-FC55880B461A}.exe	39
PID 2740 wrote to memory of 1628	2740	{9546F819-EB61-4648-8B4F-FC55880B461A}.exe	39
PID 2740 wrote to memory of 1628	2740	{9546F819-EB61-4648-8B4F-FC55880B461A}.exe	39
PID 2740 wrote to memory of 1628	2740	{9546F819-EB61-4648-8B4F-FC55880B461A}.exe	39
PID 2908 wrote to memory of 1492	2908	{8A434880-F80D-4460-B7E2-C0A721E08F4D}.exe	40
PID 2908 wrote to memory of 1492	2908	{8A434880-F80D-4460-B7E2-C0A721E08F4D}.exe	40
PID 2908 wrote to memory of 1492	2908	{8A434880-F80D-4460-B7E2-C0A721E08F4D}.exe	40
PID 2908 wrote to memory of 1492	2908	{8A434880-F80D-4460-B7E2-C0A721E08F4D}.exe	40
PID 2908 wrote to memory of 2184	2908	{8A434880-F80D-4460-B7E2-C0A721E08F4D}.exe	41
PID 2908 wrote to memory of 2184	2908	{8A434880-F80D-4460-B7E2-C0A721E08F4D}.exe	41
PID 2908 wrote to memory of 2184	2908	{8A434880-F80D-4460-B7E2-C0A721E08F4D}.exe	41
PID 2908 wrote to memory of 2184	2908	{8A434880-F80D-4460-B7E2-C0A721E08F4D}.exe	41
PID 1492 wrote to memory of 2412	1492	{101A7EFF-A891-4d7b-A108-D5F195F0E700}.exe	42
PID 1492 wrote to memory of 2412	1492	{101A7EFF-A891-4d7b-A108-D5F195F0E700}.exe	42
PID 1492 wrote to memory of 2412	1492	{101A7EFF-A891-4d7b-A108-D5F195F0E700}.exe	42
PID 1492 wrote to memory of 2412	1492	{101A7EFF-A891-4d7b-A108-D5F195F0E700}.exe	42
PID 1492 wrote to memory of 2200	1492	{101A7EFF-A891-4d7b-A108-D5F195F0E700}.exe	43
PID 1492 wrote to memory of 2200	1492	{101A7EFF-A891-4d7b-A108-D5F195F0E700}.exe	43
PID 1492 wrote to memory of 2200	1492	{101A7EFF-A891-4d7b-A108-D5F195F0E700}.exe	43
PID 1492 wrote to memory of 2200	1492	{101A7EFF-A891-4d7b-A108-D5F195F0E700}.exe	43
PID 2412 wrote to memory of 1236	2412	{2AC62F6B-1477-4a43-82EB-8279922B86B2}.exe	44
PID 2412 wrote to memory of 1236	2412	{2AC62F6B-1477-4a43-82EB-8279922B86B2}.exe	44
PID 2412 wrote to memory of 1236	2412	{2AC62F6B-1477-4a43-82EB-8279922B86B2}.exe	44
PID 2412 wrote to memory of 1236	2412	{2AC62F6B-1477-4a43-82EB-8279922B86B2}.exe	44
PID 2412 wrote to memory of 2208	2412	{2AC62F6B-1477-4a43-82EB-8279922B86B2}.exe	45
PID 2412 wrote to memory of 2208	2412	{2AC62F6B-1477-4a43-82EB-8279922B86B2}.exe	45
PID 2412 wrote to memory of 2208	2412	{2AC62F6B-1477-4a43-82EB-8279922B86B2}.exe	45
PID 2412 wrote to memory of 2208	2412	{2AC62F6B-1477-4a43-82EB-8279922B86B2}.exe	45

C:\Users\Admin\AppData\Local\Temp\32629ce1f77416657b7a279dd5d50790_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\32629ce1f77416657b7a279dd5d50790_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\{2FD3B00E-542B-47bf-91D7-26BB4DB9524D}.exe
  C:\Windows\{2FD3B00E-542B-47bf-91D7-26BB4DB9524D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\{F63C26B6-6C78-4b50-A5E6-4271BC55B597}.exe
    C:\Windows\{F63C26B6-6C78-4b50-A5E6-4271BC55B597}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\{20EE6A2D-63DC-4366-ACF4-FC06E1378674}.exe
      C:\Windows\{20EE6A2D-63DC-4366-ACF4-FC06E1378674}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\{9546F819-EB61-4648-8B4F-FC55880B461A}.exe
        
        C:\Windows\{9546F819-EB61-4648-8B4F-FC55880B461A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2740
      - C:\Windows\{8A434880-F80D-4460-B7E2-C0A721E08F4D}.exe
        
        C:\Windows\{8A434880-F80D-4460-B7E2-C0A721E08F4D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\{101A7EFF-A891-4d7b-A108-D5F195F0E700}.exe
        
        C:\Windows\{101A7EFF-A891-4d7b-A108-D5F195F0E700}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\{2AC62F6B-1477-4a43-82EB-8279922B86B2}.exe
        
        C:\Windows\{2AC62F6B-1477-4a43-82EB-8279922B86B2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\{15722C4D-3C14-43c8-904B-85E9BBAFD681}.exe
        
        C:\Windows\{15722C4D-3C14-43c8-904B-85E9BBAFD681}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
        
        C:\Windows\{2EBAEAA3-C3B5-40be-B228-58A2F5888A80}.exe
        
        C:\Windows\{2EBAEAA3-C3B5-40be-B228-58A2F5888A80}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Windows\{B9B1454C-1B29-4462-B1C8-C5B775DE5B86}.exe
        
        C:\Windows\{B9B1454C-1B29-4462-B1C8-C5B775DE5B86}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\{B8AF1F1F-6FD6-4dd3-AE88-072E2BC9BD70}.exe
        
        C:\Windows\{B8AF1F1F-6FD6-4dd3-AE88-072E2BC9BD70}.exe
        12⤵
        Executes dropped EXE
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9B14~1.EXE > nul
        12⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2EBAE~1.EXE > nul
        11⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15722~1.EXE > nul
        10⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2AC62~1.EXE > nul
        9⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{101A7~1.EXE > nul
        8⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A434~1.EXE > nul
        7⤵
        
        PID:2184
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9546F~1.EXE > nul
        6⤵
        
        PID:1628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20EE6~1.EXE > nul
        5⤵
        
        PID:2756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F63C2~1.EXE > nul
      4⤵
      PID:2192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2FD3B~1.EXE > nul
    3⤵
    PID:2244
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\32629C~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{101A7EFF-A891-4d7b-A108-D5F195F0E700}.exe

Filesize
64KB

MD5
61fba7536c9b0ff973be06d896700f0e

SHA1
24f64e75cc5c7f48ac20ab211331a98eb8fe11de

SHA256
ccd246d3f115494e400b3ecffdbfb884a3345e18d6c3c906a3a5d2985f4c28e3

SHA512
33c05f719644d8f597e5fe90c7861b2c39ee605142780c1d38ab35025e60efce303c56b46d7f08834950e16a4293127a77bc094f7ea47e54b378f6762b792258

Download Submit
C:\Windows\{15722C4D-3C14-43c8-904B-85E9BBAFD681}.exe

Filesize
64KB

MD5
3cb655e546faa728349de2a62ecabe74

SHA1
3995f00ec6d1e9302b63befcf47e2dc342717273

SHA256
95cff6c821e1a6c60fd90edc169146f28138aae81b224c0dfbb250fc74c0ef10

SHA512
a788bcaa82c091b0777fe4e3edfde54161351068db871087070839fab4a8d466eeba2724092c6829638a8ac5cfc2d0f82cd10cb3a225d8fde754122c738d76b1

Download Submit
C:\Windows\{20EE6A2D-63DC-4366-ACF4-FC06E1378674}.exe

Filesize
64KB

MD5
7a3cd0c67a34ff1333e8849ba22b4c82

SHA1
61dfa270d47cf3eb68693941b66aded0e09b7e94

SHA256
f82f2f89ba2f423168d2f563fb46d5ca3aa46e73a0e6e4d6fce8682f72057d6c

SHA512
6a34279035d656de3f9f33787357b9133eef1d6e6e9c701764a16eacc94a6b4731fe092903317872dcb7bda5c2879f8992f33dd857cc037a08b04629d21c2cdc

Download Submit
C:\Windows\{2AC62F6B-1477-4a43-82EB-8279922B86B2}.exe

Filesize
64KB

MD5
99c5dc7cf5cd01082177445069fd1642

SHA1
542ed16ec1730dec908d50650ca8fd140dcca3c9

SHA256
d24b22a8c9906c4170d04aeb67a36f8a535876e2975271fe7cc8310a862ac534

SHA512
de4b29e128dc1db780f23a334062affc50058e6f833a04e0abe0a871fd60d76f10b5666188c03b111b75768ab2304f169640e3aac809459ef4a9c98dc721d363

Download Submit
C:\Windows\{2EBAEAA3-C3B5-40be-B228-58A2F5888A80}.exe

Filesize
64KB

MD5
f594ac58d8df39974d6533cde3b166d7

SHA1
e75b37b67a0bd94db919bafc88d86013818dd7b6

SHA256
a45791dc3ff567731d359f745200d1b60908f34a0c5f659a2dbcec3d067b4568

SHA512
072507f7b011ddfe662139eff23e017fba1740aaf20c31f3d65fab47d199ed59925a3fa83da86cfbfcc38c76102f200581eb6137484615cc2ea7e1ab9fbdb9a2

Download Submit
C:\Windows\{2FD3B00E-542B-47bf-91D7-26BB4DB9524D}.exe

Filesize
64KB

MD5
e0099d37a9be947d85b7e62b8c7a8d28

SHA1
37c6e114892314ae1984ba8e006d96ed10fa2780

SHA256
155b58258ccc04ff5a125c55f77e3e01df96605a65299b51c07974b543543d09

SHA512
ab7e0fb7aef95c2f2954642efd7e7a80390d38298fb28537121f0b82a3aefddb05b003ed1d3c30bf60cb0055c95beeda6b22aa7d5766f9bcae5529cb15bf78af

Download Submit
C:\Windows\{8A434880-F80D-4460-B7E2-C0A721E08F4D}.exe

Filesize
64KB

MD5
73c8fa03dce1ccde76f8368f3911b963

SHA1
7838a86b45838ec72b70936a83db362ba6fe9ca3

SHA256
66b13a9d6133df0bc6de59d0ac89e67e425484bf245e7058c47519b10c83db89

SHA512
105ed9330f58a8b9d6484d7549ea46d0b8b8df0c1426bc5ae70207400412dba21203273f7f69995adba67ea6d12aa29e19c22077e5585660870c52d1b04b44bb

Download Submit
C:\Windows\{9546F819-EB61-4648-8B4F-FC55880B461A}.exe

Filesize
64KB

MD5
aa50d162e54db801ad070c5d0d26f824

SHA1
73e7ce4de5142b90fdb3951ea326f40bf7409ca0

SHA256
82877e2839cfa36c4050433be189604f7f8416c85c905a9d93a32a549a7235a1

SHA512
eb29fb3dcd5ae7d291d9f8b7bb4fbf39cb251637ba6f767b00bb722614e10d692c2dfb93159a9f7d51b610d763c411fa5f639920f3bc9405fe45164388a4e4f4

Download Submit
C:\Windows\{B8AF1F1F-6FD6-4dd3-AE88-072E2BC9BD70}.exe

Filesize
64KB

MD5
b18ab5f2256af9642173ef706e8df8b7

SHA1
2997e390884953422891e009ab413fa2a66f67dc

SHA256
0fd5647480d9171a97959f6b4638c6143ba85b5bba0832a989f077ca5c155eb6

SHA512
6a9eef2f4db834573d4653c29f97283755e31fa24a682dc8d365ebf2623a1ff887c2c4af8132ee8818a86e1abb87a0aa9cefda668029e12ea4cbacab4987b756

Download Submit
C:\Windows\{B9B1454C-1B29-4462-B1C8-C5B775DE5B86}.exe

Filesize
64KB

MD5
dded16324b20acdf2ff2a2ebcb86fee9

SHA1
d2f78bea54a4c3f4a7f52fe0261c5f55be534d8f

SHA256
b941247634103973a61c6ae79e5084b105b1d616c1ddc42342b2b1e7abdc5a43

SHA512
f5756e7bf27a6f088efca06822f5fca6e4864a5b0f2eb12a32c64417313b9940422e6c2a36bda8ff90ea5019049b843f3fecf93d139958b8c8509f6aaa61433c

Download Submit
C:\Windows\{F63C26B6-6C78-4b50-A5E6-4271BC55B597}.exe

Filesize
64KB

MD5
4cc5ee7e6fc5773ff6df2d273a16cf3a

SHA1
121203c92fdd1aa53d1573f59277e57f9c7d8514

SHA256
1216e8b8ad26b9cf47619ffe53a4712318e804e95219e22dcd272031e4913d94

SHA512
0298ae5f6bd440231dde49b93db447a1b2bd115582c9c3a59670202f8c6eb93b3a9f2040322a5e8445858723a60ea3b9215a3e942d898c1ac8a42a48339d338e

Download Submit
memory/1236-78-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1236-71-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1484-95-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1492-54-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1492-62-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2344-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2344-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2412-69-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2600-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2600-36-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2612-7-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2612-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2612-8-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2612-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2664-87-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2740-37-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2740-44-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2908-53-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2996-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2996-27-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads