5aacee84668ce3f096ec5ab320fede7bd1906beab06c6a21d1ed79d7bfa2c2b7

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
20-05-2024 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab79f43b8f39395142b361b9b1b2ded0_NeikiAnalytics.exe
Size

380KB
MD5

ab79f43b8f39395142b361b9b1b2ded0
SHA1

ac5030bd410df2601371f9e2ffacf8359fa1afe0
SHA256

5aacee84668ce3f096ec5ab320fede7bd1906beab06c6a21d1ed79d7bfa2c2b7
SHA512

7560650ecc9b4de4e8b1a0dbf210a3690660aa9c631eda2d90e7e2b14835da7671c0f669432a825ac6601208df8dd30a3f041617ef5c7b322d9995f1b20185a1
SSDEEP

3072:mEGh0oElPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGSl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04D68D5B-93A5-42a7-B134-54385F441235}\stubpath = "C:\\Windows\\{04D68D5B-93A5-42a7-B134-54385F441235}.exe"	ab79f43b8f39395142b361b9b1b2ded0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7191E70-9501-47a5-9C59-4D51CD69C821}\stubpath = "C:\\Windows\\{C7191E70-9501-47a5-9C59-4D51CD69C821}.exe"	{04D68D5B-93A5-42a7-B134-54385F441235}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FAB0E80-28CD-47f7-92B7-7B3DFB7664C3}	{C7191E70-9501-47a5-9C59-4D51CD69C821}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{895409E6-FE1E-424c-8E74-58E2BAE09A2B}	{376D0CB8-F93F-46f2-B305-F32EEE06A9D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53C64D89-C275-47ec-A893-88A92ACF2F27}\stubpath = "C:\\Windows\\{53C64D89-C275-47ec-A893-88A92ACF2F27}.exe"	{117D35A1-528A-4799-99E3-85DF6F992AC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBDF7BB5-6056-459f-8AB2-C57E58D7B3A7}\stubpath = "C:\\Windows\\{BBDF7BB5-6056-459f-8AB2-C57E58D7B3A7}.exe"	{53C64D89-C275-47ec-A893-88A92ACF2F27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04D68D5B-93A5-42a7-B134-54385F441235}	ab79f43b8f39395142b361b9b1b2ded0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7191E70-9501-47a5-9C59-4D51CD69C821}	{04D68D5B-93A5-42a7-B134-54385F441235}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{895409E6-FE1E-424c-8E74-58E2BAE09A2B}\stubpath = "C:\\Windows\\{895409E6-FE1E-424c-8E74-58E2BAE09A2B}.exe"	{376D0CB8-F93F-46f2-B305-F32EEE06A9D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{717E8F12-F519-4a29-8B24-A3153B2C9D63}	{9FAB0E80-28CD-47f7-92B7-7B3DFB7664C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C9CFD7F-D178-4851-AF84-EC2E3F82D97B}	{717E8F12-F519-4a29-8B24-A3153B2C9D63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C9CFD7F-D178-4851-AF84-EC2E3F82D97B}\stubpath = "C:\\Windows\\{4C9CFD7F-D178-4851-AF84-EC2E3F82D97B}.exe"	{717E8F12-F519-4a29-8B24-A3153B2C9D63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{376D0CB8-F93F-46f2-B305-F32EEE06A9D6}\stubpath = "C:\\Windows\\{376D0CB8-F93F-46f2-B305-F32EEE06A9D6}.exe"	{4C9CFD7F-D178-4851-AF84-EC2E3F82D97B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{117D35A1-528A-4799-99E3-85DF6F992AC7}	{D23352E4-94DF-4ddb-B299-B549C6D87C27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BBDF7BB5-6056-459f-8AB2-C57E58D7B3A7}	{53C64D89-C275-47ec-A893-88A92ACF2F27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FAB0E80-28CD-47f7-92B7-7B3DFB7664C3}\stubpath = "C:\\Windows\\{9FAB0E80-28CD-47f7-92B7-7B3DFB7664C3}.exe"	{C7191E70-9501-47a5-9C59-4D51CD69C821}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{717E8F12-F519-4a29-8B24-A3153B2C9D63}\stubpath = "C:\\Windows\\{717E8F12-F519-4a29-8B24-A3153B2C9D63}.exe"	{9FAB0E80-28CD-47f7-92B7-7B3DFB7664C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{376D0CB8-F93F-46f2-B305-F32EEE06A9D6}	{4C9CFD7F-D178-4851-AF84-EC2E3F82D97B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D23352E4-94DF-4ddb-B299-B549C6D87C27}	{895409E6-FE1E-424c-8E74-58E2BAE09A2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D23352E4-94DF-4ddb-B299-B549C6D87C27}\stubpath = "C:\\Windows\\{D23352E4-94DF-4ddb-B299-B549C6D87C27}.exe"	{895409E6-FE1E-424c-8E74-58E2BAE09A2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{117D35A1-528A-4799-99E3-85DF6F992AC7}\stubpath = "C:\\Windows\\{117D35A1-528A-4799-99E3-85DF6F992AC7}.exe"	{D23352E4-94DF-4ddb-B299-B549C6D87C27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53C64D89-C275-47ec-A893-88A92ACF2F27}	{117D35A1-528A-4799-99E3-85DF6F992AC7}.exe

Deletes itself 1 IoCs

pid	Process
2636	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2540	{04D68D5B-93A5-42a7-B134-54385F441235}.exe
2932	{C7191E70-9501-47a5-9C59-4D51CD69C821}.exe
2476	{9FAB0E80-28CD-47f7-92B7-7B3DFB7664C3}.exe
1660	{717E8F12-F519-4a29-8B24-A3153B2C9D63}.exe
1268	{4C9CFD7F-D178-4851-AF84-EC2E3F82D97B}.exe
1792	{376D0CB8-F93F-46f2-B305-F32EEE06A9D6}.exe
1808	{895409E6-FE1E-424c-8E74-58E2BAE09A2B}.exe
1044	{D23352E4-94DF-4ddb-B299-B549C6D87C27}.exe
1984	{117D35A1-528A-4799-99E3-85DF6F992AC7}.exe
680	{53C64D89-C275-47ec-A893-88A92ACF2F27}.exe
576	{BBDF7BB5-6056-459f-8AB2-C57E58D7B3A7}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{717E8F12-F519-4a29-8B24-A3153B2C9D63}.exe	{9FAB0E80-28CD-47f7-92B7-7B3DFB7664C3}.exe
File created	C:\Windows\{376D0CB8-F93F-46f2-B305-F32EEE06A9D6}.exe	{4C9CFD7F-D178-4851-AF84-EC2E3F82D97B}.exe
File created	C:\Windows\{117D35A1-528A-4799-99E3-85DF6F992AC7}.exe	{D23352E4-94DF-4ddb-B299-B549C6D87C27}.exe
File created	C:\Windows\{53C64D89-C275-47ec-A893-88A92ACF2F27}.exe	{117D35A1-528A-4799-99E3-85DF6F992AC7}.exe
File created	C:\Windows\{04D68D5B-93A5-42a7-B134-54385F441235}.exe	ab79f43b8f39395142b361b9b1b2ded0_NeikiAnalytics.exe
File created	C:\Windows\{C7191E70-9501-47a5-9C59-4D51CD69C821}.exe	{04D68D5B-93A5-42a7-B134-54385F441235}.exe
File created	C:\Windows\{895409E6-FE1E-424c-8E74-58E2BAE09A2B}.exe	{376D0CB8-F93F-46f2-B305-F32EEE06A9D6}.exe
File created	C:\Windows\{D23352E4-94DF-4ddb-B299-B549C6D87C27}.exe	{895409E6-FE1E-424c-8E74-58E2BAE09A2B}.exe
File created	C:\Windows\{BBDF7BB5-6056-459f-8AB2-C57E58D7B3A7}.exe	{53C64D89-C275-47ec-A893-88A92ACF2F27}.exe
File created	C:\Windows\{9FAB0E80-28CD-47f7-92B7-7B3DFB7664C3}.exe	{C7191E70-9501-47a5-9C59-4D51CD69C821}.exe
File created	C:\Windows\{4C9CFD7F-D178-4851-AF84-EC2E3F82D97B}.exe	{717E8F12-F519-4a29-8B24-A3153B2C9D63}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2200	ab79f43b8f39395142b361b9b1b2ded0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2540	{04D68D5B-93A5-42a7-B134-54385F441235}.exe
Token: SeIncBasePriorityPrivilege	2932	{C7191E70-9501-47a5-9C59-4D51CD69C821}.exe
Token: SeIncBasePriorityPrivilege	2476	{9FAB0E80-28CD-47f7-92B7-7B3DFB7664C3}.exe
Token: SeIncBasePriorityPrivilege	1660	{717E8F12-F519-4a29-8B24-A3153B2C9D63}.exe
Token: SeIncBasePriorityPrivilege	1268	{4C9CFD7F-D178-4851-AF84-EC2E3F82D97B}.exe
Token: SeIncBasePriorityPrivilege	1792	{376D0CB8-F93F-46f2-B305-F32EEE06A9D6}.exe
Token: SeIncBasePriorityPrivilege	1808	{895409E6-FE1E-424c-8E74-58E2BAE09A2B}.exe
Token: SeIncBasePriorityPrivilege	1044	{D23352E4-94DF-4ddb-B299-B549C6D87C27}.exe
Token: SeIncBasePriorityPrivilege	1984	{117D35A1-528A-4799-99E3-85DF6F992AC7}.exe
Token: SeIncBasePriorityPrivilege	680	{53C64D89-C275-47ec-A893-88A92ACF2F27}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2540	2200	ab79f43b8f39395142b361b9b1b2ded0_NeikiAnalytics.exe	28
PID 2200 wrote to memory of 2540	2200	ab79f43b8f39395142b361b9b1b2ded0_NeikiAnalytics.exe	28
PID 2200 wrote to memory of 2540	2200	ab79f43b8f39395142b361b9b1b2ded0_NeikiAnalytics.exe	28
PID 2200 wrote to memory of 2540	2200	ab79f43b8f39395142b361b9b1b2ded0_NeikiAnalytics.exe	28
PID 2200 wrote to memory of 2636	2200	ab79f43b8f39395142b361b9b1b2ded0_NeikiAnalytics.exe	29
PID 2200 wrote to memory of 2636	2200	ab79f43b8f39395142b361b9b1b2ded0_NeikiAnalytics.exe	29
PID 2200 wrote to memory of 2636	2200	ab79f43b8f39395142b361b9b1b2ded0_NeikiAnalytics.exe	29
PID 2200 wrote to memory of 2636	2200	ab79f43b8f39395142b361b9b1b2ded0_NeikiAnalytics.exe	29
PID 2540 wrote to memory of 2932	2540	{04D68D5B-93A5-42a7-B134-54385F441235}.exe	30
PID 2540 wrote to memory of 2932	2540	{04D68D5B-93A5-42a7-B134-54385F441235}.exe	30
PID 2540 wrote to memory of 2932	2540	{04D68D5B-93A5-42a7-B134-54385F441235}.exe	30
PID 2540 wrote to memory of 2932	2540	{04D68D5B-93A5-42a7-B134-54385F441235}.exe	30
PID 2540 wrote to memory of 2696	2540	{04D68D5B-93A5-42a7-B134-54385F441235}.exe	31
PID 2540 wrote to memory of 2696	2540	{04D68D5B-93A5-42a7-B134-54385F441235}.exe	31
PID 2540 wrote to memory of 2696	2540	{04D68D5B-93A5-42a7-B134-54385F441235}.exe	31
PID 2540 wrote to memory of 2696	2540	{04D68D5B-93A5-42a7-B134-54385F441235}.exe	31
PID 2932 wrote to memory of 2476	2932	{C7191E70-9501-47a5-9C59-4D51CD69C821}.exe	32
PID 2932 wrote to memory of 2476	2932	{C7191E70-9501-47a5-9C59-4D51CD69C821}.exe	32
PID 2932 wrote to memory of 2476	2932	{C7191E70-9501-47a5-9C59-4D51CD69C821}.exe	32
PID 2932 wrote to memory of 2476	2932	{C7191E70-9501-47a5-9C59-4D51CD69C821}.exe	32
PID 2932 wrote to memory of 2432	2932	{C7191E70-9501-47a5-9C59-4D51CD69C821}.exe	33
PID 2932 wrote to memory of 2432	2932	{C7191E70-9501-47a5-9C59-4D51CD69C821}.exe	33
PID 2932 wrote to memory of 2432	2932	{C7191E70-9501-47a5-9C59-4D51CD69C821}.exe	33
PID 2932 wrote to memory of 2432	2932	{C7191E70-9501-47a5-9C59-4D51CD69C821}.exe	33
PID 2476 wrote to memory of 1660	2476	{9FAB0E80-28CD-47f7-92B7-7B3DFB7664C3}.exe	36
PID 2476 wrote to memory of 1660	2476	{9FAB0E80-28CD-47f7-92B7-7B3DFB7664C3}.exe	36
PID 2476 wrote to memory of 1660	2476	{9FAB0E80-28CD-47f7-92B7-7B3DFB7664C3}.exe	36
PID 2476 wrote to memory of 1660	2476	{9FAB0E80-28CD-47f7-92B7-7B3DFB7664C3}.exe	36
PID 2476 wrote to memory of 280	2476	{9FAB0E80-28CD-47f7-92B7-7B3DFB7664C3}.exe	37
PID 2476 wrote to memory of 280	2476	{9FAB0E80-28CD-47f7-92B7-7B3DFB7664C3}.exe	37
PID 2476 wrote to memory of 280	2476	{9FAB0E80-28CD-47f7-92B7-7B3DFB7664C3}.exe	37
PID 2476 wrote to memory of 280	2476	{9FAB0E80-28CD-47f7-92B7-7B3DFB7664C3}.exe	37
PID 1660 wrote to memory of 1268	1660	{717E8F12-F519-4a29-8B24-A3153B2C9D63}.exe	38
PID 1660 wrote to memory of 1268	1660	{717E8F12-F519-4a29-8B24-A3153B2C9D63}.exe	38
PID 1660 wrote to memory of 1268	1660	{717E8F12-F519-4a29-8B24-A3153B2C9D63}.exe	38
PID 1660 wrote to memory of 1268	1660	{717E8F12-F519-4a29-8B24-A3153B2C9D63}.exe	38
PID 1660 wrote to memory of 1140	1660	{717E8F12-F519-4a29-8B24-A3153B2C9D63}.exe	39
PID 1660 wrote to memory of 1140	1660	{717E8F12-F519-4a29-8B24-A3153B2C9D63}.exe	39
PID 1660 wrote to memory of 1140	1660	{717E8F12-F519-4a29-8B24-A3153B2C9D63}.exe	39
PID 1660 wrote to memory of 1140	1660	{717E8F12-F519-4a29-8B24-A3153B2C9D63}.exe	39
PID 1268 wrote to memory of 1792	1268	{4C9CFD7F-D178-4851-AF84-EC2E3F82D97B}.exe	40
PID 1268 wrote to memory of 1792	1268	{4C9CFD7F-D178-4851-AF84-EC2E3F82D97B}.exe	40
PID 1268 wrote to memory of 1792	1268	{4C9CFD7F-D178-4851-AF84-EC2E3F82D97B}.exe	40
PID 1268 wrote to memory of 1792	1268	{4C9CFD7F-D178-4851-AF84-EC2E3F82D97B}.exe	40
PID 1268 wrote to memory of 2388	1268	{4C9CFD7F-D178-4851-AF84-EC2E3F82D97B}.exe	41
PID 1268 wrote to memory of 2388	1268	{4C9CFD7F-D178-4851-AF84-EC2E3F82D97B}.exe	41
PID 1268 wrote to memory of 2388	1268	{4C9CFD7F-D178-4851-AF84-EC2E3F82D97B}.exe	41
PID 1268 wrote to memory of 2388	1268	{4C9CFD7F-D178-4851-AF84-EC2E3F82D97B}.exe	41
PID 1792 wrote to memory of 1808	1792	{376D0CB8-F93F-46f2-B305-F32EEE06A9D6}.exe	42
PID 1792 wrote to memory of 1808	1792	{376D0CB8-F93F-46f2-B305-F32EEE06A9D6}.exe	42
PID 1792 wrote to memory of 1808	1792	{376D0CB8-F93F-46f2-B305-F32EEE06A9D6}.exe	42
PID 1792 wrote to memory of 1808	1792	{376D0CB8-F93F-46f2-B305-F32EEE06A9D6}.exe	42
PID 1792 wrote to memory of 1592	1792	{376D0CB8-F93F-46f2-B305-F32EEE06A9D6}.exe	43
PID 1792 wrote to memory of 1592	1792	{376D0CB8-F93F-46f2-B305-F32EEE06A9D6}.exe	43
PID 1792 wrote to memory of 1592	1792	{376D0CB8-F93F-46f2-B305-F32EEE06A9D6}.exe	43
PID 1792 wrote to memory of 1592	1792	{376D0CB8-F93F-46f2-B305-F32EEE06A9D6}.exe	43
PID 1808 wrote to memory of 1044	1808	{895409E6-FE1E-424c-8E74-58E2BAE09A2B}.exe	44
PID 1808 wrote to memory of 1044	1808	{895409E6-FE1E-424c-8E74-58E2BAE09A2B}.exe	44
PID 1808 wrote to memory of 1044	1808	{895409E6-FE1E-424c-8E74-58E2BAE09A2B}.exe	44
PID 1808 wrote to memory of 1044	1808	{895409E6-FE1E-424c-8E74-58E2BAE09A2B}.exe	44
PID 1808 wrote to memory of 2828	1808	{895409E6-FE1E-424c-8E74-58E2BAE09A2B}.exe	45
PID 1808 wrote to memory of 2828	1808	{895409E6-FE1E-424c-8E74-58E2BAE09A2B}.exe	45
PID 1808 wrote to memory of 2828	1808	{895409E6-FE1E-424c-8E74-58E2BAE09A2B}.exe	45
PID 1808 wrote to memory of 2828	1808	{895409E6-FE1E-424c-8E74-58E2BAE09A2B}.exe	45

C:\Users\Admin\AppData\Local\Temp\ab79f43b8f39395142b361b9b1b2ded0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ab79f43b8f39395142b361b9b1b2ded0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\{04D68D5B-93A5-42a7-B134-54385F441235}.exe
  C:\Windows\{04D68D5B-93A5-42a7-B134-54385F441235}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\{C7191E70-9501-47a5-9C59-4D51CD69C821}.exe
    C:\Windows\{C7191E70-9501-47a5-9C59-4D51CD69C821}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\{9FAB0E80-28CD-47f7-92B7-7B3DFB7664C3}.exe
      C:\Windows\{9FAB0E80-28CD-47f7-92B7-7B3DFB7664C3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2476
    - - C:\Windows\{717E8F12-F519-4a29-8B24-A3153B2C9D63}.exe
        
        C:\Windows\{717E8F12-F519-4a29-8B24-A3153B2C9D63}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1660
      - C:\Windows\{4C9CFD7F-D178-4851-AF84-EC2E3F82D97B}.exe
        
        C:\Windows\{4C9CFD7F-D178-4851-AF84-EC2E3F82D97B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\{376D0CB8-F93F-46f2-B305-F32EEE06A9D6}.exe
        
        C:\Windows\{376D0CB8-F93F-46f2-B305-F32EEE06A9D6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\{895409E6-FE1E-424c-8E74-58E2BAE09A2B}.exe
        
        C:\Windows\{895409E6-FE1E-424c-8E74-58E2BAE09A2B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\{D23352E4-94DF-4ddb-B299-B549C6D87C27}.exe
        
        C:\Windows\{D23352E4-94DF-4ddb-B299-B549C6D87C27}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
        
        C:\Windows\{117D35A1-528A-4799-99E3-85DF6F992AC7}.exe
        
        C:\Windows\{117D35A1-528A-4799-99E3-85DF6F992AC7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
        
        C:\Windows\{53C64D89-C275-47ec-A893-88A92ACF2F27}.exe
        
        C:\Windows\{53C64D89-C275-47ec-A893-88A92ACF2F27}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:680
        
        C:\Windows\{BBDF7BB5-6056-459f-8AB2-C57E58D7B3A7}.exe
        
        C:\Windows\{BBDF7BB5-6056-459f-8AB2-C57E58D7B3A7}.exe
        12⤵
        Executes dropped EXE
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53C64~1.EXE > nul
        12⤵
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{117D3~1.EXE > nul
        11⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2335~1.EXE > nul
        10⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89540~1.EXE > nul
        9⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{376D0~1.EXE > nul
        8⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4C9CF~1.EXE > nul
        7⤵
        
        PID:2388
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{717E8~1.EXE > nul
        6⤵
        
        PID:1140
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9FAB0~1.EXE > nul
        5⤵
        
        PID:280
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C7191~1.EXE > nul
      4⤵
      PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{04D68~1.EXE > nul
    3⤵
    PID:2696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\AB79F4~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04D68D5B-93A5-42a7-B134-54385F441235}.exe

Filesize
380KB

MD5
8b89536053c3c50b0d8a7f393c385546

SHA1
6e41a49b87bdbfc4cbb9825b6755966bd69a799d

SHA256
f8dc550e374a81c3e64601266b9a24378eda321b9e2e63454ff3c5e2d06e6575

SHA512
fd8912ac843a76ec7126e4adaf0bca6c5b1b09f9a687d2419ea7bc43b0216ddcdbcbad0237bd68834cc9bbc40bac55539cb0981aacfbb8af811f86e40b822efa

Download Submit
C:\Windows\{117D35A1-528A-4799-99E3-85DF6F992AC7}.exe

Filesize
380KB

MD5
f7104762d256633069a7b4fc7fb515a3

SHA1
683c98a49b06c1e41b53bdd7756a49587e9bd58c

SHA256
2f9b9f6e246d9fa3609badf3cd12e7ae05a34db859d11ffe3f3516c1ac358db2

SHA512
2dff1b2e38ceab98e3d8c15771e798f0fc54df6425282bbd497f92a90a7a573b1341cbe332c9a8d8b35f76cbe72a586b63a8c815770797990fc18c106cb29f9f

Download Submit
C:\Windows\{376D0CB8-F93F-46f2-B305-F32EEE06A9D6}.exe

Filesize
380KB

MD5
997af70dd0cdb535e7a11ee458bae984

SHA1
1cc7a55315265355fcae47b42265f4c8d7f72827

SHA256
c2b0fe5bd99b7ca465ee5d9cba0fe0ba46d25effc7022db0ae5ffd02b50549c1

SHA512
381712fb7da14a21ce44c9b4604a5446eb64c94f435af0c951b0f8c631d0da5abd349307be2a22058349c19ec18e8a9f034dff085e93d6ade9e474260680faca

Download Submit
C:\Windows\{4C9CFD7F-D178-4851-AF84-EC2E3F82D97B}.exe

Filesize
380KB

MD5
5ca92f7319314566d90d564faf47178a

SHA1
20ed93bcb4157b43e856ab7e5dc41d3daef24557

SHA256
585860aa5c3bae34647d27ccdcd8783b32d688ad62e8f5d63cc6e1de8a4a31dd

SHA512
6cc5a71ed24c7ea8900c0e89c4993c7742858da1750ff74c1089aaffd4bb054c2ec71afc3cd5e26e06c15eb1b5ebf4da59a83e51ec55eb1bf52051daab3ffc9f

Download Submit
C:\Windows\{53C64D89-C275-47ec-A893-88A92ACF2F27}.exe

Filesize
380KB

MD5
93d0b34b08fb7e57852d37a2c45ed263

SHA1
29169cc025a13c462b74490acc65c9c7f01c4015

SHA256
7b2cd43a71c75723b1532095d9e45f1f988e9fb197eb979d5d35b460d91c74ee

SHA512
1d843d67e2b0bfc6704b0fc20c8d14ecdd13264176513d2e3ec48b68ce38aedb7272cd88caa4d2fee6d1a4ec93e23fc7ed3f72f55c68b8c4c6918b70fab94e4d

Download Submit
C:\Windows\{717E8F12-F519-4a29-8B24-A3153B2C9D63}.exe

Filesize
380KB

MD5
5e557cc8ae65eaf153edfc6e649cbe8f

SHA1
410148f0f4919b9a4e924bd4899a603c81d56f52

SHA256
d0b3a40595cb8d36ab815d0c164a2eb0e6eb7c1b58204f9a03e3ccd3f181a56b

SHA512
ad5c380c36133789c89cb40c432c023dd53058e718945f8c1a7475b43b612c4014ea8c4f97ce3cb9d121040d7b00a2b2d3728b74388398528c4f153c6a9387e5

Download Submit
C:\Windows\{895409E6-FE1E-424c-8E74-58E2BAE09A2B}.exe

Filesize
380KB

MD5
d246e74451ed84f51a401960d58d98a2

SHA1
0cb6cf5b05caf85fb35389d07490bb24ddaa470e

SHA256
28904d7dcc3b1edd0485a3758792397aef427222f543bd56d02064b0f5b56f28

SHA512
67f1e4d51365245500b48af4b1093e29247c43faa4dac7cef5f69ce3d37d916e73c3253f4bc0ae969ef9a9eda5b7f325e8efeedb8af2d7c9f2c7e1661df6c45e

Download Submit
C:\Windows\{9FAB0E80-28CD-47f7-92B7-7B3DFB7664C3}.exe

Filesize
380KB

MD5
1c65efa5f0bd7eec59df0db4e71d6697

SHA1
06a119866c375380e9351bfe8577d827bd319d44

SHA256
d0559b8261ef4147b5a87bfdfee16c78060e2f7b34c765e509c6be082c62fc07

SHA512
8d96ccf85f2c0669aac6de6ea9a822fc9aa718ca7c7418cbdfae0136c6887b603b47d44361d586182cf1d574b5ec62f0cd8509a8800c5a3c621fbd8d61e6b755

Download Submit
C:\Windows\{BBDF7BB5-6056-459f-8AB2-C57E58D7B3A7}.exe

Filesize
380KB

MD5
37a2593a3fcfdeff7b59a50ceb07e99b

SHA1
27c9fdbf843825ce952ca003cc733dbd47fbdae5

SHA256
c1149ff4bc81b0b0caa847144aeffdf2adb842f3cd267652717ab57646c0850e

SHA512
4dedfc913947a9ef4758bfb754f6cc8df8fdc4040b5cbbdc23344ce01de734098316df974f88f82a5e943fb9ae5fa677594e7f5f7eefd40ebcd384882247b810

Download Submit
C:\Windows\{C7191E70-9501-47a5-9C59-4D51CD69C821}.exe

Filesize
380KB

MD5
15eac41105c069357e2d3b65cc846650

SHA1
1768ce9a4846472288ba8e757ed2319b60ff9551

SHA256
6e967afc62390742b5a034fcd33c81a7685f7400e3b0cee141f1ad57d65321e0

SHA512
3fd4b145f571eb972d81db7874b0548f7984646bdbe0e9c96401da9d7133bd124942d0eac631e3cbe227670c13293062b0a9449f331e9fd9d7886088cfcf91c6

Download Submit
C:\Windows\{D23352E4-94DF-4ddb-B299-B549C6D87C27}.exe

Filesize
380KB

MD5
77d2a9eff67bcca05fa606c651989e7c

SHA1
115f08d978bea157e2c0e6808ff0710057f4ffb3

SHA256
55ffaa852ae700f9c0cc171988213dc0e873138b2d1b19d2ca779b0c3e1d815a

SHA512
434015e72732bb670d6ef8f2e89605b7a194d8827167159a07d8c249ba648c310ebabe88e005d6ee58b642d568abe8b5445e9f287e6fdb0859a3744059cd75b3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads