5aacee84668ce3f096ec5ab320fede7bd1906beab06c6a21d1ed79d7bfa2c2b7

Analysis

max time kernel
149s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab79f43b8f39395142b361b9b1b2ded0_NeikiAnalytics.exe
Size

380KB
MD5

ab79f43b8f39395142b361b9b1b2ded0
SHA1

ac5030bd410df2601371f9e2ffacf8359fa1afe0
SHA256

5aacee84668ce3f096ec5ab320fede7bd1906beab06c6a21d1ed79d7bfa2c2b7
SHA512

7560650ecc9b4de4e8b1a0dbf210a3690660aa9c631eda2d90e7e2b14835da7671c0f669432a825ac6601208df8dd30a3f041617ef5c7b322d9995f1b20185a1
SSDEEP

3072:mEGh0oElPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGSl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8563E5AC-30E1-4ecb-80C6-D58D5CC466A5}\stubpath = "C:\\Windows\\{8563E5AC-30E1-4ecb-80C6-D58D5CC466A5}.exe"	{CD267A98-533A-4804-91BD-1535B6432D61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AF03F0C-CA0D-4710-8398-67E5E218907B}	{8563E5AC-30E1-4ecb-80C6-D58D5CC466A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1851DF38-DA60-42c3-B533-29340D93A62A}	{41722FBC-91FC-4bc0-83A7-C1FEAD136C92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8E085AF-D90B-431b-8C17-30F51A44405A}	{AD1E33AC-C376-41e2-91E7-B1904A01DF64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA3B483A-F4DC-40d3-9258-7092F20175A6}\stubpath = "C:\\Windows\\{CA3B483A-F4DC-40d3-9258-7092F20175A6}.exe"	{D8E085AF-D90B-431b-8C17-30F51A44405A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{579D14D4-5704-4542-8B9E-A1C7FABE952A}	{CA3B483A-F4DC-40d3-9258-7092F20175A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{579D14D4-5704-4542-8B9E-A1C7FABE952A}\stubpath = "C:\\Windows\\{579D14D4-5704-4542-8B9E-A1C7FABE952A}.exe"	{CA3B483A-F4DC-40d3-9258-7092F20175A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD267A98-533A-4804-91BD-1535B6432D61}\stubpath = "C:\\Windows\\{CD267A98-533A-4804-91BD-1535B6432D61}.exe"	ab79f43b8f39395142b361b9b1b2ded0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AF03F0C-CA0D-4710-8398-67E5E218907B}\stubpath = "C:\\Windows\\{6AF03F0C-CA0D-4710-8398-67E5E218907B}.exe"	{8563E5AC-30E1-4ecb-80C6-D58D5CC466A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0516A72E-D9FF-4ca4-9900-357EAF0C8E17}	{6AF03F0C-CA0D-4710-8398-67E5E218907B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62E23B1C-D3BB-498d-B75F-D1607FAD770F}	{937D300F-FAC2-46b4-956E-A6CBE3E787FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD1E33AC-C376-41e2-91E7-B1904A01DF64}	{62E23B1C-D3BB-498d-B75F-D1607FAD770F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD1E33AC-C376-41e2-91E7-B1904A01DF64}\stubpath = "C:\\Windows\\{AD1E33AC-C376-41e2-91E7-B1904A01DF64}.exe"	{62E23B1C-D3BB-498d-B75F-D1607FAD770F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8E085AF-D90B-431b-8C17-30F51A44405A}\stubpath = "C:\\Windows\\{D8E085AF-D90B-431b-8C17-30F51A44405A}.exe"	{AD1E33AC-C376-41e2-91E7-B1904A01DF64}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD267A98-533A-4804-91BD-1535B6432D61}	ab79f43b8f39395142b361b9b1b2ded0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0516A72E-D9FF-4ca4-9900-357EAF0C8E17}\stubpath = "C:\\Windows\\{0516A72E-D9FF-4ca4-9900-357EAF0C8E17}.exe"	{6AF03F0C-CA0D-4710-8398-67E5E218907B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1851DF38-DA60-42c3-B533-29340D93A62A}\stubpath = "C:\\Windows\\{1851DF38-DA60-42c3-B533-29340D93A62A}.exe"	{41722FBC-91FC-4bc0-83A7-C1FEAD136C92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8563E5AC-30E1-4ecb-80C6-D58D5CC466A5}	{CD267A98-533A-4804-91BD-1535B6432D61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41722FBC-91FC-4bc0-83A7-C1FEAD136C92}	{0516A72E-D9FF-4ca4-9900-357EAF0C8E17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41722FBC-91FC-4bc0-83A7-C1FEAD136C92}\stubpath = "C:\\Windows\\{41722FBC-91FC-4bc0-83A7-C1FEAD136C92}.exe"	{0516A72E-D9FF-4ca4-9900-357EAF0C8E17}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{937D300F-FAC2-46b4-956E-A6CBE3E787FB}	{1851DF38-DA60-42c3-B533-29340D93A62A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{937D300F-FAC2-46b4-956E-A6CBE3E787FB}\stubpath = "C:\\Windows\\{937D300F-FAC2-46b4-956E-A6CBE3E787FB}.exe"	{1851DF38-DA60-42c3-B533-29340D93A62A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62E23B1C-D3BB-498d-B75F-D1607FAD770F}\stubpath = "C:\\Windows\\{62E23B1C-D3BB-498d-B75F-D1607FAD770F}.exe"	{937D300F-FAC2-46b4-956E-A6CBE3E787FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA3B483A-F4DC-40d3-9258-7092F20175A6}	{D8E085AF-D90B-431b-8C17-30F51A44405A}.exe

Executes dropped EXE 12 IoCs

pid	Process
4768	{CD267A98-533A-4804-91BD-1535B6432D61}.exe
1884	{8563E5AC-30E1-4ecb-80C6-D58D5CC466A5}.exe
3088	{6AF03F0C-CA0D-4710-8398-67E5E218907B}.exe
3972	{0516A72E-D9FF-4ca4-9900-357EAF0C8E17}.exe
2544	{41722FBC-91FC-4bc0-83A7-C1FEAD136C92}.exe
1824	{1851DF38-DA60-42c3-B533-29340D93A62A}.exe
3660	{937D300F-FAC2-46b4-956E-A6CBE3E787FB}.exe
4940	{62E23B1C-D3BB-498d-B75F-D1607FAD770F}.exe
1360	{AD1E33AC-C376-41e2-91E7-B1904A01DF64}.exe
3776	{D8E085AF-D90B-431b-8C17-30F51A44405A}.exe
4508	{CA3B483A-F4DC-40d3-9258-7092F20175A6}.exe
1168	{579D14D4-5704-4542-8B9E-A1C7FABE952A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8563E5AC-30E1-4ecb-80C6-D58D5CC466A5}.exe	{CD267A98-533A-4804-91BD-1535B6432D61}.exe
File created	C:\Windows\{6AF03F0C-CA0D-4710-8398-67E5E218907B}.exe	{8563E5AC-30E1-4ecb-80C6-D58D5CC466A5}.exe
File created	C:\Windows\{937D300F-FAC2-46b4-956E-A6CBE3E787FB}.exe	{1851DF38-DA60-42c3-B533-29340D93A62A}.exe
File created	C:\Windows\{CD267A98-533A-4804-91BD-1535B6432D61}.exe	ab79f43b8f39395142b361b9b1b2ded0_NeikiAnalytics.exe
File created	C:\Windows\{0516A72E-D9FF-4ca4-9900-357EAF0C8E17}.exe	{6AF03F0C-CA0D-4710-8398-67E5E218907B}.exe
File created	C:\Windows\{41722FBC-91FC-4bc0-83A7-C1FEAD136C92}.exe	{0516A72E-D9FF-4ca4-9900-357EAF0C8E17}.exe
File created	C:\Windows\{1851DF38-DA60-42c3-B533-29340D93A62A}.exe	{41722FBC-91FC-4bc0-83A7-C1FEAD136C92}.exe
File created	C:\Windows\{62E23B1C-D3BB-498d-B75F-D1607FAD770F}.exe	{937D300F-FAC2-46b4-956E-A6CBE3E787FB}.exe
File created	C:\Windows\{AD1E33AC-C376-41e2-91E7-B1904A01DF64}.exe	{62E23B1C-D3BB-498d-B75F-D1607FAD770F}.exe
File created	C:\Windows\{D8E085AF-D90B-431b-8C17-30F51A44405A}.exe	{AD1E33AC-C376-41e2-91E7-B1904A01DF64}.exe
File created	C:\Windows\{CA3B483A-F4DC-40d3-9258-7092F20175A6}.exe	{D8E085AF-D90B-431b-8C17-30F51A44405A}.exe
File created	C:\Windows\{579D14D4-5704-4542-8B9E-A1C7FABE952A}.exe	{CA3B483A-F4DC-40d3-9258-7092F20175A6}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1872	ab79f43b8f39395142b361b9b1b2ded0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	4768	{CD267A98-533A-4804-91BD-1535B6432D61}.exe
Token: SeIncBasePriorityPrivilege	1884	{8563E5AC-30E1-4ecb-80C6-D58D5CC466A5}.exe
Token: SeIncBasePriorityPrivilege	3088	{6AF03F0C-CA0D-4710-8398-67E5E218907B}.exe
Token: SeIncBasePriorityPrivilege	3972	{0516A72E-D9FF-4ca4-9900-357EAF0C8E17}.exe
Token: SeIncBasePriorityPrivilege	2544	{41722FBC-91FC-4bc0-83A7-C1FEAD136C92}.exe
Token: SeIncBasePriorityPrivilege	1824	{1851DF38-DA60-42c3-B533-29340D93A62A}.exe
Token: SeIncBasePriorityPrivilege	3660	{937D300F-FAC2-46b4-956E-A6CBE3E787FB}.exe
Token: SeIncBasePriorityPrivilege	4940	{62E23B1C-D3BB-498d-B75F-D1607FAD770F}.exe
Token: SeIncBasePriorityPrivilege	1360	{AD1E33AC-C376-41e2-91E7-B1904A01DF64}.exe
Token: SeIncBasePriorityPrivilege	3776	{D8E085AF-D90B-431b-8C17-30F51A44405A}.exe
Token: SeIncBasePriorityPrivilege	4508	{CA3B483A-F4DC-40d3-9258-7092F20175A6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 4768	1872	ab79f43b8f39395142b361b9b1b2ded0_NeikiAnalytics.exe	92
PID 1872 wrote to memory of 4768	1872	ab79f43b8f39395142b361b9b1b2ded0_NeikiAnalytics.exe	92
PID 1872 wrote to memory of 4768	1872	ab79f43b8f39395142b361b9b1b2ded0_NeikiAnalytics.exe	92
PID 1872 wrote to memory of 1464	1872	ab79f43b8f39395142b361b9b1b2ded0_NeikiAnalytics.exe	93
PID 1872 wrote to memory of 1464	1872	ab79f43b8f39395142b361b9b1b2ded0_NeikiAnalytics.exe	93
PID 1872 wrote to memory of 1464	1872	ab79f43b8f39395142b361b9b1b2ded0_NeikiAnalytics.exe	93
PID 4768 wrote to memory of 1884	4768	{CD267A98-533A-4804-91BD-1535B6432D61}.exe	94
PID 4768 wrote to memory of 1884	4768	{CD267A98-533A-4804-91BD-1535B6432D61}.exe	94
PID 4768 wrote to memory of 1884	4768	{CD267A98-533A-4804-91BD-1535B6432D61}.exe	94
PID 4768 wrote to memory of 432	4768	{CD267A98-533A-4804-91BD-1535B6432D61}.exe	95
PID 4768 wrote to memory of 432	4768	{CD267A98-533A-4804-91BD-1535B6432D61}.exe	95
PID 4768 wrote to memory of 432	4768	{CD267A98-533A-4804-91BD-1535B6432D61}.exe	95
PID 1884 wrote to memory of 3088	1884	{8563E5AC-30E1-4ecb-80C6-D58D5CC466A5}.exe	99
PID 1884 wrote to memory of 3088	1884	{8563E5AC-30E1-4ecb-80C6-D58D5CC466A5}.exe	99
PID 1884 wrote to memory of 3088	1884	{8563E5AC-30E1-4ecb-80C6-D58D5CC466A5}.exe	99
PID 1884 wrote to memory of 3012	1884	{8563E5AC-30E1-4ecb-80C6-D58D5CC466A5}.exe	100
PID 1884 wrote to memory of 3012	1884	{8563E5AC-30E1-4ecb-80C6-D58D5CC466A5}.exe	100
PID 1884 wrote to memory of 3012	1884	{8563E5AC-30E1-4ecb-80C6-D58D5CC466A5}.exe	100
PID 3088 wrote to memory of 3972	3088	{6AF03F0C-CA0D-4710-8398-67E5E218907B}.exe	101
PID 3088 wrote to memory of 3972	3088	{6AF03F0C-CA0D-4710-8398-67E5E218907B}.exe	101
PID 3088 wrote to memory of 3972	3088	{6AF03F0C-CA0D-4710-8398-67E5E218907B}.exe	101
PID 3088 wrote to memory of 3736	3088	{6AF03F0C-CA0D-4710-8398-67E5E218907B}.exe	102
PID 3088 wrote to memory of 3736	3088	{6AF03F0C-CA0D-4710-8398-67E5E218907B}.exe	102
PID 3088 wrote to memory of 3736	3088	{6AF03F0C-CA0D-4710-8398-67E5E218907B}.exe	102
PID 3972 wrote to memory of 2544	3972	{0516A72E-D9FF-4ca4-9900-357EAF0C8E17}.exe	104
PID 3972 wrote to memory of 2544	3972	{0516A72E-D9FF-4ca4-9900-357EAF0C8E17}.exe	104
PID 3972 wrote to memory of 2544	3972	{0516A72E-D9FF-4ca4-9900-357EAF0C8E17}.exe	104
PID 3972 wrote to memory of 2188	3972	{0516A72E-D9FF-4ca4-9900-357EAF0C8E17}.exe	105
PID 3972 wrote to memory of 2188	3972	{0516A72E-D9FF-4ca4-9900-357EAF0C8E17}.exe	105
PID 3972 wrote to memory of 2188	3972	{0516A72E-D9FF-4ca4-9900-357EAF0C8E17}.exe	105
PID 2544 wrote to memory of 1824	2544	{41722FBC-91FC-4bc0-83A7-C1FEAD136C92}.exe	107
PID 2544 wrote to memory of 1824	2544	{41722FBC-91FC-4bc0-83A7-C1FEAD136C92}.exe	107
PID 2544 wrote to memory of 1824	2544	{41722FBC-91FC-4bc0-83A7-C1FEAD136C92}.exe	107
PID 2544 wrote to memory of 1956	2544	{41722FBC-91FC-4bc0-83A7-C1FEAD136C92}.exe	108
PID 2544 wrote to memory of 1956	2544	{41722FBC-91FC-4bc0-83A7-C1FEAD136C92}.exe	108
PID 2544 wrote to memory of 1956	2544	{41722FBC-91FC-4bc0-83A7-C1FEAD136C92}.exe	108
PID 1824 wrote to memory of 3660	1824	{1851DF38-DA60-42c3-B533-29340D93A62A}.exe	109
PID 1824 wrote to memory of 3660	1824	{1851DF38-DA60-42c3-B533-29340D93A62A}.exe	109
PID 1824 wrote to memory of 3660	1824	{1851DF38-DA60-42c3-B533-29340D93A62A}.exe	109
PID 1824 wrote to memory of 1492	1824	{1851DF38-DA60-42c3-B533-29340D93A62A}.exe	110
PID 1824 wrote to memory of 1492	1824	{1851DF38-DA60-42c3-B533-29340D93A62A}.exe	110
PID 1824 wrote to memory of 1492	1824	{1851DF38-DA60-42c3-B533-29340D93A62A}.exe	110
PID 3660 wrote to memory of 4940	3660	{937D300F-FAC2-46b4-956E-A6CBE3E787FB}.exe	118
PID 3660 wrote to memory of 4940	3660	{937D300F-FAC2-46b4-956E-A6CBE3E787FB}.exe	118
PID 3660 wrote to memory of 4940	3660	{937D300F-FAC2-46b4-956E-A6CBE3E787FB}.exe	118
PID 3660 wrote to memory of 4984	3660	{937D300F-FAC2-46b4-956E-A6CBE3E787FB}.exe	119
PID 3660 wrote to memory of 4984	3660	{937D300F-FAC2-46b4-956E-A6CBE3E787FB}.exe	119
PID 3660 wrote to memory of 4984	3660	{937D300F-FAC2-46b4-956E-A6CBE3E787FB}.exe	119
PID 4940 wrote to memory of 1360	4940	{62E23B1C-D3BB-498d-B75F-D1607FAD770F}.exe	122
PID 4940 wrote to memory of 1360	4940	{62E23B1C-D3BB-498d-B75F-D1607FAD770F}.exe	122
PID 4940 wrote to memory of 1360	4940	{62E23B1C-D3BB-498d-B75F-D1607FAD770F}.exe	122
PID 4940 wrote to memory of 4128	4940	{62E23B1C-D3BB-498d-B75F-D1607FAD770F}.exe	123
PID 4940 wrote to memory of 4128	4940	{62E23B1C-D3BB-498d-B75F-D1607FAD770F}.exe	123
PID 4940 wrote to memory of 4128	4940	{62E23B1C-D3BB-498d-B75F-D1607FAD770F}.exe	123
PID 1360 wrote to memory of 3776	1360	{AD1E33AC-C376-41e2-91E7-B1904A01DF64}.exe	124
PID 1360 wrote to memory of 3776	1360	{AD1E33AC-C376-41e2-91E7-B1904A01DF64}.exe	124
PID 1360 wrote to memory of 3776	1360	{AD1E33AC-C376-41e2-91E7-B1904A01DF64}.exe	124
PID 1360 wrote to memory of 3464	1360	{AD1E33AC-C376-41e2-91E7-B1904A01DF64}.exe	125
PID 1360 wrote to memory of 3464	1360	{AD1E33AC-C376-41e2-91E7-B1904A01DF64}.exe	125
PID 1360 wrote to memory of 3464	1360	{AD1E33AC-C376-41e2-91E7-B1904A01DF64}.exe	125
PID 3776 wrote to memory of 4508	3776	{D8E085AF-D90B-431b-8C17-30F51A44405A}.exe	128
PID 3776 wrote to memory of 4508	3776	{D8E085AF-D90B-431b-8C17-30F51A44405A}.exe	128
PID 3776 wrote to memory of 4508	3776	{D8E085AF-D90B-431b-8C17-30F51A44405A}.exe	128
PID 3776 wrote to memory of 2416	3776	{D8E085AF-D90B-431b-8C17-30F51A44405A}.exe	129

C:\Users\Admin\AppData\Local\Temp\ab79f43b8f39395142b361b9b1b2ded0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ab79f43b8f39395142b361b9b1b2ded0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\{CD267A98-533A-4804-91BD-1535B6432D61}.exe
  C:\Windows\{CD267A98-533A-4804-91BD-1535B6432D61}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\{8563E5AC-30E1-4ecb-80C6-D58D5CC466A5}.exe
    C:\Windows\{8563E5AC-30E1-4ecb-80C6-D58D5CC466A5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1884
  - - C:\Windows\{6AF03F0C-CA0D-4710-8398-67E5E218907B}.exe
      C:\Windows\{6AF03F0C-CA0D-4710-8398-67E5E218907B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3088
    - - C:\Windows\{0516A72E-D9FF-4ca4-9900-357EAF0C8E17}.exe
        
        C:\Windows\{0516A72E-D9FF-4ca4-9900-357EAF0C8E17}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3972
      - C:\Windows\{41722FBC-91FC-4bc0-83A7-C1FEAD136C92}.exe
        
        C:\Windows\{41722FBC-91FC-4bc0-83A7-C1FEAD136C92}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\{1851DF38-DA60-42c3-B533-29340D93A62A}.exe
        
        C:\Windows\{1851DF38-DA60-42c3-B533-29340D93A62A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\{937D300F-FAC2-46b4-956E-A6CBE3E787FB}.exe
        
        C:\Windows\{937D300F-FAC2-46b4-956E-A6CBE3E787FB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\{62E23B1C-D3BB-498d-B75F-D1607FAD770F}.exe
        
        C:\Windows\{62E23B1C-D3BB-498d-B75F-D1607FAD770F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\{AD1E33AC-C376-41e2-91E7-B1904A01DF64}.exe
        
        C:\Windows\{AD1E33AC-C376-41e2-91E7-B1904A01DF64}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\{D8E085AF-D90B-431b-8C17-30F51A44405A}.exe
        
        C:\Windows\{D8E085AF-D90B-431b-8C17-30F51A44405A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\{CA3B483A-F4DC-40d3-9258-7092F20175A6}.exe
        
        C:\Windows\{CA3B483A-F4DC-40d3-9258-7092F20175A6}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4508
        
        C:\Windows\{579D14D4-5704-4542-8B9E-A1C7FABE952A}.exe
        
        C:\Windows\{579D14D4-5704-4542-8B9E-A1C7FABE952A}.exe
        13⤵
        Executes dropped EXE
        
        PID:1168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA3B4~1.EXE > nul
        13⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8E08~1.EXE > nul
        12⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD1E3~1.EXE > nul
        11⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62E23~1.EXE > nul
        10⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{937D3~1.EXE > nul
        9⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1851D~1.EXE > nul
        8⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41722~1.EXE > nul
        7⤵
        
        PID:1956
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0516A~1.EXE > nul
        6⤵
        
        PID:2188
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6AF03~1.EXE > nul
        5⤵
        
        PID:3736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8563E~1.EXE > nul
      4⤵
      PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CD267~1.EXE > nul
    3⤵
    PID:432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\AB79F4~1.EXE > nul
  2⤵
  PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0516A72E-D9FF-4ca4-9900-357EAF0C8E17}.exe

Filesize
380KB

MD5
1b634add7fe259963a19ac786f024755

SHA1
247776ac1e2d5ff9c33f9b2f2ffd17ca4842e027

SHA256
6325734ea55b8a58f6268edb25c78144892f6d7384e8f5ab032d386d905224b0

SHA512
825386d7c5eeeb39eb060dbc52619cfb75a5c9f35644a518ed3f26ac92c277e6a3b8dbba529da4418aaada7f7519c44f14125fefb47d29a1ec0e32f7f242c68a

Download Submit
C:\Windows\{1851DF38-DA60-42c3-B533-29340D93A62A}.exe

Filesize
380KB

MD5
2d99fd44c246d95dcfb4869412e5b888

SHA1
78983911479311d1df24c3253ec07e82f2669374

SHA256
cad1c8136874460a8be6113c592223ef3575be84065886c8fe78978a3b1685a7

SHA512
6d0d948dee94c56061bde59f2ea55134a7f12e3c42fb5a8274d8f0ad7121c2219563f4376066b90352e7f01c886ac0213066fb2a8b31623fbe460f3193abada5

Download Submit
C:\Windows\{41722FBC-91FC-4bc0-83A7-C1FEAD136C92}.exe

Filesize
380KB

MD5
e7fe84f5d0e8f03028e23c74dd2694e4

SHA1
3ddf6a16c504dce6a5d574a21a1051ee0232271b

SHA256
24eb4186e7e3bf21b8732c0b4d18fddbf2a498fc5d3a32a16d13946eaed87e65

SHA512
f6ffc8af82c77a9871fc4bd41828129aebdf7cee9fc1ff4b5e65e032114b14fd53e967e09d28744dec90acc6c03858c62f5378483463d5d84fd04f0222173b69

Download Submit
C:\Windows\{579D14D4-5704-4542-8B9E-A1C7FABE952A}.exe

Filesize
380KB

MD5
940e14d9d9764be6b1b4c28d5330bd10

SHA1
5b42e1d250c4ad14f2c08a1d761321ef2918db59

SHA256
0ee4e354a0eb2c259117771b6934344b605c177f3b4bb5bc194ce1bdd8a5a796

SHA512
629a377d163d7ad19e7ba8db0ac620a7a2c56656229ead1a377d54934620db0d682a714337652c1af64fbde1638e3667f2f438829fa9ece35cf84df41449ebdc

Download Submit
C:\Windows\{62E23B1C-D3BB-498d-B75F-D1607FAD770F}.exe

Filesize
380KB

MD5
6d2fe166a62f8772090216dcb1fb9290

SHA1
0c213ded4f784f49fe4d028f20f025b35eee32f0

SHA256
f0615a6737cd44cd3e4ffce441b0b983710cba368c2e67040ae2040e4d8365a7

SHA512
daa58ff0a801872979416cd3230b9d1a40c4e65eb7c50ac1b6c101175fe213286ed94b13a8afc6a65a5a01d7bac367ba486d2167e2b4002fb33be20c35fc1b8e

Download Submit
C:\Windows\{6AF03F0C-CA0D-4710-8398-67E5E218907B}.exe

Filesize
380KB

MD5
9dfbfc89a46ddb709612473fb437f32a

SHA1
6122fb149a3f46967a61e1995545c91809f02f9d

SHA256
55e60336e7979bbe0386f6a3ce47a6a24b928bcc9c1667373dabfd47bb23640a

SHA512
91fc42fde064634fffa2731d89b02efae0c6bc5d5a8da92231964485492c9361b427c89821d2a859cc211b70fd85d531f5daf6ddb5f8877d8f1f64c4e9c6fbee

Download Submit
C:\Windows\{8563E5AC-30E1-4ecb-80C6-D58D5CC466A5}.exe

Filesize
380KB

MD5
60a8a7f4e43910fc199f7aefc74d032d

SHA1
8d029e55404249a16b670737c4da48a32464b2c0

SHA256
9787431b1fa192cf82c64940591a0b9776404747ca0fef54e2ea50430f84c766

SHA512
59e101cb7545661b5d75d7b77182996ab393188f99fcf420ef46c367dc7d764cf3874acbe798caff7d272db7b5b652549b6d40faa150c8c7a64349f8147c0b88

Download Submit
C:\Windows\{937D300F-FAC2-46b4-956E-A6CBE3E787FB}.exe

Filesize
380KB

MD5
da26ba8a7439bea450265b043c67b60c

SHA1
d07127ba174225eb2d83bd8ad740b4d965f8a671

SHA256
760110a5d51b547a4956a261db9b4202d259c27f8399c51fc092dba4681e512b

SHA512
528377a791cdf7c88536217cf20cb2c554ec7914ade20b2cefe106bb344cd488e65b9f1cb8b3b850d154e1ca4f0ac5d57109bb7aa5f2aa7a3da7b2b17f742bc3

Download Submit
C:\Windows\{AD1E33AC-C376-41e2-91E7-B1904A01DF64}.exe

Filesize
380KB

MD5
cd53b4b5fe7b56083d4d8c6e5513f9aa

SHA1
6567053a7a542ab1efaa24cb1d218a6fa70d5b74

SHA256
2243f551d0987b1b4b1f5c31bd6e010749dbec9dcffd90768c3104f82576ac67

SHA512
db767f25e097e0520e960bf5267b27d430ebb4e62af5bccfa76a1d05b544a1542058a21c403c72024a795f58a021d99f6c0c5e6a16545ba82fa7b0927f3609ad

Download Submit
C:\Windows\{CA3B483A-F4DC-40d3-9258-7092F20175A6}.exe

Filesize
380KB

MD5
d682c3ac843453d1b26ed8f7675dd26f

SHA1
336199b76a79fdd8215185f39806414af4e0c038

SHA256
730284d3fe24039cdc77fd20a953dd7986a4ada68f8dd8ed5e3deea83b5a7481

SHA512
a6b1168619e8b760674717becaf56909e1a7afccc21613c6175a2b9275753f7b7adab1d398dd5f45f2dffff6b19d3ee44026a26972afd9b6b2043a2a7c631f7e

Download Submit
C:\Windows\{CD267A98-533A-4804-91BD-1535B6432D61}.exe

Filesize
380KB

MD5
5d3de73f1a5b1e60b45d57fc3119d3d4

SHA1
37b0779e5fd0d1ab69d6cc97a5e8efd576e5f4fc

SHA256
909295684aa2a340fbc475261727a3049befa4c764d94905e3acd3b757d7f13c

SHA512
9bdb96792128da376b393fb4e3eeefeadb5200c90e315e852b82bdd077701a829d605d66e5689937490f930fd7a0eb547edea4726901fcbf9d512bd0404f2b8c

Download Submit
C:\Windows\{D8E085AF-D90B-431b-8C17-30F51A44405A}.exe

Filesize
380KB

MD5
4238553cbddb5d485684719f63f2edcd

SHA1
b224186e29221ef9a25e2f00885c337ee899feef

SHA256
8332b24d9adbf829cacc6a190f3829082bdb7b8f026221984e6b9d439de7cc54

SHA512
8a177c912f0eeff55fea64746b0fe6c6956ff206cf93972f159d6efb8cb87a9bb000f16a215affa4b2364e586c9b8053755c21977b7020ac61fabd8316df918f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads