2652b7dfaa2b437c9af0922158d34f8e298c6cc20d9f7bf44bf414174e9e271c

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/05/2024, 08:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2652b7dfaa2b437c9af0922158d34f8e298c6cc20d9f7bf44bf414174e9e271c_NeikiAnalytics.exe
Size

64KB
MD5

9a7c228b58d1bbac7e2cad290712fe10
SHA1

7646372dc4d0461b7f40a8504eed7091d273912d
SHA256

2652b7dfaa2b437c9af0922158d34f8e298c6cc20d9f7bf44bf414174e9e271c
SHA512

3d3bf0f0c1471e940e3792918e05bf65a6e237399ffefc2ce6c38a37029d156d9b0656bf5dd13587e00ba792c5513b0fdf55c09a5ccce4ac18f8814f9d4e723f
SSDEEP

384:ObIwOs8AHsc4sMDwhKQLroL4/CFsrdHWMZp:OEw9816vhKQLroL4/wQpWMZp

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{120C7CB0-F619-4037-80EB-227DD5A3EE66}\stubpath = "C:\\Windows\\{120C7CB0-F619-4037-80EB-227DD5A3EE66}.exe"	{2610D075-1C4A-4b7c-B646-061397C69C23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{868FC6D2-E9C2-42e5-9289-B0C265DBCC38}	{120C7CB0-F619-4037-80EB-227DD5A3EE66}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{457893FB-C29E-4c57-BC3E-62AAC7C969AC}	{D351B37A-5BAF-4341-8268-F36F64F6220F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBC3AD4F-8F03-4f17-9F4B-370EC921C546}	{CD12C44A-A4C8-48f5-8613-D8220CE8120B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BD6374A-6FD3-4f0e-8B97-5EF8A96FD948}	{CBC3AD4F-8F03-4f17-9F4B-370EC921C546}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BD6374A-6FD3-4f0e-8B97-5EF8A96FD948}\stubpath = "C:\\Windows\\{8BD6374A-6FD3-4f0e-8B97-5EF8A96FD948}.exe"	{CBC3AD4F-8F03-4f17-9F4B-370EC921C546}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A1E3573-8BA6-458e-B7A3-99B9E585FACB}	{8BD6374A-6FD3-4f0e-8B97-5EF8A96FD948}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2610D075-1C4A-4b7c-B646-061397C69C23}	2652b7dfaa2b437c9af0922158d34f8e298c6cc20d9f7bf44bf414174e9e271c_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD91412B-4E4C-4d9d-B2F7-CB481220228D}\stubpath = "C:\\Windows\\{FD91412B-4E4C-4d9d-B2F7-CB481220228D}.exe"	{5A1E3573-8BA6-458e-B7A3-99B9E585FACB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA0B24B0-826B-44b9-AE30-2AC7367EB6C1}	{FD91412B-4E4C-4d9d-B2F7-CB481220228D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD91412B-4E4C-4d9d-B2F7-CB481220228D}	{5A1E3573-8BA6-458e-B7A3-99B9E585FACB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2610D075-1C4A-4b7c-B646-061397C69C23}\stubpath = "C:\\Windows\\{2610D075-1C4A-4b7c-B646-061397C69C23}.exe"	2652b7dfaa2b437c9af0922158d34f8e298c6cc20d9f7bf44bf414174e9e271c_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D351B37A-5BAF-4341-8268-F36F64F6220F}	{868FC6D2-E9C2-42e5-9289-B0C265DBCC38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D351B37A-5BAF-4341-8268-F36F64F6220F}\stubpath = "C:\\Windows\\{D351B37A-5BAF-4341-8268-F36F64F6220F}.exe"	{868FC6D2-E9C2-42e5-9289-B0C265DBCC38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{457893FB-C29E-4c57-BC3E-62AAC7C969AC}\stubpath = "C:\\Windows\\{457893FB-C29E-4c57-BC3E-62AAC7C969AC}.exe"	{D351B37A-5BAF-4341-8268-F36F64F6220F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E4599D1-B3A3-4b33-8C77-3AE27D73A8AF}	{457893FB-C29E-4c57-BC3E-62AAC7C969AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7E4599D1-B3A3-4b33-8C77-3AE27D73A8AF}\stubpath = "C:\\Windows\\{7E4599D1-B3A3-4b33-8C77-3AE27D73A8AF}.exe"	{457893FB-C29E-4c57-BC3E-62AAC7C969AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A1E3573-8BA6-458e-B7A3-99B9E585FACB}\stubpath = "C:\\Windows\\{5A1E3573-8BA6-458e-B7A3-99B9E585FACB}.exe"	{8BD6374A-6FD3-4f0e-8B97-5EF8A96FD948}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA0B24B0-826B-44b9-AE30-2AC7367EB6C1}\stubpath = "C:\\Windows\\{FA0B24B0-826B-44b9-AE30-2AC7367EB6C1}.exe"	{FD91412B-4E4C-4d9d-B2F7-CB481220228D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{120C7CB0-F619-4037-80EB-227DD5A3EE66}	{2610D075-1C4A-4b7c-B646-061397C69C23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{868FC6D2-E9C2-42e5-9289-B0C265DBCC38}\stubpath = "C:\\Windows\\{868FC6D2-E9C2-42e5-9289-B0C265DBCC38}.exe"	{120C7CB0-F619-4037-80EB-227DD5A3EE66}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD12C44A-A4C8-48f5-8613-D8220CE8120B}	{7E4599D1-B3A3-4b33-8C77-3AE27D73A8AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD12C44A-A4C8-48f5-8613-D8220CE8120B}\stubpath = "C:\\Windows\\{CD12C44A-A4C8-48f5-8613-D8220CE8120B}.exe"	{7E4599D1-B3A3-4b33-8C77-3AE27D73A8AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBC3AD4F-8F03-4f17-9F4B-370EC921C546}\stubpath = "C:\\Windows\\{CBC3AD4F-8F03-4f17-9F4B-370EC921C546}.exe"	{CD12C44A-A4C8-48f5-8613-D8220CE8120B}.exe

Deletes itself 1 IoCs

pid	Process
2620	cmd.exe

Executes dropped EXE 12 IoCs

pid	Process
2032	{2610D075-1C4A-4b7c-B646-061397C69C23}.exe
2572	{120C7CB0-F619-4037-80EB-227DD5A3EE66}.exe
2164	{868FC6D2-E9C2-42e5-9289-B0C265DBCC38}.exe
1256	{D351B37A-5BAF-4341-8268-F36F64F6220F}.exe
2864	{457893FB-C29E-4c57-BC3E-62AAC7C969AC}.exe
1460	{7E4599D1-B3A3-4b33-8C77-3AE27D73A8AF}.exe
804	{CD12C44A-A4C8-48f5-8613-D8220CE8120B}.exe
1100	{CBC3AD4F-8F03-4f17-9F4B-370EC921C546}.exe
2316	{8BD6374A-6FD3-4f0e-8B97-5EF8A96FD948}.exe
2080	{5A1E3573-8BA6-458e-B7A3-99B9E585FACB}.exe
2360	{FD91412B-4E4C-4d9d-B2F7-CB481220228D}.exe
1080	{FA0B24B0-826B-44b9-AE30-2AC7367EB6C1}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{5A1E3573-8BA6-458e-B7A3-99B9E585FACB}.exe	{8BD6374A-6FD3-4f0e-8B97-5EF8A96FD948}.exe
File created	C:\Windows\{FD91412B-4E4C-4d9d-B2F7-CB481220228D}.exe	{5A1E3573-8BA6-458e-B7A3-99B9E585FACB}.exe
File created	C:\Windows\{868FC6D2-E9C2-42e5-9289-B0C265DBCC38}.exe	{120C7CB0-F619-4037-80EB-227DD5A3EE66}.exe
File created	C:\Windows\{8BD6374A-6FD3-4f0e-8B97-5EF8A96FD948}.exe	{CBC3AD4F-8F03-4f17-9F4B-370EC921C546}.exe
File created	C:\Windows\{D351B37A-5BAF-4341-8268-F36F64F6220F}.exe	{868FC6D2-E9C2-42e5-9289-B0C265DBCC38}.exe
File created	C:\Windows\{457893FB-C29E-4c57-BC3E-62AAC7C969AC}.exe	{D351B37A-5BAF-4341-8268-F36F64F6220F}.exe
File created	C:\Windows\{7E4599D1-B3A3-4b33-8C77-3AE27D73A8AF}.exe	{457893FB-C29E-4c57-BC3E-62AAC7C969AC}.exe
File created	C:\Windows\{CD12C44A-A4C8-48f5-8613-D8220CE8120B}.exe	{7E4599D1-B3A3-4b33-8C77-3AE27D73A8AF}.exe
File created	C:\Windows\{CBC3AD4F-8F03-4f17-9F4B-370EC921C546}.exe	{CD12C44A-A4C8-48f5-8613-D8220CE8120B}.exe
File created	C:\Windows\{FA0B24B0-826B-44b9-AE30-2AC7367EB6C1}.exe	{FD91412B-4E4C-4d9d-B2F7-CB481220228D}.exe
File created	C:\Windows\{2610D075-1C4A-4b7c-B646-061397C69C23}.exe	2652b7dfaa2b437c9af0922158d34f8e298c6cc20d9f7bf44bf414174e9e271c_NeikiAnalytics.exe
File created	C:\Windows\{120C7CB0-F619-4037-80EB-227DD5A3EE66}.exe	{2610D075-1C4A-4b7c-B646-061397C69C23}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2120	2652b7dfaa2b437c9af0922158d34f8e298c6cc20d9f7bf44bf414174e9e271c_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2032	{2610D075-1C4A-4b7c-B646-061397C69C23}.exe
Token: SeIncBasePriorityPrivilege	2572	{120C7CB0-F619-4037-80EB-227DD5A3EE66}.exe
Token: SeIncBasePriorityPrivilege	2164	{868FC6D2-E9C2-42e5-9289-B0C265DBCC38}.exe
Token: SeIncBasePriorityPrivilege	1256	{D351B37A-5BAF-4341-8268-F36F64F6220F}.exe
Token: SeIncBasePriorityPrivilege	2864	{457893FB-C29E-4c57-BC3E-62AAC7C969AC}.exe
Token: SeIncBasePriorityPrivilege	1460	{7E4599D1-B3A3-4b33-8C77-3AE27D73A8AF}.exe
Token: SeIncBasePriorityPrivilege	804	{CD12C44A-A4C8-48f5-8613-D8220CE8120B}.exe
Token: SeIncBasePriorityPrivilege	1100	{CBC3AD4F-8F03-4f17-9F4B-370EC921C546}.exe
Token: SeIncBasePriorityPrivilege	2316	{8BD6374A-6FD3-4f0e-8B97-5EF8A96FD948}.exe
Token: SeIncBasePriorityPrivilege	2080	{5A1E3573-8BA6-458e-B7A3-99B9E585FACB}.exe
Token: SeIncBasePriorityPrivilege	2360	{FD91412B-4E4C-4d9d-B2F7-CB481220228D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2032	2120	2652b7dfaa2b437c9af0922158d34f8e298c6cc20d9f7bf44bf414174e9e271c_NeikiAnalytics.exe	28
PID 2120 wrote to memory of 2032	2120	2652b7dfaa2b437c9af0922158d34f8e298c6cc20d9f7bf44bf414174e9e271c_NeikiAnalytics.exe	28
PID 2120 wrote to memory of 2032	2120	2652b7dfaa2b437c9af0922158d34f8e298c6cc20d9f7bf44bf414174e9e271c_NeikiAnalytics.exe	28
PID 2120 wrote to memory of 2032	2120	2652b7dfaa2b437c9af0922158d34f8e298c6cc20d9f7bf44bf414174e9e271c_NeikiAnalytics.exe	28
PID 2120 wrote to memory of 2620	2120	2652b7dfaa2b437c9af0922158d34f8e298c6cc20d9f7bf44bf414174e9e271c_NeikiAnalytics.exe	29
PID 2120 wrote to memory of 2620	2120	2652b7dfaa2b437c9af0922158d34f8e298c6cc20d9f7bf44bf414174e9e271c_NeikiAnalytics.exe	29
PID 2120 wrote to memory of 2620	2120	2652b7dfaa2b437c9af0922158d34f8e298c6cc20d9f7bf44bf414174e9e271c_NeikiAnalytics.exe	29
PID 2120 wrote to memory of 2620	2120	2652b7dfaa2b437c9af0922158d34f8e298c6cc20d9f7bf44bf414174e9e271c_NeikiAnalytics.exe	29
PID 2032 wrote to memory of 2572	2032	{2610D075-1C4A-4b7c-B646-061397C69C23}.exe	30
PID 2032 wrote to memory of 2572	2032	{2610D075-1C4A-4b7c-B646-061397C69C23}.exe	30
PID 2032 wrote to memory of 2572	2032	{2610D075-1C4A-4b7c-B646-061397C69C23}.exe	30
PID 2032 wrote to memory of 2572	2032	{2610D075-1C4A-4b7c-B646-061397C69C23}.exe	30
PID 2032 wrote to memory of 2868	2032	{2610D075-1C4A-4b7c-B646-061397C69C23}.exe	31
PID 2032 wrote to memory of 2868	2032	{2610D075-1C4A-4b7c-B646-061397C69C23}.exe	31
PID 2032 wrote to memory of 2868	2032	{2610D075-1C4A-4b7c-B646-061397C69C23}.exe	31
PID 2032 wrote to memory of 2868	2032	{2610D075-1C4A-4b7c-B646-061397C69C23}.exe	31
PID 2572 wrote to memory of 2164	2572	{120C7CB0-F619-4037-80EB-227DD5A3EE66}.exe	34
PID 2572 wrote to memory of 2164	2572	{120C7CB0-F619-4037-80EB-227DD5A3EE66}.exe	34
PID 2572 wrote to memory of 2164	2572	{120C7CB0-F619-4037-80EB-227DD5A3EE66}.exe	34
PID 2572 wrote to memory of 2164	2572	{120C7CB0-F619-4037-80EB-227DD5A3EE66}.exe	34
PID 2572 wrote to memory of 676	2572	{120C7CB0-F619-4037-80EB-227DD5A3EE66}.exe	35
PID 2572 wrote to memory of 676	2572	{120C7CB0-F619-4037-80EB-227DD5A3EE66}.exe	35
PID 2572 wrote to memory of 676	2572	{120C7CB0-F619-4037-80EB-227DD5A3EE66}.exe	35
PID 2572 wrote to memory of 676	2572	{120C7CB0-F619-4037-80EB-227DD5A3EE66}.exe	35
PID 2164 wrote to memory of 1256	2164	{868FC6D2-E9C2-42e5-9289-B0C265DBCC38}.exe	36
PID 2164 wrote to memory of 1256	2164	{868FC6D2-E9C2-42e5-9289-B0C265DBCC38}.exe	36
PID 2164 wrote to memory of 1256	2164	{868FC6D2-E9C2-42e5-9289-B0C265DBCC38}.exe	36
PID 2164 wrote to memory of 1256	2164	{868FC6D2-E9C2-42e5-9289-B0C265DBCC38}.exe	36
PID 2164 wrote to memory of 1468	2164	{868FC6D2-E9C2-42e5-9289-B0C265DBCC38}.exe	37
PID 2164 wrote to memory of 1468	2164	{868FC6D2-E9C2-42e5-9289-B0C265DBCC38}.exe	37
PID 2164 wrote to memory of 1468	2164	{868FC6D2-E9C2-42e5-9289-B0C265DBCC38}.exe	37
PID 2164 wrote to memory of 1468	2164	{868FC6D2-E9C2-42e5-9289-B0C265DBCC38}.exe	37
PID 1256 wrote to memory of 2864	1256	{D351B37A-5BAF-4341-8268-F36F64F6220F}.exe	38
PID 1256 wrote to memory of 2864	1256	{D351B37A-5BAF-4341-8268-F36F64F6220F}.exe	38
PID 1256 wrote to memory of 2864	1256	{D351B37A-5BAF-4341-8268-F36F64F6220F}.exe	38
PID 1256 wrote to memory of 2864	1256	{D351B37A-5BAF-4341-8268-F36F64F6220F}.exe	38
PID 1256 wrote to memory of 1656	1256	{D351B37A-5BAF-4341-8268-F36F64F6220F}.exe	39
PID 1256 wrote to memory of 1656	1256	{D351B37A-5BAF-4341-8268-F36F64F6220F}.exe	39
PID 1256 wrote to memory of 1656	1256	{D351B37A-5BAF-4341-8268-F36F64F6220F}.exe	39
PID 1256 wrote to memory of 1656	1256	{D351B37A-5BAF-4341-8268-F36F64F6220F}.exe	39
PID 2864 wrote to memory of 1460	2864	{457893FB-C29E-4c57-BC3E-62AAC7C969AC}.exe	40
PID 2864 wrote to memory of 1460	2864	{457893FB-C29E-4c57-BC3E-62AAC7C969AC}.exe	40
PID 2864 wrote to memory of 1460	2864	{457893FB-C29E-4c57-BC3E-62AAC7C969AC}.exe	40
PID 2864 wrote to memory of 1460	2864	{457893FB-C29E-4c57-BC3E-62AAC7C969AC}.exe	40
PID 2864 wrote to memory of 2664	2864	{457893FB-C29E-4c57-BC3E-62AAC7C969AC}.exe	41
PID 2864 wrote to memory of 2664	2864	{457893FB-C29E-4c57-BC3E-62AAC7C969AC}.exe	41
PID 2864 wrote to memory of 2664	2864	{457893FB-C29E-4c57-BC3E-62AAC7C969AC}.exe	41
PID 2864 wrote to memory of 2664	2864	{457893FB-C29E-4c57-BC3E-62AAC7C969AC}.exe	41
PID 1460 wrote to memory of 804	1460	{7E4599D1-B3A3-4b33-8C77-3AE27D73A8AF}.exe	42
PID 1460 wrote to memory of 804	1460	{7E4599D1-B3A3-4b33-8C77-3AE27D73A8AF}.exe	42
PID 1460 wrote to memory of 804	1460	{7E4599D1-B3A3-4b33-8C77-3AE27D73A8AF}.exe	42
PID 1460 wrote to memory of 804	1460	{7E4599D1-B3A3-4b33-8C77-3AE27D73A8AF}.exe	42
PID 1460 wrote to memory of 972	1460	{7E4599D1-B3A3-4b33-8C77-3AE27D73A8AF}.exe	43
PID 1460 wrote to memory of 972	1460	{7E4599D1-B3A3-4b33-8C77-3AE27D73A8AF}.exe	43
PID 1460 wrote to memory of 972	1460	{7E4599D1-B3A3-4b33-8C77-3AE27D73A8AF}.exe	43
PID 1460 wrote to memory of 972	1460	{7E4599D1-B3A3-4b33-8C77-3AE27D73A8AF}.exe	43
PID 804 wrote to memory of 1100	804	{CD12C44A-A4C8-48f5-8613-D8220CE8120B}.exe	44
PID 804 wrote to memory of 1100	804	{CD12C44A-A4C8-48f5-8613-D8220CE8120B}.exe	44
PID 804 wrote to memory of 1100	804	{CD12C44A-A4C8-48f5-8613-D8220CE8120B}.exe	44
PID 804 wrote to memory of 1100	804	{CD12C44A-A4C8-48f5-8613-D8220CE8120B}.exe	44
PID 804 wrote to memory of 1128	804	{CD12C44A-A4C8-48f5-8613-D8220CE8120B}.exe	45
PID 804 wrote to memory of 1128	804	{CD12C44A-A4C8-48f5-8613-D8220CE8120B}.exe	45
PID 804 wrote to memory of 1128	804	{CD12C44A-A4C8-48f5-8613-D8220CE8120B}.exe	45
PID 804 wrote to memory of 1128	804	{CD12C44A-A4C8-48f5-8613-D8220CE8120B}.exe	45

C:\Users\Admin\AppData\Local\Temp\2652b7dfaa2b437c9af0922158d34f8e298c6cc20d9f7bf44bf414174e9e271c_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2652b7dfaa2b437c9af0922158d34f8e298c6cc20d9f7bf44bf414174e9e271c_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\{2610D075-1C4A-4b7c-B646-061397C69C23}.exe
  C:\Windows\{2610D075-1C4A-4b7c-B646-061397C69C23}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\{120C7CB0-F619-4037-80EB-227DD5A3EE66}.exe
    C:\Windows\{120C7CB0-F619-4037-80EB-227DD5A3EE66}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\{868FC6D2-E9C2-42e5-9289-B0C265DBCC38}.exe
      C:\Windows\{868FC6D2-E9C2-42e5-9289-B0C265DBCC38}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2164
    - - C:\Windows\{D351B37A-5BAF-4341-8268-F36F64F6220F}.exe
        
        C:\Windows\{D351B37A-5BAF-4341-8268-F36F64F6220F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1256
      - C:\Windows\{457893FB-C29E-4c57-BC3E-62AAC7C969AC}.exe
        
        C:\Windows\{457893FB-C29E-4c57-BC3E-62AAC7C969AC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\{7E4599D1-B3A3-4b33-8C77-3AE27D73A8AF}.exe
        
        C:\Windows\{7E4599D1-B3A3-4b33-8C77-3AE27D73A8AF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\{CD12C44A-A4C8-48f5-8613-D8220CE8120B}.exe
        
        C:\Windows\{CD12C44A-A4C8-48f5-8613-D8220CE8120B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Windows\{CBC3AD4F-8F03-4f17-9F4B-370EC921C546}.exe
        
        C:\Windows\{CBC3AD4F-8F03-4f17-9F4B-370EC921C546}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
        
        C:\Windows\{8BD6374A-6FD3-4f0e-8B97-5EF8A96FD948}.exe
        
        C:\Windows\{8BD6374A-6FD3-4f0e-8B97-5EF8A96FD948}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\{5A1E3573-8BA6-458e-B7A3-99B9E585FACB}.exe
        
        C:\Windows\{5A1E3573-8BA6-458e-B7A3-99B9E585FACB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
        
        C:\Windows\{FD91412B-4E4C-4d9d-B2F7-CB481220228D}.exe
        
        C:\Windows\{FD91412B-4E4C-4d9d-B2F7-CB481220228D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Windows\{FA0B24B0-826B-44b9-AE30-2AC7367EB6C1}.exe
        
        C:\Windows\{FA0B24B0-826B-44b9-AE30-2AC7367EB6C1}.exe
        13⤵
        Executes dropped EXE
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD914~1.EXE > nul
        13⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A1E3~1.EXE > nul
        12⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8BD63~1.EXE > nul
        11⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBC3A~1.EXE > nul
        10⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD12C~1.EXE > nul
        9⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E459~1.EXE > nul
        8⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45789~1.EXE > nul
        7⤵
        
        PID:2664
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D351B~1.EXE > nul
        6⤵
        
        PID:1656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{868FC~1.EXE > nul
        5⤵
        
        PID:1468
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{120C7~1.EXE > nul
      4⤵
      PID:676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2610D~1.EXE > nul
    3⤵
    PID:2868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2652B7~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{120C7CB0-F619-4037-80EB-227DD5A3EE66}.exe

Filesize
64KB

MD5
db334e9e1bcbf3091f97dec686ac186f

SHA1
6aa8bcad1192e0c5edb8ca3cba452aa6191ace2d

SHA256
b18a08c14f25004de4865a56b0af7fc42354f34a581e0af31ea7329c3908272e

SHA512
0eaea1af09f854724105b32fcceb39e34720860c56e04ea0953d4e2c683bd422854fada642ad421f070eccd0e121805e09547366c5c93bfef1fe90f6ccf12e55

Download Submit
C:\Windows\{2610D075-1C4A-4b7c-B646-061397C69C23}.exe

Filesize
64KB

MD5
93a1f7dbd127c22625479b826e626216

SHA1
566f411516675922811ea4502f250fb295f03d6b

SHA256
bfd3de9fc22f28b8de18658d4c2fde717def28935b8e04cc871ed41aa431be4a

SHA512
8c58e9110a4c24cff2ec1e65da3525e21109f4da26d592b54cad6afdc03df9c308e71bc5c95f80a23ab78b286545c01baf679860b729d63471421389553fb650

Download Submit
C:\Windows\{457893FB-C29E-4c57-BC3E-62AAC7C969AC}.exe

Filesize
64KB

MD5
dc59316b53783e48af0102a2409369a0

SHA1
a5eb55daacde10ca84311c17ce8d2254b963d606

SHA256
2a3bc3f918a5233e7bc6c6aedbff323483ef8c12706114987ccf249fa9ed5d7b

SHA512
855fff78e31365fa074c03426cdc1155ec20dd3526351b58a7b1771095fac4df62038c1f5404a5c156b91559ca79ccde35a04ac59c709f26557210498cb8991b

Download Submit
C:\Windows\{5A1E3573-8BA6-458e-B7A3-99B9E585FACB}.exe

Filesize
64KB

MD5
f2b301f574a556041080098f1b79c5cf

SHA1
081bf621cfce9c99ad0328414cfa20beb0496dda

SHA256
aca07a7c08432f5893807b572d071e7460361743c5b6c93630d7cc9b1afcf235

SHA512
ab24c73184e2ab9912f6d9e1fd24386c9553d54b8c2377c20d1b685092495c41cacc098fbb9c440f6b8650e318bfe45af5ab3dc0feb381a0e3c72ec93817d5cf

Download Submit
C:\Windows\{7E4599D1-B3A3-4b33-8C77-3AE27D73A8AF}.exe

Filesize
64KB

MD5
255395455a90ef453ceb648fdd66b778

SHA1
0fabf19f52c803b0113c9c32b4cdb4cd29cd4043

SHA256
2acc8b82920f4bf96a4a9d9a7f97c25a227f383d41d305ae36363a62153671e2

SHA512
29cda11026cb242a2d90e3874cd1412d2dd65dbab41406f8273a55d84fc2f7a38f22859df3e196b62008e2d8a6f316b6de826295203998700b7affe92dece91d

Download Submit
C:\Windows\{868FC6D2-E9C2-42e5-9289-B0C265DBCC38}.exe

Filesize
64KB

MD5
f2f072ae3ecf8539881a6c9940a28a40

SHA1
a9493110be3cdfcb33c7b0fc5393a12adb78b229

SHA256
d780b74c8f53d5bb02362b45c28e588667cb0cca7beb07638b254743b59dd2ce

SHA512
7eb4b1ae978eefaaeb63d24b775c90e9c0ec5814bdac712f52e0a5f77b34cfb138206195d9af9f96ba3361d206d02ef9bfb7cabd784f5e5e9b15faab2220b7af

Download Submit
C:\Windows\{8BD6374A-6FD3-4f0e-8B97-5EF8A96FD948}.exe

Filesize
64KB

MD5
3f1d12a719a1615a045432721223c462

SHA1
59aa1a5e864c015ae59d155096ef7d652cfcf80b

SHA256
e8b177e27331da3f6f0904420ed577f092d4f8be88c97566544302d2e2002548

SHA512
939af04e362fb007aa758e88b952d87a251add51099e302e187d82e55da58d31d3483b1341b6c587fc484426173fe71452fbbe1825f7544a60139fdb406d63ed

Download Submit
C:\Windows\{CBC3AD4F-8F03-4f17-9F4B-370EC921C546}.exe

Filesize
64KB

MD5
4cc850b5ced9bfe000368d4f6754dff4

SHA1
1c9c50d73389096c2f3cfa8b9b0dd8ffe7a250c7

SHA256
b4d94853b2d9176c68930d743d0583491af6447d96e54d54b58c29f585d99647

SHA512
0068b903f06803e4497d6e9fc1c84db94db49a80fe10fdd531507a7e7861af5192720424954a155bc1eb44ad7ab4b888482e1a1174ac39dce7bdcf0b0860c60b

Download Submit
C:\Windows\{CD12C44A-A4C8-48f5-8613-D8220CE8120B}.exe

Filesize
64KB

MD5
c9215d84c9961e608adc3d357fe3b501

SHA1
abdd1ad361f7e9c3e1e784b63b2de5483be5c855

SHA256
6d1a2ab872af4ddd2b340118635214e1b9fb4ad17c865495f51ba06201aa29be

SHA512
37cbec62e166c10c1318968d37f826ae8f2952b89a9d2f0a4a5995bae2fc45c24d79ec2fd9ab25c5f6e37f4d18339b3089197d65852cb3de81b1db81f852b058

Download Submit
C:\Windows\{D351B37A-5BAF-4341-8268-F36F64F6220F}.exe

Filesize
64KB

MD5
531b599aed5e28f3b39d85d7208b5dc1

SHA1
82c9c2588d61dc66a4565a11cea84da2b836f69f

SHA256
87e9f1bc0501f9bc8aed48ee368e8af9c8c538242a75f885e3d3d2eda5c39289

SHA512
6ac84f42b8d090361bd58defabd0c19db6555ca38d1e29e2e87d53c434190f445d054e3b0583a16bc984c09a72616bc3a33a5634b7e5f6d66276d5d69444148c

Download Submit
C:\Windows\{FA0B24B0-826B-44b9-AE30-2AC7367EB6C1}.exe

Filesize
64KB

MD5
d44d307482b182997c9ca91eb0ef5f2e

SHA1
f8724d060f802bf547e7c762f5f329554e3d4fd4

SHA256
a8ef1fa09cce26d77ea387a5717366ae02a73c79e504b76623425dd4dd6b9876

SHA512
8ffc809bbafef65a61be0af322b97300275e5662be84d17174a94fea50e5674f641509cae1ba40c421221684ca9188ddb0515154593b4f1ad12af2f6e6535934

Download Submit
C:\Windows\{FD91412B-4E4C-4d9d-B2F7-CB481220228D}.exe

Filesize
64KB

MD5
a6be051b8f85dadb437c27b3857444bb

SHA1
a73836c0509c8120ad3358567bb4b7d0470cf32b

SHA256
c6cd9077a5cd7487495c08d5bbbaf6d1cf18b68a6a063925326e1496ee274e5c

SHA512
2e048256abc6cddbdbbeed0c2273859cf7677f61231e4bc0ed4896acf422d0d375392fdcdee17b69741b373ca0e3269cbf62685c6a3c32efe402ee26fedae982

Download Submit
memory/804-65-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/804-69-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/804-74-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1080-110-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1100-82-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1256-44-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1256-43-0x0000000000310000-0x0000000000320000-memory.dmp

Filesize
64KB

Download
memory/1460-59-0x0000000000310000-0x0000000000320000-memory.dmp

Filesize
64KB

Download
memory/1460-64-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2032-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2032-8-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2080-91-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2080-98-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2120-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2120-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2120-7-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/2164-31-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/2164-36-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2316-90-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2360-100-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2360-109-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2360-104-0x00000000002D0000-0x00000000002E0000-memory.dmp

Filesize
64KB

Download
memory/2572-26-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2572-22-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/2572-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2864-53-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/2864-55-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2864-46-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads