27b37066505c1eb7a17c99aedfbee5af35eb094c90bbb63b3162bd5d8fc3974a

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
22/05/2024, 05:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21eebd87d1af5cfcd790b8448f2f0ae0_NeikiAnalytics.exe
Size

60KB
MD5

21eebd87d1af5cfcd790b8448f2f0ae0
SHA1

8e5b9cb0afa3570fb7c0f6275e4ce80d28f5f1bd
SHA256

27b37066505c1eb7a17c99aedfbee5af35eb094c90bbb63b3162bd5d8fc3974a
SHA512

df28d2c5b867f256c1227d57c6592261289426678b92450efd8fbcf0a0aca824cc1412323d3c8fe8898f9e2f903036f5be82a200d058af696c34079622f35f0d
SSDEEP

192:vbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqw7h4/CFxyNhoy5t:vbLwOs8AHsc4sMfwhKQLroN4/CFsrd

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9D26F7E-ECF6-4ed6-BC99-98E10F89F4B0}	{08369ABE-86A8-4023-9F8A-4CA895A77C6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E7966D7-0506-460d-BB9C-43BB6E50F4F5}	{0C3FD920-B357-4647-964B-092A059E78B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{420139A4-E802-45a0-860E-65B93EF7A3AA}	{5075C9BC-5EB3-48ee-9DB7-D7549B0A64EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94190B44-D605-4101-AB20-6A1DD5E2D7BC}\stubpath = "C:\\Windows\\{94190B44-D605-4101-AB20-6A1DD5E2D7BC}.exe"	21eebd87d1af5cfcd790b8448f2f0ae0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08369ABE-86A8-4023-9F8A-4CA895A77C6C}\stubpath = "C:\\Windows\\{08369ABE-86A8-4023-9F8A-4CA895A77C6C}.exe"	{2D9F361F-AE7D-438a-9D42-88D70DB3A56B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D5D2871-9D6A-45f6-93B6-468501CDE399}\stubpath = "C:\\Windows\\{8D5D2871-9D6A-45f6-93B6-468501CDE399}.exe"	{9BB23C23-9A12-4430-9F41-D06A40C34F4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08369ABE-86A8-4023-9F8A-4CA895A77C6C}	{2D9F361F-AE7D-438a-9D42-88D70DB3A56B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20AB4256-D743-4a28-9F1E-A43E3668943B}	{94190B44-D605-4101-AB20-6A1DD5E2D7BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D5D2871-9D6A-45f6-93B6-468501CDE399}	{9BB23C23-9A12-4430-9F41-D06A40C34F4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BB23C23-9A12-4430-9F41-D06A40C34F4B}	{20AB4256-D743-4a28-9F1E-A43E3668943B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BB23C23-9A12-4430-9F41-D06A40C34F4B}\stubpath = "C:\\Windows\\{9BB23C23-9A12-4430-9F41-D06A40C34F4B}.exe"	{20AB4256-D743-4a28-9F1E-A43E3668943B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D9F361F-AE7D-438a-9D42-88D70DB3A56B}	{8D5D2871-9D6A-45f6-93B6-468501CDE399}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9D26F7E-ECF6-4ed6-BC99-98E10F89F4B0}\stubpath = "C:\\Windows\\{D9D26F7E-ECF6-4ed6-BC99-98E10F89F4B0}.exe"	{08369ABE-86A8-4023-9F8A-4CA895A77C6C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0E7966D7-0506-460d-BB9C-43BB6E50F4F5}\stubpath = "C:\\Windows\\{0E7966D7-0506-460d-BB9C-43BB6E50F4F5}.exe"	{0C3FD920-B357-4647-964B-092A059E78B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5075C9BC-5EB3-48ee-9DB7-D7549B0A64EE}	{0E7966D7-0506-460d-BB9C-43BB6E50F4F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94190B44-D605-4101-AB20-6A1DD5E2D7BC}	21eebd87d1af5cfcd790b8448f2f0ae0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20AB4256-D743-4a28-9F1E-A43E3668943B}\stubpath = "C:\\Windows\\{20AB4256-D743-4a28-9F1E-A43E3668943B}.exe"	{94190B44-D605-4101-AB20-6A1DD5E2D7BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{420139A4-E802-45a0-860E-65B93EF7A3AA}\stubpath = "C:\\Windows\\{420139A4-E802-45a0-860E-65B93EF7A3AA}.exe"	{5075C9BC-5EB3-48ee-9DB7-D7549B0A64EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C3FD920-B357-4647-964B-092A059E78B4}\stubpath = "C:\\Windows\\{0C3FD920-B357-4647-964B-092A059E78B4}.exe"	{D9D26F7E-ECF6-4ed6-BC99-98E10F89F4B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5075C9BC-5EB3-48ee-9DB7-D7549B0A64EE}\stubpath = "C:\\Windows\\{5075C9BC-5EB3-48ee-9DB7-D7549B0A64EE}.exe"	{0E7966D7-0506-460d-BB9C-43BB6E50F4F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D9F361F-AE7D-438a-9D42-88D70DB3A56B}\stubpath = "C:\\Windows\\{2D9F361F-AE7D-438a-9D42-88D70DB3A56B}.exe"	{8D5D2871-9D6A-45f6-93B6-468501CDE399}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C3FD920-B357-4647-964B-092A059E78B4}	{D9D26F7E-ECF6-4ed6-BC99-98E10F89F4B0}.exe

Deletes itself 1 IoCs

pid	Process
1728	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
3008	{94190B44-D605-4101-AB20-6A1DD5E2D7BC}.exe
2636	{20AB4256-D743-4a28-9F1E-A43E3668943B}.exe
2452	{9BB23C23-9A12-4430-9F41-D06A40C34F4B}.exe
2568	{8D5D2871-9D6A-45f6-93B6-468501CDE399}.exe
1508	{2D9F361F-AE7D-438a-9D42-88D70DB3A56B}.exe
1472	{08369ABE-86A8-4023-9F8A-4CA895A77C6C}.exe
2688	{D9D26F7E-ECF6-4ed6-BC99-98E10F89F4B0}.exe
1136	{0C3FD920-B357-4647-964B-092A059E78B4}.exe
2852	{0E7966D7-0506-460d-BB9C-43BB6E50F4F5}.exe
1744	{5075C9BC-5EB3-48ee-9DB7-D7549B0A64EE}.exe
1376	{420139A4-E802-45a0-860E-65B93EF7A3AA}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{08369ABE-86A8-4023-9F8A-4CA895A77C6C}.exe	{2D9F361F-AE7D-438a-9D42-88D70DB3A56B}.exe
File created	C:\Windows\{0E7966D7-0506-460d-BB9C-43BB6E50F4F5}.exe	{0C3FD920-B357-4647-964B-092A059E78B4}.exe
File created	C:\Windows\{5075C9BC-5EB3-48ee-9DB7-D7549B0A64EE}.exe	{0E7966D7-0506-460d-BB9C-43BB6E50F4F5}.exe
File created	C:\Windows\{420139A4-E802-45a0-860E-65B93EF7A3AA}.exe	{5075C9BC-5EB3-48ee-9DB7-D7549B0A64EE}.exe
File created	C:\Windows\{20AB4256-D743-4a28-9F1E-A43E3668943B}.exe	{94190B44-D605-4101-AB20-6A1DD5E2D7BC}.exe
File created	C:\Windows\{9BB23C23-9A12-4430-9F41-D06A40C34F4B}.exe	{20AB4256-D743-4a28-9F1E-A43E3668943B}.exe
File created	C:\Windows\{2D9F361F-AE7D-438a-9D42-88D70DB3A56B}.exe	{8D5D2871-9D6A-45f6-93B6-468501CDE399}.exe
File created	C:\Windows\{D9D26F7E-ECF6-4ed6-BC99-98E10F89F4B0}.exe	{08369ABE-86A8-4023-9F8A-4CA895A77C6C}.exe
File created	C:\Windows\{0C3FD920-B357-4647-964B-092A059E78B4}.exe	{D9D26F7E-ECF6-4ed6-BC99-98E10F89F4B0}.exe
File created	C:\Windows\{94190B44-D605-4101-AB20-6A1DD5E2D7BC}.exe	21eebd87d1af5cfcd790b8448f2f0ae0_NeikiAnalytics.exe
File created	C:\Windows\{8D5D2871-9D6A-45f6-93B6-468501CDE399}.exe	{9BB23C23-9A12-4430-9F41-D06A40C34F4B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2344	21eebd87d1af5cfcd790b8448f2f0ae0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	3008	{94190B44-D605-4101-AB20-6A1DD5E2D7BC}.exe
Token: SeIncBasePriorityPrivilege	2636	{20AB4256-D743-4a28-9F1E-A43E3668943B}.exe
Token: SeIncBasePriorityPrivilege	2452	{9BB23C23-9A12-4430-9F41-D06A40C34F4B}.exe
Token: SeIncBasePriorityPrivilege	2568	{8D5D2871-9D6A-45f6-93B6-468501CDE399}.exe
Token: SeIncBasePriorityPrivilege	1508	{2D9F361F-AE7D-438a-9D42-88D70DB3A56B}.exe
Token: SeIncBasePriorityPrivilege	1472	{08369ABE-86A8-4023-9F8A-4CA895A77C6C}.exe
Token: SeIncBasePriorityPrivilege	2688	{D9D26F7E-ECF6-4ed6-BC99-98E10F89F4B0}.exe
Token: SeIncBasePriorityPrivilege	1136	{0C3FD920-B357-4647-964B-092A059E78B4}.exe
Token: SeIncBasePriorityPrivilege	2852	{0E7966D7-0506-460d-BB9C-43BB6E50F4F5}.exe
Token: SeIncBasePriorityPrivilege	1744	{5075C9BC-5EB3-48ee-9DB7-D7549B0A64EE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 3008	2344	21eebd87d1af5cfcd790b8448f2f0ae0_NeikiAnalytics.exe	28
PID 2344 wrote to memory of 3008	2344	21eebd87d1af5cfcd790b8448f2f0ae0_NeikiAnalytics.exe	28
PID 2344 wrote to memory of 3008	2344	21eebd87d1af5cfcd790b8448f2f0ae0_NeikiAnalytics.exe	28
PID 2344 wrote to memory of 3008	2344	21eebd87d1af5cfcd790b8448f2f0ae0_NeikiAnalytics.exe	28
PID 2344 wrote to memory of 1728	2344	21eebd87d1af5cfcd790b8448f2f0ae0_NeikiAnalytics.exe	29
PID 2344 wrote to memory of 1728	2344	21eebd87d1af5cfcd790b8448f2f0ae0_NeikiAnalytics.exe	29
PID 2344 wrote to memory of 1728	2344	21eebd87d1af5cfcd790b8448f2f0ae0_NeikiAnalytics.exe	29
PID 2344 wrote to memory of 1728	2344	21eebd87d1af5cfcd790b8448f2f0ae0_NeikiAnalytics.exe	29
PID 3008 wrote to memory of 2636	3008	{94190B44-D605-4101-AB20-6A1DD5E2D7BC}.exe	30
PID 3008 wrote to memory of 2636	3008	{94190B44-D605-4101-AB20-6A1DD5E2D7BC}.exe	30
PID 3008 wrote to memory of 2636	3008	{94190B44-D605-4101-AB20-6A1DD5E2D7BC}.exe	30
PID 3008 wrote to memory of 2636	3008	{94190B44-D605-4101-AB20-6A1DD5E2D7BC}.exe	30
PID 3008 wrote to memory of 2672	3008	{94190B44-D605-4101-AB20-6A1DD5E2D7BC}.exe	31
PID 3008 wrote to memory of 2672	3008	{94190B44-D605-4101-AB20-6A1DD5E2D7BC}.exe	31
PID 3008 wrote to memory of 2672	3008	{94190B44-D605-4101-AB20-6A1DD5E2D7BC}.exe	31
PID 3008 wrote to memory of 2672	3008	{94190B44-D605-4101-AB20-6A1DD5E2D7BC}.exe	31
PID 2636 wrote to memory of 2452	2636	{20AB4256-D743-4a28-9F1E-A43E3668943B}.exe	32
PID 2636 wrote to memory of 2452	2636	{20AB4256-D743-4a28-9F1E-A43E3668943B}.exe	32
PID 2636 wrote to memory of 2452	2636	{20AB4256-D743-4a28-9F1E-A43E3668943B}.exe	32
PID 2636 wrote to memory of 2452	2636	{20AB4256-D743-4a28-9F1E-A43E3668943B}.exe	32
PID 2636 wrote to memory of 2564	2636	{20AB4256-D743-4a28-9F1E-A43E3668943B}.exe	33
PID 2636 wrote to memory of 2564	2636	{20AB4256-D743-4a28-9F1E-A43E3668943B}.exe	33
PID 2636 wrote to memory of 2564	2636	{20AB4256-D743-4a28-9F1E-A43E3668943B}.exe	33
PID 2636 wrote to memory of 2564	2636	{20AB4256-D743-4a28-9F1E-A43E3668943B}.exe	33
PID 2452 wrote to memory of 2568	2452	{9BB23C23-9A12-4430-9F41-D06A40C34F4B}.exe	36
PID 2452 wrote to memory of 2568	2452	{9BB23C23-9A12-4430-9F41-D06A40C34F4B}.exe	36
PID 2452 wrote to memory of 2568	2452	{9BB23C23-9A12-4430-9F41-D06A40C34F4B}.exe	36
PID 2452 wrote to memory of 2568	2452	{9BB23C23-9A12-4430-9F41-D06A40C34F4B}.exe	36
PID 2452 wrote to memory of 2952	2452	{9BB23C23-9A12-4430-9F41-D06A40C34F4B}.exe	37
PID 2452 wrote to memory of 2952	2452	{9BB23C23-9A12-4430-9F41-D06A40C34F4B}.exe	37
PID 2452 wrote to memory of 2952	2452	{9BB23C23-9A12-4430-9F41-D06A40C34F4B}.exe	37
PID 2452 wrote to memory of 2952	2452	{9BB23C23-9A12-4430-9F41-D06A40C34F4B}.exe	37
PID 2568 wrote to memory of 1508	2568	{8D5D2871-9D6A-45f6-93B6-468501CDE399}.exe	38
PID 2568 wrote to memory of 1508	2568	{8D5D2871-9D6A-45f6-93B6-468501CDE399}.exe	38
PID 2568 wrote to memory of 1508	2568	{8D5D2871-9D6A-45f6-93B6-468501CDE399}.exe	38
PID 2568 wrote to memory of 1508	2568	{8D5D2871-9D6A-45f6-93B6-468501CDE399}.exe	38
PID 2568 wrote to memory of 944	2568	{8D5D2871-9D6A-45f6-93B6-468501CDE399}.exe	39
PID 2568 wrote to memory of 944	2568	{8D5D2871-9D6A-45f6-93B6-468501CDE399}.exe	39
PID 2568 wrote to memory of 944	2568	{8D5D2871-9D6A-45f6-93B6-468501CDE399}.exe	39
PID 2568 wrote to memory of 944	2568	{8D5D2871-9D6A-45f6-93B6-468501CDE399}.exe	39
PID 1508 wrote to memory of 1472	1508	{2D9F361F-AE7D-438a-9D42-88D70DB3A56B}.exe	40
PID 1508 wrote to memory of 1472	1508	{2D9F361F-AE7D-438a-9D42-88D70DB3A56B}.exe	40
PID 1508 wrote to memory of 1472	1508	{2D9F361F-AE7D-438a-9D42-88D70DB3A56B}.exe	40
PID 1508 wrote to memory of 1472	1508	{2D9F361F-AE7D-438a-9D42-88D70DB3A56B}.exe	40
PID 1508 wrote to memory of 2732	1508	{2D9F361F-AE7D-438a-9D42-88D70DB3A56B}.exe	41
PID 1508 wrote to memory of 2732	1508	{2D9F361F-AE7D-438a-9D42-88D70DB3A56B}.exe	41
PID 1508 wrote to memory of 2732	1508	{2D9F361F-AE7D-438a-9D42-88D70DB3A56B}.exe	41
PID 1508 wrote to memory of 2732	1508	{2D9F361F-AE7D-438a-9D42-88D70DB3A56B}.exe	41
PID 1472 wrote to memory of 2688	1472	{08369ABE-86A8-4023-9F8A-4CA895A77C6C}.exe	42
PID 1472 wrote to memory of 2688	1472	{08369ABE-86A8-4023-9F8A-4CA895A77C6C}.exe	42
PID 1472 wrote to memory of 2688	1472	{08369ABE-86A8-4023-9F8A-4CA895A77C6C}.exe	42
PID 1472 wrote to memory of 2688	1472	{08369ABE-86A8-4023-9F8A-4CA895A77C6C}.exe	42
PID 1472 wrote to memory of 2692	1472	{08369ABE-86A8-4023-9F8A-4CA895A77C6C}.exe	43
PID 1472 wrote to memory of 2692	1472	{08369ABE-86A8-4023-9F8A-4CA895A77C6C}.exe	43
PID 1472 wrote to memory of 2692	1472	{08369ABE-86A8-4023-9F8A-4CA895A77C6C}.exe	43
PID 1472 wrote to memory of 2692	1472	{08369ABE-86A8-4023-9F8A-4CA895A77C6C}.exe	43
PID 2688 wrote to memory of 1136	2688	{D9D26F7E-ECF6-4ed6-BC99-98E10F89F4B0}.exe	44
PID 2688 wrote to memory of 1136	2688	{D9D26F7E-ECF6-4ed6-BC99-98E10F89F4B0}.exe	44
PID 2688 wrote to memory of 1136	2688	{D9D26F7E-ECF6-4ed6-BC99-98E10F89F4B0}.exe	44
PID 2688 wrote to memory of 1136	2688	{D9D26F7E-ECF6-4ed6-BC99-98E10F89F4B0}.exe	44
PID 2688 wrote to memory of 2824	2688	{D9D26F7E-ECF6-4ed6-BC99-98E10F89F4B0}.exe	45
PID 2688 wrote to memory of 2824	2688	{D9D26F7E-ECF6-4ed6-BC99-98E10F89F4B0}.exe	45
PID 2688 wrote to memory of 2824	2688	{D9D26F7E-ECF6-4ed6-BC99-98E10F89F4B0}.exe	45
PID 2688 wrote to memory of 2824	2688	{D9D26F7E-ECF6-4ed6-BC99-98E10F89F4B0}.exe	45

C:\Users\Admin\AppData\Local\Temp\21eebd87d1af5cfcd790b8448f2f0ae0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\21eebd87d1af5cfcd790b8448f2f0ae0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\{94190B44-D605-4101-AB20-6A1DD5E2D7BC}.exe
  C:\Windows\{94190B44-D605-4101-AB20-6A1DD5E2D7BC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\{20AB4256-D743-4a28-9F1E-A43E3668943B}.exe
    C:\Windows\{20AB4256-D743-4a28-9F1E-A43E3668943B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\{9BB23C23-9A12-4430-9F41-D06A40C34F4B}.exe
      C:\Windows\{9BB23C23-9A12-4430-9F41-D06A40C34F4B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2452
    - - C:\Windows\{8D5D2871-9D6A-45f6-93B6-468501CDE399}.exe
        
        C:\Windows\{8D5D2871-9D6A-45f6-93B6-468501CDE399}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2568
      - C:\Windows\{2D9F361F-AE7D-438a-9D42-88D70DB3A56B}.exe
        
        C:\Windows\{2D9F361F-AE7D-438a-9D42-88D70DB3A56B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\{08369ABE-86A8-4023-9F8A-4CA895A77C6C}.exe
        
        C:\Windows\{08369ABE-86A8-4023-9F8A-4CA895A77C6C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\{D9D26F7E-ECF6-4ed6-BC99-98E10F89F4B0}.exe
        
        C:\Windows\{D9D26F7E-ECF6-4ed6-BC99-98E10F89F4B0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\{0C3FD920-B357-4647-964B-092A059E78B4}.exe
        
        C:\Windows\{0C3FD920-B357-4647-964B-092A059E78B4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1136
        
        C:\Windows\{0E7966D7-0506-460d-BB9C-43BB6E50F4F5}.exe
        
        C:\Windows\{0E7966D7-0506-460d-BB9C-43BB6E50F4F5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\{5075C9BC-5EB3-48ee-9DB7-D7549B0A64EE}.exe
        
        C:\Windows\{5075C9BC-5EB3-48ee-9DB7-D7549B0A64EE}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
        
        C:\Windows\{420139A4-E802-45a0-860E-65B93EF7A3AA}.exe
        
        C:\Windows\{420139A4-E802-45a0-860E-65B93EF7A3AA}.exe
        12⤵
        Executes dropped EXE
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5075C~1.EXE > nul
        12⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E796~1.EXE > nul
        11⤵
        
        PID:596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C3FD~1.EXE > nul
        10⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9D26~1.EXE > nul
        9⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08369~1.EXE > nul
        8⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D9F3~1.EXE > nul
        7⤵
        
        PID:2732
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D5D2~1.EXE > nul
        6⤵
        
        PID:944
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9BB23~1.EXE > nul
        5⤵
        
        PID:2952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{20AB4~1.EXE > nul
      4⤵
      PID:2564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{94190~1.EXE > nul
    3⤵
    PID:2672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\21EEBD~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08369ABE-86A8-4023-9F8A-4CA895A77C6C}.exe

Filesize
60KB

MD5
50215a97ddaea7724af4ffaa66b51bb1

SHA1
11c0d649821d6a62072a30adee974c31ede08823

SHA256
105bf3d1bf0ad9ddf5676be9f8bdb2331306111617e3d973476675c38f379b98

SHA512
dcc9df5e26264812ddbbecd5d74fb4646eb6815e00e26c77819b5ccf918d652778eff11dbf766e758365f7ae27962e7806f51d05c0c48f6e157b4f7e045a6e9c

Download Submit
C:\Windows\{0C3FD920-B357-4647-964B-092A059E78B4}.exe

Filesize
60KB

MD5
e38047a805b1f8f8e18006897c1f94e7

SHA1
cd6f778854202bdca622fc6bbf3e810525349241

SHA256
9317a5b84c6bff3b89acc0c24bbdcd429b623cd22d161153055df248993634df

SHA512
27eb26776626547107c6736c523c2e9197f2349150ea07aa7463f538ab4ef06a9bd5c7436a10c861b68961e7241f9fcb9d31383d32b7ff9bd78f7395848be209

Download Submit
C:\Windows\{0E7966D7-0506-460d-BB9C-43BB6E50F4F5}.exe

Filesize
60KB

MD5
a3618b579236b8f4bdf5f07e1a31f623

SHA1
9fae0ad6f908911f32b770c53cb961a699d6c62a

SHA256
9842dfe60e1c84a34fa4e06c184708d33650ac775d880d8c8f7832811c5f69c1

SHA512
b32d58ae6e37517b190c27ceb6009caf1538eb9407c67ff2e29abc3583c2fbd3ccc537e01cc81aadc3736d686ac8dae4f9748d8ee40aad7908731a3196540683

Download Submit
C:\Windows\{20AB4256-D743-4a28-9F1E-A43E3668943B}.exe

Filesize
60KB

MD5
9c17412c6bfc90c4d41aab77df86eb04

SHA1
bfd57f758341d88dd669d560a1a768a06c953e36

SHA256
2a90df46b8142bed96c85ff96f85f9e6f121e8d5d691e8d1c8133a3c803db81f

SHA512
81c62820d642453634d45ccc72465684b3796c1940815f10c9f3ff51de36aab9324b839dd649c22302d7995c51f5aab5c00192be75207a2f7977030f3c39df8d

Download Submit
C:\Windows\{2D9F361F-AE7D-438a-9D42-88D70DB3A56B}.exe

Filesize
60KB

MD5
c6836d26020236db09016ca3542d180f

SHA1
6c42544eb34ae135c04dff9aee7ccb9cc387cb14

SHA256
ce3dd5a1aa5d85d14c1ddad6222fe50e1ac2afbfa3c5e97cc367e939e0664d66

SHA512
1c822b39014b5bade0b28ad7808dcb45a1c999184dc2ee916d8126d3f567d2df425e911926b0aeec6d636965c6f3199796109bb6add93e6666d0a45e7d9a167e

Download Submit
C:\Windows\{420139A4-E802-45a0-860E-65B93EF7A3AA}.exe

Filesize
60KB

MD5
18e124b6b4fa9feafc83d358e6aa03cf

SHA1
b49a162c4dca479ba678c1600410fb02eee8354a

SHA256
dbca179b966145517db28daa8ef96e3c5a5cfed3a3adf7d61f190b8a5f6a2409

SHA512
8eb0a7519ef84363af9852200c709d6102256cf1a90316ab34ca8fc7db4706e1777e3a7e86b53b93247198e22df286e1b1b7b0dfcef5dcca9c23f870d97ab884

Download Submit
C:\Windows\{5075C9BC-5EB3-48ee-9DB7-D7549B0A64EE}.exe

Filesize
60KB

MD5
90a5f9892f3990953ec5d3fbe3fe36bc

SHA1
a5749d29dd65fc6ebd65d21721d96db45e06a5ad

SHA256
9c53852c8980e950ca546f9312a23ac8417fa2e2ac2f1344e906688b07c88ec9

SHA512
524500e30392772eb55370d23661fc407e10f3ccba24fa7c09825ca8a48d7b4d5ea38c4397a6e7bc55f0bfe1dc70706e67d2c0d0baf11792cc8b9588f7224141

Download Submit
C:\Windows\{8D5D2871-9D6A-45f6-93B6-468501CDE399}.exe

Filesize
60KB

MD5
e3bf7e184e94910e0b399367286d0aea

SHA1
b7d10b14fa3cda3852608b85087a3e3b177d19fd

SHA256
5dce6509c219f18496ce93a233a5f4c5ef1bca48c88062335d76ee3466986326

SHA512
63b8f16e1ce99ce5dd436c4460d1af6fcc6bf3db1f30f31bfb42459ea625681cc0581bc1cff4a7c69c4262dd3ee09ef0d921e4588a42981e7cdbfdeacb57a53d

Download Submit
C:\Windows\{94190B44-D605-4101-AB20-6A1DD5E2D7BC}.exe

Filesize
60KB

MD5
f9c77d6e5317fa2b7f7970b5faa9ef3e

SHA1
1a0d7287168ca47ad2e77fd7c47e7d4504d57274

SHA256
f33deb222c4f77e3f03cf5f360eab374a7724de8c22591d36d0e7a7e2e8c2fb2

SHA512
ac80bb278795d5a72d303a5c4ed406296bd2b20783e3d322b9b47e05e194b8a382f41ff675648e17e2841aa94f90edfd9774244346b7edfcf52b53022957775f

Download Submit
C:\Windows\{9BB23C23-9A12-4430-9F41-D06A40C34F4B}.exe

Filesize
60KB

MD5
7337b11609dd1abda245e84e50241745

SHA1
50a25340cac67827015ebf8af13b8f12646ad163

SHA256
d3911114b878079079355ed68818281db79ca78938b3e639db4cf11b5e7e884f

SHA512
f429bd374a1dd5f7759f0ef516cf74980927a91846dcf5ab22f490934477b613d822042eadaa4ff242f935210d968cc461776ce9347963fd80a3e7f4df0a7b9b

Download Submit
C:\Windows\{D9D26F7E-ECF6-4ed6-BC99-98E10F89F4B0}.exe

Filesize
60KB

MD5
ffbfc1d9f36061fa72e6d3f4712445b8

SHA1
607ff0a246443a8ecbfcef72084934c849597d99

SHA256
92962ab6adad883b52bec2fc45352c4230909540e7ef618d788a04371b4e43ac

SHA512
1ccb02e03b8d7a1975b0b9cd39e9186f8ccb6d90a3acd17ac57df0aa7dfb5889581374d622d034c4304d15a75a8041c6bb216ffdac4f4cd4cf7f1eb69e3b3b58

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads