d35fba75d05df718acf99dc34a4fdf50e9f3b6edde90a731b7248caa2ba4c7fc

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7abae39050b21603339f64cd6d228590_NeikiAnalytics.exe
Size

64KB
MD5

7abae39050b21603339f64cd6d228590
SHA1

0ac1780652eb03bad6a883d9ddd6024a34a35eed
SHA256

d35fba75d05df718acf99dc34a4fdf50e9f3b6edde90a731b7248caa2ba4c7fc
SHA512

2dd7f3a2a29db81b2a956a838cb57cf5ef8a5c396fe31c8915b0c7d6f5fb450870545796b58aa22bd8d539528cf75126e5c31c3f03931f771adf893d78612404
SSDEEP

384:ObLwOs8AHsc4HMPwhKQLrog4/CFsrdHWMZw:Ovw981xvhKQLrog4/wQpWMZw

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84A751C5-AC1A-4936-B730-7DB5E0650205}\stubpath = "C:\\Windows\\{84A751C5-AC1A-4936-B730-7DB5E0650205}.exe"	{A6026755-1390-4ac4-9B13-C4B36D550C26}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1B175AD-0F9B-4376-A43F-6EA690FCA706}	{FB2C1091-FA8F-4541-A83A-A52C86AB9FEC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6026755-1390-4ac4-9B13-C4B36D550C26}\stubpath = "C:\\Windows\\{A6026755-1390-4ac4-9B13-C4B36D550C26}.exe"	{6BD88C7B-0028-457f-BCDA-D9414B7ADC69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1B175AD-0F9B-4376-A43F-6EA690FCA706}\stubpath = "C:\\Windows\\{C1B175AD-0F9B-4376-A43F-6EA690FCA706}.exe"	{FB2C1091-FA8F-4541-A83A-A52C86AB9FEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD7C4B97-20AC-4f60-A2EF-CC5CFC00B2F1}	{2EF3C962-569A-4e19-9ECA-D7C1144ECD75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD7C4B97-20AC-4f60-A2EF-CC5CFC00B2F1}\stubpath = "C:\\Windows\\{FD7C4B97-20AC-4f60-A2EF-CC5CFC00B2F1}.exe"	{2EF3C962-569A-4e19-9ECA-D7C1144ECD75}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B9BAB6C-0D72-49f4-AD5B-FD81870DDD27}	7abae39050b21603339f64cd6d228590_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EFFFEC5-D6C5-4892-841C-355F1D7BBF20}	{7B9BAB6C-0D72-49f4-AD5B-FD81870DDD27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84A751C5-AC1A-4936-B730-7DB5E0650205}	{A6026755-1390-4ac4-9B13-C4B36D550C26}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB2C1091-FA8F-4541-A83A-A52C86AB9FEC}	{84A751C5-AC1A-4936-B730-7DB5E0650205}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB2C1091-FA8F-4541-A83A-A52C86AB9FEC}\stubpath = "C:\\Windows\\{FB2C1091-FA8F-4541-A83A-A52C86AB9FEC}.exe"	{84A751C5-AC1A-4936-B730-7DB5E0650205}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6E70D3C-5170-48a2-B910-C6034C76C3D9}	{C1B175AD-0F9B-4376-A43F-6EA690FCA706}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2EF3C962-569A-4e19-9ECA-D7C1144ECD75}	{B6E70D3C-5170-48a2-B910-C6034C76C3D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B9BAB6C-0D72-49f4-AD5B-FD81870DDD27}\stubpath = "C:\\Windows\\{7B9BAB6C-0D72-49f4-AD5B-FD81870DDD27}.exe"	7abae39050b21603339f64cd6d228590_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BD88C7B-0028-457f-BCDA-D9414B7ADC69}	{4EFFFEC5-D6C5-4892-841C-355F1D7BBF20}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6026755-1390-4ac4-9B13-C4B36D550C26}	{6BD88C7B-0028-457f-BCDA-D9414B7ADC69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6E70D3C-5170-48a2-B910-C6034C76C3D9}\stubpath = "C:\\Windows\\{B6E70D3C-5170-48a2-B910-C6034C76C3D9}.exe"	{C1B175AD-0F9B-4376-A43F-6EA690FCA706}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2EF3C962-569A-4e19-9ECA-D7C1144ECD75}\stubpath = "C:\\Windows\\{2EF3C962-569A-4e19-9ECA-D7C1144ECD75}.exe"	{B6E70D3C-5170-48a2-B910-C6034C76C3D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D380029B-736D-4a1d-8925-657DB60FA860}	{FD7C4B97-20AC-4f60-A2EF-CC5CFC00B2F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D380029B-736D-4a1d-8925-657DB60FA860}\stubpath = "C:\\Windows\\{D380029B-736D-4a1d-8925-657DB60FA860}.exe"	{FD7C4B97-20AC-4f60-A2EF-CC5CFC00B2F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EFFFEC5-D6C5-4892-841C-355F1D7BBF20}\stubpath = "C:\\Windows\\{4EFFFEC5-D6C5-4892-841C-355F1D7BBF20}.exe"	{7B9BAB6C-0D72-49f4-AD5B-FD81870DDD27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BD88C7B-0028-457f-BCDA-D9414B7ADC69}\stubpath = "C:\\Windows\\{6BD88C7B-0028-457f-BCDA-D9414B7ADC69}.exe"	{4EFFFEC5-D6C5-4892-841C-355F1D7BBF20}.exe

Deletes itself 1 IoCs

pid	Process
2520	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2484	{7B9BAB6C-0D72-49f4-AD5B-FD81870DDD27}.exe
2960	{4EFFFEC5-D6C5-4892-841C-355F1D7BBF20}.exe
2324	{6BD88C7B-0028-457f-BCDA-D9414B7ADC69}.exe
2368	{A6026755-1390-4ac4-9B13-C4B36D550C26}.exe
328	{84A751C5-AC1A-4936-B730-7DB5E0650205}.exe
2280	{FB2C1091-FA8F-4541-A83A-A52C86AB9FEC}.exe
2136	{C1B175AD-0F9B-4376-A43F-6EA690FCA706}.exe
3000	{B6E70D3C-5170-48a2-B910-C6034C76C3D9}.exe
3040	{2EF3C962-569A-4e19-9ECA-D7C1144ECD75}.exe
1404	{FD7C4B97-20AC-4f60-A2EF-CC5CFC00B2F1}.exe
1896	{D380029B-736D-4a1d-8925-657DB60FA860}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6BD88C7B-0028-457f-BCDA-D9414B7ADC69}.exe	{4EFFFEC5-D6C5-4892-841C-355F1D7BBF20}.exe
File created	C:\Windows\{A6026755-1390-4ac4-9B13-C4B36D550C26}.exe	{6BD88C7B-0028-457f-BCDA-D9414B7ADC69}.exe
File created	C:\Windows\{C1B175AD-0F9B-4376-A43F-6EA690FCA706}.exe	{FB2C1091-FA8F-4541-A83A-A52C86AB9FEC}.exe
File created	C:\Windows\{B6E70D3C-5170-48a2-B910-C6034C76C3D9}.exe	{C1B175AD-0F9B-4376-A43F-6EA690FCA706}.exe
File created	C:\Windows\{2EF3C962-569A-4e19-9ECA-D7C1144ECD75}.exe	{B6E70D3C-5170-48a2-B910-C6034C76C3D9}.exe
File created	C:\Windows\{FD7C4B97-20AC-4f60-A2EF-CC5CFC00B2F1}.exe	{2EF3C962-569A-4e19-9ECA-D7C1144ECD75}.exe
File created	C:\Windows\{D380029B-736D-4a1d-8925-657DB60FA860}.exe	{FD7C4B97-20AC-4f60-A2EF-CC5CFC00B2F1}.exe
File created	C:\Windows\{7B9BAB6C-0D72-49f4-AD5B-FD81870DDD27}.exe	7abae39050b21603339f64cd6d228590_NeikiAnalytics.exe
File created	C:\Windows\{4EFFFEC5-D6C5-4892-841C-355F1D7BBF20}.exe	{7B9BAB6C-0D72-49f4-AD5B-FD81870DDD27}.exe
File created	C:\Windows\{84A751C5-AC1A-4936-B730-7DB5E0650205}.exe	{A6026755-1390-4ac4-9B13-C4B36D550C26}.exe
File created	C:\Windows\{FB2C1091-FA8F-4541-A83A-A52C86AB9FEC}.exe	{84A751C5-AC1A-4936-B730-7DB5E0650205}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2904	7abae39050b21603339f64cd6d228590_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2484	{7B9BAB6C-0D72-49f4-AD5B-FD81870DDD27}.exe
Token: SeIncBasePriorityPrivilege	2960	{4EFFFEC5-D6C5-4892-841C-355F1D7BBF20}.exe
Token: SeIncBasePriorityPrivilege	2324	{6BD88C7B-0028-457f-BCDA-D9414B7ADC69}.exe
Token: SeIncBasePriorityPrivilege	2368	{A6026755-1390-4ac4-9B13-C4B36D550C26}.exe
Token: SeIncBasePriorityPrivilege	328	{84A751C5-AC1A-4936-B730-7DB5E0650205}.exe
Token: SeIncBasePriorityPrivilege	2280	{FB2C1091-FA8F-4541-A83A-A52C86AB9FEC}.exe
Token: SeIncBasePriorityPrivilege	2136	{C1B175AD-0F9B-4376-A43F-6EA690FCA706}.exe
Token: SeIncBasePriorityPrivilege	3000	{B6E70D3C-5170-48a2-B910-C6034C76C3D9}.exe
Token: SeIncBasePriorityPrivilege	3040	{2EF3C962-569A-4e19-9ECA-D7C1144ECD75}.exe
Token: SeIncBasePriorityPrivilege	1404	{FD7C4B97-20AC-4f60-A2EF-CC5CFC00B2F1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 2484	2904	7abae39050b21603339f64cd6d228590_NeikiAnalytics.exe	28
PID 2904 wrote to memory of 2484	2904	7abae39050b21603339f64cd6d228590_NeikiAnalytics.exe	28
PID 2904 wrote to memory of 2484	2904	7abae39050b21603339f64cd6d228590_NeikiAnalytics.exe	28
PID 2904 wrote to memory of 2484	2904	7abae39050b21603339f64cd6d228590_NeikiAnalytics.exe	28
PID 2904 wrote to memory of 2520	2904	7abae39050b21603339f64cd6d228590_NeikiAnalytics.exe	29
PID 2904 wrote to memory of 2520	2904	7abae39050b21603339f64cd6d228590_NeikiAnalytics.exe	29
PID 2904 wrote to memory of 2520	2904	7abae39050b21603339f64cd6d228590_NeikiAnalytics.exe	29
PID 2904 wrote to memory of 2520	2904	7abae39050b21603339f64cd6d228590_NeikiAnalytics.exe	29
PID 2484 wrote to memory of 2960	2484	{7B9BAB6C-0D72-49f4-AD5B-FD81870DDD27}.exe	30
PID 2484 wrote to memory of 2960	2484	{7B9BAB6C-0D72-49f4-AD5B-FD81870DDD27}.exe	30
PID 2484 wrote to memory of 2960	2484	{7B9BAB6C-0D72-49f4-AD5B-FD81870DDD27}.exe	30
PID 2484 wrote to memory of 2960	2484	{7B9BAB6C-0D72-49f4-AD5B-FD81870DDD27}.exe	30
PID 2484 wrote to memory of 2708	2484	{7B9BAB6C-0D72-49f4-AD5B-FD81870DDD27}.exe	31
PID 2484 wrote to memory of 2708	2484	{7B9BAB6C-0D72-49f4-AD5B-FD81870DDD27}.exe	31
PID 2484 wrote to memory of 2708	2484	{7B9BAB6C-0D72-49f4-AD5B-FD81870DDD27}.exe	31
PID 2484 wrote to memory of 2708	2484	{7B9BAB6C-0D72-49f4-AD5B-FD81870DDD27}.exe	31
PID 2960 wrote to memory of 2324	2960	{4EFFFEC5-D6C5-4892-841C-355F1D7BBF20}.exe	32
PID 2960 wrote to memory of 2324	2960	{4EFFFEC5-D6C5-4892-841C-355F1D7BBF20}.exe	32
PID 2960 wrote to memory of 2324	2960	{4EFFFEC5-D6C5-4892-841C-355F1D7BBF20}.exe	32
PID 2960 wrote to memory of 2324	2960	{4EFFFEC5-D6C5-4892-841C-355F1D7BBF20}.exe	32
PID 2960 wrote to memory of 2396	2960	{4EFFFEC5-D6C5-4892-841C-355F1D7BBF20}.exe	33
PID 2960 wrote to memory of 2396	2960	{4EFFFEC5-D6C5-4892-841C-355F1D7BBF20}.exe	33
PID 2960 wrote to memory of 2396	2960	{4EFFFEC5-D6C5-4892-841C-355F1D7BBF20}.exe	33
PID 2960 wrote to memory of 2396	2960	{4EFFFEC5-D6C5-4892-841C-355F1D7BBF20}.exe	33
PID 2324 wrote to memory of 2368	2324	{6BD88C7B-0028-457f-BCDA-D9414B7ADC69}.exe	36
PID 2324 wrote to memory of 2368	2324	{6BD88C7B-0028-457f-BCDA-D9414B7ADC69}.exe	36
PID 2324 wrote to memory of 2368	2324	{6BD88C7B-0028-457f-BCDA-D9414B7ADC69}.exe	36
PID 2324 wrote to memory of 2368	2324	{6BD88C7B-0028-457f-BCDA-D9414B7ADC69}.exe	36
PID 2324 wrote to memory of 2696	2324	{6BD88C7B-0028-457f-BCDA-D9414B7ADC69}.exe	37
PID 2324 wrote to memory of 2696	2324	{6BD88C7B-0028-457f-BCDA-D9414B7ADC69}.exe	37
PID 2324 wrote to memory of 2696	2324	{6BD88C7B-0028-457f-BCDA-D9414B7ADC69}.exe	37
PID 2324 wrote to memory of 2696	2324	{6BD88C7B-0028-457f-BCDA-D9414B7ADC69}.exe	37
PID 2368 wrote to memory of 328	2368	{A6026755-1390-4ac4-9B13-C4B36D550C26}.exe	38
PID 2368 wrote to memory of 328	2368	{A6026755-1390-4ac4-9B13-C4B36D550C26}.exe	38
PID 2368 wrote to memory of 328	2368	{A6026755-1390-4ac4-9B13-C4B36D550C26}.exe	38
PID 2368 wrote to memory of 328	2368	{A6026755-1390-4ac4-9B13-C4B36D550C26}.exe	38
PID 2368 wrote to memory of 1248	2368	{A6026755-1390-4ac4-9B13-C4B36D550C26}.exe	39
PID 2368 wrote to memory of 1248	2368	{A6026755-1390-4ac4-9B13-C4B36D550C26}.exe	39
PID 2368 wrote to memory of 1248	2368	{A6026755-1390-4ac4-9B13-C4B36D550C26}.exe	39
PID 2368 wrote to memory of 1248	2368	{A6026755-1390-4ac4-9B13-C4B36D550C26}.exe	39
PID 328 wrote to memory of 2280	328	{84A751C5-AC1A-4936-B730-7DB5E0650205}.exe	40
PID 328 wrote to memory of 2280	328	{84A751C5-AC1A-4936-B730-7DB5E0650205}.exe	40
PID 328 wrote to memory of 2280	328	{84A751C5-AC1A-4936-B730-7DB5E0650205}.exe	40
PID 328 wrote to memory of 2280	328	{84A751C5-AC1A-4936-B730-7DB5E0650205}.exe	40
PID 328 wrote to memory of 860	328	{84A751C5-AC1A-4936-B730-7DB5E0650205}.exe	41
PID 328 wrote to memory of 860	328	{84A751C5-AC1A-4936-B730-7DB5E0650205}.exe	41
PID 328 wrote to memory of 860	328	{84A751C5-AC1A-4936-B730-7DB5E0650205}.exe	41
PID 328 wrote to memory of 860	328	{84A751C5-AC1A-4936-B730-7DB5E0650205}.exe	41
PID 2280 wrote to memory of 2136	2280	{FB2C1091-FA8F-4541-A83A-A52C86AB9FEC}.exe	42
PID 2280 wrote to memory of 2136	2280	{FB2C1091-FA8F-4541-A83A-A52C86AB9FEC}.exe	42
PID 2280 wrote to memory of 2136	2280	{FB2C1091-FA8F-4541-A83A-A52C86AB9FEC}.exe	42
PID 2280 wrote to memory of 2136	2280	{FB2C1091-FA8F-4541-A83A-A52C86AB9FEC}.exe	42
PID 2280 wrote to memory of 1360	2280	{FB2C1091-FA8F-4541-A83A-A52C86AB9FEC}.exe	43
PID 2280 wrote to memory of 1360	2280	{FB2C1091-FA8F-4541-A83A-A52C86AB9FEC}.exe	43
PID 2280 wrote to memory of 1360	2280	{FB2C1091-FA8F-4541-A83A-A52C86AB9FEC}.exe	43
PID 2280 wrote to memory of 1360	2280	{FB2C1091-FA8F-4541-A83A-A52C86AB9FEC}.exe	43
PID 2136 wrote to memory of 3000	2136	{C1B175AD-0F9B-4376-A43F-6EA690FCA706}.exe	44
PID 2136 wrote to memory of 3000	2136	{C1B175AD-0F9B-4376-A43F-6EA690FCA706}.exe	44
PID 2136 wrote to memory of 3000	2136	{C1B175AD-0F9B-4376-A43F-6EA690FCA706}.exe	44
PID 2136 wrote to memory of 3000	2136	{C1B175AD-0F9B-4376-A43F-6EA690FCA706}.exe	44
PID 2136 wrote to memory of 2756	2136	{C1B175AD-0F9B-4376-A43F-6EA690FCA706}.exe	45
PID 2136 wrote to memory of 2756	2136	{C1B175AD-0F9B-4376-A43F-6EA690FCA706}.exe	45
PID 2136 wrote to memory of 2756	2136	{C1B175AD-0F9B-4376-A43F-6EA690FCA706}.exe	45
PID 2136 wrote to memory of 2756	2136	{C1B175AD-0F9B-4376-A43F-6EA690FCA706}.exe	45

C:\Users\Admin\AppData\Local\Temp\7abae39050b21603339f64cd6d228590_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7abae39050b21603339f64cd6d228590_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\{7B9BAB6C-0D72-49f4-AD5B-FD81870DDD27}.exe
  C:\Windows\{7B9BAB6C-0D72-49f4-AD5B-FD81870DDD27}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\{4EFFFEC5-D6C5-4892-841C-355F1D7BBF20}.exe
    C:\Windows\{4EFFFEC5-D6C5-4892-841C-355F1D7BBF20}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Windows\{6BD88C7B-0028-457f-BCDA-D9414B7ADC69}.exe
      C:\Windows\{6BD88C7B-0028-457f-BCDA-D9414B7ADC69}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2324
    - - C:\Windows\{A6026755-1390-4ac4-9B13-C4B36D550C26}.exe
        
        C:\Windows\{A6026755-1390-4ac4-9B13-C4B36D550C26}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2368
      - C:\Windows\{84A751C5-AC1A-4936-B730-7DB5E0650205}.exe
        
        C:\Windows\{84A751C5-AC1A-4936-B730-7DB5E0650205}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:328
        
        C:\Windows\{FB2C1091-FA8F-4541-A83A-A52C86AB9FEC}.exe
        
        C:\Windows\{FB2C1091-FA8F-4541-A83A-A52C86AB9FEC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\{C1B175AD-0F9B-4376-A43F-6EA690FCA706}.exe
        
        C:\Windows\{C1B175AD-0F9B-4376-A43F-6EA690FCA706}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\{B6E70D3C-5170-48a2-B910-C6034C76C3D9}.exe
        
        C:\Windows\{B6E70D3C-5170-48a2-B910-C6034C76C3D9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\{2EF3C962-569A-4e19-9ECA-D7C1144ECD75}.exe
        
        C:\Windows\{2EF3C962-569A-4e19-9ECA-D7C1144ECD75}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\{FD7C4B97-20AC-4f60-A2EF-CC5CFC00B2F1}.exe
        
        C:\Windows\{FD7C4B97-20AC-4f60-A2EF-CC5CFC00B2F1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1404
        
        C:\Windows\{D380029B-736D-4a1d-8925-657DB60FA860}.exe
        
        C:\Windows\{D380029B-736D-4a1d-8925-657DB60FA860}.exe
        12⤵
        Executes dropped EXE
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD7C4~1.EXE > nul
        12⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2EF3C~1.EXE > nul
        11⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6E70~1.EXE > nul
        10⤵
        
        PID:604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1B17~1.EXE > nul
        9⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB2C1~1.EXE > nul
        8⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84A75~1.EXE > nul
        7⤵
        
        PID:860
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6026~1.EXE > nul
        6⤵
        
        PID:1248
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6BD88~1.EXE > nul
        5⤵
        
        PID:2696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4EFFF~1.EXE > nul
      4⤵
      PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7B9BA~1.EXE > nul
    3⤵
    PID:2708
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7ABAE3~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2EF3C962-569A-4e19-9ECA-D7C1144ECD75}.exe

Filesize
64KB

MD5
397104cea1c77dada103f430e7228828

SHA1
ed660806df0184493faac9a7818099a07d4d35f5

SHA256
96527a90376f09e328adcbcb89423e97515d14c7655c3cd28b85516c94377eb6

SHA512
b138b912bc710f2da2ee986a7b48e9da393dd03a6caf0ba66b1d2310464b36480f197dc0c88654c3a987f0f755bf9cca4ed367b9b465e04eb90bc325530fca28

Download Submit
C:\Windows\{4EFFFEC5-D6C5-4892-841C-355F1D7BBF20}.exe

Filesize
64KB

MD5
2723b3bbc908cd915dbe4b1c1760b762

SHA1
1554ed43a7022a5363593b5c29a6ba76f928e08d

SHA256
0135f2f245a506158cfd955f02f2cbc8beca23588d4c0bd13c9b6a003542cb5a

SHA512
6cb44f1ac1e9eb5d1f5c7eaa6ce89f1fa793a9b5c0ae9b00fbd957363d68d4bfddcfad127da30f9083e4145b292ffce8c61ecb99728e0ccbbd1bda3825e78367

Download Submit
C:\Windows\{6BD88C7B-0028-457f-BCDA-D9414B7ADC69}.exe

Filesize
64KB

MD5
b5f59c6be9eedf60d9fd202f6eb40ccf

SHA1
d14075aa411b02eb476195776a0daea2a2a8a583

SHA256
72054c1af087f311f6225e7c5f9cf3dca001aaaff39a306188f05cf5588ca161

SHA512
7b4cfe91a22c218725c358cca28f462e8c708ddf5171520a4bcf2948e4b25be6bbb886ff31d0e5f2712863be75239444e6a9b145cdff59c62d0f25464772dc51

Download Submit
C:\Windows\{7B9BAB6C-0D72-49f4-AD5B-FD81870DDD27}.exe

Filesize
64KB

MD5
29718684001ff741374d607e190ebe65

SHA1
bf9404a3ea691a721d696122809754056fadbb2e

SHA256
ce54ea65ffc0da0590b741aacf4b65c49f6e6b6a314de00a0bc65dc8af8e9c33

SHA512
c22429c1cc99cc66b1bace7f82e3497914e15befc219005a943c40806c6c3531a1e5698b7b569afb27e0989ad0ea2bb9c789454ffe8ba4c1cb3a518b8534fc8d

Download Submit
C:\Windows\{84A751C5-AC1A-4936-B730-7DB5E0650205}.exe

Filesize
64KB

MD5
e39dcebfc3dd97e7a97403411ef7cebd

SHA1
21e33ecb228ec364307712c3c0eeda7e6ef51f39

SHA256
377abe72a641d07129101150d0b34a1da767cc4885f2138e45ad16a58ea1a1e8

SHA512
d9611017bd8790f2ff87cda359aeb42b89934022730cb20571683da7ea57e15887ff5a30198ca8e250c9252234638a13a7e161efc31a7b7735df86f469d51c80

Download Submit
C:\Windows\{A6026755-1390-4ac4-9B13-C4B36D550C26}.exe

Filesize
64KB

MD5
9c79a6887b7f3b2e4e4e647b4032f20e

SHA1
4d7ee86ac37e18004d0224890a01139c2e62d317

SHA256
81b0c54d0492261a53952322d68bcd7669979616f601cf932546e9afabc3f603

SHA512
c8d98df3b4caf44ef640bbace95eec9b2d2d0fc646d96a3cd9da3babe80479fd973e806cc1ed7b31823ea3a8602d23c260e9cb3e8a21f7254d9cbe04ae3f208c

Download Submit
C:\Windows\{B6E70D3C-5170-48a2-B910-C6034C76C3D9}.exe

Filesize
64KB

MD5
9bcbdcd517b5f1e9be321b1307891a3a

SHA1
606b8d70b2921d49fcb2586f09b1e9704a490f4a

SHA256
344d5dddda9a3444d3a8692edd4c197df8a4a6962e58ac35aac76c55cec51508

SHA512
5debfb918037c7784510c8a8928a98bd4480e0566d9cd0f9fd05e1ebf6257e8a3fb7c43a53326b3ded02336e4824b308334c755638e2de142c369d12d5408a11

Download Submit
C:\Windows\{C1B175AD-0F9B-4376-A43F-6EA690FCA706}.exe

Filesize
64KB

MD5
c9d4b00dd00878914ec63576d0628ba1

SHA1
13cddf082413407a2b29f79e59cfef7c542b099a

SHA256
7967ed5f2be4839b9c0f216498891d1bef03cb14f5c8aa88785de527096eeb1f

SHA512
ad9e6d02f77c21a351efdb8f8b8dcdca3daf3f87db82d6eaceb89406fffa6bfd1fa4f6cbc3fc28b6176feb0824111d9afde110d28bd78e9a67ebf9e9df66ff9c

Download Submit
C:\Windows\{D380029B-736D-4a1d-8925-657DB60FA860}.exe

Filesize
64KB

MD5
d408ef77445162f6391b32ddd057ebf9

SHA1
6a02194b7b4a15690fd55bd956e478e1b97c55c2

SHA256
358f5e1cef9d1241b200b1e8a1cf9ceb8343e7d4339942ee0020691d647f4e19

SHA512
03fbb0ed7ee2c62038d8d401d4eaa7a2510e8e30abb43f271b2d1f02debe8b6830da885cc77487e56b26f8fe24083fc5f19663a85da9f6896fadf87c0de1e8c5

Download Submit
C:\Windows\{FB2C1091-FA8F-4541-A83A-A52C86AB9FEC}.exe

Filesize
64KB

MD5
69b087d7c93a7dcf751429b51d97dde0

SHA1
bf6d05b89fa2225f62e48bdec54198a8b8134cae

SHA256
b6007d9493c2f37e0c313a715e7d3a008691ede2d6e7f264becf65930137c2ce

SHA512
7b6cb60958212bf770b15a5fb69af81cb0ef5803e43cfa9080038d75468aa46679895ddc0fecc4663259742d8e3f66c9ba18e33ec2ef24a9c923f2d3f064ff3a

Download Submit
C:\Windows\{FD7C4B97-20AC-4f60-A2EF-CC5CFC00B2F1}.exe

Filesize
64KB

MD5
cf8e29b0731565027fb8b3c22fb9888a

SHA1
4cd84ab36a105e39cbbf2c7df5da537313d975dd

SHA256
7ddbed9ee6f017e0d814a81adb66901935bb42e54c2b1859effab06b5128996b

SHA512
7c64d4c8a8c1900d223ac3f91a7454e295c28bfc64568ef73066b69c244433ddf115d9d8bf3cdae771f00d54fd7f72de326961ef8c11f2b98395e31fcc75182f

Download Submit
memory/328-46-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/328-53-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1404-90-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1404-97-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1896-99-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2136-71-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2136-64-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2280-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2280-55-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2324-35-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2324-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2368-37-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2368-45-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2484-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2484-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2904-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2904-8-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/2904-7-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/2904-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2960-27-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2960-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3000-73-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3000-80-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3040-89-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads