d35fba75d05df718acf99dc34a4fdf50e9f3b6edde90a731b7248caa2ba4c7fc

Analysis

max time kernel
149s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7abae39050b21603339f64cd6d228590_NeikiAnalytics.exe
Size

64KB
MD5

7abae39050b21603339f64cd6d228590
SHA1

0ac1780652eb03bad6a883d9ddd6024a34a35eed
SHA256

d35fba75d05df718acf99dc34a4fdf50e9f3b6edde90a731b7248caa2ba4c7fc
SHA512

2dd7f3a2a29db81b2a956a838cb57cf5ef8a5c396fe31c8915b0c7d6f5fb450870545796b58aa22bd8d539528cf75126e5c31c3f03931f771adf893d78612404
SSDEEP

384:ObLwOs8AHsc4HMPwhKQLrog4/CFsrdHWMZw:Ovw981xvhKQLrog4/wQpWMZw

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{309C3F18-F078-46fb-8C66-137ECE4E5F94}\stubpath = "C:\\Windows\\{309C3F18-F078-46fb-8C66-137ECE4E5F94}.exe"	{906AB8F6-4CC8-47bf-8A0D-FDD338D0DACE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B85B032-CDAC-4855-B52F-1BB9B71BEE98}	{72B33383-9756-4fc0-AD4E-8DE62FCB713A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EC9E976-4ED8-4560-A3A4-60BE2A5650DD}\stubpath = "C:\\Windows\\{1EC9E976-4ED8-4560-A3A4-60BE2A5650DD}.exe"	{3B85B032-CDAC-4855-B52F-1BB9B71BEE98}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82FAB796-0698-4708-92EE-B77A3B7AFE61}	{2C008995-5CAC-4d8f-A2BF-E778A7C36C4A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72B33383-9756-4fc0-AD4E-8DE62FCB713A}	{82FAB796-0698-4708-92EE-B77A3B7AFE61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72B33383-9756-4fc0-AD4E-8DE62FCB713A}\stubpath = "C:\\Windows\\{72B33383-9756-4fc0-AD4E-8DE62FCB713A}.exe"	{82FAB796-0698-4708-92EE-B77A3B7AFE61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26A0F5A6-31D5-4fcd-A9C6-CBBF8125AE2C}\stubpath = "C:\\Windows\\{26A0F5A6-31D5-4fcd-A9C6-CBBF8125AE2C}.exe"	7abae39050b21603339f64cd6d228590_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{854C5374-3AA8-4300-BFF9-7DB25A05673F}\stubpath = "C:\\Windows\\{854C5374-3AA8-4300-BFF9-7DB25A05673F}.exe"	{26A0F5A6-31D5-4fcd-A9C6-CBBF8125AE2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9706835-B702-42d8-A726-5704461EC494}	{309C3F18-F078-46fb-8C66-137ECE4E5F94}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EC9E976-4ED8-4560-A3A4-60BE2A5650DD}	{3B85B032-CDAC-4855-B52F-1BB9B71BEE98}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2DD8506-CEE3-4313-B048-333AD0BCEF6B}	{1EC9E976-4ED8-4560-A3A4-60BE2A5650DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{309C3F18-F078-46fb-8C66-137ECE4E5F94}	{906AB8F6-4CC8-47bf-8A0D-FDD338D0DACE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9706835-B702-42d8-A726-5704461EC494}\stubpath = "C:\\Windows\\{F9706835-B702-42d8-A726-5704461EC494}.exe"	{309C3F18-F078-46fb-8C66-137ECE4E5F94}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C008995-5CAC-4d8f-A2BF-E778A7C36C4A}\stubpath = "C:\\Windows\\{2C008995-5CAC-4d8f-A2BF-E778A7C36C4A}.exe"	{2B94999A-286C-4865-A18B-2E8686118FD6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{906AB8F6-4CC8-47bf-8A0D-FDD338D0DACE}\stubpath = "C:\\Windows\\{906AB8F6-4CC8-47bf-8A0D-FDD338D0DACE}.exe"	{854C5374-3AA8-4300-BFF9-7DB25A05673F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B94999A-286C-4865-A18B-2E8686118FD6}	{F9706835-B702-42d8-A726-5704461EC494}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B94999A-286C-4865-A18B-2E8686118FD6}\stubpath = "C:\\Windows\\{2B94999A-286C-4865-A18B-2E8686118FD6}.exe"	{F9706835-B702-42d8-A726-5704461EC494}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C008995-5CAC-4d8f-A2BF-E778A7C36C4A}	{2B94999A-286C-4865-A18B-2E8686118FD6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82FAB796-0698-4708-92EE-B77A3B7AFE61}\stubpath = "C:\\Windows\\{82FAB796-0698-4708-92EE-B77A3B7AFE61}.exe"	{2C008995-5CAC-4d8f-A2BF-E778A7C36C4A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26A0F5A6-31D5-4fcd-A9C6-CBBF8125AE2C}	7abae39050b21603339f64cd6d228590_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{854C5374-3AA8-4300-BFF9-7DB25A05673F}	{26A0F5A6-31D5-4fcd-A9C6-CBBF8125AE2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{906AB8F6-4CC8-47bf-8A0D-FDD338D0DACE}	{854C5374-3AA8-4300-BFF9-7DB25A05673F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B85B032-CDAC-4855-B52F-1BB9B71BEE98}\stubpath = "C:\\Windows\\{3B85B032-CDAC-4855-B52F-1BB9B71BEE98}.exe"	{72B33383-9756-4fc0-AD4E-8DE62FCB713A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2DD8506-CEE3-4313-B048-333AD0BCEF6B}\stubpath = "C:\\Windows\\{C2DD8506-CEE3-4313-B048-333AD0BCEF6B}.exe"	{1EC9E976-4ED8-4560-A3A4-60BE2A5650DD}.exe

Executes dropped EXE 12 IoCs

pid	Process
3112	{26A0F5A6-31D5-4fcd-A9C6-CBBF8125AE2C}.exe
3976	{854C5374-3AA8-4300-BFF9-7DB25A05673F}.exe
780	{906AB8F6-4CC8-47bf-8A0D-FDD338D0DACE}.exe
2656	{309C3F18-F078-46fb-8C66-137ECE4E5F94}.exe
1924	{F9706835-B702-42d8-A726-5704461EC494}.exe
1144	{2B94999A-286C-4865-A18B-2E8686118FD6}.exe
5116	{2C008995-5CAC-4d8f-A2BF-E778A7C36C4A}.exe
2920	{82FAB796-0698-4708-92EE-B77A3B7AFE61}.exe
2948	{72B33383-9756-4fc0-AD4E-8DE62FCB713A}.exe
2540	{3B85B032-CDAC-4855-B52F-1BB9B71BEE98}.exe
3652	{1EC9E976-4ED8-4560-A3A4-60BE2A5650DD}.exe
1200	{C2DD8506-CEE3-4313-B048-333AD0BCEF6B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{309C3F18-F078-46fb-8C66-137ECE4E5F94}.exe	{906AB8F6-4CC8-47bf-8A0D-FDD338D0DACE}.exe
File created	C:\Windows\{F9706835-B702-42d8-A726-5704461EC494}.exe	{309C3F18-F078-46fb-8C66-137ECE4E5F94}.exe
File created	C:\Windows\{2B94999A-286C-4865-A18B-2E8686118FD6}.exe	{F9706835-B702-42d8-A726-5704461EC494}.exe
File created	C:\Windows\{2C008995-5CAC-4d8f-A2BF-E778A7C36C4A}.exe	{2B94999A-286C-4865-A18B-2E8686118FD6}.exe
File created	C:\Windows\{82FAB796-0698-4708-92EE-B77A3B7AFE61}.exe	{2C008995-5CAC-4d8f-A2BF-E778A7C36C4A}.exe
File created	C:\Windows\{72B33383-9756-4fc0-AD4E-8DE62FCB713A}.exe	{82FAB796-0698-4708-92EE-B77A3B7AFE61}.exe
File created	C:\Windows\{854C5374-3AA8-4300-BFF9-7DB25A05673F}.exe	{26A0F5A6-31D5-4fcd-A9C6-CBBF8125AE2C}.exe
File created	C:\Windows\{906AB8F6-4CC8-47bf-8A0D-FDD338D0DACE}.exe	{854C5374-3AA8-4300-BFF9-7DB25A05673F}.exe
File created	C:\Windows\{C2DD8506-CEE3-4313-B048-333AD0BCEF6B}.exe	{1EC9E976-4ED8-4560-A3A4-60BE2A5650DD}.exe
File created	C:\Windows\{1EC9E976-4ED8-4560-A3A4-60BE2A5650DD}.exe	{3B85B032-CDAC-4855-B52F-1BB9B71BEE98}.exe
File created	C:\Windows\{26A0F5A6-31D5-4fcd-A9C6-CBBF8125AE2C}.exe	7abae39050b21603339f64cd6d228590_NeikiAnalytics.exe
File created	C:\Windows\{3B85B032-CDAC-4855-B52F-1BB9B71BEE98}.exe	{72B33383-9756-4fc0-AD4E-8DE62FCB713A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3440	7abae39050b21603339f64cd6d228590_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	3112	{26A0F5A6-31D5-4fcd-A9C6-CBBF8125AE2C}.exe
Token: SeIncBasePriorityPrivilege	3976	{854C5374-3AA8-4300-BFF9-7DB25A05673F}.exe
Token: SeIncBasePriorityPrivilege	780	{906AB8F6-4CC8-47bf-8A0D-FDD338D0DACE}.exe
Token: SeIncBasePriorityPrivilege	2656	{309C3F18-F078-46fb-8C66-137ECE4E5F94}.exe
Token: SeIncBasePriorityPrivilege	1924	{F9706835-B702-42d8-A726-5704461EC494}.exe
Token: SeIncBasePriorityPrivilege	1144	{2B94999A-286C-4865-A18B-2E8686118FD6}.exe
Token: SeIncBasePriorityPrivilege	5116	{2C008995-5CAC-4d8f-A2BF-E778A7C36C4A}.exe
Token: SeIncBasePriorityPrivilege	2920	{82FAB796-0698-4708-92EE-B77A3B7AFE61}.exe
Token: SeIncBasePriorityPrivilege	2948	{72B33383-9756-4fc0-AD4E-8DE62FCB713A}.exe
Token: SeIncBasePriorityPrivilege	2540	{3B85B032-CDAC-4855-B52F-1BB9B71BEE98}.exe
Token: SeIncBasePriorityPrivilege	3652	{1EC9E976-4ED8-4560-A3A4-60BE2A5650DD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3440 wrote to memory of 3112	3440	7abae39050b21603339f64cd6d228590_NeikiAnalytics.exe	97
PID 3440 wrote to memory of 3112	3440	7abae39050b21603339f64cd6d228590_NeikiAnalytics.exe	97
PID 3440 wrote to memory of 3112	3440	7abae39050b21603339f64cd6d228590_NeikiAnalytics.exe	97
PID 3440 wrote to memory of 1708	3440	7abae39050b21603339f64cd6d228590_NeikiAnalytics.exe	98
PID 3440 wrote to memory of 1708	3440	7abae39050b21603339f64cd6d228590_NeikiAnalytics.exe	98
PID 3440 wrote to memory of 1708	3440	7abae39050b21603339f64cd6d228590_NeikiAnalytics.exe	98
PID 3112 wrote to memory of 3976	3112	{26A0F5A6-31D5-4fcd-A9C6-CBBF8125AE2C}.exe	99
PID 3112 wrote to memory of 3976	3112	{26A0F5A6-31D5-4fcd-A9C6-CBBF8125AE2C}.exe	99
PID 3112 wrote to memory of 3976	3112	{26A0F5A6-31D5-4fcd-A9C6-CBBF8125AE2C}.exe	99
PID 3112 wrote to memory of 884	3112	{26A0F5A6-31D5-4fcd-A9C6-CBBF8125AE2C}.exe	100
PID 3112 wrote to memory of 884	3112	{26A0F5A6-31D5-4fcd-A9C6-CBBF8125AE2C}.exe	100
PID 3112 wrote to memory of 884	3112	{26A0F5A6-31D5-4fcd-A9C6-CBBF8125AE2C}.exe	100
PID 3976 wrote to memory of 780	3976	{854C5374-3AA8-4300-BFF9-7DB25A05673F}.exe	103
PID 3976 wrote to memory of 780	3976	{854C5374-3AA8-4300-BFF9-7DB25A05673F}.exe	103
PID 3976 wrote to memory of 780	3976	{854C5374-3AA8-4300-BFF9-7DB25A05673F}.exe	103
PID 3976 wrote to memory of 3144	3976	{854C5374-3AA8-4300-BFF9-7DB25A05673F}.exe	104
PID 3976 wrote to memory of 3144	3976	{854C5374-3AA8-4300-BFF9-7DB25A05673F}.exe	104
PID 3976 wrote to memory of 3144	3976	{854C5374-3AA8-4300-BFF9-7DB25A05673F}.exe	104
PID 780 wrote to memory of 2656	780	{906AB8F6-4CC8-47bf-8A0D-FDD338D0DACE}.exe	105
PID 780 wrote to memory of 2656	780	{906AB8F6-4CC8-47bf-8A0D-FDD338D0DACE}.exe	105
PID 780 wrote to memory of 2656	780	{906AB8F6-4CC8-47bf-8A0D-FDD338D0DACE}.exe	105
PID 780 wrote to memory of 4588	780	{906AB8F6-4CC8-47bf-8A0D-FDD338D0DACE}.exe	106
PID 780 wrote to memory of 4588	780	{906AB8F6-4CC8-47bf-8A0D-FDD338D0DACE}.exe	106
PID 780 wrote to memory of 4588	780	{906AB8F6-4CC8-47bf-8A0D-FDD338D0DACE}.exe	106
PID 2656 wrote to memory of 1924	2656	{309C3F18-F078-46fb-8C66-137ECE4E5F94}.exe	107
PID 2656 wrote to memory of 1924	2656	{309C3F18-F078-46fb-8C66-137ECE4E5F94}.exe	107
PID 2656 wrote to memory of 1924	2656	{309C3F18-F078-46fb-8C66-137ECE4E5F94}.exe	107
PID 2656 wrote to memory of 3780	2656	{309C3F18-F078-46fb-8C66-137ECE4E5F94}.exe	108
PID 2656 wrote to memory of 3780	2656	{309C3F18-F078-46fb-8C66-137ECE4E5F94}.exe	108
PID 2656 wrote to memory of 3780	2656	{309C3F18-F078-46fb-8C66-137ECE4E5F94}.exe	108
PID 1924 wrote to memory of 1144	1924	{F9706835-B702-42d8-A726-5704461EC494}.exe	110
PID 1924 wrote to memory of 1144	1924	{F9706835-B702-42d8-A726-5704461EC494}.exe	110
PID 1924 wrote to memory of 1144	1924	{F9706835-B702-42d8-A726-5704461EC494}.exe	110
PID 1924 wrote to memory of 2292	1924	{F9706835-B702-42d8-A726-5704461EC494}.exe	111
PID 1924 wrote to memory of 2292	1924	{F9706835-B702-42d8-A726-5704461EC494}.exe	111
PID 1924 wrote to memory of 2292	1924	{F9706835-B702-42d8-A726-5704461EC494}.exe	111
PID 1144 wrote to memory of 5116	1144	{2B94999A-286C-4865-A18B-2E8686118FD6}.exe	112
PID 1144 wrote to memory of 5116	1144	{2B94999A-286C-4865-A18B-2E8686118FD6}.exe	112
PID 1144 wrote to memory of 5116	1144	{2B94999A-286C-4865-A18B-2E8686118FD6}.exe	112
PID 1144 wrote to memory of 2300	1144	{2B94999A-286C-4865-A18B-2E8686118FD6}.exe	113
PID 1144 wrote to memory of 2300	1144	{2B94999A-286C-4865-A18B-2E8686118FD6}.exe	113
PID 1144 wrote to memory of 2300	1144	{2B94999A-286C-4865-A18B-2E8686118FD6}.exe	113
PID 5116 wrote to memory of 2920	5116	{2C008995-5CAC-4d8f-A2BF-E778A7C36C4A}.exe	117
PID 5116 wrote to memory of 2920	5116	{2C008995-5CAC-4d8f-A2BF-E778A7C36C4A}.exe	117
PID 5116 wrote to memory of 2920	5116	{2C008995-5CAC-4d8f-A2BF-E778A7C36C4A}.exe	117
PID 5116 wrote to memory of 1692	5116	{2C008995-5CAC-4d8f-A2BF-E778A7C36C4A}.exe	118
PID 5116 wrote to memory of 1692	5116	{2C008995-5CAC-4d8f-A2BF-E778A7C36C4A}.exe	118
PID 5116 wrote to memory of 1692	5116	{2C008995-5CAC-4d8f-A2BF-E778A7C36C4A}.exe	118
PID 2920 wrote to memory of 2948	2920	{82FAB796-0698-4708-92EE-B77A3B7AFE61}.exe	122
PID 2920 wrote to memory of 2948	2920	{82FAB796-0698-4708-92EE-B77A3B7AFE61}.exe	122
PID 2920 wrote to memory of 2948	2920	{82FAB796-0698-4708-92EE-B77A3B7AFE61}.exe	122
PID 2920 wrote to memory of 1856	2920	{82FAB796-0698-4708-92EE-B77A3B7AFE61}.exe	123
PID 2920 wrote to memory of 1856	2920	{82FAB796-0698-4708-92EE-B77A3B7AFE61}.exe	123
PID 2920 wrote to memory of 1856	2920	{82FAB796-0698-4708-92EE-B77A3B7AFE61}.exe	123
PID 2948 wrote to memory of 2540	2948	{72B33383-9756-4fc0-AD4E-8DE62FCB713A}.exe	124
PID 2948 wrote to memory of 2540	2948	{72B33383-9756-4fc0-AD4E-8DE62FCB713A}.exe	124
PID 2948 wrote to memory of 2540	2948	{72B33383-9756-4fc0-AD4E-8DE62FCB713A}.exe	124
PID 2948 wrote to memory of 3020	2948	{72B33383-9756-4fc0-AD4E-8DE62FCB713A}.exe	125
PID 2948 wrote to memory of 3020	2948	{72B33383-9756-4fc0-AD4E-8DE62FCB713A}.exe	125
PID 2948 wrote to memory of 3020	2948	{72B33383-9756-4fc0-AD4E-8DE62FCB713A}.exe	125
PID 2540 wrote to memory of 3652	2540	{3B85B032-CDAC-4855-B52F-1BB9B71BEE98}.exe	128
PID 2540 wrote to memory of 3652	2540	{3B85B032-CDAC-4855-B52F-1BB9B71BEE98}.exe	128
PID 2540 wrote to memory of 3652	2540	{3B85B032-CDAC-4855-B52F-1BB9B71BEE98}.exe	128
PID 2540 wrote to memory of 1048	2540	{3B85B032-CDAC-4855-B52F-1BB9B71BEE98}.exe	129

C:\Users\Admin\AppData\Local\Temp\7abae39050b21603339f64cd6d228590_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7abae39050b21603339f64cd6d228590_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Windows\{26A0F5A6-31D5-4fcd-A9C6-CBBF8125AE2C}.exe
  C:\Windows\{26A0F5A6-31D5-4fcd-A9C6-CBBF8125AE2C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3112
- - C:\Windows\{854C5374-3AA8-4300-BFF9-7DB25A05673F}.exe
    C:\Windows\{854C5374-3AA8-4300-BFF9-7DB25A05673F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3976
  - - C:\Windows\{906AB8F6-4CC8-47bf-8A0D-FDD338D0DACE}.exe
      C:\Windows\{906AB8F6-4CC8-47bf-8A0D-FDD338D0DACE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:780
    - - C:\Windows\{309C3F18-F078-46fb-8C66-137ECE4E5F94}.exe
        
        C:\Windows\{309C3F18-F078-46fb-8C66-137ECE4E5F94}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2656
      - C:\Windows\{F9706835-B702-42d8-A726-5704461EC494}.exe
        
        C:\Windows\{F9706835-B702-42d8-A726-5704461EC494}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\{2B94999A-286C-4865-A18B-2E8686118FD6}.exe
        
        C:\Windows\{2B94999A-286C-4865-A18B-2E8686118FD6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\{2C008995-5CAC-4d8f-A2BF-E778A7C36C4A}.exe
        
        C:\Windows\{2C008995-5CAC-4d8f-A2BF-E778A7C36C4A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\{82FAB796-0698-4708-92EE-B77A3B7AFE61}.exe
        
        C:\Windows\{82FAB796-0698-4708-92EE-B77A3B7AFE61}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\{72B33383-9756-4fc0-AD4E-8DE62FCB713A}.exe
        
        C:\Windows\{72B33383-9756-4fc0-AD4E-8DE62FCB713A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\{3B85B032-CDAC-4855-B52F-1BB9B71BEE98}.exe
        
        C:\Windows\{3B85B032-CDAC-4855-B52F-1BB9B71BEE98}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\{1EC9E976-4ED8-4560-A3A4-60BE2A5650DD}.exe
        
        C:\Windows\{1EC9E976-4ED8-4560-A3A4-60BE2A5650DD}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3652
        
        C:\Windows\{C2DD8506-CEE3-4313-B048-333AD0BCEF6B}.exe
        
        C:\Windows\{C2DD8506-CEE3-4313-B048-333AD0BCEF6B}.exe
        13⤵
        Executes dropped EXE
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1EC9E~1.EXE > nul
        13⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B85B~1.EXE > nul
        12⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72B33~1.EXE > nul
        11⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82FAB~1.EXE > nul
        10⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C008~1.EXE > nul
        9⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B949~1.EXE > nul
        8⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9706~1.EXE > nul
        7⤵
        
        PID:2292
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{309C3~1.EXE > nul
        6⤵
        
        PID:3780
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{906AB~1.EXE > nul
        5⤵
        
        PID:4588
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{854C5~1.EXE > nul
      4⤵
      PID:3144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{26A0F~1.EXE > nul
    3⤵
    PID:884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7ABAE3~1.EXE > nul
  2⤵
  PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1EC9E976-4ED8-4560-A3A4-60BE2A5650DD}.exe

Filesize
64KB

MD5
24cb34fefa5c6c95e2b19cdf146df4aa

SHA1
245c9099141ff479ed2cbda06a69d65bdc0baf17

SHA256
a201f9e63d38786da1de3f4d03908d5864b837e417ff310fca0252ef7cc01c63

SHA512
4a7e61fde29e9ff49fa03ce1c28582ff35236f65fe68cc8aae67b094ed23642162be33633079d514124474dc368de494bad631f132327b67e147142bdd1553bc

Download Submit
C:\Windows\{26A0F5A6-31D5-4fcd-A9C6-CBBF8125AE2C}.exe

Filesize
64KB

MD5
5e9137a39b22f2f6fe833b2ad57d12c6

SHA1
44ec8fe20c720f10ff6b749a31fe8e1508548f2d

SHA256
d04c817e7ea9de628c46c3fb3432883909bfe5ec9d4b950ef7af0bc53afc97a2

SHA512
d2ff57b013181121a9e75eb6d43726749691cfc7522ae7cf79c2f75dfc4616e35757305b6923ca931f3a9c88d9fb4a36cb5d40cdec607d3629ee8e204ea44608

Download Submit
C:\Windows\{2B94999A-286C-4865-A18B-2E8686118FD6}.exe

Filesize
64KB

MD5
e3873f0e05c848390a79db3a5fea404d

SHA1
44ec8af4e16be40139dc9d665119c4032e92c020

SHA256
b75d024e6269f650010364d63a5a217d1c0d85d512c7c3f0e538ce4e200edb13

SHA512
7b2a93cd59ed07e2d61c6bd78ce1689eb7c5357665262d73d9a9e6a434b3d35d9f81cfb404055e561d7fb29e1be4b6793d04a4c3e9fda907be3a62355fb40ef5

Download Submit
C:\Windows\{2C008995-5CAC-4d8f-A2BF-E778A7C36C4A}.exe

Filesize
64KB

MD5
26deba8eab015fb9f295772750e26288

SHA1
1a3f36cc3493e1cb110ed519c1ca26608ef60135

SHA256
78d52b3b18f8aacdf5bc1485d55cab3de710fe0ddc299b81300a0dfd576d1c78

SHA512
2920ac30d85a4d4ffef8f5a6986564a70d294e15f3d633ea53ab20fa14e99facb09b3d40112aef48f6bc02867cb4b545d85cbd237af27d9640b98b6ae18794a6

Download Submit
C:\Windows\{309C3F18-F078-46fb-8C66-137ECE4E5F94}.exe

Filesize
64KB

MD5
98f5b8d6c58987f5a6ce2294b26b74da

SHA1
14a148745d5aa5cae2f0021e7fd6fc4abee98704

SHA256
ac0d356cff12f4ac244cee20f9cbb303f6c35752fea09f39e4be4562ab174482

SHA512
63543e50e67ab7b375e9bb9a6fa04331198d1343ee6fc1515cfd11cc6104a36e7df13c4aaac61d278fdef2ec02d4eeebc412465a1dc5535ae9d229045bf50638

Download Submit
C:\Windows\{3B85B032-CDAC-4855-B52F-1BB9B71BEE98}.exe

Filesize
64KB

MD5
01ecbf5b5ccb0d58fc0f9766a8ebffd2

SHA1
123c343ba1b377570c74966d89ec0176613692f0

SHA256
f8b34e83ba2b3767bc39b7216b790d3c652c04cf78d98e241c25ff766dfd3717

SHA512
28d656db885e5b38ab43436329d0bbff7e01306ebb27a690f023940d372f186b8281484c992aba490690c7f57f3fe166981e3552da5dc729eb0e5ea6ff0e8397

Download Submit
C:\Windows\{72B33383-9756-4fc0-AD4E-8DE62FCB713A}.exe

Filesize
64KB

MD5
6c8a43bb6b4658432981c2f83f8ec91d

SHA1
85a7c13fb3c2e02ecf90b6a0bba1ce6e4997b4fe

SHA256
01b33a9a1e94289d2cc215b2486b2b2bfaca3d620c96ab92de20c37ed51d4d3d

SHA512
4531b1960a9bdbd418a5ef05a1eb9763cb210f20fb0c5021d44ba69f662dcb8fbadd632d129235b4f488ee32332d92b838ae1f0266279eee0cac8dc3f2c210e6

Download Submit
C:\Windows\{82FAB796-0698-4708-92EE-B77A3B7AFE61}.exe

Filesize
64KB

MD5
cd5354f1d60fc27ca58407fa91832b9e

SHA1
fd265abba6a07aa6bf891649139a41b4b1629e57

SHA256
1c7a6bb5c1de3bfc7e1fc1c02657be7cf54854124ebbdfa92a262dbf2487529b

SHA512
a8bf6c75187267277ee356fbf29dde14f14d6a2c84963e6cc86da45ca7ba1b5d85bc0e96855888a16262d3728e5ac34120199e6423d993a07f8fd929a62cc5bd

Download Submit
C:\Windows\{854C5374-3AA8-4300-BFF9-7DB25A05673F}.exe

Filesize
64KB

MD5
81a059fce40eac8825ada43f2ddf020c

SHA1
98b9e882eff4acb8cfed1d76eefc50b02502fc04

SHA256
0d141c1553c0f7c1a345c0aeb7b4f76ca50b55d0be96347073422446298b9932

SHA512
135686991dcfdf0a4ebdac08ed171ed3bf5b9fd354250ff242b68e17719c2edef8de290da50a996cb4abb08fbb64037b62220f017e288ea6c78e897e7cab9592

Download Submit
C:\Windows\{906AB8F6-4CC8-47bf-8A0D-FDD338D0DACE}.exe

Filesize
64KB

MD5
53d6653eebb0857f366be2a9e7372a7d

SHA1
e62a329b1928b34c07ba97262022c81af3f255f6

SHA256
c02153eb3f3dde60521edf901502703aee523949eb6ee3711be805341b31c925

SHA512
1e6a73aaaaf2d76284964fbc865782d3a416177bebe0d30153890c9fbe3d150a25350a7017d253956cabfbf110a6d43a1176b0c56fea1f006991a2d17d2baa37

Download Submit
C:\Windows\{C2DD8506-CEE3-4313-B048-333AD0BCEF6B}.exe

Filesize
64KB

MD5
11b22a0355315e082523a787bf933594

SHA1
f98fc28ae92d0bdfac9779f3ca9c7a1264d5183b

SHA256
aae050d7b16e8be82fd5bd7c5f0aed6f72fff11155df2706d12ccb4cac926fc7

SHA512
0e3d30fed3b6369644a567106cb7c7ce584b5126c37fa5191f09140e09268d4974abab559105e14cb25a314e46c978eb8d8c37dc0b474cbf4d034e5c894dc853

Download Submit
C:\Windows\{F9706835-B702-42d8-A726-5704461EC494}.exe

Filesize
64KB

MD5
10dec0f4148b6ae7ccd5f43f7be4af05

SHA1
41e426b38b3f022f74c24a1328fe6966947c1e28

SHA256
3718dd866e5a2a0ac3223d7d11947174d48f65b9de0403b93d9757f07bdba6ce

SHA512
54120b6f577fee795e64ea36b65ba563d4b5cf764a2c9ff3dbcff898e48543068cd85beef49364289a00fbdc3a83028e37c211d09f3de01236a1c29aefef2f25

Download Submit
memory/780-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/780-22-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1144-39-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1200-71-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1924-30-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1924-35-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2540-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2540-58-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2656-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2656-24-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2920-51-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2920-47-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2948-52-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2948-57-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3112-5-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3112-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3440-4-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3440-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3652-65-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3652-69-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3976-12-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3976-15-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/5116-40-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/5116-45-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads