a4489eab1bc9c0b1fe97569156da34613352a63a405b41d418712dc1ea47af3b

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 07:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6261aafb1f7ffab4d9439e8d4f727d0_NeikiAnalytics.exe
Size

90KB
MD5

f6261aafb1f7ffab4d9439e8d4f727d0
SHA1

c9ade454aa474033d94308e5c1637aa4d2acadc1
SHA256

a4489eab1bc9c0b1fe97569156da34613352a63a405b41d418712dc1ea47af3b
SHA512

4ebc7abaa38d6e2bfa70556971c06b8379b3b54679c797853f3f71d8ac2c70cf3f463b643142ad06bff2cdf3a1b852bba33206d9d7c99c4a2923a6c494ca5d20
SSDEEP

768:50w981IshKQLroxV4/wQozzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzm:CEGI0oxVlVunMxVS3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83121612-2D16-4dfa-B895-F11F857E655C}	{FA580668-48AD-4716-BC4A-0CEAC05D0A55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89DE96AB-EB81-4b37-A438-2FEF265C5FD0}	{83121612-2D16-4dfa-B895-F11F857E655C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20AFFDC0-8BF9-4651-B06B-A7C5B322D4FE}\stubpath = "C:\\Windows\\{20AFFDC0-8BF9-4651-B06B-A7C5B322D4FE}.exe"	{37F83036-A192-4206-BB6F-8A32D1E639F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D291500-80C4-49f4-815C-29DA3DDB3EA1}\stubpath = "C:\\Windows\\{7D291500-80C4-49f4-815C-29DA3DDB3EA1}.exe"	{3530A4E2-7458-4a5b-952A-F74197E6F576}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59E15ACA-664D-43ba-A92E-6111491A1CE0}	{7D291500-80C4-49f4-815C-29DA3DDB3EA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37F83036-A192-4206-BB6F-8A32D1E639F1}	{620EC34E-8647-4a51-BDF3-A8C6C5DEC0E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3530A4E2-7458-4a5b-952A-F74197E6F576}\stubpath = "C:\\Windows\\{3530A4E2-7458-4a5b-952A-F74197E6F576}.exe"	{20AFFDC0-8BF9-4651-B06B-A7C5B322D4FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D291500-80C4-49f4-815C-29DA3DDB3EA1}	{3530A4E2-7458-4a5b-952A-F74197E6F576}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F8B09C1-74F5-40d2-AED9-6FE7D9F752DE}	f6261aafb1f7ffab4d9439e8d4f727d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F8B09C1-74F5-40d2-AED9-6FE7D9F752DE}\stubpath = "C:\\Windows\\{2F8B09C1-74F5-40d2-AED9-6FE7D9F752DE}.exe"	f6261aafb1f7ffab4d9439e8d4f727d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89DE96AB-EB81-4b37-A438-2FEF265C5FD0}\stubpath = "C:\\Windows\\{89DE96AB-EB81-4b37-A438-2FEF265C5FD0}.exe"	{83121612-2D16-4dfa-B895-F11F857E655C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{620EC34E-8647-4a51-BDF3-A8C6C5DEC0E5}	{89DE96AB-EB81-4b37-A438-2FEF265C5FD0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{620EC34E-8647-4a51-BDF3-A8C6C5DEC0E5}\stubpath = "C:\\Windows\\{620EC34E-8647-4a51-BDF3-A8C6C5DEC0E5}.exe"	{89DE96AB-EB81-4b37-A438-2FEF265C5FD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3530A4E2-7458-4a5b-952A-F74197E6F576}	{20AFFDC0-8BF9-4651-B06B-A7C5B322D4FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59E15ACA-664D-43ba-A92E-6111491A1CE0}\stubpath = "C:\\Windows\\{59E15ACA-664D-43ba-A92E-6111491A1CE0}.exe"	{7D291500-80C4-49f4-815C-29DA3DDB3EA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AC79DA1-0987-476a-ADBE-305119CC6217}	{2F8B09C1-74F5-40d2-AED9-6FE7D9F752DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AC79DA1-0987-476a-ADBE-305119CC6217}\stubpath = "C:\\Windows\\{9AC79DA1-0987-476a-ADBE-305119CC6217}.exe"	{2F8B09C1-74F5-40d2-AED9-6FE7D9F752DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA580668-48AD-4716-BC4A-0CEAC05D0A55}	{9AC79DA1-0987-476a-ADBE-305119CC6217}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA580668-48AD-4716-BC4A-0CEAC05D0A55}\stubpath = "C:\\Windows\\{FA580668-48AD-4716-BC4A-0CEAC05D0A55}.exe"	{9AC79DA1-0987-476a-ADBE-305119CC6217}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20AFFDC0-8BF9-4651-B06B-A7C5B322D4FE}	{37F83036-A192-4206-BB6F-8A32D1E639F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83121612-2D16-4dfa-B895-F11F857E655C}\stubpath = "C:\\Windows\\{83121612-2D16-4dfa-B895-F11F857E655C}.exe"	{FA580668-48AD-4716-BC4A-0CEAC05D0A55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37F83036-A192-4206-BB6F-8A32D1E639F1}\stubpath = "C:\\Windows\\{37F83036-A192-4206-BB6F-8A32D1E639F1}.exe"	{620EC34E-8647-4a51-BDF3-A8C6C5DEC0E5}.exe

Deletes itself 1 IoCs

pid	Process
2244	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2228	{2F8B09C1-74F5-40d2-AED9-6FE7D9F752DE}.exe
2256	{9AC79DA1-0987-476a-ADBE-305119CC6217}.exe
2844	{FA580668-48AD-4716-BC4A-0CEAC05D0A55}.exe
1900	{83121612-2D16-4dfa-B895-F11F857E655C}.exe
2876	{89DE96AB-EB81-4b37-A438-2FEF265C5FD0}.exe
788	{620EC34E-8647-4a51-BDF3-A8C6C5DEC0E5}.exe
2588	{37F83036-A192-4206-BB6F-8A32D1E639F1}.exe
1340	{20AFFDC0-8BF9-4651-B06B-A7C5B322D4FE}.exe
1996	{3530A4E2-7458-4a5b-952A-F74197E6F576}.exe
484	{7D291500-80C4-49f4-815C-29DA3DDB3EA1}.exe
1788	{59E15ACA-664D-43ba-A92E-6111491A1CE0}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{FA580668-48AD-4716-BC4A-0CEAC05D0A55}.exe	{9AC79DA1-0987-476a-ADBE-305119CC6217}.exe
File created	C:\Windows\{37F83036-A192-4206-BB6F-8A32D1E639F1}.exe	{620EC34E-8647-4a51-BDF3-A8C6C5DEC0E5}.exe
File created	C:\Windows\{20AFFDC0-8BF9-4651-B06B-A7C5B322D4FE}.exe	{37F83036-A192-4206-BB6F-8A32D1E639F1}.exe
File created	C:\Windows\{7D291500-80C4-49f4-815C-29DA3DDB3EA1}.exe	{3530A4E2-7458-4a5b-952A-F74197E6F576}.exe
File created	C:\Windows\{59E15ACA-664D-43ba-A92E-6111491A1CE0}.exe	{7D291500-80C4-49f4-815C-29DA3DDB3EA1}.exe
File created	C:\Windows\{2F8B09C1-74F5-40d2-AED9-6FE7D9F752DE}.exe	f6261aafb1f7ffab4d9439e8d4f727d0_NeikiAnalytics.exe
File created	C:\Windows\{9AC79DA1-0987-476a-ADBE-305119CC6217}.exe	{2F8B09C1-74F5-40d2-AED9-6FE7D9F752DE}.exe
File created	C:\Windows\{83121612-2D16-4dfa-B895-F11F857E655C}.exe	{FA580668-48AD-4716-BC4A-0CEAC05D0A55}.exe
File created	C:\Windows\{89DE96AB-EB81-4b37-A438-2FEF265C5FD0}.exe	{83121612-2D16-4dfa-B895-F11F857E655C}.exe
File created	C:\Windows\{620EC34E-8647-4a51-BDF3-A8C6C5DEC0E5}.exe	{89DE96AB-EB81-4b37-A438-2FEF265C5FD0}.exe
File created	C:\Windows\{3530A4E2-7458-4a5b-952A-F74197E6F576}.exe	{20AFFDC0-8BF9-4651-B06B-A7C5B322D4FE}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2424	f6261aafb1f7ffab4d9439e8d4f727d0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2228	{2F8B09C1-74F5-40d2-AED9-6FE7D9F752DE}.exe
Token: SeIncBasePriorityPrivilege	2256	{9AC79DA1-0987-476a-ADBE-305119CC6217}.exe
Token: SeIncBasePriorityPrivilege	2844	{FA580668-48AD-4716-BC4A-0CEAC05D0A55}.exe
Token: SeIncBasePriorityPrivilege	1900	{83121612-2D16-4dfa-B895-F11F857E655C}.exe
Token: SeIncBasePriorityPrivilege	2876	{89DE96AB-EB81-4b37-A438-2FEF265C5FD0}.exe
Token: SeIncBasePriorityPrivilege	788	{620EC34E-8647-4a51-BDF3-A8C6C5DEC0E5}.exe
Token: SeIncBasePriorityPrivilege	2588	{37F83036-A192-4206-BB6F-8A32D1E639F1}.exe
Token: SeIncBasePriorityPrivilege	1340	{20AFFDC0-8BF9-4651-B06B-A7C5B322D4FE}.exe
Token: SeIncBasePriorityPrivilege	1996	{3530A4E2-7458-4a5b-952A-F74197E6F576}.exe
Token: SeIncBasePriorityPrivilege	484	{7D291500-80C4-49f4-815C-29DA3DDB3EA1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2228	2424	f6261aafb1f7ffab4d9439e8d4f727d0_NeikiAnalytics.exe	28
PID 2424 wrote to memory of 2228	2424	f6261aafb1f7ffab4d9439e8d4f727d0_NeikiAnalytics.exe	28
PID 2424 wrote to memory of 2228	2424	f6261aafb1f7ffab4d9439e8d4f727d0_NeikiAnalytics.exe	28
PID 2424 wrote to memory of 2228	2424	f6261aafb1f7ffab4d9439e8d4f727d0_NeikiAnalytics.exe	28
PID 2424 wrote to memory of 2244	2424	f6261aafb1f7ffab4d9439e8d4f727d0_NeikiAnalytics.exe	29
PID 2424 wrote to memory of 2244	2424	f6261aafb1f7ffab4d9439e8d4f727d0_NeikiAnalytics.exe	29
PID 2424 wrote to memory of 2244	2424	f6261aafb1f7ffab4d9439e8d4f727d0_NeikiAnalytics.exe	29
PID 2424 wrote to memory of 2244	2424	f6261aafb1f7ffab4d9439e8d4f727d0_NeikiAnalytics.exe	29
PID 2228 wrote to memory of 2256	2228	{2F8B09C1-74F5-40d2-AED9-6FE7D9F752DE}.exe	30
PID 2228 wrote to memory of 2256	2228	{2F8B09C1-74F5-40d2-AED9-6FE7D9F752DE}.exe	30
PID 2228 wrote to memory of 2256	2228	{2F8B09C1-74F5-40d2-AED9-6FE7D9F752DE}.exe	30
PID 2228 wrote to memory of 2256	2228	{2F8B09C1-74F5-40d2-AED9-6FE7D9F752DE}.exe	30
PID 2228 wrote to memory of 2772	2228	{2F8B09C1-74F5-40d2-AED9-6FE7D9F752DE}.exe	31
PID 2228 wrote to memory of 2772	2228	{2F8B09C1-74F5-40d2-AED9-6FE7D9F752DE}.exe	31
PID 2228 wrote to memory of 2772	2228	{2F8B09C1-74F5-40d2-AED9-6FE7D9F752DE}.exe	31
PID 2228 wrote to memory of 2772	2228	{2F8B09C1-74F5-40d2-AED9-6FE7D9F752DE}.exe	31
PID 2256 wrote to memory of 2844	2256	{9AC79DA1-0987-476a-ADBE-305119CC6217}.exe	32
PID 2256 wrote to memory of 2844	2256	{9AC79DA1-0987-476a-ADBE-305119CC6217}.exe	32
PID 2256 wrote to memory of 2844	2256	{9AC79DA1-0987-476a-ADBE-305119CC6217}.exe	32
PID 2256 wrote to memory of 2844	2256	{9AC79DA1-0987-476a-ADBE-305119CC6217}.exe	32
PID 2256 wrote to memory of 2656	2256	{9AC79DA1-0987-476a-ADBE-305119CC6217}.exe	33
PID 2256 wrote to memory of 2656	2256	{9AC79DA1-0987-476a-ADBE-305119CC6217}.exe	33
PID 2256 wrote to memory of 2656	2256	{9AC79DA1-0987-476a-ADBE-305119CC6217}.exe	33
PID 2256 wrote to memory of 2656	2256	{9AC79DA1-0987-476a-ADBE-305119CC6217}.exe	33
PID 2844 wrote to memory of 1900	2844	{FA580668-48AD-4716-BC4A-0CEAC05D0A55}.exe	36
PID 2844 wrote to memory of 1900	2844	{FA580668-48AD-4716-BC4A-0CEAC05D0A55}.exe	36
PID 2844 wrote to memory of 1900	2844	{FA580668-48AD-4716-BC4A-0CEAC05D0A55}.exe	36
PID 2844 wrote to memory of 1900	2844	{FA580668-48AD-4716-BC4A-0CEAC05D0A55}.exe	36
PID 2844 wrote to memory of 2756	2844	{FA580668-48AD-4716-BC4A-0CEAC05D0A55}.exe	37
PID 2844 wrote to memory of 2756	2844	{FA580668-48AD-4716-BC4A-0CEAC05D0A55}.exe	37
PID 2844 wrote to memory of 2756	2844	{FA580668-48AD-4716-BC4A-0CEAC05D0A55}.exe	37
PID 2844 wrote to memory of 2756	2844	{FA580668-48AD-4716-BC4A-0CEAC05D0A55}.exe	37
PID 1900 wrote to memory of 2876	1900	{83121612-2D16-4dfa-B895-F11F857E655C}.exe	38
PID 1900 wrote to memory of 2876	1900	{83121612-2D16-4dfa-B895-F11F857E655C}.exe	38
PID 1900 wrote to memory of 2876	1900	{83121612-2D16-4dfa-B895-F11F857E655C}.exe	38
PID 1900 wrote to memory of 2876	1900	{83121612-2D16-4dfa-B895-F11F857E655C}.exe	38
PID 1900 wrote to memory of 1560	1900	{83121612-2D16-4dfa-B895-F11F857E655C}.exe	39
PID 1900 wrote to memory of 1560	1900	{83121612-2D16-4dfa-B895-F11F857E655C}.exe	39
PID 1900 wrote to memory of 1560	1900	{83121612-2D16-4dfa-B895-F11F857E655C}.exe	39
PID 1900 wrote to memory of 1560	1900	{83121612-2D16-4dfa-B895-F11F857E655C}.exe	39
PID 2876 wrote to memory of 788	2876	{89DE96AB-EB81-4b37-A438-2FEF265C5FD0}.exe	40
PID 2876 wrote to memory of 788	2876	{89DE96AB-EB81-4b37-A438-2FEF265C5FD0}.exe	40
PID 2876 wrote to memory of 788	2876	{89DE96AB-EB81-4b37-A438-2FEF265C5FD0}.exe	40
PID 2876 wrote to memory of 788	2876	{89DE96AB-EB81-4b37-A438-2FEF265C5FD0}.exe	40
PID 2876 wrote to memory of 1940	2876	{89DE96AB-EB81-4b37-A438-2FEF265C5FD0}.exe	41
PID 2876 wrote to memory of 1940	2876	{89DE96AB-EB81-4b37-A438-2FEF265C5FD0}.exe	41
PID 2876 wrote to memory of 1940	2876	{89DE96AB-EB81-4b37-A438-2FEF265C5FD0}.exe	41
PID 2876 wrote to memory of 1940	2876	{89DE96AB-EB81-4b37-A438-2FEF265C5FD0}.exe	41
PID 788 wrote to memory of 2588	788	{620EC34E-8647-4a51-BDF3-A8C6C5DEC0E5}.exe	42
PID 788 wrote to memory of 2588	788	{620EC34E-8647-4a51-BDF3-A8C6C5DEC0E5}.exe	42
PID 788 wrote to memory of 2588	788	{620EC34E-8647-4a51-BDF3-A8C6C5DEC0E5}.exe	42
PID 788 wrote to memory of 2588	788	{620EC34E-8647-4a51-BDF3-A8C6C5DEC0E5}.exe	42
PID 788 wrote to memory of 1536	788	{620EC34E-8647-4a51-BDF3-A8C6C5DEC0E5}.exe	43
PID 788 wrote to memory of 1536	788	{620EC34E-8647-4a51-BDF3-A8C6C5DEC0E5}.exe	43
PID 788 wrote to memory of 1536	788	{620EC34E-8647-4a51-BDF3-A8C6C5DEC0E5}.exe	43
PID 788 wrote to memory of 1536	788	{620EC34E-8647-4a51-BDF3-A8C6C5DEC0E5}.exe	43
PID 2588 wrote to memory of 1340	2588	{37F83036-A192-4206-BB6F-8A32D1E639F1}.exe	44
PID 2588 wrote to memory of 1340	2588	{37F83036-A192-4206-BB6F-8A32D1E639F1}.exe	44
PID 2588 wrote to memory of 1340	2588	{37F83036-A192-4206-BB6F-8A32D1E639F1}.exe	44
PID 2588 wrote to memory of 1340	2588	{37F83036-A192-4206-BB6F-8A32D1E639F1}.exe	44
PID 2588 wrote to memory of 2056	2588	{37F83036-A192-4206-BB6F-8A32D1E639F1}.exe	45
PID 2588 wrote to memory of 2056	2588	{37F83036-A192-4206-BB6F-8A32D1E639F1}.exe	45
PID 2588 wrote to memory of 2056	2588	{37F83036-A192-4206-BB6F-8A32D1E639F1}.exe	45
PID 2588 wrote to memory of 2056	2588	{37F83036-A192-4206-BB6F-8A32D1E639F1}.exe	45

C:\Users\Admin\AppData\Local\Temp\f6261aafb1f7ffab4d9439e8d4f727d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\f6261aafb1f7ffab4d9439e8d4f727d0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\{2F8B09C1-74F5-40d2-AED9-6FE7D9F752DE}.exe
  C:\Windows\{2F8B09C1-74F5-40d2-AED9-6FE7D9F752DE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\{9AC79DA1-0987-476a-ADBE-305119CC6217}.exe
    C:\Windows\{9AC79DA1-0987-476a-ADBE-305119CC6217}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2256
  - - C:\Windows\{FA580668-48AD-4716-BC4A-0CEAC05D0A55}.exe
      C:\Windows\{FA580668-48AD-4716-BC4A-0CEAC05D0A55}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Windows\{83121612-2D16-4dfa-B895-F11F857E655C}.exe
        
        C:\Windows\{83121612-2D16-4dfa-B895-F11F857E655C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1900
      - C:\Windows\{89DE96AB-EB81-4b37-A438-2FEF265C5FD0}.exe
        
        C:\Windows\{89DE96AB-EB81-4b37-A438-2FEF265C5FD0}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\{620EC34E-8647-4a51-BDF3-A8C6C5DEC0E5}.exe
        
        C:\Windows\{620EC34E-8647-4a51-BDF3-A8C6C5DEC0E5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Windows\{37F83036-A192-4206-BB6F-8A32D1E639F1}.exe
        
        C:\Windows\{37F83036-A192-4206-BB6F-8A32D1E639F1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\{20AFFDC0-8BF9-4651-B06B-A7C5B322D4FE}.exe
        
        C:\Windows\{20AFFDC0-8BF9-4651-B06B-A7C5B322D4FE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
        
        C:\Windows\{3530A4E2-7458-4a5b-952A-F74197E6F576}.exe
        
        C:\Windows\{3530A4E2-7458-4a5b-952A-F74197E6F576}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
        
        C:\Windows\{7D291500-80C4-49f4-815C-29DA3DDB3EA1}.exe
        
        C:\Windows\{7D291500-80C4-49f4-815C-29DA3DDB3EA1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:484
        
        C:\Windows\{59E15ACA-664D-43ba-A92E-6111491A1CE0}.exe
        
        C:\Windows\{59E15ACA-664D-43ba-A92E-6111491A1CE0}.exe
        12⤵
        Executes dropped EXE
        
        PID:1788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D291~1.EXE > nul
        12⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3530A~1.EXE > nul
        11⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20AFF~1.EXE > nul
        10⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37F83~1.EXE > nul
        9⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{620EC~1.EXE > nul
        8⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89DE9~1.EXE > nul
        7⤵
        
        PID:1940
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83121~1.EXE > nul
        6⤵
        
        PID:1560
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA580~1.EXE > nul
        5⤵
        
        PID:2756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9AC79~1.EXE > nul
      4⤵
      PID:2656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2F8B0~1.EXE > nul
    3⤵
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\F6261A~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{20AFFDC0-8BF9-4651-B06B-A7C5B322D4FE}.exe

Filesize
90KB

MD5
b37dc5d40ae3d7846019b699bd447e68

SHA1
a3d24a3c1d01aeac3ce7d00b8d261c708fb1418e

SHA256
5a60bc8ef9ff2434dc3531f3b9c3c3819aaf485c393cc64205eb32df33f8c19a

SHA512
250a7780ae3af6576d1612ba8810bbe24a014d7a1286740ef9996c866c47268dd69313a5cb92add53bcc24a2e0e6b96188100346a15bf2aae916ad78ccd11f6d

Download Submit
C:\Windows\{2F8B09C1-74F5-40d2-AED9-6FE7D9F752DE}.exe

Filesize
90KB

MD5
f0a74fb4aac7ad1bb6ed1584f79a844b

SHA1
94162190e25e13ca669d1c275d783abe36748ba4

SHA256
68584ad0e19cc93dfa10af4ad5ca81848823c381e21179aa885f2b74bb3cfec6

SHA512
5613730cdd6054062279e93cc1924d97b8a89a9bffacef34d7471404392a4312370e23c8c6f38d68acc161dd091050b1881e886f1effbbded6d04f9446a2c19f

Download Submit
C:\Windows\{3530A4E2-7458-4a5b-952A-F74197E6F576}.exe

Filesize
90KB

MD5
ed8973bc97f95d1175bef6df14b77ab1

SHA1
e2c556cd14185495e5eff5af122c22d315961b21

SHA256
ce1277542bf0e888826427533d7b43563bc6c906bbf8cda95380a35f096e45df

SHA512
fbd06c9e20b7c2a0a1e8c2a91f185b033e759796673dd76af3c1a416dede18632c17c898ddc24c273c1428df090672cf8714d2ddf7887305d31143f13ddfd15e

Download Submit
C:\Windows\{37F83036-A192-4206-BB6F-8A32D1E639F1}.exe

Filesize
90KB

MD5
6c48d2f36ddf228f3a1910dfba400806

SHA1
0a6bc94a503a446fc43bd4c9012bbebda043644c

SHA256
8eba140c1979ba6c8f99d8587db9bb3b36f95bd518e70602ba5c6020e3f1e0b0

SHA512
8a08b49291958fe90c5e9d6153d6edb9650dc50e2b88df6731de9d45e5a13ee776ba16c7fcfe80abab8f7936704c7cb87e2863ecb45b4b031cf32a178ca45ef0

Download Submit
C:\Windows\{59E15ACA-664D-43ba-A92E-6111491A1CE0}.exe

Filesize
90KB

MD5
d6d82644c6c3437c507f0a8e858d7aee

SHA1
763b8ff0a5e9e6d7de99e950a96a02b7ef275deb

SHA256
a8af27a8ff431dcc2736169db9573a1bb3b888453d0201c32f08703118e8d595

SHA512
49678d8da0f9226d283ee96d2518cff273fa007f5e66996f6a0a5ed5eb5fdae7d9780637aac427f71e3d5f0fa5705e17b74a99511a8bb8c52a812599be3c9a49

Download Submit
C:\Windows\{620EC34E-8647-4a51-BDF3-A8C6C5DEC0E5}.exe

Filesize
90KB

MD5
f10367ba131cbf127d2f62a0d56f18d4

SHA1
a0685d278ddc6427aecb9328800a024eb18dc18a

SHA256
2c3ecb0067f5ae577da8b1175b2cada0957d339a0f30917d7b9287e9a0eff31f

SHA512
c94812307b49d22e804adecd7473310c2755ab056267336d01827fd493775fe487a31ce9fcb7519e82f903fddfa217909c9d0db4021c445e1fdb6cb7652d2ab2

Download Submit
C:\Windows\{7D291500-80C4-49f4-815C-29DA3DDB3EA1}.exe

Filesize
90KB

MD5
0a8eca844330d3c27eff461c05cf0fbf

SHA1
42644fad9ed9f1ac886345b851a7fa1f66c1dfac

SHA256
1fcfc8bf547ac44c8eb180de570817f00444e1daad4658b03cd53a115f2963a3

SHA512
a9ea653306cf01e391a30080ba6fac5f8d25098251819b2d0279202d1be9590fbcffb6a2ce22117ad314f9aadf67e29f823cccd83e986825cf3fcdaadd38fa13

Download Submit
C:\Windows\{83121612-2D16-4dfa-B895-F11F857E655C}.exe

Filesize
90KB

MD5
fdca51337e3bb55f6cb76c75e1b5650e

SHA1
afa82aacb9fbaa4c5690b0b2d824a8dc980d25cb

SHA256
dd28271de895da1529cdba75af8376d527de70852aad82da5e954da948ef7053

SHA512
c2290a9a57907d12d73bc222d503285eca4773bedb53e4b51e7f4b53eacb2a27608fe14aae07b41bd612c1f0d90fb2294c600a78b9f9e1542f969b43d7a04770

Download Submit
C:\Windows\{89DE96AB-EB81-4b37-A438-2FEF265C5FD0}.exe

Filesize
90KB

MD5
2a44755fd0a195be4dde9adc2ff6db64

SHA1
9619fb375856a80c30e5d366b061fbde5ec71cdb

SHA256
ed15f915a84afe198984f17d7da2dbe5586881ceafe56a5b57907afa110f4467

SHA512
d1b3d8d7767b2142808f109867e20f0d4d30fd9726960e1d7c57283e29b3ffd7b66d536cb892a14784bd8a03ba2cde58f4ce7eeea7b2ce2aa4832a3108d069e7

Download Submit
C:\Windows\{9AC79DA1-0987-476a-ADBE-305119CC6217}.exe

Filesize
90KB

MD5
ecbd37518e940dd265e1583851138922

SHA1
bd752810eaeedcec8f21e67fffef08799489db5b

SHA256
76499b7962a98d11eece9d3057cad18aa2bff97ed3006a764831224254484281

SHA512
db236792947944786cf6993f9a76b946b95cf63c7207447d5f4611c22cdd4beceefbb41405e8148b8d1cc397517c3fe7125487d368509d3043e0920497995370

Download Submit
C:\Windows\{FA580668-48AD-4716-BC4A-0CEAC05D0A55}.exe

Filesize
90KB

MD5
b29acf8fc58784f644c94d37f10b5aaf

SHA1
df6c6392f651133b516f793f5a759dc83fd48256

SHA256
57e07596e6aeb9fdc5464b601eecfd0706d43406c8d2a7f57a8772ee64b474a1

SHA512
076cd8d575c602f78583db049998ad704b5127d81f0cecb98e8e2d907316c6c92313dea794df0585dd7a7331f611b7e528bb521ff366ddd1c9f129bc72525cf6

Download Submit
memory/484-87-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/484-95-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/788-52-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/788-59-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1340-70-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1340-77-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1788-96-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1900-42-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1996-85-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2228-16-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2228-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2256-25-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2256-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2424-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2424-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2424-7-0x00000000002B0000-0x00000000002C1000-memory.dmp

Filesize
68KB

Download
memory/2588-68-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2588-61-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2844-34-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2844-27-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2876-50-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads