ff66ea209a92bc02fff6e62ce0515a0dbaecd103983d6decddb377b4a5feeaaa

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/05/2024, 18:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fdb89067b1ffa6ece1b8e9bcae4d1140_NeikiAnalytics.exe
Size

60KB
MD5

fdb89067b1ffa6ece1b8e9bcae4d1140
SHA1

668bb27b71d1ddfd36a6951634ff3867d7e10f82
SHA256

ff66ea209a92bc02fff6e62ce0515a0dbaecd103983d6decddb377b4a5feeaaa
SHA512

914b327f59ed7c61b1e3ea935af9f7170353d5b0e57e862fac743764527d6017fc04ede022838946cbbfda55fddf01892a5a931aa46506c0cf86fdef50ed41d3
SSDEEP

192:vbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqwnh4/CFxyNhoy5t:vbLwOs8AHsc4sMfwhKQLroh4/CFsrd

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71B6476F-EF62-4e76-9408-D2BA8941BA82}\stubpath = "C:\\Windows\\{71B6476F-EF62-4e76-9408-D2BA8941BA82}.exe"	{486B8941-7578-4b5e-A280-871FE51673AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58D6402A-FA53-453d-BE60-A59F56E9FAD9}	{E5CE73E7-FF04-4381-8E2D-F186E4D0E3F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B1E5C49-E46E-4d2b-B155-2656DF24FB3C}\stubpath = "C:\\Windows\\{9B1E5C49-E46E-4d2b-B155-2656DF24FB3C}.exe"	{9168B936-D438-4574-A4BC-DE5381234067}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6640FD06-3106-4fa0-B413-2AA8E9EB10B8}\stubpath = "C:\\Windows\\{6640FD06-3106-4fa0-B413-2AA8E9EB10B8}.exe"	{9203D674-8E7A-40e0-B978-0368B476453A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF0BBE6C-DB91-4a8a-8882-EFEE614951AD}\stubpath = "C:\\Windows\\{AF0BBE6C-DB91-4a8a-8882-EFEE614951AD}.exe"	{6640FD06-3106-4fa0-B413-2AA8E9EB10B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71B6476F-EF62-4e76-9408-D2BA8941BA82}	{486B8941-7578-4b5e-A280-871FE51673AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58D6402A-FA53-453d-BE60-A59F56E9FAD9}\stubpath = "C:\\Windows\\{58D6402A-FA53-453d-BE60-A59F56E9FAD9}.exe"	{E5CE73E7-FF04-4381-8E2D-F186E4D0E3F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9203D674-8E7A-40e0-B978-0368B476453A}	{AF753B19-C0D9-4e19-B435-3CD98A0FB2C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF4463E3-D14C-4ee5-8209-BF9201DF69FF}	{AF0BBE6C-DB91-4a8a-8882-EFEE614951AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF4463E3-D14C-4ee5-8209-BF9201DF69FF}\stubpath = "C:\\Windows\\{FF4463E3-D14C-4ee5-8209-BF9201DF69FF}.exe"	{AF0BBE6C-DB91-4a8a-8882-EFEE614951AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{486B8941-7578-4b5e-A280-871FE51673AA}	{FF4463E3-D14C-4ee5-8209-BF9201DF69FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5CE73E7-FF04-4381-8E2D-F186E4D0E3F9}	fdb89067b1ffa6ece1b8e9bcae4d1140_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E5CE73E7-FF04-4381-8E2D-F186E4D0E3F9}\stubpath = "C:\\Windows\\{E5CE73E7-FF04-4381-8E2D-F186E4D0E3F9}.exe"	fdb89067b1ffa6ece1b8e9bcae4d1140_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF753B19-C0D9-4e19-B435-3CD98A0FB2C8}	{9B1E5C49-E46E-4d2b-B155-2656DF24FB3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF753B19-C0D9-4e19-B435-3CD98A0FB2C8}\stubpath = "C:\\Windows\\{AF753B19-C0D9-4e19-B435-3CD98A0FB2C8}.exe"	{9B1E5C49-E46E-4d2b-B155-2656DF24FB3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AF0BBE6C-DB91-4a8a-8882-EFEE614951AD}	{6640FD06-3106-4fa0-B413-2AA8E9EB10B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{486B8941-7578-4b5e-A280-871FE51673AA}\stubpath = "C:\\Windows\\{486B8941-7578-4b5e-A280-871FE51673AA}.exe"	{FF4463E3-D14C-4ee5-8209-BF9201DF69FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9168B936-D438-4574-A4BC-DE5381234067}	{58D6402A-FA53-453d-BE60-A59F56E9FAD9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9168B936-D438-4574-A4BC-DE5381234067}\stubpath = "C:\\Windows\\{9168B936-D438-4574-A4BC-DE5381234067}.exe"	{58D6402A-FA53-453d-BE60-A59F56E9FAD9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B1E5C49-E46E-4d2b-B155-2656DF24FB3C}	{9168B936-D438-4574-A4BC-DE5381234067}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9203D674-8E7A-40e0-B978-0368B476453A}\stubpath = "C:\\Windows\\{9203D674-8E7A-40e0-B978-0368B476453A}.exe"	{AF753B19-C0D9-4e19-B435-3CD98A0FB2C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6640FD06-3106-4fa0-B413-2AA8E9EB10B8}	{9203D674-8E7A-40e0-B978-0368B476453A}.exe

Deletes itself 1 IoCs

pid	Process
2120	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2716	{E5CE73E7-FF04-4381-8E2D-F186E4D0E3F9}.exe
2632	{58D6402A-FA53-453d-BE60-A59F56E9FAD9}.exe
2468	{9168B936-D438-4574-A4BC-DE5381234067}.exe
2896	{9B1E5C49-E46E-4d2b-B155-2656DF24FB3C}.exe
2732	{AF753B19-C0D9-4e19-B435-3CD98A0FB2C8}.exe
1984	{9203D674-8E7A-40e0-B978-0368B476453A}.exe
1976	{6640FD06-3106-4fa0-B413-2AA8E9EB10B8}.exe
1572	{AF0BBE6C-DB91-4a8a-8882-EFEE614951AD}.exe
2112	{FF4463E3-D14C-4ee5-8209-BF9201DF69FF}.exe
2832	{486B8941-7578-4b5e-A280-871FE51673AA}.exe
1116	{71B6476F-EF62-4e76-9408-D2BA8941BA82}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9B1E5C49-E46E-4d2b-B155-2656DF24FB3C}.exe	{9168B936-D438-4574-A4BC-DE5381234067}.exe
File created	C:\Windows\{AF753B19-C0D9-4e19-B435-3CD98A0FB2C8}.exe	{9B1E5C49-E46E-4d2b-B155-2656DF24FB3C}.exe
File created	C:\Windows\{9203D674-8E7A-40e0-B978-0368B476453A}.exe	{AF753B19-C0D9-4e19-B435-3CD98A0FB2C8}.exe
File created	C:\Windows\{FF4463E3-D14C-4ee5-8209-BF9201DF69FF}.exe	{AF0BBE6C-DB91-4a8a-8882-EFEE614951AD}.exe
File created	C:\Windows\{71B6476F-EF62-4e76-9408-D2BA8941BA82}.exe	{486B8941-7578-4b5e-A280-871FE51673AA}.exe
File created	C:\Windows\{9168B936-D438-4574-A4BC-DE5381234067}.exe	{58D6402A-FA53-453d-BE60-A59F56E9FAD9}.exe
File created	C:\Windows\{58D6402A-FA53-453d-BE60-A59F56E9FAD9}.exe	{E5CE73E7-FF04-4381-8E2D-F186E4D0E3F9}.exe
File created	C:\Windows\{6640FD06-3106-4fa0-B413-2AA8E9EB10B8}.exe	{9203D674-8E7A-40e0-B978-0368B476453A}.exe
File created	C:\Windows\{AF0BBE6C-DB91-4a8a-8882-EFEE614951AD}.exe	{6640FD06-3106-4fa0-B413-2AA8E9EB10B8}.exe
File created	C:\Windows\{486B8941-7578-4b5e-A280-871FE51673AA}.exe	{FF4463E3-D14C-4ee5-8209-BF9201DF69FF}.exe
File created	C:\Windows\{E5CE73E7-FF04-4381-8E2D-F186E4D0E3F9}.exe	fdb89067b1ffa6ece1b8e9bcae4d1140_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	340	fdb89067b1ffa6ece1b8e9bcae4d1140_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2716	{E5CE73E7-FF04-4381-8E2D-F186E4D0E3F9}.exe
Token: SeIncBasePriorityPrivilege	2632	{58D6402A-FA53-453d-BE60-A59F56E9FAD9}.exe
Token: SeIncBasePriorityPrivilege	2468	{9168B936-D438-4574-A4BC-DE5381234067}.exe
Token: SeIncBasePriorityPrivilege	2896	{9B1E5C49-E46E-4d2b-B155-2656DF24FB3C}.exe
Token: SeIncBasePriorityPrivilege	2732	{AF753B19-C0D9-4e19-B435-3CD98A0FB2C8}.exe
Token: SeIncBasePriorityPrivilege	1984	{9203D674-8E7A-40e0-B978-0368B476453A}.exe
Token: SeIncBasePriorityPrivilege	1976	{6640FD06-3106-4fa0-B413-2AA8E9EB10B8}.exe
Token: SeIncBasePriorityPrivilege	1572	{AF0BBE6C-DB91-4a8a-8882-EFEE614951AD}.exe
Token: SeIncBasePriorityPrivilege	2112	{FF4463E3-D14C-4ee5-8209-BF9201DF69FF}.exe
Token: SeIncBasePriorityPrivilege	2832	{486B8941-7578-4b5e-A280-871FE51673AA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 340 wrote to memory of 2716	340	fdb89067b1ffa6ece1b8e9bcae4d1140_NeikiAnalytics.exe	28
PID 340 wrote to memory of 2716	340	fdb89067b1ffa6ece1b8e9bcae4d1140_NeikiAnalytics.exe	28
PID 340 wrote to memory of 2716	340	fdb89067b1ffa6ece1b8e9bcae4d1140_NeikiAnalytics.exe	28
PID 340 wrote to memory of 2716	340	fdb89067b1ffa6ece1b8e9bcae4d1140_NeikiAnalytics.exe	28
PID 340 wrote to memory of 2120	340	fdb89067b1ffa6ece1b8e9bcae4d1140_NeikiAnalytics.exe	29
PID 340 wrote to memory of 2120	340	fdb89067b1ffa6ece1b8e9bcae4d1140_NeikiAnalytics.exe	29
PID 340 wrote to memory of 2120	340	fdb89067b1ffa6ece1b8e9bcae4d1140_NeikiAnalytics.exe	29
PID 340 wrote to memory of 2120	340	fdb89067b1ffa6ece1b8e9bcae4d1140_NeikiAnalytics.exe	29
PID 2716 wrote to memory of 2632	2716	{E5CE73E7-FF04-4381-8E2D-F186E4D0E3F9}.exe	30
PID 2716 wrote to memory of 2632	2716	{E5CE73E7-FF04-4381-8E2D-F186E4D0E3F9}.exe	30
PID 2716 wrote to memory of 2632	2716	{E5CE73E7-FF04-4381-8E2D-F186E4D0E3F9}.exe	30
PID 2716 wrote to memory of 2632	2716	{E5CE73E7-FF04-4381-8E2D-F186E4D0E3F9}.exe	30
PID 2716 wrote to memory of 2264	2716	{E5CE73E7-FF04-4381-8E2D-F186E4D0E3F9}.exe	31
PID 2716 wrote to memory of 2264	2716	{E5CE73E7-FF04-4381-8E2D-F186E4D0E3F9}.exe	31
PID 2716 wrote to memory of 2264	2716	{E5CE73E7-FF04-4381-8E2D-F186E4D0E3F9}.exe	31
PID 2716 wrote to memory of 2264	2716	{E5CE73E7-FF04-4381-8E2D-F186E4D0E3F9}.exe	31
PID 2632 wrote to memory of 2468	2632	{58D6402A-FA53-453d-BE60-A59F56E9FAD9}.exe	32
PID 2632 wrote to memory of 2468	2632	{58D6402A-FA53-453d-BE60-A59F56E9FAD9}.exe	32
PID 2632 wrote to memory of 2468	2632	{58D6402A-FA53-453d-BE60-A59F56E9FAD9}.exe	32
PID 2632 wrote to memory of 2468	2632	{58D6402A-FA53-453d-BE60-A59F56E9FAD9}.exe	32
PID 2632 wrote to memory of 2736	2632	{58D6402A-FA53-453d-BE60-A59F56E9FAD9}.exe	33
PID 2632 wrote to memory of 2736	2632	{58D6402A-FA53-453d-BE60-A59F56E9FAD9}.exe	33
PID 2632 wrote to memory of 2736	2632	{58D6402A-FA53-453d-BE60-A59F56E9FAD9}.exe	33
PID 2632 wrote to memory of 2736	2632	{58D6402A-FA53-453d-BE60-A59F56E9FAD9}.exe	33
PID 2468 wrote to memory of 2896	2468	{9168B936-D438-4574-A4BC-DE5381234067}.exe	36
PID 2468 wrote to memory of 2896	2468	{9168B936-D438-4574-A4BC-DE5381234067}.exe	36
PID 2468 wrote to memory of 2896	2468	{9168B936-D438-4574-A4BC-DE5381234067}.exe	36
PID 2468 wrote to memory of 2896	2468	{9168B936-D438-4574-A4BC-DE5381234067}.exe	36
PID 2468 wrote to memory of 628	2468	{9168B936-D438-4574-A4BC-DE5381234067}.exe	37
PID 2468 wrote to memory of 628	2468	{9168B936-D438-4574-A4BC-DE5381234067}.exe	37
PID 2468 wrote to memory of 628	2468	{9168B936-D438-4574-A4BC-DE5381234067}.exe	37
PID 2468 wrote to memory of 628	2468	{9168B936-D438-4574-A4BC-DE5381234067}.exe	37
PID 2896 wrote to memory of 2732	2896	{9B1E5C49-E46E-4d2b-B155-2656DF24FB3C}.exe	38
PID 2896 wrote to memory of 2732	2896	{9B1E5C49-E46E-4d2b-B155-2656DF24FB3C}.exe	38
PID 2896 wrote to memory of 2732	2896	{9B1E5C49-E46E-4d2b-B155-2656DF24FB3C}.exe	38
PID 2896 wrote to memory of 2732	2896	{9B1E5C49-E46E-4d2b-B155-2656DF24FB3C}.exe	38
PID 2896 wrote to memory of 2784	2896	{9B1E5C49-E46E-4d2b-B155-2656DF24FB3C}.exe	39
PID 2896 wrote to memory of 2784	2896	{9B1E5C49-E46E-4d2b-B155-2656DF24FB3C}.exe	39
PID 2896 wrote to memory of 2784	2896	{9B1E5C49-E46E-4d2b-B155-2656DF24FB3C}.exe	39
PID 2896 wrote to memory of 2784	2896	{9B1E5C49-E46E-4d2b-B155-2656DF24FB3C}.exe	39
PID 2732 wrote to memory of 1984	2732	{AF753B19-C0D9-4e19-B435-3CD98A0FB2C8}.exe	40
PID 2732 wrote to memory of 1984	2732	{AF753B19-C0D9-4e19-B435-3CD98A0FB2C8}.exe	40
PID 2732 wrote to memory of 1984	2732	{AF753B19-C0D9-4e19-B435-3CD98A0FB2C8}.exe	40
PID 2732 wrote to memory of 1984	2732	{AF753B19-C0D9-4e19-B435-3CD98A0FB2C8}.exe	40
PID 2732 wrote to memory of 2392	2732	{AF753B19-C0D9-4e19-B435-3CD98A0FB2C8}.exe	41
PID 2732 wrote to memory of 2392	2732	{AF753B19-C0D9-4e19-B435-3CD98A0FB2C8}.exe	41
PID 2732 wrote to memory of 2392	2732	{AF753B19-C0D9-4e19-B435-3CD98A0FB2C8}.exe	41
PID 2732 wrote to memory of 2392	2732	{AF753B19-C0D9-4e19-B435-3CD98A0FB2C8}.exe	41
PID 1984 wrote to memory of 1976	1984	{9203D674-8E7A-40e0-B978-0368B476453A}.exe	42
PID 1984 wrote to memory of 1976	1984	{9203D674-8E7A-40e0-B978-0368B476453A}.exe	42
PID 1984 wrote to memory of 1976	1984	{9203D674-8E7A-40e0-B978-0368B476453A}.exe	42
PID 1984 wrote to memory of 1976	1984	{9203D674-8E7A-40e0-B978-0368B476453A}.exe	42
PID 1984 wrote to memory of 1616	1984	{9203D674-8E7A-40e0-B978-0368B476453A}.exe	43
PID 1984 wrote to memory of 1616	1984	{9203D674-8E7A-40e0-B978-0368B476453A}.exe	43
PID 1984 wrote to memory of 1616	1984	{9203D674-8E7A-40e0-B978-0368B476453A}.exe	43
PID 1984 wrote to memory of 1616	1984	{9203D674-8E7A-40e0-B978-0368B476453A}.exe	43
PID 1976 wrote to memory of 1572	1976	{6640FD06-3106-4fa0-B413-2AA8E9EB10B8}.exe	44
PID 1976 wrote to memory of 1572	1976	{6640FD06-3106-4fa0-B413-2AA8E9EB10B8}.exe	44
PID 1976 wrote to memory of 1572	1976	{6640FD06-3106-4fa0-B413-2AA8E9EB10B8}.exe	44
PID 1976 wrote to memory of 1572	1976	{6640FD06-3106-4fa0-B413-2AA8E9EB10B8}.exe	44
PID 1976 wrote to memory of 3028	1976	{6640FD06-3106-4fa0-B413-2AA8E9EB10B8}.exe	45
PID 1976 wrote to memory of 3028	1976	{6640FD06-3106-4fa0-B413-2AA8E9EB10B8}.exe	45
PID 1976 wrote to memory of 3028	1976	{6640FD06-3106-4fa0-B413-2AA8E9EB10B8}.exe	45
PID 1976 wrote to memory of 3028	1976	{6640FD06-3106-4fa0-B413-2AA8E9EB10B8}.exe	45

C:\Users\Admin\AppData\Local\Temp\fdb89067b1ffa6ece1b8e9bcae4d1140_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\fdb89067b1ffa6ece1b8e9bcae4d1140_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:340
- C:\Windows\{E5CE73E7-FF04-4381-8E2D-F186E4D0E3F9}.exe
  C:\Windows\{E5CE73E7-FF04-4381-8E2D-F186E4D0E3F9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\{58D6402A-FA53-453d-BE60-A59F56E9FAD9}.exe
    C:\Windows\{58D6402A-FA53-453d-BE60-A59F56E9FAD9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\{9168B936-D438-4574-A4BC-DE5381234067}.exe
      C:\Windows\{9168B936-D438-4574-A4BC-DE5381234067}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2468
    - - C:\Windows\{9B1E5C49-E46E-4d2b-B155-2656DF24FB3C}.exe
        
        C:\Windows\{9B1E5C49-E46E-4d2b-B155-2656DF24FB3C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2896
      - C:\Windows\{AF753B19-C0D9-4e19-B435-3CD98A0FB2C8}.exe
        
        C:\Windows\{AF753B19-C0D9-4e19-B435-3CD98A0FB2C8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\{9203D674-8E7A-40e0-B978-0368B476453A}.exe
        
        C:\Windows\{9203D674-8E7A-40e0-B978-0368B476453A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\{6640FD06-3106-4fa0-B413-2AA8E9EB10B8}.exe
        
        C:\Windows\{6640FD06-3106-4fa0-B413-2AA8E9EB10B8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\{AF0BBE6C-DB91-4a8a-8882-EFEE614951AD}.exe
        
        C:\Windows\{AF0BBE6C-DB91-4a8a-8882-EFEE614951AD}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\{FF4463E3-D14C-4ee5-8209-BF9201DF69FF}.exe
        
        C:\Windows\{FF4463E3-D14C-4ee5-8209-BF9201DF69FF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\{486B8941-7578-4b5e-A280-871FE51673AA}.exe
        
        C:\Windows\{486B8941-7578-4b5e-A280-871FE51673AA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
        
        C:\Windows\{71B6476F-EF62-4e76-9408-D2BA8941BA82}.exe
        
        C:\Windows\{71B6476F-EF62-4e76-9408-D2BA8941BA82}.exe
        12⤵
        Executes dropped EXE
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{486B8~1.EXE > nul
        12⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF446~1.EXE > nul
        11⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF0BB~1.EXE > nul
        10⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6640F~1.EXE > nul
        9⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9203D~1.EXE > nul
        8⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF753~1.EXE > nul
        7⤵
        
        PID:2392
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B1E5~1.EXE > nul
        6⤵
        
        PID:2784
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9168B~1.EXE > nul
        5⤵
        
        PID:628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{58D64~1.EXE > nul
      4⤵
      PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E5CE7~1.EXE > nul
    3⤵
    PID:2264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\FDB890~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{486B8941-7578-4b5e-A280-871FE51673AA}.exe

Filesize
60KB

MD5
21a67835005ed230ae073b774b5a8069

SHA1
96e5b1e9eb7af394edad9c20f9763464e3a170ba

SHA256
fcdfea351d825c4c466cbd3c5be266d125bea655eab0e8c44e8ed6b6ff299e48

SHA512
b53d0f64f5889f637fa3628192a0d1478108870c75e46197b2643113fe859215070fb4078059e468389d74bd248429f1e4abcddde03316cbd0b1751aab903bc6

Download Submit
C:\Windows\{58D6402A-FA53-453d-BE60-A59F56E9FAD9}.exe

Filesize
60KB

MD5
e2af8f9555fcff62da2ecb0de355f6ad

SHA1
bd2d12b47f6abaafb4821e62fc1e9205ae631ba6

SHA256
5ecea0a784173de7e8cec359dde3235e840b873031546456390e4ad4a921aeb9

SHA512
7fe559dec77495cad018e76561d05ff12de97b1db069b197fd87568be3809fe31cd6c2636e40953e590473e956604e519c9c75a36d92b4c82c94e8e11438561b

Download Submit
C:\Windows\{6640FD06-3106-4fa0-B413-2AA8E9EB10B8}.exe

Filesize
60KB

MD5
cd68c0d7dcf3ab8f3ed95cb22e2efd4f

SHA1
2093b3fd902ce8da3af5010111f51ed408919fdc

SHA256
f0b442e243006a52b65bc83b3fefe53e7b13de6ec4bd06025b467a6edea1fd43

SHA512
09bb192dabfc3231bf1138702bb0b6c44930aab7bebce22d34fd1852504488f6fbc17e034f52c7b9c23f008ad7c028d8309882097de46fd049cb9dcbf8a6642f

Download Submit
C:\Windows\{71B6476F-EF62-4e76-9408-D2BA8941BA82}.exe

Filesize
60KB

MD5
5f093c28d92c81da90b42802cc1ef083

SHA1
24c8bf92fe1649cbea4585a9973bdf5ea69ae4f3

SHA256
723c5f2fc6b2a6af5a766d273112aceab402ebfba812a7cc11669ab70bb47b35

SHA512
78527d34bc2a4f9d56be10bcd37eb6e304eaf721dad1f5e8a3ad973f2c450ad6998fe8d9a898fbe8ec0e0dfa718d73fc5492548964fea5b61ccedafbe0b50f6a

Download Submit
C:\Windows\{9168B936-D438-4574-A4BC-DE5381234067}.exe

Filesize
60KB

MD5
fcd94f688add91ad6570838f00be17aa

SHA1
370c20f1c0d76fa1ca0a98a885117d9bb381a54b

SHA256
ee37864e1056e8fecaceb3b94c2f5f1f7159296a4e7ea527dffa61a2c3ed52f6

SHA512
aa57e3077ee91ea1abe2714409624a08e15084da1941d6a3d022f58dec2676e7db7c608d3bd7c3e5e4f7de30bd1bbad3e8a141264764b94ad0aa9f4847a3ed02

Download Submit
C:\Windows\{9203D674-8E7A-40e0-B978-0368B476453A}.exe

Filesize
60KB

MD5
b6ed93862fe713808f2a9e6689f027fa

SHA1
1f731f94b9d4660e315cfad8d91282a139c919f1

SHA256
89635932953068130651fb4ace5dcea95bb98b10c2a94e5c11d02f9bc1689cdc

SHA512
89f323141915995a2e1fcbb2d6fafa380ecd99c766e136f0f1ff041eed7d9fdc8490af7e46e9365e3a42a8556ac416af6df8d9870c2386cb04bfeff504bf761c

Download Submit
C:\Windows\{9B1E5C49-E46E-4d2b-B155-2656DF24FB3C}.exe

Filesize
60KB

MD5
cdf95e5204217910ab79e6234ed9e248

SHA1
2a9d1b7c7e734f8a21ab5fbab202a64b3d0a754a

SHA256
629dee7da3c4195e833ee09cd7ad3660e1bb515e8442f45939478198057a889e

SHA512
c4591b3b6f0f06d82d06ef9aa06c471d46033669e6c0050fbda2ac8af0970850cc317d35816c0f750a24a456532ff65b5feb84ff833fb25b27933800ef812ac3

Download Submit
C:\Windows\{AF0BBE6C-DB91-4a8a-8882-EFEE614951AD}.exe

Filesize
60KB

MD5
17f23393612fde3b5e40d7d9c4758e58

SHA1
d8104ed353c75497ffd3bb83a5bb85f25774def4

SHA256
d33fddc62c4f7b4bffcce04f4913b5bf09630ddaa94c1dfd1eab8d4c5b04ddb2

SHA512
1faeb1c1a3138be52fc7bdc418ec2e05559cc6ff7cc7b9c07ab91dc84bfe3285a1da25534d0bdcd38887283101bd000d2f7281c1f3a5cdc3b717dccf60c7ce99

Download Submit
C:\Windows\{AF753B19-C0D9-4e19-B435-3CD98A0FB2C8}.exe

Filesize
60KB

MD5
f952208afeb5387ce01c4e052e45a19d

SHA1
d98b9dd0e6d364ec33efa5bf9d068e97895a843f

SHA256
31ce0ab94ae658d6ed3aacf70451b5c861e723a75ca4518883246e1d7b89da1c

SHA512
aa0eb6f705ffb528dae0c82077e71bce6df21285bcfff369981bfa240f8ab873af74124ecec2b7f6bd77f0af78c1d91b61dd34d458333c61d8f58bd58d3f1b63

Download Submit
C:\Windows\{E5CE73E7-FF04-4381-8E2D-F186E4D0E3F9}.exe

Filesize
60KB

MD5
e840ba6a5c866371b9875161e99b15f1

SHA1
5339953ef65cf992c4ec46ec82b934d3a29fc334

SHA256
7d3770611ce747e25ee87050a9a18123aac09fd9828409900ceb702c4ff9e2ab

SHA512
aacf902d24d19f10023390266bf1a9809d2c4f0cb6d0a881288c8c72f3b7d73a5fac3636b9af6ee0732f5d9175a76f33d47b2a3a347bb10c3f55dc69a6e3d8ef

Download Submit
C:\Windows\{FF4463E3-D14C-4ee5-8209-BF9201DF69FF}.exe

Filesize
60KB

MD5
012aa101881546c5b2c5422d9752d29e

SHA1
04981be5358c997db0b3fc6846385225586958dd

SHA256
e2cbfebad7a879c343bdba636bc9b93c7339adb497b18f529a596d635a9f83df

SHA512
71e3ce9dba61307738850d29f9108101b294bc853b311b302bd0f2d30bb83cd1e67c1bb2d26ea600ee5c9f1e16178409c6056db3e5a0588294f5a743104251f3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads