99121c8c83275d1de3d651d9c7c407babda1cef3ce82f723d7a1a3f5411e3ba2

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29-05-2024 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31c251ad1ebf3c9ee205f8b28b335b30_NeikiAnalytics.exe
Size

98KB
MD5

31c251ad1ebf3c9ee205f8b28b335b30
SHA1

6b0cc2ee0dba27226e916203e69b92116e7e174a
SHA256

99121c8c83275d1de3d651d9c7c407babda1cef3ce82f723d7a1a3f5411e3ba2
SHA512

0832b6a626eedec5f5c522e5e8108188824bc37a9aaa6a96db9db1c75624bb09bfb6864c480474e6ccee1f9cdc3697e08c2e62737c559f4db643e90a6f684445
SSDEEP

768:5vw981sthKQLrod4/wQDNrfrunMxVFA3b7glws:lEGN0odlounMxVS3Hgz

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6177572A-149D-4364-BCB6-8134EA055DD8}\stubpath = "C:\\Windows\\{6177572A-149D-4364-BCB6-8134EA055DD8}.exe"	{60AD4D4D-33B3-4859-9028-6EDE5D3694A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E99DECCF-2FC5-4c6d-AEBF-04AEEB26EB91}	{6177572A-149D-4364-BCB6-8134EA055DD8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8248E03-7441-469d-8D52-B92A8D179EBC}\stubpath = "C:\\Windows\\{C8248E03-7441-469d-8D52-B92A8D179EBC}.exe"	{BEA99A69-40E7-4650-9F97-900FA88AE60A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A966E26-FB00-4424-B66E-2E6E209E98A2}\stubpath = "C:\\Windows\\{2A966E26-FB00-4424-B66E-2E6E209E98A2}.exe"	{50201C06-F6D2-487a-BEAD-AE1885C7D91E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55AD51FB-CE49-4608-8DED-5F780BE7ADB0}	{D0914E6A-8A9E-44e3-A237-6EE60E6533E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6177572A-149D-4364-BCB6-8134EA055DD8}	{60AD4D4D-33B3-4859-9028-6EDE5D3694A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60AD4D4D-33B3-4859-9028-6EDE5D3694A7}\stubpath = "C:\\Windows\\{60AD4D4D-33B3-4859-9028-6EDE5D3694A7}.exe"	{55AD51FB-CE49-4608-8DED-5F780BE7ADB0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2562BC77-3C0C-4348-A8DD-BCCB55F5B0D6}	{EF80A2CA-7580-49aa-BEED-B1D9E0DB70FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEA99A69-40E7-4650-9F97-900FA88AE60A}\stubpath = "C:\\Windows\\{BEA99A69-40E7-4650-9F97-900FA88AE60A}.exe"	{2562BC77-3C0C-4348-A8DD-BCCB55F5B0D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50201C06-F6D2-487a-BEAD-AE1885C7D91E}	{C8248E03-7441-469d-8D52-B92A8D179EBC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50201C06-F6D2-487a-BEAD-AE1885C7D91E}\stubpath = "C:\\Windows\\{50201C06-F6D2-487a-BEAD-AE1885C7D91E}.exe"	{C8248E03-7441-469d-8D52-B92A8D179EBC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A966E26-FB00-4424-B66E-2E6E209E98A2}	{50201C06-F6D2-487a-BEAD-AE1885C7D91E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0914E6A-8A9E-44e3-A237-6EE60E6533E5}	31c251ad1ebf3c9ee205f8b28b335b30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55AD51FB-CE49-4608-8DED-5F780BE7ADB0}\stubpath = "C:\\Windows\\{55AD51FB-CE49-4608-8DED-5F780BE7ADB0}.exe"	{D0914E6A-8A9E-44e3-A237-6EE60E6533E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF80A2CA-7580-49aa-BEED-B1D9E0DB70FE}	{E99DECCF-2FC5-4c6d-AEBF-04AEEB26EB91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEA99A69-40E7-4650-9F97-900FA88AE60A}	{2562BC77-3C0C-4348-A8DD-BCCB55F5B0D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0914E6A-8A9E-44e3-A237-6EE60E6533E5}\stubpath = "C:\\Windows\\{D0914E6A-8A9E-44e3-A237-6EE60E6533E5}.exe"	31c251ad1ebf3c9ee205f8b28b335b30_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E99DECCF-2FC5-4c6d-AEBF-04AEEB26EB91}\stubpath = "C:\\Windows\\{E99DECCF-2FC5-4c6d-AEBF-04AEEB26EB91}.exe"	{6177572A-149D-4364-BCB6-8134EA055DD8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2562BC77-3C0C-4348-A8DD-BCCB55F5B0D6}\stubpath = "C:\\Windows\\{2562BC77-3C0C-4348-A8DD-BCCB55F5B0D6}.exe"	{EF80A2CA-7580-49aa-BEED-B1D9E0DB70FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8248E03-7441-469d-8D52-B92A8D179EBC}	{BEA99A69-40E7-4650-9F97-900FA88AE60A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60AD4D4D-33B3-4859-9028-6EDE5D3694A7}	{55AD51FB-CE49-4608-8DED-5F780BE7ADB0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF80A2CA-7580-49aa-BEED-B1D9E0DB70FE}\stubpath = "C:\\Windows\\{EF80A2CA-7580-49aa-BEED-B1D9E0DB70FE}.exe"	{E99DECCF-2FC5-4c6d-AEBF-04AEEB26EB91}.exe

Deletes itself 1 IoCs

pid	Process
2332	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2492	{D0914E6A-8A9E-44e3-A237-6EE60E6533E5}.exe
2272	{55AD51FB-CE49-4608-8DED-5F780BE7ADB0}.exe
2876	{60AD4D4D-33B3-4859-9028-6EDE5D3694A7}.exe
1996	{6177572A-149D-4364-BCB6-8134EA055DD8}.exe
2384	{E99DECCF-2FC5-4c6d-AEBF-04AEEB26EB91}.exe
2268	{EF80A2CA-7580-49aa-BEED-B1D9E0DB70FE}.exe
2832	{2562BC77-3C0C-4348-A8DD-BCCB55F5B0D6}.exe
552	{BEA99A69-40E7-4650-9F97-900FA88AE60A}.exe
2796	{C8248E03-7441-469d-8D52-B92A8D179EBC}.exe
984	{50201C06-F6D2-487a-BEAD-AE1885C7D91E}.exe
1120	{2A966E26-FB00-4424-B66E-2E6E209E98A2}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{EF80A2CA-7580-49aa-BEED-B1D9E0DB70FE}.exe	{E99DECCF-2FC5-4c6d-AEBF-04AEEB26EB91}.exe
File created	C:\Windows\{2562BC77-3C0C-4348-A8DD-BCCB55F5B0D6}.exe	{EF80A2CA-7580-49aa-BEED-B1D9E0DB70FE}.exe
File created	C:\Windows\{BEA99A69-40E7-4650-9F97-900FA88AE60A}.exe	{2562BC77-3C0C-4348-A8DD-BCCB55F5B0D6}.exe
File created	C:\Windows\{C8248E03-7441-469d-8D52-B92A8D179EBC}.exe	{BEA99A69-40E7-4650-9F97-900FA88AE60A}.exe
File created	C:\Windows\{D0914E6A-8A9E-44e3-A237-6EE60E6533E5}.exe	31c251ad1ebf3c9ee205f8b28b335b30_NeikiAnalytics.exe
File created	C:\Windows\{60AD4D4D-33B3-4859-9028-6EDE5D3694A7}.exe	{55AD51FB-CE49-4608-8DED-5F780BE7ADB0}.exe
File created	C:\Windows\{E99DECCF-2FC5-4c6d-AEBF-04AEEB26EB91}.exe	{6177572A-149D-4364-BCB6-8134EA055DD8}.exe
File created	C:\Windows\{2A966E26-FB00-4424-B66E-2E6E209E98A2}.exe	{50201C06-F6D2-487a-BEAD-AE1885C7D91E}.exe
File created	C:\Windows\{55AD51FB-CE49-4608-8DED-5F780BE7ADB0}.exe	{D0914E6A-8A9E-44e3-A237-6EE60E6533E5}.exe
File created	C:\Windows\{6177572A-149D-4364-BCB6-8134EA055DD8}.exe	{60AD4D4D-33B3-4859-9028-6EDE5D3694A7}.exe
File created	C:\Windows\{50201C06-F6D2-487a-BEAD-AE1885C7D91E}.exe	{C8248E03-7441-469d-8D52-B92A8D179EBC}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2228	31c251ad1ebf3c9ee205f8b28b335b30_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2492	{D0914E6A-8A9E-44e3-A237-6EE60E6533E5}.exe
Token: SeIncBasePriorityPrivilege	2272	{55AD51FB-CE49-4608-8DED-5F780BE7ADB0}.exe
Token: SeIncBasePriorityPrivilege	2876	{60AD4D4D-33B3-4859-9028-6EDE5D3694A7}.exe
Token: SeIncBasePriorityPrivilege	1996	{6177572A-149D-4364-BCB6-8134EA055DD8}.exe
Token: SeIncBasePriorityPrivilege	2384	{E99DECCF-2FC5-4c6d-AEBF-04AEEB26EB91}.exe
Token: SeIncBasePriorityPrivilege	2268	{EF80A2CA-7580-49aa-BEED-B1D9E0DB70FE}.exe
Token: SeIncBasePriorityPrivilege	2832	{2562BC77-3C0C-4348-A8DD-BCCB55F5B0D6}.exe
Token: SeIncBasePriorityPrivilege	552	{BEA99A69-40E7-4650-9F97-900FA88AE60A}.exe
Token: SeIncBasePriorityPrivilege	2796	{C8248E03-7441-469d-8D52-B92A8D179EBC}.exe
Token: SeIncBasePriorityPrivilege	984	{50201C06-F6D2-487a-BEAD-AE1885C7D91E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2492	2228	31c251ad1ebf3c9ee205f8b28b335b30_NeikiAnalytics.exe	28
PID 2228 wrote to memory of 2492	2228	31c251ad1ebf3c9ee205f8b28b335b30_NeikiAnalytics.exe	28
PID 2228 wrote to memory of 2492	2228	31c251ad1ebf3c9ee205f8b28b335b30_NeikiAnalytics.exe	28
PID 2228 wrote to memory of 2492	2228	31c251ad1ebf3c9ee205f8b28b335b30_NeikiAnalytics.exe	28
PID 2228 wrote to memory of 2332	2228	31c251ad1ebf3c9ee205f8b28b335b30_NeikiAnalytics.exe	29
PID 2228 wrote to memory of 2332	2228	31c251ad1ebf3c9ee205f8b28b335b30_NeikiAnalytics.exe	29
PID 2228 wrote to memory of 2332	2228	31c251ad1ebf3c9ee205f8b28b335b30_NeikiAnalytics.exe	29
PID 2228 wrote to memory of 2332	2228	31c251ad1ebf3c9ee205f8b28b335b30_NeikiAnalytics.exe	29
PID 2492 wrote to memory of 2272	2492	{D0914E6A-8A9E-44e3-A237-6EE60E6533E5}.exe	30
PID 2492 wrote to memory of 2272	2492	{D0914E6A-8A9E-44e3-A237-6EE60E6533E5}.exe	30
PID 2492 wrote to memory of 2272	2492	{D0914E6A-8A9E-44e3-A237-6EE60E6533E5}.exe	30
PID 2492 wrote to memory of 2272	2492	{D0914E6A-8A9E-44e3-A237-6EE60E6533E5}.exe	30
PID 2492 wrote to memory of 2756	2492	{D0914E6A-8A9E-44e3-A237-6EE60E6533E5}.exe	31
PID 2492 wrote to memory of 2756	2492	{D0914E6A-8A9E-44e3-A237-6EE60E6533E5}.exe	31
PID 2492 wrote to memory of 2756	2492	{D0914E6A-8A9E-44e3-A237-6EE60E6533E5}.exe	31
PID 2492 wrote to memory of 2756	2492	{D0914E6A-8A9E-44e3-A237-6EE60E6533E5}.exe	31
PID 2272 wrote to memory of 2876	2272	{55AD51FB-CE49-4608-8DED-5F780BE7ADB0}.exe	32
PID 2272 wrote to memory of 2876	2272	{55AD51FB-CE49-4608-8DED-5F780BE7ADB0}.exe	32
PID 2272 wrote to memory of 2876	2272	{55AD51FB-CE49-4608-8DED-5F780BE7ADB0}.exe	32
PID 2272 wrote to memory of 2876	2272	{55AD51FB-CE49-4608-8DED-5F780BE7ADB0}.exe	32
PID 2272 wrote to memory of 2684	2272	{55AD51FB-CE49-4608-8DED-5F780BE7ADB0}.exe	33
PID 2272 wrote to memory of 2684	2272	{55AD51FB-CE49-4608-8DED-5F780BE7ADB0}.exe	33
PID 2272 wrote to memory of 2684	2272	{55AD51FB-CE49-4608-8DED-5F780BE7ADB0}.exe	33
PID 2272 wrote to memory of 2684	2272	{55AD51FB-CE49-4608-8DED-5F780BE7ADB0}.exe	33
PID 2876 wrote to memory of 1996	2876	{60AD4D4D-33B3-4859-9028-6EDE5D3694A7}.exe	36
PID 2876 wrote to memory of 1996	2876	{60AD4D4D-33B3-4859-9028-6EDE5D3694A7}.exe	36
PID 2876 wrote to memory of 1996	2876	{60AD4D4D-33B3-4859-9028-6EDE5D3694A7}.exe	36
PID 2876 wrote to memory of 1996	2876	{60AD4D4D-33B3-4859-9028-6EDE5D3694A7}.exe	36
PID 2876 wrote to memory of 2872	2876	{60AD4D4D-33B3-4859-9028-6EDE5D3694A7}.exe	37
PID 2876 wrote to memory of 2872	2876	{60AD4D4D-33B3-4859-9028-6EDE5D3694A7}.exe	37
PID 2876 wrote to memory of 2872	2876	{60AD4D4D-33B3-4859-9028-6EDE5D3694A7}.exe	37
PID 2876 wrote to memory of 2872	2876	{60AD4D4D-33B3-4859-9028-6EDE5D3694A7}.exe	37
PID 1996 wrote to memory of 2384	1996	{6177572A-149D-4364-BCB6-8134EA055DD8}.exe	38
PID 1996 wrote to memory of 2384	1996	{6177572A-149D-4364-BCB6-8134EA055DD8}.exe	38
PID 1996 wrote to memory of 2384	1996	{6177572A-149D-4364-BCB6-8134EA055DD8}.exe	38
PID 1996 wrote to memory of 2384	1996	{6177572A-149D-4364-BCB6-8134EA055DD8}.exe	38
PID 1996 wrote to memory of 1756	1996	{6177572A-149D-4364-BCB6-8134EA055DD8}.exe	39
PID 1996 wrote to memory of 1756	1996	{6177572A-149D-4364-BCB6-8134EA055DD8}.exe	39
PID 1996 wrote to memory of 1756	1996	{6177572A-149D-4364-BCB6-8134EA055DD8}.exe	39
PID 1996 wrote to memory of 1756	1996	{6177572A-149D-4364-BCB6-8134EA055DD8}.exe	39
PID 2384 wrote to memory of 2268	2384	{E99DECCF-2FC5-4c6d-AEBF-04AEEB26EB91}.exe	40
PID 2384 wrote to memory of 2268	2384	{E99DECCF-2FC5-4c6d-AEBF-04AEEB26EB91}.exe	40
PID 2384 wrote to memory of 2268	2384	{E99DECCF-2FC5-4c6d-AEBF-04AEEB26EB91}.exe	40
PID 2384 wrote to memory of 2268	2384	{E99DECCF-2FC5-4c6d-AEBF-04AEEB26EB91}.exe	40
PID 2384 wrote to memory of 2004	2384	{E99DECCF-2FC5-4c6d-AEBF-04AEEB26EB91}.exe	41
PID 2384 wrote to memory of 2004	2384	{E99DECCF-2FC5-4c6d-AEBF-04AEEB26EB91}.exe	41
PID 2384 wrote to memory of 2004	2384	{E99DECCF-2FC5-4c6d-AEBF-04AEEB26EB91}.exe	41
PID 2384 wrote to memory of 2004	2384	{E99DECCF-2FC5-4c6d-AEBF-04AEEB26EB91}.exe	41
PID 2268 wrote to memory of 2832	2268	{EF80A2CA-7580-49aa-BEED-B1D9E0DB70FE}.exe	42
PID 2268 wrote to memory of 2832	2268	{EF80A2CA-7580-49aa-BEED-B1D9E0DB70FE}.exe	42
PID 2268 wrote to memory of 2832	2268	{EF80A2CA-7580-49aa-BEED-B1D9E0DB70FE}.exe	42
PID 2268 wrote to memory of 2832	2268	{EF80A2CA-7580-49aa-BEED-B1D9E0DB70FE}.exe	42
PID 2268 wrote to memory of 2620	2268	{EF80A2CA-7580-49aa-BEED-B1D9E0DB70FE}.exe	43
PID 2268 wrote to memory of 2620	2268	{EF80A2CA-7580-49aa-BEED-B1D9E0DB70FE}.exe	43
PID 2268 wrote to memory of 2620	2268	{EF80A2CA-7580-49aa-BEED-B1D9E0DB70FE}.exe	43
PID 2268 wrote to memory of 2620	2268	{EF80A2CA-7580-49aa-BEED-B1D9E0DB70FE}.exe	43
PID 2832 wrote to memory of 552	2832	{2562BC77-3C0C-4348-A8DD-BCCB55F5B0D6}.exe	44
PID 2832 wrote to memory of 552	2832	{2562BC77-3C0C-4348-A8DD-BCCB55F5B0D6}.exe	44
PID 2832 wrote to memory of 552	2832	{2562BC77-3C0C-4348-A8DD-BCCB55F5B0D6}.exe	44
PID 2832 wrote to memory of 552	2832	{2562BC77-3C0C-4348-A8DD-BCCB55F5B0D6}.exe	44
PID 2832 wrote to memory of 1760	2832	{2562BC77-3C0C-4348-A8DD-BCCB55F5B0D6}.exe	45
PID 2832 wrote to memory of 1760	2832	{2562BC77-3C0C-4348-A8DD-BCCB55F5B0D6}.exe	45
PID 2832 wrote to memory of 1760	2832	{2562BC77-3C0C-4348-A8DD-BCCB55F5B0D6}.exe	45
PID 2832 wrote to memory of 1760	2832	{2562BC77-3C0C-4348-A8DD-BCCB55F5B0D6}.exe	45

C:\Users\Admin\AppData\Local\Temp\31c251ad1ebf3c9ee205f8b28b335b30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\31c251ad1ebf3c9ee205f8b28b335b30_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\{D0914E6A-8A9E-44e3-A237-6EE60E6533E5}.exe
  C:\Windows\{D0914E6A-8A9E-44e3-A237-6EE60E6533E5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\{55AD51FB-CE49-4608-8DED-5F780BE7ADB0}.exe
    C:\Windows\{55AD51FB-CE49-4608-8DED-5F780BE7ADB0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Windows\{60AD4D4D-33B3-4859-9028-6EDE5D3694A7}.exe
      C:\Windows\{60AD4D4D-33B3-4859-9028-6EDE5D3694A7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2876
    - - C:\Windows\{6177572A-149D-4364-BCB6-8134EA055DD8}.exe
        
        C:\Windows\{6177572A-149D-4364-BCB6-8134EA055DD8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1996
      - C:\Windows\{E99DECCF-2FC5-4c6d-AEBF-04AEEB26EB91}.exe
        
        C:\Windows\{E99DECCF-2FC5-4c6d-AEBF-04AEEB26EB91}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\{EF80A2CA-7580-49aa-BEED-B1D9E0DB70FE}.exe
        
        C:\Windows\{EF80A2CA-7580-49aa-BEED-B1D9E0DB70FE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\{2562BC77-3C0C-4348-A8DD-BCCB55F5B0D6}.exe
        
        C:\Windows\{2562BC77-3C0C-4348-A8DD-BCCB55F5B0D6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\{BEA99A69-40E7-4650-9F97-900FA88AE60A}.exe
        
        C:\Windows\{BEA99A69-40E7-4650-9F97-900FA88AE60A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:552
        
        C:\Windows\{C8248E03-7441-469d-8D52-B92A8D179EBC}.exe
        
        C:\Windows\{C8248E03-7441-469d-8D52-B92A8D179EBC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\{50201C06-F6D2-487a-BEAD-AE1885C7D91E}.exe
        
        C:\Windows\{50201C06-F6D2-487a-BEAD-AE1885C7D91E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:984
        
        C:\Windows\{2A966E26-FB00-4424-B66E-2E6E209E98A2}.exe
        
        C:\Windows\{2A966E26-FB00-4424-B66E-2E6E209E98A2}.exe
        12⤵
        Executes dropped EXE
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50201~1.EXE > nul
        12⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8248~1.EXE > nul
        11⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BEA99~1.EXE > nul
        10⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2562B~1.EXE > nul
        9⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF80A~1.EXE > nul
        8⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E99DE~1.EXE > nul
        7⤵
        
        PID:2004
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61775~1.EXE > nul
        6⤵
        
        PID:1756
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60AD4~1.EXE > nul
        5⤵
        
        PID:2872
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{55AD5~1.EXE > nul
      4⤵
      PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D0914~1.EXE > nul
    3⤵
    PID:2756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\31C251~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2562BC77-3C0C-4348-A8DD-BCCB55F5B0D6}.exe

Filesize
98KB

MD5
b14723440a225c742805957ceae423a8

SHA1
a12ffbdd8dd79df17e6e6ee6584220181dabb8a5

SHA256
a2c52c2921b11d04682d026b06c425b5cf24d05f4b36a97467a06e300716be3a

SHA512
83806be715d773ad25ba2de05588e8c899107e3d49c1180346512f48f7c4ba981850d561fdeb99dfdcac90180363cd03362d043cb69a4a36f7755fd9cb3ce49a

Download Submit
C:\Windows\{2A966E26-FB00-4424-B66E-2E6E209E98A2}.exe

Filesize
98KB

MD5
826f74c651f58edd3d9480042ab0d5ee

SHA1
7ec7d8489006b6f1381433114c4cf230758ea300

SHA256
98281dda13f2d3801ae2d12fcc9571237b3017023bac5b8486d97b83bee2a606

SHA512
45fc0f42f1bfa4196b6c0041a958c305159080775bf0537e7b312b0cd3952ec9683062ec721213768fb06cf3fde872418e92ce4f86bad6f68355aa4840b03917

Download Submit
C:\Windows\{50201C06-F6D2-487a-BEAD-AE1885C7D91E}.exe

Filesize
98KB

MD5
2ca0944708028efe2705de391f1ef2ae

SHA1
ea9b7926b90ad06e750bbd09c5359c6cd3e63030

SHA256
20d455b8262a2bb1f4aae1711b69f1d5d70091bdfe3bd9b6a3dda03689806432

SHA512
3ddb76a507115b75b030e4d36755ecc890c49c77c107861c0e891d651027c917647ec82e074e04930db2e5e3749cd4b936021e4621e2133bc995b169ab756819

Download Submit
C:\Windows\{55AD51FB-CE49-4608-8DED-5F780BE7ADB0}.exe

Filesize
98KB

MD5
fc66732d7bc677b03a8b6327ef997d99

SHA1
42bd5cfb984ba7652aa577919a5a3731dff83cd2

SHA256
7fc828fde0d78347773ca423ee4714a8ae3a93b0f29c1d5771a0a0fd82c757e4

SHA512
6ac14e766c358c216521fe0d5ab709be5a7e859b3218426c7b087597cce4f28b5260e16cb2338a178c6e526719115ef7dca28ea2e7a1e09a721d60368bab83b8

Download Submit
C:\Windows\{60AD4D4D-33B3-4859-9028-6EDE5D3694A7}.exe

Filesize
98KB

MD5
1aaadc77bca5ae5fefcfa00e3e829e7e

SHA1
46a907d4b25a489ecfbde869600bc40ceb441514

SHA256
e903b71dfaf1de370b43efaac92b542352ff9d88ecd4a33817e6dd6d44d38f55

SHA512
11cc29275783fca1afedd55bf748f76479a2b94343c763cbf27472ff0460c54b2075021c8bc47cc5124854e71d96034129f6df57c7c979b892ecef8db728492c

Download Submit
C:\Windows\{6177572A-149D-4364-BCB6-8134EA055DD8}.exe

Filesize
98KB

MD5
e8c293f6af9464c3b7c8f80755673226

SHA1
77181031b4f82b484501e4916d0ae2214517b82e

SHA256
b0b703d69402bf11f7a857defad18e0480fe00a5d89067a82b9bb91818ad5569

SHA512
6068dc765096610999c13f94b4f278e32893020888f6b9295bbadf2b669b49714e2b0b57f88f1ef3a714ea215b3b291c0b41af77ec9a2d4f72140640806ee9f2

Download Submit
C:\Windows\{BEA99A69-40E7-4650-9F97-900FA88AE60A}.exe

Filesize
98KB

MD5
30538464b65442ef3e46df7783dc530a

SHA1
c37c15cb383f00dcf77c604893f5eb593ad7c295

SHA256
729b61af7b36630a7230a7e7e08a6fadebaba5a0a320728960c86a2c8de9cb23

SHA512
4fee1ae8edbeeeac50599bf08339f94ff0357f2ce20811932de3ace855bfb5c3e96fdce4d66f3e1a6df022ec7cdd03c7d28004318cfbfcf73aee098abb055c49

Download Submit
C:\Windows\{C8248E03-7441-469d-8D52-B92A8D179EBC}.exe

Filesize
98KB

MD5
58379bf6268e3aaa1c2054adbf6b3ccb

SHA1
2100a430bd0831e851a3b19fc021fea00c9015a8

SHA256
4655aaffbc7530b75e6da25254bae72bc2dc80869f82d1046e273a43f2caa33a

SHA512
d942876c2c05b6747dd210ed57e81201a4e8d591e2d4c0dd5cf8c3e9826d5e0b8808573a7b323f53bb399d493d92a89d4cde254adfe230e3e6e0fc0601a75658

Download Submit
C:\Windows\{D0914E6A-8A9E-44e3-A237-6EE60E6533E5}.exe

Filesize
98KB

MD5
fdd7181825b93fb2f2f139e048051d68

SHA1
e233f0d6d61751ffde0fefd034f78fadd0f9e967

SHA256
4b70b3815cee6128731a8647a3c7978547f9dc8cee68c4dfff5a9e0c6d8bac11

SHA512
213fec0d60179ad69de19fe31a40bad4447f239525e4bfb26b68dc4e0a3ab50f69f9c0af27aafe6dc0a3fbf08efde6cc505d8d93516cb4e09e60eee925c4b923

Download Submit
C:\Windows\{E99DECCF-2FC5-4c6d-AEBF-04AEEB26EB91}.exe

Filesize
98KB

MD5
7f248feae8324957f5f3df2d8e5d433f

SHA1
02d1ad8cbb6be665b2299ea03afc015f1803a91d

SHA256
cc857a6b318bbceef1ec5546c10567dbb65c0441e018601f8a52021c1207acbe

SHA512
a6dd2d5f370e5fa81526a22ed32c80ea13518383d127e3017fad512044febd31424d73491c5b553c6eb41b60e075cf020868d829ad820d854b2527b1aaa38d66

Download Submit
C:\Windows\{EF80A2CA-7580-49aa-BEED-B1D9E0DB70FE}.exe

Filesize
98KB

MD5
467af716db50d3a36c6865e8acb3142a

SHA1
3aac786ffca3722c45cb347c8d3417c69837f9e0

SHA256
ed042979506ad208e427b47d45d6f15b5a1d0bc5f72921713dc30656a6e109de

SHA512
b4ddc6923dfa7835deb945d669a34cb40731ae17ad012cdf9ec95657a4db7951e57e80d59ec5648fc13b7e4a90475c699b5b07d0cade6b3864fb0c8eb8a626ca

Download Submit
memory/552-79-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/984-96-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1996-44-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1996-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2228-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2228-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2228-8-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/2228-7-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/2268-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2268-62-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2272-26-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2272-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2384-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2384-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2492-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2492-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2796-81-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2796-88-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2832-71-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2832-64-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2876-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2876-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads