07d8e1f10ec94f2e40807b25aa3b81474c0c3baf1a22a6d5a88a857d914c48a6

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 02:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

60c1107bb3d6d8f930111de5bf4ca410_NeikiAnalytics.exe
Size

64KB
MD5

60c1107bb3d6d8f930111de5bf4ca410
SHA1

0d0abb32d66494bc73475eb8fdc699f96e1f3bad
SHA256

07d8e1f10ec94f2e40807b25aa3b81474c0c3baf1a22a6d5a88a857d914c48a6
SHA512

337c49054f6c0d2ade55379ffbd099ef418cfdb7b0436f5cf1262db8f76f162a7ed49dd7577dda0983bba52ed7480e18b22b3ac4be3eb776e59eebe43324e6af
SSDEEP

768:O0w981AvhKQLroCn4/wQxWMZQcpFM1FgDagXP2TyS1tl7lfqvocqcdT3WVdB:pEG70oCnlwWMZQcpmgDagIyS1loL7WrB

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74557763-DB69-4ecc-979A-052A7A660BFF}	{F02AAAC1-5FA6-4819-8AE8-216AAF7E3CF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74557763-DB69-4ecc-979A-052A7A660BFF}\stubpath = "C:\\Windows\\{74557763-DB69-4ecc-979A-052A7A660BFF}.exe"	{F02AAAC1-5FA6-4819-8AE8-216AAF7E3CF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E46B9F63-5134-4460-B8A1-5A5473B774F3}\stubpath = "C:\\Windows\\{E46B9F63-5134-4460-B8A1-5A5473B774F3}.exe"	{F04A5E05-9C8B-48cf-A8FE-E28664491730}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D43B6033-9303-4a3c-AA80-4DB73E8C5EA5}	{95C6DB63-C507-48ba-BBB5-204ACE4FD0E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D43B6033-9303-4a3c-AA80-4DB73E8C5EA5}\stubpath = "C:\\Windows\\{D43B6033-9303-4a3c-AA80-4DB73E8C5EA5}.exe"	{95C6DB63-C507-48ba-BBB5-204ACE4FD0E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E504C42-5FC8-43e0-B1A0-6447570B30B8}	{D43B6033-9303-4a3c-AA80-4DB73E8C5EA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E504C42-5FC8-43e0-B1A0-6447570B30B8}\stubpath = "C:\\Windows\\{9E504C42-5FC8-43e0-B1A0-6447570B30B8}.exe"	{D43B6033-9303-4a3c-AA80-4DB73E8C5EA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AE5EFEF-097C-45cc-A015-D1C60048CAD8}	{C26B8460-D28C-4d04-B7C3-0D18B2D3F21D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F02AAAC1-5FA6-4819-8AE8-216AAF7E3CF9}	{6AE5EFEF-097C-45cc-A015-D1C60048CAD8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F1D7673-4E43-430f-8FE9-844708EEEC6A}\stubpath = "C:\\Windows\\{1F1D7673-4E43-430f-8FE9-844708EEEC6A}.exe"	{E46B9F63-5134-4460-B8A1-5A5473B774F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A219B18-52B3-4cf3-B0E7-DB3BCECC8092}	60c1107bb3d6d8f930111de5bf4ca410_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95C6DB63-C507-48ba-BBB5-204ACE4FD0E6}\stubpath = "C:\\Windows\\{95C6DB63-C507-48ba-BBB5-204ACE4FD0E6}.exe"	{9A219B18-52B3-4cf3-B0E7-DB3BCECC8092}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C26B8460-D28C-4d04-B7C3-0D18B2D3F21D}	{9E504C42-5FC8-43e0-B1A0-6447570B30B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AE5EFEF-097C-45cc-A015-D1C60048CAD8}\stubpath = "C:\\Windows\\{6AE5EFEF-097C-45cc-A015-D1C60048CAD8}.exe"	{C26B8460-D28C-4d04-B7C3-0D18B2D3F21D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E46B9F63-5134-4460-B8A1-5A5473B774F3}	{F04A5E05-9C8B-48cf-A8FE-E28664491730}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F1D7673-4E43-430f-8FE9-844708EEEC6A}	{E46B9F63-5134-4460-B8A1-5A5473B774F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{95C6DB63-C507-48ba-BBB5-204ACE4FD0E6}	{9A219B18-52B3-4cf3-B0E7-DB3BCECC8092}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C26B8460-D28C-4d04-B7C3-0D18B2D3F21D}\stubpath = "C:\\Windows\\{C26B8460-D28C-4d04-B7C3-0D18B2D3F21D}.exe"	{9E504C42-5FC8-43e0-B1A0-6447570B30B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F02AAAC1-5FA6-4819-8AE8-216AAF7E3CF9}\stubpath = "C:\\Windows\\{F02AAAC1-5FA6-4819-8AE8-216AAF7E3CF9}.exe"	{6AE5EFEF-097C-45cc-A015-D1C60048CAD8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F04A5E05-9C8B-48cf-A8FE-E28664491730}	{74557763-DB69-4ecc-979A-052A7A660BFF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F04A5E05-9C8B-48cf-A8FE-E28664491730}\stubpath = "C:\\Windows\\{F04A5E05-9C8B-48cf-A8FE-E28664491730}.exe"	{74557763-DB69-4ecc-979A-052A7A660BFF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A219B18-52B3-4cf3-B0E7-DB3BCECC8092}\stubpath = "C:\\Windows\\{9A219B18-52B3-4cf3-B0E7-DB3BCECC8092}.exe"	60c1107bb3d6d8f930111de5bf4ca410_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
2880	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2688	{9A219B18-52B3-4cf3-B0E7-DB3BCECC8092}.exe
2708	{95C6DB63-C507-48ba-BBB5-204ACE4FD0E6}.exe
1652	{D43B6033-9303-4a3c-AA80-4DB73E8C5EA5}.exe
2316	{9E504C42-5FC8-43e0-B1A0-6447570B30B8}.exe
1724	{C26B8460-D28C-4d04-B7C3-0D18B2D3F21D}.exe
2088	{6AE5EFEF-097C-45cc-A015-D1C60048CAD8}.exe
2180	{F02AAAC1-5FA6-4819-8AE8-216AAF7E3CF9}.exe
2804	{74557763-DB69-4ecc-979A-052A7A660BFF}.exe
2052	{F04A5E05-9C8B-48cf-A8FE-E28664491730}.exe
1404	{E46B9F63-5134-4460-B8A1-5A5473B774F3}.exe
1700	{1F1D7673-4E43-430f-8FE9-844708EEEC6A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D43B6033-9303-4a3c-AA80-4DB73E8C5EA5}.exe	{95C6DB63-C507-48ba-BBB5-204ACE4FD0E6}.exe
File created	C:\Windows\{9E504C42-5FC8-43e0-B1A0-6447570B30B8}.exe	{D43B6033-9303-4a3c-AA80-4DB73E8C5EA5}.exe
File created	C:\Windows\{6AE5EFEF-097C-45cc-A015-D1C60048CAD8}.exe	{C26B8460-D28C-4d04-B7C3-0D18B2D3F21D}.exe
File created	C:\Windows\{F02AAAC1-5FA6-4819-8AE8-216AAF7E3CF9}.exe	{6AE5EFEF-097C-45cc-A015-D1C60048CAD8}.exe
File created	C:\Windows\{74557763-DB69-4ecc-979A-052A7A660BFF}.exe	{F02AAAC1-5FA6-4819-8AE8-216AAF7E3CF9}.exe
File created	C:\Windows\{9A219B18-52B3-4cf3-B0E7-DB3BCECC8092}.exe	60c1107bb3d6d8f930111de5bf4ca410_NeikiAnalytics.exe
File created	C:\Windows\{95C6DB63-C507-48ba-BBB5-204ACE4FD0E6}.exe	{9A219B18-52B3-4cf3-B0E7-DB3BCECC8092}.exe
File created	C:\Windows\{E46B9F63-5134-4460-B8A1-5A5473B774F3}.exe	{F04A5E05-9C8B-48cf-A8FE-E28664491730}.exe
File created	C:\Windows\{1F1D7673-4E43-430f-8FE9-844708EEEC6A}.exe	{E46B9F63-5134-4460-B8A1-5A5473B774F3}.exe
File created	C:\Windows\{C26B8460-D28C-4d04-B7C3-0D18B2D3F21D}.exe	{9E504C42-5FC8-43e0-B1A0-6447570B30B8}.exe
File created	C:\Windows\{F04A5E05-9C8B-48cf-A8FE-E28664491730}.exe	{74557763-DB69-4ecc-979A-052A7A660BFF}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1656	60c1107bb3d6d8f930111de5bf4ca410_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2688	{9A219B18-52B3-4cf3-B0E7-DB3BCECC8092}.exe
Token: SeIncBasePriorityPrivilege	2708	{95C6DB63-C507-48ba-BBB5-204ACE4FD0E6}.exe
Token: SeIncBasePriorityPrivilege	1652	{D43B6033-9303-4a3c-AA80-4DB73E8C5EA5}.exe
Token: SeIncBasePriorityPrivilege	2316	{9E504C42-5FC8-43e0-B1A0-6447570B30B8}.exe
Token: SeIncBasePriorityPrivilege	1724	{C26B8460-D28C-4d04-B7C3-0D18B2D3F21D}.exe
Token: SeIncBasePriorityPrivilege	2088	{6AE5EFEF-097C-45cc-A015-D1C60048CAD8}.exe
Token: SeIncBasePriorityPrivilege	2180	{F02AAAC1-5FA6-4819-8AE8-216AAF7E3CF9}.exe
Token: SeIncBasePriorityPrivilege	2804	{74557763-DB69-4ecc-979A-052A7A660BFF}.exe
Token: SeIncBasePriorityPrivilege	2052	{F04A5E05-9C8B-48cf-A8FE-E28664491730}.exe
Token: SeIncBasePriorityPrivilege	1404	{E46B9F63-5134-4460-B8A1-5A5473B774F3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 2688	1656	60c1107bb3d6d8f930111de5bf4ca410_NeikiAnalytics.exe	28
PID 1656 wrote to memory of 2688	1656	60c1107bb3d6d8f930111de5bf4ca410_NeikiAnalytics.exe	28
PID 1656 wrote to memory of 2688	1656	60c1107bb3d6d8f930111de5bf4ca410_NeikiAnalytics.exe	28
PID 1656 wrote to memory of 2688	1656	60c1107bb3d6d8f930111de5bf4ca410_NeikiAnalytics.exe	28
PID 1656 wrote to memory of 2880	1656	60c1107bb3d6d8f930111de5bf4ca410_NeikiAnalytics.exe	29
PID 1656 wrote to memory of 2880	1656	60c1107bb3d6d8f930111de5bf4ca410_NeikiAnalytics.exe	29
PID 1656 wrote to memory of 2880	1656	60c1107bb3d6d8f930111de5bf4ca410_NeikiAnalytics.exe	29
PID 1656 wrote to memory of 2880	1656	60c1107bb3d6d8f930111de5bf4ca410_NeikiAnalytics.exe	29
PID 2688 wrote to memory of 2708	2688	{9A219B18-52B3-4cf3-B0E7-DB3BCECC8092}.exe	30
PID 2688 wrote to memory of 2708	2688	{9A219B18-52B3-4cf3-B0E7-DB3BCECC8092}.exe	30
PID 2688 wrote to memory of 2708	2688	{9A219B18-52B3-4cf3-B0E7-DB3BCECC8092}.exe	30
PID 2688 wrote to memory of 2708	2688	{9A219B18-52B3-4cf3-B0E7-DB3BCECC8092}.exe	30
PID 2688 wrote to memory of 2072	2688	{9A219B18-52B3-4cf3-B0E7-DB3BCECC8092}.exe	31
PID 2688 wrote to memory of 2072	2688	{9A219B18-52B3-4cf3-B0E7-DB3BCECC8092}.exe	31
PID 2688 wrote to memory of 2072	2688	{9A219B18-52B3-4cf3-B0E7-DB3BCECC8092}.exe	31
PID 2688 wrote to memory of 2072	2688	{9A219B18-52B3-4cf3-B0E7-DB3BCECC8092}.exe	31
PID 2708 wrote to memory of 1652	2708	{95C6DB63-C507-48ba-BBB5-204ACE4FD0E6}.exe	32
PID 2708 wrote to memory of 1652	2708	{95C6DB63-C507-48ba-BBB5-204ACE4FD0E6}.exe	32
PID 2708 wrote to memory of 1652	2708	{95C6DB63-C507-48ba-BBB5-204ACE4FD0E6}.exe	32
PID 2708 wrote to memory of 1652	2708	{95C6DB63-C507-48ba-BBB5-204ACE4FD0E6}.exe	32
PID 2708 wrote to memory of 2260	2708	{95C6DB63-C507-48ba-BBB5-204ACE4FD0E6}.exe	33
PID 2708 wrote to memory of 2260	2708	{95C6DB63-C507-48ba-BBB5-204ACE4FD0E6}.exe	33
PID 2708 wrote to memory of 2260	2708	{95C6DB63-C507-48ba-BBB5-204ACE4FD0E6}.exe	33
PID 2708 wrote to memory of 2260	2708	{95C6DB63-C507-48ba-BBB5-204ACE4FD0E6}.exe	33
PID 1652 wrote to memory of 2316	1652	{D43B6033-9303-4a3c-AA80-4DB73E8C5EA5}.exe	36
PID 1652 wrote to memory of 2316	1652	{D43B6033-9303-4a3c-AA80-4DB73E8C5EA5}.exe	36
PID 1652 wrote to memory of 2316	1652	{D43B6033-9303-4a3c-AA80-4DB73E8C5EA5}.exe	36
PID 1652 wrote to memory of 2316	1652	{D43B6033-9303-4a3c-AA80-4DB73E8C5EA5}.exe	36
PID 1652 wrote to memory of 1228	1652	{D43B6033-9303-4a3c-AA80-4DB73E8C5EA5}.exe	37
PID 1652 wrote to memory of 1228	1652	{D43B6033-9303-4a3c-AA80-4DB73E8C5EA5}.exe	37
PID 1652 wrote to memory of 1228	1652	{D43B6033-9303-4a3c-AA80-4DB73E8C5EA5}.exe	37
PID 1652 wrote to memory of 1228	1652	{D43B6033-9303-4a3c-AA80-4DB73E8C5EA5}.exe	37
PID 2316 wrote to memory of 1724	2316	{9E504C42-5FC8-43e0-B1A0-6447570B30B8}.exe	38
PID 2316 wrote to memory of 1724	2316	{9E504C42-5FC8-43e0-B1A0-6447570B30B8}.exe	38
PID 2316 wrote to memory of 1724	2316	{9E504C42-5FC8-43e0-B1A0-6447570B30B8}.exe	38
PID 2316 wrote to memory of 1724	2316	{9E504C42-5FC8-43e0-B1A0-6447570B30B8}.exe	38
PID 2316 wrote to memory of 1728	2316	{9E504C42-5FC8-43e0-B1A0-6447570B30B8}.exe	39
PID 2316 wrote to memory of 1728	2316	{9E504C42-5FC8-43e0-B1A0-6447570B30B8}.exe	39
PID 2316 wrote to memory of 1728	2316	{9E504C42-5FC8-43e0-B1A0-6447570B30B8}.exe	39
PID 2316 wrote to memory of 1728	2316	{9E504C42-5FC8-43e0-B1A0-6447570B30B8}.exe	39
PID 1724 wrote to memory of 2088	1724	{C26B8460-D28C-4d04-B7C3-0D18B2D3F21D}.exe	40
PID 1724 wrote to memory of 2088	1724	{C26B8460-D28C-4d04-B7C3-0D18B2D3F21D}.exe	40
PID 1724 wrote to memory of 2088	1724	{C26B8460-D28C-4d04-B7C3-0D18B2D3F21D}.exe	40
PID 1724 wrote to memory of 2088	1724	{C26B8460-D28C-4d04-B7C3-0D18B2D3F21D}.exe	40
PID 1724 wrote to memory of 2248	1724	{C26B8460-D28C-4d04-B7C3-0D18B2D3F21D}.exe	41
PID 1724 wrote to memory of 2248	1724	{C26B8460-D28C-4d04-B7C3-0D18B2D3F21D}.exe	41
PID 1724 wrote to memory of 2248	1724	{C26B8460-D28C-4d04-B7C3-0D18B2D3F21D}.exe	41
PID 1724 wrote to memory of 2248	1724	{C26B8460-D28C-4d04-B7C3-0D18B2D3F21D}.exe	41
PID 2088 wrote to memory of 2180	2088	{6AE5EFEF-097C-45cc-A015-D1C60048CAD8}.exe	42
PID 2088 wrote to memory of 2180	2088	{6AE5EFEF-097C-45cc-A015-D1C60048CAD8}.exe	42
PID 2088 wrote to memory of 2180	2088	{6AE5EFEF-097C-45cc-A015-D1C60048CAD8}.exe	42
PID 2088 wrote to memory of 2180	2088	{6AE5EFEF-097C-45cc-A015-D1C60048CAD8}.exe	42
PID 2088 wrote to memory of 2264	2088	{6AE5EFEF-097C-45cc-A015-D1C60048CAD8}.exe	43
PID 2088 wrote to memory of 2264	2088	{6AE5EFEF-097C-45cc-A015-D1C60048CAD8}.exe	43
PID 2088 wrote to memory of 2264	2088	{6AE5EFEF-097C-45cc-A015-D1C60048CAD8}.exe	43
PID 2088 wrote to memory of 2264	2088	{6AE5EFEF-097C-45cc-A015-D1C60048CAD8}.exe	43
PID 2180 wrote to memory of 2804	2180	{F02AAAC1-5FA6-4819-8AE8-216AAF7E3CF9}.exe	44
PID 2180 wrote to memory of 2804	2180	{F02AAAC1-5FA6-4819-8AE8-216AAF7E3CF9}.exe	44
PID 2180 wrote to memory of 2804	2180	{F02AAAC1-5FA6-4819-8AE8-216AAF7E3CF9}.exe	44
PID 2180 wrote to memory of 2804	2180	{F02AAAC1-5FA6-4819-8AE8-216AAF7E3CF9}.exe	44
PID 2180 wrote to memory of 2764	2180	{F02AAAC1-5FA6-4819-8AE8-216AAF7E3CF9}.exe	45
PID 2180 wrote to memory of 2764	2180	{F02AAAC1-5FA6-4819-8AE8-216AAF7E3CF9}.exe	45
PID 2180 wrote to memory of 2764	2180	{F02AAAC1-5FA6-4819-8AE8-216AAF7E3CF9}.exe	45
PID 2180 wrote to memory of 2764	2180	{F02AAAC1-5FA6-4819-8AE8-216AAF7E3CF9}.exe	45

C:\Users\Admin\AppData\Local\Temp\60c1107bb3d6d8f930111de5bf4ca410_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\60c1107bb3d6d8f930111de5bf4ca410_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\{9A219B18-52B3-4cf3-B0E7-DB3BCECC8092}.exe
  C:\Windows\{9A219B18-52B3-4cf3-B0E7-DB3BCECC8092}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\{95C6DB63-C507-48ba-BBB5-204ACE4FD0E6}.exe
    C:\Windows\{95C6DB63-C507-48ba-BBB5-204ACE4FD0E6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\{D43B6033-9303-4a3c-AA80-4DB73E8C5EA5}.exe
      C:\Windows\{D43B6033-9303-4a3c-AA80-4DB73E8C5EA5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1652
    - - C:\Windows\{9E504C42-5FC8-43e0-B1A0-6447570B30B8}.exe
        
        C:\Windows\{9E504C42-5FC8-43e0-B1A0-6447570B30B8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2316
      - C:\Windows\{C26B8460-D28C-4d04-B7C3-0D18B2D3F21D}.exe
        
        C:\Windows\{C26B8460-D28C-4d04-B7C3-0D18B2D3F21D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\{6AE5EFEF-097C-45cc-A015-D1C60048CAD8}.exe
        
        C:\Windows\{6AE5EFEF-097C-45cc-A015-D1C60048CAD8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\{F02AAAC1-5FA6-4819-8AE8-216AAF7E3CF9}.exe
        
        C:\Windows\{F02AAAC1-5FA6-4819-8AE8-216AAF7E3CF9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\{74557763-DB69-4ecc-979A-052A7A660BFF}.exe
        
        C:\Windows\{74557763-DB69-4ecc-979A-052A7A660BFF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Windows\{F04A5E05-9C8B-48cf-A8FE-E28664491730}.exe
        
        C:\Windows\{F04A5E05-9C8B-48cf-A8FE-E28664491730}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\{E46B9F63-5134-4460-B8A1-5A5473B774F3}.exe
        
        C:\Windows\{E46B9F63-5134-4460-B8A1-5A5473B774F3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1404
        
        C:\Windows\{1F1D7673-4E43-430f-8FE9-844708EEEC6A}.exe
        
        C:\Windows\{1F1D7673-4E43-430f-8FE9-844708EEEC6A}.exe
        12⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E46B9~1.EXE > nul
        12⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F04A5~1.EXE > nul
        11⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74557~1.EXE > nul
        10⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F02AA~1.EXE > nul
        9⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6AE5E~1.EXE > nul
        8⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C26B8~1.EXE > nul
        7⤵
        
        PID:2248
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E504~1.EXE > nul
        6⤵
        
        PID:1728
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D43B6~1.EXE > nul
        5⤵
        
        PID:1228
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{95C6D~1.EXE > nul
      4⤵
      PID:2260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9A219~1.EXE > nul
    3⤵
    PID:2072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\60C110~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1F1D7673-4E43-430f-8FE9-844708EEEC6A}.exe

Filesize
64KB

MD5
e20d14c292808cb931c044c6698bd182

SHA1
a167b750277d931afb4541e9d0904f5f86ca00eb

SHA256
d442222de649b9f24758046739334d248de48076551aa4ce6c5405346fda9f8a

SHA512
442fc3a212af1bcda8bf228db043d2261c81861ab3972a2b6cf9b96b80fc2ccfd697f39e1c1d7e87536d6c61862ebcbb2c96779a81f89c74ad19947984f4737a

Download Submit
C:\Windows\{6AE5EFEF-097C-45cc-A015-D1C60048CAD8}.exe

Filesize
64KB

MD5
af995a81d07199bab852aed02e2e90bf

SHA1
bfb11494ffced3246e9f915877141cbee32c67b3

SHA256
5b4db4c7fff2dbbebf2d6ae739553c844351017d88167978253843a5351448a4

SHA512
97e7fac69519c7888c10bc4b8b7c027b6a4896f3cc09d81bb9dbdc5157edc8a534b8cef5ef2fa7306f3bcd476ad1a83a52b7c02933e261a0c1a48a8a6095e44a

Download Submit
C:\Windows\{74557763-DB69-4ecc-979A-052A7A660BFF}.exe

Filesize
64KB

MD5
a64784a605075662d95674bff5b4c09f

SHA1
f45adfdd388e7f3b53dbc89af6cc5cb420c982ce

SHA256
ee09a1d8dd5c3b0878a39893df792309349076a2a8176b44d13c36f0ae86f221

SHA512
1de6baf700c3c50ed7300d073ba1117733ebd4f1595b2d051c7e3da579fe16c5bda704b9837d8e605a803ea7d96efde1053fee500cb3e7e0c178558a197fa3a5

Download Submit
C:\Windows\{95C6DB63-C507-48ba-BBB5-204ACE4FD0E6}.exe

Filesize
64KB

MD5
aeaf365a90483a3f6c30c82a1e7699bb

SHA1
e526920f4323e11069f361513aa4a6b85c71a585

SHA256
67d09eaa806ce5eedae952aafba4694764d55704d5ae733d2668522c0f7d8405

SHA512
4fa80784b0f56c4d619afc02b562ef5a7e6b0e3463240cc76a89acc8898f40dba3c3d5c60eb6701a48afd3d563a0220edece28e938d3c213978387cfe9768828

Download Submit
C:\Windows\{9A219B18-52B3-4cf3-B0E7-DB3BCECC8092}.exe

Filesize
64KB

MD5
63af14be2e5f786feca070ea892140b9

SHA1
8ff0503d6abe31bbf3d73ae80ba73e98d38ecd62

SHA256
34e611e831731bd8246417104a23fc697e7741ffd943bf9b8c7c50d6e246251e

SHA512
1e2982d9f280cc607cbed87ee60e8a1161d9e40c07b3a149c8593a629ce1baf0218ec80eaf9c06930262878f12f8fa978fa629a2f176c929e3397943e4fcf75a

Download Submit
C:\Windows\{9E504C42-5FC8-43e0-B1A0-6447570B30B8}.exe

Filesize
64KB

MD5
824f5b3aa29a42f39818d6cac9d5bd0d

SHA1
42008858e80cb918f348a306d32f900fdf6a0b60

SHA256
0ef7465a53ab819abb5a418f91b945d6b2385475200481de2067a5eb021dfdcf

SHA512
3de23930f8e48def287b9f960901bea7d246cbd1536bc0658d6aff1a2e42e21660c20d3314529d3960a1720dbe3e077a89fa3a041b57654b1378fc6f03544983

Download Submit
C:\Windows\{C26B8460-D28C-4d04-B7C3-0D18B2D3F21D}.exe

Filesize
64KB

MD5
efc0e93ecfab0efe60e4048c0d604b67

SHA1
5c4864fb4b9a78396c746b25357293444090be89

SHA256
63e0864a5112dbf5da18e039360aa24f99d0dbabe007e27e4727378f63f89443

SHA512
08945b8c243fc5774bd52656eafb8bbfe4516a6b102c591b28f1a1b84cc6bb9aa3e8135404a5a5851b66b95c5b77a8957290d7df1db0fafdd1abb6703832450c

Download Submit
C:\Windows\{D43B6033-9303-4a3c-AA80-4DB73E8C5EA5}.exe

Filesize
64KB

MD5
6cd76c01ffac44c266f5d9c4681a6ebd

SHA1
8534ffa87ee0871e477709ff92c64079411d561e

SHA256
65350242342ce976d247fc2afafdf71938b18800faec44e96c76ca5d42a1133d

SHA512
c6a5f968ee045c5f6a6eb5c62af27f4eabbce58b7a5bfb22af63300ef604a9f17c3a9faf7b4138ae87f6f3c6092a06b99db7c8f6dbfd914a777d59638e05b19f

Download Submit
C:\Windows\{E46B9F63-5134-4460-B8A1-5A5473B774F3}.exe

Filesize
64KB

MD5
fc9b54e6dced5c8c7770b96ec58947eb

SHA1
8566b186bd48903cd99f8b93b96ac221850eaee5

SHA256
59c1822c3a0d004506e0aeea57cf991940909855c6cedffcdd7b26b3501e9b43

SHA512
785ace937d405e39a4d4619cd763dd68ce7e0bac26fa83ded5befbd392142c3bb8e3a640edbeae4555b15d8e6db0b4cbfca3b7a407d5fc41e1767db881088722

Download Submit
C:\Windows\{F02AAAC1-5FA6-4819-8AE8-216AAF7E3CF9}.exe

Filesize
64KB

MD5
b3c13e55603db41288e9f57e88f5c5ab

SHA1
0697c52e7e910cdb3165e2a5c5caffb7a77de25c

SHA256
9ec495bf85668c8a483c2e466b72a7daa73d8593c60ea2d5a2e4bd6eeee21ed6

SHA512
61f5ee822f2b72e1152839755e967cc57f3e4e7943885095853750c959373ccc96b7bc1729517321eb18944b3e062e5b0305740e77197749a31f599ce7279db3

Download Submit
C:\Windows\{F04A5E05-9C8B-48cf-A8FE-E28664491730}.exe

Filesize
64KB

MD5
5c35417b36d8e5e505d4d20d3ae52af0

SHA1
effa8c1e3c7ccfc3b10031f4f88618996cf99f6c

SHA256
79d5d37a276ccfb6bc6b9691a3abb6cdc4435e82474b9303a7352326d6dba7ad

SHA512
827bccaa6aacb09475920239c553e9122a8cf28e77172733221a4dbefb7f13036ef201b2d5b5609453e6e1057f0839a264afd099b1170cb1723238e1a090e646

Download Submit
memory/1404-98-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1652-29-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1652-37-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1656-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1656-7-0x00000000002C0000-0x00000000002D0000-memory.dmp

Filesize
64KB

Download
memory/1656-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1724-46-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1724-54-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2052-82-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2052-90-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2088-55-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2088-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2180-73-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2180-64-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2316-45-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2688-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2688-13-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2688-8-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2708-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2708-23-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2708-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2804-72-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2804-81-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads