c5b64b14c81c8a01e31f1df394679f6b0e90cf9e19aa043eacdf8f62999a1143

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78b946447ff56636422972b7c642b240_NeikiAnalytics.exe
Size

64KB
MD5

78b946447ff56636422972b7c642b240
SHA1

8b8076671b5456b08a34a0dde9e8039685cf7929
SHA256

c5b64b14c81c8a01e31f1df394679f6b0e90cf9e19aa043eacdf8f62999a1143
SHA512

fb2170bf427aa96b36ba02a20f15f91810f2b09dde3f5f1d18245f22f049f370a12aee99654e5f839b046b1d283fb1224d2ad5b6b5e8dd46f9b06ea727380d63
SSDEEP

384:ObLwOs8AHsc4HMPwhKQLroTr4/CFsrdHWMZw:Ovw981xvhKQLroTr4/wQpWMZw

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BC7EFA7-D3ED-426e-954E-BD06B898F5D2}\stubpath = "C:\\Windows\\{6BC7EFA7-D3ED-426e-954E-BD06B898F5D2}.exe"	78b946447ff56636422972b7c642b240_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08820FD8-0DBE-4c9c-B4A5-45ECB2D882E6}	{6BC7EFA7-D3ED-426e-954E-BD06B898F5D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08820FD8-0DBE-4c9c-B4A5-45ECB2D882E6}\stubpath = "C:\\Windows\\{08820FD8-0DBE-4c9c-B4A5-45ECB2D882E6}.exe"	{6BC7EFA7-D3ED-426e-954E-BD06B898F5D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4516E70F-5013-4019-BA16-0A9E0B720A49}	{1D9BF7D2-D821-4289-AC0C-B5662F704539}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D3040B5-C3B4-43a1-BC57-D4F78691BE6D}\stubpath = "C:\\Windows\\{0D3040B5-C3B4-43a1-BC57-D4F78691BE6D}.exe"	{6EA255C6-06E0-4768-8C47-F87AB7FF03FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{891C8123-5A7C-4ade-B377-858390DB755E}	{08820FD8-0DBE-4c9c-B4A5-45ECB2D882E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F92134D-4E8D-4d43-858F-5DD4DEE03599}	{6C199548-0746-4ce4-BFE2-47EE5FFCFFCE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2150F3FF-3A4C-4132-8E12-7DDB34C020F1}\stubpath = "C:\\Windows\\{2150F3FF-3A4C-4132-8E12-7DDB34C020F1}.exe"	{7F92134D-4E8D-4d43-858F-5DD4DEE03599}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D3040B5-C3B4-43a1-BC57-D4F78691BE6D}	{6EA255C6-06E0-4768-8C47-F87AB7FF03FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BC7EFA7-D3ED-426e-954E-BD06B898F5D2}	78b946447ff56636422972b7c642b240_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C199548-0746-4ce4-BFE2-47EE5FFCFFCE}	{4516E70F-5013-4019-BA16-0A9E0B720A49}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C199548-0746-4ce4-BFE2-47EE5FFCFFCE}\stubpath = "C:\\Windows\\{6C199548-0746-4ce4-BFE2-47EE5FFCFFCE}.exe"	{4516E70F-5013-4019-BA16-0A9E0B720A49}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F92134D-4E8D-4d43-858F-5DD4DEE03599}\stubpath = "C:\\Windows\\{7F92134D-4E8D-4d43-858F-5DD4DEE03599}.exe"	{6C199548-0746-4ce4-BFE2-47EE5FFCFFCE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C47AC954-7BBF-4412-BA4F-FA5037854319}	{2150F3FF-3A4C-4132-8E12-7DDB34C020F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C47AC954-7BBF-4412-BA4F-FA5037854319}\stubpath = "C:\\Windows\\{C47AC954-7BBF-4412-BA4F-FA5037854319}.exe"	{2150F3FF-3A4C-4132-8E12-7DDB34C020F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B47289EB-7118-4803-A37C-125CF6D496B8}\stubpath = "C:\\Windows\\{B47289EB-7118-4803-A37C-125CF6D496B8}.exe"	{0D3040B5-C3B4-43a1-BC57-D4F78691BE6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B47289EB-7118-4803-A37C-125CF6D496B8}	{0D3040B5-C3B4-43a1-BC57-D4F78691BE6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{891C8123-5A7C-4ade-B377-858390DB755E}\stubpath = "C:\\Windows\\{891C8123-5A7C-4ade-B377-858390DB755E}.exe"	{08820FD8-0DBE-4c9c-B4A5-45ECB2D882E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D9BF7D2-D821-4289-AC0C-B5662F704539}	{891C8123-5A7C-4ade-B377-858390DB755E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1D9BF7D2-D821-4289-AC0C-B5662F704539}\stubpath = "C:\\Windows\\{1D9BF7D2-D821-4289-AC0C-B5662F704539}.exe"	{891C8123-5A7C-4ade-B377-858390DB755E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4516E70F-5013-4019-BA16-0A9E0B720A49}\stubpath = "C:\\Windows\\{4516E70F-5013-4019-BA16-0A9E0B720A49}.exe"	{1D9BF7D2-D821-4289-AC0C-B5662F704539}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2150F3FF-3A4C-4132-8E12-7DDB34C020F1}	{7F92134D-4E8D-4d43-858F-5DD4DEE03599}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EA255C6-06E0-4768-8C47-F87AB7FF03FD}	{C47AC954-7BBF-4412-BA4F-FA5037854319}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EA255C6-06E0-4768-8C47-F87AB7FF03FD}\stubpath = "C:\\Windows\\{6EA255C6-06E0-4768-8C47-F87AB7FF03FD}.exe"	{C47AC954-7BBF-4412-BA4F-FA5037854319}.exe

Executes dropped EXE 12 IoCs

pid	Process
3684	{6BC7EFA7-D3ED-426e-954E-BD06B898F5D2}.exe
1064	{08820FD8-0DBE-4c9c-B4A5-45ECB2D882E6}.exe
1448	{891C8123-5A7C-4ade-B377-858390DB755E}.exe
3300	{1D9BF7D2-D821-4289-AC0C-B5662F704539}.exe
4336	{4516E70F-5013-4019-BA16-0A9E0B720A49}.exe
4216	{6C199548-0746-4ce4-BFE2-47EE5FFCFFCE}.exe
3880	{7F92134D-4E8D-4d43-858F-5DD4DEE03599}.exe
4720	{2150F3FF-3A4C-4132-8E12-7DDB34C020F1}.exe
4188	{C47AC954-7BBF-4412-BA4F-FA5037854319}.exe
1232	{6EA255C6-06E0-4768-8C47-F87AB7FF03FD}.exe
1828	{0D3040B5-C3B4-43a1-BC57-D4F78691BE6D}.exe
952	{B47289EB-7118-4803-A37C-125CF6D496B8}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4516E70F-5013-4019-BA16-0A9E0B720A49}.exe	{1D9BF7D2-D821-4289-AC0C-B5662F704539}.exe
File created	C:\Windows\{6C199548-0746-4ce4-BFE2-47EE5FFCFFCE}.exe	{4516E70F-5013-4019-BA16-0A9E0B720A49}.exe
File created	C:\Windows\{7F92134D-4E8D-4d43-858F-5DD4DEE03599}.exe	{6C199548-0746-4ce4-BFE2-47EE5FFCFFCE}.exe
File created	C:\Windows\{2150F3FF-3A4C-4132-8E12-7DDB34C020F1}.exe	{7F92134D-4E8D-4d43-858F-5DD4DEE03599}.exe
File created	C:\Windows\{C47AC954-7BBF-4412-BA4F-FA5037854319}.exe	{2150F3FF-3A4C-4132-8E12-7DDB34C020F1}.exe
File created	C:\Windows\{08820FD8-0DBE-4c9c-B4A5-45ECB2D882E6}.exe	{6BC7EFA7-D3ED-426e-954E-BD06B898F5D2}.exe
File created	C:\Windows\{1D9BF7D2-D821-4289-AC0C-B5662F704539}.exe	{891C8123-5A7C-4ade-B377-858390DB755E}.exe
File created	C:\Windows\{6EA255C6-06E0-4768-8C47-F87AB7FF03FD}.exe	{C47AC954-7BBF-4412-BA4F-FA5037854319}.exe
File created	C:\Windows\{0D3040B5-C3B4-43a1-BC57-D4F78691BE6D}.exe	{6EA255C6-06E0-4768-8C47-F87AB7FF03FD}.exe
File created	C:\Windows\{B47289EB-7118-4803-A37C-125CF6D496B8}.exe	{0D3040B5-C3B4-43a1-BC57-D4F78691BE6D}.exe
File created	C:\Windows\{6BC7EFA7-D3ED-426e-954E-BD06B898F5D2}.exe	78b946447ff56636422972b7c642b240_NeikiAnalytics.exe
File created	C:\Windows\{891C8123-5A7C-4ade-B377-858390DB755E}.exe	{08820FD8-0DBE-4c9c-B4A5-45ECB2D882E6}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3404	78b946447ff56636422972b7c642b240_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	3684	{6BC7EFA7-D3ED-426e-954E-BD06B898F5D2}.exe
Token: SeIncBasePriorityPrivilege	1064	{08820FD8-0DBE-4c9c-B4A5-45ECB2D882E6}.exe
Token: SeIncBasePriorityPrivilege	1448	{891C8123-5A7C-4ade-B377-858390DB755E}.exe
Token: SeIncBasePriorityPrivilege	3300	{1D9BF7D2-D821-4289-AC0C-B5662F704539}.exe
Token: SeIncBasePriorityPrivilege	4336	{4516E70F-5013-4019-BA16-0A9E0B720A49}.exe
Token: SeIncBasePriorityPrivilege	4216	{6C199548-0746-4ce4-BFE2-47EE5FFCFFCE}.exe
Token: SeIncBasePriorityPrivilege	3880	{7F92134D-4E8D-4d43-858F-5DD4DEE03599}.exe
Token: SeIncBasePriorityPrivilege	4720	{2150F3FF-3A4C-4132-8E12-7DDB34C020F1}.exe
Token: SeIncBasePriorityPrivilege	4188	{C47AC954-7BBF-4412-BA4F-FA5037854319}.exe
Token: SeIncBasePriorityPrivilege	1232	{6EA255C6-06E0-4768-8C47-F87AB7FF03FD}.exe
Token: SeIncBasePriorityPrivilege	1828	{0D3040B5-C3B4-43a1-BC57-D4F78691BE6D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3404 wrote to memory of 3684	3404	78b946447ff56636422972b7c642b240_NeikiAnalytics.exe	92
PID 3404 wrote to memory of 3684	3404	78b946447ff56636422972b7c642b240_NeikiAnalytics.exe	92
PID 3404 wrote to memory of 3684	3404	78b946447ff56636422972b7c642b240_NeikiAnalytics.exe	92
PID 3404 wrote to memory of 2320	3404	78b946447ff56636422972b7c642b240_NeikiAnalytics.exe	93
PID 3404 wrote to memory of 2320	3404	78b946447ff56636422972b7c642b240_NeikiAnalytics.exe	93
PID 3404 wrote to memory of 2320	3404	78b946447ff56636422972b7c642b240_NeikiAnalytics.exe	93
PID 3684 wrote to memory of 1064	3684	{6BC7EFA7-D3ED-426e-954E-BD06B898F5D2}.exe	94
PID 3684 wrote to memory of 1064	3684	{6BC7EFA7-D3ED-426e-954E-BD06B898F5D2}.exe	94
PID 3684 wrote to memory of 1064	3684	{6BC7EFA7-D3ED-426e-954E-BD06B898F5D2}.exe	94
PID 3684 wrote to memory of 608	3684	{6BC7EFA7-D3ED-426e-954E-BD06B898F5D2}.exe	95
PID 3684 wrote to memory of 608	3684	{6BC7EFA7-D3ED-426e-954E-BD06B898F5D2}.exe	95
PID 3684 wrote to memory of 608	3684	{6BC7EFA7-D3ED-426e-954E-BD06B898F5D2}.exe	95
PID 1064 wrote to memory of 1448	1064	{08820FD8-0DBE-4c9c-B4A5-45ECB2D882E6}.exe	97
PID 1064 wrote to memory of 1448	1064	{08820FD8-0DBE-4c9c-B4A5-45ECB2D882E6}.exe	97
PID 1064 wrote to memory of 1448	1064	{08820FD8-0DBE-4c9c-B4A5-45ECB2D882E6}.exe	97
PID 1064 wrote to memory of 1412	1064	{08820FD8-0DBE-4c9c-B4A5-45ECB2D882E6}.exe	98
PID 1064 wrote to memory of 1412	1064	{08820FD8-0DBE-4c9c-B4A5-45ECB2D882E6}.exe	98
PID 1064 wrote to memory of 1412	1064	{08820FD8-0DBE-4c9c-B4A5-45ECB2D882E6}.exe	98
PID 1448 wrote to memory of 3300	1448	{891C8123-5A7C-4ade-B377-858390DB755E}.exe	99
PID 1448 wrote to memory of 3300	1448	{891C8123-5A7C-4ade-B377-858390DB755E}.exe	99
PID 1448 wrote to memory of 3300	1448	{891C8123-5A7C-4ade-B377-858390DB755E}.exe	99
PID 1448 wrote to memory of 4732	1448	{891C8123-5A7C-4ade-B377-858390DB755E}.exe	100
PID 1448 wrote to memory of 4732	1448	{891C8123-5A7C-4ade-B377-858390DB755E}.exe	100
PID 1448 wrote to memory of 4732	1448	{891C8123-5A7C-4ade-B377-858390DB755E}.exe	100
PID 3300 wrote to memory of 4336	3300	{1D9BF7D2-D821-4289-AC0C-B5662F704539}.exe	101
PID 3300 wrote to memory of 4336	3300	{1D9BF7D2-D821-4289-AC0C-B5662F704539}.exe	101
PID 3300 wrote to memory of 4336	3300	{1D9BF7D2-D821-4289-AC0C-B5662F704539}.exe	101
PID 3300 wrote to memory of 4984	3300	{1D9BF7D2-D821-4289-AC0C-B5662F704539}.exe	102
PID 3300 wrote to memory of 4984	3300	{1D9BF7D2-D821-4289-AC0C-B5662F704539}.exe	102
PID 3300 wrote to memory of 4984	3300	{1D9BF7D2-D821-4289-AC0C-B5662F704539}.exe	102
PID 4336 wrote to memory of 4216	4336	{4516E70F-5013-4019-BA16-0A9E0B720A49}.exe	103
PID 4336 wrote to memory of 4216	4336	{4516E70F-5013-4019-BA16-0A9E0B720A49}.exe	103
PID 4336 wrote to memory of 4216	4336	{4516E70F-5013-4019-BA16-0A9E0B720A49}.exe	103
PID 4336 wrote to memory of 3540	4336	{4516E70F-5013-4019-BA16-0A9E0B720A49}.exe	104
PID 4336 wrote to memory of 3540	4336	{4516E70F-5013-4019-BA16-0A9E0B720A49}.exe	104
PID 4336 wrote to memory of 3540	4336	{4516E70F-5013-4019-BA16-0A9E0B720A49}.exe	104
PID 4216 wrote to memory of 3880	4216	{6C199548-0746-4ce4-BFE2-47EE5FFCFFCE}.exe	105
PID 4216 wrote to memory of 3880	4216	{6C199548-0746-4ce4-BFE2-47EE5FFCFFCE}.exe	105
PID 4216 wrote to memory of 3880	4216	{6C199548-0746-4ce4-BFE2-47EE5FFCFFCE}.exe	105
PID 4216 wrote to memory of 4636	4216	{6C199548-0746-4ce4-BFE2-47EE5FFCFFCE}.exe	106
PID 4216 wrote to memory of 4636	4216	{6C199548-0746-4ce4-BFE2-47EE5FFCFFCE}.exe	106
PID 4216 wrote to memory of 4636	4216	{6C199548-0746-4ce4-BFE2-47EE5FFCFFCE}.exe	106
PID 3880 wrote to memory of 4720	3880	{7F92134D-4E8D-4d43-858F-5DD4DEE03599}.exe	107
PID 3880 wrote to memory of 4720	3880	{7F92134D-4E8D-4d43-858F-5DD4DEE03599}.exe	107
PID 3880 wrote to memory of 4720	3880	{7F92134D-4E8D-4d43-858F-5DD4DEE03599}.exe	107
PID 3880 wrote to memory of 4092	3880	{7F92134D-4E8D-4d43-858F-5DD4DEE03599}.exe	108
PID 3880 wrote to memory of 4092	3880	{7F92134D-4E8D-4d43-858F-5DD4DEE03599}.exe	108
PID 3880 wrote to memory of 4092	3880	{7F92134D-4E8D-4d43-858F-5DD4DEE03599}.exe	108
PID 4720 wrote to memory of 4188	4720	{2150F3FF-3A4C-4132-8E12-7DDB34C020F1}.exe	109
PID 4720 wrote to memory of 4188	4720	{2150F3FF-3A4C-4132-8E12-7DDB34C020F1}.exe	109
PID 4720 wrote to memory of 4188	4720	{2150F3FF-3A4C-4132-8E12-7DDB34C020F1}.exe	109
PID 4720 wrote to memory of 632	4720	{2150F3FF-3A4C-4132-8E12-7DDB34C020F1}.exe	110
PID 4720 wrote to memory of 632	4720	{2150F3FF-3A4C-4132-8E12-7DDB34C020F1}.exe	110
PID 4720 wrote to memory of 632	4720	{2150F3FF-3A4C-4132-8E12-7DDB34C020F1}.exe	110
PID 4188 wrote to memory of 1232	4188	{C47AC954-7BBF-4412-BA4F-FA5037854319}.exe	111
PID 4188 wrote to memory of 1232	4188	{C47AC954-7BBF-4412-BA4F-FA5037854319}.exe	111
PID 4188 wrote to memory of 1232	4188	{C47AC954-7BBF-4412-BA4F-FA5037854319}.exe	111
PID 4188 wrote to memory of 4404	4188	{C47AC954-7BBF-4412-BA4F-FA5037854319}.exe	112
PID 4188 wrote to memory of 4404	4188	{C47AC954-7BBF-4412-BA4F-FA5037854319}.exe	112
PID 4188 wrote to memory of 4404	4188	{C47AC954-7BBF-4412-BA4F-FA5037854319}.exe	112
PID 1232 wrote to memory of 1828	1232	{6EA255C6-06E0-4768-8C47-F87AB7FF03FD}.exe	113
PID 1232 wrote to memory of 1828	1232	{6EA255C6-06E0-4768-8C47-F87AB7FF03FD}.exe	113
PID 1232 wrote to memory of 1828	1232	{6EA255C6-06E0-4768-8C47-F87AB7FF03FD}.exe	113
PID 1232 wrote to memory of 1816	1232	{6EA255C6-06E0-4768-8C47-F87AB7FF03FD}.exe	114

C:\Users\Admin\AppData\Local\Temp\78b946447ff56636422972b7c642b240_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\78b946447ff56636422972b7c642b240_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Windows\{6BC7EFA7-D3ED-426e-954E-BD06B898F5D2}.exe
  C:\Windows\{6BC7EFA7-D3ED-426e-954E-BD06B898F5D2}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Windows\{08820FD8-0DBE-4c9c-B4A5-45ECB2D882E6}.exe
    C:\Windows\{08820FD8-0DBE-4c9c-B4A5-45ECB2D882E6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1064
  - - C:\Windows\{891C8123-5A7C-4ade-B377-858390DB755E}.exe
      C:\Windows\{891C8123-5A7C-4ade-B377-858390DB755E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1448
    - - C:\Windows\{1D9BF7D2-D821-4289-AC0C-B5662F704539}.exe
        
        C:\Windows\{1D9BF7D2-D821-4289-AC0C-B5662F704539}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3300
      - C:\Windows\{4516E70F-5013-4019-BA16-0A9E0B720A49}.exe
        
        C:\Windows\{4516E70F-5013-4019-BA16-0A9E0B720A49}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\{6C199548-0746-4ce4-BFE2-47EE5FFCFFCE}.exe
        
        C:\Windows\{6C199548-0746-4ce4-BFE2-47EE5FFCFFCE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\{7F92134D-4E8D-4d43-858F-5DD4DEE03599}.exe
        
        C:\Windows\{7F92134D-4E8D-4d43-858F-5DD4DEE03599}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\{2150F3FF-3A4C-4132-8E12-7DDB34C020F1}.exe
        
        C:\Windows\{2150F3FF-3A4C-4132-8E12-7DDB34C020F1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\{C47AC954-7BBF-4412-BA4F-FA5037854319}.exe
        
        C:\Windows\{C47AC954-7BBF-4412-BA4F-FA5037854319}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\{6EA255C6-06E0-4768-8C47-F87AB7FF03FD}.exe
        
        C:\Windows\{6EA255C6-06E0-4768-8C47-F87AB7FF03FD}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\{0D3040B5-C3B4-43a1-BC57-D4F78691BE6D}.exe
        
        C:\Windows\{0D3040B5-C3B4-43a1-BC57-D4F78691BE6D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
        
        C:\Windows\{B47289EB-7118-4803-A37C-125CF6D496B8}.exe
        
        C:\Windows\{B47289EB-7118-4803-A37C-125CF6D496B8}.exe
        13⤵
        Executes dropped EXE
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D304~1.EXE > nul
        13⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6EA25~1.EXE > nul
        12⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C47AC~1.EXE > nul
        11⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2150F~1.EXE > nul
        10⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F921~1.EXE > nul
        9⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C199~1.EXE > nul
        8⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4516E~1.EXE > nul
        7⤵
        
        PID:3540
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D9BF~1.EXE > nul
        6⤵
        
        PID:4984
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{891C8~1.EXE > nul
        5⤵
        
        PID:4732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{08820~1.EXE > nul
      4⤵
      PID:1412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6BC7E~1.EXE > nul
    3⤵
    PID:608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\78B946~1.EXE > nul
  2⤵
  PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08820FD8-0DBE-4c9c-B4A5-45ECB2D882E6}.exe

Filesize
64KB

MD5
c5cc48911e1b033fc32f99500ec5fe97

SHA1
563cd1e6088620b4d885bdb8983e53dd98061afd

SHA256
74f733819a7ee0e8b2a781457aeab21d5dff0cce2075b072156061b725630893

SHA512
bf9b3b3671c3c57eced848556fd7cd0cdcf5db9a59ea84a64f32925bfc265ec19380c780a6ff273194115befd3fa47d053210b2a4656e7d85bb9663aff1e2cbd

Download Submit
C:\Windows\{0D3040B5-C3B4-43a1-BC57-D4F78691BE6D}.exe

Filesize
64KB

MD5
81060aa9f24ddf7d2f9d3495ee26769a

SHA1
2c10d4cf93e59d973419a02479e29b6af7bf3f9f

SHA256
92390bb389e036862fb7975de9664464e083fba61d203993c9acc38f6e17b7a2

SHA512
1424059ce3c31145d072ceca71d50aed27689e3d71e21437083b2c4e27fa5daaebad27df482bc3a915106ec622c99a79d0e0dcd20d813c6ef2414844be361b1c

Download Submit
C:\Windows\{1D9BF7D2-D821-4289-AC0C-B5662F704539}.exe

Filesize
64KB

MD5
b142683e478d038f6e71d9360b6a4871

SHA1
17a368dc5d0f97db3b1b5ac98f5845e10834d04d

SHA256
644128b5534dd9978777e63ddf93b1266f2b33ff906b1c92b2e05c94d1ffab52

SHA512
711518c655b6d9192d228eac385970dfaff2e3845c8bd440dcbc2516b8488e1f2d099ce49b527739ce81433619adb35b6f881d10f84adadc1aac6cfa3b20a427

Download Submit
C:\Windows\{2150F3FF-3A4C-4132-8E12-7DDB34C020F1}.exe

Filesize
64KB

MD5
c279ccfba825e5b5c7b41889db796b0c

SHA1
cac8cdccdd3fda6cd4fa8b72bca6a3c82a7767ab

SHA256
fdfd906320df0e9aa56b4703a3580100df74e37afffd361562f5de08e820a3df

SHA512
9c05d86dcb0c7b9fa9e52a0508612c06c4a3f0764ed6f97c5ade5f89676312cae10007757e9a66d164ba36545fccecd10e7c518145556e8714da63862083d322

Download Submit
C:\Windows\{4516E70F-5013-4019-BA16-0A9E0B720A49}.exe

Filesize
64KB

MD5
a2986acb65e1bdf639d00d6e918d1561

SHA1
0a32bbba840118f66aa8d151a92172ba45a3dcf9

SHA256
6d44767ab2f44d6faefccd162e06586f02cf3b0c7df6aaefbfa49f599cbfa6c9

SHA512
5bbd20d9c22f3e4fd0718630748984feb20e7056ca590c3b054794be9538b3a0a6aaa9f89894ef18774096fcb5e67ee0ca28ba969ea9fe7e87ce8a75b22bb762

Download Submit
C:\Windows\{6BC7EFA7-D3ED-426e-954E-BD06B898F5D2}.exe

Filesize
64KB

MD5
01d2452ff44a191190d4a572d9f2ff17

SHA1
271a2ef72d32ab488422d16ab9166efa7aa46dab

SHA256
41596b1ab37e794ecea139ef22bbebb92a29d6ce590fbce44fbe9e85217d3bfa

SHA512
a3d72ddd1755da3dc915c7ee78caeaee32a62eab84f6faef89ea153b97602285f0675e9113ea29a7bca9afa61e041c1824c5bbaf9ee9da66dd77d4d7fed62f18

Download Submit
C:\Windows\{6C199548-0746-4ce4-BFE2-47EE5FFCFFCE}.exe

Filesize
64KB

MD5
16bd9991bfbbabab7868e3753e1be23d

SHA1
0adaa0e36b50c85e4ce828f19545e19738f80871

SHA256
c6f9d4f19ccdde1f0e721d928729e86e54466ca3078e40b1e87d99a2c8385703

SHA512
bdecd7919c6c3fc84399852b19a1bad19c8a4f68484e3196ff238aa68aa758a1abe928f550454f72245bb921080c89388d02ca7403ba049cd191a47b9ed08431

Download Submit
C:\Windows\{6EA255C6-06E0-4768-8C47-F87AB7FF03FD}.exe

Filesize
64KB

MD5
d3e56311992a633def4e1fa6e55a2215

SHA1
eef65ac63939aefb81937e0ead423143fe18e64f

SHA256
7dcecad6934db60550de5fe509fb2c28d8514101100563d4cba40fce7bdf3663

SHA512
c586b85222752dc81f36fa9dcbaa063b4dfb51fff5469c7a0ae6645f4676b80578bb88c73ac39f3532847d4144a0222993f3f69d5dd20bbb31ff0c72ce8d3200

Download Submit
C:\Windows\{7F92134D-4E8D-4d43-858F-5DD4DEE03599}.exe

Filesize
64KB

MD5
fb6b3c0748c21777a754b363b9642b56

SHA1
7137777cb1ba4e8a4265e8becf4b96b7e6deec49

SHA256
23e9e0e41064782505b3be914b4d50e714f4ee2cb04687723ae8aa31fece53e5

SHA512
0bbdce4bc49cb0901bdf119468885bb27564210c3243593d802ba3204f8cea345b807e5077abf41176a9191beaa808a9e5316779a91a89ae14637d04b1b57d25

Download Submit
C:\Windows\{891C8123-5A7C-4ade-B377-858390DB755E}.exe

Filesize
64KB

MD5
03c88885ec6dd4c68b55b8398e3bad00

SHA1
9d4fb364421caa98733a88507e9caf4c1f2e77a9

SHA256
6a00b526c583342b5a196e60e421b886a1a23228872a1f4ecc8180906d43513c

SHA512
3007d25d54b9f55cae0f3828966ad7da4e3f12508e1096c015478f96ae028d5352e39625ef95293401e58815a37a0e5f422489820058db65be023f0cf3b9a24f

Download Submit
C:\Windows\{B47289EB-7118-4803-A37C-125CF6D496B8}.exe

Filesize
64KB

MD5
5c4dc244f479669b4fabf6f92aad7ee5

SHA1
20a1c5d60dc3dcbc6b3cdd0744e2242e3275b9e3

SHA256
7e56560bf1d08d33316bfafeabe791206b51187e0e6e265a77c46bec9b325245

SHA512
ffa3e7249fb6d1827ee94eabd873e7f966edb893c556ec8fff6b1e6aa2b6c80e9913dd2f053d320b1a735717213a5c9eb7a890d143629ddff7954d886b529994

Download Submit
C:\Windows\{C47AC954-7BBF-4412-BA4F-FA5037854319}.exe

Filesize
64KB

MD5
ec4ff35fff720b9c7bb686830e08f6a0

SHA1
147d56bc2be068136cdb296b938a384d56cd2975

SHA256
ed925b7ff680acbaa2c25f5a9d7aab8e5599d42b3dd6c319b33b18739e00ba93

SHA512
c4902a21c253a599f7fd16e969fc994f20dc4869f62fc5d9005d66b536e2025bc8945bb2ec3cbb2dfe39959ef1e78fe7381d899e45f0ff88f5b5e82c215bb8c7

Download Submit
memory/952-69-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1064-16-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1064-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1232-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1232-58-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1448-22-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1448-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1828-68-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3300-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3404-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3404-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3684-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3684-4-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3880-43-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3880-40-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4188-52-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4188-57-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4216-39-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4216-34-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4336-32-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4720-50-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4720-45-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads