Analysis
-
max time kernel
144s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
02/06/2024, 22:29
Static task
static1
Behavioral task
behavioral1
Sample
76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General
-
Target
76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe
-
Size
90KB
-
MD5
76f33b38bc9569b5155b7245f15e8d30
-
SHA1
cd86c322b5b4bbb98e75e2f0d9368036f884a343
-
SHA256
b12ed006872e73b97ba1e8ff1312311a8abb22605380d600f1ade592bef7bfe6
-
SHA512
2160c0601e0c679565bd78fddfe1b18e4d699b439ad4d134f89c45349f92c278f8906def10cf35a22f81b835c6ffdb08901ce5dc97148acb590ec2361f5a3447
-
SSDEEP
768:5vw98169hKjro34/wQCNrfrunMxVFA3b:lEG/Ho3lxunMxVS3
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B81E48E0-7917-400f-8577-AF0FF1E58E24}\stubpath = "C:\\Windows\\{B81E48E0-7917-400f-8577-AF0FF1E58E24}.exe" | {58A064CF-0401-4fb9-816D-16F9BF7DFA66}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CF670F4-5586-41e1-B3A4-09927E8E0451} | {3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17A4B9B9-EE95-4a64-9C7D-227D5639A113}\stubpath = "C:\\Windows\\{17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe" | {D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF} | {22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14D6A6F3-ABC4-4840-802B-2BA9E3503664}\stubpath = "C:\\Windows\\{14D6A6F3-ABC4-4840-802B-2BA9E3503664}.exe" | {41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B81E48E0-7917-400f-8577-AF0FF1E58E24} | {58A064CF-0401-4fb9-816D-16F9BF7DFA66}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CF670F4-5586-41e1-B3A4-09927E8E0451}\stubpath = "C:\\Windows\\{9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe" | {3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4E32D79-8B6E-461e-87F3-E05949CB41B1}\stubpath = "C:\\Windows\\{D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe" | {9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17A4B9B9-EE95-4a64-9C7D-227D5639A113} | {D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14D6A6F3-ABC4-4840-802B-2BA9E3503664} | {41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4E32D79-8B6E-461e-87F3-E05949CB41B1} | {9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22D7A410-9F2B-43c1-9055-2DCCDF356E81}\stubpath = "C:\\Windows\\{22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe" | {C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}\stubpath = "C:\\Windows\\{41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe" | {22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DA0068D-092B-4de2-BD89-1AD0542A84F2} | {14D6A6F3-ABC4-4840-802B-2BA9E3503664}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DA0068D-092B-4de2-BD89-1AD0542A84F2}\stubpath = "C:\\Windows\\{5DA0068D-092B-4de2-BD89-1AD0542A84F2}.exe" | {14D6A6F3-ABC4-4840-802B-2BA9E3503664}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58A064CF-0401-4fb9-816D-16F9BF7DFA66} | {5DA0068D-092B-4de2-BD89-1AD0542A84F2}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C47E1BE-F2BB-42ba-A772-90AF0A94D698} | 76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C47E1BE-F2BB-42ba-A772-90AF0A94D698}\stubpath = "C:\\Windows\\{3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe" | 76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6} | {17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}\stubpath = "C:\\Windows\\{C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe" | {17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22D7A410-9F2B-43c1-9055-2DCCDF356E81} | {C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58A064CF-0401-4fb9-816D-16F9BF7DFA66}\stubpath = "C:\\Windows\\{58A064CF-0401-4fb9-816D-16F9BF7DFA66}.exe" | {5DA0068D-092B-4de2-BD89-1AD0542A84F2}.exe
-
Deletes itself 1 IoCs
pid Process 3012 cmd.exe -
Executes dropped EXE 11 IoCs
pid | Process
2224 | {3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe
2264 | {9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe
2340 | {D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe
1808 | {17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe
2780 | {C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe
1924 | {22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe
1436 | {41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe
1216 | {14D6A6F3-ABC4-4840-802B-2BA9E3503664}.exe
2092 | {5DA0068D-092B-4de2-BD89-1AD0542A84F2}.exe
480 | {58A064CF-0401-4fb9-816D-16F9BF7DFA66}.exe
1996 | {B81E48E0-7917-400f-8577-AF0FF1E58E24}.exe
-
Drops file in Windows directory 11 IoCs
description | ioc | Process
File created | C:\Windows\{D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe | {9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe
File created | C:\Windows\{17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe | {D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe
File created | C:\Windows\{C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe | {17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe
File created | C:\Windows\{22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe | {C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe
File created | C:\Windows\{41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe | {22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe
File created | C:\Windows\{5DA0068D-092B-4de2-BD89-1AD0542A84F2}.exe | {14D6A6F3-ABC4-4840-802B-2BA9E3503664}.exe
File created | C:\Windows\{58A064CF-0401-4fb9-816D-16F9BF7DFA66}.exe | {5DA0068D-092B-4de2-BD89-1AD0542A84F2}.exe
File created | C:\Windows\{9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe | {3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe
File created | C:\Windows\{B81E48E0-7917-400f-8577-AF0FF1E58E24}.exe | {58A064CF-0401-4fb9-816D-16F9BF7DFA66}.exe
File created | C:\Windows\{14D6A6F3-ABC4-4840-802B-2BA9E3503664}.exe | {41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe
File created | C:\Windows\{3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe | 76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 2388 | 76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege | 2224 | {3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe
Token: SeIncBasePriorityPrivilege | 2264 | {9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe
Token: SeIncBasePriorityPrivilege | 2340 | {D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe
Token: SeIncBasePriorityPrivilege | 1808 | {17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe
Token: SeIncBasePriorityPrivilege | 2780 | {C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe
Token: SeIncBasePriorityPrivilege | 1924 | {22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe
Token: SeIncBasePriorityPrivilege | 1436 | {41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe
Token: SeIncBasePriorityPrivilege | 1216 | {14D6A6F3-ABC4-4840-802B-2BA9E3503664}.exe
Token: SeIncBasePriorityPrivilege | 2092 | {5DA0068D-092B-4de2-BD89-1AD0542A84F2}.exe
Token: SeIncBasePriorityPrivilege | 480 | {58A064CF-0401-4fb9-816D-16F9BF7DFA66}.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2388 wrote to memory of 2224 2388 76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe 28 PID 2388 wrote to memory of 2224 2388 76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe 28 PID 2388 wrote to memory of 2224 2388 76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe 28 PID 2388 wrote to memory of 2224 2388 76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe 28 PID 2388 wrote to memory of 3012 2388 76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe 29 PID 2388 wrote to memory of 3012 2388 76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe 29 PID 2388 wrote to memory of 3012 2388 76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe 29 PID 2388 wrote to memory of 3012 2388 76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe 29 PID 2224 wrote to memory of 2264 2224 {3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe 30 PID 2224 wrote to memory of 2264 2224 {3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe 30 PID 2224 wrote to memory of 2264 2224 {3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe 30 PID 2224 wrote to memory of 2264 2224 {3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe 30 PID 2224 wrote to memory of 2800 2224 {3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe 31 PID 2224 wrote to memory of 2800 2224 {3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe 31 PID 2224 wrote to memory of 2800 2224 {3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe 31 PID 2224 wrote to memory of 2800 2224 {3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe 31 PID 2264 wrote to memory of 2340 2264 {9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe 32 PID 2264 wrote to memory of 2340 2264 {9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe 32 PID 2264 wrote to memory of 2340 2264 {9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe 32 PID 2264 wrote to memory of 2340 2264 {9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe 32 PID 2264 wrote to memory of 2544 2264 {9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe 33 PID 2264 wrote to memory of 2544 2264 {9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe 33 PID 2264 wrote to memory of 2544 2264 
{9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe 33 PID 2264 wrote to memory of 2544 2264 {9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe 33 PID 2340 wrote to memory of 1808 2340 {D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe 36 PID 2340 wrote to memory of 1808 2340 {D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe 36 PID 2340 wrote to memory of 1808 2340 {D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe 36 PID 2340 wrote to memory of 1808 2340 {D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe 36 PID 2340 wrote to memory of 2672 2340 {D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe 37 PID 2340 wrote to memory of 2672 2340 {D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe 37 PID 2340 wrote to memory of 2672 2340 {D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe 37 PID 2340 wrote to memory of 2672 2340 {D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe 37 PID 1808 wrote to memory of 2780 1808 {17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe 38 PID 1808 wrote to memory of 2780 1808 {17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe 38 PID 1808 wrote to memory of 2780 1808 {17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe 38 PID 1808 wrote to memory of 2780 1808 {17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe 38 PID 1808 wrote to memory of 2320 1808 {17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe 39 PID 1808 wrote to memory of 2320 1808 {17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe 39 PID 1808 wrote to memory of 2320 1808 {17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe 39 PID 1808 wrote to memory of 2320 1808 {17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe 39 PID 2780 wrote to memory of 1924 2780 {C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe 40 PID 2780 wrote to memory of 1924 2780 {C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe 40 PID 2780 wrote to memory of 1924 2780 {C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe 40 PID 2780 wrote to memory of 1924 2780 {C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe 40 PID 2780 wrote to memory of 2156 2780 {C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe 41 PID 2780 wrote to memory of 2156 2780 {C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe 41 PID 2780 wrote to 
memory of 2156 2780 {C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe 41 PID 2780 wrote to memory of 2156 2780 {C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe 41 PID 1924 wrote to memory of 1436 1924 {22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe 42 PID 1924 wrote to memory of 1436 1924 {22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe 42 PID 1924 wrote to memory of 1436 1924 {22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe 42 PID 1924 wrote to memory of 1436 1924 {22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe 42 PID 1924 wrote to memory of 1628 1924 {22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe 43 PID 1924 wrote to memory of 1628 1924 {22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe 43 PID 1924 wrote to memory of 1628 1924 {22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe 43 PID 1924 wrote to memory of 1628 1924 {22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe 43 PID 1436 wrote to memory of 1216 1436 {41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe 44 PID 1436 wrote to memory of 1216 1436 {41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe 44 PID 1436 wrote to memory of 1216 1436 {41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe 44 PID 1436 wrote to memory of 1216 1436 {41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe 44 PID 1436 wrote to memory of 2112 1436 {41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe 45 PID 1436 wrote to memory of 2112 1436 {41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe 45 PID 1436 wrote to memory of 2112 1436 {41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe 45 PID 1436 wrote to memory of 2112 1436 {41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\76f33b38bc9569b5155b7245f15e8d30_NeikiAnalytics.exe"
  1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\{3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe
  C:\Windows\{3C47E1BE-F2BB-42ba-A772-90AF0A94D698}.exe
  2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\{9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe
  C:\Windows\{9CF670F4-5586-41e1-B3A4-09927E8E0451}.exe
  3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\{D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe
  C:\Windows\{D4E32D79-8B6E-461e-87F3-E05949CB41B1}.exe
  4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\{17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe
  C:\Windows\{17A4B9B9-EE95-4a64-9C7D-227D5639A113}.exe
  5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\{C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe
  C:\Windows\{C72A8AD7-9E67-4113-AA3C-3AA356C1A3E6}.exe
  6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\{22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe
  C:\Windows\{22D7A410-9F2B-43c1-9055-2DCCDF356E81}.exe
  7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\{41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe
  C:\Windows\{41887EE2-F7D1-455e-B5D5-FA39BA4AE6BF}.exe
  8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\{14D6A6F3-ABC4-4840-802B-2BA9E3503664}.exe
  C:\Windows\{14D6A6F3-ABC4-4840-802B-2BA9E3503664}.exe
  9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1216 -
C:\Windows\{5DA0068D-092B-4de2-BD89-1AD0542A84F2}.exe
  C:\Windows\{5DA0068D-092B-4de2-BD89-1AD0542A84F2}.exe
  10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2092 -
C:\Windows\{58A064CF-0401-4fb9-816D-16F9BF7DFA66}.exe
  C:\Windows\{58A064CF-0401-4fb9-816D-16F9BF7DFA66}.exe
  11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:480 -
C:\Windows\{B81E48E0-7917-400f-8577-AF0FF1E58E24}.exe
  C:\Windows\{B81E48E0-7917-400f-8577-AF0FF1E58E24}.exe
  12⤵
- Executes dropped EXE
PID:1996
-
-
C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{58A06~1.EXE > nul
  12⤵
PID:1000
-
-
-
C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{5DA00~1.EXE > nul
  11⤵
PID:1476
-
-
-
C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{14D6A~1.EXE > nul
  10⤵
PID:1076
-
-
-
C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{41887~1.EXE > nul
  9⤵
PID:2112
-
-
-
C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{22D7A~1.EXE > nul
  8⤵
PID:1628
-
-
-
C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{C72A8~1.EXE > nul
  7⤵
PID:2156
-
-
-
C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{17A4B~1.EXE > nul
  6⤵
PID:2320
-
-
-
C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{D4E32~1.EXE > nul
  5⤵
PID:2672
-
-
-
C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{9CF67~1.EXE > nul
  4⤵
PID:2544
-
-
-
C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Windows\{3C47E~1.EXE > nul
  3⤵
PID:2800
-
-
-
C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\76F33B~1.EXE > nul
  2⤵
- Deletes itself
PID:3012
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
90KB
MD5 27053cdf77bfe4a3a43cd6afb70bfa67
SHA1 bd4f9450e7229bda5732892211d1501a0b572fe3
SHA256 23be8da2fcb70f704753595a87659a00ebb5de987d864911f4cf0dca1079b700
SHA512 4fb9caa3c9684b82123b9f73aee113fa618f0eeff8e7ca55b09756bb2a2357ae10129617a303d1386c0a0cad6e017fc28edcce8fdf48bac4ff30f3b5d17b6655
-
Filesize
90KB
MD5 01186c6a3d74142e9e0a20abdd32428d
SHA1 803aefa5af48e9afa19b6a8e9b888691c505bdbf
SHA256 3c866b8b8ec2ed07e57e2c1a1147ce94f65989c454e29e67e7c9ff5de70dcd9f
SHA512 bd70c8534531b8455cef73b4b816773010947f39cff833e82ea293161d56315e2064ad2deab29cc0c972e3e5212ac4f942a3c5be625367aca015de42d01241de
-
Filesize
90KB
MD5 5470fa53c13328289ddb444c81c2c95f
SHA1 b7631d2f216b88f6f9895040ae9b033a3ca09b58
SHA256 140ef0206f9339aa03b4d61575368e6ba72ac091da01cac452fbe446073bb0d9
SHA512 6345f52bf79729a749f13bdb894ad9db68b9552cffa96c124ac183fab42462f4f7ece6ee9505fd4ded76cadc90d5eae11fc713eec99bdb62e24116c60c95dcf1
-
Filesize
90KB
MD5 6771e8e01066c1159b75ea89c2ea88e1
SHA1 88700e14c8f63d8c80ab3fa19e6fb2c876af7b8d
SHA256 3fd8873cfac8a0bcc176cfa46d7409204198492038e65144cb5d36a6f50f41a6
SHA512 0f3632ac672005cb47df5a512d17ab4d9256d57c8bee3c2b7cac7851a08b02c231f72d2f25c377dc92f100fd6ba8bc1a46426f3325ea3a07c9103274894ef913
-
Filesize
90KB
MD5 5ea279b73fa9c6b3132e41294b5489c2
SHA1 6aca2b8ee644b06da05a7360401576a6464fc353
SHA256 9e5c78634f4b14e986c5b7c55b1eef6621995bf2d4259ccff9dfc85e35fdfe18
SHA512 39f0b3ac0e02301b8c52673768a8a853918bae01b240ad663645599404891ac3749237ba454af563e1cb942d8df08231b68c795663eb8b7346d04b9c834eca11
-
Filesize
90KB
MD5 105da8033eb2fdd24702ef1becf2d2aa
SHA1 4ce80a72da0e78cb6270380dbc6a151068a2f6a8
SHA256 78161082a541bf6aaebc9dc6d53fb566d3d0a9bf37b7f2e8e8be163da30402a6
SHA512 07ed6e03a4c5571485df0d5a12b62b7cc3bbdc0b3aeaf4ce8ec2a500b17f32cbcd9f1ca69687fefed7a17b155c62ae5532f1cd988288c394cccc3a6a16daad62
-
Filesize
90KB
MD5 962476d67cfa49c9c69eb3e9268022e0
SHA1 9539125e1dee564b4d81a41d68546ba2d9f7ea9a
SHA256 77be4731273fc7503fc96760b0f796ec0f525ea319ea0f04bdd6acb563d4cf33
SHA512 373c1ec083b6c14ab0864bf5419dc53b20b9fc58b983a8426f2ede20081c2607f478d6991c65878051dd058e1aff8040a5ce4f49542766a74e74aac9e8fc0a6e
-
Filesize
90KB
MD5 4a885e9855cc7145b8d14ba68d05ae74
SHA1 b4d563597a6f3f40c1710fd5489cdf23bdca23b6
SHA256 671321a56daeab0f75ea7063afcc5eecdecb617ba43347df6088fbae9be4fc4f
SHA512 a0bc0339d495fd3c323ff98b267224b14eab621452c26e86c2f9a2bfbf940a8f69861eb6d8a8482e30de5ca438a8be484ef6cf98aa75120ccbe552c5402b1be2
-
Filesize
90KB
MD5 5b127b9403627053949bf1f304f78ac7
SHA1 b3f804b3dd77bad1d2f72c52ed6c3b7e6c829865
SHA256 073c7b5cd136c2ed57d0421e2cfaf41cfd8f9e6f7e4aa8bb49b4ecc5205b4b3f
SHA512 512dc0e889f38d4d5221bf7ae473dc7ee6d727490bc7623e5853b189a374ebd7cc254ff0a291c52278713d81f4171f6ab5ddd4ec5dd2ea38b35e56684bc0bd05
-
Filesize
90KB
MD5 cda3bcc2af1f8b5d8c8331f0a05f5604
SHA1 04e73d462618eca03724fae3a3643bd6091f3660
SHA256 9b241c87222c05a1ee7ac2436748aa4e09aa46fca2380bee527a20c9aaa7802a
SHA512 ecf29e8ca6f94b563f909ea5cd7f8a5f8192db317f3369506b34c242d314cedb34cf893dff49a3080bad18d9a262a7a3933971bfe51a9f0d0adfbfc42b285408
-
Filesize
90KB
MD5 58101828d1995687a19dc53bf29fca68
SHA1 220eb4e984baa33936db4e3ba215a002bd68d456
SHA256 6dcbe9374d80baf39688708a46560703118ec0ba62e567373f8f9ec83f172e41
SHA512 8b4d0433b82e371cdad3ace9f58b30a29f152036a43a5296d223f2a09971d7ffdbce0c6318977a0935e84f141a44e2bc43de6364087fd7afbf6a2352d20a900f