29e77c171cb98f383b5832906eb8e5ac43227ef0bf966adaa137cd3b476ce39f

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02-06-2024 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86873cd458b3b51982b3b158a1c25fb0_NeikiAnalytics.exe
Size

64KB
MD5

86873cd458b3b51982b3b158a1c25fb0
SHA1

b46fc369ef55caf3b0301a6144a490d6704b0200
SHA256

29e77c171cb98f383b5832906eb8e5ac43227ef0bf966adaa137cd3b476ce39f
SHA512

b69f3555a75cdb0654e30bbb092aa51028d21899e9e21c3b6aaae050f865558966ce897ddbb3c8f2cfea9d1b0e5d2b361f34b24d89783012057f8a8b5a8c464a
SSDEEP

384:ObLwOs8AHsc4HMPwhKQLroE4/CFsrdHWMZw:Ovw981xvhKQLroE4/wQpWMZw

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2645CE4C-9DB2-4a1d-800A-FC1C596890CA}	{53A6E7A8-FF16-4044-BA58-93DD80AE987C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0050783-B4E9-4aba-A739-0208D2B51082}	{2645CE4C-9DB2-4a1d-800A-FC1C596890CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D18DF5B8-F863-4201-80F5-897D7D2F7F28}\stubpath = "C:\\Windows\\{D18DF5B8-F863-4201-80F5-897D7D2F7F28}.exe"	{01CE4FA4-9312-42e6-AA56-A432A2D43D22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68846FDA-0576-4162-82BA-CEC12952A493}	{53A40CF8-6222-4dbb-9561-F97BD323D068}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68846FDA-0576-4162-82BA-CEC12952A493}\stubpath = "C:\\Windows\\{68846FDA-0576-4162-82BA-CEC12952A493}.exe"	{53A40CF8-6222-4dbb-9561-F97BD323D068}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{856254D4-BAAC-46c6-BCC1-2D8A23F62322}	{623274B9-7774-46f7-9428-832878DDE195}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53A6E7A8-FF16-4044-BA58-93DD80AE987C}\stubpath = "C:\\Windows\\{53A6E7A8-FF16-4044-BA58-93DD80AE987C}.exe"	{5AFF374B-BA81-44c4-9A41-CEDF1BFCD1FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0050783-B4E9-4aba-A739-0208D2B51082}\stubpath = "C:\\Windows\\{C0050783-B4E9-4aba-A739-0208D2B51082}.exe"	{2645CE4C-9DB2-4a1d-800A-FC1C596890CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01CE4FA4-9312-42e6-AA56-A432A2D43D22}\stubpath = "C:\\Windows\\{01CE4FA4-9312-42e6-AA56-A432A2D43D22}.exe"	{C0050783-B4E9-4aba-A739-0208D2B51082}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{623274B9-7774-46f7-9428-832878DDE195}	{68846FDA-0576-4162-82BA-CEC12952A493}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AFF374B-BA81-44c4-9A41-CEDF1BFCD1FF}	{856254D4-BAAC-46c6-BCC1-2D8A23F62322}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53A6E7A8-FF16-4044-BA58-93DD80AE987C}	{5AFF374B-BA81-44c4-9A41-CEDF1BFCD1FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{623274B9-7774-46f7-9428-832878DDE195}\stubpath = "C:\\Windows\\{623274B9-7774-46f7-9428-832878DDE195}.exe"	{68846FDA-0576-4162-82BA-CEC12952A493}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{856254D4-BAAC-46c6-BCC1-2D8A23F62322}\stubpath = "C:\\Windows\\{856254D4-BAAC-46c6-BCC1-2D8A23F62322}.exe"	{623274B9-7774-46f7-9428-832878DDE195}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2645CE4C-9DB2-4a1d-800A-FC1C596890CA}\stubpath = "C:\\Windows\\{2645CE4C-9DB2-4a1d-800A-FC1C596890CA}.exe"	{53A6E7A8-FF16-4044-BA58-93DD80AE987C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01CE4FA4-9312-42e6-AA56-A432A2D43D22}	{C0050783-B4E9-4aba-A739-0208D2B51082}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D57558D-BD20-4c40-BDE8-C99ABFA04AF6}	86873cd458b3b51982b3b158a1c25fb0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53A40CF8-6222-4dbb-9561-F97BD323D068}	{5D57558D-BD20-4c40-BDE8-C99ABFA04AF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53A40CF8-6222-4dbb-9561-F97BD323D068}\stubpath = "C:\\Windows\\{53A40CF8-6222-4dbb-9561-F97BD323D068}.exe"	{5D57558D-BD20-4c40-BDE8-C99ABFA04AF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D57558D-BD20-4c40-BDE8-C99ABFA04AF6}\stubpath = "C:\\Windows\\{5D57558D-BD20-4c40-BDE8-C99ABFA04AF6}.exe"	86873cd458b3b51982b3b158a1c25fb0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AFF374B-BA81-44c4-9A41-CEDF1BFCD1FF}\stubpath = "C:\\Windows\\{5AFF374B-BA81-44c4-9A41-CEDF1BFCD1FF}.exe"	{856254D4-BAAC-46c6-BCC1-2D8A23F62322}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D18DF5B8-F863-4201-80F5-897D7D2F7F28}	{01CE4FA4-9312-42e6-AA56-A432A2D43D22}.exe

Deletes itself 1 IoCs

pid	Process
2680	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2556	{5D57558D-BD20-4c40-BDE8-C99ABFA04AF6}.exe
2628	{53A40CF8-6222-4dbb-9561-F97BD323D068}.exe
2192	{68846FDA-0576-4162-82BA-CEC12952A493}.exe
1264	{623274B9-7774-46f7-9428-832878DDE195}.exe
2500	{856254D4-BAAC-46c6-BCC1-2D8A23F62322}.exe
1680	{5AFF374B-BA81-44c4-9A41-CEDF1BFCD1FF}.exe
1920	{53A6E7A8-FF16-4044-BA58-93DD80AE987C}.exe
1128	{2645CE4C-9DB2-4a1d-800A-FC1C596890CA}.exe
1656	{C0050783-B4E9-4aba-A739-0208D2B51082}.exe
2976	{01CE4FA4-9312-42e6-AA56-A432A2D43D22}.exe
1548	{D18DF5B8-F863-4201-80F5-897D7D2F7F28}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2645CE4C-9DB2-4a1d-800A-FC1C596890CA}.exe	{53A6E7A8-FF16-4044-BA58-93DD80AE987C}.exe
File created	C:\Windows\{C0050783-B4E9-4aba-A739-0208D2B51082}.exe	{2645CE4C-9DB2-4a1d-800A-FC1C596890CA}.exe
File created	C:\Windows\{01CE4FA4-9312-42e6-AA56-A432A2D43D22}.exe	{C0050783-B4E9-4aba-A739-0208D2B51082}.exe
File created	C:\Windows\{5D57558D-BD20-4c40-BDE8-C99ABFA04AF6}.exe	86873cd458b3b51982b3b158a1c25fb0_NeikiAnalytics.exe
File created	C:\Windows\{53A40CF8-6222-4dbb-9561-F97BD323D068}.exe	{5D57558D-BD20-4c40-BDE8-C99ABFA04AF6}.exe
File created	C:\Windows\{5AFF374B-BA81-44c4-9A41-CEDF1BFCD1FF}.exe	{856254D4-BAAC-46c6-BCC1-2D8A23F62322}.exe
File created	C:\Windows\{53A6E7A8-FF16-4044-BA58-93DD80AE987C}.exe	{5AFF374B-BA81-44c4-9A41-CEDF1BFCD1FF}.exe
File created	C:\Windows\{68846FDA-0576-4162-82BA-CEC12952A493}.exe	{53A40CF8-6222-4dbb-9561-F97BD323D068}.exe
File created	C:\Windows\{623274B9-7774-46f7-9428-832878DDE195}.exe	{68846FDA-0576-4162-82BA-CEC12952A493}.exe
File created	C:\Windows\{856254D4-BAAC-46c6-BCC1-2D8A23F62322}.exe	{623274B9-7774-46f7-9428-832878DDE195}.exe
File created	C:\Windows\{D18DF5B8-F863-4201-80F5-897D7D2F7F28}.exe	{01CE4FA4-9312-42e6-AA56-A432A2D43D22}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2884	86873cd458b3b51982b3b158a1c25fb0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2556	{5D57558D-BD20-4c40-BDE8-C99ABFA04AF6}.exe
Token: SeIncBasePriorityPrivilege	2628	{53A40CF8-6222-4dbb-9561-F97BD323D068}.exe
Token: SeIncBasePriorityPrivilege	2192	{68846FDA-0576-4162-82BA-CEC12952A493}.exe
Token: SeIncBasePriorityPrivilege	1264	{623274B9-7774-46f7-9428-832878DDE195}.exe
Token: SeIncBasePriorityPrivilege	2500	{856254D4-BAAC-46c6-BCC1-2D8A23F62322}.exe
Token: SeIncBasePriorityPrivilege	1680	{5AFF374B-BA81-44c4-9A41-CEDF1BFCD1FF}.exe
Token: SeIncBasePriorityPrivilege	1920	{53A6E7A8-FF16-4044-BA58-93DD80AE987C}.exe
Token: SeIncBasePriorityPrivilege	1128	{2645CE4C-9DB2-4a1d-800A-FC1C596890CA}.exe
Token: SeIncBasePriorityPrivilege	1656	{C0050783-B4E9-4aba-A739-0208D2B51082}.exe
Token: SeIncBasePriorityPrivilege	2976	{01CE4FA4-9312-42e6-AA56-A432A2D43D22}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2556	2884	86873cd458b3b51982b3b158a1c25fb0_NeikiAnalytics.exe	28
PID 2884 wrote to memory of 2556	2884	86873cd458b3b51982b3b158a1c25fb0_NeikiAnalytics.exe	28
PID 2884 wrote to memory of 2556	2884	86873cd458b3b51982b3b158a1c25fb0_NeikiAnalytics.exe	28
PID 2884 wrote to memory of 2556	2884	86873cd458b3b51982b3b158a1c25fb0_NeikiAnalytics.exe	28
PID 2884 wrote to memory of 2680	2884	86873cd458b3b51982b3b158a1c25fb0_NeikiAnalytics.exe	29
PID 2884 wrote to memory of 2680	2884	86873cd458b3b51982b3b158a1c25fb0_NeikiAnalytics.exe	29
PID 2884 wrote to memory of 2680	2884	86873cd458b3b51982b3b158a1c25fb0_NeikiAnalytics.exe	29
PID 2884 wrote to memory of 2680	2884	86873cd458b3b51982b3b158a1c25fb0_NeikiAnalytics.exe	29
PID 2556 wrote to memory of 2628	2556	{5D57558D-BD20-4c40-BDE8-C99ABFA04AF6}.exe	30
PID 2556 wrote to memory of 2628	2556	{5D57558D-BD20-4c40-BDE8-C99ABFA04AF6}.exe	30
PID 2556 wrote to memory of 2628	2556	{5D57558D-BD20-4c40-BDE8-C99ABFA04AF6}.exe	30
PID 2556 wrote to memory of 2628	2556	{5D57558D-BD20-4c40-BDE8-C99ABFA04AF6}.exe	30
PID 2556 wrote to memory of 2104	2556	{5D57558D-BD20-4c40-BDE8-C99ABFA04AF6}.exe	31
PID 2556 wrote to memory of 2104	2556	{5D57558D-BD20-4c40-BDE8-C99ABFA04AF6}.exe	31
PID 2556 wrote to memory of 2104	2556	{5D57558D-BD20-4c40-BDE8-C99ABFA04AF6}.exe	31
PID 2556 wrote to memory of 2104	2556	{5D57558D-BD20-4c40-BDE8-C99ABFA04AF6}.exe	31
PID 2628 wrote to memory of 2192	2628	{53A40CF8-6222-4dbb-9561-F97BD323D068}.exe	34
PID 2628 wrote to memory of 2192	2628	{53A40CF8-6222-4dbb-9561-F97BD323D068}.exe	34
PID 2628 wrote to memory of 2192	2628	{53A40CF8-6222-4dbb-9561-F97BD323D068}.exe	34
PID 2628 wrote to memory of 2192	2628	{53A40CF8-6222-4dbb-9561-F97BD323D068}.exe	34
PID 2628 wrote to memory of 592	2628	{53A40CF8-6222-4dbb-9561-F97BD323D068}.exe	35
PID 2628 wrote to memory of 592	2628	{53A40CF8-6222-4dbb-9561-F97BD323D068}.exe	35
PID 2628 wrote to memory of 592	2628	{53A40CF8-6222-4dbb-9561-F97BD323D068}.exe	35
PID 2628 wrote to memory of 592	2628	{53A40CF8-6222-4dbb-9561-F97BD323D068}.exe	35
PID 2192 wrote to memory of 1264	2192	{68846FDA-0576-4162-82BA-CEC12952A493}.exe	36
PID 2192 wrote to memory of 1264	2192	{68846FDA-0576-4162-82BA-CEC12952A493}.exe	36
PID 2192 wrote to memory of 1264	2192	{68846FDA-0576-4162-82BA-CEC12952A493}.exe	36
PID 2192 wrote to memory of 1264	2192	{68846FDA-0576-4162-82BA-CEC12952A493}.exe	36
PID 2192 wrote to memory of 976	2192	{68846FDA-0576-4162-82BA-CEC12952A493}.exe	37
PID 2192 wrote to memory of 976	2192	{68846FDA-0576-4162-82BA-CEC12952A493}.exe	37
PID 2192 wrote to memory of 976	2192	{68846FDA-0576-4162-82BA-CEC12952A493}.exe	37
PID 2192 wrote to memory of 976	2192	{68846FDA-0576-4162-82BA-CEC12952A493}.exe	37
PID 1264 wrote to memory of 2500	1264	{623274B9-7774-46f7-9428-832878DDE195}.exe	38
PID 1264 wrote to memory of 2500	1264	{623274B9-7774-46f7-9428-832878DDE195}.exe	38
PID 1264 wrote to memory of 2500	1264	{623274B9-7774-46f7-9428-832878DDE195}.exe	38
PID 1264 wrote to memory of 2500	1264	{623274B9-7774-46f7-9428-832878DDE195}.exe	38
PID 1264 wrote to memory of 2732	1264	{623274B9-7774-46f7-9428-832878DDE195}.exe	39
PID 1264 wrote to memory of 2732	1264	{623274B9-7774-46f7-9428-832878DDE195}.exe	39
PID 1264 wrote to memory of 2732	1264	{623274B9-7774-46f7-9428-832878DDE195}.exe	39
PID 1264 wrote to memory of 2732	1264	{623274B9-7774-46f7-9428-832878DDE195}.exe	39
PID 2500 wrote to memory of 1680	2500	{856254D4-BAAC-46c6-BCC1-2D8A23F62322}.exe	40
PID 2500 wrote to memory of 1680	2500	{856254D4-BAAC-46c6-BCC1-2D8A23F62322}.exe	40
PID 2500 wrote to memory of 1680	2500	{856254D4-BAAC-46c6-BCC1-2D8A23F62322}.exe	40
PID 2500 wrote to memory of 1680	2500	{856254D4-BAAC-46c6-BCC1-2D8A23F62322}.exe	40
PID 2500 wrote to memory of 2020	2500	{856254D4-BAAC-46c6-BCC1-2D8A23F62322}.exe	41
PID 2500 wrote to memory of 2020	2500	{856254D4-BAAC-46c6-BCC1-2D8A23F62322}.exe	41
PID 2500 wrote to memory of 2020	2500	{856254D4-BAAC-46c6-BCC1-2D8A23F62322}.exe	41
PID 2500 wrote to memory of 2020	2500	{856254D4-BAAC-46c6-BCC1-2D8A23F62322}.exe	41
PID 1680 wrote to memory of 1920	1680	{5AFF374B-BA81-44c4-9A41-CEDF1BFCD1FF}.exe	42
PID 1680 wrote to memory of 1920	1680	{5AFF374B-BA81-44c4-9A41-CEDF1BFCD1FF}.exe	42
PID 1680 wrote to memory of 1920	1680	{5AFF374B-BA81-44c4-9A41-CEDF1BFCD1FF}.exe	42
PID 1680 wrote to memory of 1920	1680	{5AFF374B-BA81-44c4-9A41-CEDF1BFCD1FF}.exe	42
PID 1680 wrote to memory of 1908	1680	{5AFF374B-BA81-44c4-9A41-CEDF1BFCD1FF}.exe	43
PID 1680 wrote to memory of 1908	1680	{5AFF374B-BA81-44c4-9A41-CEDF1BFCD1FF}.exe	43
PID 1680 wrote to memory of 1908	1680	{5AFF374B-BA81-44c4-9A41-CEDF1BFCD1FF}.exe	43
PID 1680 wrote to memory of 1908	1680	{5AFF374B-BA81-44c4-9A41-CEDF1BFCD1FF}.exe	43
PID 1920 wrote to memory of 1128	1920	{53A6E7A8-FF16-4044-BA58-93DD80AE987C}.exe	44
PID 1920 wrote to memory of 1128	1920	{53A6E7A8-FF16-4044-BA58-93DD80AE987C}.exe	44
PID 1920 wrote to memory of 1128	1920	{53A6E7A8-FF16-4044-BA58-93DD80AE987C}.exe	44
PID 1920 wrote to memory of 1128	1920	{53A6E7A8-FF16-4044-BA58-93DD80AE987C}.exe	44
PID 1920 wrote to memory of 776	1920	{53A6E7A8-FF16-4044-BA58-93DD80AE987C}.exe	45
PID 1920 wrote to memory of 776	1920	{53A6E7A8-FF16-4044-BA58-93DD80AE987C}.exe	45
PID 1920 wrote to memory of 776	1920	{53A6E7A8-FF16-4044-BA58-93DD80AE987C}.exe	45
PID 1920 wrote to memory of 776	1920	{53A6E7A8-FF16-4044-BA58-93DD80AE987C}.exe	45

C:\Users\Admin\AppData\Local\Temp\86873cd458b3b51982b3b158a1c25fb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\86873cd458b3b51982b3b158a1c25fb0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\{5D57558D-BD20-4c40-BDE8-C99ABFA04AF6}.exe
  C:\Windows\{5D57558D-BD20-4c40-BDE8-C99ABFA04AF6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\{53A40CF8-6222-4dbb-9561-F97BD323D068}.exe
    C:\Windows\{53A40CF8-6222-4dbb-9561-F97BD323D068}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\{68846FDA-0576-4162-82BA-CEC12952A493}.exe
      C:\Windows\{68846FDA-0576-4162-82BA-CEC12952A493}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2192
    - - C:\Windows\{623274B9-7774-46f7-9428-832878DDE195}.exe
        
        C:\Windows\{623274B9-7774-46f7-9428-832878DDE195}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1264
      - C:\Windows\{856254D4-BAAC-46c6-BCC1-2D8A23F62322}.exe
        
        C:\Windows\{856254D4-BAAC-46c6-BCC1-2D8A23F62322}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\{5AFF374B-BA81-44c4-9A41-CEDF1BFCD1FF}.exe
        
        C:\Windows\{5AFF374B-BA81-44c4-9A41-CEDF1BFCD1FF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\{53A6E7A8-FF16-4044-BA58-93DD80AE987C}.exe
        
        C:\Windows\{53A6E7A8-FF16-4044-BA58-93DD80AE987C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\{2645CE4C-9DB2-4a1d-800A-FC1C596890CA}.exe
        
        C:\Windows\{2645CE4C-9DB2-4a1d-800A-FC1C596890CA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
        
        C:\Windows\{C0050783-B4E9-4aba-A739-0208D2B51082}.exe
        
        C:\Windows\{C0050783-B4E9-4aba-A739-0208D2B51082}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\{01CE4FA4-9312-42e6-AA56-A432A2D43D22}.exe
        
        C:\Windows\{01CE4FA4-9312-42e6-AA56-A432A2D43D22}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\{D18DF5B8-F863-4201-80F5-897D7D2F7F28}.exe
        
        C:\Windows\{D18DF5B8-F863-4201-80F5-897D7D2F7F28}.exe
        12⤵
        Executes dropped EXE
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01CE4~1.EXE > nul
        12⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0050~1.EXE > nul
        11⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2645C~1.EXE > nul
        10⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53A6E~1.EXE > nul
        9⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5AFF3~1.EXE > nul
        8⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85625~1.EXE > nul
        7⤵
        
        PID:2020
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62327~1.EXE > nul
        6⤵
        
        PID:2732
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68846~1.EXE > nul
        5⤵
        
        PID:976
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{53A40~1.EXE > nul
      4⤵
      PID:592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5D575~1.EXE > nul
    3⤵
    PID:2104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\86873C~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01CE4FA4-9312-42e6-AA56-A432A2D43D22}.exe

Filesize
64KB

MD5
d15d63ba874373af61b3844843c20e05

SHA1
0a761684d0fc46d01597569a40d10c52bd505d73

SHA256
70f41c2894426d7e48c66132da37e583ad14c7288ced9022304e457e464e97e9

SHA512
1e7714e52ce2aa3b8ad9d8b4bf3e06dc1befd0f86e6f1b64bce3042eb24c9716cbc96da477d1f012576bcbf028aa5c922732db68bbf67171a586e8a8b5026082

Download Submit
C:\Windows\{2645CE4C-9DB2-4a1d-800A-FC1C596890CA}.exe

Filesize
64KB

MD5
9c55f21d94dcd8bfc40bc037c85f90a3

SHA1
38880fa58df2321aea515d5301362e3796e38e9b

SHA256
b4211c402380796576f0153d3f67b0b2562549aa1a43a1a367441490858fdace

SHA512
2c716ed56249260bf49caf8388e55ced49b1b7cfd1d92e7d19454398df637cecee0d5cfc116bcd70dc7bccbb01496b0f2087d548ac20e582302845613ad39a72

Download Submit
C:\Windows\{53A40CF8-6222-4dbb-9561-F97BD323D068}.exe

Filesize
64KB

MD5
10f3c63331e653d4c76ea39844c062a5

SHA1
348297ba59383ca9a52b9103049721808a254f2b

SHA256
ffaa27bd7866aaa82257e4ebd1c716b504ea9b3be1d8a06a6070efe8aace695c

SHA512
5fc218a089384916c693fa8bf20c435975625fbb3dd8b83214b3aac857a192d352a8121cdcb9b0a59fd385759d4e5164a7de38361efee0a37bd097e2ffa6c6bd

Download Submit
C:\Windows\{53A6E7A8-FF16-4044-BA58-93DD80AE987C}.exe

Filesize
64KB

MD5
1890fd026e77939b54df5b8c48daca2a

SHA1
67e2d8965ceeca1e80d74f13a3553b881bd673cc

SHA256
390c4dfde0bd4c7d7961966831ecd343c0fdf86bc740d4cf5995297b22f6efbe

SHA512
723bd7ebf1b3e96bc6f1d34d76f70dcefed9838c6aaa7808bc7b761b4adfeef22d3a8bc2c233e0467945c0fc6be849ea39bf443227de03942335359097f43c27

Download Submit
C:\Windows\{5AFF374B-BA81-44c4-9A41-CEDF1BFCD1FF}.exe

Filesize
64KB

MD5
c92f938d852b5a24ad3c70bc25939461

SHA1
4e761c53717d61e3475a559a2ec9bf302b3d5e2c

SHA256
bab958ae36f96bbdae36554fe2db08a56fdfc4d6554fa319a38eed5cc9ac61e3

SHA512
3daf179f2b71eb9150cea0fe5091a10fc3f27e726d40bd43a9f7d2aa62f51f202458a7524f5ac225ed183289c7f1ab67769ecf0e114b0fbe89a29ff117cdd598

Download Submit
C:\Windows\{5D57558D-BD20-4c40-BDE8-C99ABFA04AF6}.exe

Filesize
64KB

MD5
3d2341f8cadb20d4db6561e6f388ca73

SHA1
6a0c66a4f291c5ba09f1cd3e003d6516e435d098

SHA256
f2307c7ddf888c0fb8639ac7ad3eb6a7d7830ee8f5e623be8dd77a6b4b357849

SHA512
32a69f1ab94c39c4aba074eaeee6489e1ec0203458e0b9020cc9f1ef8faf50ac95849ecce3e181844b875ed2e538cef0cbcdd96e865e5ba20b4afc70f3dc3b11

Download Submit
C:\Windows\{623274B9-7774-46f7-9428-832878DDE195}.exe

Filesize
64KB

MD5
bdfe60abbebe538ab2ae91052194dedd

SHA1
982e3530d3d4de540927a5da5b7e3a688f62ca14

SHA256
daaf9256341db887b8c4ede7e025fb0fd76660aa58ba115b03b8286f185f4f38

SHA512
b24cad65d610ff2cbe46159e3cb106d361b029b13d7d2d36348af0d0c529d408d753d6d63910747928c6c398bcbdaa12770977227a08897f4fe9054e2b99399c

Download Submit
C:\Windows\{68846FDA-0576-4162-82BA-CEC12952A493}.exe

Filesize
64KB

MD5
8f2d88156b40db84343b66e59bd4a40c

SHA1
c26fdf53e0c038419016908bf61b7c1a7db9d501

SHA256
674418be1aba61c73807a95a019a0ae3d5849719950854bcd461e3918f5b0138

SHA512
b214dee6f4531d6c26b44f0bd14235cb2768bea52c7b50f01d453e17baf286aa76cc935ff5f9b19c6395e32ff953233ce2957dfe97a820a7ccf5720d5ec80e85

Download Submit
C:\Windows\{856254D4-BAAC-46c6-BCC1-2D8A23F62322}.exe

Filesize
64KB

MD5
1607d9d4c882adfedb1f68b001ee4be1

SHA1
c54b9f4e3d0cfcea7a6684fd50d06158afb8ea49

SHA256
3c76f6ea8e36c4a0617521202dea1c783fd1e88dcf60d330ae34ceb4bec46ae3

SHA512
f9196c8be434daa887aee01f0c0df9310b31439458071b1587c2f31f60931300f9c19df0d6d677fb19659b48870a972bad7b3f12a140c6233e0e0fc4d9c587b4

Download Submit
C:\Windows\{C0050783-B4E9-4aba-A739-0208D2B51082}.exe

Filesize
64KB

MD5
74722b3bd5ac285461db8409d5057c54

SHA1
47e12f40b4fb282c8d6d0260f09a1c42b0f6e111

SHA256
cc74958c322f5b898f72424dba8038f4e268a373826f3984c546f999a45d8102

SHA512
21b44ec9a8e3ea6834a8f7bf744531fdb9714fff74fafadaf68c78257600bdd8d1401c29cad7531622733ff5f00ed6e05ec0d277c7ac095db7003b2c986e4517

Download Submit
C:\Windows\{D18DF5B8-F863-4201-80F5-897D7D2F7F28}.exe

Filesize
64KB

MD5
19a3fbb6d2b641cd46f4069bfd2b4cd1

SHA1
ac0c65d87c1a14d4031637867a07e9db8f0e2fa1

SHA256
ad3f0e70a52b6e854f961af1871b3ae72d2e4047eba23dc7770adb3c07fc30ce

SHA512
cceca9e429c402ab009ea0f2a0f79cbfdb36d2e7a5c6a7830c375d3fce75c47330593a136b7ff840764e109453a6111d81c76c58185854654f28073181b6be67

Download Submit
memory/1128-80-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/1128-85-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1128-76-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1264-38-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1264-42-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/1264-47-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1548-105-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1656-90-0x00000000002D0000-0x00000000002E0000-memory.dmp

Filesize
64KB

Download
memory/1656-86-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1656-95-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1680-57-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1680-61-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/1680-67-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1680-66-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/1920-74-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2192-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2192-32-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/2192-36-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2500-56-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2500-51-0x00000000002D0000-0x00000000002E0000-memory.dmp

Filesize
64KB

Download
memory/2556-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2556-8-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2628-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2628-22-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/2628-26-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2884-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2884-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2884-3-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/2976-99-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/2976-104-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads