29cd46889c97ce06b400547815cfb5a9ce5b4b38123c55441370e9475153f07b

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ab6ffcf6854763f80664caf5fcda820_NeikiAnalytics.exe
Size

90KB
MD5

9ab6ffcf6854763f80664caf5fcda820
SHA1

84c7555020048d2c31c3919a1d8067777a234343
SHA256

29cd46889c97ce06b400547815cfb5a9ce5b4b38123c55441370e9475153f07b
SHA512

518500c1da26c0a588764eda181f57243dd6f753e368eb3b3d9a1fbe7bdc40263b72b8c20bcb3c224f9dbbf8d4de661a5b3bb42e3e4c18383afa5737d9bb8466
SSDEEP

768:Qvw9816vhKQLrow4/wQRNrfrunMxVFA3b7glws:YEGh0owl2unMxVS3Hgz

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F9C9F63-5E39-4fde-AC2D-6DAE15AE6A2C}	{2B7EE79A-C96A-4e09-A1C0-E8A5F26FB695}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F9C9F63-5E39-4fde-AC2D-6DAE15AE6A2C}\stubpath = "C:\\Windows\\{7F9C9F63-5E39-4fde-AC2D-6DAE15AE6A2C}.exe"	{2B7EE79A-C96A-4e09-A1C0-E8A5F26FB695}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C955710-6ACF-4daf-B58D-7DF93568272D}	{F8D71164-909A-44e6-83B6-3FDA22F73CBF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{333FC587-2A8D-4000-9531-DD056840559C}	{2C955710-6ACF-4daf-B58D-7DF93568272D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E046165-BB01-4f70-B2D8-BF627CE1080D}	{3B1B7BE2-61F3-4f98-BB9B-8930EB1F0722}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E046165-BB01-4f70-B2D8-BF627CE1080D}\stubpath = "C:\\Windows\\{4E046165-BB01-4f70-B2D8-BF627CE1080D}.exe"	{3B1B7BE2-61F3-4f98-BB9B-8930EB1F0722}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B7EE79A-C96A-4e09-A1C0-E8A5F26FB695}	{AC80C224-C2E8-4ab7-9F77-20CC2B0ED24A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C955710-6ACF-4daf-B58D-7DF93568272D}\stubpath = "C:\\Windows\\{2C955710-6ACF-4daf-B58D-7DF93568272D}.exe"	{F8D71164-909A-44e6-83B6-3FDA22F73CBF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{333FC587-2A8D-4000-9531-DD056840559C}\stubpath = "C:\\Windows\\{333FC587-2A8D-4000-9531-DD056840559C}.exe"	{2C955710-6ACF-4daf-B58D-7DF93568272D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F76AC6CF-1FF6-4fdd-9179-72EFC0CDF45C}\stubpath = "C:\\Windows\\{F76AC6CF-1FF6-4fdd-9179-72EFC0CDF45C}.exe"	{333FC587-2A8D-4000-9531-DD056840559C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B1B7BE2-61F3-4f98-BB9B-8930EB1F0722}\stubpath = "C:\\Windows\\{3B1B7BE2-61F3-4f98-BB9B-8930EB1F0722}.exe"	{9AA96A21-50CF-43b1-8C07-8B399788781A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC8626A1-08DC-41c1-9378-6EBE56218615}\stubpath = "C:\\Windows\\{CC8626A1-08DC-41c1-9378-6EBE56218615}.exe"	{7F9C9F63-5E39-4fde-AC2D-6DAE15AE6A2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8D71164-909A-44e6-83B6-3FDA22F73CBF}\stubpath = "C:\\Windows\\{F8D71164-909A-44e6-83B6-3FDA22F73CBF}.exe"	{CC8626A1-08DC-41c1-9378-6EBE56218615}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AA96A21-50CF-43b1-8C07-8B399788781A}\stubpath = "C:\\Windows\\{9AA96A21-50CF-43b1-8C07-8B399788781A}.exe"	{F76AC6CF-1FF6-4fdd-9179-72EFC0CDF45C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC80C224-C2E8-4ab7-9F77-20CC2B0ED24A}	9ab6ffcf6854763f80664caf5fcda820_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B7EE79A-C96A-4e09-A1C0-E8A5F26FB695}\stubpath = "C:\\Windows\\{2B7EE79A-C96A-4e09-A1C0-E8A5F26FB695}.exe"	{AC80C224-C2E8-4ab7-9F77-20CC2B0ED24A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC8626A1-08DC-41c1-9378-6EBE56218615}	{7F9C9F63-5E39-4fde-AC2D-6DAE15AE6A2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8D71164-909A-44e6-83B6-3FDA22F73CBF}	{CC8626A1-08DC-41c1-9378-6EBE56218615}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F76AC6CF-1FF6-4fdd-9179-72EFC0CDF45C}	{333FC587-2A8D-4000-9531-DD056840559C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AA96A21-50CF-43b1-8C07-8B399788781A}	{F76AC6CF-1FF6-4fdd-9179-72EFC0CDF45C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3B1B7BE2-61F3-4f98-BB9B-8930EB1F0722}	{9AA96A21-50CF-43b1-8C07-8B399788781A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC80C224-C2E8-4ab7-9F77-20CC2B0ED24A}\stubpath = "C:\\Windows\\{AC80C224-C2E8-4ab7-9F77-20CC2B0ED24A}.exe"	9ab6ffcf6854763f80664caf5fcda820_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
2508	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2896	{AC80C224-C2E8-4ab7-9F77-20CC2B0ED24A}.exe
2920	{2B7EE79A-C96A-4e09-A1C0-E8A5F26FB695}.exe
1656	{7F9C9F63-5E39-4fde-AC2D-6DAE15AE6A2C}.exe
2108	{CC8626A1-08DC-41c1-9378-6EBE56218615}.exe
2692	{F8D71164-909A-44e6-83B6-3FDA22F73CBF}.exe
1580	{2C955710-6ACF-4daf-B58D-7DF93568272D}.exe
1280	{333FC587-2A8D-4000-9531-DD056840559C}.exe
2032	{F76AC6CF-1FF6-4fdd-9179-72EFC0CDF45C}.exe
2188	{9AA96A21-50CF-43b1-8C07-8B399788781A}.exe
2764	{3B1B7BE2-61F3-4f98-BB9B-8930EB1F0722}.exe
1172	{4E046165-BB01-4f70-B2D8-BF627CE1080D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{2B7EE79A-C96A-4e09-A1C0-E8A5F26FB695}.exe	{AC80C224-C2E8-4ab7-9F77-20CC2B0ED24A}.exe
File created	C:\Windows\{F8D71164-909A-44e6-83B6-3FDA22F73CBF}.exe	{CC8626A1-08DC-41c1-9378-6EBE56218615}.exe
File created	C:\Windows\{F76AC6CF-1FF6-4fdd-9179-72EFC0CDF45C}.exe	{333FC587-2A8D-4000-9531-DD056840559C}.exe
File created	C:\Windows\{9AA96A21-50CF-43b1-8C07-8B399788781A}.exe	{F76AC6CF-1FF6-4fdd-9179-72EFC0CDF45C}.exe
File created	C:\Windows\{4E046165-BB01-4f70-B2D8-BF627CE1080D}.exe	{3B1B7BE2-61F3-4f98-BB9B-8930EB1F0722}.exe
File created	C:\Windows\{AC80C224-C2E8-4ab7-9F77-20CC2B0ED24A}.exe	9ab6ffcf6854763f80664caf5fcda820_NeikiAnalytics.exe
File created	C:\Windows\{7F9C9F63-5E39-4fde-AC2D-6DAE15AE6A2C}.exe	{2B7EE79A-C96A-4e09-A1C0-E8A5F26FB695}.exe
File created	C:\Windows\{CC8626A1-08DC-41c1-9378-6EBE56218615}.exe	{7F9C9F63-5E39-4fde-AC2D-6DAE15AE6A2C}.exe
File created	C:\Windows\{2C955710-6ACF-4daf-B58D-7DF93568272D}.exe	{F8D71164-909A-44e6-83B6-3FDA22F73CBF}.exe
File created	C:\Windows\{333FC587-2A8D-4000-9531-DD056840559C}.exe	{2C955710-6ACF-4daf-B58D-7DF93568272D}.exe
File created	C:\Windows\{3B1B7BE2-61F3-4f98-BB9B-8930EB1F0722}.exe	{9AA96A21-50CF-43b1-8C07-8B399788781A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2460	9ab6ffcf6854763f80664caf5fcda820_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2896	{AC80C224-C2E8-4ab7-9F77-20CC2B0ED24A}.exe
Token: SeIncBasePriorityPrivilege	2920	{2B7EE79A-C96A-4e09-A1C0-E8A5F26FB695}.exe
Token: SeIncBasePriorityPrivilege	1656	{7F9C9F63-5E39-4fde-AC2D-6DAE15AE6A2C}.exe
Token: SeIncBasePriorityPrivilege	2108	{CC8626A1-08DC-41c1-9378-6EBE56218615}.exe
Token: SeIncBasePriorityPrivilege	2692	{F8D71164-909A-44e6-83B6-3FDA22F73CBF}.exe
Token: SeIncBasePriorityPrivilege	1580	{2C955710-6ACF-4daf-B58D-7DF93568272D}.exe
Token: SeIncBasePriorityPrivilege	1280	{333FC587-2A8D-4000-9531-DD056840559C}.exe
Token: SeIncBasePriorityPrivilege	2032	{F76AC6CF-1FF6-4fdd-9179-72EFC0CDF45C}.exe
Token: SeIncBasePriorityPrivilege	2188	{9AA96A21-50CF-43b1-8C07-8B399788781A}.exe
Token: SeIncBasePriorityPrivilege	2764	{3B1B7BE2-61F3-4f98-BB9B-8930EB1F0722}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2896	2460	9ab6ffcf6854763f80664caf5fcda820_NeikiAnalytics.exe	28
PID 2460 wrote to memory of 2896	2460	9ab6ffcf6854763f80664caf5fcda820_NeikiAnalytics.exe	28
PID 2460 wrote to memory of 2896	2460	9ab6ffcf6854763f80664caf5fcda820_NeikiAnalytics.exe	28
PID 2460 wrote to memory of 2896	2460	9ab6ffcf6854763f80664caf5fcda820_NeikiAnalytics.exe	28
PID 2460 wrote to memory of 2508	2460	9ab6ffcf6854763f80664caf5fcda820_NeikiAnalytics.exe	29
PID 2460 wrote to memory of 2508	2460	9ab6ffcf6854763f80664caf5fcda820_NeikiAnalytics.exe	29
PID 2460 wrote to memory of 2508	2460	9ab6ffcf6854763f80664caf5fcda820_NeikiAnalytics.exe	29
PID 2460 wrote to memory of 2508	2460	9ab6ffcf6854763f80664caf5fcda820_NeikiAnalytics.exe	29
PID 2896 wrote to memory of 2920	2896	{AC80C224-C2E8-4ab7-9F77-20CC2B0ED24A}.exe	30
PID 2896 wrote to memory of 2920	2896	{AC80C224-C2E8-4ab7-9F77-20CC2B0ED24A}.exe	30
PID 2896 wrote to memory of 2920	2896	{AC80C224-C2E8-4ab7-9F77-20CC2B0ED24A}.exe	30
PID 2896 wrote to memory of 2920	2896	{AC80C224-C2E8-4ab7-9F77-20CC2B0ED24A}.exe	30
PID 2896 wrote to memory of 2412	2896	{AC80C224-C2E8-4ab7-9F77-20CC2B0ED24A}.exe	31
PID 2896 wrote to memory of 2412	2896	{AC80C224-C2E8-4ab7-9F77-20CC2B0ED24A}.exe	31
PID 2896 wrote to memory of 2412	2896	{AC80C224-C2E8-4ab7-9F77-20CC2B0ED24A}.exe	31
PID 2896 wrote to memory of 2412	2896	{AC80C224-C2E8-4ab7-9F77-20CC2B0ED24A}.exe	31
PID 2920 wrote to memory of 1656	2920	{2B7EE79A-C96A-4e09-A1C0-E8A5F26FB695}.exe	32
PID 2920 wrote to memory of 1656	2920	{2B7EE79A-C96A-4e09-A1C0-E8A5F26FB695}.exe	32
PID 2920 wrote to memory of 1656	2920	{2B7EE79A-C96A-4e09-A1C0-E8A5F26FB695}.exe	32
PID 2920 wrote to memory of 1656	2920	{2B7EE79A-C96A-4e09-A1C0-E8A5F26FB695}.exe	32
PID 2920 wrote to memory of 2432	2920	{2B7EE79A-C96A-4e09-A1C0-E8A5F26FB695}.exe	33
PID 2920 wrote to memory of 2432	2920	{2B7EE79A-C96A-4e09-A1C0-E8A5F26FB695}.exe	33
PID 2920 wrote to memory of 2432	2920	{2B7EE79A-C96A-4e09-A1C0-E8A5F26FB695}.exe	33
PID 2920 wrote to memory of 2432	2920	{2B7EE79A-C96A-4e09-A1C0-E8A5F26FB695}.exe	33
PID 1656 wrote to memory of 2108	1656	{7F9C9F63-5E39-4fde-AC2D-6DAE15AE6A2C}.exe	36
PID 1656 wrote to memory of 2108	1656	{7F9C9F63-5E39-4fde-AC2D-6DAE15AE6A2C}.exe	36
PID 1656 wrote to memory of 2108	1656	{7F9C9F63-5E39-4fde-AC2D-6DAE15AE6A2C}.exe	36
PID 1656 wrote to memory of 2108	1656	{7F9C9F63-5E39-4fde-AC2D-6DAE15AE6A2C}.exe	36
PID 1656 wrote to memory of 884	1656	{7F9C9F63-5E39-4fde-AC2D-6DAE15AE6A2C}.exe	37
PID 1656 wrote to memory of 884	1656	{7F9C9F63-5E39-4fde-AC2D-6DAE15AE6A2C}.exe	37
PID 1656 wrote to memory of 884	1656	{7F9C9F63-5E39-4fde-AC2D-6DAE15AE6A2C}.exe	37
PID 1656 wrote to memory of 884	1656	{7F9C9F63-5E39-4fde-AC2D-6DAE15AE6A2C}.exe	37
PID 2108 wrote to memory of 2692	2108	{CC8626A1-08DC-41c1-9378-6EBE56218615}.exe	38
PID 2108 wrote to memory of 2692	2108	{CC8626A1-08DC-41c1-9378-6EBE56218615}.exe	38
PID 2108 wrote to memory of 2692	2108	{CC8626A1-08DC-41c1-9378-6EBE56218615}.exe	38
PID 2108 wrote to memory of 2692	2108	{CC8626A1-08DC-41c1-9378-6EBE56218615}.exe	38
PID 2108 wrote to memory of 1976	2108	{CC8626A1-08DC-41c1-9378-6EBE56218615}.exe	39
PID 2108 wrote to memory of 1976	2108	{CC8626A1-08DC-41c1-9378-6EBE56218615}.exe	39
PID 2108 wrote to memory of 1976	2108	{CC8626A1-08DC-41c1-9378-6EBE56218615}.exe	39
PID 2108 wrote to memory of 1976	2108	{CC8626A1-08DC-41c1-9378-6EBE56218615}.exe	39
PID 2692 wrote to memory of 1580	2692	{F8D71164-909A-44e6-83B6-3FDA22F73CBF}.exe	40
PID 2692 wrote to memory of 1580	2692	{F8D71164-909A-44e6-83B6-3FDA22F73CBF}.exe	40
PID 2692 wrote to memory of 1580	2692	{F8D71164-909A-44e6-83B6-3FDA22F73CBF}.exe	40
PID 2692 wrote to memory of 1580	2692	{F8D71164-909A-44e6-83B6-3FDA22F73CBF}.exe	40
PID 2692 wrote to memory of 1576	2692	{F8D71164-909A-44e6-83B6-3FDA22F73CBF}.exe	41
PID 2692 wrote to memory of 1576	2692	{F8D71164-909A-44e6-83B6-3FDA22F73CBF}.exe	41
PID 2692 wrote to memory of 1576	2692	{F8D71164-909A-44e6-83B6-3FDA22F73CBF}.exe	41
PID 2692 wrote to memory of 1576	2692	{F8D71164-909A-44e6-83B6-3FDA22F73CBF}.exe	41
PID 1580 wrote to memory of 1280	1580	{2C955710-6ACF-4daf-B58D-7DF93568272D}.exe	42
PID 1580 wrote to memory of 1280	1580	{2C955710-6ACF-4daf-B58D-7DF93568272D}.exe	42
PID 1580 wrote to memory of 1280	1580	{2C955710-6ACF-4daf-B58D-7DF93568272D}.exe	42
PID 1580 wrote to memory of 1280	1580	{2C955710-6ACF-4daf-B58D-7DF93568272D}.exe	42
PID 1580 wrote to memory of 1404	1580	{2C955710-6ACF-4daf-B58D-7DF93568272D}.exe	43
PID 1580 wrote to memory of 1404	1580	{2C955710-6ACF-4daf-B58D-7DF93568272D}.exe	43
PID 1580 wrote to memory of 1404	1580	{2C955710-6ACF-4daf-B58D-7DF93568272D}.exe	43
PID 1580 wrote to memory of 1404	1580	{2C955710-6ACF-4daf-B58D-7DF93568272D}.exe	43
PID 1280 wrote to memory of 2032	1280	{333FC587-2A8D-4000-9531-DD056840559C}.exe	44
PID 1280 wrote to memory of 2032	1280	{333FC587-2A8D-4000-9531-DD056840559C}.exe	44
PID 1280 wrote to memory of 2032	1280	{333FC587-2A8D-4000-9531-DD056840559C}.exe	44
PID 1280 wrote to memory of 2032	1280	{333FC587-2A8D-4000-9531-DD056840559C}.exe	44
PID 1280 wrote to memory of 2792	1280	{333FC587-2A8D-4000-9531-DD056840559C}.exe	45
PID 1280 wrote to memory of 2792	1280	{333FC587-2A8D-4000-9531-DD056840559C}.exe	45
PID 1280 wrote to memory of 2792	1280	{333FC587-2A8D-4000-9531-DD056840559C}.exe	45
PID 1280 wrote to memory of 2792	1280	{333FC587-2A8D-4000-9531-DD056840559C}.exe	45

C:\Users\Admin\AppData\Local\Temp\9ab6ffcf6854763f80664caf5fcda820_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9ab6ffcf6854763f80664caf5fcda820_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\{AC80C224-C2E8-4ab7-9F77-20CC2B0ED24A}.exe
  C:\Windows\{AC80C224-C2E8-4ab7-9F77-20CC2B0ED24A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\{2B7EE79A-C96A-4e09-A1C0-E8A5F26FB695}.exe
    C:\Windows\{2B7EE79A-C96A-4e09-A1C0-E8A5F26FB695}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\{7F9C9F63-5E39-4fde-AC2D-6DAE15AE6A2C}.exe
      C:\Windows\{7F9C9F63-5E39-4fde-AC2D-6DAE15AE6A2C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Windows\{CC8626A1-08DC-41c1-9378-6EBE56218615}.exe
        
        C:\Windows\{CC8626A1-08DC-41c1-9378-6EBE56218615}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2108
      - C:\Windows\{F8D71164-909A-44e6-83B6-3FDA22F73CBF}.exe
        
        C:\Windows\{F8D71164-909A-44e6-83B6-3FDA22F73CBF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\{2C955710-6ACF-4daf-B58D-7DF93568272D}.exe
        
        C:\Windows\{2C955710-6ACF-4daf-B58D-7DF93568272D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\{333FC587-2A8D-4000-9531-DD056840559C}.exe
        
        C:\Windows\{333FC587-2A8D-4000-9531-DD056840559C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\{F76AC6CF-1FF6-4fdd-9179-72EFC0CDF45C}.exe
        
        C:\Windows\{F76AC6CF-1FF6-4fdd-9179-72EFC0CDF45C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\{9AA96A21-50CF-43b1-8C07-8B399788781A}.exe
        
        C:\Windows\{9AA96A21-50CF-43b1-8C07-8B399788781A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
        
        C:\Windows\{3B1B7BE2-61F3-4f98-BB9B-8930EB1F0722}.exe
        
        C:\Windows\{3B1B7BE2-61F3-4f98-BB9B-8930EB1F0722}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\{4E046165-BB01-4f70-B2D8-BF627CE1080D}.exe
        
        C:\Windows\{4E046165-BB01-4f70-B2D8-BF627CE1080D}.exe
        12⤵
        Executes dropped EXE
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B1B7~1.EXE > nul
        12⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9AA96~1.EXE > nul
        11⤵
        
        PID:480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F76AC~1.EXE > nul
        10⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{333FC~1.EXE > nul
        9⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C955~1.EXE > nul
        8⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8D71~1.EXE > nul
        7⤵
        
        PID:1576
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC862~1.EXE > nul
        6⤵
        
        PID:1976
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F9C9~1.EXE > nul
        5⤵
        
        PID:884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2B7EE~1.EXE > nul
      4⤵
      PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AC80C~1.EXE > nul
    3⤵
    PID:2412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9AB6FF~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2B7EE79A-C96A-4e09-A1C0-E8A5F26FB695}.exe

Filesize
90KB

MD5
e591f8d63e5f39ec5b9cbe76d9c422ac

SHA1
4ec791b33b67fd4968a00fedc103036b19f37c37

SHA256
e14002c72c8371a1c1f1ec62b165f716298a715a3a94b942fd2f39f264fee16f

SHA512
ef7a00cc3ef6213f44dc05a68d4cd91f001f11108782815ff6ad4efbd4bb754e3b2542620aa38fb0158d12c1fd197103090a0a04dae216c41e05e94bae6b4542

Download Submit
C:\Windows\{2C955710-6ACF-4daf-B58D-7DF93568272D}.exe

Filesize
90KB

MD5
5a672d37842541c7edc7ad9d0df0681c

SHA1
0e48b64383411ed27f4a69c9763e5ad40c2d28bd

SHA256
e27d18d6f48571bad05e212dae47e94e5f1cd34fa055896ff0a9f1cb5e93033b

SHA512
2dadf60663ea815db88cc09316edf858cf3e9d6f7546b35696fb801bf31723448f1a76ed06b1c1f5651d091e47de0a7c05d1f773b074d5f49d09af04f78950a0

Download Submit
C:\Windows\{333FC587-2A8D-4000-9531-DD056840559C}.exe

Filesize
90KB

MD5
011742709e170a2819423b464bab5de5

SHA1
d182e6e72538a626a8e1df98592c86e3eec8e6a2

SHA256
5bd71895eb52e6fd45b98c872131779ec897002368ac2bad550e5d00de95ee15

SHA512
833b8aa140945f73043eebbb3d2a4c32ba4b3e05b4ea9fb2c9049928a49bfad32e5a776e4782d0e7227a01b018728fb11a161e391f5746320648729d1e24e008

Download Submit
C:\Windows\{3B1B7BE2-61F3-4f98-BB9B-8930EB1F0722}.exe

Filesize
90KB

MD5
213efd3de0e482f93f870c35d8d6d38e

SHA1
fb114bee5837161ca3ea8c2db01e7cf3097ae79e

SHA256
517879dc1f4a2aba1a158cf08872c0d24445e9b4e06b5e27ece77cc300dbf1db

SHA512
439f78f22527e8c59a0ae6c6fe88fb78f899780529f32ace5def296fcbc09d1b9d313ef5f84b05da2bddc93f0edd628f48f05efbd3c43ff79e7b2a654b37aa14

Download Submit
C:\Windows\{4E046165-BB01-4f70-B2D8-BF627CE1080D}.exe

Filesize
90KB

MD5
7fad0eae53f1c0d565654b72569f1e41

SHA1
fec971a24c23c375d726efbbe56ea6d7ec90d6a0

SHA256
3d4b3a3a85ea20daedc6040cccf3e3d8cbf4a8071fc65f9c89808ef876e7ed5f

SHA512
1a401d49971f70c50f8376cf9eef8b0aa3627c0a2e66a835217ab4e13369c886c1e386bbb6f8958f229c961e8caa6573344571da16420f48cf0102dbb9725124

Download Submit
C:\Windows\{7F9C9F63-5E39-4fde-AC2D-6DAE15AE6A2C}.exe

Filesize
90KB

MD5
d7d3bafcb59e2044a9c329f9d88918a9

SHA1
5742400a6a590046fbb17e46b497650dd912c022

SHA256
19c096b3e91c9ced978a91e9661e14ad6096b461960061b5fe85b1399ba24b91

SHA512
dfc457ea790f13808c7bfa6c7ed380c902a388f4624d2b8a170cce89be88acf85e4a59501968f73a708d57e6600503ef4d8cb3189c419f597a4621b270c98065

Download Submit
C:\Windows\{9AA96A21-50CF-43b1-8C07-8B399788781A}.exe

Filesize
90KB

MD5
035bd5cdde14c23ed437e55a21c2abff

SHA1
c568e1992298ebfa9dea47f39dc7aa037b62e889

SHA256
e88e4ef50f41f2c251600d4435e354e0d2d9f9b99dcc7ea0afb2adb637156ecb

SHA512
5874ac3e0c43ffe7bb39702f6d8e6a1dd7e74a1a9be121a7efe0a01d36e976c5b51531a7374ba7d6f25c1d7b6a1f2c5711f6485ca0b4e51b1b130b951959172c

Download Submit
C:\Windows\{AC80C224-C2E8-4ab7-9F77-20CC2B0ED24A}.exe

Filesize
90KB

MD5
c37bf2c503153ac6976388f8e0350af0

SHA1
c5ca89b3061b79e0c0c63e37b6002be6a458ae3f

SHA256
58904beacf78f02fce4f94745271df18c7312e93c1188c69a8679b812afff123

SHA512
96b9541ed659a98b544c04b8e4fb9a80bdc08e44f0092d917d9144c9ba271b7b916729795eb3aac5bb25439197c524d0b01887607062bac7dacad98c2e1bac4c

Download Submit
C:\Windows\{CC8626A1-08DC-41c1-9378-6EBE56218615}.exe

Filesize
90KB

MD5
d907dba8a7c6ac49924a832abf92864c

SHA1
ae665bd52656eaa3f9ebebdef2cce10c8d7f4859

SHA256
de8d51e7a3bc48e0ee4d73ad9ce939e28c636db3eaa2eed5878f669067df808d

SHA512
ef8238c612d624a881ba66ecd7e906583fbe84cf797bcca0e249e5fa3fb45b19d8606fbaad21b730d8973cc541e9ac7e0dbd9db13d27396099883078fd3bbb72

Download Submit
C:\Windows\{F76AC6CF-1FF6-4fdd-9179-72EFC0CDF45C}.exe

Filesize
90KB

MD5
8e708d8a52d6ac521db6c2bdbde43246

SHA1
10683f5b22543ddffebbb7fcc536bc24fa759746

SHA256
29d53c729a787d4860b72547268a323a2b759556a797718d66b814d508adf94e

SHA512
0eef12b2635dbab566c17243652ab4abc27f596d46a2ab3691dcec04f5838f800ddd649388e757fc74cf4dde2f49dc42f4259533ec5c07885556fd5e7d14aa72

Download Submit
C:\Windows\{F8D71164-909A-44e6-83B6-3FDA22F73CBF}.exe

Filesize
90KB

MD5
c70394557aff77b982627eb1a9b371b7

SHA1
c8ed60864ebe3edfd94cc9cb64d7f18d22f98abf

SHA256
ab1136a9754d8ed8613e7de3bdb1d4359717614bde3c618e2cd8e02f1bd04f4a

SHA512
657ce6f8c4ec149b6efcba74f7a5c3333cb9a3c823b0d190b5cc07c7d58727c47eacea92fcb91f261e0328939936b561d70334a5db416e0e9525784ba91b13c1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads