408ea9970bd865b054d71182a86ee64eb13417776e1238e415db8bc9af86bbe3

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1da93f00adc213e137e8125eb649b1e0_NeikiAnalytics.exe
Size

64KB
MD5

1da93f00adc213e137e8125eb649b1e0
SHA1

e0d9e1cb58b88bdd80d10d06dede287ff90089be
SHA256

408ea9970bd865b054d71182a86ee64eb13417776e1238e415db8bc9af86bbe3
SHA512

1935bdccffa0d103f5c9c3571f3e570e6734940aceafa461dab1d9194e8c228b91df4ea7af03e86a104ebf21b5353be8b607d39f19e4c7699637c6264297591c
SSDEEP

768:O0w9816vhKQLroCU4/wQxWMZQcpFM1FgDagXP2TyS1tl7lfqvocqcdT3WVdM:pEGh0oCUlwWMZQcpmgDagIyS1loL7WrM

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9189E11-8BB5-470e-9CFD-D5FCE79C8815}\stubpath = "C:\\Windows\\{E9189E11-8BB5-470e-9CFD-D5FCE79C8815}.exe"	{D71FAAEB-16A5-44d2-8174-F796671C4E19}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26B9A622-16FD-4908-A59B-F93923151B2C}\stubpath = "C:\\Windows\\{26B9A622-16FD-4908-A59B-F93923151B2C}.exe"	{E9189E11-8BB5-470e-9CFD-D5FCE79C8815}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EA95D5E-3816-402f-8184-F4CAD4773ED5}	1da93f00adc213e137e8125eb649b1e0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D71FAAEB-16A5-44d2-8174-F796671C4E19}	{6C5936B4-0415-489d-9570-C1CCED7E9FFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E050173B-D1C5-4ff1-9510-20262FC16AE8}\stubpath = "C:\\Windows\\{E050173B-D1C5-4ff1-9510-20262FC16AE8}.exe"	{8C0B259F-C9F3-463a-9EC7-0C465F014238}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C5936B4-0415-489d-9570-C1CCED7E9FFA}	{83A4F6B5-1ED6-4a38-8A3B-3DF9FD48E0DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB78B5B4-E6AA-4a9e-B1DA-0D7B2F54CA43}\stubpath = "C:\\Windows\\{DB78B5B4-E6AA-4a9e-B1DA-0D7B2F54CA43}.exe"	{26B9A622-16FD-4908-A59B-F93923151B2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C0B259F-C9F3-463a-9EC7-0C465F014238}\stubpath = "C:\\Windows\\{8C0B259F-C9F3-463a-9EC7-0C465F014238}.exe"	{5B0E3708-B8FC-43e0-BCB8-199AFDF2D982}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E050173B-D1C5-4ff1-9510-20262FC16AE8}	{8C0B259F-C9F3-463a-9EC7-0C465F014238}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9A8B1F6-E5C0-45d4-94A4-1140ACE2108C}\stubpath = "C:\\Windows\\{C9A8B1F6-E5C0-45d4-94A4-1140ACE2108C}.exe"	{322E33E5-9D5B-4870-A7DB-A28AFBED1582}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D71FAAEB-16A5-44d2-8174-F796671C4E19}\stubpath = "C:\\Windows\\{D71FAAEB-16A5-44d2-8174-F796671C4E19}.exe"	{6C5936B4-0415-489d-9570-C1CCED7E9FFA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9189E11-8BB5-470e-9CFD-D5FCE79C8815}	{D71FAAEB-16A5-44d2-8174-F796671C4E19}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB78B5B4-E6AA-4a9e-B1DA-0D7B2F54CA43}	{26B9A622-16FD-4908-A59B-F93923151B2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B0E3708-B8FC-43e0-BCB8-199AFDF2D982}\stubpath = "C:\\Windows\\{5B0E3708-B8FC-43e0-BCB8-199AFDF2D982}.exe"	{3EA95D5E-3816-402f-8184-F4CAD4773ED5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9A8B1F6-E5C0-45d4-94A4-1140ACE2108C}	{322E33E5-9D5B-4870-A7DB-A28AFBED1582}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C0B259F-C9F3-463a-9EC7-0C465F014238}	{5B0E3708-B8FC-43e0-BCB8-199AFDF2D982}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{322E33E5-9D5B-4870-A7DB-A28AFBED1582}	{E050173B-D1C5-4ff1-9510-20262FC16AE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{322E33E5-9D5B-4870-A7DB-A28AFBED1582}\stubpath = "C:\\Windows\\{322E33E5-9D5B-4870-A7DB-A28AFBED1582}.exe"	{E050173B-D1C5-4ff1-9510-20262FC16AE8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83A4F6B5-1ED6-4a38-8A3B-3DF9FD48E0DC}	{C9A8B1F6-E5C0-45d4-94A4-1140ACE2108C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83A4F6B5-1ED6-4a38-8A3B-3DF9FD48E0DC}\stubpath = "C:\\Windows\\{83A4F6B5-1ED6-4a38-8A3B-3DF9FD48E0DC}.exe"	{C9A8B1F6-E5C0-45d4-94A4-1140ACE2108C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C5936B4-0415-489d-9570-C1CCED7E9FFA}\stubpath = "C:\\Windows\\{6C5936B4-0415-489d-9570-C1CCED7E9FFA}.exe"	{83A4F6B5-1ED6-4a38-8A3B-3DF9FD48E0DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EA95D5E-3816-402f-8184-F4CAD4773ED5}\stubpath = "C:\\Windows\\{3EA95D5E-3816-402f-8184-F4CAD4773ED5}.exe"	1da93f00adc213e137e8125eb649b1e0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B0E3708-B8FC-43e0-BCB8-199AFDF2D982}	{3EA95D5E-3816-402f-8184-F4CAD4773ED5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26B9A622-16FD-4908-A59B-F93923151B2C}	{E9189E11-8BB5-470e-9CFD-D5FCE79C8815}.exe

Executes dropped EXE 12 IoCs

pid	Process
3304	{3EA95D5E-3816-402f-8184-F4CAD4773ED5}.exe
2064	{5B0E3708-B8FC-43e0-BCB8-199AFDF2D982}.exe
1172	{8C0B259F-C9F3-463a-9EC7-0C465F014238}.exe
1764	{E050173B-D1C5-4ff1-9510-20262FC16AE8}.exe
1384	{322E33E5-9D5B-4870-A7DB-A28AFBED1582}.exe
3248	{C9A8B1F6-E5C0-45d4-94A4-1140ACE2108C}.exe
3324	{83A4F6B5-1ED6-4a38-8A3B-3DF9FD48E0DC}.exe
2296	{6C5936B4-0415-489d-9570-C1CCED7E9FFA}.exe
1816	{D71FAAEB-16A5-44d2-8174-F796671C4E19}.exe
4952	{E9189E11-8BB5-470e-9CFD-D5FCE79C8815}.exe
2792	{26B9A622-16FD-4908-A59B-F93923151B2C}.exe
3052	{DB78B5B4-E6AA-4a9e-B1DA-0D7B2F54CA43}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{3EA95D5E-3816-402f-8184-F4CAD4773ED5}.exe	1da93f00adc213e137e8125eb649b1e0_NeikiAnalytics.exe
File created	C:\Windows\{E050173B-D1C5-4ff1-9510-20262FC16AE8}.exe	{8C0B259F-C9F3-463a-9EC7-0C465F014238}.exe
File created	C:\Windows\{C9A8B1F6-E5C0-45d4-94A4-1140ACE2108C}.exe	{322E33E5-9D5B-4870-A7DB-A28AFBED1582}.exe
File created	C:\Windows\{26B9A622-16FD-4908-A59B-F93923151B2C}.exe	{E9189E11-8BB5-470e-9CFD-D5FCE79C8815}.exe
File created	C:\Windows\{DB78B5B4-E6AA-4a9e-B1DA-0D7B2F54CA43}.exe	{26B9A622-16FD-4908-A59B-F93923151B2C}.exe
File created	C:\Windows\{D71FAAEB-16A5-44d2-8174-F796671C4E19}.exe	{6C5936B4-0415-489d-9570-C1CCED7E9FFA}.exe
File created	C:\Windows\{E9189E11-8BB5-470e-9CFD-D5FCE79C8815}.exe	{D71FAAEB-16A5-44d2-8174-F796671C4E19}.exe
File created	C:\Windows\{5B0E3708-B8FC-43e0-BCB8-199AFDF2D982}.exe	{3EA95D5E-3816-402f-8184-F4CAD4773ED5}.exe
File created	C:\Windows\{8C0B259F-C9F3-463a-9EC7-0C465F014238}.exe	{5B0E3708-B8FC-43e0-BCB8-199AFDF2D982}.exe
File created	C:\Windows\{322E33E5-9D5B-4870-A7DB-A28AFBED1582}.exe	{E050173B-D1C5-4ff1-9510-20262FC16AE8}.exe
File created	C:\Windows\{83A4F6B5-1ED6-4a38-8A3B-3DF9FD48E0DC}.exe	{C9A8B1F6-E5C0-45d4-94A4-1140ACE2108C}.exe
File created	C:\Windows\{6C5936B4-0415-489d-9570-C1CCED7E9FFA}.exe	{83A4F6B5-1ED6-4a38-8A3B-3DF9FD48E0DC}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1020	1da93f00adc213e137e8125eb649b1e0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	3304	{3EA95D5E-3816-402f-8184-F4CAD4773ED5}.exe
Token: SeIncBasePriorityPrivilege	2064	{5B0E3708-B8FC-43e0-BCB8-199AFDF2D982}.exe
Token: SeIncBasePriorityPrivilege	1172	{8C0B259F-C9F3-463a-9EC7-0C465F014238}.exe
Token: SeIncBasePriorityPrivilege	1764	{E050173B-D1C5-4ff1-9510-20262FC16AE8}.exe
Token: SeIncBasePriorityPrivilege	1384	{322E33E5-9D5B-4870-A7DB-A28AFBED1582}.exe
Token: SeIncBasePriorityPrivilege	3248	{C9A8B1F6-E5C0-45d4-94A4-1140ACE2108C}.exe
Token: SeIncBasePriorityPrivilege	3324	{83A4F6B5-1ED6-4a38-8A3B-3DF9FD48E0DC}.exe
Token: SeIncBasePriorityPrivilege	2296	{6C5936B4-0415-489d-9570-C1CCED7E9FFA}.exe
Token: SeIncBasePriorityPrivilege	1816	{D71FAAEB-16A5-44d2-8174-F796671C4E19}.exe
Token: SeIncBasePriorityPrivilege	4952	{E9189E11-8BB5-470e-9CFD-D5FCE79C8815}.exe
Token: SeIncBasePriorityPrivilege	2792	{26B9A622-16FD-4908-A59B-F93923151B2C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 3304	1020	1da93f00adc213e137e8125eb649b1e0_NeikiAnalytics.exe	89
PID 1020 wrote to memory of 3304	1020	1da93f00adc213e137e8125eb649b1e0_NeikiAnalytics.exe	89
PID 1020 wrote to memory of 3304	1020	1da93f00adc213e137e8125eb649b1e0_NeikiAnalytics.exe	89
PID 1020 wrote to memory of 5072	1020	1da93f00adc213e137e8125eb649b1e0_NeikiAnalytics.exe	90
PID 1020 wrote to memory of 5072	1020	1da93f00adc213e137e8125eb649b1e0_NeikiAnalytics.exe	90
PID 1020 wrote to memory of 5072	1020	1da93f00adc213e137e8125eb649b1e0_NeikiAnalytics.exe	90
PID 3304 wrote to memory of 2064	3304	{3EA95D5E-3816-402f-8184-F4CAD4773ED5}.exe	91
PID 3304 wrote to memory of 2064	3304	{3EA95D5E-3816-402f-8184-F4CAD4773ED5}.exe	91
PID 3304 wrote to memory of 2064	3304	{3EA95D5E-3816-402f-8184-F4CAD4773ED5}.exe	91
PID 3304 wrote to memory of 32	3304	{3EA95D5E-3816-402f-8184-F4CAD4773ED5}.exe	92
PID 3304 wrote to memory of 32	3304	{3EA95D5E-3816-402f-8184-F4CAD4773ED5}.exe	92
PID 3304 wrote to memory of 32	3304	{3EA95D5E-3816-402f-8184-F4CAD4773ED5}.exe	92
PID 2064 wrote to memory of 1172	2064	{5B0E3708-B8FC-43e0-BCB8-199AFDF2D982}.exe	94
PID 2064 wrote to memory of 1172	2064	{5B0E3708-B8FC-43e0-BCB8-199AFDF2D982}.exe	94
PID 2064 wrote to memory of 1172	2064	{5B0E3708-B8FC-43e0-BCB8-199AFDF2D982}.exe	94
PID 2064 wrote to memory of 2104	2064	{5B0E3708-B8FC-43e0-BCB8-199AFDF2D982}.exe	95
PID 2064 wrote to memory of 2104	2064	{5B0E3708-B8FC-43e0-BCB8-199AFDF2D982}.exe	95
PID 2064 wrote to memory of 2104	2064	{5B0E3708-B8FC-43e0-BCB8-199AFDF2D982}.exe	95
PID 1172 wrote to memory of 1764	1172	{8C0B259F-C9F3-463a-9EC7-0C465F014238}.exe	96
PID 1172 wrote to memory of 1764	1172	{8C0B259F-C9F3-463a-9EC7-0C465F014238}.exe	96
PID 1172 wrote to memory of 1764	1172	{8C0B259F-C9F3-463a-9EC7-0C465F014238}.exe	96
PID 1172 wrote to memory of 3484	1172	{8C0B259F-C9F3-463a-9EC7-0C465F014238}.exe	97
PID 1172 wrote to memory of 3484	1172	{8C0B259F-C9F3-463a-9EC7-0C465F014238}.exe	97
PID 1172 wrote to memory of 3484	1172	{8C0B259F-C9F3-463a-9EC7-0C465F014238}.exe	97
PID 1764 wrote to memory of 1384	1764	{E050173B-D1C5-4ff1-9510-20262FC16AE8}.exe	98
PID 1764 wrote to memory of 1384	1764	{E050173B-D1C5-4ff1-9510-20262FC16AE8}.exe	98
PID 1764 wrote to memory of 1384	1764	{E050173B-D1C5-4ff1-9510-20262FC16AE8}.exe	98
PID 1764 wrote to memory of 4412	1764	{E050173B-D1C5-4ff1-9510-20262FC16AE8}.exe	99
PID 1764 wrote to memory of 4412	1764	{E050173B-D1C5-4ff1-9510-20262FC16AE8}.exe	99
PID 1764 wrote to memory of 4412	1764	{E050173B-D1C5-4ff1-9510-20262FC16AE8}.exe	99
PID 1384 wrote to memory of 3248	1384	{322E33E5-9D5B-4870-A7DB-A28AFBED1582}.exe	100
PID 1384 wrote to memory of 3248	1384	{322E33E5-9D5B-4870-A7DB-A28AFBED1582}.exe	100
PID 1384 wrote to memory of 3248	1384	{322E33E5-9D5B-4870-A7DB-A28AFBED1582}.exe	100
PID 1384 wrote to memory of 3844	1384	{322E33E5-9D5B-4870-A7DB-A28AFBED1582}.exe	101
PID 1384 wrote to memory of 3844	1384	{322E33E5-9D5B-4870-A7DB-A28AFBED1582}.exe	101
PID 1384 wrote to memory of 3844	1384	{322E33E5-9D5B-4870-A7DB-A28AFBED1582}.exe	101
PID 3248 wrote to memory of 3324	3248	{C9A8B1F6-E5C0-45d4-94A4-1140ACE2108C}.exe	102
PID 3248 wrote to memory of 3324	3248	{C9A8B1F6-E5C0-45d4-94A4-1140ACE2108C}.exe	102
PID 3248 wrote to memory of 3324	3248	{C9A8B1F6-E5C0-45d4-94A4-1140ACE2108C}.exe	102
PID 3248 wrote to memory of 540	3248	{C9A8B1F6-E5C0-45d4-94A4-1140ACE2108C}.exe	103
PID 3248 wrote to memory of 540	3248	{C9A8B1F6-E5C0-45d4-94A4-1140ACE2108C}.exe	103
PID 3248 wrote to memory of 540	3248	{C9A8B1F6-E5C0-45d4-94A4-1140ACE2108C}.exe	103
PID 3324 wrote to memory of 2296	3324	{83A4F6B5-1ED6-4a38-8A3B-3DF9FD48E0DC}.exe	104
PID 3324 wrote to memory of 2296	3324	{83A4F6B5-1ED6-4a38-8A3B-3DF9FD48E0DC}.exe	104
PID 3324 wrote to memory of 2296	3324	{83A4F6B5-1ED6-4a38-8A3B-3DF9FD48E0DC}.exe	104
PID 3324 wrote to memory of 3380	3324	{83A4F6B5-1ED6-4a38-8A3B-3DF9FD48E0DC}.exe	105
PID 3324 wrote to memory of 3380	3324	{83A4F6B5-1ED6-4a38-8A3B-3DF9FD48E0DC}.exe	105
PID 3324 wrote to memory of 3380	3324	{83A4F6B5-1ED6-4a38-8A3B-3DF9FD48E0DC}.exe	105
PID 2296 wrote to memory of 1816	2296	{6C5936B4-0415-489d-9570-C1CCED7E9FFA}.exe	106
PID 2296 wrote to memory of 1816	2296	{6C5936B4-0415-489d-9570-C1CCED7E9FFA}.exe	106
PID 2296 wrote to memory of 1816	2296	{6C5936B4-0415-489d-9570-C1CCED7E9FFA}.exe	106
PID 2296 wrote to memory of 2044	2296	{6C5936B4-0415-489d-9570-C1CCED7E9FFA}.exe	107
PID 2296 wrote to memory of 2044	2296	{6C5936B4-0415-489d-9570-C1CCED7E9FFA}.exe	107
PID 2296 wrote to memory of 2044	2296	{6C5936B4-0415-489d-9570-C1CCED7E9FFA}.exe	107
PID 1816 wrote to memory of 4952	1816	{D71FAAEB-16A5-44d2-8174-F796671C4E19}.exe	108
PID 1816 wrote to memory of 4952	1816	{D71FAAEB-16A5-44d2-8174-F796671C4E19}.exe	108
PID 1816 wrote to memory of 4952	1816	{D71FAAEB-16A5-44d2-8174-F796671C4E19}.exe	108
PID 1816 wrote to memory of 3116	1816	{D71FAAEB-16A5-44d2-8174-F796671C4E19}.exe	109
PID 1816 wrote to memory of 3116	1816	{D71FAAEB-16A5-44d2-8174-F796671C4E19}.exe	109
PID 1816 wrote to memory of 3116	1816	{D71FAAEB-16A5-44d2-8174-F796671C4E19}.exe	109
PID 4952 wrote to memory of 2792	4952	{E9189E11-8BB5-470e-9CFD-D5FCE79C8815}.exe	110
PID 4952 wrote to memory of 2792	4952	{E9189E11-8BB5-470e-9CFD-D5FCE79C8815}.exe	110
PID 4952 wrote to memory of 2792	4952	{E9189E11-8BB5-470e-9CFD-D5FCE79C8815}.exe	110
PID 4952 wrote to memory of 3660	4952	{E9189E11-8BB5-470e-9CFD-D5FCE79C8815}.exe	111

C:\Users\Admin\AppData\Local\Temp\1da93f00adc213e137e8125eb649b1e0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1da93f00adc213e137e8125eb649b1e0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Windows\{3EA95D5E-3816-402f-8184-F4CAD4773ED5}.exe
  C:\Windows\{3EA95D5E-3816-402f-8184-F4CAD4773ED5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3304
- - C:\Windows\{5B0E3708-B8FC-43e0-BCB8-199AFDF2D982}.exe
    C:\Windows\{5B0E3708-B8FC-43e0-BCB8-199AFDF2D982}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Windows\{8C0B259F-C9F3-463a-9EC7-0C465F014238}.exe
      C:\Windows\{8C0B259F-C9F3-463a-9EC7-0C465F014238}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1172
    - - C:\Windows\{E050173B-D1C5-4ff1-9510-20262FC16AE8}.exe
        
        C:\Windows\{E050173B-D1C5-4ff1-9510-20262FC16AE8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1764
      - C:\Windows\{322E33E5-9D5B-4870-A7DB-A28AFBED1582}.exe
        
        C:\Windows\{322E33E5-9D5B-4870-A7DB-A28AFBED1582}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\{C9A8B1F6-E5C0-45d4-94A4-1140ACE2108C}.exe
        
        C:\Windows\{C9A8B1F6-E5C0-45d4-94A4-1140ACE2108C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\{83A4F6B5-1ED6-4a38-8A3B-3DF9FD48E0DC}.exe
        
        C:\Windows\{83A4F6B5-1ED6-4a38-8A3B-3DF9FD48E0DC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\{6C5936B4-0415-489d-9570-C1CCED7E9FFA}.exe
        
        C:\Windows\{6C5936B4-0415-489d-9570-C1CCED7E9FFA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\{D71FAAEB-16A5-44d2-8174-F796671C4E19}.exe
        
        C:\Windows\{D71FAAEB-16A5-44d2-8174-F796671C4E19}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\{E9189E11-8BB5-470e-9CFD-D5FCE79C8815}.exe
        
        C:\Windows\{E9189E11-8BB5-470e-9CFD-D5FCE79C8815}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\{26B9A622-16FD-4908-A59B-F93923151B2C}.exe
        
        C:\Windows\{26B9A622-16FD-4908-A59B-F93923151B2C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Windows\{DB78B5B4-E6AA-4a9e-B1DA-0D7B2F54CA43}.exe
        
        C:\Windows\{DB78B5B4-E6AA-4a9e-B1DA-0D7B2F54CA43}.exe
        13⤵
        Executes dropped EXE
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26B9A~1.EXE > nul
        13⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9189~1.EXE > nul
        12⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D71FA~1.EXE > nul
        11⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C593~1.EXE > nul
        10⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83A4F~1.EXE > nul
        9⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9A8B~1.EXE > nul
        8⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{322E3~1.EXE > nul
        7⤵
        
        PID:3844
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0501~1.EXE > nul
        6⤵
        
        PID:4412
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C0B2~1.EXE > nul
        5⤵
        
        PID:3484
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5B0E3~1.EXE > nul
      4⤵
      PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3EA95~1.EXE > nul
    3⤵
    PID:32
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\1DA93F~1.EXE > nul
  2⤵
  PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{26B9A622-16FD-4908-A59B-F93923151B2C}.exe

Filesize
64KB

MD5
61204de3dde9b1c6571d5f92909f862b

SHA1
aed3ab756b8e88dbfd100c8193a7343fbd80b462

SHA256
4d85e01e1e15a0c5e2d07ba74917aea576d61c4afcc5bd6e65465c0b08012923

SHA512
35f62b534c4ed8c0c8884e5e51201c8ea7af2b71c0fbde269531c55b0acdd0091f80c10e86202e280032416bef9de8cd02255caadbad27b6093ae0351e8fc160

Download Submit
C:\Windows\{322E33E5-9D5B-4870-A7DB-A28AFBED1582}.exe

Filesize
64KB

MD5
f2c4572575d35032ebae8f3dcfd6c482

SHA1
cf21f8b5c532a6ed3586fc061804a0e8ef30550a

SHA256
17d90d3307618b95bc3063d338b439720886be865a02f95cdfb6a750256e7785

SHA512
1c4b3b9fc44ef0a9d47c26dad828da513aa5f78d2ae4cfd3c8741c396d08ea089587239cf844445c8b932713a9856da436944b2b1683372181b81a83c03eb661

Download Submit
C:\Windows\{3EA95D5E-3816-402f-8184-F4CAD4773ED5}.exe

Filesize
64KB

MD5
a44c421692b4f44de94e68ff8fb1ce8a

SHA1
c4260e896d7cf57df90aa4967a605f93870b5097

SHA256
6f1f692ac7903de91b07d306c39756d296fd9366d75b7b766e292b76f2e9140c

SHA512
de21383c8d2420a950da8a48d8b0cd1ae62c9f9ae08916fa2501b5e8e1c7bd25dce6ec3358e923eaae547329ba83de55cbbad55f6b3e1a22f94e4ce6663a92ca

Download Submit
C:\Windows\{5B0E3708-B8FC-43e0-BCB8-199AFDF2D982}.exe

Filesize
64KB

MD5
f05431ad7e7f1f7aa469c5d166530138

SHA1
c1b98ae05c3509eb644dd2d94d9ccadc69981693

SHA256
28c2cf6daa04b38ece00f6e01a03d695ab248c838bfa42653bf6ca12600e7dff

SHA512
667d540f1d7bae007931a2823591e7358a5336b22ad4d453c4648cd9642b35a3cbcd246f677d2b4e391cb353684a7b54e5fa8a24ab68d956d4511b9b986085a9

Download Submit
C:\Windows\{6C5936B4-0415-489d-9570-C1CCED7E9FFA}.exe

Filesize
64KB

MD5
1eba4dbfc519ce98587232b0fd162b40

SHA1
a0b8c992e6f5b77f6ba0b4e54ec17c6bb156efa5

SHA256
3e91a6eeaa60f37fff5eadc1b4b05b69f5745999fb07e78e761cebbd303fd925

SHA512
18fe0155a0143d6022af254b1dff2e3b19dfe2fdfc145ce9943c30bb07f5bb70364cdcc6d33464668095af8c199196d1b5a4d770ef2e8eec0933f93548201300

Download Submit
C:\Windows\{83A4F6B5-1ED6-4a38-8A3B-3DF9FD48E0DC}.exe

Filesize
64KB

MD5
d7fb48b0b4e17a43ae88a364c9c1bcba

SHA1
3cbc726dd70c3d7ff6499bc8fb6e3541057fcb8c

SHA256
078f7ed2eb62536436683c0ab23145f52913043f16977f3eea26acebe937f395

SHA512
62a2ae1e923a067ecbbe424ac42459b498cb681bc2273563c8362375994e7bc4ce61fc950b04bba2d43ae8d79cd6c32e10ce38169a246b3dca3cb49afa5d939c

Download Submit
C:\Windows\{8C0B259F-C9F3-463a-9EC7-0C465F014238}.exe

Filesize
64KB

MD5
28d68272062fba18cf9bf2808cc56852

SHA1
fc4221b76250c17a0e98643627af05d449b61e4a

SHA256
885bb9378b7ceb294e63379e3fe625bb429eaee01fc4d8830285aadc42fce104

SHA512
7e20193aacd7fe9b384a7fddd7dc74491190bdc05d49af9c2131c7f058ab3768d35bde73da9fe1dd8676dfbaee3f7d7353123cede2b511135dc11c2373c62487

Download Submit
C:\Windows\{C9A8B1F6-E5C0-45d4-94A4-1140ACE2108C}.exe

Filesize
64KB

MD5
70cbe5f0d04167b974aea7dc43e8c612

SHA1
60b55764dd12ee705a7384380dfbc3056a941694

SHA256
df0085ab3aa58a745e47e5666d13c0512cf58c0dd19eebcae0a4f3898074f1d4

SHA512
40bc1a5309105e5f8502907ee1136ed3ed91763020f74eac6f0565757fd651781f7d34aabe28703d61feb57b035a50b89aea9d1df6c6518a87d773dfc97b4911

Download Submit
C:\Windows\{D71FAAEB-16A5-44d2-8174-F796671C4E19}.exe

Filesize
64KB

MD5
fe9d9469ecd5671b2e432d3df2f4af09

SHA1
3d2692d584468dd1ba8128b284e6b649d3bef95b

SHA256
907c2feb59726c6b1ad196536b9cce0171bd2dd5a99dee027e79691f33e5b7e4

SHA512
8d69b50635c2cd53be42ae27bc70c203f7e6222ed60beaaf46f7a6ae02be0423593349a98757a452d529cea268db8a14f1cf95d7292a4a682652e81f57854584

Download Submit
C:\Windows\{DB78B5B4-E6AA-4a9e-B1DA-0D7B2F54CA43}.exe

Filesize
64KB

MD5
5fb7ef2312a9d284c5600e8a4af2df5e

SHA1
f3a3f6bcfbb388356416104e770237eee9d396ca

SHA256
fae42eba87f2777bb8c29bbb4f1e7624ecd7c6d574c7fe761ee6e2d7fa4ff1e7

SHA512
7b88d2a69328060da498128a28aa469ffc56331b143b7964848fa943c95699274c02b72cd9f5fa14a8bacb5fd88a34f6dd5b2fea504f7064aa4c5efea053bce0

Download Submit
C:\Windows\{E050173B-D1C5-4ff1-9510-20262FC16AE8}.exe

Filesize
64KB

MD5
3e70d8a8c2d9f5a317d31adce241bba8

SHA1
2e81701f89cfbc93c20b11ae2aa222ae19563782

SHA256
aec26422e89af766b46eb0a9dcb11a0a6c558aba2c0efc87871dd7325775be8f

SHA512
df3a167d9bcab647dc82530a97e0258f9648e1fc7a0300a7a14193ceec178bc9d22d66dfb6494ab6035563b4073cbc4a6203fbadc353cfc76cf34165d04e2e4d

Download Submit
C:\Windows\{E9189E11-8BB5-470e-9CFD-D5FCE79C8815}.exe

Filesize
64KB

MD5
f6abc8107744e734fa5e500f95daf89d

SHA1
81947e2da5e4ef7245c336e1b37e31c3513c6e26

SHA256
c6d073f641294f949637c5fd965066e0de848ea29f32f140c9173c3f40495350

SHA512
f60565151b25fc7b149cf1b7850b4f9736fd1479832e6a4d7cd0ae5bde0f2f9675dc258cca95f60a83c48f34aaf63ccf6edf684fc6325630db4ccaeb50787b62

Download Submit
memory/1020-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1020-4-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1172-21-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1172-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1384-29-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1384-34-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1764-23-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1764-27-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1816-52-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1816-57-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2064-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2064-12-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2296-46-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2296-51-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2792-69-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3052-70-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3248-40-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3304-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3304-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3324-44-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3324-41-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4952-59-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4952-64-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads