5dd3b3f9bc7fe3ba2fbf8f3cb9bbebd2804eb2af4979c028a4ecc30060db9ddb

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
04/06/2024, 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bd89d5bb47e6638e0c3560a06bdbc10_NeikiAnalytics.exe
Size

80KB
MD5

0bd89d5bb47e6638e0c3560a06bdbc10
SHA1

d34ceb7145722e2bee9471970cc3023467b8a679
SHA256

5dd3b3f9bc7fe3ba2fbf8f3cb9bbebd2804eb2af4979c028a4ecc30060db9ddb
SHA512

1c69ae73e6bb4016430d0187a09460a40bcdb9b798bf6c2c6c389848432deaed38d4867b651417f94a41bf4ee9bc2efd39fa58f2b230233000f0e34a400e5711
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLroH4/CFsrdOI1Nb7g7FX7XYfruVDtM9tQ/FKlnVwUUOV:vvw9816vhKQLroH4/wQRNrfrunMxVFAi

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2678B5AF-1AA5-4f5e-A598-00F7F6ABBDB6}	{7EF138F0-C671-4712-91C4-87A82A2CC87F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAC7E50A-3BBD-4b8c-B61F-AAD25B27E5F7}\stubpath = "C:\\Windows\\{FAC7E50A-3BBD-4b8c-B61F-AAD25B27E5F7}.exe"	{2678B5AF-1AA5-4f5e-A598-00F7F6ABBDB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BE27B2C-C9E5-4375-A709-927A55754698}	{D5C69F6B-4681-4537-8FE9-186025C3F332}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BE27B2C-C9E5-4375-A709-927A55754698}\stubpath = "C:\\Windows\\{9BE27B2C-C9E5-4375-A709-927A55754698}.exe"	{D5C69F6B-4681-4537-8FE9-186025C3F332}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A98C69DA-527C-49b6-9656-9E6C078C1CC9}\stubpath = "C:\\Windows\\{A98C69DA-527C-49b6-9656-9E6C078C1CC9}.exe"	{B4140A8A-D9FB-40d3-A00E-2FB9F867FBD3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF1BA4E1-05D0-4c16-AB0C-1989E615C30F}	0bd89d5bb47e6638e0c3560a06bdbc10_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EF138F0-C671-4712-91C4-87A82A2CC87F}\stubpath = "C:\\Windows\\{7EF138F0-C671-4712-91C4-87A82A2CC87F}.exe"	{4FD37927-57B6-43f0-A3EB-9E1AE30415B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4140A8A-D9FB-40d3-A00E-2FB9F867FBD3}\stubpath = "C:\\Windows\\{B4140A8A-D9FB-40d3-A00E-2FB9F867FBD3}.exe"	{E885A0BD-03B2-40a7-B34C-1AD367712B3B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{505576D6-CBAE-49b2-8DCC-BCF244B0A139}	{A98C69DA-527C-49b6-9656-9E6C078C1CC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FD37927-57B6-43f0-A3EB-9E1AE30415B2}\stubpath = "C:\\Windows\\{4FD37927-57B6-43f0-A3EB-9E1AE30415B2}.exe"	{CF1BA4E1-05D0-4c16-AB0C-1989E615C30F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5C69F6B-4681-4537-8FE9-186025C3F332}	{FAC7E50A-3BBD-4b8c-B61F-AAD25B27E5F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7EF138F0-C671-4712-91C4-87A82A2CC87F}	{4FD37927-57B6-43f0-A3EB-9E1AE30415B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAC7E50A-3BBD-4b8c-B61F-AAD25B27E5F7}	{2678B5AF-1AA5-4f5e-A598-00F7F6ABBDB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E885A0BD-03B2-40a7-B34C-1AD367712B3B}	{9BE27B2C-C9E5-4375-A709-927A55754698}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E885A0BD-03B2-40a7-B34C-1AD367712B3B}\stubpath = "C:\\Windows\\{E885A0BD-03B2-40a7-B34C-1AD367712B3B}.exe"	{9BE27B2C-C9E5-4375-A709-927A55754698}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{505576D6-CBAE-49b2-8DCC-BCF244B0A139}\stubpath = "C:\\Windows\\{505576D6-CBAE-49b2-8DCC-BCF244B0A139}.exe"	{A98C69DA-527C-49b6-9656-9E6C078C1CC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF1BA4E1-05D0-4c16-AB0C-1989E615C30F}\stubpath = "C:\\Windows\\{CF1BA4E1-05D0-4c16-AB0C-1989E615C30F}.exe"	0bd89d5bb47e6638e0c3560a06bdbc10_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FD37927-57B6-43f0-A3EB-9E1AE30415B2}	{CF1BA4E1-05D0-4c16-AB0C-1989E615C30F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4140A8A-D9FB-40d3-A00E-2FB9F867FBD3}	{E885A0BD-03B2-40a7-B34C-1AD367712B3B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A98C69DA-527C-49b6-9656-9E6C078C1CC9}	{B4140A8A-D9FB-40d3-A00E-2FB9F867FBD3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2678B5AF-1AA5-4f5e-A598-00F7F6ABBDB6}\stubpath = "C:\\Windows\\{2678B5AF-1AA5-4f5e-A598-00F7F6ABBDB6}.exe"	{7EF138F0-C671-4712-91C4-87A82A2CC87F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5C69F6B-4681-4537-8FE9-186025C3F332}\stubpath = "C:\\Windows\\{D5C69F6B-4681-4537-8FE9-186025C3F332}.exe"	{FAC7E50A-3BBD-4b8c-B61F-AAD25B27E5F7}.exe

Deletes itself 1 IoCs

pid	Process
2872	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1384	{CF1BA4E1-05D0-4c16-AB0C-1989E615C30F}.exe
2516	{4FD37927-57B6-43f0-A3EB-9E1AE30415B2}.exe
2720	{7EF138F0-C671-4712-91C4-87A82A2CC87F}.exe
2428	{2678B5AF-1AA5-4f5e-A598-00F7F6ABBDB6}.exe
1552	{FAC7E50A-3BBD-4b8c-B61F-AAD25B27E5F7}.exe
1848	{D5C69F6B-4681-4537-8FE9-186025C3F332}.exe
2164	{9BE27B2C-C9E5-4375-A709-927A55754698}.exe
1260	{E885A0BD-03B2-40a7-B34C-1AD367712B3B}.exe
2772	{B4140A8A-D9FB-40d3-A00E-2FB9F867FBD3}.exe
596	{A98C69DA-527C-49b6-9656-9E6C078C1CC9}.exe
2116	{505576D6-CBAE-49b2-8DCC-BCF244B0A139}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{FAC7E50A-3BBD-4b8c-B61F-AAD25B27E5F7}.exe	{2678B5AF-1AA5-4f5e-A598-00F7F6ABBDB6}.exe
File created	C:\Windows\{9BE27B2C-C9E5-4375-A709-927A55754698}.exe	{D5C69F6B-4681-4537-8FE9-186025C3F332}.exe
File created	C:\Windows\{E885A0BD-03B2-40a7-B34C-1AD367712B3B}.exe	{9BE27B2C-C9E5-4375-A709-927A55754698}.exe
File created	C:\Windows\{B4140A8A-D9FB-40d3-A00E-2FB9F867FBD3}.exe	{E885A0BD-03B2-40a7-B34C-1AD367712B3B}.exe
File created	C:\Windows\{505576D6-CBAE-49b2-8DCC-BCF244B0A139}.exe	{A98C69DA-527C-49b6-9656-9E6C078C1CC9}.exe
File created	C:\Windows\{7EF138F0-C671-4712-91C4-87A82A2CC87F}.exe	{4FD37927-57B6-43f0-A3EB-9E1AE30415B2}.exe
File created	C:\Windows\{2678B5AF-1AA5-4f5e-A598-00F7F6ABBDB6}.exe	{7EF138F0-C671-4712-91C4-87A82A2CC87F}.exe
File created	C:\Windows\{D5C69F6B-4681-4537-8FE9-186025C3F332}.exe	{FAC7E50A-3BBD-4b8c-B61F-AAD25B27E5F7}.exe
File created	C:\Windows\{A98C69DA-527C-49b6-9656-9E6C078C1CC9}.exe	{B4140A8A-D9FB-40d3-A00E-2FB9F867FBD3}.exe
File created	C:\Windows\{CF1BA4E1-05D0-4c16-AB0C-1989E615C30F}.exe	0bd89d5bb47e6638e0c3560a06bdbc10_NeikiAnalytics.exe
File created	C:\Windows\{4FD37927-57B6-43f0-A3EB-9E1AE30415B2}.exe	{CF1BA4E1-05D0-4c16-AB0C-1989E615C30F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2816	0bd89d5bb47e6638e0c3560a06bdbc10_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	1384	{CF1BA4E1-05D0-4c16-AB0C-1989E615C30F}.exe
Token: SeIncBasePriorityPrivilege	2516	{4FD37927-57B6-43f0-A3EB-9E1AE30415B2}.exe
Token: SeIncBasePriorityPrivilege	2720	{7EF138F0-C671-4712-91C4-87A82A2CC87F}.exe
Token: SeIncBasePriorityPrivilege	2428	{2678B5AF-1AA5-4f5e-A598-00F7F6ABBDB6}.exe
Token: SeIncBasePriorityPrivilege	1552	{FAC7E50A-3BBD-4b8c-B61F-AAD25B27E5F7}.exe
Token: SeIncBasePriorityPrivilege	1848	{D5C69F6B-4681-4537-8FE9-186025C3F332}.exe
Token: SeIncBasePriorityPrivilege	2164	{9BE27B2C-C9E5-4375-A709-927A55754698}.exe
Token: SeIncBasePriorityPrivilege	1260	{E885A0BD-03B2-40a7-B34C-1AD367712B3B}.exe
Token: SeIncBasePriorityPrivilege	2772	{B4140A8A-D9FB-40d3-A00E-2FB9F867FBD3}.exe
Token: SeIncBasePriorityPrivilege	596	{A98C69DA-527C-49b6-9656-9E6C078C1CC9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 1384	2816	0bd89d5bb47e6638e0c3560a06bdbc10_NeikiAnalytics.exe	28
PID 2816 wrote to memory of 1384	2816	0bd89d5bb47e6638e0c3560a06bdbc10_NeikiAnalytics.exe	28
PID 2816 wrote to memory of 1384	2816	0bd89d5bb47e6638e0c3560a06bdbc10_NeikiAnalytics.exe	28
PID 2816 wrote to memory of 1384	2816	0bd89d5bb47e6638e0c3560a06bdbc10_NeikiAnalytics.exe	28
PID 2816 wrote to memory of 2872	2816	0bd89d5bb47e6638e0c3560a06bdbc10_NeikiAnalytics.exe	29
PID 2816 wrote to memory of 2872	2816	0bd89d5bb47e6638e0c3560a06bdbc10_NeikiAnalytics.exe	29
PID 2816 wrote to memory of 2872	2816	0bd89d5bb47e6638e0c3560a06bdbc10_NeikiAnalytics.exe	29
PID 2816 wrote to memory of 2872	2816	0bd89d5bb47e6638e0c3560a06bdbc10_NeikiAnalytics.exe	29
PID 1384 wrote to memory of 2516	1384	{CF1BA4E1-05D0-4c16-AB0C-1989E615C30F}.exe	30
PID 1384 wrote to memory of 2516	1384	{CF1BA4E1-05D0-4c16-AB0C-1989E615C30F}.exe	30
PID 1384 wrote to memory of 2516	1384	{CF1BA4E1-05D0-4c16-AB0C-1989E615C30F}.exe	30
PID 1384 wrote to memory of 2516	1384	{CF1BA4E1-05D0-4c16-AB0C-1989E615C30F}.exe	30
PID 1384 wrote to memory of 2600	1384	{CF1BA4E1-05D0-4c16-AB0C-1989E615C30F}.exe	31
PID 1384 wrote to memory of 2600	1384	{CF1BA4E1-05D0-4c16-AB0C-1989E615C30F}.exe	31
PID 1384 wrote to memory of 2600	1384	{CF1BA4E1-05D0-4c16-AB0C-1989E615C30F}.exe	31
PID 1384 wrote to memory of 2600	1384	{CF1BA4E1-05D0-4c16-AB0C-1989E615C30F}.exe	31
PID 2516 wrote to memory of 2720	2516	{4FD37927-57B6-43f0-A3EB-9E1AE30415B2}.exe	32
PID 2516 wrote to memory of 2720	2516	{4FD37927-57B6-43f0-A3EB-9E1AE30415B2}.exe	32
PID 2516 wrote to memory of 2720	2516	{4FD37927-57B6-43f0-A3EB-9E1AE30415B2}.exe	32
PID 2516 wrote to memory of 2720	2516	{4FD37927-57B6-43f0-A3EB-9E1AE30415B2}.exe	32
PID 2516 wrote to memory of 2652	2516	{4FD37927-57B6-43f0-A3EB-9E1AE30415B2}.exe	33
PID 2516 wrote to memory of 2652	2516	{4FD37927-57B6-43f0-A3EB-9E1AE30415B2}.exe	33
PID 2516 wrote to memory of 2652	2516	{4FD37927-57B6-43f0-A3EB-9E1AE30415B2}.exe	33
PID 2516 wrote to memory of 2652	2516	{4FD37927-57B6-43f0-A3EB-9E1AE30415B2}.exe	33
PID 2720 wrote to memory of 2428	2720	{7EF138F0-C671-4712-91C4-87A82A2CC87F}.exe	36
PID 2720 wrote to memory of 2428	2720	{7EF138F0-C671-4712-91C4-87A82A2CC87F}.exe	36
PID 2720 wrote to memory of 2428	2720	{7EF138F0-C671-4712-91C4-87A82A2CC87F}.exe	36
PID 2720 wrote to memory of 2428	2720	{7EF138F0-C671-4712-91C4-87A82A2CC87F}.exe	36
PID 2720 wrote to memory of 2528	2720	{7EF138F0-C671-4712-91C4-87A82A2CC87F}.exe	37
PID 2720 wrote to memory of 2528	2720	{7EF138F0-C671-4712-91C4-87A82A2CC87F}.exe	37
PID 2720 wrote to memory of 2528	2720	{7EF138F0-C671-4712-91C4-87A82A2CC87F}.exe	37
PID 2720 wrote to memory of 2528	2720	{7EF138F0-C671-4712-91C4-87A82A2CC87F}.exe	37
PID 2428 wrote to memory of 1552	2428	{2678B5AF-1AA5-4f5e-A598-00F7F6ABBDB6}.exe	38
PID 2428 wrote to memory of 1552	2428	{2678B5AF-1AA5-4f5e-A598-00F7F6ABBDB6}.exe	38
PID 2428 wrote to memory of 1552	2428	{2678B5AF-1AA5-4f5e-A598-00F7F6ABBDB6}.exe	38
PID 2428 wrote to memory of 1552	2428	{2678B5AF-1AA5-4f5e-A598-00F7F6ABBDB6}.exe	38
PID 2428 wrote to memory of 2012	2428	{2678B5AF-1AA5-4f5e-A598-00F7F6ABBDB6}.exe	39
PID 2428 wrote to memory of 2012	2428	{2678B5AF-1AA5-4f5e-A598-00F7F6ABBDB6}.exe	39
PID 2428 wrote to memory of 2012	2428	{2678B5AF-1AA5-4f5e-A598-00F7F6ABBDB6}.exe	39
PID 2428 wrote to memory of 2012	2428	{2678B5AF-1AA5-4f5e-A598-00F7F6ABBDB6}.exe	39
PID 1552 wrote to memory of 1848	1552	{FAC7E50A-3BBD-4b8c-B61F-AAD25B27E5F7}.exe	40
PID 1552 wrote to memory of 1848	1552	{FAC7E50A-3BBD-4b8c-B61F-AAD25B27E5F7}.exe	40
PID 1552 wrote to memory of 1848	1552	{FAC7E50A-3BBD-4b8c-B61F-AAD25B27E5F7}.exe	40
PID 1552 wrote to memory of 1848	1552	{FAC7E50A-3BBD-4b8c-B61F-AAD25B27E5F7}.exe	40
PID 1552 wrote to memory of 2028	1552	{FAC7E50A-3BBD-4b8c-B61F-AAD25B27E5F7}.exe	41
PID 1552 wrote to memory of 2028	1552	{FAC7E50A-3BBD-4b8c-B61F-AAD25B27E5F7}.exe	41
PID 1552 wrote to memory of 2028	1552	{FAC7E50A-3BBD-4b8c-B61F-AAD25B27E5F7}.exe	41
PID 1552 wrote to memory of 2028	1552	{FAC7E50A-3BBD-4b8c-B61F-AAD25B27E5F7}.exe	41
PID 1848 wrote to memory of 2164	1848	{D5C69F6B-4681-4537-8FE9-186025C3F332}.exe	42
PID 1848 wrote to memory of 2164	1848	{D5C69F6B-4681-4537-8FE9-186025C3F332}.exe	42
PID 1848 wrote to memory of 2164	1848	{D5C69F6B-4681-4537-8FE9-186025C3F332}.exe	42
PID 1848 wrote to memory of 2164	1848	{D5C69F6B-4681-4537-8FE9-186025C3F332}.exe	42
PID 1848 wrote to memory of 2008	1848	{D5C69F6B-4681-4537-8FE9-186025C3F332}.exe	43
PID 1848 wrote to memory of 2008	1848	{D5C69F6B-4681-4537-8FE9-186025C3F332}.exe	43
PID 1848 wrote to memory of 2008	1848	{D5C69F6B-4681-4537-8FE9-186025C3F332}.exe	43
PID 1848 wrote to memory of 2008	1848	{D5C69F6B-4681-4537-8FE9-186025C3F332}.exe	43
PID 2164 wrote to memory of 1260	2164	{9BE27B2C-C9E5-4375-A709-927A55754698}.exe	44
PID 2164 wrote to memory of 1260	2164	{9BE27B2C-C9E5-4375-A709-927A55754698}.exe	44
PID 2164 wrote to memory of 1260	2164	{9BE27B2C-C9E5-4375-A709-927A55754698}.exe	44
PID 2164 wrote to memory of 1260	2164	{9BE27B2C-C9E5-4375-A709-927A55754698}.exe	44
PID 2164 wrote to memory of 292	2164	{9BE27B2C-C9E5-4375-A709-927A55754698}.exe	45
PID 2164 wrote to memory of 292	2164	{9BE27B2C-C9E5-4375-A709-927A55754698}.exe	45
PID 2164 wrote to memory of 292	2164	{9BE27B2C-C9E5-4375-A709-927A55754698}.exe	45
PID 2164 wrote to memory of 292	2164	{9BE27B2C-C9E5-4375-A709-927A55754698}.exe	45

C:\Users\Admin\AppData\Local\Temp\0bd89d5bb47e6638e0c3560a06bdbc10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0bd89d5bb47e6638e0c3560a06bdbc10_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\{CF1BA4E1-05D0-4c16-AB0C-1989E615C30F}.exe
  C:\Windows\{CF1BA4E1-05D0-4c16-AB0C-1989E615C30F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Windows\{4FD37927-57B6-43f0-A3EB-9E1AE30415B2}.exe
    C:\Windows\{4FD37927-57B6-43f0-A3EB-9E1AE30415B2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Windows\{7EF138F0-C671-4712-91C4-87A82A2CC87F}.exe
      C:\Windows\{7EF138F0-C671-4712-91C4-87A82A2CC87F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\{2678B5AF-1AA5-4f5e-A598-00F7F6ABBDB6}.exe
        
        C:\Windows\{2678B5AF-1AA5-4f5e-A598-00F7F6ABBDB6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2428
      - C:\Windows\{FAC7E50A-3BBD-4b8c-B61F-AAD25B27E5F7}.exe
        
        C:\Windows\{FAC7E50A-3BBD-4b8c-B61F-AAD25B27E5F7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\{D5C69F6B-4681-4537-8FE9-186025C3F332}.exe
        
        C:\Windows\{D5C69F6B-4681-4537-8FE9-186025C3F332}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\{9BE27B2C-C9E5-4375-A709-927A55754698}.exe
        
        C:\Windows\{9BE27B2C-C9E5-4375-A709-927A55754698}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\{E885A0BD-03B2-40a7-B34C-1AD367712B3B}.exe
        
        C:\Windows\{E885A0BD-03B2-40a7-B34C-1AD367712B3B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1260
        
        C:\Windows\{B4140A8A-D9FB-40d3-A00E-2FB9F867FBD3}.exe
        
        C:\Windows\{B4140A8A-D9FB-40d3-A00E-2FB9F867FBD3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\{A98C69DA-527C-49b6-9656-9E6C078C1CC9}.exe
        
        C:\Windows\{A98C69DA-527C-49b6-9656-9E6C078C1CC9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:596
        
        C:\Windows\{505576D6-CBAE-49b2-8DCC-BCF244B0A139}.exe
        
        C:\Windows\{505576D6-CBAE-49b2-8DCC-BCF244B0A139}.exe
        12⤵
        Executes dropped EXE
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A98C6~1.EXE > nul
        12⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4140~1.EXE > nul
        11⤵
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E885A~1.EXE > nul
        10⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9BE27~1.EXE > nul
        9⤵
        
        PID:292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5C69~1.EXE > nul
        8⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FAC7E~1.EXE > nul
        7⤵
        
        PID:2028
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2678B~1.EXE > nul
        6⤵
        
        PID:2012
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7EF13~1.EXE > nul
        5⤵
        
        PID:2528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4FD37~1.EXE > nul
      4⤵
      PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CF1BA~1.EXE > nul
    3⤵
    PID:2600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0BD89D~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2678B5AF-1AA5-4f5e-A598-00F7F6ABBDB6}.exe

Filesize
80KB

MD5
d4e66fa165e2e4478de34e5424b59fe7

SHA1
844e026ad7da204d8f3b07738127812f4b7c3bb5

SHA256
e27be37d076a917a1c5d7af69dccd302a442e0a92b70fce6e2dfc50a03f1a5e3

SHA512
c5b942ae7768a91fff258cda2ad01daaaf59a64b915426d27ad42ac5ee76845ea3c9082d4840db81a768470d10f92a2d85e78222688e04cc05654efc1359f28a

Download Submit
C:\Windows\{4FD37927-57B6-43f0-A3EB-9E1AE30415B2}.exe

Filesize
80KB

MD5
cbd8e22141d841c58ba5697e59178a2c

SHA1
0b4b5e0fe7db6f3cb104d18a1a01234f1aadce0a

SHA256
dde2b9a2d6b1b6356389c7124a2a37036a3a2b17a05aceface43ed8371259c30

SHA512
14c51360b8e29758f06de1ad68ba2c22bff845191ff94c07592c2e8af0efa229b96162cd114bb1ef826dc966177efee989dce93960dfd79c87e3968acca0708d

Download Submit
C:\Windows\{505576D6-CBAE-49b2-8DCC-BCF244B0A139}.exe

Filesize
80KB

MD5
ac251c11df48c88398faf1e2670354ae

SHA1
c42e150f27a66c90e206fe77372ced511730fe51

SHA256
a8b4a3207ed25359550cde75a55df5dccf23ba9da11deeeb20c220fee94dd853

SHA512
5ba65abc08d9c2e9b0bd08ceb04dd48df6c532ea60ee7dd2c2cdd244d607f28f7631326c02fb53c5fdf1e381cc018c68f13d77a5de63c8c81c46738cce1f9c60

Download Submit
C:\Windows\{7EF138F0-C671-4712-91C4-87A82A2CC87F}.exe

Filesize
80KB

MD5
b0fa126c313be6e2cb5b77b0f7705d42

SHA1
b9b0c5349e98fcd88dfdec5e588a0cc87b4f89f5

SHA256
fd25d9e8cf34d0a235c70e56a9ec6374617e3558197d33689ffe703c24b82192

SHA512
87944bd3e8c8a71f150fa6fd094aa4e2684eee1b396e4787418d4a4996ff02780880fcf8222bfe9ae88691eeae2e2e5381665cb5eb3fbf6c9be0cefccd08f7f6

Download Submit
C:\Windows\{9BE27B2C-C9E5-4375-A709-927A55754698}.exe

Filesize
80KB

MD5
a56a6a0e2b0a9494e40552239ca2ce05

SHA1
5fa461e0e7dcfafa5e72cd5d9f1bb46f58097261

SHA256
2ef30d70bc2979e7dd2144f3a37b8d30c0bd28041c5e6918e3cbe636d99a484f

SHA512
b43c4dc2fb31b3cfb1a9ac3bb419e5a1273dab6ccaeb1747fc20d70738c28dfad3d0eb1aa438e011281e0944d9f2cf2e10a4db180c53aa91776e86076ad00f8f

Download Submit
C:\Windows\{A98C69DA-527C-49b6-9656-9E6C078C1CC9}.exe

Filesize
80KB

MD5
553fda7127e9defbac7e66147dd8f78c

SHA1
356f1aa0c8afbc559518ec63fa7d61427c8f1c5d

SHA256
aee006ebde6c0d732691bd14347eee32e7881b42e73640ab5962cd747885d014

SHA512
c8f58d60d4fd7f296cb3f60177a67bc89f59bc467a14cf1458d0943346d9060f7be6dd3929b4d7e87a193cde10ccb27fe78e63dd5b25b391dda9fad6f3bf32f1

Download Submit
C:\Windows\{B4140A8A-D9FB-40d3-A00E-2FB9F867FBD3}.exe

Filesize
80KB

MD5
389623b4ce5d2820123698f01f47db7f

SHA1
7a07d8f314d432e0ac7744e12a4a0ba65d4c6844

SHA256
217556d8b57b1391e8175ffe7d30940f218e690b3f6083b4e6ec08600c19b5ec

SHA512
999895eb7ea785af491f2ce725424eb856166706d6543f771b0f13c95d3139139209521d121d8fa6389c82694c729a5f871ae7a37175a3c9d3184df2bbf26572

Download Submit
C:\Windows\{CF1BA4E1-05D0-4c16-AB0C-1989E615C30F}.exe

Filesize
80KB

MD5
e33735f2def4b5995eb6fc76343648fa

SHA1
d739d59421a3171d917534561d53aa3ee69972c7

SHA256
54c024a481f05e6dea2603bc635704407cca13f6a6a56fcfe4d8c45363cac4bb

SHA512
e220b547fc8e007f43320facb72aa29d5fa89b6c28b48d9e6dff2aabd4485f0ba68c6dd39d45b4ea98710e702a4c33786eda221a5a7cb27653d2067d56447ac5

Download Submit
C:\Windows\{D5C69F6B-4681-4537-8FE9-186025C3F332}.exe

Filesize
80KB

MD5
7daec0d9007326f6bd149d8bab15cd1a

SHA1
74701d4dddeb2be5a3eced9125b2839bc2f2161c

SHA256
e976590de238c6a59d689eb0addedd5817343b8db91ae2d63c257ee3bd0492c9

SHA512
3be2eeafba7a3ca9efb07b5743cea7a00855857d147aa372ed6f865a785ea53688335a84c303e5c33dc151ec121d8bc66f131a1b7c03e4423e3c9ff34a8c123d

Download Submit
C:\Windows\{E885A0BD-03B2-40a7-B34C-1AD367712B3B}.exe

Filesize
80KB

MD5
aa0d009bf31591d010a2897dd5eb5e38

SHA1
74bdc30e074656a73062ec94939941c1fbf2b98f

SHA256
03ee79f1e257ddb957886ebb8641412695c681196d39f045486769fce9c34749

SHA512
839925201e24c227a25ba76b1469d672c492978933d450ba43f9dac60dfa7f8b46e948aba978f43fbeb2914553f7185632133a766919890b4072124aaa4960b4

Download Submit
C:\Windows\{FAC7E50A-3BBD-4b8c-B61F-AAD25B27E5F7}.exe

Filesize
80KB

MD5
94508190b9952f9242c3c9dcca0c709e

SHA1
1ec9dd93a58d3b6cd028cf413a93abf1ab4e425b

SHA256
5347862058c4e22e74f7de2bdb4cfdb97a9b722b9aa1acd935adc46159c6a619

SHA512
449bb67a4bcb019f18490a9f0eb45ab00579533af6fa3ca2b204cb545f85a9d98dc7c1ee6428c15df0f3722a4327c9500abf0541b99411fb05e20275cafe4384

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads