4833e727e9eb9d3707fbab7b540408f8275a58e710afe1b901bf0aa8cef10a98

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-06-2024 09:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aaf106d3cdb9a3210ce740577b0e5430_NeikiAnalytics.exe
Size

64KB
MD5

aaf106d3cdb9a3210ce740577b0e5430
SHA1

e23f5271b98b91370db523e364ccadd2049d32b7
SHA256

4833e727e9eb9d3707fbab7b540408f8275a58e710afe1b901bf0aa8cef10a98
SHA512

22a5274a13214a2ff4da5f183a8ef2028016668e5823deb5b8c1a5c91365b04e7c8b51e05c8002b619f4213a576372daab7ce3bd111df549eec77a16dd956c69
SSDEEP

768:Ovw9816JhKQLroC+4/wQxWMZQcpFM1FgDagXP2TyS1tl7lfqvocqcdT3WVdA:6EG70oC+lwWMZQcpmgDagIyS1loL7WrA

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16AB41F8-697F-492e-87AA-05E0534B9524}\stubpath = "C:\\Windows\\{16AB41F8-697F-492e-87AA-05E0534B9524}.exe"	{4FCEE387-5AC3-425d-BB21-AF8920B1B90F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F02D41E3-DC5B-4a0b-B36A-6AF406902B0A}\stubpath = "C:\\Windows\\{F02D41E3-DC5B-4a0b-B36A-6AF406902B0A}.exe"	{16AB41F8-697F-492e-87AA-05E0534B9524}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E0159AA-A305-48d8-B6CE-E6892F5F020F}	{0A8276F8-5DAA-4673-B82C-15311C3A15A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E0159AA-A305-48d8-B6CE-E6892F5F020F}\stubpath = "C:\\Windows\\{8E0159AA-A305-48d8-B6CE-E6892F5F020F}.exe"	{0A8276F8-5DAA-4673-B82C-15311C3A15A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C926AE72-927D-4e85-9A99-9E3DFFB3B7F7}	{EEE855FB-CA9E-4399-9B40-9D7EF41FF7FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEE855FB-CA9E-4399-9B40-9D7EF41FF7FF}\stubpath = "C:\\Windows\\{EEE855FB-CA9E-4399-9B40-9D7EF41FF7FF}.exe"	{5286B84E-5D05-474d-9DBC-E8746A069316}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F02D41E3-DC5B-4a0b-B36A-6AF406902B0A}	{16AB41F8-697F-492e-87AA-05E0534B9524}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A8276F8-5DAA-4673-B82C-15311C3A15A3}\stubpath = "C:\\Windows\\{0A8276F8-5DAA-4673-B82C-15311C3A15A3}.exe"	{B1BA5156-27BF-45fd-8087-0F0E355D30B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B56136D-45A5-4a76-95FB-724A99D4FF94}	{8E0159AA-A305-48d8-B6CE-E6892F5F020F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EEE855FB-CA9E-4399-9B40-9D7EF41FF7FF}	{5286B84E-5D05-474d-9DBC-E8746A069316}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{232717BE-26A2-468b-934F-E2F258A0A43C}\stubpath = "C:\\Windows\\{232717BE-26A2-468b-934F-E2F258A0A43C}.exe"	aaf106d3cdb9a3210ce740577b0e5430_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5286B84E-5D05-474d-9DBC-E8746A069316}\stubpath = "C:\\Windows\\{5286B84E-5D05-474d-9DBC-E8746A069316}.exe"	{232717BE-26A2-468b-934F-E2F258A0A43C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FCEE387-5AC3-425d-BB21-AF8920B1B90F}\stubpath = "C:\\Windows\\{4FCEE387-5AC3-425d-BB21-AF8920B1B90F}.exe"	{C926AE72-927D-4e85-9A99-9E3DFFB3B7F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16AB41F8-697F-492e-87AA-05E0534B9524}	{4FCEE387-5AC3-425d-BB21-AF8920B1B90F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1BA5156-27BF-45fd-8087-0F0E355D30B3}	{F02D41E3-DC5B-4a0b-B36A-6AF406902B0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{232717BE-26A2-468b-934F-E2F258A0A43C}	aaf106d3cdb9a3210ce740577b0e5430_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C926AE72-927D-4e85-9A99-9E3DFFB3B7F7}\stubpath = "C:\\Windows\\{C926AE72-927D-4e85-9A99-9E3DFFB3B7F7}.exe"	{EEE855FB-CA9E-4399-9B40-9D7EF41FF7FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FCEE387-5AC3-425d-BB21-AF8920B1B90F}	{C926AE72-927D-4e85-9A99-9E3DFFB3B7F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1BA5156-27BF-45fd-8087-0F0E355D30B3}\stubpath = "C:\\Windows\\{B1BA5156-27BF-45fd-8087-0F0E355D30B3}.exe"	{F02D41E3-DC5B-4a0b-B36A-6AF406902B0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A8276F8-5DAA-4673-B82C-15311C3A15A3}	{B1BA5156-27BF-45fd-8087-0F0E355D30B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B56136D-45A5-4a76-95FB-724A99D4FF94}\stubpath = "C:\\Windows\\{5B56136D-45A5-4a76-95FB-724A99D4FF94}.exe"	{8E0159AA-A305-48d8-B6CE-E6892F5F020F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5286B84E-5D05-474d-9DBC-E8746A069316}	{232717BE-26A2-468b-934F-E2F258A0A43C}.exe

Deletes itself 1 IoCs

pid	Process
2852	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2856	{232717BE-26A2-468b-934F-E2F258A0A43C}.exe
1212	{5286B84E-5D05-474d-9DBC-E8746A069316}.exe
2056	{EEE855FB-CA9E-4399-9B40-9D7EF41FF7FF}.exe
1108	{C926AE72-927D-4e85-9A99-9E3DFFB3B7F7}.exe
2648	{4FCEE387-5AC3-425d-BB21-AF8920B1B90F}.exe
1672	{16AB41F8-697F-492e-87AA-05E0534B9524}.exe
1428	{F02D41E3-DC5B-4a0b-B36A-6AF406902B0A}.exe
1936	{B1BA5156-27BF-45fd-8087-0F0E355D30B3}.exe
2264	{0A8276F8-5DAA-4673-B82C-15311C3A15A3}.exe
3004	{8E0159AA-A305-48d8-B6CE-E6892F5F020F}.exe
3016	{5B56136D-45A5-4a76-95FB-724A99D4FF94}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5286B84E-5D05-474d-9DBC-E8746A069316}.exe	{232717BE-26A2-468b-934F-E2F258A0A43C}.exe
File created	C:\Windows\{C926AE72-927D-4e85-9A99-9E3DFFB3B7F7}.exe	{EEE855FB-CA9E-4399-9B40-9D7EF41FF7FF}.exe
File created	C:\Windows\{4FCEE387-5AC3-425d-BB21-AF8920B1B90F}.exe	{C926AE72-927D-4e85-9A99-9E3DFFB3B7F7}.exe
File created	C:\Windows\{B1BA5156-27BF-45fd-8087-0F0E355D30B3}.exe	{F02D41E3-DC5B-4a0b-B36A-6AF406902B0A}.exe
File created	C:\Windows\{232717BE-26A2-468b-934F-E2F258A0A43C}.exe	aaf106d3cdb9a3210ce740577b0e5430_NeikiAnalytics.exe
File created	C:\Windows\{16AB41F8-697F-492e-87AA-05E0534B9524}.exe	{4FCEE387-5AC3-425d-BB21-AF8920B1B90F}.exe
File created	C:\Windows\{F02D41E3-DC5B-4a0b-B36A-6AF406902B0A}.exe	{16AB41F8-697F-492e-87AA-05E0534B9524}.exe
File created	C:\Windows\{0A8276F8-5DAA-4673-B82C-15311C3A15A3}.exe	{B1BA5156-27BF-45fd-8087-0F0E355D30B3}.exe
File created	C:\Windows\{8E0159AA-A305-48d8-B6CE-E6892F5F020F}.exe	{0A8276F8-5DAA-4673-B82C-15311C3A15A3}.exe
File created	C:\Windows\{5B56136D-45A5-4a76-95FB-724A99D4FF94}.exe	{8E0159AA-A305-48d8-B6CE-E6892F5F020F}.exe
File created	C:\Windows\{EEE855FB-CA9E-4399-9B40-9D7EF41FF7FF}.exe	{5286B84E-5D05-474d-9DBC-E8746A069316}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1664	aaf106d3cdb9a3210ce740577b0e5430_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2856	{232717BE-26A2-468b-934F-E2F258A0A43C}.exe
Token: SeIncBasePriorityPrivilege	1212	{5286B84E-5D05-474d-9DBC-E8746A069316}.exe
Token: SeIncBasePriorityPrivilege	2056	{EEE855FB-CA9E-4399-9B40-9D7EF41FF7FF}.exe
Token: SeIncBasePriorityPrivilege	1108	{C926AE72-927D-4e85-9A99-9E3DFFB3B7F7}.exe
Token: SeIncBasePriorityPrivilege	2648	{4FCEE387-5AC3-425d-BB21-AF8920B1B90F}.exe
Token: SeIncBasePriorityPrivilege	1672	{16AB41F8-697F-492e-87AA-05E0534B9524}.exe
Token: SeIncBasePriorityPrivilege	1428	{F02D41E3-DC5B-4a0b-B36A-6AF406902B0A}.exe
Token: SeIncBasePriorityPrivilege	1936	{B1BA5156-27BF-45fd-8087-0F0E355D30B3}.exe
Token: SeIncBasePriorityPrivilege	2264	{0A8276F8-5DAA-4673-B82C-15311C3A15A3}.exe
Token: SeIncBasePriorityPrivilege	3004	{8E0159AA-A305-48d8-B6CE-E6892F5F020F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 2856	1664	aaf106d3cdb9a3210ce740577b0e5430_NeikiAnalytics.exe	28
PID 1664 wrote to memory of 2856	1664	aaf106d3cdb9a3210ce740577b0e5430_NeikiAnalytics.exe	28
PID 1664 wrote to memory of 2856	1664	aaf106d3cdb9a3210ce740577b0e5430_NeikiAnalytics.exe	28
PID 1664 wrote to memory of 2856	1664	aaf106d3cdb9a3210ce740577b0e5430_NeikiAnalytics.exe	28
PID 1664 wrote to memory of 2852	1664	aaf106d3cdb9a3210ce740577b0e5430_NeikiAnalytics.exe	29
PID 1664 wrote to memory of 2852	1664	aaf106d3cdb9a3210ce740577b0e5430_NeikiAnalytics.exe	29
PID 1664 wrote to memory of 2852	1664	aaf106d3cdb9a3210ce740577b0e5430_NeikiAnalytics.exe	29
PID 1664 wrote to memory of 2852	1664	aaf106d3cdb9a3210ce740577b0e5430_NeikiAnalytics.exe	29
PID 2856 wrote to memory of 1212	2856	{232717BE-26A2-468b-934F-E2F258A0A43C}.exe	32
PID 2856 wrote to memory of 1212	2856	{232717BE-26A2-468b-934F-E2F258A0A43C}.exe	32
PID 2856 wrote to memory of 1212	2856	{232717BE-26A2-468b-934F-E2F258A0A43C}.exe	32
PID 2856 wrote to memory of 1212	2856	{232717BE-26A2-468b-934F-E2F258A0A43C}.exe	32
PID 2856 wrote to memory of 1952	2856	{232717BE-26A2-468b-934F-E2F258A0A43C}.exe	33
PID 2856 wrote to memory of 1952	2856	{232717BE-26A2-468b-934F-E2F258A0A43C}.exe	33
PID 2856 wrote to memory of 1952	2856	{232717BE-26A2-468b-934F-E2F258A0A43C}.exe	33
PID 2856 wrote to memory of 1952	2856	{232717BE-26A2-468b-934F-E2F258A0A43C}.exe	33
PID 1212 wrote to memory of 2056	1212	{5286B84E-5D05-474d-9DBC-E8746A069316}.exe	34
PID 1212 wrote to memory of 2056	1212	{5286B84E-5D05-474d-9DBC-E8746A069316}.exe	34
PID 1212 wrote to memory of 2056	1212	{5286B84E-5D05-474d-9DBC-E8746A069316}.exe	34
PID 1212 wrote to memory of 2056	1212	{5286B84E-5D05-474d-9DBC-E8746A069316}.exe	34
PID 1212 wrote to memory of 2988	1212	{5286B84E-5D05-474d-9DBC-E8746A069316}.exe	35
PID 1212 wrote to memory of 2988	1212	{5286B84E-5D05-474d-9DBC-E8746A069316}.exe	35
PID 1212 wrote to memory of 2988	1212	{5286B84E-5D05-474d-9DBC-E8746A069316}.exe	35
PID 1212 wrote to memory of 2988	1212	{5286B84E-5D05-474d-9DBC-E8746A069316}.exe	35
PID 2056 wrote to memory of 1108	2056	{EEE855FB-CA9E-4399-9B40-9D7EF41FF7FF}.exe	36
PID 2056 wrote to memory of 1108	2056	{EEE855FB-CA9E-4399-9B40-9D7EF41FF7FF}.exe	36
PID 2056 wrote to memory of 1108	2056	{EEE855FB-CA9E-4399-9B40-9D7EF41FF7FF}.exe	36
PID 2056 wrote to memory of 1108	2056	{EEE855FB-CA9E-4399-9B40-9D7EF41FF7FF}.exe	36
PID 2056 wrote to memory of 1608	2056	{EEE855FB-CA9E-4399-9B40-9D7EF41FF7FF}.exe	37
PID 2056 wrote to memory of 1608	2056	{EEE855FB-CA9E-4399-9B40-9D7EF41FF7FF}.exe	37
PID 2056 wrote to memory of 1608	2056	{EEE855FB-CA9E-4399-9B40-9D7EF41FF7FF}.exe	37
PID 2056 wrote to memory of 1608	2056	{EEE855FB-CA9E-4399-9B40-9D7EF41FF7FF}.exe	37
PID 1108 wrote to memory of 2648	1108	{C926AE72-927D-4e85-9A99-9E3DFFB3B7F7}.exe	38
PID 1108 wrote to memory of 2648	1108	{C926AE72-927D-4e85-9A99-9E3DFFB3B7F7}.exe	38
PID 1108 wrote to memory of 2648	1108	{C926AE72-927D-4e85-9A99-9E3DFFB3B7F7}.exe	38
PID 1108 wrote to memory of 2648	1108	{C926AE72-927D-4e85-9A99-9E3DFFB3B7F7}.exe	38
PID 1108 wrote to memory of 2764	1108	{C926AE72-927D-4e85-9A99-9E3DFFB3B7F7}.exe	39
PID 1108 wrote to memory of 2764	1108	{C926AE72-927D-4e85-9A99-9E3DFFB3B7F7}.exe	39
PID 1108 wrote to memory of 2764	1108	{C926AE72-927D-4e85-9A99-9E3DFFB3B7F7}.exe	39
PID 1108 wrote to memory of 2764	1108	{C926AE72-927D-4e85-9A99-9E3DFFB3B7F7}.exe	39
PID 2648 wrote to memory of 1672	2648	{4FCEE387-5AC3-425d-BB21-AF8920B1B90F}.exe	40
PID 2648 wrote to memory of 1672	2648	{4FCEE387-5AC3-425d-BB21-AF8920B1B90F}.exe	40
PID 2648 wrote to memory of 1672	2648	{4FCEE387-5AC3-425d-BB21-AF8920B1B90F}.exe	40
PID 2648 wrote to memory of 1672	2648	{4FCEE387-5AC3-425d-BB21-AF8920B1B90F}.exe	40
PID 2648 wrote to memory of 1808	2648	{4FCEE387-5AC3-425d-BB21-AF8920B1B90F}.exe	41
PID 2648 wrote to memory of 1808	2648	{4FCEE387-5AC3-425d-BB21-AF8920B1B90F}.exe	41
PID 2648 wrote to memory of 1808	2648	{4FCEE387-5AC3-425d-BB21-AF8920B1B90F}.exe	41
PID 2648 wrote to memory of 1808	2648	{4FCEE387-5AC3-425d-BB21-AF8920B1B90F}.exe	41
PID 1672 wrote to memory of 1428	1672	{16AB41F8-697F-492e-87AA-05E0534B9524}.exe	42
PID 1672 wrote to memory of 1428	1672	{16AB41F8-697F-492e-87AA-05E0534B9524}.exe	42
PID 1672 wrote to memory of 1428	1672	{16AB41F8-697F-492e-87AA-05E0534B9524}.exe	42
PID 1672 wrote to memory of 1428	1672	{16AB41F8-697F-492e-87AA-05E0534B9524}.exe	42
PID 1672 wrote to memory of 2016	1672	{16AB41F8-697F-492e-87AA-05E0534B9524}.exe	43
PID 1672 wrote to memory of 2016	1672	{16AB41F8-697F-492e-87AA-05E0534B9524}.exe	43
PID 1672 wrote to memory of 2016	1672	{16AB41F8-697F-492e-87AA-05E0534B9524}.exe	43
PID 1672 wrote to memory of 2016	1672	{16AB41F8-697F-492e-87AA-05E0534B9524}.exe	43
PID 1428 wrote to memory of 1936	1428	{F02D41E3-DC5B-4a0b-B36A-6AF406902B0A}.exe	44
PID 1428 wrote to memory of 1936	1428	{F02D41E3-DC5B-4a0b-B36A-6AF406902B0A}.exe	44
PID 1428 wrote to memory of 1936	1428	{F02D41E3-DC5B-4a0b-B36A-6AF406902B0A}.exe	44
PID 1428 wrote to memory of 1936	1428	{F02D41E3-DC5B-4a0b-B36A-6AF406902B0A}.exe	44
PID 1428 wrote to memory of 924	1428	{F02D41E3-DC5B-4a0b-B36A-6AF406902B0A}.exe	45
PID 1428 wrote to memory of 924	1428	{F02D41E3-DC5B-4a0b-B36A-6AF406902B0A}.exe	45
PID 1428 wrote to memory of 924	1428	{F02D41E3-DC5B-4a0b-B36A-6AF406902B0A}.exe	45
PID 1428 wrote to memory of 924	1428	{F02D41E3-DC5B-4a0b-B36A-6AF406902B0A}.exe	45

C:\Users\Admin\AppData\Local\Temp\aaf106d3cdb9a3210ce740577b0e5430_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\aaf106d3cdb9a3210ce740577b0e5430_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\{232717BE-26A2-468b-934F-E2F258A0A43C}.exe
  C:\Windows\{232717BE-26A2-468b-934F-E2F258A0A43C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\{5286B84E-5D05-474d-9DBC-E8746A069316}.exe
    C:\Windows\{5286B84E-5D05-474d-9DBC-E8746A069316}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1212
  - - C:\Windows\{EEE855FB-CA9E-4399-9B40-9D7EF41FF7FF}.exe
      C:\Windows\{EEE855FB-CA9E-4399-9B40-9D7EF41FF7FF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2056
    - - C:\Windows\{C926AE72-927D-4e85-9A99-9E3DFFB3B7F7}.exe
        
        C:\Windows\{C926AE72-927D-4e85-9A99-9E3DFFB3B7F7}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1108
      - C:\Windows\{4FCEE387-5AC3-425d-BB21-AF8920B1B90F}.exe
        
        C:\Windows\{4FCEE387-5AC3-425d-BB21-AF8920B1B90F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\{16AB41F8-697F-492e-87AA-05E0534B9524}.exe
        
        C:\Windows\{16AB41F8-697F-492e-87AA-05E0534B9524}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\{F02D41E3-DC5B-4a0b-B36A-6AF406902B0A}.exe
        
        C:\Windows\{F02D41E3-DC5B-4a0b-B36A-6AF406902B0A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\{B1BA5156-27BF-45fd-8087-0F0E355D30B3}.exe
        
        C:\Windows\{B1BA5156-27BF-45fd-8087-0F0E355D30B3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\Windows\{0A8276F8-5DAA-4673-B82C-15311C3A15A3}.exe
        
        C:\Windows\{0A8276F8-5DAA-4673-B82C-15311C3A15A3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\{8E0159AA-A305-48d8-B6CE-E6892F5F020F}.exe
        
        C:\Windows\{8E0159AA-A305-48d8-B6CE-E6892F5F020F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\{5B56136D-45A5-4a76-95FB-724A99D4FF94}.exe
        
        C:\Windows\{5B56136D-45A5-4a76-95FB-724A99D4FF94}.exe
        12⤵
        Executes dropped EXE
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E015~1.EXE > nul
        12⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A827~1.EXE > nul
        11⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1BA5~1.EXE > nul
        10⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F02D4~1.EXE > nul
        9⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16AB4~1.EXE > nul
        8⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FCEE~1.EXE > nul
        7⤵
        
        PID:1808
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C926A~1.EXE > nul
        6⤵
        
        PID:2764
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EEE85~1.EXE > nul
        5⤵
        
        PID:1608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5286B~1.EXE > nul
      4⤵
      PID:2988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{23271~1.EXE > nul
    3⤵
    PID:1952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\AAF106~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A8276F8-5DAA-4673-B82C-15311C3A15A3}.exe

Filesize
64KB

MD5
70c7b8c41fcdfb882a134755687c0b5f

SHA1
f378274c01d578eb5644f4aa647e34a7173579bc

SHA256
28f096a4a6db0d71c74aa6c57a77aa43407fecc8de4bd0cf81ee090514ff41fd

SHA512
0a09743ea4a60f55b1779118883fb4b0dbbaab4b37d4bc20a00b8dcfbc80ae71a07566d08b63f3168d5bc2deb723e1f5fb6887aeb175579226caadb0ba800d76

Download Submit
C:\Windows\{16AB41F8-697F-492e-87AA-05E0534B9524}.exe

Filesize
64KB

MD5
4787c0baa6354a48484e4ea0dd52df00

SHA1
8da3e5e17403cbe00fd0fc929bb287a94103a516

SHA256
669e5242c767c4fc77b06a58bc24c9565a0f4d0cdf38f03fc5db3ff823b96f23

SHA512
521957159ec98eae1419af6169027b2a718335e3b046cbd56801f61905b2db3f3ce107d81139344df7f562d6d6aa4ce68852586a7fbe926dbf926fd3e3c43439

Download Submit
C:\Windows\{232717BE-26A2-468b-934F-E2F258A0A43C}.exe

Filesize
64KB

MD5
f91c73f30d5203c7698767eec392774b

SHA1
01741fc7ac3a31ed6db72d64bc562c66b496b36b

SHA256
47d227520c9950b363a6d156805d543606f720300ce0019d87ee119775b36e17

SHA512
e7be2f67f09df2a618bf9e25e0942cbcfb559ac942b739f806e5d052f28531fab5ddf4194332f23db2caccb5784ad482ae6a208de7d066f1ca1c2e40d7c43fcd

Download Submit
C:\Windows\{4FCEE387-5AC3-425d-BB21-AF8920B1B90F}.exe

Filesize
64KB

MD5
dfbfb9f9d52ba129f96abe073a821a2e

SHA1
bb43d1dbde34b4c6ff3973a909d56ff6f82b09ec

SHA256
c7201f284cc15e8087097fc7e62113bca9549107073a6f2e9f879ea6e3da799b

SHA512
97563283a1ca7c0c17c99783bdbf9294cf67dabeb4534a079ad7492d51fbdfcb783cb7bd4d220d68fb7c2ad719794caff130f6c2419db7ddd0d579d9f2bc1035

Download Submit
C:\Windows\{5286B84E-5D05-474d-9DBC-E8746A069316}.exe

Filesize
64KB

MD5
ac3da2296ac8fb242328369b9c858930

SHA1
b8fce6dc67c184b6933d0dbf2e8379533d2f510f

SHA256
5126f861c35e01a4b3dbe835c6e6d094af4ffdf1956049a2ddcb82afcdb8fc9f

SHA512
f8b8b4967421fad3a24785c059e0fffc1d592434dde2e816ae319ca88d556b9d8b17a2f25c629e8174da31ab46edd9d0e58f872a74f7409b36234f399f601767

Download Submit
C:\Windows\{5B56136D-45A5-4a76-95FB-724A99D4FF94}.exe

Filesize
64KB

MD5
ecf2fe3854386b441fdb46d06c7058bd

SHA1
5fe96e7a947158ac2646db715be9b52e858cae3f

SHA256
dc99e93be8cb4de31afa41d0b808654d53736bab060e944a8846b431b57db729

SHA512
15ce915cc2bf65856c9901a2e76e6c9b0854ea1a94b3619179d9537b08a0e8c9262f73ec836c3fe9421ffb0c5dab12fe794af67e320aff0a837f15409d2e7d35

Download Submit
C:\Windows\{8E0159AA-A305-48d8-B6CE-E6892F5F020F}.exe

Filesize
64KB

MD5
f41e42113761e762d324b4301325779f

SHA1
4617becab38f09eabb80971a78c860cf9ad58a96

SHA256
e8a788e70c69af37823f50c509f476bd7c7bb98fdbaf0b663236dcb6fa4d4b34

SHA512
97dc6be8c0ef9ea5576211c5da44dbfc4c7f2af0679e56b75a1df2160f5f84962b1092f40b578af2b6fce8c58ae845744a677aad67ee7d6a5a06939d8c825085

Download Submit
C:\Windows\{B1BA5156-27BF-45fd-8087-0F0E355D30B3}.exe

Filesize
64KB

MD5
24e427efb7c56f0a0d6ce37135ce9a23

SHA1
6d1dff7228050bad6e2b0a8715300c62a6536a70

SHA256
05165499c59b703aa66a9ad209f5fa034b4e8dc3fce5f7a41586fd8ed7f9319a

SHA512
46f583f185c1422b910883c444ab2cf2cababb71348db31aed3a4fc7bac5cbc2b0b500d1063f69a5d4db5d26dd92c5e30cad5c6e276eeb0e9037a87745d1b63c

Download Submit
C:\Windows\{C926AE72-927D-4e85-9A99-9E3DFFB3B7F7}.exe

Filesize
64KB

MD5
a1d6ec7d1ec6b8b8cf1a56b4c0ce61e4

SHA1
e1f70b27ca4a7b6b5c266dbb878318fcae355e77

SHA256
267dea7db85589db6ce396a27e4f91a568cc96dad7d37ddbdaab26b9236be8bc

SHA512
4321683d734b512fa0e34201f273941ac9abfeb46e08bebda6012a2420f1c89585c906eb9c274bd570cd4f4d4aeb498e614f8910c7d6cbf3f6c420be74b36435

Download Submit
C:\Windows\{EEE855FB-CA9E-4399-9B40-9D7EF41FF7FF}.exe

Filesize
64KB

MD5
6a1df5f5d79e9654b1cffa673b89590d

SHA1
24a7db4a2a70f33770abf0236e9f1b17710d6334

SHA256
e9cd03bfb8d5d0f90129dcf62737fe854f889c47b69d8bee20b390ba54c018ea

SHA512
1d1024723f8b12db0a72de3f88076780ba6fce5999d5348273849f525ab2bd51c65a84e5fc5f2288b4c117729aac5919b4457f90da281a7c718f29d7367db6e9

Download Submit
C:\Windows\{F02D41E3-DC5B-4a0b-B36A-6AF406902B0A}.exe

Filesize
64KB

MD5
a92a453c8dd860a0f4cc6261821fbc27

SHA1
ec1015ef1c33deaf6d17dc006ca68f4cad4c358f

SHA256
25764b889cde9ca0ce6d9ce378e85cb6419a157fdfad5675fe8c924fc8d2ccbc

SHA512
1bbc2637a46fce920a4c7a1eb5015b5b3a4a0989d7c942a196ef298e36ecf9feaefc99eaaf078bea79b044a41f01e8783e137d138df0e5724f47fb4f8160ca90

Download Submit
memory/1108-42-0x00000000002D0000-0x00000000002E0000-memory.dmp

Filesize
64KB

Download
memory/1108-47-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1108-38-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1212-23-0x0000000000390000-0x00000000003A0000-memory.dmp

Filesize
64KB

Download
memory/1212-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1212-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1428-68-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download
memory/1428-73-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1664-6-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/1664-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1664-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1664-7-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/1672-64-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1672-59-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/1936-74-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1936-78-0x0000000000390000-0x00000000003A0000-memory.dmp

Filesize
64KB

Download
memory/1936-82-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2056-37-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2056-32-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/2264-92-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2648-54-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2856-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2856-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3004-91-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3004-100-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3016-101-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads