2c37c9d71d8e4e24698d966dfcc7c1142d43ae90eee4e225412554bf2ac02da3

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2024 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a6118f5fa133f6f44b507c61fb9c430_NeikiAnalytics.exe
Size

88KB
MD5

3a6118f5fa133f6f44b507c61fb9c430
SHA1

ea24550c819b404c8d946b1a202de242b1059876
SHA256

2c37c9d71d8e4e24698d966dfcc7c1142d43ae90eee4e225412554bf2ac02da3
SHA512

72479348c654e2277c7010585b83fa328343f6a02f82df769ec4cda96323d85b0a2144a81d398b492434d390dafb49f40cd67ed93e43c4a6648c45c0efeb1804
SSDEEP

768:Qvw9816vhKQLroN4/wQRNrfrunMxVFA3b7gln:YEGh0oNl2unMxVS3Hg1

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F29C993-DF6B-4cf0-90BF-E8BA8F570EE6}\stubpath = "C:\\Windows\\{3F29C993-DF6B-4cf0-90BF-E8BA8F570EE6}.exe"	{7271BCA8-9C1F-4678-847C-EE97AA3254E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22E1CA6F-00B4-46cf-85BA-FE1757D69D45}	{32ECEC45-A1CB-44c3-A4FD-17F1A49CA8C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7427B89-D567-46bc-B981-7551EFAD1541}\stubpath = "C:\\Windows\\{C7427B89-D567-46bc-B981-7551EFAD1541}.exe"	{C972D065-F6A7-48eb-9FD8-4DCD3BD47FE8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E85F93F5-5B09-4f01-BFAB-F8DFB43EE369}	{1E3AA54F-8FEE-4551-9EE5-46CEA2C58504}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E85F93F5-5B09-4f01-BFAB-F8DFB43EE369}\stubpath = "C:\\Windows\\{E85F93F5-5B09-4f01-BFAB-F8DFB43EE369}.exe"	{1E3AA54F-8FEE-4551-9EE5-46CEA2C58504}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7271BCA8-9C1F-4678-847C-EE97AA3254E1}	{E85F93F5-5B09-4f01-BFAB-F8DFB43EE369}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7271BCA8-9C1F-4678-847C-EE97AA3254E1}\stubpath = "C:\\Windows\\{7271BCA8-9C1F-4678-847C-EE97AA3254E1}.exe"	{E85F93F5-5B09-4f01-BFAB-F8DFB43EE369}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F29C993-DF6B-4cf0-90BF-E8BA8F570EE6}	{7271BCA8-9C1F-4678-847C-EE97AA3254E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25D371AA-C204-4ba3-8E4C-62BB33D32A40}\stubpath = "C:\\Windows\\{25D371AA-C204-4ba3-8E4C-62BB33D32A40}.exe"	3a6118f5fa133f6f44b507c61fb9c430_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C972D065-F6A7-48eb-9FD8-4DCD3BD47FE8}\stubpath = "C:\\Windows\\{C972D065-F6A7-48eb-9FD8-4DCD3BD47FE8}.exe"	{22E1CA6F-00B4-46cf-85BA-FE1757D69D45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBFB27DE-2C58-45c9-BCF8-8287A41C8DB1}	{347C5328-BB26-485d-BDF9-8BD493857161}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25D371AA-C204-4ba3-8E4C-62BB33D32A40}	3a6118f5fa133f6f44b507c61fb9c430_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CAF47D77-F2EA-4e48-A77A-A5066C7D5282}	{25D371AA-C204-4ba3-8E4C-62BB33D32A40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32ECEC45-A1CB-44c3-A4FD-17F1A49CA8C2}	{CAF47D77-F2EA-4e48-A77A-A5066C7D5282}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32ECEC45-A1CB-44c3-A4FD-17F1A49CA8C2}\stubpath = "C:\\Windows\\{32ECEC45-A1CB-44c3-A4FD-17F1A49CA8C2}.exe"	{CAF47D77-F2EA-4e48-A77A-A5066C7D5282}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E3AA54F-8FEE-4551-9EE5-46CEA2C58504}	{C7427B89-D567-46bc-B981-7551EFAD1541}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{347C5328-BB26-485d-BDF9-8BD493857161}	{3F29C993-DF6B-4cf0-90BF-E8BA8F570EE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CAF47D77-F2EA-4e48-A77A-A5066C7D5282}\stubpath = "C:\\Windows\\{CAF47D77-F2EA-4e48-A77A-A5066C7D5282}.exe"	{25D371AA-C204-4ba3-8E4C-62BB33D32A40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22E1CA6F-00B4-46cf-85BA-FE1757D69D45}\stubpath = "C:\\Windows\\{22E1CA6F-00B4-46cf-85BA-FE1757D69D45}.exe"	{32ECEC45-A1CB-44c3-A4FD-17F1A49CA8C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C972D065-F6A7-48eb-9FD8-4DCD3BD47FE8}	{22E1CA6F-00B4-46cf-85BA-FE1757D69D45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7427B89-D567-46bc-B981-7551EFAD1541}	{C972D065-F6A7-48eb-9FD8-4DCD3BD47FE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E3AA54F-8FEE-4551-9EE5-46CEA2C58504}\stubpath = "C:\\Windows\\{1E3AA54F-8FEE-4551-9EE5-46CEA2C58504}.exe"	{C7427B89-D567-46bc-B981-7551EFAD1541}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{347C5328-BB26-485d-BDF9-8BD493857161}\stubpath = "C:\\Windows\\{347C5328-BB26-485d-BDF9-8BD493857161}.exe"	{3F29C993-DF6B-4cf0-90BF-E8BA8F570EE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBFB27DE-2C58-45c9-BCF8-8287A41C8DB1}\stubpath = "C:\\Windows\\{FBFB27DE-2C58-45c9-BCF8-8287A41C8DB1}.exe"	{347C5328-BB26-485d-BDF9-8BD493857161}.exe

Executes dropped EXE 12 IoCs

pid	Process
3308	{25D371AA-C204-4ba3-8E4C-62BB33D32A40}.exe
1004	{CAF47D77-F2EA-4e48-A77A-A5066C7D5282}.exe
2352	{32ECEC45-A1CB-44c3-A4FD-17F1A49CA8C2}.exe
1628	{22E1CA6F-00B4-46cf-85BA-FE1757D69D45}.exe
4684	{C972D065-F6A7-48eb-9FD8-4DCD3BD47FE8}.exe
536	{C7427B89-D567-46bc-B981-7551EFAD1541}.exe
984	{1E3AA54F-8FEE-4551-9EE5-46CEA2C58504}.exe
4560	{E85F93F5-5B09-4f01-BFAB-F8DFB43EE369}.exe
3280	{7271BCA8-9C1F-4678-847C-EE97AA3254E1}.exe
1628	{3F29C993-DF6B-4cf0-90BF-E8BA8F570EE6}.exe
1860	{347C5328-BB26-485d-BDF9-8BD493857161}.exe
4980	{FBFB27DE-2C58-45c9-BCF8-8287A41C8DB1}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{25D371AA-C204-4ba3-8E4C-62BB33D32A40}.exe	3a6118f5fa133f6f44b507c61fb9c430_NeikiAnalytics.exe
File created	C:\Windows\{C972D065-F6A7-48eb-9FD8-4DCD3BD47FE8}.exe	{22E1CA6F-00B4-46cf-85BA-FE1757D69D45}.exe
File created	C:\Windows\{7271BCA8-9C1F-4678-847C-EE97AA3254E1}.exe	{E85F93F5-5B09-4f01-BFAB-F8DFB43EE369}.exe
File created	C:\Windows\{3F29C993-DF6B-4cf0-90BF-E8BA8F570EE6}.exe	{7271BCA8-9C1F-4678-847C-EE97AA3254E1}.exe
File created	C:\Windows\{FBFB27DE-2C58-45c9-BCF8-8287A41C8DB1}.exe	{347C5328-BB26-485d-BDF9-8BD493857161}.exe
File created	C:\Windows\{E85F93F5-5B09-4f01-BFAB-F8DFB43EE369}.exe	{1E3AA54F-8FEE-4551-9EE5-46CEA2C58504}.exe
File created	C:\Windows\{347C5328-BB26-485d-BDF9-8BD493857161}.exe	{3F29C993-DF6B-4cf0-90BF-E8BA8F570EE6}.exe
File created	C:\Windows\{CAF47D77-F2EA-4e48-A77A-A5066C7D5282}.exe	{25D371AA-C204-4ba3-8E4C-62BB33D32A40}.exe
File created	C:\Windows\{32ECEC45-A1CB-44c3-A4FD-17F1A49CA8C2}.exe	{CAF47D77-F2EA-4e48-A77A-A5066C7D5282}.exe
File created	C:\Windows\{22E1CA6F-00B4-46cf-85BA-FE1757D69D45}.exe	{32ECEC45-A1CB-44c3-A4FD-17F1A49CA8C2}.exe
File created	C:\Windows\{C7427B89-D567-46bc-B981-7551EFAD1541}.exe	{C972D065-F6A7-48eb-9FD8-4DCD3BD47FE8}.exe
File created	C:\Windows\{1E3AA54F-8FEE-4551-9EE5-46CEA2C58504}.exe	{C7427B89-D567-46bc-B981-7551EFAD1541}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1892	3a6118f5fa133f6f44b507c61fb9c430_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	3308	{25D371AA-C204-4ba3-8E4C-62BB33D32A40}.exe
Token: SeIncBasePriorityPrivilege	1004	{CAF47D77-F2EA-4e48-A77A-A5066C7D5282}.exe
Token: SeIncBasePriorityPrivilege	2352	{32ECEC45-A1CB-44c3-A4FD-17F1A49CA8C2}.exe
Token: SeIncBasePriorityPrivilege	1628	{22E1CA6F-00B4-46cf-85BA-FE1757D69D45}.exe
Token: SeIncBasePriorityPrivilege	4684	{C972D065-F6A7-48eb-9FD8-4DCD3BD47FE8}.exe
Token: SeIncBasePriorityPrivilege	536	{C7427B89-D567-46bc-B981-7551EFAD1541}.exe
Token: SeIncBasePriorityPrivilege	984	{1E3AA54F-8FEE-4551-9EE5-46CEA2C58504}.exe
Token: SeIncBasePriorityPrivilege	4560	{E85F93F5-5B09-4f01-BFAB-F8DFB43EE369}.exe
Token: SeIncBasePriorityPrivilege	3280	{7271BCA8-9C1F-4678-847C-EE97AA3254E1}.exe
Token: SeIncBasePriorityPrivilege	1628	{3F29C993-DF6B-4cf0-90BF-E8BA8F570EE6}.exe
Token: SeIncBasePriorityPrivilege	1860	{347C5328-BB26-485d-BDF9-8BD493857161}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 3308	1892	3a6118f5fa133f6f44b507c61fb9c430_NeikiAnalytics.exe	95
PID 1892 wrote to memory of 3308	1892	3a6118f5fa133f6f44b507c61fb9c430_NeikiAnalytics.exe	95
PID 1892 wrote to memory of 3308	1892	3a6118f5fa133f6f44b507c61fb9c430_NeikiAnalytics.exe	95
PID 1892 wrote to memory of 1492	1892	3a6118f5fa133f6f44b507c61fb9c430_NeikiAnalytics.exe	96
PID 1892 wrote to memory of 1492	1892	3a6118f5fa133f6f44b507c61fb9c430_NeikiAnalytics.exe	96
PID 1892 wrote to memory of 1492	1892	3a6118f5fa133f6f44b507c61fb9c430_NeikiAnalytics.exe	96
PID 3308 wrote to memory of 1004	3308	{25D371AA-C204-4ba3-8E4C-62BB33D32A40}.exe	97
PID 3308 wrote to memory of 1004	3308	{25D371AA-C204-4ba3-8E4C-62BB33D32A40}.exe	97
PID 3308 wrote to memory of 1004	3308	{25D371AA-C204-4ba3-8E4C-62BB33D32A40}.exe	97
PID 3308 wrote to memory of 1660	3308	{25D371AA-C204-4ba3-8E4C-62BB33D32A40}.exe	98
PID 3308 wrote to memory of 1660	3308	{25D371AA-C204-4ba3-8E4C-62BB33D32A40}.exe	98
PID 3308 wrote to memory of 1660	3308	{25D371AA-C204-4ba3-8E4C-62BB33D32A40}.exe	98
PID 1004 wrote to memory of 2352	1004	{CAF47D77-F2EA-4e48-A77A-A5066C7D5282}.exe	101
PID 1004 wrote to memory of 2352	1004	{CAF47D77-F2EA-4e48-A77A-A5066C7D5282}.exe	101
PID 1004 wrote to memory of 2352	1004	{CAF47D77-F2EA-4e48-A77A-A5066C7D5282}.exe	101
PID 1004 wrote to memory of 2300	1004	{CAF47D77-F2EA-4e48-A77A-A5066C7D5282}.exe	102
PID 1004 wrote to memory of 2300	1004	{CAF47D77-F2EA-4e48-A77A-A5066C7D5282}.exe	102
PID 1004 wrote to memory of 2300	1004	{CAF47D77-F2EA-4e48-A77A-A5066C7D5282}.exe	102
PID 2352 wrote to memory of 1628	2352	{32ECEC45-A1CB-44c3-A4FD-17F1A49CA8C2}.exe	103
PID 2352 wrote to memory of 1628	2352	{32ECEC45-A1CB-44c3-A4FD-17F1A49CA8C2}.exe	103
PID 2352 wrote to memory of 1628	2352	{32ECEC45-A1CB-44c3-A4FD-17F1A49CA8C2}.exe	103
PID 2352 wrote to memory of 3128	2352	{32ECEC45-A1CB-44c3-A4FD-17F1A49CA8C2}.exe	104
PID 2352 wrote to memory of 3128	2352	{32ECEC45-A1CB-44c3-A4FD-17F1A49CA8C2}.exe	104
PID 2352 wrote to memory of 3128	2352	{32ECEC45-A1CB-44c3-A4FD-17F1A49CA8C2}.exe	104
PID 1628 wrote to memory of 4684	1628	{22E1CA6F-00B4-46cf-85BA-FE1757D69D45}.exe	105
PID 1628 wrote to memory of 4684	1628	{22E1CA6F-00B4-46cf-85BA-FE1757D69D45}.exe	105
PID 1628 wrote to memory of 4684	1628	{22E1CA6F-00B4-46cf-85BA-FE1757D69D45}.exe	105
PID 1628 wrote to memory of 4384	1628	{22E1CA6F-00B4-46cf-85BA-FE1757D69D45}.exe	106
PID 1628 wrote to memory of 4384	1628	{22E1CA6F-00B4-46cf-85BA-FE1757D69D45}.exe	106
PID 1628 wrote to memory of 4384	1628	{22E1CA6F-00B4-46cf-85BA-FE1757D69D45}.exe	106
PID 4684 wrote to memory of 536	4684	{C972D065-F6A7-48eb-9FD8-4DCD3BD47FE8}.exe	108
PID 4684 wrote to memory of 536	4684	{C972D065-F6A7-48eb-9FD8-4DCD3BD47FE8}.exe	108
PID 4684 wrote to memory of 536	4684	{C972D065-F6A7-48eb-9FD8-4DCD3BD47FE8}.exe	108
PID 4684 wrote to memory of 4736	4684	{C972D065-F6A7-48eb-9FD8-4DCD3BD47FE8}.exe	109
PID 4684 wrote to memory of 4736	4684	{C972D065-F6A7-48eb-9FD8-4DCD3BD47FE8}.exe	109
PID 4684 wrote to memory of 4736	4684	{C972D065-F6A7-48eb-9FD8-4DCD3BD47FE8}.exe	109
PID 536 wrote to memory of 984	536	{C7427B89-D567-46bc-B981-7551EFAD1541}.exe	110
PID 536 wrote to memory of 984	536	{C7427B89-D567-46bc-B981-7551EFAD1541}.exe	110
PID 536 wrote to memory of 984	536	{C7427B89-D567-46bc-B981-7551EFAD1541}.exe	110
PID 536 wrote to memory of 4480	536	{C7427B89-D567-46bc-B981-7551EFAD1541}.exe	111
PID 536 wrote to memory of 4480	536	{C7427B89-D567-46bc-B981-7551EFAD1541}.exe	111
PID 536 wrote to memory of 4480	536	{C7427B89-D567-46bc-B981-7551EFAD1541}.exe	111
PID 984 wrote to memory of 4560	984	{1E3AA54F-8FEE-4551-9EE5-46CEA2C58504}.exe	115
PID 984 wrote to memory of 4560	984	{1E3AA54F-8FEE-4551-9EE5-46CEA2C58504}.exe	115
PID 984 wrote to memory of 4560	984	{1E3AA54F-8FEE-4551-9EE5-46CEA2C58504}.exe	115
PID 984 wrote to memory of 3192	984	{1E3AA54F-8FEE-4551-9EE5-46CEA2C58504}.exe	116
PID 984 wrote to memory of 3192	984	{1E3AA54F-8FEE-4551-9EE5-46CEA2C58504}.exe	116
PID 984 wrote to memory of 3192	984	{1E3AA54F-8FEE-4551-9EE5-46CEA2C58504}.exe	116
PID 4560 wrote to memory of 3280	4560	{E85F93F5-5B09-4f01-BFAB-F8DFB43EE369}.exe	121
PID 4560 wrote to memory of 3280	4560	{E85F93F5-5B09-4f01-BFAB-F8DFB43EE369}.exe	121
PID 4560 wrote to memory of 3280	4560	{E85F93F5-5B09-4f01-BFAB-F8DFB43EE369}.exe	121
PID 4560 wrote to memory of 1872	4560	{E85F93F5-5B09-4f01-BFAB-F8DFB43EE369}.exe	122
PID 4560 wrote to memory of 1872	4560	{E85F93F5-5B09-4f01-BFAB-F8DFB43EE369}.exe	122
PID 4560 wrote to memory of 1872	4560	{E85F93F5-5B09-4f01-BFAB-F8DFB43EE369}.exe	122
PID 3280 wrote to memory of 1628	3280	{7271BCA8-9C1F-4678-847C-EE97AA3254E1}.exe	123
PID 3280 wrote to memory of 1628	3280	{7271BCA8-9C1F-4678-847C-EE97AA3254E1}.exe	123
PID 3280 wrote to memory of 1628	3280	{7271BCA8-9C1F-4678-847C-EE97AA3254E1}.exe	123
PID 3280 wrote to memory of 4392	3280	{7271BCA8-9C1F-4678-847C-EE97AA3254E1}.exe	124
PID 3280 wrote to memory of 4392	3280	{7271BCA8-9C1F-4678-847C-EE97AA3254E1}.exe	124
PID 3280 wrote to memory of 4392	3280	{7271BCA8-9C1F-4678-847C-EE97AA3254E1}.exe	124
PID 1628 wrote to memory of 1860	1628	{3F29C993-DF6B-4cf0-90BF-E8BA8F570EE6}.exe	127
PID 1628 wrote to memory of 1860	1628	{3F29C993-DF6B-4cf0-90BF-E8BA8F570EE6}.exe	127
PID 1628 wrote to memory of 1860	1628	{3F29C993-DF6B-4cf0-90BF-E8BA8F570EE6}.exe	127
PID 1628 wrote to memory of 4300	1628	{3F29C993-DF6B-4cf0-90BF-E8BA8F570EE6}.exe	128

C:\Users\Admin\AppData\Local\Temp\3a6118f5fa133f6f44b507c61fb9c430_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3a6118f5fa133f6f44b507c61fb9c430_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\{25D371AA-C204-4ba3-8E4C-62BB33D32A40}.exe
  C:\Windows\{25D371AA-C204-4ba3-8E4C-62BB33D32A40}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3308
- - C:\Windows\{CAF47D77-F2EA-4e48-A77A-A5066C7D5282}.exe
    C:\Windows\{CAF47D77-F2EA-4e48-A77A-A5066C7D5282}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1004
  - - C:\Windows\{32ECEC45-A1CB-44c3-A4FD-17F1A49CA8C2}.exe
      C:\Windows\{32ECEC45-A1CB-44c3-A4FD-17F1A49CA8C2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2352
    - - C:\Windows\{22E1CA6F-00B4-46cf-85BA-FE1757D69D45}.exe
        
        C:\Windows\{22E1CA6F-00B4-46cf-85BA-FE1757D69D45}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1628
      - C:\Windows\{C972D065-F6A7-48eb-9FD8-4DCD3BD47FE8}.exe
        
        C:\Windows\{C972D065-F6A7-48eb-9FD8-4DCD3BD47FE8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\{C7427B89-D567-46bc-B981-7551EFAD1541}.exe
        
        C:\Windows\{C7427B89-D567-46bc-B981-7551EFAD1541}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\{1E3AA54F-8FEE-4551-9EE5-46CEA2C58504}.exe
        
        C:\Windows\{1E3AA54F-8FEE-4551-9EE5-46CEA2C58504}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:984
        
        C:\Windows\{E85F93F5-5B09-4f01-BFAB-F8DFB43EE369}.exe
        
        C:\Windows\{E85F93F5-5B09-4f01-BFAB-F8DFB43EE369}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\{7271BCA8-9C1F-4678-847C-EE97AA3254E1}.exe
        
        C:\Windows\{7271BCA8-9C1F-4678-847C-EE97AA3254E1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\{3F29C993-DF6B-4cf0-90BF-E8BA8F570EE6}.exe
        
        C:\Windows\{3F29C993-DF6B-4cf0-90BF-E8BA8F570EE6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\{347C5328-BB26-485d-BDF9-8BD493857161}.exe
        
        C:\Windows\{347C5328-BB26-485d-BDF9-8BD493857161}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
        
        C:\Windows\{FBFB27DE-2C58-45c9-BCF8-8287A41C8DB1}.exe
        
        C:\Windows\{FBFB27DE-2C58-45c9-BCF8-8287A41C8DB1}.exe
        13⤵
        Executes dropped EXE
        
        PID:4980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{347C5~1.EXE > nul
        13⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F29C~1.EXE > nul
        12⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7271B~1.EXE > nul
        11⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E85F9~1.EXE > nul
        10⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E3AA~1.EXE > nul
        9⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7427~1.EXE > nul
        8⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C972D~1.EXE > nul
        7⤵
        
        PID:4736
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22E1C~1.EXE > nul
        6⤵
        
        PID:4384
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32ECE~1.EXE > nul
        5⤵
        
        PID:3128
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CAF47~1.EXE > nul
      4⤵
      PID:2300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{25D37~1.EXE > nul
    3⤵
    PID:1660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3A6118~1.EXE > nul
  2⤵
  PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1E3AA54F-8FEE-4551-9EE5-46CEA2C58504}.exe

Filesize
88KB

MD5
fb9d68b44cd7a9181309df931c558421

SHA1
bb027752294f193b2ff600e3e298cfd10d39bc5d

SHA256
12fbf26430be65c29604ccde88ac27d08e490408fd9d4d58b4521a4825d4d2ed

SHA512
1cc4d1223247db044f596c106b214121fb5cdeaab7e2e85c4a99d15a77930dd4060daa2b349e284300523b6c1717353bcf30cbadb1dd0575dba82bb69e1364dc

Download Submit
C:\Windows\{22E1CA6F-00B4-46cf-85BA-FE1757D69D45}.exe

Filesize
88KB

MD5
738822d28de65c5d0e61b70930b556db

SHA1
4314ad1aef20b193223c9d139bf540b18cdca155

SHA256
19d1bef788bdb7297e2a14d476c38982eb7a8859de223bf940ccf74e89b252e7

SHA512
5a79fa81e5a67b923bb241f2f47abc2d7fdc050471570a6b290328e1c359d8223f59b265c4cc81c3b9292401354386e30b7aa690edef16a933d3f81cdab3386e

Download Submit
C:\Windows\{25D371AA-C204-4ba3-8E4C-62BB33D32A40}.exe

Filesize
88KB

MD5
afcb38a27e531e6361a3d00caf0073f5

SHA1
28323a2884b36336f123639050ac566bd321195d

SHA256
1f784d2d2f90cf905d58b52cc2022fb764b9520e66aa0d1fbd8fa32d7d46cad2

SHA512
30200142100fa6a489e04c493d23b6bfd3036c17b28baa113095a7accb04d254f4a42264ddfd7cbd685585ef11a3d60a3ef707a982c7aceeef6340aa33a15e1f

Download Submit
C:\Windows\{32ECEC45-A1CB-44c3-A4FD-17F1A49CA8C2}.exe

Filesize
88KB

MD5
627319a496585b8786102766abeceba1

SHA1
b54fbb93f208f81945b9782e06e78c4411bb8af1

SHA256
525d91cd5e324f44b00bf64d20f7254ba6513e525558adef5cfa377d8e3518a3

SHA512
d94c7f04f31a61b67c6649276bf3f1a684f27666518605c70d4184bf0456b08bb983e67e322d70db07232018a4014a9df38e5f0e905de062a869a68b1b1389eb

Download Submit
C:\Windows\{347C5328-BB26-485d-BDF9-8BD493857161}.exe

Filesize
88KB

MD5
a0f381e66c2222af6a2b8e382acf39cd

SHA1
1f2fa2caef24d55a360446d93bf75e4fb27056a7

SHA256
2a30810a5457839a39bdb9a5e3a4a4b36137d8efbb7f98eab4816268b477fad6

SHA512
fd5110c4be1986ec2cdf35b4ae05acb52a6351d4c63c91a867aea9a38d505a09d87667ed7302ef5defdaa638ea2dc1d036f72cf1038ac7508deefdcc3e6e6535

Download Submit
C:\Windows\{3F29C993-DF6B-4cf0-90BF-E8BA8F570EE6}.exe

Filesize
88KB

MD5
a6baed06ef43dec2e4c576f653a00f40

SHA1
f59ad58b1f2fb373fd11a0402463959bfac00f3d

SHA256
1595b074b806d2299cbb9ed329be5dc121caed38931692d041cdccd44983b727

SHA512
ec62798fe92f8b6976ee894739042dc2e0bbc7c362e73bfebccb0294915e427ae4a3d95a53027849231252a4098ab12d381c999ecc3d7ce7babf9939759858e2

Download Submit
C:\Windows\{7271BCA8-9C1F-4678-847C-EE97AA3254E1}.exe

Filesize
88KB

MD5
dcb62ce46114b9e657b21adc49bd111c

SHA1
02f0e38d231dafecbe278fc2ac6fb57670be43ff

SHA256
e6d94c5b3700e4808c9610a5a763e503e77cfbb2e4846bef156e4ea85eb00582

SHA512
57e47f246f887418d04473c43819e20b0121f375882b06749d62c687245d9fc6882602558c0bd43375d0a69cf2f588fc40a58fc716bbd834e19c204e93175f73

Download Submit
C:\Windows\{C7427B89-D567-46bc-B981-7551EFAD1541}.exe

Filesize
88KB

MD5
5b54a0aeb201f64244c9b4a5026db705

SHA1
8efd1c5de67c2f744177fda4e8010160da6bbab7

SHA256
e1f16d3b7ae6f16cfb8b89cdc96987da90205b3f96f0b8b5f60db64124a9538c

SHA512
be41881c1ba18473122f6b8592cc73fc44a0113f84b1520f3cec6fa953cc1e7c9cf8af5358f0c8c462b45c7ea0d8b0076f685ecbd58bfbc73a36c8fbd91cea7f

Download Submit
C:\Windows\{C972D065-F6A7-48eb-9FD8-4DCD3BD47FE8}.exe

Filesize
88KB

MD5
b6864af492b7822bb5732feaf116ad86

SHA1
21d9d4bacf8f6e5c8a72689aa2da1848904b9d90

SHA256
9f8329518752997edd07103c89317b22231f5487756a855b0b99651bfa6385bb

SHA512
0dc1fea6956116c996ec39fc4b42fdc13a7138f826b5874240ba6f4dac69cd5a449a06fcc0ed5cf39c6c79b2c6ded1e0c6bd260937f05eba509a05feecbb6b1f

Download Submit
C:\Windows\{CAF47D77-F2EA-4e48-A77A-A5066C7D5282}.exe

Filesize
88KB

MD5
c15e73f1b9aec46adcfc47403c8d2882

SHA1
d533caddeaca079caa93b46643b2f1315bec952a

SHA256
21f38f9f6b6f001e2395759e2754394e3e2af6d5af9755fc7b960e538b920ddb

SHA512
6f00dc81d8df862b50dd690f873a23a5042dd9f9ca4a8b73630332cfe81b7fd713ff994fbd1a4a47f79afb03f0d7fede319d263b0d0ce33a5d9192ac5b2e32da

Download Submit
C:\Windows\{E85F93F5-5B09-4f01-BFAB-F8DFB43EE369}.exe

Filesize
88KB

MD5
6076d4ca7d3e1fdda96c36d2e4a0664a

SHA1
b7546cca2e786c4aec02405bc39329e64571a9bf

SHA256
04fdcd8e1879c355d1244f3c7402da633617e8b6a58590f754ef1496413aed59

SHA512
4f87276ba9fe5431d35000e3a58258dd1624188a0bc903d4088223255ff45f7eb8503b043f7916b7efb1a4334b07fe2370e5dae73639a852dad737b0f559ffae

Download Submit
C:\Windows\{FBFB27DE-2C58-45c9-BCF8-8287A41C8DB1}.exe

Filesize
88KB

MD5
794e0346567cebc170912fe61baafef6

SHA1
12ad89236856ad7e3e11f814ddd96447ec553594

SHA256
3e4807a3f418b176dd36d90ecbdec7fda7fbb5239101afc51db63bf51c38aaa1

SHA512
a5a45a8442b5d7683e3bd634942c25628a25b7f636f6195e1d0a87227aabb46baba753e0a4b4e5e250d60141cad5fde673af95bf0a7135878dc7ddca348c5854

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads