a3ee938fd50270ae98fce245d0f01293371481a4524aa1ab8c110689b26bdb3a

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
06/06/2024, 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1dac16f56ee63b1b03619138ae17a3a0_NeikiAnalytics.exe
Size

64KB
MD5

1dac16f56ee63b1b03619138ae17a3a0
SHA1

da64ac5abb26c717672ca27e455aaac690ff99ac
SHA256

a3ee938fd50270ae98fce245d0f01293371481a4524aa1ab8c110689b26bdb3a
SHA512

82e2cb5d4cba9d93b857870cabf2d94a423026b90129909d2e10f9b346084b19cbcedef4ad2055575a3f98c29a0cc7d871f82923c9da66dd738060fb6c798540
SSDEEP

768:Ovw9816ihKQLroCb4/wQxWMZQcpFM1FgDagXP2TyS1tl7lfqvocqcdT3WVdu:6EGU0oCblwWMZQcpmgDagIyS1loL7Wru

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DC3B475-2881-4142-9147-6607EA9FF666}\stubpath = "C:\\Windows\\{8DC3B475-2881-4142-9147-6607EA9FF666}.exe"	{DEF37D0D-7E14-46e1-AA03-C668E96A07BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88D8881F-2797-4265-8B78-2A95E5E79CB6}\stubpath = "C:\\Windows\\{88D8881F-2797-4265-8B78-2A95E5E79CB6}.exe"	{8DC3B475-2881-4142-9147-6607EA9FF666}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5E7F2B5-EA33-426d-A5E6-75E862BB4467}	{88D8881F-2797-4265-8B78-2A95E5E79CB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FC9183B-BD88-4103-9A79-68504DAC337F}	{B5E7F2B5-EA33-426d-A5E6-75E862BB4467}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEF37D0D-7E14-46e1-AA03-C668E96A07BA}\stubpath = "C:\\Windows\\{DEF37D0D-7E14-46e1-AA03-C668E96A07BA}.exe"	{FE75D9D2-AD8E-4536-92C9-0ECC68B9E395}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DC3B475-2881-4142-9147-6607EA9FF666}	{DEF37D0D-7E14-46e1-AA03-C668E96A07BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17B620FC-6799-4397-A1DB-2C1833911AA7}\stubpath = "C:\\Windows\\{17B620FC-6799-4397-A1DB-2C1833911AA7}.exe"	{923AFF73-DAFD-4101-9102-1544FFDACED2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6EC975BA-0253-4608-A4F8-3AB6EB1CA13F}\stubpath = "C:\\Windows\\{6EC975BA-0253-4608-A4F8-3AB6EB1CA13F}.exe"	{91C077E5-2B5A-45f1-80EB-5EE49D2189CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E15A96AA-3A2E-49ac-B22C-B364B4E4D8CF}	1dac16f56ee63b1b03619138ae17a3a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE75D9D2-AD8E-4536-92C9-0ECC68B9E395}	{E15A96AA-3A2E-49ac-B22C-B364B4E4D8CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91C077E5-2B5A-45f1-80EB-5EE49D2189CB}	{17B620FC-6799-4397-A1DB-2C1833911AA7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91C077E5-2B5A-45f1-80EB-5EE49D2189CB}\stubpath = "C:\\Windows\\{91C077E5-2B5A-45f1-80EB-5EE49D2189CB}.exe"	{17B620FC-6799-4397-A1DB-2C1833911AA7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6EC975BA-0253-4608-A4F8-3AB6EB1CA13F}	{91C077E5-2B5A-45f1-80EB-5EE49D2189CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE75D9D2-AD8E-4536-92C9-0ECC68B9E395}\stubpath = "C:\\Windows\\{FE75D9D2-AD8E-4536-92C9-0ECC68B9E395}.exe"	{E15A96AA-3A2E-49ac-B22C-B364B4E4D8CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88D8881F-2797-4265-8B78-2A95E5E79CB6}	{8DC3B475-2881-4142-9147-6607EA9FF666}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5E7F2B5-EA33-426d-A5E6-75E862BB4467}\stubpath = "C:\\Windows\\{B5E7F2B5-EA33-426d-A5E6-75E862BB4467}.exe"	{88D8881F-2797-4265-8B78-2A95E5E79CB6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0FC9183B-BD88-4103-9A79-68504DAC337F}\stubpath = "C:\\Windows\\{0FC9183B-BD88-4103-9A79-68504DAC337F}.exe"	{B5E7F2B5-EA33-426d-A5E6-75E862BB4467}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{923AFF73-DAFD-4101-9102-1544FFDACED2}	{0FC9183B-BD88-4103-9A79-68504DAC337F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{923AFF73-DAFD-4101-9102-1544FFDACED2}\stubpath = "C:\\Windows\\{923AFF73-DAFD-4101-9102-1544FFDACED2}.exe"	{0FC9183B-BD88-4103-9A79-68504DAC337F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17B620FC-6799-4397-A1DB-2C1833911AA7}	{923AFF73-DAFD-4101-9102-1544FFDACED2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E15A96AA-3A2E-49ac-B22C-B364B4E4D8CF}\stubpath = "C:\\Windows\\{E15A96AA-3A2E-49ac-B22C-B364B4E4D8CF}.exe"	1dac16f56ee63b1b03619138ae17a3a0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEF37D0D-7E14-46e1-AA03-C668E96A07BA}	{FE75D9D2-AD8E-4536-92C9-0ECC68B9E395}.exe

Deletes itself 1 IoCs

pid	Process
3052	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2080	{E15A96AA-3A2E-49ac-B22C-B364B4E4D8CF}.exe
2764	{FE75D9D2-AD8E-4536-92C9-0ECC68B9E395}.exe
2692	{DEF37D0D-7E14-46e1-AA03-C668E96A07BA}.exe
2560	{8DC3B475-2881-4142-9147-6607EA9FF666}.exe
2576	{88D8881F-2797-4265-8B78-2A95E5E79CB6}.exe
1752	{B5E7F2B5-EA33-426d-A5E6-75E862BB4467}.exe
1048	{0FC9183B-BD88-4103-9A79-68504DAC337F}.exe
1432	{923AFF73-DAFD-4101-9102-1544FFDACED2}.exe
2744	{17B620FC-6799-4397-A1DB-2C1833911AA7}.exe
1244	{91C077E5-2B5A-45f1-80EB-5EE49D2189CB}.exe
1812	{6EC975BA-0253-4608-A4F8-3AB6EB1CA13F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8DC3B475-2881-4142-9147-6607EA9FF666}.exe	{DEF37D0D-7E14-46e1-AA03-C668E96A07BA}.exe
File created	C:\Windows\{B5E7F2B5-EA33-426d-A5E6-75E862BB4467}.exe	{88D8881F-2797-4265-8B78-2A95E5E79CB6}.exe
File created	C:\Windows\{0FC9183B-BD88-4103-9A79-68504DAC337F}.exe	{B5E7F2B5-EA33-426d-A5E6-75E862BB4467}.exe
File created	C:\Windows\{E15A96AA-3A2E-49ac-B22C-B364B4E4D8CF}.exe	1dac16f56ee63b1b03619138ae17a3a0_NeikiAnalytics.exe
File created	C:\Windows\{FE75D9D2-AD8E-4536-92C9-0ECC68B9E395}.exe	{E15A96AA-3A2E-49ac-B22C-B364B4E4D8CF}.exe
File created	C:\Windows\{DEF37D0D-7E14-46e1-AA03-C668E96A07BA}.exe	{FE75D9D2-AD8E-4536-92C9-0ECC68B9E395}.exe
File created	C:\Windows\{88D8881F-2797-4265-8B78-2A95E5E79CB6}.exe	{8DC3B475-2881-4142-9147-6607EA9FF666}.exe
File created	C:\Windows\{923AFF73-DAFD-4101-9102-1544FFDACED2}.exe	{0FC9183B-BD88-4103-9A79-68504DAC337F}.exe
File created	C:\Windows\{17B620FC-6799-4397-A1DB-2C1833911AA7}.exe	{923AFF73-DAFD-4101-9102-1544FFDACED2}.exe
File created	C:\Windows\{91C077E5-2B5A-45f1-80EB-5EE49D2189CB}.exe	{17B620FC-6799-4397-A1DB-2C1833911AA7}.exe
File created	C:\Windows\{6EC975BA-0253-4608-A4F8-3AB6EB1CA13F}.exe	{91C077E5-2B5A-45f1-80EB-5EE49D2189CB}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2244	1dac16f56ee63b1b03619138ae17a3a0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2080	{E15A96AA-3A2E-49ac-B22C-B364B4E4D8CF}.exe
Token: SeIncBasePriorityPrivilege	2764	{FE75D9D2-AD8E-4536-92C9-0ECC68B9E395}.exe
Token: SeIncBasePriorityPrivilege	2692	{DEF37D0D-7E14-46e1-AA03-C668E96A07BA}.exe
Token: SeIncBasePriorityPrivilege	2560	{8DC3B475-2881-4142-9147-6607EA9FF666}.exe
Token: SeIncBasePriorityPrivilege	2576	{88D8881F-2797-4265-8B78-2A95E5E79CB6}.exe
Token: SeIncBasePriorityPrivilege	1752	{B5E7F2B5-EA33-426d-A5E6-75E862BB4467}.exe
Token: SeIncBasePriorityPrivilege	1048	{0FC9183B-BD88-4103-9A79-68504DAC337F}.exe
Token: SeIncBasePriorityPrivilege	1432	{923AFF73-DAFD-4101-9102-1544FFDACED2}.exe
Token: SeIncBasePriorityPrivilege	2744	{17B620FC-6799-4397-A1DB-2C1833911AA7}.exe
Token: SeIncBasePriorityPrivilege	1244	{91C077E5-2B5A-45f1-80EB-5EE49D2189CB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2080	2244	1dac16f56ee63b1b03619138ae17a3a0_NeikiAnalytics.exe	28
PID 2244 wrote to memory of 2080	2244	1dac16f56ee63b1b03619138ae17a3a0_NeikiAnalytics.exe	28
PID 2244 wrote to memory of 2080	2244	1dac16f56ee63b1b03619138ae17a3a0_NeikiAnalytics.exe	28
PID 2244 wrote to memory of 2080	2244	1dac16f56ee63b1b03619138ae17a3a0_NeikiAnalytics.exe	28
PID 2244 wrote to memory of 3052	2244	1dac16f56ee63b1b03619138ae17a3a0_NeikiAnalytics.exe	29
PID 2244 wrote to memory of 3052	2244	1dac16f56ee63b1b03619138ae17a3a0_NeikiAnalytics.exe	29
PID 2244 wrote to memory of 3052	2244	1dac16f56ee63b1b03619138ae17a3a0_NeikiAnalytics.exe	29
PID 2244 wrote to memory of 3052	2244	1dac16f56ee63b1b03619138ae17a3a0_NeikiAnalytics.exe	29
PID 2080 wrote to memory of 2764	2080	{E15A96AA-3A2E-49ac-B22C-B364B4E4D8CF}.exe	30
PID 2080 wrote to memory of 2764	2080	{E15A96AA-3A2E-49ac-B22C-B364B4E4D8CF}.exe	30
PID 2080 wrote to memory of 2764	2080	{E15A96AA-3A2E-49ac-B22C-B364B4E4D8CF}.exe	30
PID 2080 wrote to memory of 2764	2080	{E15A96AA-3A2E-49ac-B22C-B364B4E4D8CF}.exe	30
PID 2080 wrote to memory of 2524	2080	{E15A96AA-3A2E-49ac-B22C-B364B4E4D8CF}.exe	31
PID 2080 wrote to memory of 2524	2080	{E15A96AA-3A2E-49ac-B22C-B364B4E4D8CF}.exe	31
PID 2080 wrote to memory of 2524	2080	{E15A96AA-3A2E-49ac-B22C-B364B4E4D8CF}.exe	31
PID 2080 wrote to memory of 2524	2080	{E15A96AA-3A2E-49ac-B22C-B364B4E4D8CF}.exe	31
PID 2764 wrote to memory of 2692	2764	{FE75D9D2-AD8E-4536-92C9-0ECC68B9E395}.exe	32
PID 2764 wrote to memory of 2692	2764	{FE75D9D2-AD8E-4536-92C9-0ECC68B9E395}.exe	32
PID 2764 wrote to memory of 2692	2764	{FE75D9D2-AD8E-4536-92C9-0ECC68B9E395}.exe	32
PID 2764 wrote to memory of 2692	2764	{FE75D9D2-AD8E-4536-92C9-0ECC68B9E395}.exe	32
PID 2764 wrote to memory of 1696	2764	{FE75D9D2-AD8E-4536-92C9-0ECC68B9E395}.exe	33
PID 2764 wrote to memory of 1696	2764	{FE75D9D2-AD8E-4536-92C9-0ECC68B9E395}.exe	33
PID 2764 wrote to memory of 1696	2764	{FE75D9D2-AD8E-4536-92C9-0ECC68B9E395}.exe	33
PID 2764 wrote to memory of 1696	2764	{FE75D9D2-AD8E-4536-92C9-0ECC68B9E395}.exe	33
PID 2692 wrote to memory of 2560	2692	{DEF37D0D-7E14-46e1-AA03-C668E96A07BA}.exe	36
PID 2692 wrote to memory of 2560	2692	{DEF37D0D-7E14-46e1-AA03-C668E96A07BA}.exe	36
PID 2692 wrote to memory of 2560	2692	{DEF37D0D-7E14-46e1-AA03-C668E96A07BA}.exe	36
PID 2692 wrote to memory of 2560	2692	{DEF37D0D-7E14-46e1-AA03-C668E96A07BA}.exe	36
PID 2692 wrote to memory of 316	2692	{DEF37D0D-7E14-46e1-AA03-C668E96A07BA}.exe	37
PID 2692 wrote to memory of 316	2692	{DEF37D0D-7E14-46e1-AA03-C668E96A07BA}.exe	37
PID 2692 wrote to memory of 316	2692	{DEF37D0D-7E14-46e1-AA03-C668E96A07BA}.exe	37
PID 2692 wrote to memory of 316	2692	{DEF37D0D-7E14-46e1-AA03-C668E96A07BA}.exe	37
PID 2560 wrote to memory of 2576	2560	{8DC3B475-2881-4142-9147-6607EA9FF666}.exe	38
PID 2560 wrote to memory of 2576	2560	{8DC3B475-2881-4142-9147-6607EA9FF666}.exe	38
PID 2560 wrote to memory of 2576	2560	{8DC3B475-2881-4142-9147-6607EA9FF666}.exe	38
PID 2560 wrote to memory of 2576	2560	{8DC3B475-2881-4142-9147-6607EA9FF666}.exe	38
PID 2560 wrote to memory of 1800	2560	{8DC3B475-2881-4142-9147-6607EA9FF666}.exe	39
PID 2560 wrote to memory of 1800	2560	{8DC3B475-2881-4142-9147-6607EA9FF666}.exe	39
PID 2560 wrote to memory of 1800	2560	{8DC3B475-2881-4142-9147-6607EA9FF666}.exe	39
PID 2560 wrote to memory of 1800	2560	{8DC3B475-2881-4142-9147-6607EA9FF666}.exe	39
PID 2576 wrote to memory of 1752	2576	{88D8881F-2797-4265-8B78-2A95E5E79CB6}.exe	40
PID 2576 wrote to memory of 1752	2576	{88D8881F-2797-4265-8B78-2A95E5E79CB6}.exe	40
PID 2576 wrote to memory of 1752	2576	{88D8881F-2797-4265-8B78-2A95E5E79CB6}.exe	40
PID 2576 wrote to memory of 1752	2576	{88D8881F-2797-4265-8B78-2A95E5E79CB6}.exe	40
PID 2576 wrote to memory of 1988	2576	{88D8881F-2797-4265-8B78-2A95E5E79CB6}.exe	41
PID 2576 wrote to memory of 1988	2576	{88D8881F-2797-4265-8B78-2A95E5E79CB6}.exe	41
PID 2576 wrote to memory of 1988	2576	{88D8881F-2797-4265-8B78-2A95E5E79CB6}.exe	41
PID 2576 wrote to memory of 1988	2576	{88D8881F-2797-4265-8B78-2A95E5E79CB6}.exe	41
PID 1752 wrote to memory of 1048	1752	{B5E7F2B5-EA33-426d-A5E6-75E862BB4467}.exe	42
PID 1752 wrote to memory of 1048	1752	{B5E7F2B5-EA33-426d-A5E6-75E862BB4467}.exe	42
PID 1752 wrote to memory of 1048	1752	{B5E7F2B5-EA33-426d-A5E6-75E862BB4467}.exe	42
PID 1752 wrote to memory of 1048	1752	{B5E7F2B5-EA33-426d-A5E6-75E862BB4467}.exe	42
PID 1752 wrote to memory of 760	1752	{B5E7F2B5-EA33-426d-A5E6-75E862BB4467}.exe	43
PID 1752 wrote to memory of 760	1752	{B5E7F2B5-EA33-426d-A5E6-75E862BB4467}.exe	43
PID 1752 wrote to memory of 760	1752	{B5E7F2B5-EA33-426d-A5E6-75E862BB4467}.exe	43
PID 1752 wrote to memory of 760	1752	{B5E7F2B5-EA33-426d-A5E6-75E862BB4467}.exe	43
PID 1048 wrote to memory of 1432	1048	{0FC9183B-BD88-4103-9A79-68504DAC337F}.exe	44
PID 1048 wrote to memory of 1432	1048	{0FC9183B-BD88-4103-9A79-68504DAC337F}.exe	44
PID 1048 wrote to memory of 1432	1048	{0FC9183B-BD88-4103-9A79-68504DAC337F}.exe	44
PID 1048 wrote to memory of 1432	1048	{0FC9183B-BD88-4103-9A79-68504DAC337F}.exe	44
PID 1048 wrote to memory of 2344	1048	{0FC9183B-BD88-4103-9A79-68504DAC337F}.exe	45
PID 1048 wrote to memory of 2344	1048	{0FC9183B-BD88-4103-9A79-68504DAC337F}.exe	45
PID 1048 wrote to memory of 2344	1048	{0FC9183B-BD88-4103-9A79-68504DAC337F}.exe	45
PID 1048 wrote to memory of 2344	1048	{0FC9183B-BD88-4103-9A79-68504DAC337F}.exe	45

C:\Users\Admin\AppData\Local\Temp\1dac16f56ee63b1b03619138ae17a3a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1dac16f56ee63b1b03619138ae17a3a0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\{E15A96AA-3A2E-49ac-B22C-B364B4E4D8CF}.exe
  C:\Windows\{E15A96AA-3A2E-49ac-B22C-B364B4E4D8CF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\{FE75D9D2-AD8E-4536-92C9-0ECC68B9E395}.exe
    C:\Windows\{FE75D9D2-AD8E-4536-92C9-0ECC68B9E395}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\{DEF37D0D-7E14-46e1-AA03-C668E96A07BA}.exe
      C:\Windows\{DEF37D0D-7E14-46e1-AA03-C668E96A07BA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\{8DC3B475-2881-4142-9147-6607EA9FF666}.exe
        
        C:\Windows\{8DC3B475-2881-4142-9147-6607EA9FF666}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2560
      - C:\Windows\{88D8881F-2797-4265-8B78-2A95E5E79CB6}.exe
        
        C:\Windows\{88D8881F-2797-4265-8B78-2A95E5E79CB6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\{B5E7F2B5-EA33-426d-A5E6-75E862BB4467}.exe
        
        C:\Windows\{B5E7F2B5-EA33-426d-A5E6-75E862BB4467}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\{0FC9183B-BD88-4103-9A79-68504DAC337F}.exe
        
        C:\Windows\{0FC9183B-BD88-4103-9A79-68504DAC337F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\{923AFF73-DAFD-4101-9102-1544FFDACED2}.exe
        
        C:\Windows\{923AFF73-DAFD-4101-9102-1544FFDACED2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
        
        C:\Windows\{17B620FC-6799-4397-A1DB-2C1833911AA7}.exe
        
        C:\Windows\{17B620FC-6799-4397-A1DB-2C1833911AA7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\{91C077E5-2B5A-45f1-80EB-5EE49D2189CB}.exe
        
        C:\Windows\{91C077E5-2B5A-45f1-80EB-5EE49D2189CB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
        
        C:\Windows\{6EC975BA-0253-4608-A4F8-3AB6EB1CA13F}.exe
        
        C:\Windows\{6EC975BA-0253-4608-A4F8-3AB6EB1CA13F}.exe
        12⤵
        Executes dropped EXE
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91C07~1.EXE > nul
        12⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17B62~1.EXE > nul
        11⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{923AF~1.EXE > nul
        10⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FC91~1.EXE > nul
        9⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5E7F~1.EXE > nul
        8⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88D88~1.EXE > nul
        7⤵
        
        PID:1988
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DC3B~1.EXE > nul
        6⤵
        
        PID:1800
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEF37~1.EXE > nul
        5⤵
        
        PID:316
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FE75D~1.EXE > nul
      4⤵
      PID:1696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E15A9~1.EXE > nul
    3⤵
    PID:2524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\1DAC16~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0FC9183B-BD88-4103-9A79-68504DAC337F}.exe

Filesize
64KB

MD5
ccd649d32d70856f69c37d313c053f7d

SHA1
263e70d2e4ac6144ad2ba3579f4c65527217c3ff

SHA256
ab571d7ecbbe44c6ad0e49412b04c92ae91d3ee0ca0196559af15b337ffd94c3

SHA512
3992bb7530113d87ff1be418fa8baa3fc6ee992f354534335a4556c6f9c4dc4e78b13c2951d392d4640abbf890f223f7e4d648e31b1683e256db5420b68863cc

Download Submit
C:\Windows\{17B620FC-6799-4397-A1DB-2C1833911AA7}.exe

Filesize
64KB

MD5
0dd220ce808b9eab13b3a93bcec2ab23

SHA1
2c90183294d65b6f1f29226cd272de36c5e51b52

SHA256
537614cc945b98722630a1c802d317adf890a692c317ae97d91bf064aca8bb78

SHA512
f784dae32f66d3741a76bf67cb0cd2b2c6445204bbfd535b6a688e7f22535c378a7764eadf1c98af8927f5a8050f4ab9abf82b65cf1fae2a7245f26055a22400

Download Submit
C:\Windows\{6EC975BA-0253-4608-A4F8-3AB6EB1CA13F}.exe

Filesize
64KB

MD5
e4091cadc041881d8a5af5ca82ece714

SHA1
9542c2fb554484af014ece232763d47149de314d

SHA256
16b56629a13e690fee4af5a5e072e44489551c4b65376aeeb67e2444f8202dd7

SHA512
9ed354b8397986359811cfdd220a66ece72f78c0c891518d3da91559e22aa649071bb4e9ac109f8aed5851066960548d8fb6a2c1a3fdab28a5fb3377d8ea7b2e

Download Submit
C:\Windows\{88D8881F-2797-4265-8B78-2A95E5E79CB6}.exe

Filesize
64KB

MD5
bbf3bf9bb76ffc8b96a40fb41b4eabcf

SHA1
afa879013033eea1efd113709a0450674668ff03

SHA256
26765d414f411e1bed8442d28aa9536f55058a384a590b09aad57a1fb5501f11

SHA512
75f5a24f4ae4f1ae02450b0226d7885a11c31286c8b0499e1049a0a94fce344686ed2b661bc373fb28bd8b201faf54cc43df74f3594cc1a75aed3630bc97260a

Download Submit
C:\Windows\{8DC3B475-2881-4142-9147-6607EA9FF666}.exe

Filesize
64KB

MD5
0dc67372e2bb95f69790097a2ec73fb2

SHA1
b6014da9f306adbe63263097f72c5d8e55ecbc58

SHA256
3899f81184b226f8e42b8563275d0f6405f2b46539f0df9da5fb3d2480573acd

SHA512
cecee173376894d5618186a545972f2f28365d57a6b130b567a06b577cca22c9d56a56d5099c2f62efcc85810410d2224d17d6eb162eccd8982c122f86cf1a67

Download Submit
C:\Windows\{91C077E5-2B5A-45f1-80EB-5EE49D2189CB}.exe

Filesize
64KB

MD5
89f04650ed1d42986384324afdc49f04

SHA1
40687c2e0ae7473b769ee0bb45f26078b40582fc

SHA256
9c6d5e31e126f36e64506bd343fc16b4f452ff04620892766c499e8b45ab0fd3

SHA512
f0d1cfc3b9f716133f7e8bc421c8a3b4b5232c817e5d3c52b2e161e606e60c3af76fc0fda8d99191558a854dc5f0f9e9997da212ac987689b11365138f352d79

Download Submit
C:\Windows\{923AFF73-DAFD-4101-9102-1544FFDACED2}.exe

Filesize
64KB

MD5
8926da9d4ca5242a5b818732d0efa32b

SHA1
409bd5fb64f91f1258951691a86a427947f3f591

SHA256
02467b25dc34e179ed8ae4d7bd83fcdf94d688d2085390e6d96fc879144a214d

SHA512
50b6040627d3cc248ef58fa664de03016280db761290abb0bae94f65f953750fe584bdcd3869adf42b6cce7e37dde8d0ba13c9a3e88df5b328b7b82fa60fc957

Download Submit
C:\Windows\{B5E7F2B5-EA33-426d-A5E6-75E862BB4467}.exe

Filesize
64KB

MD5
0920719892d387f54fafe3b681d911e3

SHA1
068e1ca4bb62cd0c124d9496e865a7c74902f480

SHA256
92679fd4d6320430b087da2f387d224a6a64068449fe1982af5fda96174af2b3

SHA512
e891368f2c41c322bd51b52579ea95763e57f2cde4d5afb61160eb24142315b5b73be4e8244252c0839eec4ed40da2baf8a566c431c2a6d30f48d2af07f05511

Download Submit
C:\Windows\{DEF37D0D-7E14-46e1-AA03-C668E96A07BA}.exe

Filesize
64KB

MD5
6de27e854362e36bfde891b370dbd76c

SHA1
6e90ed03fb70882aaf7e735ef1e5c439d2038ce6

SHA256
d033d47e8828dabb55445f524232a2279ebdedda4529e61e2a55c4d02592216a

SHA512
04c3df72bc8d75420f343f9e2a0982f01cc9d8518015923c25baf75b9955adac1b5d554f1726f30455f75ad043dd45df757e559b52693d3db3643f4b930bb08a

Download Submit
C:\Windows\{E15A96AA-3A2E-49ac-B22C-B364B4E4D8CF}.exe

Filesize
64KB

MD5
6f38e61bffff16a2b1836eef09fbc03b

SHA1
b51cc2398bafd31ce11e8d3b8434330d218e0def

SHA256
e02ef515dc8e9dde7c8fc2bce331b5093edcf66383c42d825ea99a551818c56f

SHA512
e6b1f7aabde463a891ad12443447d539ffbf72561401dcaf8eaadda9e0e336e70080f7c2558828fe0b8e2b9f26d515032cc5c7213765d69c76263a0f628a5370

Download Submit
C:\Windows\{FE75D9D2-AD8E-4536-92C9-0ECC68B9E395}.exe

Filesize
64KB

MD5
f16d780ba277a27d733d4a5f6ebb2504

SHA1
bd2f3acc679a4f76771c41ac460c0adafc3ff03e

SHA256
a34098fa0a29a0cff006078cc29da179234db17f09cdbbb202e3580ca5dd0d21

SHA512
cdef5cb65a92691cfb28240720d142d97226ee4e901a81e0e1c2bedaa8f7f24f13778e2bc159c4d91770f9be80f82c1bf493324bc58e4972e4205b61a7821363

Download Submit
memory/1048-72-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1048-64-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1244-102-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1244-100-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/1244-92-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1432-82-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1432-73-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1752-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1812-101-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2080-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2080-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2244-7-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/2244-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2244-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2244-8-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/2560-37-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2560-45-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2576-55-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2576-50-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/2576-46-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2692-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2692-36-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2744-81-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2744-89-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/2744-91-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2764-27-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2764-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads