024c3f286e144c2f802062388cad0485da458c58b0bd1aa823c11f95dc9cc745

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
06/06/2024, 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df88abbac60ef61f369807651eab9330_NeikiAnalytics.exe
Size

64KB
MD5

df88abbac60ef61f369807651eab9330
SHA1

2964f96019d5ca02ef2a00d57c010c54ed96e9e5
SHA256

024c3f286e144c2f802062388cad0485da458c58b0bd1aa823c11f95dc9cc745
SHA512

aa131bc275b07726103b45370ee3f4b4fd00cb570c326cbbcbd77e240d99bfe72d5a0a22486a15d44875bacd6172e3f00150699e7c0bfe6dbb5aef3ae0f3599f
SSDEEP

192:ObOzawOs81elJHsc45ecRZOgtShcWaOT2QLrCqwqY04/CFxyNhoy5tF:ObLwOs8AHsc4QMfwhKQLroA4/CFsrdF

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C096D270-33D4-41a3-99A8-A1C9CE6AC308}\stubpath = "C:\\Windows\\{C096D270-33D4-41a3-99A8-A1C9CE6AC308}.exe"	{1FEDF98D-007E-467f-9F23-49AE72999AEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF2D3196-5983-4ec0-8EDC-C959ECF6E39E}\stubpath = "C:\\Windows\\{FF2D3196-5983-4ec0-8EDC-C959ECF6E39E}.exe"	{DEC57AE4-3E08-40fc-8B82-5A1009F8E686}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{322946AF-22EC-42a6-81F1-A2ABD6779682}\stubpath = "C:\\Windows\\{322946AF-22EC-42a6-81F1-A2ABD6779682}.exe"	{FF2D3196-5983-4ec0-8EDC-C959ECF6E39E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0053B60C-3081-4c3c-AA33-8DEFDF7C545B}\stubpath = "C:\\Windows\\{0053B60C-3081-4c3c-AA33-8DEFDF7C545B}.exe"	{322946AF-22EC-42a6-81F1-A2ABD6779682}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD715627-F48D-4faf-BA01-4ABE2F567E2B}	{0053B60C-3081-4c3c-AA33-8DEFDF7C545B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD715627-F48D-4faf-BA01-4ABE2F567E2B}\stubpath = "C:\\Windows\\{FD715627-F48D-4faf-BA01-4ABE2F567E2B}.exe"	{0053B60C-3081-4c3c-AA33-8DEFDF7C545B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FEDF98D-007E-467f-9F23-49AE72999AEB}\stubpath = "C:\\Windows\\{1FEDF98D-007E-467f-9F23-49AE72999AEB}.exe"	{7AE5B227-C834-4b8c-8904-0511879A0AB0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B50EFCFF-1780-49b8-9C51-5DBD57BC1EBF}\stubpath = "C:\\Windows\\{B50EFCFF-1780-49b8-9C51-5DBD57BC1EBF}.exe"	{C096D270-33D4-41a3-99A8-A1C9CE6AC308}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08C6145F-8781-4097-A518-2E93513466BD}\stubpath = "C:\\Windows\\{08C6145F-8781-4097-A518-2E93513466BD}.exe"	{B50EFCFF-1780-49b8-9C51-5DBD57BC1EBF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEC57AE4-3E08-40fc-8B82-5A1009F8E686}\stubpath = "C:\\Windows\\{DEC57AE4-3E08-40fc-8B82-5A1009F8E686}.exe"	{08C6145F-8781-4097-A518-2E93513466BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0053B60C-3081-4c3c-AA33-8DEFDF7C545B}	{322946AF-22EC-42a6-81F1-A2ABD6779682}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B50EFCFF-1780-49b8-9C51-5DBD57BC1EBF}	{C096D270-33D4-41a3-99A8-A1C9CE6AC308}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08C6145F-8781-4097-A518-2E93513466BD}	{B50EFCFF-1780-49b8-9C51-5DBD57BC1EBF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF2D3196-5983-4ec0-8EDC-C959ECF6E39E}	{DEC57AE4-3E08-40fc-8B82-5A1009F8E686}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E01A54AC-D4EE-41d4-884D-7F4FFCD7FF6A}\stubpath = "C:\\Windows\\{E01A54AC-D4EE-41d4-884D-7F4FFCD7FF6A}.exe"	{FD715627-F48D-4faf-BA01-4ABE2F567E2B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C096D270-33D4-41a3-99A8-A1C9CE6AC308}	{1FEDF98D-007E-467f-9F23-49AE72999AEB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AE5B227-C834-4b8c-8904-0511879A0AB0}\stubpath = "C:\\Windows\\{7AE5B227-C834-4b8c-8904-0511879A0AB0}.exe"	df88abbac60ef61f369807651eab9330_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1FEDF98D-007E-467f-9F23-49AE72999AEB}	{7AE5B227-C834-4b8c-8904-0511879A0AB0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEC57AE4-3E08-40fc-8B82-5A1009F8E686}	{08C6145F-8781-4097-A518-2E93513466BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{322946AF-22EC-42a6-81F1-A2ABD6779682}	{FF2D3196-5983-4ec0-8EDC-C959ECF6E39E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E01A54AC-D4EE-41d4-884D-7F4FFCD7FF6A}	{FD715627-F48D-4faf-BA01-4ABE2F567E2B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AE5B227-C834-4b8c-8904-0511879A0AB0}	df88abbac60ef61f369807651eab9330_NeikiAnalytics.exe

Deletes itself 1 IoCs

pid	Process
2888	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1332	{7AE5B227-C834-4b8c-8904-0511879A0AB0}.exe
2712	{1FEDF98D-007E-467f-9F23-49AE72999AEB}.exe
2940	{C096D270-33D4-41a3-99A8-A1C9CE6AC308}.exe
1700	{B50EFCFF-1780-49b8-9C51-5DBD57BC1EBF}.exe
2796	{08C6145F-8781-4097-A518-2E93513466BD}.exe
2004	{DEC57AE4-3E08-40fc-8B82-5A1009F8E686}.exe
3044	{FF2D3196-5983-4ec0-8EDC-C959ECF6E39E}.exe
800	{322946AF-22EC-42a6-81F1-A2ABD6779682}.exe
1612	{0053B60C-3081-4c3c-AA33-8DEFDF7C545B}.exe
684	{FD715627-F48D-4faf-BA01-4ABE2F567E2B}.exe
3056	{E01A54AC-D4EE-41d4-884D-7F4FFCD7FF6A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{1FEDF98D-007E-467f-9F23-49AE72999AEB}.exe	{7AE5B227-C834-4b8c-8904-0511879A0AB0}.exe
File created	C:\Windows\{FF2D3196-5983-4ec0-8EDC-C959ECF6E39E}.exe	{DEC57AE4-3E08-40fc-8B82-5A1009F8E686}.exe
File created	C:\Windows\{322946AF-22EC-42a6-81F1-A2ABD6779682}.exe	{FF2D3196-5983-4ec0-8EDC-C959ECF6E39E}.exe
File created	C:\Windows\{FD715627-F48D-4faf-BA01-4ABE2F567E2B}.exe	{0053B60C-3081-4c3c-AA33-8DEFDF7C545B}.exe
File created	C:\Windows\{7AE5B227-C834-4b8c-8904-0511879A0AB0}.exe	df88abbac60ef61f369807651eab9330_NeikiAnalytics.exe
File created	C:\Windows\{C096D270-33D4-41a3-99A8-A1C9CE6AC308}.exe	{1FEDF98D-007E-467f-9F23-49AE72999AEB}.exe
File created	C:\Windows\{B50EFCFF-1780-49b8-9C51-5DBD57BC1EBF}.exe	{C096D270-33D4-41a3-99A8-A1C9CE6AC308}.exe
File created	C:\Windows\{08C6145F-8781-4097-A518-2E93513466BD}.exe	{B50EFCFF-1780-49b8-9C51-5DBD57BC1EBF}.exe
File created	C:\Windows\{DEC57AE4-3E08-40fc-8B82-5A1009F8E686}.exe	{08C6145F-8781-4097-A518-2E93513466BD}.exe
File created	C:\Windows\{0053B60C-3081-4c3c-AA33-8DEFDF7C545B}.exe	{322946AF-22EC-42a6-81F1-A2ABD6779682}.exe
File created	C:\Windows\{E01A54AC-D4EE-41d4-884D-7F4FFCD7FF6A}.exe	{FD715627-F48D-4faf-BA01-4ABE2F567E2B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2228	df88abbac60ef61f369807651eab9330_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	1332	{7AE5B227-C834-4b8c-8904-0511879A0AB0}.exe
Token: SeIncBasePriorityPrivilege	2712	{1FEDF98D-007E-467f-9F23-49AE72999AEB}.exe
Token: SeIncBasePriorityPrivilege	2940	{C096D270-33D4-41a3-99A8-A1C9CE6AC308}.exe
Token: SeIncBasePriorityPrivilege	1700	{B50EFCFF-1780-49b8-9C51-5DBD57BC1EBF}.exe
Token: SeIncBasePriorityPrivilege	2796	{08C6145F-8781-4097-A518-2E93513466BD}.exe
Token: SeIncBasePriorityPrivilege	2004	{DEC57AE4-3E08-40fc-8B82-5A1009F8E686}.exe
Token: SeIncBasePriorityPrivilege	3044	{FF2D3196-5983-4ec0-8EDC-C959ECF6E39E}.exe
Token: SeIncBasePriorityPrivilege	800	{322946AF-22EC-42a6-81F1-A2ABD6779682}.exe
Token: SeIncBasePriorityPrivilege	1612	{0053B60C-3081-4c3c-AA33-8DEFDF7C545B}.exe
Token: SeIncBasePriorityPrivilege	684	{FD715627-F48D-4faf-BA01-4ABE2F567E2B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 1332	2228	df88abbac60ef61f369807651eab9330_NeikiAnalytics.exe	28
PID 2228 wrote to memory of 1332	2228	df88abbac60ef61f369807651eab9330_NeikiAnalytics.exe	28
PID 2228 wrote to memory of 1332	2228	df88abbac60ef61f369807651eab9330_NeikiAnalytics.exe	28
PID 2228 wrote to memory of 1332	2228	df88abbac60ef61f369807651eab9330_NeikiAnalytics.exe	28
PID 2228 wrote to memory of 2888	2228	df88abbac60ef61f369807651eab9330_NeikiAnalytics.exe	29
PID 2228 wrote to memory of 2888	2228	df88abbac60ef61f369807651eab9330_NeikiAnalytics.exe	29
PID 2228 wrote to memory of 2888	2228	df88abbac60ef61f369807651eab9330_NeikiAnalytics.exe	29
PID 2228 wrote to memory of 2888	2228	df88abbac60ef61f369807651eab9330_NeikiAnalytics.exe	29
PID 1332 wrote to memory of 2712	1332	{7AE5B227-C834-4b8c-8904-0511879A0AB0}.exe	30
PID 1332 wrote to memory of 2712	1332	{7AE5B227-C834-4b8c-8904-0511879A0AB0}.exe	30
PID 1332 wrote to memory of 2712	1332	{7AE5B227-C834-4b8c-8904-0511879A0AB0}.exe	30
PID 1332 wrote to memory of 2712	1332	{7AE5B227-C834-4b8c-8904-0511879A0AB0}.exe	30
PID 1332 wrote to memory of 2988	1332	{7AE5B227-C834-4b8c-8904-0511879A0AB0}.exe	31
PID 1332 wrote to memory of 2988	1332	{7AE5B227-C834-4b8c-8904-0511879A0AB0}.exe	31
PID 1332 wrote to memory of 2988	1332	{7AE5B227-C834-4b8c-8904-0511879A0AB0}.exe	31
PID 1332 wrote to memory of 2988	1332	{7AE5B227-C834-4b8c-8904-0511879A0AB0}.exe	31
PID 2712 wrote to memory of 2940	2712	{1FEDF98D-007E-467f-9F23-49AE72999AEB}.exe	32
PID 2712 wrote to memory of 2940	2712	{1FEDF98D-007E-467f-9F23-49AE72999AEB}.exe	32
PID 2712 wrote to memory of 2940	2712	{1FEDF98D-007E-467f-9F23-49AE72999AEB}.exe	32
PID 2712 wrote to memory of 2940	2712	{1FEDF98D-007E-467f-9F23-49AE72999AEB}.exe	32
PID 2712 wrote to memory of 2856	2712	{1FEDF98D-007E-467f-9F23-49AE72999AEB}.exe	33
PID 2712 wrote to memory of 2856	2712	{1FEDF98D-007E-467f-9F23-49AE72999AEB}.exe	33
PID 2712 wrote to memory of 2856	2712	{1FEDF98D-007E-467f-9F23-49AE72999AEB}.exe	33
PID 2712 wrote to memory of 2856	2712	{1FEDF98D-007E-467f-9F23-49AE72999AEB}.exe	33
PID 2940 wrote to memory of 1700	2940	{C096D270-33D4-41a3-99A8-A1C9CE6AC308}.exe	36
PID 2940 wrote to memory of 1700	2940	{C096D270-33D4-41a3-99A8-A1C9CE6AC308}.exe	36
PID 2940 wrote to memory of 1700	2940	{C096D270-33D4-41a3-99A8-A1C9CE6AC308}.exe	36
PID 2940 wrote to memory of 1700	2940	{C096D270-33D4-41a3-99A8-A1C9CE6AC308}.exe	36
PID 2940 wrote to memory of 2656	2940	{C096D270-33D4-41a3-99A8-A1C9CE6AC308}.exe	37
PID 2940 wrote to memory of 2656	2940	{C096D270-33D4-41a3-99A8-A1C9CE6AC308}.exe	37
PID 2940 wrote to memory of 2656	2940	{C096D270-33D4-41a3-99A8-A1C9CE6AC308}.exe	37
PID 2940 wrote to memory of 2656	2940	{C096D270-33D4-41a3-99A8-A1C9CE6AC308}.exe	37
PID 1700 wrote to memory of 2796	1700	{B50EFCFF-1780-49b8-9C51-5DBD57BC1EBF}.exe	38
PID 1700 wrote to memory of 2796	1700	{B50EFCFF-1780-49b8-9C51-5DBD57BC1EBF}.exe	38
PID 1700 wrote to memory of 2796	1700	{B50EFCFF-1780-49b8-9C51-5DBD57BC1EBF}.exe	38
PID 1700 wrote to memory of 2796	1700	{B50EFCFF-1780-49b8-9C51-5DBD57BC1EBF}.exe	38
PID 1700 wrote to memory of 1060	1700	{B50EFCFF-1780-49b8-9C51-5DBD57BC1EBF}.exe	39
PID 1700 wrote to memory of 1060	1700	{B50EFCFF-1780-49b8-9C51-5DBD57BC1EBF}.exe	39
PID 1700 wrote to memory of 1060	1700	{B50EFCFF-1780-49b8-9C51-5DBD57BC1EBF}.exe	39
PID 1700 wrote to memory of 1060	1700	{B50EFCFF-1780-49b8-9C51-5DBD57BC1EBF}.exe	39
PID 2796 wrote to memory of 2004	2796	{08C6145F-8781-4097-A518-2E93513466BD}.exe	40
PID 2796 wrote to memory of 2004	2796	{08C6145F-8781-4097-A518-2E93513466BD}.exe	40
PID 2796 wrote to memory of 2004	2796	{08C6145F-8781-4097-A518-2E93513466BD}.exe	40
PID 2796 wrote to memory of 2004	2796	{08C6145F-8781-4097-A518-2E93513466BD}.exe	40
PID 2796 wrote to memory of 2440	2796	{08C6145F-8781-4097-A518-2E93513466BD}.exe	41
PID 2796 wrote to memory of 2440	2796	{08C6145F-8781-4097-A518-2E93513466BD}.exe	41
PID 2796 wrote to memory of 2440	2796	{08C6145F-8781-4097-A518-2E93513466BD}.exe	41
PID 2796 wrote to memory of 2440	2796	{08C6145F-8781-4097-A518-2E93513466BD}.exe	41
PID 2004 wrote to memory of 3044	2004	{DEC57AE4-3E08-40fc-8B82-5A1009F8E686}.exe	42
PID 2004 wrote to memory of 3044	2004	{DEC57AE4-3E08-40fc-8B82-5A1009F8E686}.exe	42
PID 2004 wrote to memory of 3044	2004	{DEC57AE4-3E08-40fc-8B82-5A1009F8E686}.exe	42
PID 2004 wrote to memory of 3044	2004	{DEC57AE4-3E08-40fc-8B82-5A1009F8E686}.exe	42
PID 2004 wrote to memory of 2660	2004	{DEC57AE4-3E08-40fc-8B82-5A1009F8E686}.exe	43
PID 2004 wrote to memory of 2660	2004	{DEC57AE4-3E08-40fc-8B82-5A1009F8E686}.exe	43
PID 2004 wrote to memory of 2660	2004	{DEC57AE4-3E08-40fc-8B82-5A1009F8E686}.exe	43
PID 2004 wrote to memory of 2660	2004	{DEC57AE4-3E08-40fc-8B82-5A1009F8E686}.exe	43
PID 3044 wrote to memory of 800	3044	{FF2D3196-5983-4ec0-8EDC-C959ECF6E39E}.exe	44
PID 3044 wrote to memory of 800	3044	{FF2D3196-5983-4ec0-8EDC-C959ECF6E39E}.exe	44
PID 3044 wrote to memory of 800	3044	{FF2D3196-5983-4ec0-8EDC-C959ECF6E39E}.exe	44
PID 3044 wrote to memory of 800	3044	{FF2D3196-5983-4ec0-8EDC-C959ECF6E39E}.exe	44
PID 3044 wrote to memory of 2268	3044	{FF2D3196-5983-4ec0-8EDC-C959ECF6E39E}.exe	45
PID 3044 wrote to memory of 2268	3044	{FF2D3196-5983-4ec0-8EDC-C959ECF6E39E}.exe	45
PID 3044 wrote to memory of 2268	3044	{FF2D3196-5983-4ec0-8EDC-C959ECF6E39E}.exe	45
PID 3044 wrote to memory of 2268	3044	{FF2D3196-5983-4ec0-8EDC-C959ECF6E39E}.exe	45

C:\Users\Admin\AppData\Local\Temp\df88abbac60ef61f369807651eab9330_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\df88abbac60ef61f369807651eab9330_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\{7AE5B227-C834-4b8c-8904-0511879A0AB0}.exe
  C:\Windows\{7AE5B227-C834-4b8c-8904-0511879A0AB0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\{1FEDF98D-007E-467f-9F23-49AE72999AEB}.exe
    C:\Windows\{1FEDF98D-007E-467f-9F23-49AE72999AEB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\{C096D270-33D4-41a3-99A8-A1C9CE6AC308}.exe
      C:\Windows\{C096D270-33D4-41a3-99A8-A1C9CE6AC308}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2940
    - - C:\Windows\{B50EFCFF-1780-49b8-9C51-5DBD57BC1EBF}.exe
        
        C:\Windows\{B50EFCFF-1780-49b8-9C51-5DBD57BC1EBF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1700
      - C:\Windows\{08C6145F-8781-4097-A518-2E93513466BD}.exe
        
        C:\Windows\{08C6145F-8781-4097-A518-2E93513466BD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\{DEC57AE4-3E08-40fc-8B82-5A1009F8E686}.exe
        
        C:\Windows\{DEC57AE4-3E08-40fc-8B82-5A1009F8E686}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\{FF2D3196-5983-4ec0-8EDC-C959ECF6E39E}.exe
        
        C:\Windows\{FF2D3196-5983-4ec0-8EDC-C959ECF6E39E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\{322946AF-22EC-42a6-81F1-A2ABD6779682}.exe
        
        C:\Windows\{322946AF-22EC-42a6-81F1-A2ABD6779682}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:800
        
        C:\Windows\{0053B60C-3081-4c3c-AA33-8DEFDF7C545B}.exe
        
        C:\Windows\{0053B60C-3081-4c3c-AA33-8DEFDF7C545B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Windows\{FD715627-F48D-4faf-BA01-4ABE2F567E2B}.exe
        
        C:\Windows\{FD715627-F48D-4faf-BA01-4ABE2F567E2B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:684
        
        C:\Windows\{E01A54AC-D4EE-41d4-884D-7F4FFCD7FF6A}.exe
        
        C:\Windows\{E01A54AC-D4EE-41d4-884D-7F4FFCD7FF6A}.exe
        12⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD715~1.EXE > nul
        12⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0053B~1.EXE > nul
        11⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32294~1.EXE > nul
        10⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF2D3~1.EXE > nul
        9⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEC57~1.EXE > nul
        8⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08C61~1.EXE > nul
        7⤵
        
        PID:2440
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B50EF~1.EXE > nul
        6⤵
        
        PID:1060
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C096D~1.EXE > nul
        5⤵
        
        PID:2656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1FEDF~1.EXE > nul
      4⤵
      PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7AE5B~1.EXE > nul
    3⤵
    PID:2988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\DF88AB~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0053B60C-3081-4c3c-AA33-8DEFDF7C545B}.exe

Filesize
64KB

MD5
2bef88be721d272fb03edeca407c3e32

SHA1
a89885a3b30fb2e37f93ac7f0955d8908b8c1c9c

SHA256
0e4df52cf0b055236f6f228dc2cc23840f7e855809752969d253d2f2e2919dad

SHA512
1aebd2809d5081e65b4219ae03f66261db3a9d9b56c88aef98d8d7ce6d7993b563831406365166d42a42100c34b1af8d12c14998d01e2dad01fe87688e1261c0

Download Submit
C:\Windows\{08C6145F-8781-4097-A518-2E93513466BD}.exe

Filesize
64KB

MD5
3094ad4be03e83ac7313c10d27b27054

SHA1
71894ea16745cda09a94cb54e5994aebbeed4825

SHA256
97716de01083682062f9131079c6555ee5cea93d9a4cfbe97e548355946c8761

SHA512
153feb9c5843a2835cfe60265ce8757a8dbb1aae85a7080e37100bcb039b759310cb31fad810ef86841f995b9f237cee72178ee80e3829a1d6384d32eb105584

Download Submit
C:\Windows\{1FEDF98D-007E-467f-9F23-49AE72999AEB}.exe

Filesize
64KB

MD5
7b86551385078d431662b29282575153

SHA1
4cf4946d54f1c9049be16174880fdd2ef7fc5551

SHA256
52b64ac45b79e4c69996a77ea086503a4fb2aa03c55c4ea185f0457c1e04d2e3

SHA512
62498df79cf11c65bf37b877beb20c95f062d913e7a7085d999ef139ee2eee05f0833c81b2d3f66114e422c1d92751f0789062bcab5e89f34f5f45114f7e2ac7

Download Submit
C:\Windows\{322946AF-22EC-42a6-81F1-A2ABD6779682}.exe

Filesize
64KB

MD5
57952b5a70a6ebc6c732b6d9a1bee48a

SHA1
4c77c980fa674945436eb9edb19ec3be985b8719

SHA256
d076c56e5f85f9245dbe293e34e30100fd4972d0833bb1ba59a9a0e61011c2e4

SHA512
df507af51ce315bead1409197cdd6854078294930a7cd8ed88ce1572f8d191bca1bb149937bcf8bd894500b054ba0296d8d32b26e5bc47ce896777d3cfa1c6ef

Download Submit
C:\Windows\{7AE5B227-C834-4b8c-8904-0511879A0AB0}.exe

Filesize
64KB

MD5
fd6a2fdf949d9c28da946fa83650a3db

SHA1
dd5fa549e7a8e81aee862163ca37b7532fe29fa1

SHA256
f8ad22c77ff2146051bd32e297d2882dfd901be248ed778b9350c6a6dd2015a6

SHA512
fcefcb31dc8081f16aa407c7e55a610f639e7a2a50de8fa467187e7ce830212d83820ae2482a23c9befdf03ecb5cc28144f40b5d57776a8e8e2d0d9953c89ca6

Download Submit
C:\Windows\{B50EFCFF-1780-49b8-9C51-5DBD57BC1EBF}.exe

Filesize
64KB

MD5
f82eda4aead303249e34497e6c4c7e90

SHA1
e6076b4dbb1f2d6c6e05d94cdf89a0ced5ff4ce2

SHA256
cb62ba1bb8cd246a3b77ad8dd23e0041d9316aab5e24929a1658b7777c11c163

SHA512
66adae26cbffeca1f4619983af49e1231b1691b2f2620650f18d42c6f062fdcaa9fad36a6296115625c2bc48394fb0ec3792ae69215c2c5ab4d075904020f573

Download Submit
C:\Windows\{C096D270-33D4-41a3-99A8-A1C9CE6AC308}.exe

Filesize
64KB

MD5
7a5d04de37630077d426a76f1c35d43b

SHA1
54e85879efce658a41c80ef1963264461930d0b3

SHA256
c8ac6e45f8a45f5be4d29a7f10e486edbff12a8e07ad9984edab7f7ebc85e27f

SHA512
4ecbd8702492161c08baacc657815c01ca3383b15a44006b45ad00b9cd47f9b00834b2ecb097c3fd38fda62c5adcd31c536c34cd1322b59116c7f862bb55dd0a

Download Submit
C:\Windows\{DEC57AE4-3E08-40fc-8B82-5A1009F8E686}.exe

Filesize
64KB

MD5
b7656a55a8a13e726626407aed177cf6

SHA1
bdd0300b01c1d22a94ed197f003a53c664d3d542

SHA256
412704d742590c31b88a26475e31d13c85be651774b112f00230bd17b27432bf

SHA512
6b8dc0e959939ed6bdfa4c821d6138fc347a0b4076f63f793c9c71a0e9c9559c45fb1e8db193778549efe15e131bcf06a3059e7ba231ba4c113e688448a76793

Download Submit
C:\Windows\{E01A54AC-D4EE-41d4-884D-7F4FFCD7FF6A}.exe

Filesize
64KB

MD5
fe116b5b5642c9ae1ebdd608f229582a

SHA1
fd7365bae87629a6409f8defdb4eda07129b04f5

SHA256
7006fae579a8f3c2ba8e1db82632143e7af898a30b2b0d24add73b3b553e262b

SHA512
e5aa17e96506b952de35b25f03a72ffcda5c527cd4f2ccb6e68eb68e3751cfe1c6791c81c4759547ef4ee92ca3fc541bb785fd444366536cf312d8f45270426d

Download Submit
C:\Windows\{FD715627-F48D-4faf-BA01-4ABE2F567E2B}.exe

Filesize
64KB

MD5
e69ad59d6ad6c2cebfa4867803418e1a

SHA1
388a993b921b399027ab107345e7197760ef114d

SHA256
b17e577193c520038ccd26b880aee10c23ce38cde8e9e844da5dc44576012c7d

SHA512
ce14e22aa641455ec37bf73c80794cf1f4397947be5d1858c4eb6f639df00452584afb5efcd4c207fe017df92fff522ff276513e6bb8a1ebdd7d4ef6f8601b7b

Download Submit
C:\Windows\{FF2D3196-5983-4ec0-8EDC-C959ECF6E39E}.exe

Filesize
64KB

MD5
e828b231348fb4075f74ea4fe6da4b27

SHA1
f8c2ce4373b116a138cbec8b2ab3d56927798e46

SHA256
2c4265251524c50417e0ddfa20d7783ea15571d2c02c42850e105be76c2ba0f6

SHA512
046776d1bbdfa0dd82c7c4656a8fabbb6dfd16592e644ac1d8afea424603d1510bc054039621e8a4d18f570d2360cc675c7ad1a18220576923de7c223d8e3ae8

Download Submit
memory/684-96-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/800-78-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1332-18-0x0000000000330000-0x0000000000340000-memory.dmp

Filesize
64KB

Download
memory/1332-17-0x0000000000330000-0x0000000000340000-memory.dmp

Filesize
64KB

Download
memory/1332-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1332-20-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1612-80-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1612-88-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1700-46-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1700-38-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2004-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2228-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2228-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2228-7-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/2228-8-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/2712-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2796-47-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2796-55-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2940-37-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2940-29-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3044-71-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3056-97-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads