c431c13f0072599ca587d233b16893f11532f2f680693237e27c25a7a70f1ae5

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/06/2024, 07:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3f7b260efdb5e75af6028788bfc09ca0_NeikiAnalytics.exe
Size

64KB
MD5

3f7b260efdb5e75af6028788bfc09ca0
SHA1

0d2d92e2cc493c445b9afdb234f5edc1df0e42c7
SHA256

c431c13f0072599ca587d233b16893f11532f2f680693237e27c25a7a70f1ae5
SHA512

8b629881720efb30dfde680741d2fd9624e8aa49249de23f05e9aeebbc524016a5b6cb0f02c1ce99310f85d43d4423565762d658973e63beceafcd56d691f6f1
SSDEEP

384:ObIwOs8AHsc4sMDwhKQLrok4/CFsrdHWMZp:OEw9816vhKQLrok4/wQpWMZp

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B52351C6-1C55-47b1-A855-E41137079646}\stubpath = "C:\\Windows\\{B52351C6-1C55-47b1-A855-E41137079646}.exe"	3f7b260efdb5e75af6028788bfc09ca0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D432A2E-EF4A-439f-9925-110FC410E06B}\stubpath = "C:\\Windows\\{6D432A2E-EF4A-439f-9925-110FC410E06B}.exe"	{B6778254-DBEA-4393-9C13-143E4F501E31}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAAA46B6-9451-468a-9041-237BA26D5402}\stubpath = "C:\\Windows\\{AAAA46B6-9451-468a-9041-237BA26D5402}.exe"	{04A83AC9-D69A-44a7-B578-9A256A74461D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B52351C6-1C55-47b1-A855-E41137079646}	3f7b260efdb5e75af6028788bfc09ca0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D432A2E-EF4A-439f-9925-110FC410E06B}	{B6778254-DBEA-4393-9C13-143E4F501E31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45850D44-B591-42ee-86D0-0FE197715506}	{C31994D2-0B6E-4655-A8C7-8D3EE01F1904}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0E08EFB-1E98-468f-AC6C-6E7A9F1BDDB9}\stubpath = "C:\\Windows\\{B0E08EFB-1E98-468f-AC6C-6E7A9F1BDDB9}.exe"	{45850D44-B591-42ee-86D0-0FE197715506}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6778254-DBEA-4393-9C13-143E4F501E31}	{B52351C6-1C55-47b1-A855-E41137079646}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B6778254-DBEA-4393-9C13-143E4F501E31}\stubpath = "C:\\Windows\\{B6778254-DBEA-4393-9C13-143E4F501E31}.exe"	{B52351C6-1C55-47b1-A855-E41137079646}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C581657-AAF7-45c2-82A1-646500F34180}	{D13AC03B-C95F-4e98-A3F7-1BFC9272BB9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EE34FFC-3D0B-4abc-8BCC-149D695422AB}\stubpath = "C:\\Windows\\{8EE34FFC-3D0B-4abc-8BCC-149D695422AB}.exe"	{1C581657-AAF7-45c2-82A1-646500F34180}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04A83AC9-D69A-44a7-B578-9A256A74461D}\stubpath = "C:\\Windows\\{04A83AC9-D69A-44a7-B578-9A256A74461D}.exe"	{8EE34FFC-3D0B-4abc-8BCC-149D695422AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C31994D2-0B6E-4655-A8C7-8D3EE01F1904}\stubpath = "C:\\Windows\\{C31994D2-0B6E-4655-A8C7-8D3EE01F1904}.exe"	{AAAA46B6-9451-468a-9041-237BA26D5402}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45850D44-B591-42ee-86D0-0FE197715506}\stubpath = "C:\\Windows\\{45850D44-B591-42ee-86D0-0FE197715506}.exe"	{C31994D2-0B6E-4655-A8C7-8D3EE01F1904}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0E08EFB-1E98-468f-AC6C-6E7A9F1BDDB9}	{45850D44-B591-42ee-86D0-0FE197715506}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D13AC03B-C95F-4e98-A3F7-1BFC9272BB9D}	{6D432A2E-EF4A-439f-9925-110FC410E06B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D13AC03B-C95F-4e98-A3F7-1BFC9272BB9D}\stubpath = "C:\\Windows\\{D13AC03B-C95F-4e98-A3F7-1BFC9272BB9D}.exe"	{6D432A2E-EF4A-439f-9925-110FC410E06B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C581657-AAF7-45c2-82A1-646500F34180}\stubpath = "C:\\Windows\\{1C581657-AAF7-45c2-82A1-646500F34180}.exe"	{D13AC03B-C95F-4e98-A3F7-1BFC9272BB9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EE34FFC-3D0B-4abc-8BCC-149D695422AB}	{1C581657-AAF7-45c2-82A1-646500F34180}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04A83AC9-D69A-44a7-B578-9A256A74461D}	{8EE34FFC-3D0B-4abc-8BCC-149D695422AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAAA46B6-9451-468a-9041-237BA26D5402}	{04A83AC9-D69A-44a7-B578-9A256A74461D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C31994D2-0B6E-4655-A8C7-8D3EE01F1904}	{AAAA46B6-9451-468a-9041-237BA26D5402}.exe

Deletes itself 1 IoCs

pid	Process
2468	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2456	{B52351C6-1C55-47b1-A855-E41137079646}.exe
2404	{B6778254-DBEA-4393-9C13-143E4F501E31}.exe
2912	{6D432A2E-EF4A-439f-9925-110FC410E06B}.exe
968	{D13AC03B-C95F-4e98-A3F7-1BFC9272BB9D}.exe
2600	{1C581657-AAF7-45c2-82A1-646500F34180}.exe
1840	{8EE34FFC-3D0B-4abc-8BCC-149D695422AB}.exe
1088	{04A83AC9-D69A-44a7-B578-9A256A74461D}.exe
952	{AAAA46B6-9451-468a-9041-237BA26D5402}.exe
1708	{C31994D2-0B6E-4655-A8C7-8D3EE01F1904}.exe
528	{45850D44-B591-42ee-86D0-0FE197715506}.exe
1112	{B0E08EFB-1E98-468f-AC6C-6E7A9F1BDDB9}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D13AC03B-C95F-4e98-A3F7-1BFC9272BB9D}.exe	{6D432A2E-EF4A-439f-9925-110FC410E06B}.exe
File created	C:\Windows\{04A83AC9-D69A-44a7-B578-9A256A74461D}.exe	{8EE34FFC-3D0B-4abc-8BCC-149D695422AB}.exe
File created	C:\Windows\{45850D44-B591-42ee-86D0-0FE197715506}.exe	{C31994D2-0B6E-4655-A8C7-8D3EE01F1904}.exe
File created	C:\Windows\{1C581657-AAF7-45c2-82A1-646500F34180}.exe	{D13AC03B-C95F-4e98-A3F7-1BFC9272BB9D}.exe
File created	C:\Windows\{8EE34FFC-3D0B-4abc-8BCC-149D695422AB}.exe	{1C581657-AAF7-45c2-82A1-646500F34180}.exe
File created	C:\Windows\{AAAA46B6-9451-468a-9041-237BA26D5402}.exe	{04A83AC9-D69A-44a7-B578-9A256A74461D}.exe
File created	C:\Windows\{C31994D2-0B6E-4655-A8C7-8D3EE01F1904}.exe	{AAAA46B6-9451-468a-9041-237BA26D5402}.exe
File created	C:\Windows\{B0E08EFB-1E98-468f-AC6C-6E7A9F1BDDB9}.exe	{45850D44-B591-42ee-86D0-0FE197715506}.exe
File created	C:\Windows\{B52351C6-1C55-47b1-A855-E41137079646}.exe	3f7b260efdb5e75af6028788bfc09ca0_NeikiAnalytics.exe
File created	C:\Windows\{B6778254-DBEA-4393-9C13-143E4F501E31}.exe	{B52351C6-1C55-47b1-A855-E41137079646}.exe
File created	C:\Windows\{6D432A2E-EF4A-439f-9925-110FC410E06B}.exe	{B6778254-DBEA-4393-9C13-143E4F501E31}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2892	3f7b260efdb5e75af6028788bfc09ca0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2456	{B52351C6-1C55-47b1-A855-E41137079646}.exe
Token: SeIncBasePriorityPrivilege	2404	{B6778254-DBEA-4393-9C13-143E4F501E31}.exe
Token: SeIncBasePriorityPrivilege	2912	{6D432A2E-EF4A-439f-9925-110FC410E06B}.exe
Token: SeIncBasePriorityPrivilege	968	{D13AC03B-C95F-4e98-A3F7-1BFC9272BB9D}.exe
Token: SeIncBasePriorityPrivilege	2600	{1C581657-AAF7-45c2-82A1-646500F34180}.exe
Token: SeIncBasePriorityPrivilege	1840	{8EE34FFC-3D0B-4abc-8BCC-149D695422AB}.exe
Token: SeIncBasePriorityPrivilege	1088	{04A83AC9-D69A-44a7-B578-9A256A74461D}.exe
Token: SeIncBasePriorityPrivilege	952	{AAAA46B6-9451-468a-9041-237BA26D5402}.exe
Token: SeIncBasePriorityPrivilege	1708	{C31994D2-0B6E-4655-A8C7-8D3EE01F1904}.exe
Token: SeIncBasePriorityPrivilege	528	{45850D44-B591-42ee-86D0-0FE197715506}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2456	2892	3f7b260efdb5e75af6028788bfc09ca0_NeikiAnalytics.exe	28
PID 2892 wrote to memory of 2456	2892	3f7b260efdb5e75af6028788bfc09ca0_NeikiAnalytics.exe	28
PID 2892 wrote to memory of 2456	2892	3f7b260efdb5e75af6028788bfc09ca0_NeikiAnalytics.exe	28
PID 2892 wrote to memory of 2456	2892	3f7b260efdb5e75af6028788bfc09ca0_NeikiAnalytics.exe	28
PID 2892 wrote to memory of 2468	2892	3f7b260efdb5e75af6028788bfc09ca0_NeikiAnalytics.exe	29
PID 2892 wrote to memory of 2468	2892	3f7b260efdb5e75af6028788bfc09ca0_NeikiAnalytics.exe	29
PID 2892 wrote to memory of 2468	2892	3f7b260efdb5e75af6028788bfc09ca0_NeikiAnalytics.exe	29
PID 2892 wrote to memory of 2468	2892	3f7b260efdb5e75af6028788bfc09ca0_NeikiAnalytics.exe	29
PID 2456 wrote to memory of 2404	2456	{B52351C6-1C55-47b1-A855-E41137079646}.exe	32
PID 2456 wrote to memory of 2404	2456	{B52351C6-1C55-47b1-A855-E41137079646}.exe	32
PID 2456 wrote to memory of 2404	2456	{B52351C6-1C55-47b1-A855-E41137079646}.exe	32
PID 2456 wrote to memory of 2404	2456	{B52351C6-1C55-47b1-A855-E41137079646}.exe	32
PID 2456 wrote to memory of 2532	2456	{B52351C6-1C55-47b1-A855-E41137079646}.exe	33
PID 2456 wrote to memory of 2532	2456	{B52351C6-1C55-47b1-A855-E41137079646}.exe	33
PID 2456 wrote to memory of 2532	2456	{B52351C6-1C55-47b1-A855-E41137079646}.exe	33
PID 2456 wrote to memory of 2532	2456	{B52351C6-1C55-47b1-A855-E41137079646}.exe	33
PID 2404 wrote to memory of 2912	2404	{B6778254-DBEA-4393-9C13-143E4F501E31}.exe	34
PID 2404 wrote to memory of 2912	2404	{B6778254-DBEA-4393-9C13-143E4F501E31}.exe	34
PID 2404 wrote to memory of 2912	2404	{B6778254-DBEA-4393-9C13-143E4F501E31}.exe	34
PID 2404 wrote to memory of 2912	2404	{B6778254-DBEA-4393-9C13-143E4F501E31}.exe	34
PID 2404 wrote to memory of 2880	2404	{B6778254-DBEA-4393-9C13-143E4F501E31}.exe	35
PID 2404 wrote to memory of 2880	2404	{B6778254-DBEA-4393-9C13-143E4F501E31}.exe	35
PID 2404 wrote to memory of 2880	2404	{B6778254-DBEA-4393-9C13-143E4F501E31}.exe	35
PID 2404 wrote to memory of 2880	2404	{B6778254-DBEA-4393-9C13-143E4F501E31}.exe	35
PID 2912 wrote to memory of 968	2912	{6D432A2E-EF4A-439f-9925-110FC410E06B}.exe	36
PID 2912 wrote to memory of 968	2912	{6D432A2E-EF4A-439f-9925-110FC410E06B}.exe	36
PID 2912 wrote to memory of 968	2912	{6D432A2E-EF4A-439f-9925-110FC410E06B}.exe	36
PID 2912 wrote to memory of 968	2912	{6D432A2E-EF4A-439f-9925-110FC410E06B}.exe	36
PID 2912 wrote to memory of 2344	2912	{6D432A2E-EF4A-439f-9925-110FC410E06B}.exe	37
PID 2912 wrote to memory of 2344	2912	{6D432A2E-EF4A-439f-9925-110FC410E06B}.exe	37
PID 2912 wrote to memory of 2344	2912	{6D432A2E-EF4A-439f-9925-110FC410E06B}.exe	37
PID 2912 wrote to memory of 2344	2912	{6D432A2E-EF4A-439f-9925-110FC410E06B}.exe	37
PID 968 wrote to memory of 2600	968	{D13AC03B-C95F-4e98-A3F7-1BFC9272BB9D}.exe	38
PID 968 wrote to memory of 2600	968	{D13AC03B-C95F-4e98-A3F7-1BFC9272BB9D}.exe	38
PID 968 wrote to memory of 2600	968	{D13AC03B-C95F-4e98-A3F7-1BFC9272BB9D}.exe	38
PID 968 wrote to memory of 2600	968	{D13AC03B-C95F-4e98-A3F7-1BFC9272BB9D}.exe	38
PID 968 wrote to memory of 2540	968	{D13AC03B-C95F-4e98-A3F7-1BFC9272BB9D}.exe	39
PID 968 wrote to memory of 2540	968	{D13AC03B-C95F-4e98-A3F7-1BFC9272BB9D}.exe	39
PID 968 wrote to memory of 2540	968	{D13AC03B-C95F-4e98-A3F7-1BFC9272BB9D}.exe	39
PID 968 wrote to memory of 2540	968	{D13AC03B-C95F-4e98-A3F7-1BFC9272BB9D}.exe	39
PID 2600 wrote to memory of 1840	2600	{1C581657-AAF7-45c2-82A1-646500F34180}.exe	40
PID 2600 wrote to memory of 1840	2600	{1C581657-AAF7-45c2-82A1-646500F34180}.exe	40
PID 2600 wrote to memory of 1840	2600	{1C581657-AAF7-45c2-82A1-646500F34180}.exe	40
PID 2600 wrote to memory of 1840	2600	{1C581657-AAF7-45c2-82A1-646500F34180}.exe	40
PID 2600 wrote to memory of 1948	2600	{1C581657-AAF7-45c2-82A1-646500F34180}.exe	41
PID 2600 wrote to memory of 1948	2600	{1C581657-AAF7-45c2-82A1-646500F34180}.exe	41
PID 2600 wrote to memory of 1948	2600	{1C581657-AAF7-45c2-82A1-646500F34180}.exe	41
PID 2600 wrote to memory of 1948	2600	{1C581657-AAF7-45c2-82A1-646500F34180}.exe	41
PID 1840 wrote to memory of 1088	1840	{8EE34FFC-3D0B-4abc-8BCC-149D695422AB}.exe	42
PID 1840 wrote to memory of 1088	1840	{8EE34FFC-3D0B-4abc-8BCC-149D695422AB}.exe	42
PID 1840 wrote to memory of 1088	1840	{8EE34FFC-3D0B-4abc-8BCC-149D695422AB}.exe	42
PID 1840 wrote to memory of 1088	1840	{8EE34FFC-3D0B-4abc-8BCC-149D695422AB}.exe	42
PID 1840 wrote to memory of 1972	1840	{8EE34FFC-3D0B-4abc-8BCC-149D695422AB}.exe	43
PID 1840 wrote to memory of 1972	1840	{8EE34FFC-3D0B-4abc-8BCC-149D695422AB}.exe	43
PID 1840 wrote to memory of 1972	1840	{8EE34FFC-3D0B-4abc-8BCC-149D695422AB}.exe	43
PID 1840 wrote to memory of 1972	1840	{8EE34FFC-3D0B-4abc-8BCC-149D695422AB}.exe	43
PID 1088 wrote to memory of 952	1088	{04A83AC9-D69A-44a7-B578-9A256A74461D}.exe	44
PID 1088 wrote to memory of 952	1088	{04A83AC9-D69A-44a7-B578-9A256A74461D}.exe	44
PID 1088 wrote to memory of 952	1088	{04A83AC9-D69A-44a7-B578-9A256A74461D}.exe	44
PID 1088 wrote to memory of 952	1088	{04A83AC9-D69A-44a7-B578-9A256A74461D}.exe	44
PID 1088 wrote to memory of 1768	1088	{04A83AC9-D69A-44a7-B578-9A256A74461D}.exe	45
PID 1088 wrote to memory of 1768	1088	{04A83AC9-D69A-44a7-B578-9A256A74461D}.exe	45
PID 1088 wrote to memory of 1768	1088	{04A83AC9-D69A-44a7-B578-9A256A74461D}.exe	45
PID 1088 wrote to memory of 1768	1088	{04A83AC9-D69A-44a7-B578-9A256A74461D}.exe	45

C:\Users\Admin\AppData\Local\Temp\3f7b260efdb5e75af6028788bfc09ca0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3f7b260efdb5e75af6028788bfc09ca0_NeikiAnalytics.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\{B52351C6-1C55-47b1-A855-E41137079646}.exe
  C:\Windows\{B52351C6-1C55-47b1-A855-E41137079646}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\{B6778254-DBEA-4393-9C13-143E4F501E31}.exe
    C:\Windows\{B6778254-DBEA-4393-9C13-143E4F501E31}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Windows\{6D432A2E-EF4A-439f-9925-110FC410E06B}.exe
      C:\Windows\{6D432A2E-EF4A-439f-9925-110FC410E06B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Windows\{D13AC03B-C95F-4e98-A3F7-1BFC9272BB9D}.exe
        
        C:\Windows\{D13AC03B-C95F-4e98-A3F7-1BFC9272BB9D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:968
      - C:\Windows\{1C581657-AAF7-45c2-82A1-646500F34180}.exe
        
        C:\Windows\{1C581657-AAF7-45c2-82A1-646500F34180}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\{8EE34FFC-3D0B-4abc-8BCC-149D695422AB}.exe
        
        C:\Windows\{8EE34FFC-3D0B-4abc-8BCC-149D695422AB}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\{04A83AC9-D69A-44a7-B578-9A256A74461D}.exe
        
        C:\Windows\{04A83AC9-D69A-44a7-B578-9A256A74461D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\{AAAA46B6-9451-468a-9041-237BA26D5402}.exe
        
        C:\Windows\{AAAA46B6-9451-468a-9041-237BA26D5402}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
        
        C:\Windows\{C31994D2-0B6E-4655-A8C7-8D3EE01F1904}.exe
        
        C:\Windows\{C31994D2-0B6E-4655-A8C7-8D3EE01F1904}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Windows\{45850D44-B591-42ee-86D0-0FE197715506}.exe
        
        C:\Windows\{45850D44-B591-42ee-86D0-0FE197715506}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:528
        
        C:\Windows\{B0E08EFB-1E98-468f-AC6C-6E7A9F1BDDB9}.exe
        
        C:\Windows\{B0E08EFB-1E98-468f-AC6C-6E7A9F1BDDB9}.exe
        12⤵
        Executes dropped EXE
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45850~1.EXE > nul
        12⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3199~1.EXE > nul
        11⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AAAA4~1.EXE > nul
        10⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04A83~1.EXE > nul
        9⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8EE34~1.EXE > nul
        8⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C581~1.EXE > nul
        7⤵
        
        PID:1948
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D13AC~1.EXE > nul
        6⤵
        
        PID:2540
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D432~1.EXE > nul
        5⤵
        
        PID:2344
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B6778~1.EXE > nul
      4⤵
      PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B5235~1.EXE > nul
    3⤵
    PID:2532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3F7B26~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04A83AC9-D69A-44a7-B578-9A256A74461D}.exe

Filesize
64KB

MD5
b39c253a98fcfa275bf9214176dbcfd9

SHA1
e5eaf91d709dd6d11be24851a3ed268ecac43bc6

SHA256
d00f4fe28ad798deec24f07685bfbe8e4abf9bc616a02e8d0c9864c0887c8f9c

SHA512
c4bcbb53439fc353e62d54642ddf682d3a7afe3c581be1fecb20bb00e488f682f1d5a24042a5bbc1d16eb66460ee2bfc1feb004c66fab6ccde853cd4732ec36a

Download Submit
C:\Windows\{1C581657-AAF7-45c2-82A1-646500F34180}.exe

Filesize
64KB

MD5
ffe20069efe08ff468116e5b097b77f7

SHA1
749b5e7be7d4ce210351c73899c822c34819210c

SHA256
2143e18e02cc46655bddd7dde5898d01278695ab9c7fec44cfb35ab8ada919f2

SHA512
df36bafda07de350983e2ebe69cbfb155ca2ea05bca06c77b7d5708eefd82aa89f882dedad9a5cbbe875459ffa6bad7e087269c13132987f29ad89c036217e1c

Download Submit
C:\Windows\{45850D44-B591-42ee-86D0-0FE197715506}.exe

Filesize
64KB

MD5
3a70673b9b9feea5b81d355c47c9ce6c

SHA1
86e2b7da48654f2c6a52566f274d6a568975c0f2

SHA256
8fc26987c508e6ffa600032bdb3c8a82b8915fee8c99f6eeb2ea316b010b4f3b

SHA512
fa9157bd7317b0fea1b43aa40c12f3a64a0db7a69e24d99d5ecd42f5647af8aecdec6b106e3ae7b23b4d30f8e56b219c5e4051a27c19325a29acbe58e96def8e

Download Submit
C:\Windows\{6D432A2E-EF4A-439f-9925-110FC410E06B}.exe

Filesize
64KB

MD5
a8c3349675e09fba1ed2dc2a29ba8687

SHA1
c3638854a3e17758a0546bb66549184d285629cf

SHA256
ef5920f30df8e7b7de6d3a993b9f85b4d3cfc2b8d7c6b1eabe105b20602832a1

SHA512
7a3c826af52baf1cdd4e54dba46139528ab13197b794bd683b64ccef8fc9655f7ccfd0026fd47676840478b37b22946d0594efd805183ac4f36c02f5b7ef99b4

Download Submit
C:\Windows\{8EE34FFC-3D0B-4abc-8BCC-149D695422AB}.exe

Filesize
64KB

MD5
5c359b09ae504180fce0d8646de0c3c6

SHA1
6cbb84d589720fdb6aef78cbeb35b2ec3de2eb67

SHA256
8b26a7580177907a356830f57b8e632fe530d9481dbaab6fba282276742fceb8

SHA512
62cf1726d3419297dc204d8b1af69b973e660bf5415cf122b9e233c7662a455e8ae6aeb33f2f24b32bd4129a7a19475e323621f6b8f0cc89eaaab083f2454825

Download Submit
C:\Windows\{AAAA46B6-9451-468a-9041-237BA26D5402}.exe

Filesize
64KB

MD5
26cac0d5d3f9d6b893e701937db3fa09

SHA1
bbf83ccf7fbdf67eba289163dc7b6f131c378602

SHA256
f1031fa5eb98be21b200e47d370513f43fa9afaa3839463514596f2a6ebf41eb

SHA512
6c4b4d0810a56a150e08213ef46f8a3c864f1ef46e4ff14d536379a03028035c61c7414b328d50392bfd2bae515115878e2cf57f5928362c71fc44ed3c47aad4

Download Submit
C:\Windows\{B0E08EFB-1E98-468f-AC6C-6E7A9F1BDDB9}.exe

Filesize
64KB

MD5
71be4d88b9bd61dd8bea9bd6b5c84490

SHA1
6150d663a239e427b84b9c819859dbcc8a677f01

SHA256
680d4461b12707e29e608ce15ab0bf0ee21901e7172779f0a455e80906500886

SHA512
1506e24657829b9020b28b064efe0ab466897c1a4feb80b27aaa64fa335b9227f578d55bcf13fb78bcab14a3497873ebd9713b1a65060345df25c431cc272291

Download Submit
C:\Windows\{B52351C6-1C55-47b1-A855-E41137079646}.exe

Filesize
64KB

MD5
69c63dbbc93093c7c40b4bd8b403e5c2

SHA1
f6455c1bbb6fb7db15032bf813b713cea19bf4f1

SHA256
f1b8f936ec6aee02df624d0f003041ed1e18b8d40ff17fb218d61a4dfb5956ed

SHA512
6298731bb9d250747fc0993baa16bef267862b6e499e205c0cd75ad589b77a70d4a3caa24b1e695778c0a9544ff995aba346cbe76b49eb77479425cef543829c

Download Submit
C:\Windows\{B6778254-DBEA-4393-9C13-143E4F501E31}.exe

Filesize
64KB

MD5
80d5975dd5db2301365871002920e01d

SHA1
2bdaccda2d350f277d3edd208f71a475186fafd4

SHA256
83cf7a3744dd5cacd7dec4ed820701e25e3f925c7b55211d38c1d6cfa15865c4

SHA512
5efa6c4f78b0f055bb2e06dceba21ea785128ef31a1e1cf2778571cc4e698b6f81c6ae2af31ec10c285e90de4e76e5b70b31c4502387d071eccb10b44c1a80a2

Download Submit
C:\Windows\{C31994D2-0B6E-4655-A8C7-8D3EE01F1904}.exe

Filesize
64KB

MD5
27ea6582981eb994dda2fd69477b49d6

SHA1
d8ebc5421c50ad1eed28feb35d9feea27be9a775

SHA256
b2d09ffcb202c1e8b05af91364667fa3c2326957bd21872b4d01aede7f7b1a46

SHA512
8e936ca9d9cbc3d5b376e57800636c90f2926378ada1bbdb9ef5c66ae6f2173279ed3ee0683cbe0d35d32092afe95f6c80506fc745da852e3e38347a0bcc1485

Download Submit
C:\Windows\{D13AC03B-C95F-4e98-A3F7-1BFC9272BB9D}.exe

Filesize
64KB

MD5
49e7204e97ac5c3ecda2ff24c9a8fadc

SHA1
f0d25ab29274ac5ef846f122234012b1f938ad20

SHA256
39ebf09ba5c2274735a2368e4336be5ecbe577ea0d4c73cfdd2c718a8d106738

SHA512
7286d92e993046dafec00cdf4fba8549788b556bb3c8a73dd86c55762a29aef95cc85381db0d7079861075d7fa7450692917d3c47db1dbc1e618e406aab92e34

Download Submit
memory/528-101-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/528-96-0x00000000002D0000-0x00000000002E0000-memory.dmp

Filesize
64KB

Download
memory/952-83-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/968-38-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/968-46-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/968-45-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1088-66-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1088-75-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1112-102-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1708-87-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/1708-92-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1840-57-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1840-67-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2404-23-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/2404-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2404-27-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2456-13-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/2456-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2600-58-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2600-48-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2600-56-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/2892-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2892-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2892-8-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/2892-3-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/2912-32-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/2912-37-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads