51179732bc44509651ab7c13b151480926e22a94aaf9da7deb4a515399db3321

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20-06-2024 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51179732bc44509651ab7c13b151480926e22a94aaf9da7deb4a515399db3321_NeikiAnalytics.exe
Size

60KB
MD5

730443f70a591776eff905e8d1653990
SHA1

5ba86c737086259edd474afa2452b5d81c3d482f
SHA256

51179732bc44509651ab7c13b151480926e22a94aaf9da7deb4a515399db3321
SHA512

b1db6ad43818e2ece52ded004651064f29e68837d693d797b5fa6e26ba4d36133794e2ec155eef618bc45f3b4ca1708afa399d79e7a425ee7cb5c2dcedefe5e3
SSDEEP

768:vvw9816vhKQLroCQ4/wQxWMZQcpFM1FgDagXP2TyS1tl7lfqvocqcdT3WVd:nEGh0oCQlwWMZQcpmgDagIyS1loL7Wr

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07C82369-13DC-4220-9847-205DAF16EAD5}\stubpath = "C:\\Windows\\{07C82369-13DC-4220-9847-205DAF16EAD5}.exe"	{77E7F942-964E-4700-B6B1-8109CFB839E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12C25FA8-48D4-4a34-B6A4-A1361A96F8FE}	{07C82369-13DC-4220-9847-205DAF16EAD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{12C25FA8-48D4-4a34-B6A4-A1361A96F8FE}\stubpath = "C:\\Windows\\{12C25FA8-48D4-4a34-B6A4-A1361A96F8FE}.exe"	{07C82369-13DC-4220-9847-205DAF16EAD5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2F64B41-27FD-4721-968B-9CB13F6E7255}	{737BF504-0A27-49db-B74F-622C027CBEDA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46428A4D-8449-49f0-9EB6-69D98265F788}	{A4F14AAC-A5E3-4683-86B0-C685EFCD125E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4F14AAC-A5E3-4683-86B0-C685EFCD125E}	{361ED57E-5B2C-45bf-812F-6E475568DCD9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46428A4D-8449-49f0-9EB6-69D98265F788}\stubpath = "C:\\Windows\\{46428A4D-8449-49f0-9EB6-69D98265F788}.exe"	{A4F14AAC-A5E3-4683-86B0-C685EFCD125E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9248F1CB-D05D-4e01-B855-F307E51E1FD5}	{46428A4D-8449-49f0-9EB6-69D98265F788}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{959BB78C-1588-4145-8EAE-860217BA0BF8}	51179732bc44509651ab7c13b151480926e22a94aaf9da7deb4a515399db3321_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77E7F942-964E-4700-B6B1-8109CFB839E6}\stubpath = "C:\\Windows\\{77E7F942-964E-4700-B6B1-8109CFB839E6}.exe"	{959BB78C-1588-4145-8EAE-860217BA0BF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07C82369-13DC-4220-9847-205DAF16EAD5}	{77E7F942-964E-4700-B6B1-8109CFB839E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{737BF504-0A27-49db-B74F-622C027CBEDA}\stubpath = "C:\\Windows\\{737BF504-0A27-49db-B74F-622C027CBEDA}.exe"	{12C25FA8-48D4-4a34-B6A4-A1361A96F8FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{361ED57E-5B2C-45bf-812F-6E475568DCD9}	{E2F64B41-27FD-4721-968B-9CB13F6E7255}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0509095-687F-452d-81A4-CFC43F7B3D8B}	{9248F1CB-D05D-4e01-B855-F307E51E1FD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0509095-687F-452d-81A4-CFC43F7B3D8B}\stubpath = "C:\\Windows\\{C0509095-687F-452d-81A4-CFC43F7B3D8B}.exe"	{9248F1CB-D05D-4e01-B855-F307E51E1FD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{959BB78C-1588-4145-8EAE-860217BA0BF8}\stubpath = "C:\\Windows\\{959BB78C-1588-4145-8EAE-860217BA0BF8}.exe"	51179732bc44509651ab7c13b151480926e22a94aaf9da7deb4a515399db3321_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{361ED57E-5B2C-45bf-812F-6E475568DCD9}\stubpath = "C:\\Windows\\{361ED57E-5B2C-45bf-812F-6E475568DCD9}.exe"	{E2F64B41-27FD-4721-968B-9CB13F6E7255}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4F14AAC-A5E3-4683-86B0-C685EFCD125E}\stubpath = "C:\\Windows\\{A4F14AAC-A5E3-4683-86B0-C685EFCD125E}.exe"	{361ED57E-5B2C-45bf-812F-6E475568DCD9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9248F1CB-D05D-4e01-B855-F307E51E1FD5}\stubpath = "C:\\Windows\\{9248F1CB-D05D-4e01-B855-F307E51E1FD5}.exe"	{46428A4D-8449-49f0-9EB6-69D98265F788}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{77E7F942-964E-4700-B6B1-8109CFB839E6}	{959BB78C-1588-4145-8EAE-860217BA0BF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{737BF504-0A27-49db-B74F-622C027CBEDA}	{12C25FA8-48D4-4a34-B6A4-A1361A96F8FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2F64B41-27FD-4721-968B-9CB13F6E7255}\stubpath = "C:\\Windows\\{E2F64B41-27FD-4721-968B-9CB13F6E7255}.exe"	{737BF504-0A27-49db-B74F-622C027CBEDA}.exe

Deletes itself 1 IoCs

pid	Process
2948	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2612	{959BB78C-1588-4145-8EAE-860217BA0BF8}.exe
2540	{77E7F942-964E-4700-B6B1-8109CFB839E6}.exe
2460	{07C82369-13DC-4220-9847-205DAF16EAD5}.exe
1664	{12C25FA8-48D4-4a34-B6A4-A1361A96F8FE}.exe
1344	{737BF504-0A27-49db-B74F-622C027CBEDA}.exe
2116	{E2F64B41-27FD-4721-968B-9CB13F6E7255}.exe
344	{361ED57E-5B2C-45bf-812F-6E475568DCD9}.exe
1048	{A4F14AAC-A5E3-4683-86B0-C685EFCD125E}.exe
2196	{46428A4D-8449-49f0-9EB6-69D98265F788}.exe
1856	{9248F1CB-D05D-4e01-B855-F307E51E1FD5}.exe
1772	{C0509095-687F-452d-81A4-CFC43F7B3D8B}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{07C82369-13DC-4220-9847-205DAF16EAD5}.exe	{77E7F942-964E-4700-B6B1-8109CFB839E6}.exe
File created	C:\Windows\{737BF504-0A27-49db-B74F-622C027CBEDA}.exe	{12C25FA8-48D4-4a34-B6A4-A1361A96F8FE}.exe
File created	C:\Windows\{361ED57E-5B2C-45bf-812F-6E475568DCD9}.exe	{E2F64B41-27FD-4721-968B-9CB13F6E7255}.exe
File created	C:\Windows\{46428A4D-8449-49f0-9EB6-69D98265F788}.exe	{A4F14AAC-A5E3-4683-86B0-C685EFCD125E}.exe
File created	C:\Windows\{9248F1CB-D05D-4e01-B855-F307E51E1FD5}.exe	{46428A4D-8449-49f0-9EB6-69D98265F788}.exe
File created	C:\Windows\{959BB78C-1588-4145-8EAE-860217BA0BF8}.exe	51179732bc44509651ab7c13b151480926e22a94aaf9da7deb4a515399db3321_NeikiAnalytics.exe
File created	C:\Windows\{12C25FA8-48D4-4a34-B6A4-A1361A96F8FE}.exe	{07C82369-13DC-4220-9847-205DAF16EAD5}.exe
File created	C:\Windows\{E2F64B41-27FD-4721-968B-9CB13F6E7255}.exe	{737BF504-0A27-49db-B74F-622C027CBEDA}.exe
File created	C:\Windows\{A4F14AAC-A5E3-4683-86B0-C685EFCD125E}.exe	{361ED57E-5B2C-45bf-812F-6E475568DCD9}.exe
File created	C:\Windows\{C0509095-687F-452d-81A4-CFC43F7B3D8B}.exe	{9248F1CB-D05D-4e01-B855-F307E51E1FD5}.exe
File created	C:\Windows\{77E7F942-964E-4700-B6B1-8109CFB839E6}.exe	{959BB78C-1588-4145-8EAE-860217BA0BF8}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1036	51179732bc44509651ab7c13b151480926e22a94aaf9da7deb4a515399db3321_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2612	{959BB78C-1588-4145-8EAE-860217BA0BF8}.exe
Token: SeIncBasePriorityPrivilege	2540	{77E7F942-964E-4700-B6B1-8109CFB839E6}.exe
Token: SeIncBasePriorityPrivilege	2460	{07C82369-13DC-4220-9847-205DAF16EAD5}.exe
Token: SeIncBasePriorityPrivilege	1664	{12C25FA8-48D4-4a34-B6A4-A1361A96F8FE}.exe
Token: SeIncBasePriorityPrivilege	1344	{737BF504-0A27-49db-B74F-622C027CBEDA}.exe
Token: SeIncBasePriorityPrivilege	2116	{E2F64B41-27FD-4721-968B-9CB13F6E7255}.exe
Token: SeIncBasePriorityPrivilege	344	{361ED57E-5B2C-45bf-812F-6E475568DCD9}.exe
Token: SeIncBasePriorityPrivilege	1048	{A4F14AAC-A5E3-4683-86B0-C685EFCD125E}.exe
Token: SeIncBasePriorityPrivilege	2196	{46428A4D-8449-49f0-9EB6-69D98265F788}.exe
Token: SeIncBasePriorityPrivilege	1856	{9248F1CB-D05D-4e01-B855-F307E51E1FD5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 2612	1036	51179732bc44509651ab7c13b151480926e22a94aaf9da7deb4a515399db3321_NeikiAnalytics.exe	28
PID 1036 wrote to memory of 2612	1036	51179732bc44509651ab7c13b151480926e22a94aaf9da7deb4a515399db3321_NeikiAnalytics.exe	28
PID 1036 wrote to memory of 2612	1036	51179732bc44509651ab7c13b151480926e22a94aaf9da7deb4a515399db3321_NeikiAnalytics.exe	28
PID 1036 wrote to memory of 2612	1036	51179732bc44509651ab7c13b151480926e22a94aaf9da7deb4a515399db3321_NeikiAnalytics.exe	28
PID 1036 wrote to memory of 2948	1036	51179732bc44509651ab7c13b151480926e22a94aaf9da7deb4a515399db3321_NeikiAnalytics.exe	29
PID 1036 wrote to memory of 2948	1036	51179732bc44509651ab7c13b151480926e22a94aaf9da7deb4a515399db3321_NeikiAnalytics.exe	29
PID 1036 wrote to memory of 2948	1036	51179732bc44509651ab7c13b151480926e22a94aaf9da7deb4a515399db3321_NeikiAnalytics.exe	29
PID 1036 wrote to memory of 2948	1036	51179732bc44509651ab7c13b151480926e22a94aaf9da7deb4a515399db3321_NeikiAnalytics.exe	29
PID 2612 wrote to memory of 2540	2612	{959BB78C-1588-4145-8EAE-860217BA0BF8}.exe	30
PID 2612 wrote to memory of 2540	2612	{959BB78C-1588-4145-8EAE-860217BA0BF8}.exe	30
PID 2612 wrote to memory of 2540	2612	{959BB78C-1588-4145-8EAE-860217BA0BF8}.exe	30
PID 2612 wrote to memory of 2540	2612	{959BB78C-1588-4145-8EAE-860217BA0BF8}.exe	30
PID 2612 wrote to memory of 2680	2612	{959BB78C-1588-4145-8EAE-860217BA0BF8}.exe	31
PID 2612 wrote to memory of 2680	2612	{959BB78C-1588-4145-8EAE-860217BA0BF8}.exe	31
PID 2612 wrote to memory of 2680	2612	{959BB78C-1588-4145-8EAE-860217BA0BF8}.exe	31
PID 2612 wrote to memory of 2680	2612	{959BB78C-1588-4145-8EAE-860217BA0BF8}.exe	31
PID 2540 wrote to memory of 2460	2540	{77E7F942-964E-4700-B6B1-8109CFB839E6}.exe	32
PID 2540 wrote to memory of 2460	2540	{77E7F942-964E-4700-B6B1-8109CFB839E6}.exe	32
PID 2540 wrote to memory of 2460	2540	{77E7F942-964E-4700-B6B1-8109CFB839E6}.exe	32
PID 2540 wrote to memory of 2460	2540	{77E7F942-964E-4700-B6B1-8109CFB839E6}.exe	32
PID 2540 wrote to memory of 2568	2540	{77E7F942-964E-4700-B6B1-8109CFB839E6}.exe	33
PID 2540 wrote to memory of 2568	2540	{77E7F942-964E-4700-B6B1-8109CFB839E6}.exe	33
PID 2540 wrote to memory of 2568	2540	{77E7F942-964E-4700-B6B1-8109CFB839E6}.exe	33
PID 2540 wrote to memory of 2568	2540	{77E7F942-964E-4700-B6B1-8109CFB839E6}.exe	33
PID 2460 wrote to memory of 1664	2460	{07C82369-13DC-4220-9847-205DAF16EAD5}.exe	36
PID 2460 wrote to memory of 1664	2460	{07C82369-13DC-4220-9847-205DAF16EAD5}.exe	36
PID 2460 wrote to memory of 1664	2460	{07C82369-13DC-4220-9847-205DAF16EAD5}.exe	36
PID 2460 wrote to memory of 1664	2460	{07C82369-13DC-4220-9847-205DAF16EAD5}.exe	36
PID 2460 wrote to memory of 1896	2460	{07C82369-13DC-4220-9847-205DAF16EAD5}.exe	37
PID 2460 wrote to memory of 1896	2460	{07C82369-13DC-4220-9847-205DAF16EAD5}.exe	37
PID 2460 wrote to memory of 1896	2460	{07C82369-13DC-4220-9847-205DAF16EAD5}.exe	37
PID 2460 wrote to memory of 1896	2460	{07C82369-13DC-4220-9847-205DAF16EAD5}.exe	37
PID 1664 wrote to memory of 1344	1664	{12C25FA8-48D4-4a34-B6A4-A1361A96F8FE}.exe	38
PID 1664 wrote to memory of 1344	1664	{12C25FA8-48D4-4a34-B6A4-A1361A96F8FE}.exe	38
PID 1664 wrote to memory of 1344	1664	{12C25FA8-48D4-4a34-B6A4-A1361A96F8FE}.exe	38
PID 1664 wrote to memory of 1344	1664	{12C25FA8-48D4-4a34-B6A4-A1361A96F8FE}.exe	38
PID 1664 wrote to memory of 2492	1664	{12C25FA8-48D4-4a34-B6A4-A1361A96F8FE}.exe	39
PID 1664 wrote to memory of 2492	1664	{12C25FA8-48D4-4a34-B6A4-A1361A96F8FE}.exe	39
PID 1664 wrote to memory of 2492	1664	{12C25FA8-48D4-4a34-B6A4-A1361A96F8FE}.exe	39
PID 1664 wrote to memory of 2492	1664	{12C25FA8-48D4-4a34-B6A4-A1361A96F8FE}.exe	39
PID 1344 wrote to memory of 2116	1344	{737BF504-0A27-49db-B74F-622C027CBEDA}.exe	40
PID 1344 wrote to memory of 2116	1344	{737BF504-0A27-49db-B74F-622C027CBEDA}.exe	40
PID 1344 wrote to memory of 2116	1344	{737BF504-0A27-49db-B74F-622C027CBEDA}.exe	40
PID 1344 wrote to memory of 2116	1344	{737BF504-0A27-49db-B74F-622C027CBEDA}.exe	40
PID 1344 wrote to memory of 2340	1344	{737BF504-0A27-49db-B74F-622C027CBEDA}.exe	41
PID 1344 wrote to memory of 2340	1344	{737BF504-0A27-49db-B74F-622C027CBEDA}.exe	41
PID 1344 wrote to memory of 2340	1344	{737BF504-0A27-49db-B74F-622C027CBEDA}.exe	41
PID 1344 wrote to memory of 2340	1344	{737BF504-0A27-49db-B74F-622C027CBEDA}.exe	41
PID 2116 wrote to memory of 344	2116	{E2F64B41-27FD-4721-968B-9CB13F6E7255}.exe	42
PID 2116 wrote to memory of 344	2116	{E2F64B41-27FD-4721-968B-9CB13F6E7255}.exe	42
PID 2116 wrote to memory of 344	2116	{E2F64B41-27FD-4721-968B-9CB13F6E7255}.exe	42
PID 2116 wrote to memory of 344	2116	{E2F64B41-27FD-4721-968B-9CB13F6E7255}.exe	42
PID 2116 wrote to memory of 2744	2116	{E2F64B41-27FD-4721-968B-9CB13F6E7255}.exe	43
PID 2116 wrote to memory of 2744	2116	{E2F64B41-27FD-4721-968B-9CB13F6E7255}.exe	43
PID 2116 wrote to memory of 2744	2116	{E2F64B41-27FD-4721-968B-9CB13F6E7255}.exe	43
PID 2116 wrote to memory of 2744	2116	{E2F64B41-27FD-4721-968B-9CB13F6E7255}.exe	43
PID 344 wrote to memory of 1048	344	{361ED57E-5B2C-45bf-812F-6E475568DCD9}.exe	44
PID 344 wrote to memory of 1048	344	{361ED57E-5B2C-45bf-812F-6E475568DCD9}.exe	44
PID 344 wrote to memory of 1048	344	{361ED57E-5B2C-45bf-812F-6E475568DCD9}.exe	44
PID 344 wrote to memory of 1048	344	{361ED57E-5B2C-45bf-812F-6E475568DCD9}.exe	44
PID 344 wrote to memory of 1280	344	{361ED57E-5B2C-45bf-812F-6E475568DCD9}.exe	45
PID 344 wrote to memory of 1280	344	{361ED57E-5B2C-45bf-812F-6E475568DCD9}.exe	45
PID 344 wrote to memory of 1280	344	{361ED57E-5B2C-45bf-812F-6E475568DCD9}.exe	45
PID 344 wrote to memory of 1280	344	{361ED57E-5B2C-45bf-812F-6E475568DCD9}.exe	45

C:\Users\Admin\AppData\Local\Temp\51179732bc44509651ab7c13b151480926e22a94aaf9da7deb4a515399db3321_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\51179732bc44509651ab7c13b151480926e22a94aaf9da7deb4a515399db3321_NeikiAnalytics.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Windows\{959BB78C-1588-4145-8EAE-860217BA0BF8}.exe
  C:\Windows\{959BB78C-1588-4145-8EAE-860217BA0BF8}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\{77E7F942-964E-4700-B6B1-8109CFB839E6}.exe
    C:\Windows\{77E7F942-964E-4700-B6B1-8109CFB839E6}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\{07C82369-13DC-4220-9847-205DAF16EAD5}.exe
      C:\Windows\{07C82369-13DC-4220-9847-205DAF16EAD5}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2460
    - - C:\Windows\{12C25FA8-48D4-4a34-B6A4-A1361A96F8FE}.exe
        
        C:\Windows\{12C25FA8-48D4-4a34-B6A4-A1361A96F8FE}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1664
      - C:\Windows\{737BF504-0A27-49db-B74F-622C027CBEDA}.exe
        
        C:\Windows\{737BF504-0A27-49db-B74F-622C027CBEDA}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\{E2F64B41-27FD-4721-968B-9CB13F6E7255}.exe
        
        C:\Windows\{E2F64B41-27FD-4721-968B-9CB13F6E7255}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\{361ED57E-5B2C-45bf-812F-6E475568DCD9}.exe
        
        C:\Windows\{361ED57E-5B2C-45bf-812F-6E475568DCD9}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:344
        
        C:\Windows\{A4F14AAC-A5E3-4683-86B0-C685EFCD125E}.exe
        
        C:\Windows\{A4F14AAC-A5E3-4683-86B0-C685EFCD125E}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
        
        C:\Windows\{46428A4D-8449-49f0-9EB6-69D98265F788}.exe
        
        C:\Windows\{46428A4D-8449-49f0-9EB6-69D98265F788}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\{9248F1CB-D05D-4e01-B855-F307E51E1FD5}.exe
        
        C:\Windows\{9248F1CB-D05D-4e01-B855-F307E51E1FD5}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
        
        C:\Windows\{C0509095-687F-452d-81A4-CFC43F7B3D8B}.exe
        
        C:\Windows\{C0509095-687F-452d-81A4-CFC43F7B3D8B}.exe
        12⤵
        Executes dropped EXE
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9248F~1.EXE > nul
        12⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46428~1.EXE > nul
        11⤵
        
        PID:484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4F14~1.EXE > nul
        10⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{361ED~1.EXE > nul
        9⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2F64~1.EXE > nul
        8⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{737BF~1.EXE > nul
        7⤵
        
        PID:2340
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12C25~1.EXE > nul
        6⤵
        
        PID:2492
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07C82~1.EXE > nul
        5⤵
        
        PID:1896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{77E7F~1.EXE > nul
      4⤵
      PID:2568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{959BB~1.EXE > nul
    3⤵
    PID:2680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\511797~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07C82369-13DC-4220-9847-205DAF16EAD5}.exe

Filesize
60KB

MD5
766a69d3127668c3433c25aca1c872fd

SHA1
1aa61e26d7b7f8fe63da06544f95f13ee924e858

SHA256
54a0653ec879e16abeaccc1c82cfb73a1368f7cb19d0dcbeec758f8bcee9a0d2

SHA512
5562b91f4a480a4390cdb188ada4c375040e4c1f0dfd5ccc87902003905eda42d2015de61d75acdb457ea61cfbc5392cef5ed05fad783d1abee19b10917f322a

Download Submit
C:\Windows\{12C25FA8-48D4-4a34-B6A4-A1361A96F8FE}.exe

Filesize
60KB

MD5
d538b26d252d5ce289950aec93890493

SHA1
10c3da1f4cfe219f4536e13032ff0f4a019b0f7c

SHA256
d787c9053ce21f4f0fccf5a156c3d35c47f5678ee89873723af7714f4c129fb2

SHA512
fcd1157704c1bd8ebaca8b230626c348810079373014a5bf3cb90ba1e210e6de06962fa80d65411546ad0d5d6ba655f208da65fc9fa064ff1ac1612c94a4e880

Download Submit
C:\Windows\{361ED57E-5B2C-45bf-812F-6E475568DCD9}.exe

Filesize
60KB

MD5
d1987a5ccef1a0d8cb9f6021bc5af50d

SHA1
99fa69962b472a290a7c2869f535cb5ccefc806e

SHA256
df8ca3922db82d2170f87ee56dd1714e03fc0d1490f413b4eec122313ccac8ab

SHA512
c001e1292fef268750636b9d87658e2c0d3edb3f4334369c19ccabcfef3c49d7ae4a224c1db6dd30225c9fcfd1c5037d6d8e37925bbb47a976915103d6bab0f1

Download Submit
C:\Windows\{46428A4D-8449-49f0-9EB6-69D98265F788}.exe

Filesize
60KB

MD5
69ba8f5a23967fcf1af38840d2ba31e9

SHA1
f7d9291fb56e6b5c23360a0c69bcb3c09f24a795

SHA256
8164e3ef31ebdbf6fe986ca023b1f08c79546ba31501d5ef4abd33b17b27fafa

SHA512
7628b9cc7c355522e854b8d78686a5439acaf25a8bfe3b82f45e6e87b8243f8a6506f5aa3c5c0b582432d824c62121adb93cc226eab8f01905f0021192059eea

Download Submit
C:\Windows\{737BF504-0A27-49db-B74F-622C027CBEDA}.exe

Filesize
60KB

MD5
3febfeb587f8ab4a9afceebda8699a2c

SHA1
6ab10b2fe8c5716aba806429bfc967a0eeb6ebd2

SHA256
0abf51fb0bf08e066972cea2685337eb55fc8ef607179b71cc6d9a168a9fc869

SHA512
2926e4f9d2fc531b5eddcdb58f248661d4e7cf4e3eb766f09c2c43ff9ba7a22dbdb3623fcc315b40b48caa1c43a23df938b113c0ed3ead97e6eeb3b718f24847

Download Submit
C:\Windows\{77E7F942-964E-4700-B6B1-8109CFB839E6}.exe

Filesize
60KB

MD5
711fdcb4818fdf1a4f35e90a96511e27

SHA1
62dac2da926d10fad0e947a3cd053f8a07b6c01b

SHA256
6ab425407493c72b744bb58470f982732299d05baea6ab1946e685075eaabdeb

SHA512
0d6b52b8600c43a60e7a00aa2005073ce2a484b3b41ac99d44ff76fc51bfb1ce2238723c6e0a1aa135696e3f9d289bf92a5e3931c99217dc58758d7d89938db1

Download Submit
C:\Windows\{9248F1CB-D05D-4e01-B855-F307E51E1FD5}.exe

Filesize
60KB

MD5
4ac117b29d7e849a28c926e9b937ad28

SHA1
967a3603f6d1244e5500843ee8e2b38a39f5c5a6

SHA256
52a8fd2ee56a0fd58f3b19daa559c869a0783cad59bde2db18344df0fb269b99

SHA512
1de8aa686af5de540010d0df3df419a0359b685470118571bd5412f35ab3b5bfe7a3a78aefd64876133d371b9cf2c4b596d9bac65c0e24c9a67f1eaeeeafbbd6

Download Submit
C:\Windows\{959BB78C-1588-4145-8EAE-860217BA0BF8}.exe

Filesize
60KB

MD5
1280b81a305360859f35debb87ef13c0

SHA1
70db45a6c6b6d237c491b6d559a2242c4c3c8023

SHA256
4fbc19e5d0309e11bf895ae2eb1e75dcbd727571706b3a4575fd4b06b5afb1f3

SHA512
1d598ab84ea05d41b13eac582edd1826f5493456fe9b542426ccbd7144d8df771e40534889c3797b04698cb4c96e6c170e2b0feb4306a6db441494895720d8ef

Download Submit
C:\Windows\{A4F14AAC-A5E3-4683-86B0-C685EFCD125E}.exe

Filesize
60KB

MD5
08f9c919498b0f3316988bc028360e70

SHA1
41913a6df1357c245c7f1cc08338ae613a00bb6e

SHA256
51df66865a6ad34184abe570a7d3d30515e15d9bb7197a762b7f7fbce5a1bbd8

SHA512
71264161a927fda46838db4d00c62b0b083e87e359cd8df8510e822d3b0ce5e2105bd377a28fc0324d557c6edf6a8c3511cae4d6922904f1a2ad2cabbaaf8a70

Download Submit
C:\Windows\{C0509095-687F-452d-81A4-CFC43F7B3D8B}.exe

Filesize
60KB

MD5
fb12247494221c88f99118c077c7d03b

SHA1
77dd410f38366a6eda0bcb55cdfa0a99f2f10854

SHA256
340aae827d3b392d4dc3bf960bf7bdf8dbd4e83cc0c07cf07c409f08c7d51343

SHA512
1bfd9e6482557fdc076238712a1671a90b61928e001516571b68da82f19155087d4578e9df69182b70da77f8ebbb419cb3c36117fdf88b4ab15463e5cef9831c

Download Submit
C:\Windows\{E2F64B41-27FD-4721-968B-9CB13F6E7255}.exe

Filesize
60KB

MD5
6cdcf3d3b76081589defce5a17d29b6c

SHA1
1331e3223448de39dc11d10c6719059be01bdfd4

SHA256
e0fb9d6296a2dac306d36bd1f2376ac311a6e8b06dc7b470eb728844e884e74d

SHA512
fd3c8417175962805e81bc77e24227780bf2940cce1234ef172f79b0f2cbfc93e61a17ac91b3ff7edd4d2f8b55105adde11c27fe9b78d9c75a9b8cced56cfcf2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads