6958b883f6c435592a73abbbfb2631a0e50363ab1ace14f8ef456c3fe5807c3d

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 13:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6958b883f6c435592a73abbbfb2631a0e50363ab1ace14f8ef456c3fe5807c3d_NeikiAnalytics.exe
Size

89KB
MD5

8c5cf022252cad18ae4fbe10ab231810
SHA1

3d5cba2f670a34382007236c9bc81ae16f4fbb57
SHA256

6958b883f6c435592a73abbbfb2631a0e50363ab1ace14f8ef456c3fe5807c3d
SHA512

5d66b12697a6e8790d35bcb636349009d71d891a0476178739ed402db21ecabdcf9f8bb2a575ef2760078d677b278af7b909515e6e8da961095eaf7675657245
SSDEEP

768:Qvw9816vhKQLroO4/wQRNrfrunMxVFA3b7gl5:YEGh0oOl2unMxVS3HgX

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60724BED-34E8-4295-A053-26D3FC0C82B5}	{6861200A-CE12-4fcf-A23D-4E2870476FE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E352BEC2-E04C-40c7-9BBC-4259FE70ABA6}	{6F4780FF-D4A4-4b63-88AE-5A73676F095D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E352BEC2-E04C-40c7-9BBC-4259FE70ABA6}\stubpath = "C:\\Windows\\{E352BEC2-E04C-40c7-9BBC-4259FE70ABA6}.exe"	{6F4780FF-D4A4-4b63-88AE-5A73676F095D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C968D939-BB2F-4359-AB1A-5CC9A8F564A2}\stubpath = "C:\\Windows\\{C968D939-BB2F-4359-AB1A-5CC9A8F564A2}.exe"	{3805E5D6-046F-44cd-BB4A-3C61C97D99E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F789F33B-FBE8-4a9b-B4A9-C8A09F5B37F5}\stubpath = "C:\\Windows\\{F789F33B-FBE8-4a9b-B4A9-C8A09F5B37F5}.exe"	{C968D939-BB2F-4359-AB1A-5CC9A8F564A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AE76502-4E2F-4f29-82C8-76DE957452D3}\stubpath = "C:\\Windows\\{2AE76502-4E2F-4f29-82C8-76DE957452D3}.exe"	{F789F33B-FBE8-4a9b-B4A9-C8A09F5B37F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32DD6D53-7B94-4046-8D98-E004771F5F84}\stubpath = "C:\\Windows\\{32DD6D53-7B94-4046-8D98-E004771F5F84}.exe"	6958b883f6c435592a73abbbfb2631a0e50363ab1ace14f8ef456c3fe5807c3d_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED2E4D65-F5B6-4c35-8D5B-E972A17F9C51}\stubpath = "C:\\Windows\\{ED2E4D65-F5B6-4c35-8D5B-E972A17F9C51}.exe"	{32DD6D53-7B94-4046-8D98-E004771F5F84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6861200A-CE12-4fcf-A23D-4E2870476FE3}	{ED2E4D65-F5B6-4c35-8D5B-E972A17F9C51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6861200A-CE12-4fcf-A23D-4E2870476FE3}\stubpath = "C:\\Windows\\{6861200A-CE12-4fcf-A23D-4E2870476FE3}.exe"	{ED2E4D65-F5B6-4c35-8D5B-E972A17F9C51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F4780FF-D4A4-4b63-88AE-5A73676F095D}\stubpath = "C:\\Windows\\{6F4780FF-D4A4-4b63-88AE-5A73676F095D}.exe"	{60724BED-34E8-4295-A053-26D3FC0C82B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AE76502-4E2F-4f29-82C8-76DE957452D3}	{F789F33B-FBE8-4a9b-B4A9-C8A09F5B37F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E06C77A8-EDF8-41e9-B001-1BE27ED4E815}\stubpath = "C:\\Windows\\{E06C77A8-EDF8-41e9-B001-1BE27ED4E815}.exe"	{2AE76502-4E2F-4f29-82C8-76DE957452D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED2E4D65-F5B6-4c35-8D5B-E972A17F9C51}	{32DD6D53-7B94-4046-8D98-E004771F5F84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F4780FF-D4A4-4b63-88AE-5A73676F095D}	{60724BED-34E8-4295-A053-26D3FC0C82B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3805E5D6-046F-44cd-BB4A-3C61C97D99E0}	{E352BEC2-E04C-40c7-9BBC-4259FE70ABA6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3805E5D6-046F-44cd-BB4A-3C61C97D99E0}\stubpath = "C:\\Windows\\{3805E5D6-046F-44cd-BB4A-3C61C97D99E0}.exe"	{E352BEC2-E04C-40c7-9BBC-4259FE70ABA6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F789F33B-FBE8-4a9b-B4A9-C8A09F5B37F5}	{C968D939-BB2F-4359-AB1A-5CC9A8F564A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E06C77A8-EDF8-41e9-B001-1BE27ED4E815}	{2AE76502-4E2F-4f29-82C8-76DE957452D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32DD6D53-7B94-4046-8D98-E004771F5F84}	6958b883f6c435592a73abbbfb2631a0e50363ab1ace14f8ef456c3fe5807c3d_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C968D939-BB2F-4359-AB1A-5CC9A8F564A2}	{3805E5D6-046F-44cd-BB4A-3C61C97D99E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60724BED-34E8-4295-A053-26D3FC0C82B5}\stubpath = "C:\\Windows\\{60724BED-34E8-4295-A053-26D3FC0C82B5}.exe"	{6861200A-CE12-4fcf-A23D-4E2870476FE3}.exe

Deletes itself 1 IoCs

pid	Process
2056	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2332	{32DD6D53-7B94-4046-8D98-E004771F5F84}.exe
2820	{ED2E4D65-F5B6-4c35-8D5B-E972A17F9C51}.exe
2432	{6861200A-CE12-4fcf-A23D-4E2870476FE3}.exe
356	{60724BED-34E8-4295-A053-26D3FC0C82B5}.exe
2752	{6F4780FF-D4A4-4b63-88AE-5A73676F095D}.exe
1832	{E352BEC2-E04C-40c7-9BBC-4259FE70ABA6}.exe
1236	{3805E5D6-046F-44cd-BB4A-3C61C97D99E0}.exe
2024	{C968D939-BB2F-4359-AB1A-5CC9A8F564A2}.exe
1560	{F789F33B-FBE8-4a9b-B4A9-C8A09F5B37F5}.exe
1732	{2AE76502-4E2F-4f29-82C8-76DE957452D3}.exe
1388	{E06C77A8-EDF8-41e9-B001-1BE27ED4E815}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6F4780FF-D4A4-4b63-88AE-5A73676F095D}.exe	{60724BED-34E8-4295-A053-26D3FC0C82B5}.exe
File created	C:\Windows\{E352BEC2-E04C-40c7-9BBC-4259FE70ABA6}.exe	{6F4780FF-D4A4-4b63-88AE-5A73676F095D}.exe
File created	C:\Windows\{3805E5D6-046F-44cd-BB4A-3C61C97D99E0}.exe	{E352BEC2-E04C-40c7-9BBC-4259FE70ABA6}.exe
File created	C:\Windows\{C968D939-BB2F-4359-AB1A-5CC9A8F564A2}.exe	{3805E5D6-046F-44cd-BB4A-3C61C97D99E0}.exe
File created	C:\Windows\{2AE76502-4E2F-4f29-82C8-76DE957452D3}.exe	{F789F33B-FBE8-4a9b-B4A9-C8A09F5B37F5}.exe
File created	C:\Windows\{32DD6D53-7B94-4046-8D98-E004771F5F84}.exe	6958b883f6c435592a73abbbfb2631a0e50363ab1ace14f8ef456c3fe5807c3d_NeikiAnalytics.exe
File created	C:\Windows\{6861200A-CE12-4fcf-A23D-4E2870476FE3}.exe	{ED2E4D65-F5B6-4c35-8D5B-E972A17F9C51}.exe
File created	C:\Windows\{60724BED-34E8-4295-A053-26D3FC0C82B5}.exe	{6861200A-CE12-4fcf-A23D-4E2870476FE3}.exe
File created	C:\Windows\{ED2E4D65-F5B6-4c35-8D5B-E972A17F9C51}.exe	{32DD6D53-7B94-4046-8D98-E004771F5F84}.exe
File created	C:\Windows\{F789F33B-FBE8-4a9b-B4A9-C8A09F5B37F5}.exe	{C968D939-BB2F-4359-AB1A-5CC9A8F564A2}.exe
File created	C:\Windows\{E06C77A8-EDF8-41e9-B001-1BE27ED4E815}.exe	{2AE76502-4E2F-4f29-82C8-76DE957452D3}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2472	6958b883f6c435592a73abbbfb2631a0e50363ab1ace14f8ef456c3fe5807c3d_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2332	{32DD6D53-7B94-4046-8D98-E004771F5F84}.exe
Token: SeIncBasePriorityPrivilege	2820	{ED2E4D65-F5B6-4c35-8D5B-E972A17F9C51}.exe
Token: SeIncBasePriorityPrivilege	2432	{6861200A-CE12-4fcf-A23D-4E2870476FE3}.exe
Token: SeIncBasePriorityPrivilege	356	{60724BED-34E8-4295-A053-26D3FC0C82B5}.exe
Token: SeIncBasePriorityPrivilege	2752	{6F4780FF-D4A4-4b63-88AE-5A73676F095D}.exe
Token: SeIncBasePriorityPrivilege	1832	{E352BEC2-E04C-40c7-9BBC-4259FE70ABA6}.exe
Token: SeIncBasePriorityPrivilege	1236	{3805E5D6-046F-44cd-BB4A-3C61C97D99E0}.exe
Token: SeIncBasePriorityPrivilege	2024	{C968D939-BB2F-4359-AB1A-5CC9A8F564A2}.exe
Token: SeIncBasePriorityPrivilege	1560	{F789F33B-FBE8-4a9b-B4A9-C8A09F5B37F5}.exe
Token: SeIncBasePriorityPrivilege	1732	{2AE76502-4E2F-4f29-82C8-76DE957452D3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 2332	2472	6958b883f6c435592a73abbbfb2631a0e50363ab1ace14f8ef456c3fe5807c3d_NeikiAnalytics.exe	28
PID 2472 wrote to memory of 2332	2472	6958b883f6c435592a73abbbfb2631a0e50363ab1ace14f8ef456c3fe5807c3d_NeikiAnalytics.exe	28
PID 2472 wrote to memory of 2332	2472	6958b883f6c435592a73abbbfb2631a0e50363ab1ace14f8ef456c3fe5807c3d_NeikiAnalytics.exe	28
PID 2472 wrote to memory of 2332	2472	6958b883f6c435592a73abbbfb2631a0e50363ab1ace14f8ef456c3fe5807c3d_NeikiAnalytics.exe	28
PID 2472 wrote to memory of 2056	2472	6958b883f6c435592a73abbbfb2631a0e50363ab1ace14f8ef456c3fe5807c3d_NeikiAnalytics.exe	29
PID 2472 wrote to memory of 2056	2472	6958b883f6c435592a73abbbfb2631a0e50363ab1ace14f8ef456c3fe5807c3d_NeikiAnalytics.exe	29
PID 2472 wrote to memory of 2056	2472	6958b883f6c435592a73abbbfb2631a0e50363ab1ace14f8ef456c3fe5807c3d_NeikiAnalytics.exe	29
PID 2472 wrote to memory of 2056	2472	6958b883f6c435592a73abbbfb2631a0e50363ab1ace14f8ef456c3fe5807c3d_NeikiAnalytics.exe	29
PID 2332 wrote to memory of 2820	2332	{32DD6D53-7B94-4046-8D98-E004771F5F84}.exe	30
PID 2332 wrote to memory of 2820	2332	{32DD6D53-7B94-4046-8D98-E004771F5F84}.exe	30
PID 2332 wrote to memory of 2820	2332	{32DD6D53-7B94-4046-8D98-E004771F5F84}.exe	30
PID 2332 wrote to memory of 2820	2332	{32DD6D53-7B94-4046-8D98-E004771F5F84}.exe	30
PID 2332 wrote to memory of 2716	2332	{32DD6D53-7B94-4046-8D98-E004771F5F84}.exe	31
PID 2332 wrote to memory of 2716	2332	{32DD6D53-7B94-4046-8D98-E004771F5F84}.exe	31
PID 2332 wrote to memory of 2716	2332	{32DD6D53-7B94-4046-8D98-E004771F5F84}.exe	31
PID 2332 wrote to memory of 2716	2332	{32DD6D53-7B94-4046-8D98-E004771F5F84}.exe	31
PID 2820 wrote to memory of 2432	2820	{ED2E4D65-F5B6-4c35-8D5B-E972A17F9C51}.exe	32
PID 2820 wrote to memory of 2432	2820	{ED2E4D65-F5B6-4c35-8D5B-E972A17F9C51}.exe	32
PID 2820 wrote to memory of 2432	2820	{ED2E4D65-F5B6-4c35-8D5B-E972A17F9C51}.exe	32
PID 2820 wrote to memory of 2432	2820	{ED2E4D65-F5B6-4c35-8D5B-E972A17F9C51}.exe	32
PID 2820 wrote to memory of 2560	2820	{ED2E4D65-F5B6-4c35-8D5B-E972A17F9C51}.exe	33
PID 2820 wrote to memory of 2560	2820	{ED2E4D65-F5B6-4c35-8D5B-E972A17F9C51}.exe	33
PID 2820 wrote to memory of 2560	2820	{ED2E4D65-F5B6-4c35-8D5B-E972A17F9C51}.exe	33
PID 2820 wrote to memory of 2560	2820	{ED2E4D65-F5B6-4c35-8D5B-E972A17F9C51}.exe	33
PID 2432 wrote to memory of 356	2432	{6861200A-CE12-4fcf-A23D-4E2870476FE3}.exe	36
PID 2432 wrote to memory of 356	2432	{6861200A-CE12-4fcf-A23D-4E2870476FE3}.exe	36
PID 2432 wrote to memory of 356	2432	{6861200A-CE12-4fcf-A23D-4E2870476FE3}.exe	36
PID 2432 wrote to memory of 356	2432	{6861200A-CE12-4fcf-A23D-4E2870476FE3}.exe	36
PID 2432 wrote to memory of 2668	2432	{6861200A-CE12-4fcf-A23D-4E2870476FE3}.exe	37
PID 2432 wrote to memory of 2668	2432	{6861200A-CE12-4fcf-A23D-4E2870476FE3}.exe	37
PID 2432 wrote to memory of 2668	2432	{6861200A-CE12-4fcf-A23D-4E2870476FE3}.exe	37
PID 2432 wrote to memory of 2668	2432	{6861200A-CE12-4fcf-A23D-4E2870476FE3}.exe	37
PID 356 wrote to memory of 2752	356	{60724BED-34E8-4295-A053-26D3FC0C82B5}.exe	38
PID 356 wrote to memory of 2752	356	{60724BED-34E8-4295-A053-26D3FC0C82B5}.exe	38
PID 356 wrote to memory of 2752	356	{60724BED-34E8-4295-A053-26D3FC0C82B5}.exe	38
PID 356 wrote to memory of 2752	356	{60724BED-34E8-4295-A053-26D3FC0C82B5}.exe	38
PID 356 wrote to memory of 1548	356	{60724BED-34E8-4295-A053-26D3FC0C82B5}.exe	39
PID 356 wrote to memory of 1548	356	{60724BED-34E8-4295-A053-26D3FC0C82B5}.exe	39
PID 356 wrote to memory of 1548	356	{60724BED-34E8-4295-A053-26D3FC0C82B5}.exe	39
PID 356 wrote to memory of 1548	356	{60724BED-34E8-4295-A053-26D3FC0C82B5}.exe	39
PID 2752 wrote to memory of 1832	2752	{6F4780FF-D4A4-4b63-88AE-5A73676F095D}.exe	40
PID 2752 wrote to memory of 1832	2752	{6F4780FF-D4A4-4b63-88AE-5A73676F095D}.exe	40
PID 2752 wrote to memory of 1832	2752	{6F4780FF-D4A4-4b63-88AE-5A73676F095D}.exe	40
PID 2752 wrote to memory of 1832	2752	{6F4780FF-D4A4-4b63-88AE-5A73676F095D}.exe	40
PID 2752 wrote to memory of 1784	2752	{6F4780FF-D4A4-4b63-88AE-5A73676F095D}.exe	41
PID 2752 wrote to memory of 1784	2752	{6F4780FF-D4A4-4b63-88AE-5A73676F095D}.exe	41
PID 2752 wrote to memory of 1784	2752	{6F4780FF-D4A4-4b63-88AE-5A73676F095D}.exe	41
PID 2752 wrote to memory of 1784	2752	{6F4780FF-D4A4-4b63-88AE-5A73676F095D}.exe	41
PID 1832 wrote to memory of 1236	1832	{E352BEC2-E04C-40c7-9BBC-4259FE70ABA6}.exe	42
PID 1832 wrote to memory of 1236	1832	{E352BEC2-E04C-40c7-9BBC-4259FE70ABA6}.exe	42
PID 1832 wrote to memory of 1236	1832	{E352BEC2-E04C-40c7-9BBC-4259FE70ABA6}.exe	42
PID 1832 wrote to memory of 1236	1832	{E352BEC2-E04C-40c7-9BBC-4259FE70ABA6}.exe	42
PID 1832 wrote to memory of 2380	1832	{E352BEC2-E04C-40c7-9BBC-4259FE70ABA6}.exe	43
PID 1832 wrote to memory of 2380	1832	{E352BEC2-E04C-40c7-9BBC-4259FE70ABA6}.exe	43
PID 1832 wrote to memory of 2380	1832	{E352BEC2-E04C-40c7-9BBC-4259FE70ABA6}.exe	43
PID 1832 wrote to memory of 2380	1832	{E352BEC2-E04C-40c7-9BBC-4259FE70ABA6}.exe	43
PID 1236 wrote to memory of 2024	1236	{3805E5D6-046F-44cd-BB4A-3C61C97D99E0}.exe	44
PID 1236 wrote to memory of 2024	1236	{3805E5D6-046F-44cd-BB4A-3C61C97D99E0}.exe	44
PID 1236 wrote to memory of 2024	1236	{3805E5D6-046F-44cd-BB4A-3C61C97D99E0}.exe	44
PID 1236 wrote to memory of 2024	1236	{3805E5D6-046F-44cd-BB4A-3C61C97D99E0}.exe	44
PID 1236 wrote to memory of 1108	1236	{3805E5D6-046F-44cd-BB4A-3C61C97D99E0}.exe	45
PID 1236 wrote to memory of 1108	1236	{3805E5D6-046F-44cd-BB4A-3C61C97D99E0}.exe	45
PID 1236 wrote to memory of 1108	1236	{3805E5D6-046F-44cd-BB4A-3C61C97D99E0}.exe	45
PID 1236 wrote to memory of 1108	1236	{3805E5D6-046F-44cd-BB4A-3C61C97D99E0}.exe	45

C:\Users\Admin\AppData\Local\Temp\6958b883f6c435592a73abbbfb2631a0e50363ab1ace14f8ef456c3fe5807c3d_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6958b883f6c435592a73abbbfb2631a0e50363ab1ace14f8ef456c3fe5807c3d_NeikiAnalytics.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\{32DD6D53-7B94-4046-8D98-E004771F5F84}.exe
  C:\Windows\{32DD6D53-7B94-4046-8D98-E004771F5F84}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\{ED2E4D65-F5B6-4c35-8D5B-E972A17F9C51}.exe
    C:\Windows\{ED2E4D65-F5B6-4c35-8D5B-E972A17F9C51}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\{6861200A-CE12-4fcf-A23D-4E2870476FE3}.exe
      C:\Windows\{6861200A-CE12-4fcf-A23D-4E2870476FE3}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2432
    - - C:\Windows\{60724BED-34E8-4295-A053-26D3FC0C82B5}.exe
        
        C:\Windows\{60724BED-34E8-4295-A053-26D3FC0C82B5}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:356
      - C:\Windows\{6F4780FF-D4A4-4b63-88AE-5A73676F095D}.exe
        
        C:\Windows\{6F4780FF-D4A4-4b63-88AE-5A73676F095D}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\{E352BEC2-E04C-40c7-9BBC-4259FE70ABA6}.exe
        
        C:\Windows\{E352BEC2-E04C-40c7-9BBC-4259FE70ABA6}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\{3805E5D6-046F-44cd-BB4A-3C61C97D99E0}.exe
        
        C:\Windows\{3805E5D6-046F-44cd-BB4A-3C61C97D99E0}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\{C968D939-BB2F-4359-AB1A-5CC9A8F564A2}.exe
        
        C:\Windows\{C968D939-BB2F-4359-AB1A-5CC9A8F564A2}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\{F789F33B-FBE8-4a9b-B4A9-C8A09F5B37F5}.exe
        
        C:\Windows\{F789F33B-FBE8-4a9b-B4A9-C8A09F5B37F5}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Windows\{2AE76502-4E2F-4f29-82C8-76DE957452D3}.exe
        
        C:\Windows\{2AE76502-4E2F-4f29-82C8-76DE957452D3}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Windows\{E06C77A8-EDF8-41e9-B001-1BE27ED4E815}.exe
        
        C:\Windows\{E06C77A8-EDF8-41e9-B001-1BE27ED4E815}.exe
        12⤵
        Executes dropped EXE
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2AE76~1.EXE > nul
        12⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F789F~1.EXE > nul
        11⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C968D~1.EXE > nul
        10⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3805E~1.EXE > nul
        9⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E352B~1.EXE > nul
        8⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F478~1.EXE > nul
        7⤵
        
        PID:1784
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60724~1.EXE > nul
        6⤵
        
        PID:1548
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68612~1.EXE > nul
        5⤵
        
        PID:2668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{ED2E4~1.EXE > nul
      4⤵
      PID:2560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{32DD6~1.EXE > nul
    3⤵
    PID:2716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6958B8~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2AE76502-4E2F-4f29-82C8-76DE957452D3}.exe

Filesize
89KB

MD5
463c8c8b4a2f20720bebcde682001abf

SHA1
136e4dbf63354c04da5283c1bfab56fe62624619

SHA256
3f2a864b8487bfa22cbe31285101b301cf04f5ee5e046da7ed3bb7d1f901bcf7

SHA512
1ab8831ee9455744e58897f71eedce85cf2124ab95ed70d803b7f696be8f824abbb650562200c66691868b81910bfc2ddad4e6b1469bc2d98e7ee12095fc2e82

Download Submit
C:\Windows\{32DD6D53-7B94-4046-8D98-E004771F5F84}.exe

Filesize
89KB

MD5
66f0edbf677a292a51e0d10b8408d8e3

SHA1
e5255bffef36e2e5b18bb34ce38d909b0055bf29

SHA256
c4fb9ccb459ba9e4d5e8ec6e16100ddf6f81c09d15f59a31edf901d8c41a48fa

SHA512
ef11b6042af4cf92ccce31cdf3ec815affccfaa5a2ca4baa159f6c843a129e89961fad87a6defc4f907b5ceda622c499d059ccf33a9a8e1dc8114a157b88169f

Download Submit
C:\Windows\{3805E5D6-046F-44cd-BB4A-3C61C97D99E0}.exe

Filesize
89KB

MD5
30b738012db07fa0c91909f202835edf

SHA1
2d43499484b74273f6a896adc424ef1d2e8672c3

SHA256
48e187f322caa4b3ca9ec61baf4aed369730483975da1da09bb0492952cc9227

SHA512
473b88891fbf75c701672e9cd35a69c03f096170fdd58fd6abc6584d2b3d1713c950cd0314e35bf035101ae87e28959a42752bf09ad70b16421f792a2fa3dbc4

Download Submit
C:\Windows\{60724BED-34E8-4295-A053-26D3FC0C82B5}.exe

Filesize
89KB

MD5
90e5ec5a51aac9da5d2f88297af34be9

SHA1
ef05e2645a35fcfcca4a29690717f48b489929f4

SHA256
5f617fd089507cb70adf33caadb082196252d45f392366ab65e1842ea0677cbc

SHA512
34b7b7ff3418e87e34fba3322aa2c897b88f863069c4b085e6eee1b5e4d6271e8a7de45d083452eafbc8891777f69dbed87e320f38b25a277479e6cb166a8f7a

Download Submit
C:\Windows\{6861200A-CE12-4fcf-A23D-4E2870476FE3}.exe

Filesize
89KB

MD5
d94c8cdd9a4b2ca3c26db031447542e8

SHA1
6d5f38af387ecbad18404dedbf1d9779192de766

SHA256
fe2bbe12c1a088726feb2288b48ca6b28a6694ee1af7aa3f97a0d34d71bd045f

SHA512
9a2db1e2c50701160d6a63c0d9261a9cf929bff2936dcf70edb09486757d7b11603d5b812d4b8b87ea2dec11f96301b1cea3f570878b2648f419c59f1c4f4440

Download Submit
C:\Windows\{6F4780FF-D4A4-4b63-88AE-5A73676F095D}.exe

Filesize
89KB

MD5
528097a2fd3e1ea4806ec032fd27a51e

SHA1
ce1805048a33be54d2ec49c826b7aede399244b2

SHA256
668b396d45743e8658c5d3bd8c4dd031b11816da7689833b5776fe35a5daac65

SHA512
5ccfe60eb3b21f65391398089350db292afb33a0e24a005cdc5893c957c93a71d03d192404c5860b44e0db51e8a4f92c22c65bef25adca8aa3d2a9167c7dcf1c

Download Submit
C:\Windows\{C968D939-BB2F-4359-AB1A-5CC9A8F564A2}.exe

Filesize
89KB

MD5
e4aa60f5dcf996530b87d14863ffa96b

SHA1
f19a2d0f7f9146bdcbd090cff6f20065cc23ffc4

SHA256
1f4355b2308eba1700f4252bda7b7336cfb02996f841de7dfd4047056925eeb3

SHA512
82722eafb327e00f1714bc94b377c143bbd596b5cde19f0f7cf1088fdf12b29ab89725ecdde232380d95da94e8f99f0a5c56fed39abb9a9db0641b4240fc10f3

Download Submit
C:\Windows\{E06C77A8-EDF8-41e9-B001-1BE27ED4E815}.exe

Filesize
89KB

MD5
12967142c1f6f4da90396598745161f4

SHA1
9ef1e288d96239477e863e048a73caae7c51f4b5

SHA256
ae8e06b8b26c5b2997fd534c94c45d17f476106db7216fcd7d933729b332dc3b

SHA512
77811338faee10cf61e316e3b1030bfb75f7000ef795c0bfe959979f452aac3aafa953b5d2b93e44ec5c122aa4a38e6b79af34c599182b1911f57aaa2dca30d9

Download Submit
C:\Windows\{E352BEC2-E04C-40c7-9BBC-4259FE70ABA6}.exe

Filesize
89KB

MD5
2f8d098e8dc4affce7c855c68cc4bdc7

SHA1
d5d62ba0808d78d83bfe87d616fc998d79d4c843

SHA256
508af7ea9d750aeceabc1625e69ed1c9eec49d44ed1edd418ebc909a031858a8

SHA512
d69608d26b134187fdb559c10baa76958cae21281e7ce5dd56c13e5360cd79fb7f0871ebfc7eead91970061cce83e47cf8cffc9917cbba430dcfad6b75079bc2

Download Submit
C:\Windows\{ED2E4D65-F5B6-4c35-8D5B-E972A17F9C51}.exe

Filesize
89KB

MD5
009ffdfa302388ec77550abc60673420

SHA1
226971bf11a4fcb46060f3012f7defc700a3b9aa

SHA256
53731e8d0bf609ea09c4197310461000b88d3744646ee29dd769c7ce5cc68ed9

SHA512
ef58c316398978a4c53f9e4cbcfa9184f7fbcb1d77071d6da89a1f5f1d86ab54c94b915bb350493bb9e9a5afc2b115b711f69bda7bc8dad58ad598131e1119d8

Download Submit
C:\Windows\{F789F33B-FBE8-4a9b-B4A9-C8A09F5B37F5}.exe

Filesize
89KB

MD5
36062b9b1fcf692dde47cbca344019d3

SHA1
dcc4397abc83c4029c18503a6056a6f6756847a9

SHA256
7e357df7ef9ab5df33b305dabe2fd791c2f7624acbac006212873eb11be28652

SHA512
112cc437d81995a346f35cff6ff31f730d3834608eecf080ede40237d32a80154423b9aae256adac2dbb8332fabb408006e98de0c2ebdb0ff5c1be617b12b5f7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads