5e0ba73ebf737dc5348dab84a9ef0b1b6ec5f2a5d9a4f88dd54939d4c01118a9

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e0ba73ebf737dc5348dab84a9ef0b1b6ec5f2a5d9a4f88dd54939d4c01118a9_NeikiAnalytics.exe
Size

88KB
MD5

c1a7bb163f7188fa0ad05de0a0ba4700
SHA1

c3e8d865d8390780e04528015181056561ac168d
SHA256

5e0ba73ebf737dc5348dab84a9ef0b1b6ec5f2a5d9a4f88dd54939d4c01118a9
SHA512

09cf46146a07506dfd05162377b03ed79cb5ae53c71c98a0dd8c4a7bc3c37489c2683b11cdd66373d42c57b289004450a82320cf324f4da27a47b338faa4ef43
SSDEEP

768:uvw981E9hKQLroI4/wQDNrfrunMxVFA3r:aEGJ0oIlYunMxVS3r

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DFC3007-0356-4ce8-9BB1-1016E11C9261}	{CD75196A-8F7F-4d47-96F3-1D1D2B624364}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{897E82AA-D1AE-4e88-A802-3BB7CE96FC69}\stubpath = "C:\\Windows\\{897E82AA-D1AE-4e88-A802-3BB7CE96FC69}.exe"	{D7853564-D1C4-4e57-AD88-168D994A92B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFA34C4A-AA39-4212-A611-F3D63456428F}\stubpath = "C:\\Windows\\{EFA34C4A-AA39-4212-A611-F3D63456428F}.exe"	{897E82AA-D1AE-4e88-A802-3BB7CE96FC69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55FC347E-3A98-4af5-9E8D-FEECD5ECB418}	{434E34D8-376A-4c57-9D33-F33AFAE9CCC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1471E70-EC86-48eb-BAAD-051AC83237E1}	{017D428B-81A8-43e6-B9A1-E02099637789}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE58640E-D306-40a9-A11B-64047DA6CFF8}	{B1471E70-EC86-48eb-BAAD-051AC83237E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD75196A-8F7F-4d47-96F3-1D1D2B624364}\stubpath = "C:\\Windows\\{CD75196A-8F7F-4d47-96F3-1D1D2B624364}.exe"	5e0ba73ebf737dc5348dab84a9ef0b1b6ec5f2a5d9a4f88dd54939d4c01118a9_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E9471A5-B3A1-4287-B6A3-41044265C369}\stubpath = "C:\\Windows\\{5E9471A5-B3A1-4287-B6A3-41044265C369}.exe"	{EFA34C4A-AA39-4212-A611-F3D63456428F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E66866E-440F-4e5d-9C3E-394BA2715DE6}	{5E9471A5-B3A1-4287-B6A3-41044265C369}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{434E34D8-376A-4c57-9D33-F33AFAE9CCC9}	{2E66866E-440F-4e5d-9C3E-394BA2715DE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{017D428B-81A8-43e6-B9A1-E02099637789}\stubpath = "C:\\Windows\\{017D428B-81A8-43e6-B9A1-E02099637789}.exe"	{55FC347E-3A98-4af5-9E8D-FEECD5ECB418}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1471E70-EC86-48eb-BAAD-051AC83237E1}\stubpath = "C:\\Windows\\{B1471E70-EC86-48eb-BAAD-051AC83237E1}.exe"	{017D428B-81A8-43e6-B9A1-E02099637789}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7853564-D1C4-4e57-AD88-168D994A92B2}	{3DFC3007-0356-4ce8-9BB1-1016E11C9261}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{897E82AA-D1AE-4e88-A802-3BB7CE96FC69}	{D7853564-D1C4-4e57-AD88-168D994A92B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E9471A5-B3A1-4287-B6A3-41044265C369}	{EFA34C4A-AA39-4212-A611-F3D63456428F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{434E34D8-376A-4c57-9D33-F33AFAE9CCC9}\stubpath = "C:\\Windows\\{434E34D8-376A-4c57-9D33-F33AFAE9CCC9}.exe"	{2E66866E-440F-4e5d-9C3E-394BA2715DE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55FC347E-3A98-4af5-9E8D-FEECD5ECB418}\stubpath = "C:\\Windows\\{55FC347E-3A98-4af5-9E8D-FEECD5ECB418}.exe"	{434E34D8-376A-4c57-9D33-F33AFAE9CCC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE58640E-D306-40a9-A11B-64047DA6CFF8}\stubpath = "C:\\Windows\\{EE58640E-D306-40a9-A11B-64047DA6CFF8}.exe"	{B1471E70-EC86-48eb-BAAD-051AC83237E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD75196A-8F7F-4d47-96F3-1D1D2B624364}	5e0ba73ebf737dc5348dab84a9ef0b1b6ec5f2a5d9a4f88dd54939d4c01118a9_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DFC3007-0356-4ce8-9BB1-1016E11C9261}\stubpath = "C:\\Windows\\{3DFC3007-0356-4ce8-9BB1-1016E11C9261}.exe"	{CD75196A-8F7F-4d47-96F3-1D1D2B624364}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7853564-D1C4-4e57-AD88-168D994A92B2}\stubpath = "C:\\Windows\\{D7853564-D1C4-4e57-AD88-168D994A92B2}.exe"	{3DFC3007-0356-4ce8-9BB1-1016E11C9261}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFA34C4A-AA39-4212-A611-F3D63456428F}	{897E82AA-D1AE-4e88-A802-3BB7CE96FC69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E66866E-440F-4e5d-9C3E-394BA2715DE6}\stubpath = "C:\\Windows\\{2E66866E-440F-4e5d-9C3E-394BA2715DE6}.exe"	{5E9471A5-B3A1-4287-B6A3-41044265C369}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{017D428B-81A8-43e6-B9A1-E02099637789}	{55FC347E-3A98-4af5-9E8D-FEECD5ECB418}.exe

Executes dropped EXE 12 IoCs

pid	Process
4492	{CD75196A-8F7F-4d47-96F3-1D1D2B624364}.exe
4032	{3DFC3007-0356-4ce8-9BB1-1016E11C9261}.exe
1620	{D7853564-D1C4-4e57-AD88-168D994A92B2}.exe
1964	{897E82AA-D1AE-4e88-A802-3BB7CE96FC69}.exe
2156	{EFA34C4A-AA39-4212-A611-F3D63456428F}.exe
740	{5E9471A5-B3A1-4287-B6A3-41044265C369}.exe
3212	{2E66866E-440F-4e5d-9C3E-394BA2715DE6}.exe
2344	{434E34D8-376A-4c57-9D33-F33AFAE9CCC9}.exe
3928	{55FC347E-3A98-4af5-9E8D-FEECD5ECB418}.exe
3580	{017D428B-81A8-43e6-B9A1-E02099637789}.exe
412	{B1471E70-EC86-48eb-BAAD-051AC83237E1}.exe
4572	{EE58640E-D306-40a9-A11B-64047DA6CFF8}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{017D428B-81A8-43e6-B9A1-E02099637789}.exe	{55FC347E-3A98-4af5-9E8D-FEECD5ECB418}.exe
File created	C:\Windows\{B1471E70-EC86-48eb-BAAD-051AC83237E1}.exe	{017D428B-81A8-43e6-B9A1-E02099637789}.exe
File created	C:\Windows\{CD75196A-8F7F-4d47-96F3-1D1D2B624364}.exe	5e0ba73ebf737dc5348dab84a9ef0b1b6ec5f2a5d9a4f88dd54939d4c01118a9_NeikiAnalytics.exe
File created	C:\Windows\{D7853564-D1C4-4e57-AD88-168D994A92B2}.exe	{3DFC3007-0356-4ce8-9BB1-1016E11C9261}.exe
File created	C:\Windows\{5E9471A5-B3A1-4287-B6A3-41044265C369}.exe	{EFA34C4A-AA39-4212-A611-F3D63456428F}.exe
File created	C:\Windows\{434E34D8-376A-4c57-9D33-F33AFAE9CCC9}.exe	{2E66866E-440F-4e5d-9C3E-394BA2715DE6}.exe
File created	C:\Windows\{55FC347E-3A98-4af5-9E8D-FEECD5ECB418}.exe	{434E34D8-376A-4c57-9D33-F33AFAE9CCC9}.exe
File created	C:\Windows\{EE58640E-D306-40a9-A11B-64047DA6CFF8}.exe	{B1471E70-EC86-48eb-BAAD-051AC83237E1}.exe
File created	C:\Windows\{3DFC3007-0356-4ce8-9BB1-1016E11C9261}.exe	{CD75196A-8F7F-4d47-96F3-1D1D2B624364}.exe
File created	C:\Windows\{897E82AA-D1AE-4e88-A802-3BB7CE96FC69}.exe	{D7853564-D1C4-4e57-AD88-168D994A92B2}.exe
File created	C:\Windows\{EFA34C4A-AA39-4212-A611-F3D63456428F}.exe	{897E82AA-D1AE-4e88-A802-3BB7CE96FC69}.exe
File created	C:\Windows\{2E66866E-440F-4e5d-9C3E-394BA2715DE6}.exe	{5E9471A5-B3A1-4287-B6A3-41044265C369}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3476	5e0ba73ebf737dc5348dab84a9ef0b1b6ec5f2a5d9a4f88dd54939d4c01118a9_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	4492	{CD75196A-8F7F-4d47-96F3-1D1D2B624364}.exe
Token: SeIncBasePriorityPrivilege	4032	{3DFC3007-0356-4ce8-9BB1-1016E11C9261}.exe
Token: SeIncBasePriorityPrivilege	1620	{D7853564-D1C4-4e57-AD88-168D994A92B2}.exe
Token: SeIncBasePriorityPrivilege	1964	{897E82AA-D1AE-4e88-A802-3BB7CE96FC69}.exe
Token: SeIncBasePriorityPrivilege	2156	{EFA34C4A-AA39-4212-A611-F3D63456428F}.exe
Token: SeIncBasePriorityPrivilege	740	{5E9471A5-B3A1-4287-B6A3-41044265C369}.exe
Token: SeIncBasePriorityPrivilege	3212	{2E66866E-440F-4e5d-9C3E-394BA2715DE6}.exe
Token: SeIncBasePriorityPrivilege	2344	{434E34D8-376A-4c57-9D33-F33AFAE9CCC9}.exe
Token: SeIncBasePriorityPrivilege	3928	{55FC347E-3A98-4af5-9E8D-FEECD5ECB418}.exe
Token: SeIncBasePriorityPrivilege	3580	{017D428B-81A8-43e6-B9A1-E02099637789}.exe
Token: SeIncBasePriorityPrivilege	412	{B1471E70-EC86-48eb-BAAD-051AC83237E1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3476 wrote to memory of 4492	3476	5e0ba73ebf737dc5348dab84a9ef0b1b6ec5f2a5d9a4f88dd54939d4c01118a9_NeikiAnalytics.exe	92
PID 3476 wrote to memory of 4492	3476	5e0ba73ebf737dc5348dab84a9ef0b1b6ec5f2a5d9a4f88dd54939d4c01118a9_NeikiAnalytics.exe	92
PID 3476 wrote to memory of 4492	3476	5e0ba73ebf737dc5348dab84a9ef0b1b6ec5f2a5d9a4f88dd54939d4c01118a9_NeikiAnalytics.exe	92
PID 3476 wrote to memory of 3312	3476	5e0ba73ebf737dc5348dab84a9ef0b1b6ec5f2a5d9a4f88dd54939d4c01118a9_NeikiAnalytics.exe	93
PID 3476 wrote to memory of 3312	3476	5e0ba73ebf737dc5348dab84a9ef0b1b6ec5f2a5d9a4f88dd54939d4c01118a9_NeikiAnalytics.exe	93
PID 3476 wrote to memory of 3312	3476	5e0ba73ebf737dc5348dab84a9ef0b1b6ec5f2a5d9a4f88dd54939d4c01118a9_NeikiAnalytics.exe	93
PID 4492 wrote to memory of 4032	4492	{CD75196A-8F7F-4d47-96F3-1D1D2B624364}.exe	94
PID 4492 wrote to memory of 4032	4492	{CD75196A-8F7F-4d47-96F3-1D1D2B624364}.exe	94
PID 4492 wrote to memory of 4032	4492	{CD75196A-8F7F-4d47-96F3-1D1D2B624364}.exe	94
PID 4492 wrote to memory of 1212	4492	{CD75196A-8F7F-4d47-96F3-1D1D2B624364}.exe	95
PID 4492 wrote to memory of 1212	4492	{CD75196A-8F7F-4d47-96F3-1D1D2B624364}.exe	95
PID 4492 wrote to memory of 1212	4492	{CD75196A-8F7F-4d47-96F3-1D1D2B624364}.exe	95
PID 4032 wrote to memory of 1620	4032	{3DFC3007-0356-4ce8-9BB1-1016E11C9261}.exe	99
PID 4032 wrote to memory of 1620	4032	{3DFC3007-0356-4ce8-9BB1-1016E11C9261}.exe	99
PID 4032 wrote to memory of 1620	4032	{3DFC3007-0356-4ce8-9BB1-1016E11C9261}.exe	99
PID 4032 wrote to memory of 5060	4032	{3DFC3007-0356-4ce8-9BB1-1016E11C9261}.exe	100
PID 4032 wrote to memory of 5060	4032	{3DFC3007-0356-4ce8-9BB1-1016E11C9261}.exe	100
PID 4032 wrote to memory of 5060	4032	{3DFC3007-0356-4ce8-9BB1-1016E11C9261}.exe	100
PID 1620 wrote to memory of 1964	1620	{D7853564-D1C4-4e57-AD88-168D994A92B2}.exe	101
PID 1620 wrote to memory of 1964	1620	{D7853564-D1C4-4e57-AD88-168D994A92B2}.exe	101
PID 1620 wrote to memory of 1964	1620	{D7853564-D1C4-4e57-AD88-168D994A92B2}.exe	101
PID 1620 wrote to memory of 3716	1620	{D7853564-D1C4-4e57-AD88-168D994A92B2}.exe	102
PID 1620 wrote to memory of 3716	1620	{D7853564-D1C4-4e57-AD88-168D994A92B2}.exe	102
PID 1620 wrote to memory of 3716	1620	{D7853564-D1C4-4e57-AD88-168D994A92B2}.exe	102
PID 1964 wrote to memory of 2156	1964	{897E82AA-D1AE-4e88-A802-3BB7CE96FC69}.exe	103
PID 1964 wrote to memory of 2156	1964	{897E82AA-D1AE-4e88-A802-3BB7CE96FC69}.exe	103
PID 1964 wrote to memory of 2156	1964	{897E82AA-D1AE-4e88-A802-3BB7CE96FC69}.exe	103
PID 1964 wrote to memory of 2252	1964	{897E82AA-D1AE-4e88-A802-3BB7CE96FC69}.exe	104
PID 1964 wrote to memory of 2252	1964	{897E82AA-D1AE-4e88-A802-3BB7CE96FC69}.exe	104
PID 1964 wrote to memory of 2252	1964	{897E82AA-D1AE-4e88-A802-3BB7CE96FC69}.exe	104
PID 2156 wrote to memory of 740	2156	{EFA34C4A-AA39-4212-A611-F3D63456428F}.exe	106
PID 2156 wrote to memory of 740	2156	{EFA34C4A-AA39-4212-A611-F3D63456428F}.exe	106
PID 2156 wrote to memory of 740	2156	{EFA34C4A-AA39-4212-A611-F3D63456428F}.exe	106
PID 2156 wrote to memory of 4568	2156	{EFA34C4A-AA39-4212-A611-F3D63456428F}.exe	107
PID 2156 wrote to memory of 4568	2156	{EFA34C4A-AA39-4212-A611-F3D63456428F}.exe	107
PID 2156 wrote to memory of 4568	2156	{EFA34C4A-AA39-4212-A611-F3D63456428F}.exe	107
PID 740 wrote to memory of 3212	740	{5E9471A5-B3A1-4287-B6A3-41044265C369}.exe	108
PID 740 wrote to memory of 3212	740	{5E9471A5-B3A1-4287-B6A3-41044265C369}.exe	108
PID 740 wrote to memory of 3212	740	{5E9471A5-B3A1-4287-B6A3-41044265C369}.exe	108
PID 740 wrote to memory of 3568	740	{5E9471A5-B3A1-4287-B6A3-41044265C369}.exe	109
PID 740 wrote to memory of 3568	740	{5E9471A5-B3A1-4287-B6A3-41044265C369}.exe	109
PID 740 wrote to memory of 3568	740	{5E9471A5-B3A1-4287-B6A3-41044265C369}.exe	109
PID 3212 wrote to memory of 2344	3212	{2E66866E-440F-4e5d-9C3E-394BA2715DE6}.exe	115
PID 3212 wrote to memory of 2344	3212	{2E66866E-440F-4e5d-9C3E-394BA2715DE6}.exe	115
PID 3212 wrote to memory of 2344	3212	{2E66866E-440F-4e5d-9C3E-394BA2715DE6}.exe	115
PID 3212 wrote to memory of 3828	3212	{2E66866E-440F-4e5d-9C3E-394BA2715DE6}.exe	116
PID 3212 wrote to memory of 3828	3212	{2E66866E-440F-4e5d-9C3E-394BA2715DE6}.exe	116
PID 3212 wrote to memory of 3828	3212	{2E66866E-440F-4e5d-9C3E-394BA2715DE6}.exe	116
PID 2344 wrote to memory of 3928	2344	{434E34D8-376A-4c57-9D33-F33AFAE9CCC9}.exe	119
PID 2344 wrote to memory of 3928	2344	{434E34D8-376A-4c57-9D33-F33AFAE9CCC9}.exe	119
PID 2344 wrote to memory of 3928	2344	{434E34D8-376A-4c57-9D33-F33AFAE9CCC9}.exe	119
PID 2344 wrote to memory of 2188	2344	{434E34D8-376A-4c57-9D33-F33AFAE9CCC9}.exe	120
PID 2344 wrote to memory of 2188	2344	{434E34D8-376A-4c57-9D33-F33AFAE9CCC9}.exe	120
PID 2344 wrote to memory of 2188	2344	{434E34D8-376A-4c57-9D33-F33AFAE9CCC9}.exe	120
PID 3928 wrote to memory of 3580	3928	{55FC347E-3A98-4af5-9E8D-FEECD5ECB418}.exe	121
PID 3928 wrote to memory of 3580	3928	{55FC347E-3A98-4af5-9E8D-FEECD5ECB418}.exe	121
PID 3928 wrote to memory of 3580	3928	{55FC347E-3A98-4af5-9E8D-FEECD5ECB418}.exe	121
PID 3928 wrote to memory of 3832	3928	{55FC347E-3A98-4af5-9E8D-FEECD5ECB418}.exe	122
PID 3928 wrote to memory of 3832	3928	{55FC347E-3A98-4af5-9E8D-FEECD5ECB418}.exe	122
PID 3928 wrote to memory of 3832	3928	{55FC347E-3A98-4af5-9E8D-FEECD5ECB418}.exe	122
PID 3580 wrote to memory of 412	3580	{017D428B-81A8-43e6-B9A1-E02099637789}.exe	123
PID 3580 wrote to memory of 412	3580	{017D428B-81A8-43e6-B9A1-E02099637789}.exe	123
PID 3580 wrote to memory of 412	3580	{017D428B-81A8-43e6-B9A1-E02099637789}.exe	123
PID 3580 wrote to memory of 3196	3580	{017D428B-81A8-43e6-B9A1-E02099637789}.exe	124

C:\Users\Admin\AppData\Local\Temp\5e0ba73ebf737dc5348dab84a9ef0b1b6ec5f2a5d9a4f88dd54939d4c01118a9_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5e0ba73ebf737dc5348dab84a9ef0b1b6ec5f2a5d9a4f88dd54939d4c01118a9_NeikiAnalytics.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Windows\{CD75196A-8F7F-4d47-96F3-1D1D2B624364}.exe
  C:\Windows\{CD75196A-8F7F-4d47-96F3-1D1D2B624364}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Windows\{3DFC3007-0356-4ce8-9BB1-1016E11C9261}.exe
    C:\Windows\{3DFC3007-0356-4ce8-9BB1-1016E11C9261}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4032
  - - C:\Windows\{D7853564-D1C4-4e57-AD88-168D994A92B2}.exe
      C:\Windows\{D7853564-D1C4-4e57-AD88-168D994A92B2}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1620
    - - C:\Windows\{897E82AA-D1AE-4e88-A802-3BB7CE96FC69}.exe
        
        C:\Windows\{897E82AA-D1AE-4e88-A802-3BB7CE96FC69}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1964
      - C:\Windows\{EFA34C4A-AA39-4212-A611-F3D63456428F}.exe
        
        C:\Windows\{EFA34C4A-AA39-4212-A611-F3D63456428F}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\{5E9471A5-B3A1-4287-B6A3-41044265C369}.exe
        
        C:\Windows\{5E9471A5-B3A1-4287-B6A3-41044265C369}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\{2E66866E-440F-4e5d-9C3E-394BA2715DE6}.exe
        
        C:\Windows\{2E66866E-440F-4e5d-9C3E-394BA2715DE6}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\{434E34D8-376A-4c57-9D33-F33AFAE9CCC9}.exe
        
        C:\Windows\{434E34D8-376A-4c57-9D33-F33AFAE9CCC9}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\{55FC347E-3A98-4af5-9E8D-FEECD5ECB418}.exe
        
        C:\Windows\{55FC347E-3A98-4af5-9E8D-FEECD5ECB418}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\{017D428B-81A8-43e6-B9A1-E02099637789}.exe
        
        C:\Windows\{017D428B-81A8-43e6-B9A1-E02099637789}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\{B1471E70-EC86-48eb-BAAD-051AC83237E1}.exe
        
        C:\Windows\{B1471E70-EC86-48eb-BAAD-051AC83237E1}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:412
        
        C:\Windows\{EE58640E-D306-40a9-A11B-64047DA6CFF8}.exe
        
        C:\Windows\{EE58640E-D306-40a9-A11B-64047DA6CFF8}.exe
        13⤵
        Executes dropped EXE
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1471~1.EXE > nul
        13⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{017D4~1.EXE > nul
        12⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55FC3~1.EXE > nul
        11⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{434E3~1.EXE > nul
        10⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E668~1.EXE > nul
        9⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E947~1.EXE > nul
        8⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EFA34~1.EXE > nul
        7⤵
        
        PID:4568
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{897E8~1.EXE > nul
        6⤵
        
        PID:2252
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7853~1.EXE > nul
        5⤵
        
        PID:3716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3DFC3~1.EXE > nul
      4⤵
      PID:5060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CD751~1.EXE > nul
    3⤵
    PID:1212
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\5E0BA7~1.EXE > nul
  2⤵
  PID:3312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{017D428B-81A8-43e6-B9A1-E02099637789}.exe

Filesize
88KB

MD5
f831673f04d7bd3f332a0b8f706dbf98

SHA1
91fe12415bd664122fac63f3c8825a6192da9aff

SHA256
98e0ccde073d2a5078448aac53cf526f7db6ea4f2b368a6336610135879e9963

SHA512
be2b94610b9fe63036f96a2e432e1c35b13f5d91f469b5b0684312078dfad0690471f48d7328b3ae908be18707d34558a29030ccd6057c27b2fab11a8e7121ed

Download Submit
C:\Windows\{2E66866E-440F-4e5d-9C3E-394BA2715DE6}.exe

Filesize
88KB

MD5
e5998c5297ad796f1ce7aee062292bf8

SHA1
10157af555631bdd1bad8194003432e3bc594e2d

SHA256
25954e7c46775a514a6fc937beaf35e8a7db4eefa854e2f749445f281361fb0c

SHA512
364834f9d63d88259c64af4e78f3c514b7bf4a45f7e5ab162b2623c4ff976d17e9286708435adc7082bb7bff02f620a4a5fc0811ad3c4487d4b7bd9d43d76ddb

Download Submit
C:\Windows\{3DFC3007-0356-4ce8-9BB1-1016E11C9261}.exe

Filesize
88KB

MD5
7c35e49db042a5e4b42826da924a87be

SHA1
670b5d37f34e52ae4fa9a3f687aaf46a3d0d95cf

SHA256
9626eb7c1cfa64b051f4b0a9f87a37aea7ff8265a07681067cb9d8c607cc8871

SHA512
e1e3ad78127fc80879d96220ae6cb89986cc19fc67a6d2414798ad324bc847f9de61f3b807bc30b1fd00d8e42b464a644842ccaee0893cc5c32d6e496700e44c

Download Submit
C:\Windows\{434E34D8-376A-4c57-9D33-F33AFAE9CCC9}.exe

Filesize
88KB

MD5
ce248132b88a17dee66981c385544ba2

SHA1
e2aa9c4a627c50e25a419f9a67aca1e2802750a4

SHA256
763d9f782f58df602cc267d755a08a5b2867b8360a6599611cce5fa786cde005

SHA512
8e41338bbce511b4b758777272e935e214df3031e530c454c2299255af49a4bb1275110dc433d7d65afe021b46c09163a788c3f02b30a2e6e5f77123cc47d1f5

Download Submit
C:\Windows\{55FC347E-3A98-4af5-9E8D-FEECD5ECB418}.exe

Filesize
88KB

MD5
7ce9c08df899a94b7e1ef02cfcb212d9

SHA1
198d8a1918773f149d6e696893edaef2b251897a

SHA256
c713da3fd3f87d1153666d8dd52a6ff6b78db59ceb65fd1ca4cad902f96c9040

SHA512
4d7699965d11a153b89673682fc883da6293db702a0ad7c2077cb636a9218d394b9fe4fffc235bd9a4c4c2455e224f5418d599580061c3623f9f5e7a0b2c6b9b

Download Submit
C:\Windows\{5E9471A5-B3A1-4287-B6A3-41044265C369}.exe

Filesize
88KB

MD5
8edbd152bfc4a19d40be1e67b1af1d92

SHA1
5e869e5af1e7becf684428d3dd0e3fa7ff1a99e4

SHA256
1bfa5bfde99f441257b00f661b600128f9945a77a113390a40152de7cb9cc4e2

SHA512
ed655d57a99c42c0a4483f2c0ad9809d35dba641d4f7ca017edb2c1dd67d5a809f80f516dd28c6b5fd09460e7ac59e5b3ccdb3b443581d9c3ce306237538e64d

Download Submit
C:\Windows\{897E82AA-D1AE-4e88-A802-3BB7CE96FC69}.exe

Filesize
88KB

MD5
5cca448ca7fee3d2a2a492620531a1e3

SHA1
5a58583475832cb44405251cb09e280913ca381b

SHA256
087f07f0f0ffd9f4deb2175bae94bd3f2a777af98fdf8788466c577fb1ea3ad5

SHA512
a00941e974d3eba24abaec1b50f9ccafe2c479336e763f05f90ce3463a486f126c474d3159030a9c235d5093da2b26267d4b2fd8c06fecc0354405b54935b096

Download Submit
C:\Windows\{B1471E70-EC86-48eb-BAAD-051AC83237E1}.exe

Filesize
88KB

MD5
ff62799fbec9050ff301671a20f4cb5c

SHA1
7fc2a85da3463a9681a4d11ddbe5216576baadd5

SHA256
2bbcdb85edaf871c20a3d4ca60c4d974bead6a8a2f83f17fe0a8861eb181f3b8

SHA512
be93c02c2efa0e8c8cd8fb3317bdcff47f811546b4000db4da1989f3983431b21e98c7408711cc113acd382345994bd6c459800b9dd6a7cb15ee036797da24c8

Download Submit
C:\Windows\{CD75196A-8F7F-4d47-96F3-1D1D2B624364}.exe

Filesize
88KB

MD5
787c7c8932945101769ed0be8237d09d

SHA1
1c4b19b58783ea5bba5055fdc71657a050cbccf0

SHA256
9daa76bac0be40ef02c020336155f126d493d895baca33e89be09b1d730b4d2a

SHA512
3d2a2decc0c0a9f4c86640805701ec3bd0cb3caf238837139b352784d5e6573dfdcf0e207d91c7952a2aaee264ddb51a1ff85ab3b9b0543c9908c60bf28db292

Download Submit
C:\Windows\{D7853564-D1C4-4e57-AD88-168D994A92B2}.exe

Filesize
88KB

MD5
9c27af6408d6c94380cc81505dcf395f

SHA1
6de4080d3100aad89fd873533b902650f5a5aede

SHA256
8d104fcdbd207b01b90451b46db76d4dbba3fb6dc39f40a21e1bb1109fe81571

SHA512
194a7cb35dd56b0e03fe24868e473029c7a4f7f3246a4f5e9ccaf621e8d6b91faf9dff46a4c087ce01f51ac7721c59ee29522fd0343abc5d2194544972af78ef

Download Submit
C:\Windows\{EE58640E-D306-40a9-A11B-64047DA6CFF8}.exe

Filesize
88KB

MD5
f5be95402cf39a12fffe55e26cf8743c

SHA1
5d5f3013732591d27c803e565594da9ad9cdfdd0

SHA256
0f5c8b1662c45953468fe4e53c50e31477cfe3b14af0019e21082a15942e370e

SHA512
9d70847efccd0ba0a6ff7159b5c9b1756acea5ac8950750c1b47d144b3cbd9235cb18d842cd18c95232f94c564bd9157d2b54b5b06768a364213656b460fcf6e

Download Submit
C:\Windows\{EFA34C4A-AA39-4212-A611-F3D63456428F}.exe

Filesize
88KB

MD5
7ebe85f78373826c36200b958fc84023

SHA1
ca827aa122dc0a56600d67e0ab5d3d63521aec2e

SHA256
6d06b37527a6acbe79d54464f3b0b0f1279033bafa7d298d00997d602edc4bcf

SHA512
8a020b24b4f890d50e25ed053a6f1882ce6b6150f18eb6a296ddf92cba671f7f5f6d551a0b0e43137a699e7145c050529e8ea383e51fe481804a51d2cdee316d

Download Submit
memory/412-69-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/412-64-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/740-39-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/740-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1620-22-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1620-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1964-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2156-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2156-33-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2344-51-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2344-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3212-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3212-45-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3476-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3476-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3580-59-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3580-63-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3928-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3928-57-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4032-16-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4032-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4492-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4492-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4572-71-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads