6e31bc7fedc3f19d60534c07bb5cd0d28f3f6be195cc672d2f5d03af0a6369cc

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e31bc7fedc3f19d60534c07bb5cd0d28f3f6be195cc672d2f5d03af0a6369cc_NeikiAnalytics.exe
Size

88KB
MD5

0cbe4fbed78b8d8194dfb208d4f48c40
SHA1

d2ebac37d9e2750a0e44c4029dd80b63cb89f973
SHA256

6e31bc7fedc3f19d60534c07bb5cd0d28f3f6be195cc672d2f5d03af0a6369cc
SHA512

63a4e34fdf8dfbf695be57a023063b96617f79589909f48b79412bd16ace9216c6e643045d71131e1fc7ce85c54260457fc76d3b0dba1447ae4027981ffc127c
SSDEEP

768:Qvw9816vhKQLrob4/wQRNrfrunMxVFA3b7gln:YEGh0obl2unMxVS3Hg1

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F881540-5C1C-478f-A1F4-612EC11E0420}	{C62ED9ED-F94C-43b2-BD26-1BC0BF97D67C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7F881540-5C1C-478f-A1F4-612EC11E0420}\stubpath = "C:\\Windows\\{7F881540-5C1C-478f-A1F4-612EC11E0420}.exe"	{C62ED9ED-F94C-43b2-BD26-1BC0BF97D67C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CF5FD3A-30C7-486d-B362-B679A41445F5}\stubpath = "C:\\Windows\\{9CF5FD3A-30C7-486d-B362-B679A41445F5}.exe"	{488080BF-298F-4e25-90BD-FDC7CB5E8F5D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DA7B452-9275-4394-9F0B-5764F51B4F1D}	{44A16E3B-0922-454f-BE47-70603E932B6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08D9B52F-156A-4e64-80BD-DF960977E8BC}	{B46139EA-B6F8-4bce-BCB3-A371046176F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08D9B52F-156A-4e64-80BD-DF960977E8BC}\stubpath = "C:\\Windows\\{08D9B52F-156A-4e64-80BD-DF960977E8BC}.exe"	{B46139EA-B6F8-4bce-BCB3-A371046176F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44A16E3B-0922-454f-BE47-70603E932B6C}	{452ABED4-9423-4908-81B1-726D95D431EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5314BDED-DDF9-4c61-AF1B-93837E411B69}	{F6C0BE9D-7289-4c5d-B22A-B99330D0B1AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B46139EA-B6F8-4bce-BCB3-A371046176F3}	6e31bc7fedc3f19d60534c07bb5cd0d28f3f6be195cc672d2f5d03af0a6369cc_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B46139EA-B6F8-4bce-BCB3-A371046176F3}\stubpath = "C:\\Windows\\{B46139EA-B6F8-4bce-BCB3-A371046176F3}.exe"	6e31bc7fedc3f19d60534c07bb5cd0d28f3f6be195cc672d2f5d03af0a6369cc_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C62ED9ED-F94C-43b2-BD26-1BC0BF97D67C}	{08D9B52F-156A-4e64-80BD-DF960977E8BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C62ED9ED-F94C-43b2-BD26-1BC0BF97D67C}\stubpath = "C:\\Windows\\{C62ED9ED-F94C-43b2-BD26-1BC0BF97D67C}.exe"	{08D9B52F-156A-4e64-80BD-DF960977E8BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{488080BF-298F-4e25-90BD-FDC7CB5E8F5D}	{7F881540-5C1C-478f-A1F4-612EC11E0420}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{452ABED4-9423-4908-81B1-726D95D431EB}	{9CF5FD3A-30C7-486d-B362-B679A41445F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44A16E3B-0922-454f-BE47-70603E932B6C}\stubpath = "C:\\Windows\\{44A16E3B-0922-454f-BE47-70603E932B6C}.exe"	{452ABED4-9423-4908-81B1-726D95D431EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DA7B452-9275-4394-9F0B-5764F51B4F1D}\stubpath = "C:\\Windows\\{8DA7B452-9275-4394-9F0B-5764F51B4F1D}.exe"	{44A16E3B-0922-454f-BE47-70603E932B6C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6C0BE9D-7289-4c5d-B22A-B99330D0B1AB}\stubpath = "C:\\Windows\\{F6C0BE9D-7289-4c5d-B22A-B99330D0B1AB}.exe"	{8DA7B452-9275-4394-9F0B-5764F51B4F1D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5314BDED-DDF9-4c61-AF1B-93837E411B69}\stubpath = "C:\\Windows\\{5314BDED-DDF9-4c61-AF1B-93837E411B69}.exe"	{F6C0BE9D-7289-4c5d-B22A-B99330D0B1AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{488080BF-298F-4e25-90BD-FDC7CB5E8F5D}\stubpath = "C:\\Windows\\{488080BF-298F-4e25-90BD-FDC7CB5E8F5D}.exe"	{7F881540-5C1C-478f-A1F4-612EC11E0420}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CF5FD3A-30C7-486d-B362-B679A41445F5}	{488080BF-298F-4e25-90BD-FDC7CB5E8F5D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{452ABED4-9423-4908-81B1-726D95D431EB}\stubpath = "C:\\Windows\\{452ABED4-9423-4908-81B1-726D95D431EB}.exe"	{9CF5FD3A-30C7-486d-B362-B679A41445F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6C0BE9D-7289-4c5d-B22A-B99330D0B1AB}	{8DA7B452-9275-4394-9F0B-5764F51B4F1D}.exe

Deletes itself 1 IoCs

pid	Process
2380	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2728	{B46139EA-B6F8-4bce-BCB3-A371046176F3}.exe
2764	{08D9B52F-156A-4e64-80BD-DF960977E8BC}.exe
2576	{C62ED9ED-F94C-43b2-BD26-1BC0BF97D67C}.exe
2112	{7F881540-5C1C-478f-A1F4-612EC11E0420}.exe
2960	{488080BF-298F-4e25-90BD-FDC7CB5E8F5D}.exe
2800	{9CF5FD3A-30C7-486d-B362-B679A41445F5}.exe
2356	{452ABED4-9423-4908-81B1-726D95D431EB}.exe
2864	{44A16E3B-0922-454f-BE47-70603E932B6C}.exe
2500	{8DA7B452-9275-4394-9F0B-5764F51B4F1D}.exe
2364	{F6C0BE9D-7289-4c5d-B22A-B99330D0B1AB}.exe
1068	{5314BDED-DDF9-4c61-AF1B-93837E411B69}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C62ED9ED-F94C-43b2-BD26-1BC0BF97D67C}.exe	{08D9B52F-156A-4e64-80BD-DF960977E8BC}.exe
File created	C:\Windows\{7F881540-5C1C-478f-A1F4-612EC11E0420}.exe	{C62ED9ED-F94C-43b2-BD26-1BC0BF97D67C}.exe
File created	C:\Windows\{9CF5FD3A-30C7-486d-B362-B679A41445F5}.exe	{488080BF-298F-4e25-90BD-FDC7CB5E8F5D}.exe
File created	C:\Windows\{8DA7B452-9275-4394-9F0B-5764F51B4F1D}.exe	{44A16E3B-0922-454f-BE47-70603E932B6C}.exe
File created	C:\Windows\{F6C0BE9D-7289-4c5d-B22A-B99330D0B1AB}.exe	{8DA7B452-9275-4394-9F0B-5764F51B4F1D}.exe
File created	C:\Windows\{5314BDED-DDF9-4c61-AF1B-93837E411B69}.exe	{F6C0BE9D-7289-4c5d-B22A-B99330D0B1AB}.exe
File created	C:\Windows\{B46139EA-B6F8-4bce-BCB3-A371046176F3}.exe	6e31bc7fedc3f19d60534c07bb5cd0d28f3f6be195cc672d2f5d03af0a6369cc_NeikiAnalytics.exe
File created	C:\Windows\{488080BF-298F-4e25-90BD-FDC7CB5E8F5D}.exe	{7F881540-5C1C-478f-A1F4-612EC11E0420}.exe
File created	C:\Windows\{452ABED4-9423-4908-81B1-726D95D431EB}.exe	{9CF5FD3A-30C7-486d-B362-B679A41445F5}.exe
File created	C:\Windows\{44A16E3B-0922-454f-BE47-70603E932B6C}.exe	{452ABED4-9423-4908-81B1-726D95D431EB}.exe
File created	C:\Windows\{08D9B52F-156A-4e64-80BD-DF960977E8BC}.exe	{B46139EA-B6F8-4bce-BCB3-A371046176F3}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2172	6e31bc7fedc3f19d60534c07bb5cd0d28f3f6be195cc672d2f5d03af0a6369cc_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2728	{B46139EA-B6F8-4bce-BCB3-A371046176F3}.exe
Token: SeIncBasePriorityPrivilege	2764	{08D9B52F-156A-4e64-80BD-DF960977E8BC}.exe
Token: SeIncBasePriorityPrivilege	2576	{C62ED9ED-F94C-43b2-BD26-1BC0BF97D67C}.exe
Token: SeIncBasePriorityPrivilege	2112	{7F881540-5C1C-478f-A1F4-612EC11E0420}.exe
Token: SeIncBasePriorityPrivilege	2960	{488080BF-298F-4e25-90BD-FDC7CB5E8F5D}.exe
Token: SeIncBasePriorityPrivilege	2800	{9CF5FD3A-30C7-486d-B362-B679A41445F5}.exe
Token: SeIncBasePriorityPrivilege	2356	{452ABED4-9423-4908-81B1-726D95D431EB}.exe
Token: SeIncBasePriorityPrivilege	2864	{44A16E3B-0922-454f-BE47-70603E932B6C}.exe
Token: SeIncBasePriorityPrivilege	2500	{8DA7B452-9275-4394-9F0B-5764F51B4F1D}.exe
Token: SeIncBasePriorityPrivilege	2364	{F6C0BE9D-7289-4c5d-B22A-B99330D0B1AB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2728	2172	6e31bc7fedc3f19d60534c07bb5cd0d28f3f6be195cc672d2f5d03af0a6369cc_NeikiAnalytics.exe	28
PID 2172 wrote to memory of 2728	2172	6e31bc7fedc3f19d60534c07bb5cd0d28f3f6be195cc672d2f5d03af0a6369cc_NeikiAnalytics.exe	28
PID 2172 wrote to memory of 2728	2172	6e31bc7fedc3f19d60534c07bb5cd0d28f3f6be195cc672d2f5d03af0a6369cc_NeikiAnalytics.exe	28
PID 2172 wrote to memory of 2728	2172	6e31bc7fedc3f19d60534c07bb5cd0d28f3f6be195cc672d2f5d03af0a6369cc_NeikiAnalytics.exe	28
PID 2172 wrote to memory of 2380	2172	6e31bc7fedc3f19d60534c07bb5cd0d28f3f6be195cc672d2f5d03af0a6369cc_NeikiAnalytics.exe	29
PID 2172 wrote to memory of 2380	2172	6e31bc7fedc3f19d60534c07bb5cd0d28f3f6be195cc672d2f5d03af0a6369cc_NeikiAnalytics.exe	29
PID 2172 wrote to memory of 2380	2172	6e31bc7fedc3f19d60534c07bb5cd0d28f3f6be195cc672d2f5d03af0a6369cc_NeikiAnalytics.exe	29
PID 2172 wrote to memory of 2380	2172	6e31bc7fedc3f19d60534c07bb5cd0d28f3f6be195cc672d2f5d03af0a6369cc_NeikiAnalytics.exe	29
PID 2728 wrote to memory of 2764	2728	{B46139EA-B6F8-4bce-BCB3-A371046176F3}.exe	30
PID 2728 wrote to memory of 2764	2728	{B46139EA-B6F8-4bce-BCB3-A371046176F3}.exe	30
PID 2728 wrote to memory of 2764	2728	{B46139EA-B6F8-4bce-BCB3-A371046176F3}.exe	30
PID 2728 wrote to memory of 2764	2728	{B46139EA-B6F8-4bce-BCB3-A371046176F3}.exe	30
PID 2728 wrote to memory of 2660	2728	{B46139EA-B6F8-4bce-BCB3-A371046176F3}.exe	31
PID 2728 wrote to memory of 2660	2728	{B46139EA-B6F8-4bce-BCB3-A371046176F3}.exe	31
PID 2728 wrote to memory of 2660	2728	{B46139EA-B6F8-4bce-BCB3-A371046176F3}.exe	31
PID 2728 wrote to memory of 2660	2728	{B46139EA-B6F8-4bce-BCB3-A371046176F3}.exe	31
PID 2764 wrote to memory of 2576	2764	{08D9B52F-156A-4e64-80BD-DF960977E8BC}.exe	32
PID 2764 wrote to memory of 2576	2764	{08D9B52F-156A-4e64-80BD-DF960977E8BC}.exe	32
PID 2764 wrote to memory of 2576	2764	{08D9B52F-156A-4e64-80BD-DF960977E8BC}.exe	32
PID 2764 wrote to memory of 2576	2764	{08D9B52F-156A-4e64-80BD-DF960977E8BC}.exe	32
PID 2764 wrote to memory of 2804	2764	{08D9B52F-156A-4e64-80BD-DF960977E8BC}.exe	33
PID 2764 wrote to memory of 2804	2764	{08D9B52F-156A-4e64-80BD-DF960977E8BC}.exe	33
PID 2764 wrote to memory of 2804	2764	{08D9B52F-156A-4e64-80BD-DF960977E8BC}.exe	33
PID 2764 wrote to memory of 2804	2764	{08D9B52F-156A-4e64-80BD-DF960977E8BC}.exe	33
PID 2576 wrote to memory of 2112	2576	{C62ED9ED-F94C-43b2-BD26-1BC0BF97D67C}.exe	36
PID 2576 wrote to memory of 2112	2576	{C62ED9ED-F94C-43b2-BD26-1BC0BF97D67C}.exe	36
PID 2576 wrote to memory of 2112	2576	{C62ED9ED-F94C-43b2-BD26-1BC0BF97D67C}.exe	36
PID 2576 wrote to memory of 2112	2576	{C62ED9ED-F94C-43b2-BD26-1BC0BF97D67C}.exe	36
PID 2576 wrote to memory of 1664	2576	{C62ED9ED-F94C-43b2-BD26-1BC0BF97D67C}.exe	37
PID 2576 wrote to memory of 1664	2576	{C62ED9ED-F94C-43b2-BD26-1BC0BF97D67C}.exe	37
PID 2576 wrote to memory of 1664	2576	{C62ED9ED-F94C-43b2-BD26-1BC0BF97D67C}.exe	37
PID 2576 wrote to memory of 1664	2576	{C62ED9ED-F94C-43b2-BD26-1BC0BF97D67C}.exe	37
PID 2112 wrote to memory of 2960	2112	{7F881540-5C1C-478f-A1F4-612EC11E0420}.exe	38
PID 2112 wrote to memory of 2960	2112	{7F881540-5C1C-478f-A1F4-612EC11E0420}.exe	38
PID 2112 wrote to memory of 2960	2112	{7F881540-5C1C-478f-A1F4-612EC11E0420}.exe	38
PID 2112 wrote to memory of 2960	2112	{7F881540-5C1C-478f-A1F4-612EC11E0420}.exe	38
PID 2112 wrote to memory of 3056	2112	{7F881540-5C1C-478f-A1F4-612EC11E0420}.exe	39
PID 2112 wrote to memory of 3056	2112	{7F881540-5C1C-478f-A1F4-612EC11E0420}.exe	39
PID 2112 wrote to memory of 3056	2112	{7F881540-5C1C-478f-A1F4-612EC11E0420}.exe	39
PID 2112 wrote to memory of 3056	2112	{7F881540-5C1C-478f-A1F4-612EC11E0420}.exe	39
PID 2960 wrote to memory of 2800	2960	{488080BF-298F-4e25-90BD-FDC7CB5E8F5D}.exe	40
PID 2960 wrote to memory of 2800	2960	{488080BF-298F-4e25-90BD-FDC7CB5E8F5D}.exe	40
PID 2960 wrote to memory of 2800	2960	{488080BF-298F-4e25-90BD-FDC7CB5E8F5D}.exe	40
PID 2960 wrote to memory of 2800	2960	{488080BF-298F-4e25-90BD-FDC7CB5E8F5D}.exe	40
PID 2960 wrote to memory of 1752	2960	{488080BF-298F-4e25-90BD-FDC7CB5E8F5D}.exe	41
PID 2960 wrote to memory of 1752	2960	{488080BF-298F-4e25-90BD-FDC7CB5E8F5D}.exe	41
PID 2960 wrote to memory of 1752	2960	{488080BF-298F-4e25-90BD-FDC7CB5E8F5D}.exe	41
PID 2960 wrote to memory of 1752	2960	{488080BF-298F-4e25-90BD-FDC7CB5E8F5D}.exe	41
PID 2800 wrote to memory of 2356	2800	{9CF5FD3A-30C7-486d-B362-B679A41445F5}.exe	42
PID 2800 wrote to memory of 2356	2800	{9CF5FD3A-30C7-486d-B362-B679A41445F5}.exe	42
PID 2800 wrote to memory of 2356	2800	{9CF5FD3A-30C7-486d-B362-B679A41445F5}.exe	42
PID 2800 wrote to memory of 2356	2800	{9CF5FD3A-30C7-486d-B362-B679A41445F5}.exe	42
PID 2800 wrote to memory of 1996	2800	{9CF5FD3A-30C7-486d-B362-B679A41445F5}.exe	43
PID 2800 wrote to memory of 1996	2800	{9CF5FD3A-30C7-486d-B362-B679A41445F5}.exe	43
PID 2800 wrote to memory of 1996	2800	{9CF5FD3A-30C7-486d-B362-B679A41445F5}.exe	43
PID 2800 wrote to memory of 1996	2800	{9CF5FD3A-30C7-486d-B362-B679A41445F5}.exe	43
PID 2356 wrote to memory of 2864	2356	{452ABED4-9423-4908-81B1-726D95D431EB}.exe	44
PID 2356 wrote to memory of 2864	2356	{452ABED4-9423-4908-81B1-726D95D431EB}.exe	44
PID 2356 wrote to memory of 2864	2356	{452ABED4-9423-4908-81B1-726D95D431EB}.exe	44
PID 2356 wrote to memory of 2864	2356	{452ABED4-9423-4908-81B1-726D95D431EB}.exe	44
PID 2356 wrote to memory of 1952	2356	{452ABED4-9423-4908-81B1-726D95D431EB}.exe	45
PID 2356 wrote to memory of 1952	2356	{452ABED4-9423-4908-81B1-726D95D431EB}.exe	45
PID 2356 wrote to memory of 1952	2356	{452ABED4-9423-4908-81B1-726D95D431EB}.exe	45
PID 2356 wrote to memory of 1952	2356	{452ABED4-9423-4908-81B1-726D95D431EB}.exe	45

C:\Users\Admin\AppData\Local\Temp\6e31bc7fedc3f19d60534c07bb5cd0d28f3f6be195cc672d2f5d03af0a6369cc_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6e31bc7fedc3f19d60534c07bb5cd0d28f3f6be195cc672d2f5d03af0a6369cc_NeikiAnalytics.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\{B46139EA-B6F8-4bce-BCB3-A371046176F3}.exe
  C:\Windows\{B46139EA-B6F8-4bce-BCB3-A371046176F3}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\{08D9B52F-156A-4e64-80BD-DF960977E8BC}.exe
    C:\Windows\{08D9B52F-156A-4e64-80BD-DF960977E8BC}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\{C62ED9ED-F94C-43b2-BD26-1BC0BF97D67C}.exe
      C:\Windows\{C62ED9ED-F94C-43b2-BD26-1BC0BF97D67C}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Windows\{7F881540-5C1C-478f-A1F4-612EC11E0420}.exe
        
        C:\Windows\{7F881540-5C1C-478f-A1F4-612EC11E0420}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2112
      - C:\Windows\{488080BF-298F-4e25-90BD-FDC7CB5E8F5D}.exe
        
        C:\Windows\{488080BF-298F-4e25-90BD-FDC7CB5E8F5D}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\{9CF5FD3A-30C7-486d-B362-B679A41445F5}.exe
        
        C:\Windows\{9CF5FD3A-30C7-486d-B362-B679A41445F5}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\{452ABED4-9423-4908-81B1-726D95D431EB}.exe
        
        C:\Windows\{452ABED4-9423-4908-81B1-726D95D431EB}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\{44A16E3B-0922-454f-BE47-70603E932B6C}.exe
        
        C:\Windows\{44A16E3B-0922-454f-BE47-70603E932B6C}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\{8DA7B452-9275-4394-9F0B-5764F51B4F1D}.exe
        
        C:\Windows\{8DA7B452-9275-4394-9F0B-5764F51B4F1D}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
        
        C:\Windows\{F6C0BE9D-7289-4c5d-B22A-B99330D0B1AB}.exe
        
        C:\Windows\{F6C0BE9D-7289-4c5d-B22A-B99330D0B1AB}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\{5314BDED-DDF9-4c61-AF1B-93837E411B69}.exe
        
        C:\Windows\{5314BDED-DDF9-4c61-AF1B-93837E411B69}.exe
        12⤵
        Executes dropped EXE
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6C0B~1.EXE > nul
        12⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DA7B~1.EXE > nul
        11⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44A16~1.EXE > nul
        10⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{452AB~1.EXE > nul
        9⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9CF5F~1.EXE > nul
        8⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48808~1.EXE > nul
        7⤵
        
        PID:1752
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F881~1.EXE > nul
        6⤵
        
        PID:3056
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C62ED~1.EXE > nul
        5⤵
        
        PID:1664
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{08D9B~1.EXE > nul
      4⤵
      PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B4613~1.EXE > nul
    3⤵
    PID:2660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6E31BC~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08D9B52F-156A-4e64-80BD-DF960977E8BC}.exe

Filesize
88KB

MD5
e2cba7b18ea22b01ee962c54c5b68f58

SHA1
1576187b36399c5ea553c693d4d93f61b4e05530

SHA256
3e01e89f8bc450a9d28b9b06e05e94b240fa7e4cdd8ae6c9bbc7d9e6bd882a3c

SHA512
c0f53b68c339e7d473b63e94ec989cf8d3f7e85863205c2bf314feac46001a4e2a79b63b128a1092edfc356fe7677d45f657a31ab9cde22224c16531b992cc13

Download Submit
C:\Windows\{44A16E3B-0922-454f-BE47-70603E932B6C}.exe

Filesize
88KB

MD5
d1df16d60698daffa8652e31bd12efd0

SHA1
93133d26b0e8d833fb9e4b183617c8d83c17ea6b

SHA256
7c6cc824cf23cf781a62c4f689b780f443873e065684fbe80ad6b73646db0225

SHA512
935823dbd1f63a3593ec35f2108deb8483bc36acf712a454408a3ebe21061ea2626e66e8a9aa0273f990a3d9de35ee5322f103b6247701cb45fdbbbbb053e7ff

Download Submit
C:\Windows\{452ABED4-9423-4908-81B1-726D95D431EB}.exe

Filesize
88KB

MD5
da62ad2c30cf628edc8bd9cf2cdb3293

SHA1
ad6b00a0bb29bacf760ff44aef14f001272ccca0

SHA256
0799234b5c89c1257a7912a7b26d04612c4611e0d84787c71a95628cd43ae1b7

SHA512
f2f17d5bd51596256fe11329dd74a084a584bea582b7ee475be8a8788a56ca8644e344d8e1c464d9c1f2e5cafc5a93831a2e8e542f5a18700b0018e7eae21c7c

Download Submit
C:\Windows\{488080BF-298F-4e25-90BD-FDC7CB5E8F5D}.exe

Filesize
88KB

MD5
04f3a10acfa5b75049320bf913e99229

SHA1
97cec504862a4e3f4856c6b14bdae23c11c7d960

SHA256
2f6910b2b089547487ce405b674ec676cf40a63bcc738ae871a736c9e618c5cf

SHA512
2f083b1edbe698ad5eac510f7566ff869ca6bb05770dd334e47d672d6a27bc1b63b0c312e4708bb5247b34d599975f2e68032f4122682b0de214f9e481e34660

Download Submit
C:\Windows\{5314BDED-DDF9-4c61-AF1B-93837E411B69}.exe

Filesize
88KB

MD5
56228e4cab0cb2a1d382565b5000908f

SHA1
59ef725d17ede766873200424ca0c637eb06c914

SHA256
ed20b83683ebcacd33eb0e8c37e99cf500e4c0158651d24c25d2292e6b6f2dbc

SHA512
24b9293e8cedd2ce20284fd57d5749bac63ff01dae0b62779dc87124fc015530155de8f09da0b2a5a96e1dfbd385c6c70f6a61e25b454f8d078132a191e87622

Download Submit
C:\Windows\{7F881540-5C1C-478f-A1F4-612EC11E0420}.exe

Filesize
88KB

MD5
df5af91b781235c244964cbf6648dfb1

SHA1
98ffbfda4606579cfbd64ab9a49d18fc5645faa4

SHA256
f0c97a6bd20be0dee2607f61282444d9c29c96259e88d2bc9a888fa98a058061

SHA512
ce4422f863013716020a48a09bb9d10ba190d530288a259531bf8f217f681411157dca03ca7fcbe68175f917f307368e7167e0f24f2363fd81c2adea842e8d74

Download Submit
C:\Windows\{8DA7B452-9275-4394-9F0B-5764F51B4F1D}.exe

Filesize
88KB

MD5
444e483522b6820674c63ee5304010be

SHA1
54005bc960037f37fb5f543c7b0108b65cde3b3a

SHA256
823ecad1439faba652e2422d6c0fd45e084b3780e4e3cd6a666d00e3a5555cc8

SHA512
9ad0a1495cbcb6f6c9ac94ad382b9f4311db0d109181a9b05fffe9c8dc113b536d3dc6085118e86e5b2feff8a86d5f5b4dbb64d4f21aff44f8485891c48dfc78

Download Submit
C:\Windows\{9CF5FD3A-30C7-486d-B362-B679A41445F5}.exe

Filesize
88KB

MD5
1cc2c88fd790019444541eff114393a5

SHA1
dd07d3793ecd8b41568ef155bf8cf6aa2250dcd0

SHA256
68f8d49fc85cac65ff9b50e0d97e4db3b990da4c6ec075639b0add4e3d2875af

SHA512
cb61c1d01399ce8c04be62d5012702b96e29eb4ccc8b93ad16b8f6a9c80603c3fd0ce4eeb1e1d35384e74714d1fe9cfdb6c1bab48f5bd85e2e3a4b8676428149

Download Submit
C:\Windows\{B46139EA-B6F8-4bce-BCB3-A371046176F3}.exe

Filesize
88KB

MD5
d40ad046e71743c4a765a0bd62cf736c

SHA1
9139d5188d0ad8c14784afde3109509ae4b1a187

SHA256
6c520ddd4fa1145eb405db09e12768a3060fac37df3d607c7e3b6f6a51ac2a05

SHA512
e4b4ffee8d88b2ccd29983c5d90b6af9e30621940f6a03996a0dce6ea5f58b7253565c1f479411d5610413eb56b13a2bbd377ec288460f6f7f6b259e9a8f895a

Download Submit
C:\Windows\{C62ED9ED-F94C-43b2-BD26-1BC0BF97D67C}.exe

Filesize
88KB

MD5
7f02b03c542c9437b887a7199ca7aa11

SHA1
76f6e7ff93d1f10fa701839d80348c537b84e5c6

SHA256
8c06870b2a924864e21248c1d6506ce9d3538dd9130838447f8d3feddefbebb3

SHA512
47a62e0cc7cbef8f6be88aa956e356143d302114a6479c710777849f8e82bd03d6308c4e48713631a863d3bd2212c0bce263baaa4a9fb7d159cb31cfa63cd6e1

Download Submit
C:\Windows\{F6C0BE9D-7289-4c5d-B22A-B99330D0B1AB}.exe

Filesize
88KB

MD5
7dae8c67d43c2d6a65fa3304f0c60b6e

SHA1
1244fa40e4072684d64a2872b17cc83e502c0569

SHA256
c90988ea2f340d7d3016fbdcb13e942efa3d131e42b0a7145909b0e60a86d6e5

SHA512
63ea46fbcdf48ed516e2bf93d2eeef8f5a7018fbe6cb77a94ac5f1b6acf77816fbfb2b4b5fa5a272274ecae5db01dd96279e3df3c7f76d174b94291bc697b845

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads