32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c

Analysis

max time kernel
158s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
Size

361KB
MD5

6a786d8f70217dfaec233f6345db06d0
SHA1

1836de90928de3d7a6eb0f58d7b9481a5b73d636
SHA256

32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c
SHA512

aa09f8d71e073e5e8e0daf28cca49790743d762dcd7b9d0285fc624fd1f72b89fd13c50a06dee5079afe4e71e359fec679d3623ae3c3b7b69f4a192c3b81ca2a
SSDEEP

6144:vflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:vflfAsiVGjSGecvX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 49 IoCs

pid	Process
5008	wqoigbytrljdywqo.exe
5108	CreateProcess.exe
2268	bytrljdbvt.exe
4808	CreateProcess.exe
3548	CreateProcess.exe
3276	i_bytrljdbvt.exe
1384	CreateProcess.exe
3736	ifaysqkica.exe
404	CreateProcess.exe
5044	CreateProcess.exe
2124	i_ifaysqkica.exe
3624	CreateProcess.exe
2992	xupnhfzxrp.exe
2236	CreateProcess.exe
4188	CreateProcess.exe
872	i_xupnhfzxrp.exe
4788	CreateProcess.exe
468	pjhczusmke.exe
2728	CreateProcess.exe
1784	CreateProcess.exe
3396	i_pjhczusmke.exe
840	CreateProcess.exe
1532	wtomgeywqo.exe
3076	CreateProcess.exe
2688	CreateProcess.exe
1256	i_wtomgeywqo.exe
4928	CreateProcess.exe
4480	oigaytqljd.exe
2140	CreateProcess.exe
5104	CreateProcess.exe
2780	i_oigaytqljd.exe
772	CreateProcess.exe
3868	nhfaxsqkic.exe
2340	CreateProcess.exe
3828	CreateProcess.exe
1336	i_nhfaxsqkic.exe
1116	CreateProcess.exe
440	pkhcausmke.exe
840	CreateProcess.exe
3552	CreateProcess.exe
3660	i_pkhcausmke.exe
2376	CreateProcess.exe
528	jecwuomgez.exe
3836	CreateProcess.exe
3412	CreateProcess.exe
2288	i_jecwuomgez.exe
3624	CreateProcess.exe
4036	jebwtomgey.exe
1856	CreateProcess.exe

Gathers network information 2 TTPs 10 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2028	ipconfig.exe
1632	ipconfig.exe
1704	ipconfig.exe
1888	ipconfig.exe
1948	ipconfig.exe
4308	ipconfig.exe
2132	ipconfig.exe
1236	ipconfig.exe
4776	ipconfig.exe
3580	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 21 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{15F51CFD-34D7-11EF-B9F7-5262F08EE73F} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3684571286"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31115491"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31115491"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3684571286"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{15F51CFF-34D7-11EF-B9F7-5262F08EE73F}.dat = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
5008	wqoigbytrljdywqo.exe
5008	wqoigbytrljdywqo.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
5008	wqoigbytrljdywqo.exe
5008	wqoigbytrljdywqo.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
5008	wqoigbytrljdywqo.exe
5008	wqoigbytrljdywqo.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
5008	wqoigbytrljdywqo.exe
5008	wqoigbytrljdywqo.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
5008	wqoigbytrljdywqo.exe
5008	wqoigbytrljdywqo.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
5008	wqoigbytrljdywqo.exe
5008	wqoigbytrljdywqo.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
5008	wqoigbytrljdywqo.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
5008	wqoigbytrljdywqo.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe

Suspicious behavior: LoadsDriver 10 IoCs

pid	Process
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	3276	i_bytrljdbvt.exe
Token: SeDebugPrivilege	2124	i_ifaysqkica.exe
Token: SeDebugPrivilege	872	i_xupnhfzxrp.exe
Token: SeDebugPrivilege	3396	i_pjhczusmke.exe
Token: SeDebugPrivilege	1256	i_wtomgeywqo.exe
Token: SeDebugPrivilege	2780	i_oigaytqljd.exe
Token: SeDebugPrivilege	1336	i_nhfaxsqkic.exe
Token: SeDebugPrivilege	3660	i_pkhcausmke.exe
Token: SeDebugPrivilege	2288	i_jecwuomgez.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2980	iexplore.exe
2980	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 5008	3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe	92
PID 3652 wrote to memory of 5008	3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe	92
PID 3652 wrote to memory of 5008	3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe	92
PID 3652 wrote to memory of 2980	3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe	94
PID 3652 wrote to memory of 2980	3652	32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe	94
PID 5008 wrote to memory of 5108	5008	wqoigbytrljdywqo.exe	95
PID 5008 wrote to memory of 5108	5008	wqoigbytrljdywqo.exe	95
PID 5008 wrote to memory of 5108	5008	wqoigbytrljdywqo.exe	95
PID 2268 wrote to memory of 4808	2268	bytrljdbvt.exe	98
PID 2268 wrote to memory of 4808	2268	bytrljdbvt.exe	98
PID 2268 wrote to memory of 4808	2268	bytrljdbvt.exe	98
PID 5008 wrote to memory of 3548	5008	wqoigbytrljdywqo.exe	101
PID 5008 wrote to memory of 3548	5008	wqoigbytrljdywqo.exe	101
PID 5008 wrote to memory of 3548	5008	wqoigbytrljdywqo.exe	101
PID 5008 wrote to memory of 1384	5008	wqoigbytrljdywqo.exe	104
PID 5008 wrote to memory of 1384	5008	wqoigbytrljdywqo.exe	104
PID 5008 wrote to memory of 1384	5008	wqoigbytrljdywqo.exe	104
PID 3736 wrote to memory of 404	3736	ifaysqkica.exe	106
PID 3736 wrote to memory of 404	3736	ifaysqkica.exe	106
PID 3736 wrote to memory of 404	3736	ifaysqkica.exe	106
PID 2980 wrote to memory of 3468	2980	iexplore.exe	109
PID 2980 wrote to memory of 3468	2980	iexplore.exe	109
PID 2980 wrote to memory of 3468	2980	iexplore.exe	109
PID 5008 wrote to memory of 5044	5008	wqoigbytrljdywqo.exe	110
PID 5008 wrote to memory of 5044	5008	wqoigbytrljdywqo.exe	110
PID 5008 wrote to memory of 5044	5008	wqoigbytrljdywqo.exe	110
PID 5008 wrote to memory of 3624	5008	wqoigbytrljdywqo.exe	112
PID 5008 wrote to memory of 3624	5008	wqoigbytrljdywqo.exe	112
PID 5008 wrote to memory of 3624	5008	wqoigbytrljdywqo.exe	112
PID 2992 wrote to memory of 2236	2992	xupnhfzxrp.exe	114
PID 2992 wrote to memory of 2236	2992	xupnhfzxrp.exe	114
PID 2992 wrote to memory of 2236	2992	xupnhfzxrp.exe	114
PID 5008 wrote to memory of 4188	5008	wqoigbytrljdywqo.exe	117
PID 5008 wrote to memory of 4188	5008	wqoigbytrljdywqo.exe	117
PID 5008 wrote to memory of 4188	5008	wqoigbytrljdywqo.exe	117
PID 5008 wrote to memory of 4788	5008	wqoigbytrljdywqo.exe	120
PID 5008 wrote to memory of 4788	5008	wqoigbytrljdywqo.exe	120
PID 5008 wrote to memory of 4788	5008	wqoigbytrljdywqo.exe	120
PID 468 wrote to memory of 2728	468	pjhczusmke.exe	122
PID 468 wrote to memory of 2728	468	pjhczusmke.exe	122
PID 468 wrote to memory of 2728	468	pjhczusmke.exe	122
PID 5008 wrote to memory of 1784	5008	wqoigbytrljdywqo.exe	125
PID 5008 wrote to memory of 1784	5008	wqoigbytrljdywqo.exe	125
PID 5008 wrote to memory of 1784	5008	wqoigbytrljdywqo.exe	125
PID 5008 wrote to memory of 840	5008	wqoigbytrljdywqo.exe	127
PID 5008 wrote to memory of 840	5008	wqoigbytrljdywqo.exe	127
PID 5008 wrote to memory of 840	5008	wqoigbytrljdywqo.exe	127
PID 1532 wrote to memory of 3076	1532	wtomgeywqo.exe	129
PID 1532 wrote to memory of 3076	1532	wtomgeywqo.exe	129
PID 1532 wrote to memory of 3076	1532	wtomgeywqo.exe	129
PID 5008 wrote to memory of 2688	5008	wqoigbytrljdywqo.exe	134
PID 5008 wrote to memory of 2688	5008	wqoigbytrljdywqo.exe	134
PID 5008 wrote to memory of 2688	5008	wqoigbytrljdywqo.exe	134
PID 5008 wrote to memory of 4928	5008	wqoigbytrljdywqo.exe	137
PID 5008 wrote to memory of 4928	5008	wqoigbytrljdywqo.exe	137
PID 5008 wrote to memory of 4928	5008	wqoigbytrljdywqo.exe	137
PID 4480 wrote to memory of 2140	4480	oigaytqljd.exe	139
PID 4480 wrote to memory of 2140	4480	oigaytqljd.exe	139
PID 4480 wrote to memory of 2140	4480	oigaytqljd.exe	139
PID 5008 wrote to memory of 5104	5008	wqoigbytrljdywqo.exe	143
PID 5008 wrote to memory of 5104	5008	wqoigbytrljdywqo.exe	143
PID 5008 wrote to memory of 5104	5008	wqoigbytrljdywqo.exe	143
PID 5008 wrote to memory of 772	5008	wqoigbytrljdywqo.exe	147
PID 5008 wrote to memory of 772	5008	wqoigbytrljdywqo.exe	147

C:\Users\Admin\AppData\Local\Temp\32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\32957bc176cb04892ba688bf86608a322d79d0ece5cdf25ae7cca1552e07df3c_NeikiAnalytics.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Temp\wqoigbytrljdywqo.exe
  C:\Temp\wqoigbytrljdywqo.exe run
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\bytrljdbvt.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:5108
  - - C:\Temp\bytrljdbvt.exe
      C:\Temp\bytrljdbvt.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2268
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4808
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1948
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_bytrljdbvt.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3548
  - - C:\Temp\i_bytrljdbvt.exe
      C:\Temp\i_bytrljdbvt.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3276
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ifaysqkica.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1384
  - - C:\Temp\ifaysqkica.exe
      C:\Temp\ifaysqkica.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3736
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:404
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4308
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ifaysqkica.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:5044
  - - C:\Temp\i_ifaysqkica.exe
      C:\Temp\i_ifaysqkica.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2124
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xupnhfzxrp.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3624
  - - C:\Temp\xupnhfzxrp.exe
      C:\Temp\xupnhfzxrp.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2992
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2236
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2028
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xupnhfzxrp.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4188
  - - C:\Temp\i_xupnhfzxrp.exe
      C:\Temp\i_xupnhfzxrp.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:872
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\pjhczusmke.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4788
  - - C:\Temp\pjhczusmke.exe
      C:\Temp\pjhczusmke.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:468
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2728
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2132
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_pjhczusmke.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1784
  - - C:\Temp\i_pjhczusmke.exe
      C:\Temp\i_pjhczusmke.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3396
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\wtomgeywqo.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:840
  - - C:\Temp\wtomgeywqo.exe
      C:\Temp\wtomgeywqo.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1532
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3076
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1236
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_wtomgeywqo.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2688
  - - C:\Temp\i_wtomgeywqo.exe
      C:\Temp\i_wtomgeywqo.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1256
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\oigaytqljd.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4928
  - - C:\Temp\oigaytqljd.exe
      C:\Temp\oigaytqljd.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4480
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2140
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1632
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_oigaytqljd.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:5104
  - - C:\Temp\i_oigaytqljd.exe
      C:\Temp\i_oigaytqljd.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2780
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\nhfaxsqkic.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:772
  - - C:\Temp\nhfaxsqkic.exe
      C:\Temp\nhfaxsqkic.exe ups_run
      4⤵
      Executes dropped EXE
      PID:3868
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2340
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4776
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_nhfaxsqkic.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3828
  - - C:\Temp\i_nhfaxsqkic.exe
      C:\Temp\i_nhfaxsqkic.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1336
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\pkhcausmke.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1116
  - - C:\Temp\pkhcausmke.exe
      C:\Temp\pkhcausmke.exe ups_run
      4⤵
      Executes dropped EXE
      PID:440
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:840
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3580
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_pkhcausmke.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3552
  - - C:\Temp\i_pkhcausmke.exe
      C:\Temp\i_pkhcausmke.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3660
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\jecwuomgez.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2376
  - - C:\Temp\jecwuomgez.exe
      C:\Temp\jecwuomgez.exe ups_run
      4⤵
      Executes dropped EXE
      PID:528
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3836
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1704
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_jecwuomgez.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3412
  - - C:\Temp\i_jecwuomgez.exe
      C:\Temp\i_jecwuomgez.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2288
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\jebwtomgey.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3624
  - - C:\Temp\jebwtomgey.exe
      C:\Temp\jebwtomgey.exe ups_run
      4⤵
      Executes dropped EXE
      PID:4036
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1856
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1888
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2980 CREDAT:17410 /prefetch:2
    3⤵
    PID:3468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:4676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
ff5119d46d39ef1152168d5ea03113ca

SHA1
7daf2bdb2561aa8b101b16549c4678784da68c28

SHA256
2d541fe357e093125230a12c0c3d38e818f57a6ab8f514240df064069fa8d57d

SHA512
fec34096ea3ddfffe98617333ad7c8fb16ec3c8e6c80ad20b0aa2ddbd6d9415bc94e680417650c6d47bf8b0d7d189b8c1aef6ecdb12a3bc09cd7a04408b5d8fe

Download Submit
C:\Temp\bytrljdbvt.exe

Filesize
361KB

MD5
fe0b631af17bf9337e6eb33d4e51043a

SHA1
a1119c89f13643b4a8ffb55a3f7a442d5cbc6c28

SHA256
2d0051c12ccda251d115c6ff10474ea25dfd0870e5870cc92c395c4307a056c1

SHA512
c505cbb05c8322a911892456760a1f50575e3daf45310ad2c9eab043967969ec661753779bfaab988aecc5f77d0fe0eab3c038cfea64ee63c5a9c6d4b315715f

Download Submit
C:\Temp\i_bytrljdbvt.exe

Filesize
361KB

MD5
6fcc9a9e0b3424465d039b0e38454cf4

SHA1
39578f6fedcfa7114ec2128027cf21138a938ecc

SHA256
98b9ab83bb1af5375e2768ce38656ea82668b3d45d814af6c8601b14a675f089

SHA512
fbbcfc19a0a37cbb844876306b9d32ebf1793f9a0a1051ab512da7400e1ccb8de214e599eb5874278b8f70f7334cd411e96453282beb1f0ad68285e162b92b45

Download Submit
C:\Temp\i_ifaysqkica.exe

Filesize
361KB

MD5
6e4b57814b15abcdeff62d41e47c447c

SHA1
20f5185481a48f9b966ea1b022906b905e6d5597

SHA256
8a6309173bdf074800ede953c27d896cd3edb49c68972ca2faa1fa9d87b388c6

SHA512
67c929273a76dcce4536307354e33ffd4833be230d7dec5d46f8b2cfe0be642f9b360d28cd4a838f330a7cc9f2a24acb48b5d1057c1ed09af2d1fe66874c7124

Download Submit
C:\Temp\i_nhfaxsqkic.exe

Filesize
361KB

MD5
416d8ab564e8fbb68488b8775a2816fe

SHA1
5e4400225329efc69a31692dcd008d90abdc2af3

SHA256
9b01c614943456096f2f32da679686568429568afda76bd660a78d098fd6ba05

SHA512
8ae6a4f2272f6f565c65aa1db664c7fc8811a734996ab5f1163d4dac94bef66c73621821d205c863b82ed7815d4080d55af6d8e5a5d8e1e40ae10b66888af0b1

Download Submit
C:\Temp\i_oigaytqljd.exe

Filesize
361KB

MD5
eead0ec074f90d366b6b45833dbaca0b

SHA1
3fc5b8f8d537b40713f8c15f6a5cf58743c38a32

SHA256
4f4169aa814fb68a8881902a051ace25e6bcce1e2ae7f5de1021902f66c57814

SHA512
4921adcab514a78660b1a522aea82c23997284afb845ecf5dc21d0ee0cf117a49249019a97ba3a0b9de5e0152cddb3e9cc97611b1b5ab5bb77e4dc90224833aa

Download Submit
C:\Temp\i_pjhczusmke.exe

Filesize
361KB

MD5
58c1e7806cd75a0fb88d314d42d1d49e

SHA1
d4c7b6946413ee0dc9ed9ab6f48136c6887810be

SHA256
480c9b42f395d49b832fdfa73ee06388fbf1c1cd27abb845012a93f744d55b41

SHA512
92b804a71c452f737d373d509c2f60bfc4ccb6db7a57116f2c1edfdfb80cc49754970b65ebb132fd5ea3f345fa36d65db12f45f32ad47d8a44c7690c1d7e0325

Download Submit
C:\Temp\i_pkhcausmke.exe

Filesize
361KB

MD5
3312197f5001a25961eea4785b4548d4

SHA1
7dd4722744c9e994036a919d97883211a711a976

SHA256
4a874cb092c91a23df9b7c64a788beb9d336c734a6ffca56332f233d847137c5

SHA512
e318a96275a8ca9b2afb98f4f01d4655e0e0b4c30f4699619ce123996a63645d9fa4c1006f392d20d71cde516b4f3da76aa4994170dc25b8eb188f91ede0edeb

Download Submit
C:\Temp\i_wtomgeywqo.exe

Filesize
361KB

MD5
49a29a0c90a7329ba090dd1393b4a7c6

SHA1
92132f5496343c8ff67760e618195813c7155ea8

SHA256
bb3133b4d6c3de42dad3dcd8f8ee23724f8ce9c12a4ee0661d1ee8fdfb1dc2d4

SHA512
e3cebe1a91bc9f23572068eaf2979d2189ff9489b492e9cc314502d5ae02ce4020263dafcac6b89de08fcba5efd695fd48035dc577970701e01da873cf5a2c4f

Download Submit
C:\Temp\i_xupnhfzxrp.exe

Filesize
361KB

MD5
7d179456d7ee536ab3a818688dd928bf

SHA1
61c97c9f0dbe3602f0da79482ece47ce447f9d59

SHA256
48a26a592fea34425b3d85d2e8ba552d8cf0417963cbeb8c184db9382f96a612

SHA512
d08540a639e8d7c665546181c4b7c2cb6b8303becb1ab9c1c795d6deb28bd389eec620bab24fabc61acfc00e48c89f43bd105f8873471f68058912db06b5bc19

Download Submit
C:\Temp\ifaysqkica.exe

Filesize
361KB

MD5
8c5f61732baf5fc83b91e414c0998c4e

SHA1
d8a0301f8dfe0a6e3dc24266643dc9afd0a0dff1

SHA256
88e860fb38512cb7fbf9f3a412a679394fca924a0f384b823feb40ef1aec86c9

SHA512
07b0098d0471720a4658c929469c3ee6667d129a184c710eb7bb9a5b1a501056f1f1054da70071188041c51d6b62984a182277ccfadc23ad647dd8194f582215

Download Submit
C:\Temp\jecwuomgez.exe

Filesize
361KB

MD5
d569cc54bb534cf9887ce813db334f50

SHA1
5421321730e3d22e682daee8feed34083b7e8a07

SHA256
cdfd4a06eb8cc9c33613484a189ea9259d550754094e3f83a7a585e5aa2e0402

SHA512
0fee06bb6807f5af1e3945f051dc5a4d08d61084dabe8bcd99b92e3a9f2001077ac406f96a9d08ffc65c1432ea9da0deac28300aa678ee1655c88352e1909ae9

Download Submit
C:\Temp\nhfaxsqkic.exe

Filesize
361KB

MD5
925aad96773a3a668ab3d26eb1b22638

SHA1
cf9b346b1074a7f9d132c7e8f9a52a81c5e3aa25

SHA256
e96273b3430a94f0d84db20d51f82228be774b40a43478e1fef454e0959bbd54

SHA512
d643e1b4c003d952d7c330684c7d9c85b516dcf6e07d4aea6c07bf2269c097e8328427c2ceafb273eff693d4f98091739d45cc2755cc969ec62318a0a7e8480b

Download Submit
C:\Temp\oigaytqljd.exe

Filesize
361KB

MD5
580d5899efa3795f0538b34cdef752b7

SHA1
534714e63f8401ef37caeba0f69e485c048ad307

SHA256
d453148858ff5cd92be7e74e707ac15630f05821cdeceabe956f3bc1100dddf0

SHA512
d374cc29168b89043525e8b4ff7aefef16db1f218d9f76335b29fcb2bd9fb30e23f4af5071e9f58d3e98a92de2974803574a182fcbf51cf1e219c723e1fd18d3

Download Submit
C:\Temp\pjhczusmke.exe

Filesize
361KB

MD5
ef0e6eca2c441481d6555a2791c07177

SHA1
ae676b0ecfce9b643f247cb6ee8d324f1cface4f

SHA256
c9d772d3436223129e383195d91eddc47273e845b592093f0c887cf13fed02c0

SHA512
39a75786a8b1d6d56cc27276b88058a30d618ffba270b53509447a6c200a8f3a0b662057ebc1dbb8be0a9b421f66a01f2380b9560a5a620b624fe4ae0e909e8c

Download Submit
C:\Temp\pkhcausmke.exe

Filesize
361KB

MD5
84b41538bf49d4fafab5c57450d673a6

SHA1
4fc788af65631de1e05a2301f90422a5939c44d7

SHA256
7a52769d9f8c0fa92519edf71dc9fb9b627dfedb5f6bf22cf6ddb3d779ad05d8

SHA512
6716b1433d1c7d6fc204b698854d4fce8c4456c9c7617944dc8bb713f511559804022975451f942cb4d800f58dc6595f78319942984cfbb0a056f3e9a638a6c7

Download Submit
C:\Temp\wqoigbytrljdywqo.exe

Filesize
361KB

MD5
d7ddb592701f4551aa47fcf94cae29a2

SHA1
dd132a18339a5669681193f2e29f514be80300ec

SHA256
012e9dc055a185a698eef5fb2675a902309671e93599218e9a3a61ce234d5987

SHA512
01dc043923e0acf2625a14a1789c97b693943e9694121b581e07749ff879abcce1e6db2babe8e75b49aaef4e4cfc28efac3d0c753202035f6ce7ad5ee2c7bd5e

Download Submit
C:\Temp\wtomgeywqo.exe

Filesize
361KB

MD5
6d9b969174a3a2174bbdb812a3ceeb6e

SHA1
57b3e04732bf35bb23ac6a2c09b4d64a7f258440

SHA256
38ce170d1ff0c2317095756981d0ef7965df9f2c15fc4bce549d82a083f09ec9

SHA512
480eb19ab132898bdc7941b633dccd41b79af6294a1a920bb24e429da6ce0b93b1173dce132a0e91607909d4ff0103b2b2ccab58a90b620f1f0e2b76ecc68820

Download Submit
C:\Temp\xupnhfzxrp.exe

Filesize
361KB

MD5
35b8eda3598e34b401217cfc5f633d83

SHA1
a11e233238b98ab3951c65776f03fc243c9ed54f

SHA256
8ecedc516f9dc4c85d40105f235404c52d755b5638fb8c7f2c25ac24ea2ed06d

SHA512
9d17e9a781918583c50a2b71daaabe25674431d4181789029f6a055ec2247d63a030a2524049e1352078a7bbff18e5c5ffeb3102da99da338c2bf80d3509eb7b

Download Submit