422568ff8f4136550d1cf128f7ecc1ae445ec4f909130f9d78fa2002607ceaeb

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27/06/2024, 03:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

422568ff8f4136550d1cf128f7ecc1ae445ec4f909130f9d78fa2002607ceaeb_NeikiAnalytics.exe
Size

89KB
MD5

fad7c493906bae1384218917ca67ba50
SHA1

db66f3efd4cff9726bfe1b0a6d6e2de5fa7701f7
SHA256

422568ff8f4136550d1cf128f7ecc1ae445ec4f909130f9d78fa2002607ceaeb
SHA512

1d8a1abde4e4e67761bc44bacd36874d231363cce5d6499de4f56fd1111afa47685e4f10bf192b24f6c6fc72de4617fe1db96c6cd72ad8942ef45380a5506069
SSDEEP

768:Qvw9816vhKQLroM4/wQRNrfrunMxVFA3b7glL:YEGh0oMl2unMxVS3Hg9

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10C9B6F0-05F2-4d49-AD51-CAF58BAF3048}	{B8B42E50-8D8E-4bbd-9B3C-4AD2E8D6C546}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB1E6DBB-69A1-48a3-B22C-E2B68A360080}	{40B44F61-901E-456a-9134-FEA067852AF3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F2C275D-B8FC-4129-BA3B-EF455ABA4337}	{EB1E6DBB-69A1-48a3-B22C-E2B68A360080}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C6DDAEE-9EDF-4bb5-9ADA-8D8B11C08D5A}	{8F2C275D-B8FC-4129-BA3B-EF455ABA4337}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6C39628-8423-408d-915C-AB756AA1A67A}\stubpath = "C:\\Windows\\{A6C39628-8423-408d-915C-AB756AA1A67A}.exe"	422568ff8f4136550d1cf128f7ecc1ae445ec4f909130f9d78fa2002607ceaeb_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{906A223C-67F0-4e66-B74F-78EBC89EBA07}\stubpath = "C:\\Windows\\{906A223C-67F0-4e66-B74F-78EBC89EBA07}.exe"	{A6C39628-8423-408d-915C-AB756AA1A67A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19440EF7-D784-44e4-8E01-C3E20FDBD1A6}	{812B4DA0-DA2A-40a5-A9B3-6F3A83C4D505}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8B42E50-8D8E-4bbd-9B3C-4AD2E8D6C546}\stubpath = "C:\\Windows\\{B8B42E50-8D8E-4bbd-9B3C-4AD2E8D6C546}.exe"	{19440EF7-D784-44e4-8E01-C3E20FDBD1A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D51B027A-CDFC-4353-B751-AD692B83022E}\stubpath = "C:\\Windows\\{D51B027A-CDFC-4353-B751-AD692B83022E}.exe"	{F205E457-93A7-4a28-8BEE-FEB2883F00A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{812B4DA0-DA2A-40a5-A9B3-6F3A83C4D505}\stubpath = "C:\\Windows\\{812B4DA0-DA2A-40a5-A9B3-6F3A83C4D505}.exe"	{906A223C-67F0-4e66-B74F-78EBC89EBA07}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB1E6DBB-69A1-48a3-B22C-E2B68A360080}\stubpath = "C:\\Windows\\{EB1E6DBB-69A1-48a3-B22C-E2B68A360080}.exe"	{40B44F61-901E-456a-9134-FEA067852AF3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D51B027A-CDFC-4353-B751-AD692B83022E}	{F205E457-93A7-4a28-8BEE-FEB2883F00A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19440EF7-D784-44e4-8E01-C3E20FDBD1A6}\stubpath = "C:\\Windows\\{19440EF7-D784-44e4-8E01-C3E20FDBD1A6}.exe"	{812B4DA0-DA2A-40a5-A9B3-6F3A83C4D505}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40B44F61-901E-456a-9134-FEA067852AF3}\stubpath = "C:\\Windows\\{40B44F61-901E-456a-9134-FEA067852AF3}.exe"	{10C9B6F0-05F2-4d49-AD51-CAF58BAF3048}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F2C275D-B8FC-4129-BA3B-EF455ABA4337}\stubpath = "C:\\Windows\\{8F2C275D-B8FC-4129-BA3B-EF455ABA4337}.exe"	{EB1E6DBB-69A1-48a3-B22C-E2B68A360080}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F205E457-93A7-4a28-8BEE-FEB2883F00A7}\stubpath = "C:\\Windows\\{F205E457-93A7-4a28-8BEE-FEB2883F00A7}.exe"	{3C6DDAEE-9EDF-4bb5-9ADA-8D8B11C08D5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10C9B6F0-05F2-4d49-AD51-CAF58BAF3048}\stubpath = "C:\\Windows\\{10C9B6F0-05F2-4d49-AD51-CAF58BAF3048}.exe"	{B8B42E50-8D8E-4bbd-9B3C-4AD2E8D6C546}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40B44F61-901E-456a-9134-FEA067852AF3}	{10C9B6F0-05F2-4d49-AD51-CAF58BAF3048}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C6DDAEE-9EDF-4bb5-9ADA-8D8B11C08D5A}\stubpath = "C:\\Windows\\{3C6DDAEE-9EDF-4bb5-9ADA-8D8B11C08D5A}.exe"	{8F2C275D-B8FC-4129-BA3B-EF455ABA4337}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F205E457-93A7-4a28-8BEE-FEB2883F00A7}	{3C6DDAEE-9EDF-4bb5-9ADA-8D8B11C08D5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6C39628-8423-408d-915C-AB756AA1A67A}	422568ff8f4136550d1cf128f7ecc1ae445ec4f909130f9d78fa2002607ceaeb_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{906A223C-67F0-4e66-B74F-78EBC89EBA07}	{A6C39628-8423-408d-915C-AB756AA1A67A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{812B4DA0-DA2A-40a5-A9B3-6F3A83C4D505}	{906A223C-67F0-4e66-B74F-78EBC89EBA07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B8B42E50-8D8E-4bbd-9B3C-4AD2E8D6C546}	{19440EF7-D784-44e4-8E01-C3E20FDBD1A6}.exe

Executes dropped EXE 12 IoCs

pid	Process
4556	{A6C39628-8423-408d-915C-AB756AA1A67A}.exe
4932	{906A223C-67F0-4e66-B74F-78EBC89EBA07}.exe
3620	{812B4DA0-DA2A-40a5-A9B3-6F3A83C4D505}.exe
3364	{19440EF7-D784-44e4-8E01-C3E20FDBD1A6}.exe
2780	{B8B42E50-8D8E-4bbd-9B3C-4AD2E8D6C546}.exe
4760	{10C9B6F0-05F2-4d49-AD51-CAF58BAF3048}.exe
4544	{40B44F61-901E-456a-9134-FEA067852AF3}.exe
4928	{EB1E6DBB-69A1-48a3-B22C-E2B68A360080}.exe
4768	{8F2C275D-B8FC-4129-BA3B-EF455ABA4337}.exe
464	{3C6DDAEE-9EDF-4bb5-9ADA-8D8B11C08D5A}.exe
4280	{F205E457-93A7-4a28-8BEE-FEB2883F00A7}.exe
1948	{D51B027A-CDFC-4353-B751-AD692B83022E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A6C39628-8423-408d-915C-AB756AA1A67A}.exe	422568ff8f4136550d1cf128f7ecc1ae445ec4f909130f9d78fa2002607ceaeb_NeikiAnalytics.exe
File created	C:\Windows\{812B4DA0-DA2A-40a5-A9B3-6F3A83C4D505}.exe	{906A223C-67F0-4e66-B74F-78EBC89EBA07}.exe
File created	C:\Windows\{19440EF7-D784-44e4-8E01-C3E20FDBD1A6}.exe	{812B4DA0-DA2A-40a5-A9B3-6F3A83C4D505}.exe
File created	C:\Windows\{40B44F61-901E-456a-9134-FEA067852AF3}.exe	{10C9B6F0-05F2-4d49-AD51-CAF58BAF3048}.exe
File created	C:\Windows\{8F2C275D-B8FC-4129-BA3B-EF455ABA4337}.exe	{EB1E6DBB-69A1-48a3-B22C-E2B68A360080}.exe
File created	C:\Windows\{906A223C-67F0-4e66-B74F-78EBC89EBA07}.exe	{A6C39628-8423-408d-915C-AB756AA1A67A}.exe
File created	C:\Windows\{B8B42E50-8D8E-4bbd-9B3C-4AD2E8D6C546}.exe	{19440EF7-D784-44e4-8E01-C3E20FDBD1A6}.exe
File created	C:\Windows\{10C9B6F0-05F2-4d49-AD51-CAF58BAF3048}.exe	{B8B42E50-8D8E-4bbd-9B3C-4AD2E8D6C546}.exe
File created	C:\Windows\{EB1E6DBB-69A1-48a3-B22C-E2B68A360080}.exe	{40B44F61-901E-456a-9134-FEA067852AF3}.exe
File created	C:\Windows\{3C6DDAEE-9EDF-4bb5-9ADA-8D8B11C08D5A}.exe	{8F2C275D-B8FC-4129-BA3B-EF455ABA4337}.exe
File created	C:\Windows\{F205E457-93A7-4a28-8BEE-FEB2883F00A7}.exe	{3C6DDAEE-9EDF-4bb5-9ADA-8D8B11C08D5A}.exe
File created	C:\Windows\{D51B027A-CDFC-4353-B751-AD692B83022E}.exe	{F205E457-93A7-4a28-8BEE-FEB2883F00A7}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4488	422568ff8f4136550d1cf128f7ecc1ae445ec4f909130f9d78fa2002607ceaeb_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	4556	{A6C39628-8423-408d-915C-AB756AA1A67A}.exe
Token: SeIncBasePriorityPrivilege	4932	{906A223C-67F0-4e66-B74F-78EBC89EBA07}.exe
Token: SeIncBasePriorityPrivilege	3620	{812B4DA0-DA2A-40a5-A9B3-6F3A83C4D505}.exe
Token: SeIncBasePriorityPrivilege	3364	{19440EF7-D784-44e4-8E01-C3E20FDBD1A6}.exe
Token: SeIncBasePriorityPrivilege	2780	{B8B42E50-8D8E-4bbd-9B3C-4AD2E8D6C546}.exe
Token: SeIncBasePriorityPrivilege	4760	{10C9B6F0-05F2-4d49-AD51-CAF58BAF3048}.exe
Token: SeIncBasePriorityPrivilege	4544	{40B44F61-901E-456a-9134-FEA067852AF3}.exe
Token: SeIncBasePriorityPrivilege	4928	{EB1E6DBB-69A1-48a3-B22C-E2B68A360080}.exe
Token: SeIncBasePriorityPrivilege	4768	{8F2C275D-B8FC-4129-BA3B-EF455ABA4337}.exe
Token: SeIncBasePriorityPrivilege	464	{3C6DDAEE-9EDF-4bb5-9ADA-8D8B11C08D5A}.exe
Token: SeIncBasePriorityPrivilege	4280	{F205E457-93A7-4a28-8BEE-FEB2883F00A7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4488 wrote to memory of 4556	4488	422568ff8f4136550d1cf128f7ecc1ae445ec4f909130f9d78fa2002607ceaeb_NeikiAnalytics.exe	87
PID 4488 wrote to memory of 4556	4488	422568ff8f4136550d1cf128f7ecc1ae445ec4f909130f9d78fa2002607ceaeb_NeikiAnalytics.exe	87
PID 4488 wrote to memory of 4556	4488	422568ff8f4136550d1cf128f7ecc1ae445ec4f909130f9d78fa2002607ceaeb_NeikiAnalytics.exe	87
PID 4488 wrote to memory of 2752	4488	422568ff8f4136550d1cf128f7ecc1ae445ec4f909130f9d78fa2002607ceaeb_NeikiAnalytics.exe	88
PID 4488 wrote to memory of 2752	4488	422568ff8f4136550d1cf128f7ecc1ae445ec4f909130f9d78fa2002607ceaeb_NeikiAnalytics.exe	88
PID 4488 wrote to memory of 2752	4488	422568ff8f4136550d1cf128f7ecc1ae445ec4f909130f9d78fa2002607ceaeb_NeikiAnalytics.exe	88
PID 4556 wrote to memory of 4932	4556	{A6C39628-8423-408d-915C-AB756AA1A67A}.exe	89
PID 4556 wrote to memory of 4932	4556	{A6C39628-8423-408d-915C-AB756AA1A67A}.exe	89
PID 4556 wrote to memory of 4932	4556	{A6C39628-8423-408d-915C-AB756AA1A67A}.exe	89
PID 4556 wrote to memory of 908	4556	{A6C39628-8423-408d-915C-AB756AA1A67A}.exe	90
PID 4556 wrote to memory of 908	4556	{A6C39628-8423-408d-915C-AB756AA1A67A}.exe	90
PID 4556 wrote to memory of 908	4556	{A6C39628-8423-408d-915C-AB756AA1A67A}.exe	90
PID 4932 wrote to memory of 3620	4932	{906A223C-67F0-4e66-B74F-78EBC89EBA07}.exe	93
PID 4932 wrote to memory of 3620	4932	{906A223C-67F0-4e66-B74F-78EBC89EBA07}.exe	93
PID 4932 wrote to memory of 3620	4932	{906A223C-67F0-4e66-B74F-78EBC89EBA07}.exe	93
PID 4932 wrote to memory of 64	4932	{906A223C-67F0-4e66-B74F-78EBC89EBA07}.exe	94
PID 4932 wrote to memory of 64	4932	{906A223C-67F0-4e66-B74F-78EBC89EBA07}.exe	94
PID 4932 wrote to memory of 64	4932	{906A223C-67F0-4e66-B74F-78EBC89EBA07}.exe	94
PID 3620 wrote to memory of 3364	3620	{812B4DA0-DA2A-40a5-A9B3-6F3A83C4D505}.exe	95
PID 3620 wrote to memory of 3364	3620	{812B4DA0-DA2A-40a5-A9B3-6F3A83C4D505}.exe	95
PID 3620 wrote to memory of 3364	3620	{812B4DA0-DA2A-40a5-A9B3-6F3A83C4D505}.exe	95
PID 3620 wrote to memory of 3604	3620	{812B4DA0-DA2A-40a5-A9B3-6F3A83C4D505}.exe	96
PID 3620 wrote to memory of 3604	3620	{812B4DA0-DA2A-40a5-A9B3-6F3A83C4D505}.exe	96
PID 3620 wrote to memory of 3604	3620	{812B4DA0-DA2A-40a5-A9B3-6F3A83C4D505}.exe	96
PID 3364 wrote to memory of 2780	3364	{19440EF7-D784-44e4-8E01-C3E20FDBD1A6}.exe	97
PID 3364 wrote to memory of 2780	3364	{19440EF7-D784-44e4-8E01-C3E20FDBD1A6}.exe	97
PID 3364 wrote to memory of 2780	3364	{19440EF7-D784-44e4-8E01-C3E20FDBD1A6}.exe	97
PID 3364 wrote to memory of 4844	3364	{19440EF7-D784-44e4-8E01-C3E20FDBD1A6}.exe	98
PID 3364 wrote to memory of 4844	3364	{19440EF7-D784-44e4-8E01-C3E20FDBD1A6}.exe	98
PID 3364 wrote to memory of 4844	3364	{19440EF7-D784-44e4-8E01-C3E20FDBD1A6}.exe	98
PID 2780 wrote to memory of 4760	2780	{B8B42E50-8D8E-4bbd-9B3C-4AD2E8D6C546}.exe	99
PID 2780 wrote to memory of 4760	2780	{B8B42E50-8D8E-4bbd-9B3C-4AD2E8D6C546}.exe	99
PID 2780 wrote to memory of 4760	2780	{B8B42E50-8D8E-4bbd-9B3C-4AD2E8D6C546}.exe	99
PID 2780 wrote to memory of 3864	2780	{B8B42E50-8D8E-4bbd-9B3C-4AD2E8D6C546}.exe	100
PID 2780 wrote to memory of 3864	2780	{B8B42E50-8D8E-4bbd-9B3C-4AD2E8D6C546}.exe	100
PID 2780 wrote to memory of 3864	2780	{B8B42E50-8D8E-4bbd-9B3C-4AD2E8D6C546}.exe	100
PID 4760 wrote to memory of 4544	4760	{10C9B6F0-05F2-4d49-AD51-CAF58BAF3048}.exe	101
PID 4760 wrote to memory of 4544	4760	{10C9B6F0-05F2-4d49-AD51-CAF58BAF3048}.exe	101
PID 4760 wrote to memory of 4544	4760	{10C9B6F0-05F2-4d49-AD51-CAF58BAF3048}.exe	101
PID 4760 wrote to memory of 2952	4760	{10C9B6F0-05F2-4d49-AD51-CAF58BAF3048}.exe	102
PID 4760 wrote to memory of 2952	4760	{10C9B6F0-05F2-4d49-AD51-CAF58BAF3048}.exe	102
PID 4760 wrote to memory of 2952	4760	{10C9B6F0-05F2-4d49-AD51-CAF58BAF3048}.exe	102
PID 4544 wrote to memory of 4928	4544	{40B44F61-901E-456a-9134-FEA067852AF3}.exe	103
PID 4544 wrote to memory of 4928	4544	{40B44F61-901E-456a-9134-FEA067852AF3}.exe	103
PID 4544 wrote to memory of 4928	4544	{40B44F61-901E-456a-9134-FEA067852AF3}.exe	103
PID 4544 wrote to memory of 1240	4544	{40B44F61-901E-456a-9134-FEA067852AF3}.exe	104
PID 4544 wrote to memory of 1240	4544	{40B44F61-901E-456a-9134-FEA067852AF3}.exe	104
PID 4544 wrote to memory of 1240	4544	{40B44F61-901E-456a-9134-FEA067852AF3}.exe	104
PID 4928 wrote to memory of 4768	4928	{EB1E6DBB-69A1-48a3-B22C-E2B68A360080}.exe	105
PID 4928 wrote to memory of 4768	4928	{EB1E6DBB-69A1-48a3-B22C-E2B68A360080}.exe	105
PID 4928 wrote to memory of 4768	4928	{EB1E6DBB-69A1-48a3-B22C-E2B68A360080}.exe	105
PID 4928 wrote to memory of 4548	4928	{EB1E6DBB-69A1-48a3-B22C-E2B68A360080}.exe	106
PID 4928 wrote to memory of 4548	4928	{EB1E6DBB-69A1-48a3-B22C-E2B68A360080}.exe	106
PID 4928 wrote to memory of 4548	4928	{EB1E6DBB-69A1-48a3-B22C-E2B68A360080}.exe	106
PID 4768 wrote to memory of 464	4768	{8F2C275D-B8FC-4129-BA3B-EF455ABA4337}.exe	107
PID 4768 wrote to memory of 464	4768	{8F2C275D-B8FC-4129-BA3B-EF455ABA4337}.exe	107
PID 4768 wrote to memory of 464	4768	{8F2C275D-B8FC-4129-BA3B-EF455ABA4337}.exe	107
PID 4768 wrote to memory of 2092	4768	{8F2C275D-B8FC-4129-BA3B-EF455ABA4337}.exe	108
PID 4768 wrote to memory of 2092	4768	{8F2C275D-B8FC-4129-BA3B-EF455ABA4337}.exe	108
PID 4768 wrote to memory of 2092	4768	{8F2C275D-B8FC-4129-BA3B-EF455ABA4337}.exe	108
PID 464 wrote to memory of 4280	464	{3C6DDAEE-9EDF-4bb5-9ADA-8D8B11C08D5A}.exe	109
PID 464 wrote to memory of 4280	464	{3C6DDAEE-9EDF-4bb5-9ADA-8D8B11C08D5A}.exe	109
PID 464 wrote to memory of 4280	464	{3C6DDAEE-9EDF-4bb5-9ADA-8D8B11C08D5A}.exe	109
PID 464 wrote to memory of 652	464	{3C6DDAEE-9EDF-4bb5-9ADA-8D8B11C08D5A}.exe	110

C:\Users\Admin\AppData\Local\Temp\422568ff8f4136550d1cf128f7ecc1ae445ec4f909130f9d78fa2002607ceaeb_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\422568ff8f4136550d1cf128f7ecc1ae445ec4f909130f9d78fa2002607ceaeb_NeikiAnalytics.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4488
- C:\Windows\{A6C39628-8423-408d-915C-AB756AA1A67A}.exe
  C:\Windows\{A6C39628-8423-408d-915C-AB756AA1A67A}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Windows\{906A223C-67F0-4e66-B74F-78EBC89EBA07}.exe
    C:\Windows\{906A223C-67F0-4e66-B74F-78EBC89EBA07}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4932
  - - C:\Windows\{812B4DA0-DA2A-40a5-A9B3-6F3A83C4D505}.exe
      C:\Windows\{812B4DA0-DA2A-40a5-A9B3-6F3A83C4D505}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3620
    - - C:\Windows\{19440EF7-D784-44e4-8E01-C3E20FDBD1A6}.exe
        
        C:\Windows\{19440EF7-D784-44e4-8E01-C3E20FDBD1A6}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3364
      - C:\Windows\{B8B42E50-8D8E-4bbd-9B3C-4AD2E8D6C546}.exe
        
        C:\Windows\{B8B42E50-8D8E-4bbd-9B3C-4AD2E8D6C546}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\{10C9B6F0-05F2-4d49-AD51-CAF58BAF3048}.exe
        
        C:\Windows\{10C9B6F0-05F2-4d49-AD51-CAF58BAF3048}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\{40B44F61-901E-456a-9134-FEA067852AF3}.exe
        
        C:\Windows\{40B44F61-901E-456a-9134-FEA067852AF3}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\{EB1E6DBB-69A1-48a3-B22C-E2B68A360080}.exe
        
        C:\Windows\{EB1E6DBB-69A1-48a3-B22C-E2B68A360080}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\{8F2C275D-B8FC-4129-BA3B-EF455ABA4337}.exe
        
        C:\Windows\{8F2C275D-B8FC-4129-BA3B-EF455ABA4337}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\{3C6DDAEE-9EDF-4bb5-9ADA-8D8B11C08D5A}.exe
        
        C:\Windows\{3C6DDAEE-9EDF-4bb5-9ADA-8D8B11C08D5A}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\{F205E457-93A7-4a28-8BEE-FEB2883F00A7}.exe
        
        C:\Windows\{F205E457-93A7-4a28-8BEE-FEB2883F00A7}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4280
        
        C:\Windows\{D51B027A-CDFC-4353-B751-AD692B83022E}.exe
        
        C:\Windows\{D51B027A-CDFC-4353-B751-AD692B83022E}.exe
        13⤵
        Executes dropped EXE
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F205E~1.EXE > nul
        13⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C6DD~1.EXE > nul
        12⤵
        
        PID:652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F2C2~1.EXE > nul
        11⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB1E6~1.EXE > nul
        10⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40B44~1.EXE > nul
        9⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10C9B~1.EXE > nul
        8⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8B42~1.EXE > nul
        7⤵
        
        PID:3864
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19440~1.EXE > nul
        6⤵
        
        PID:4844
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{812B4~1.EXE > nul
        5⤵
        
        PID:3604
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{906A2~1.EXE > nul
      4⤵
      PID:64
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A6C39~1.EXE > nul
    3⤵
    PID:908
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\422568~1.EXE > nul
  2⤵
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{10C9B6F0-05F2-4d49-AD51-CAF58BAF3048}.exe

Filesize
89KB

MD5
6f6c92e458b7e6d55175580d32f8c39e

SHA1
2e63f381284ab4f9f2fa182ce21741dd539c8ae8

SHA256
38cb85b83772787579fccbe6701e453e2beba8cc9abd4aaa76d137a50b59310a

SHA512
bdf097f582379b94e0e0b6c21824ebd8efed6e9b6e52baf4bc52fa208028b1e0fcac86d5b59f84bf2b0382d99e5e0c354e7963de8523a17eabbfb0f0fe2f655c

Download Submit
C:\Windows\{19440EF7-D784-44e4-8E01-C3E20FDBD1A6}.exe

Filesize
89KB

MD5
693e66b5432a31b47c62d668b020746c

SHA1
1497491a27c6ac6bbaf5d1a1beb7f0ef16659b03

SHA256
132333ae0e8d4ba93dd6fd4179b3ce9d96063f8d993c57d3c26c9de52a9d62cc

SHA512
4cb353acfd2f5f8cbcad34ed8565262604f620ac80bf15fedadf4c3338ab3c1699cba9d229d1567a3a43b60e1ce2267af6f95b515bae572d352308718224ed49

Download Submit
C:\Windows\{3C6DDAEE-9EDF-4bb5-9ADA-8D8B11C08D5A}.exe

Filesize
89KB

MD5
b3af131bcc766e89919abe8db5c00e2f

SHA1
53a1326bc392a075ab069dd42be826e0030eca70

SHA256
efca44ffab2c85735e80e6b9d5aa2a1e9ac9abde2d8b74013ca2d7bdf25136b4

SHA512
b284372d550a6948323170bd2edbaa10f04256777e3aeaaa25eb280936db5da084be3437b4616568bf88c5687c99ebc7e8996511d7e9c3ed2149a8ee00f4f6da

Download Submit
C:\Windows\{40B44F61-901E-456a-9134-FEA067852AF3}.exe

Filesize
89KB

MD5
0c4ebd22e58b92c5b232249bc089da90

SHA1
94d64d6636875dfc945449056171b7b7e7b8ac56

SHA256
c61cc094f1f3fc0d39b7273e6c7059a3f9b9518ad74a52c0d665487732a26780

SHA512
9a857aef3d22e867a3e0f1fb0e3f8417a7ea5997915fc0afd0c4fac52d668822d1fb109eda5865e62bd665ccd4a27accf3517daf248828e52fe9336b23909438

Download Submit
C:\Windows\{812B4DA0-DA2A-40a5-A9B3-6F3A83C4D505}.exe

Filesize
89KB

MD5
cbba6575c040d6fedcfdbe6553e860b9

SHA1
7faae423ec741fb18bddf6d143f3e8ca0931a1d5

SHA256
e5f07a3d23b1bed4326c45cf69fae2eb6cbbda60f5f2aaff1448e69f65069218

SHA512
dcf9e20d3a82f679e6e8e54819b9628f1809946598ce9e3630e7922b31a42c5535db277f12a6dbaa37b3f645df44fb527ac6a01efbda390183082302c6bbb332

Download Submit
C:\Windows\{8F2C275D-B8FC-4129-BA3B-EF455ABA4337}.exe

Filesize
89KB

MD5
780752c85d4050bd003b7c118e1892ce

SHA1
e3b34c3db87d8b750fe6e57b5093fe5c3d075dea

SHA256
25a95e38e7ca9f9ba01a91f03d4eb1011c23dfcb144a0b0de97f389842433742

SHA512
6511ea5fb1c7715b3ae542202110a9398ea55bb850c784892bb5c780761186d759acd8dcb678f2cbd4469d21b64314d66e92da0b870f15174ec99757c7bf5452

Download Submit
C:\Windows\{906A223C-67F0-4e66-B74F-78EBC89EBA07}.exe

Filesize
89KB

MD5
3b94e19a83a1bcac6632d7a39733ac07

SHA1
7c544c08a33e170098d400e4ce674c64d1dae481

SHA256
26275861c9fc2189a774e9a329cd322557d8d56981c6837f9e8f5860bbe17e08

SHA512
62ad4a9e384455dad22394664ee0812e1321f2d1dca76796dac18b39c42ddbe6a2776bf01c48340e28433c6ea7262e34b36a166829c42478d53c437483201507

Download Submit
C:\Windows\{A6C39628-8423-408d-915C-AB756AA1A67A}.exe

Filesize
89KB

MD5
5c0f024064c1af51e7612af56bff4d82

SHA1
2ab3b76acbc406f6411f534c2ff0d94433bd77dc

SHA256
24a5177992f08a245a508e6c5d56ec738323b74de507cb8126a636ff93692634

SHA512
21f8a18a88286471231ed3cd6909d5ae00efa60085f82a8be19ac207b482b077c752edf0d644fc65956503af7333f3ca408caca0196f04d43ff504a569372742

Download Submit
C:\Windows\{B8B42E50-8D8E-4bbd-9B3C-4AD2E8D6C546}.exe

Filesize
89KB

MD5
3fb52120bb9a201a078649aee17a6133

SHA1
54d9a2dae2355c79551386ac206bad7107619da1

SHA256
e234ea32b050213ac4c9bf5b37c64cbde3fe3fd51bcc0f80df5c5bb69954de19

SHA512
16845e56a861ae7fe1e3f85c05cdcac581fa1fffb78828608d12555556a522c224304243bc0da4035e00f8b6d141f486e956fd8457725b827115a74c12bb5abb

Download Submit
C:\Windows\{D51B027A-CDFC-4353-B751-AD692B83022E}.exe

Filesize
89KB

MD5
422afc114c1257fa8c9119b14f3c0e7d

SHA1
9de6ba4132760b1858d85cc5bcdc341713a663d4

SHA256
ca3bcf374dfecbca016d81a77e8bf7d5547ffda31b89ff844372d1ad64ecbf99

SHA512
16558bb127e6ef1fcd0a04fd9cbf21366a9ae8ad5bb318156dcb7bc68b434a14a23933831efcf5559a49f709ac38bea6362ac728cf1e2f7a3cf5290ac082e114

Download Submit
C:\Windows\{EB1E6DBB-69A1-48a3-B22C-E2B68A360080}.exe

Filesize
89KB

MD5
d2a0219f0d569a75821866826cb10c1e

SHA1
086c710638dc60dfd10156aad718d70549ae9698

SHA256
8a9538fb7f1443a58e898da1694952a84cc3267aa46201183c9035ee23c71248

SHA512
5f708b3b38e123573a0d3116269958b61006efbd1fa9d3c6a83a42e96f61c91524e09aef8dc8509611b3c013887b47356feec5baca8109b9d982984ccccdcd69

Download Submit
C:\Windows\{F205E457-93A7-4a28-8BEE-FEB2883F00A7}.exe

Filesize
89KB

MD5
21b52f417025ebdb65494228687dd53f

SHA1
6b6e02391ac8576037c1ca084255fb792252d0b4

SHA256
9f75b8139bcb8211a8cce1df200152bcc001c7c04865b6c1a72e994472f6e9d7

SHA512
de3be773cb87f911809e6366d6c286fd07a8dc7351d7f94534a515e5facfd3d22e5dbf982b35679c8b1c0a0f034205ae45834571f91ef47a20a50546cff0e3e9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads