59209e715b96a991accfd386c66c0b37bbec34deb82ed88054600c0feeffa6fd

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59209e715b96a991accfd386c66c0b37bbec34deb82ed88054600c0feeffa6fd_NeikiAnalytics.exe
Size

88KB
MD5

ef5cf99c88e6f65cd2f435178e520900
SHA1

375971a32dc79e4ba787373948c4821d427af855
SHA256

59209e715b96a991accfd386c66c0b37bbec34deb82ed88054600c0feeffa6fd
SHA512

f8a2c319a22f62a6a9c923c371a86395c722213240250b0fe2ef52a0f62241755082a6358be3269b53804e1c7132f199d288f2859b5cd2dc9fe5a321641bb9e8
SSDEEP

768:uvw981E9hKQLrow4/wQDNrfrunMxVFA3r:aEGJ0owlYunMxVS3r

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8EDD126-8684-4805-8DDF-85CE668191AE}\stubpath = "C:\\Windows\\{E8EDD126-8684-4805-8DDF-85CE668191AE}.exe"	59209e715b96a991accfd386c66c0b37bbec34deb82ed88054600c0feeffa6fd_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B681EBB-31E0-4f3d-98FD-4BE5E8214945}	{F41AD4EA-051D-4069-9A5A-B45243D17DCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E90AAC3-1330-4522-A855-3E03916B8B1F}\stubpath = "C:\\Windows\\{1E90AAC3-1330-4522-A855-3E03916B8B1F}.exe"	{A926B710-39A4-47ab-A306-6CAF6FC02954}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA7682B2-52DC-4aef-8AA9-6F7FC6923751}	{D3FDF165-1EF0-4047-9553-F7A6BCB6F1F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA7682B2-52DC-4aef-8AA9-6F7FC6923751}\stubpath = "C:\\Windows\\{CA7682B2-52DC-4aef-8AA9-6F7FC6923751}.exe"	{D3FDF165-1EF0-4047-9553-F7A6BCB6F1F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{478F3ED4-5B32-420f-A30A-CEF9BC41C2AB}	{CA7682B2-52DC-4aef-8AA9-6F7FC6923751}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AFE8919-D41A-485e-979D-E7A4C7CFC061}\stubpath = "C:\\Windows\\{8AFE8919-D41A-485e-979D-E7A4C7CFC061}.exe"	{478F3ED4-5B32-420f-A30A-CEF9BC41C2AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8EDD126-8684-4805-8DDF-85CE668191AE}	59209e715b96a991accfd386c66c0b37bbec34deb82ed88054600c0feeffa6fd_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F41AD4EA-051D-4069-9A5A-B45243D17DCF}	{E8EDD126-8684-4805-8DDF-85CE668191AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2D923AD-EB72-439a-882D-9D628598EA0E}\stubpath = "C:\\Windows\\{F2D923AD-EB72-439a-882D-9D628598EA0E}.exe"	{1E90AAC3-1330-4522-A855-3E03916B8B1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3FDF165-1EF0-4047-9553-F7A6BCB6F1F5}	{F2D923AD-EB72-439a-882D-9D628598EA0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{478F3ED4-5B32-420f-A30A-CEF9BC41C2AB}\stubpath = "C:\\Windows\\{478F3ED4-5B32-420f-A30A-CEF9BC41C2AB}.exe"	{CA7682B2-52DC-4aef-8AA9-6F7FC6923751}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33EDEAB3-A9FE-4b2c-A6EE-74637C955805}	{8AFE8919-D41A-485e-979D-E7A4C7CFC061}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F41AD4EA-051D-4069-9A5A-B45243D17DCF}\stubpath = "C:\\Windows\\{F41AD4EA-051D-4069-9A5A-B45243D17DCF}.exe"	{E8EDD126-8684-4805-8DDF-85CE668191AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7B681EBB-31E0-4f3d-98FD-4BE5E8214945}\stubpath = "C:\\Windows\\{7B681EBB-31E0-4f3d-98FD-4BE5E8214945}.exe"	{F41AD4EA-051D-4069-9A5A-B45243D17DCF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A926B710-39A4-47ab-A306-6CAF6FC02954}	{7B681EBB-31E0-4f3d-98FD-4BE5E8214945}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3FDF165-1EF0-4047-9553-F7A6BCB6F1F5}\stubpath = "C:\\Windows\\{D3FDF165-1EF0-4047-9553-F7A6BCB6F1F5}.exe"	{F2D923AD-EB72-439a-882D-9D628598EA0E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AFE8919-D41A-485e-979D-E7A4C7CFC061}	{478F3ED4-5B32-420f-A30A-CEF9BC41C2AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A926B710-39A4-47ab-A306-6CAF6FC02954}\stubpath = "C:\\Windows\\{A926B710-39A4-47ab-A306-6CAF6FC02954}.exe"	{7B681EBB-31E0-4f3d-98FD-4BE5E8214945}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E90AAC3-1330-4522-A855-3E03916B8B1F}	{A926B710-39A4-47ab-A306-6CAF6FC02954}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F2D923AD-EB72-439a-882D-9D628598EA0E}	{1E90AAC3-1330-4522-A855-3E03916B8B1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{33EDEAB3-A9FE-4b2c-A6EE-74637C955805}\stubpath = "C:\\Windows\\{33EDEAB3-A9FE-4b2c-A6EE-74637C955805}.exe"	{8AFE8919-D41A-485e-979D-E7A4C7CFC061}.exe

Executes dropped EXE 11 IoCs

pid	Process
2948	{E8EDD126-8684-4805-8DDF-85CE668191AE}.exe
2580	{F41AD4EA-051D-4069-9A5A-B45243D17DCF}.exe
2732	{7B681EBB-31E0-4f3d-98FD-4BE5E8214945}.exe
2924	{A926B710-39A4-47ab-A306-6CAF6FC02954}.exe
944	{1E90AAC3-1330-4522-A855-3E03916B8B1F}.exe
1972	{F2D923AD-EB72-439a-882D-9D628598EA0E}.exe
1140	{D3FDF165-1EF0-4047-9553-F7A6BCB6F1F5}.exe
2412	{CA7682B2-52DC-4aef-8AA9-6F7FC6923751}.exe
876	{478F3ED4-5B32-420f-A30A-CEF9BC41C2AB}.exe
576	{8AFE8919-D41A-485e-979D-E7A4C7CFC061}.exe
1160	{33EDEAB3-A9FE-4b2c-A6EE-74637C955805}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A926B710-39A4-47ab-A306-6CAF6FC02954}.exe	{7B681EBB-31E0-4f3d-98FD-4BE5E8214945}.exe
File created	C:\Windows\{1E90AAC3-1330-4522-A855-3E03916B8B1F}.exe	{A926B710-39A4-47ab-A306-6CAF6FC02954}.exe
File created	C:\Windows\{F2D923AD-EB72-439a-882D-9D628598EA0E}.exe	{1E90AAC3-1330-4522-A855-3E03916B8B1F}.exe
File created	C:\Windows\{D3FDF165-1EF0-4047-9553-F7A6BCB6F1F5}.exe	{F2D923AD-EB72-439a-882D-9D628598EA0E}.exe
File created	C:\Windows\{8AFE8919-D41A-485e-979D-E7A4C7CFC061}.exe	{478F3ED4-5B32-420f-A30A-CEF9BC41C2AB}.exe
File created	C:\Windows\{33EDEAB3-A9FE-4b2c-A6EE-74637C955805}.exe	{8AFE8919-D41A-485e-979D-E7A4C7CFC061}.exe
File created	C:\Windows\{E8EDD126-8684-4805-8DDF-85CE668191AE}.exe	59209e715b96a991accfd386c66c0b37bbec34deb82ed88054600c0feeffa6fd_NeikiAnalytics.exe
File created	C:\Windows\{F41AD4EA-051D-4069-9A5A-B45243D17DCF}.exe	{E8EDD126-8684-4805-8DDF-85CE668191AE}.exe
File created	C:\Windows\{7B681EBB-31E0-4f3d-98FD-4BE5E8214945}.exe	{F41AD4EA-051D-4069-9A5A-B45243D17DCF}.exe
File created	C:\Windows\{CA7682B2-52DC-4aef-8AA9-6F7FC6923751}.exe	{D3FDF165-1EF0-4047-9553-F7A6BCB6F1F5}.exe
File created	C:\Windows\{478F3ED4-5B32-420f-A30A-CEF9BC41C2AB}.exe	{CA7682B2-52DC-4aef-8AA9-6F7FC6923751}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2880	59209e715b96a991accfd386c66c0b37bbec34deb82ed88054600c0feeffa6fd_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2948	{E8EDD126-8684-4805-8DDF-85CE668191AE}.exe
Token: SeIncBasePriorityPrivilege	2580	{F41AD4EA-051D-4069-9A5A-B45243D17DCF}.exe
Token: SeIncBasePriorityPrivilege	2732	{7B681EBB-31E0-4f3d-98FD-4BE5E8214945}.exe
Token: SeIncBasePriorityPrivilege	2924	{A926B710-39A4-47ab-A306-6CAF6FC02954}.exe
Token: SeIncBasePriorityPrivilege	944	{1E90AAC3-1330-4522-A855-3E03916B8B1F}.exe
Token: SeIncBasePriorityPrivilege	1972	{F2D923AD-EB72-439a-882D-9D628598EA0E}.exe
Token: SeIncBasePriorityPrivilege	1140	{D3FDF165-1EF0-4047-9553-F7A6BCB6F1F5}.exe
Token: SeIncBasePriorityPrivilege	2412	{CA7682B2-52DC-4aef-8AA9-6F7FC6923751}.exe
Token: SeIncBasePriorityPrivilege	876	{478F3ED4-5B32-420f-A30A-CEF9BC41C2AB}.exe
Token: SeIncBasePriorityPrivilege	576	{8AFE8919-D41A-485e-979D-E7A4C7CFC061}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2948	2880	59209e715b96a991accfd386c66c0b37bbec34deb82ed88054600c0feeffa6fd_NeikiAnalytics.exe	28
PID 2880 wrote to memory of 2948	2880	59209e715b96a991accfd386c66c0b37bbec34deb82ed88054600c0feeffa6fd_NeikiAnalytics.exe	28
PID 2880 wrote to memory of 2948	2880	59209e715b96a991accfd386c66c0b37bbec34deb82ed88054600c0feeffa6fd_NeikiAnalytics.exe	28
PID 2880 wrote to memory of 2948	2880	59209e715b96a991accfd386c66c0b37bbec34deb82ed88054600c0feeffa6fd_NeikiAnalytics.exe	28
PID 2880 wrote to memory of 3032	2880	59209e715b96a991accfd386c66c0b37bbec34deb82ed88054600c0feeffa6fd_NeikiAnalytics.exe	29
PID 2880 wrote to memory of 3032	2880	59209e715b96a991accfd386c66c0b37bbec34deb82ed88054600c0feeffa6fd_NeikiAnalytics.exe	29
PID 2880 wrote to memory of 3032	2880	59209e715b96a991accfd386c66c0b37bbec34deb82ed88054600c0feeffa6fd_NeikiAnalytics.exe	29
PID 2880 wrote to memory of 3032	2880	59209e715b96a991accfd386c66c0b37bbec34deb82ed88054600c0feeffa6fd_NeikiAnalytics.exe	29
PID 2948 wrote to memory of 2580	2948	{E8EDD126-8684-4805-8DDF-85CE668191AE}.exe	30
PID 2948 wrote to memory of 2580	2948	{E8EDD126-8684-4805-8DDF-85CE668191AE}.exe	30
PID 2948 wrote to memory of 2580	2948	{E8EDD126-8684-4805-8DDF-85CE668191AE}.exe	30
PID 2948 wrote to memory of 2580	2948	{E8EDD126-8684-4805-8DDF-85CE668191AE}.exe	30
PID 2948 wrote to memory of 2696	2948	{E8EDD126-8684-4805-8DDF-85CE668191AE}.exe	31
PID 2948 wrote to memory of 2696	2948	{E8EDD126-8684-4805-8DDF-85CE668191AE}.exe	31
PID 2948 wrote to memory of 2696	2948	{E8EDD126-8684-4805-8DDF-85CE668191AE}.exe	31
PID 2948 wrote to memory of 2696	2948	{E8EDD126-8684-4805-8DDF-85CE668191AE}.exe	31
PID 2580 wrote to memory of 2732	2580	{F41AD4EA-051D-4069-9A5A-B45243D17DCF}.exe	32
PID 2580 wrote to memory of 2732	2580	{F41AD4EA-051D-4069-9A5A-B45243D17DCF}.exe	32
PID 2580 wrote to memory of 2732	2580	{F41AD4EA-051D-4069-9A5A-B45243D17DCF}.exe	32
PID 2580 wrote to memory of 2732	2580	{F41AD4EA-051D-4069-9A5A-B45243D17DCF}.exe	32
PID 2580 wrote to memory of 2576	2580	{F41AD4EA-051D-4069-9A5A-B45243D17DCF}.exe	33
PID 2580 wrote to memory of 2576	2580	{F41AD4EA-051D-4069-9A5A-B45243D17DCF}.exe	33
PID 2580 wrote to memory of 2576	2580	{F41AD4EA-051D-4069-9A5A-B45243D17DCF}.exe	33
PID 2580 wrote to memory of 2576	2580	{F41AD4EA-051D-4069-9A5A-B45243D17DCF}.exe	33
PID 2732 wrote to memory of 2924	2732	{7B681EBB-31E0-4f3d-98FD-4BE5E8214945}.exe	36
PID 2732 wrote to memory of 2924	2732	{7B681EBB-31E0-4f3d-98FD-4BE5E8214945}.exe	36
PID 2732 wrote to memory of 2924	2732	{7B681EBB-31E0-4f3d-98FD-4BE5E8214945}.exe	36
PID 2732 wrote to memory of 2924	2732	{7B681EBB-31E0-4f3d-98FD-4BE5E8214945}.exe	36
PID 2732 wrote to memory of 1992	2732	{7B681EBB-31E0-4f3d-98FD-4BE5E8214945}.exe	37
PID 2732 wrote to memory of 1992	2732	{7B681EBB-31E0-4f3d-98FD-4BE5E8214945}.exe	37
PID 2732 wrote to memory of 1992	2732	{7B681EBB-31E0-4f3d-98FD-4BE5E8214945}.exe	37
PID 2732 wrote to memory of 1992	2732	{7B681EBB-31E0-4f3d-98FD-4BE5E8214945}.exe	37
PID 2924 wrote to memory of 944	2924	{A926B710-39A4-47ab-A306-6CAF6FC02954}.exe	38
PID 2924 wrote to memory of 944	2924	{A926B710-39A4-47ab-A306-6CAF6FC02954}.exe	38
PID 2924 wrote to memory of 944	2924	{A926B710-39A4-47ab-A306-6CAF6FC02954}.exe	38
PID 2924 wrote to memory of 944	2924	{A926B710-39A4-47ab-A306-6CAF6FC02954}.exe	38
PID 2924 wrote to memory of 2168	2924	{A926B710-39A4-47ab-A306-6CAF6FC02954}.exe	39
PID 2924 wrote to memory of 2168	2924	{A926B710-39A4-47ab-A306-6CAF6FC02954}.exe	39
PID 2924 wrote to memory of 2168	2924	{A926B710-39A4-47ab-A306-6CAF6FC02954}.exe	39
PID 2924 wrote to memory of 2168	2924	{A926B710-39A4-47ab-A306-6CAF6FC02954}.exe	39
PID 944 wrote to memory of 1972	944	{1E90AAC3-1330-4522-A855-3E03916B8B1F}.exe	40
PID 944 wrote to memory of 1972	944	{1E90AAC3-1330-4522-A855-3E03916B8B1F}.exe	40
PID 944 wrote to memory of 1972	944	{1E90AAC3-1330-4522-A855-3E03916B8B1F}.exe	40
PID 944 wrote to memory of 1972	944	{1E90AAC3-1330-4522-A855-3E03916B8B1F}.exe	40
PID 944 wrote to memory of 940	944	{1E90AAC3-1330-4522-A855-3E03916B8B1F}.exe	41
PID 944 wrote to memory of 940	944	{1E90AAC3-1330-4522-A855-3E03916B8B1F}.exe	41
PID 944 wrote to memory of 940	944	{1E90AAC3-1330-4522-A855-3E03916B8B1F}.exe	41
PID 944 wrote to memory of 940	944	{1E90AAC3-1330-4522-A855-3E03916B8B1F}.exe	41
PID 1972 wrote to memory of 1140	1972	{F2D923AD-EB72-439a-882D-9D628598EA0E}.exe	42
PID 1972 wrote to memory of 1140	1972	{F2D923AD-EB72-439a-882D-9D628598EA0E}.exe	42
PID 1972 wrote to memory of 1140	1972	{F2D923AD-EB72-439a-882D-9D628598EA0E}.exe	42
PID 1972 wrote to memory of 1140	1972	{F2D923AD-EB72-439a-882D-9D628598EA0E}.exe	42
PID 1972 wrote to memory of 1756	1972	{F2D923AD-EB72-439a-882D-9D628598EA0E}.exe	43
PID 1972 wrote to memory of 1756	1972	{F2D923AD-EB72-439a-882D-9D628598EA0E}.exe	43
PID 1972 wrote to memory of 1756	1972	{F2D923AD-EB72-439a-882D-9D628598EA0E}.exe	43
PID 1972 wrote to memory of 1756	1972	{F2D923AD-EB72-439a-882D-9D628598EA0E}.exe	43
PID 1140 wrote to memory of 2412	1140	{D3FDF165-1EF0-4047-9553-F7A6BCB6F1F5}.exe	44
PID 1140 wrote to memory of 2412	1140	{D3FDF165-1EF0-4047-9553-F7A6BCB6F1F5}.exe	44
PID 1140 wrote to memory of 2412	1140	{D3FDF165-1EF0-4047-9553-F7A6BCB6F1F5}.exe	44
PID 1140 wrote to memory of 2412	1140	{D3FDF165-1EF0-4047-9553-F7A6BCB6F1F5}.exe	44
PID 1140 wrote to memory of 2904	1140	{D3FDF165-1EF0-4047-9553-F7A6BCB6F1F5}.exe	45
PID 1140 wrote to memory of 2904	1140	{D3FDF165-1EF0-4047-9553-F7A6BCB6F1F5}.exe	45
PID 1140 wrote to memory of 2904	1140	{D3FDF165-1EF0-4047-9553-F7A6BCB6F1F5}.exe	45
PID 1140 wrote to memory of 2904	1140	{D3FDF165-1EF0-4047-9553-F7A6BCB6F1F5}.exe	45

C:\Users\Admin\AppData\Local\Temp\59209e715b96a991accfd386c66c0b37bbec34deb82ed88054600c0feeffa6fd_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\59209e715b96a991accfd386c66c0b37bbec34deb82ed88054600c0feeffa6fd_NeikiAnalytics.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\{E8EDD126-8684-4805-8DDF-85CE668191AE}.exe
  C:\Windows\{E8EDD126-8684-4805-8DDF-85CE668191AE}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\{F41AD4EA-051D-4069-9A5A-B45243D17DCF}.exe
    C:\Windows\{F41AD4EA-051D-4069-9A5A-B45243D17DCF}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\{7B681EBB-31E0-4f3d-98FD-4BE5E8214945}.exe
      C:\Windows\{7B681EBB-31E0-4f3d-98FD-4BE5E8214945}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\{A926B710-39A4-47ab-A306-6CAF6FC02954}.exe
        
        C:\Windows\{A926B710-39A4-47ab-A306-6CAF6FC02954}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
      - C:\Windows\{1E90AAC3-1330-4522-A855-3E03916B8B1F}.exe
        
        C:\Windows\{1E90AAC3-1330-4522-A855-3E03916B8B1F}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\{F2D923AD-EB72-439a-882D-9D628598EA0E}.exe
        
        C:\Windows\{F2D923AD-EB72-439a-882D-9D628598EA0E}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\{D3FDF165-1EF0-4047-9553-F7A6BCB6F1F5}.exe
        
        C:\Windows\{D3FDF165-1EF0-4047-9553-F7A6BCB6F1F5}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\{CA7682B2-52DC-4aef-8AA9-6F7FC6923751}.exe
        
        C:\Windows\{CA7682B2-52DC-4aef-8AA9-6F7FC6923751}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
        
        C:\Windows\{478F3ED4-5B32-420f-A30A-CEF9BC41C2AB}.exe
        
        C:\Windows\{478F3ED4-5B32-420f-A30A-CEF9BC41C2AB}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
        
        C:\Windows\{8AFE8919-D41A-485e-979D-E7A4C7CFC061}.exe
        
        C:\Windows\{8AFE8919-D41A-485e-979D-E7A4C7CFC061}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
        
        C:\Windows\{33EDEAB3-A9FE-4b2c-A6EE-74637C955805}.exe
        
        C:\Windows\{33EDEAB3-A9FE-4b2c-A6EE-74637C955805}.exe
        12⤵
        Executes dropped EXE
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8AFE8~1.EXE > nul
        12⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{478F3~1.EXE > nul
        11⤵
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA768~1.EXE > nul
        10⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3FDF~1.EXE > nul
        9⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2D92~1.EXE > nul
        8⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E90A~1.EXE > nul
        7⤵
        
        PID:940
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A926B~1.EXE > nul
        6⤵
        
        PID:2168
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B681~1.EXE > nul
        5⤵
        
        PID:1992
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F41AD~1.EXE > nul
      4⤵
      PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E8EDD~1.EXE > nul
    3⤵
    PID:2696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\59209E~1.EXE > nul
  2⤵
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1E90AAC3-1330-4522-A855-3E03916B8B1F}.exe

Filesize
88KB

MD5
688d3f42374787bbef2bfd59fca95e34

SHA1
b6849dda124af20081837816b4c2def71fbe2591

SHA256
12c2513fc4ff892e59147726d88e1953ed0402bb3b05ca5982bfc61c0ab3c65e

SHA512
5c06f5fe5f632267dfd0c7bfe483440263da28931e2cbf1b728bce9be0089ab3dda117b8ecc9c462ed8e697099ca67302490ca1251ff665d2d29128886dd6f2e

Download Submit
C:\Windows\{33EDEAB3-A9FE-4b2c-A6EE-74637C955805}.exe

Filesize
88KB

MD5
4ebd0b66b9cddb0357cbe21ba0babcf0

SHA1
af59efc34f36ef48fe9545546e4739c88ba7638b

SHA256
180a8b5d512016c796be0935ed1a32c41f36f5f7a3091f93573e0b33aac488c3

SHA512
c08df32179bca582f47b68e61054a8d3d51b98214e0dab9aff0a3abe423fe9edaf5460ef8010f2a964662bc8d4f8cb9e286fba1d22b9cd4c93ac7d1054bf1274

Download Submit
C:\Windows\{478F3ED4-5B32-420f-A30A-CEF9BC41C2AB}.exe

Filesize
88KB

MD5
173f7fe0e6d305f4f574860c03d36777

SHA1
8062d939178f9a550fabe68f8a0cd6a7bb31deda

SHA256
2f4f55fd7bfae6daa51639ede667fd2bc218307e79c1129056ddb2578da11a70

SHA512
ae43e1479c205de1ff4d6a2616354061f437c0bee3057683e3e116e8f490729eb3cf7061b32fe63513aa61f3c3d1959a45f7de63eb97d89f39e008d19b0adb4a

Download Submit
C:\Windows\{7B681EBB-31E0-4f3d-98FD-4BE5E8214945}.exe

Filesize
88KB

MD5
3938e694ec37c5765768b4c85711276b

SHA1
de0df57ba30ad4987e83c4caca70cd05725e73a8

SHA256
eecbde74eacf2d5be9094e7593d3f4022bd4881651bf0098c20db996f39983ec

SHA512
e0107d344ef52241e1abd6879ed21c047d9d68413f700cf2674983f5fd2a0f1182c45d104f0048e8e1e6edb1dcd5b350c15f24c4c7afde5d83ad5e30cd73a4e2

Download Submit
C:\Windows\{8AFE8919-D41A-485e-979D-E7A4C7CFC061}.exe

Filesize
88KB

MD5
1575bd61ac9f1c7030f9d64eec2291c3

SHA1
675c5389c3783d7c6d5b6f6fd42d01d9cf3726fb

SHA256
5f06b7b4814f4f0478adcb7e75cae7f4a14607cc097d6ab845804d39dc7e737b

SHA512
631df5fc51e3b1752371c51dd37bd31043594de78b23f736b8d3ab08c3f9be2e3de1405630eac952b4a45dcf9fd9bdf0c91962b2a5dbed0bbdf78bb35872b89d

Download Submit
C:\Windows\{A926B710-39A4-47ab-A306-6CAF6FC02954}.exe

Filesize
88KB

MD5
c8a1e0bc14df44cda37ef697e0ab0b1d

SHA1
edc52a1d770cfd3563a86104d247322a73f8e020

SHA256
30146517b0515b3eaa432689368db34fec529e0a0fbbfac98a27682b4771cf5e

SHA512
24a788edbee17953e613a46575803c8bc3ca8e481acfd019d42ac3a3680b1edf4ca087dc577ec551244545966607881a4a591ad56ea1f449da5f67cdc91a3560

Download Submit
C:\Windows\{CA7682B2-52DC-4aef-8AA9-6F7FC6923751}.exe

Filesize
88KB

MD5
c1b1af80c9783e73511cb5b44818b552

SHA1
4cf43ce7bfe5883f0056197ad4a19371a28ccad5

SHA256
e489605ed3f7f88831c1dcd505bb05ee1eb55f770f060995a2944924b7376942

SHA512
13433881cb842eadce6881864d09cecc5f06acaccafdf47e580a8027ce7c53568b8aec5259b9cd1d4a35cf6b7a91d517ee6d5607b62d1187b5f9bd53eafcd9f7

Download Submit
C:\Windows\{D3FDF165-1EF0-4047-9553-F7A6BCB6F1F5}.exe

Filesize
88KB

MD5
a5f1de8e7107a001a764294c87f2ed8e

SHA1
61f905797ccbafd1026ee6feed44668fa4504805

SHA256
3878c205a6d2bc969a295e706df00f2a200ff9135f6dd4408755e9c0ebfc02bb

SHA512
fb548780422d2dcb417be0fd21128bb156e791368a3b2406eae700cbfefd07b70c6def37914ae9756a6ee408b07064dc1daf4a208831c5ffadd8865f4e393a39

Download Submit
C:\Windows\{E8EDD126-8684-4805-8DDF-85CE668191AE}.exe

Filesize
88KB

MD5
ca098cc19898ff9750eb8db2b82b737c

SHA1
0f9e115014dd03895f457397a277461005ce2627

SHA256
13144ad65e8b2c90de07e7c091c88a3158b14ea6b7caf1fcbc043a04627ee892

SHA512
c664eb06b9fc7aada5e30750a0d48024dae43c934345081eef16768c0386c88cebe5d16e24e89e70d60d32bbf5f6b056fc030f4ab64637712c9333ffa65a3260

Download Submit
C:\Windows\{F2D923AD-EB72-439a-882D-9D628598EA0E}.exe

Filesize
88KB

MD5
1a586837b80206fdce8d3d081552a47c

SHA1
aa12f2c174d107e325936ef0ec6fa1211108ccdd

SHA256
ce004d9f7075acb2b2f189919563aebf7f9e0da3f6fd6a223b19b4888c8e3080

SHA512
90e75d0b9583eb697f55a34af7fd3d32db0ed7f69b5f1541e31634261a9cfdba2b9a0372a451ce881b64ae5f648ef049207505e491121e6f3b46ee526ef7e4ce

Download Submit
C:\Windows\{F41AD4EA-051D-4069-9A5A-B45243D17DCF}.exe

Filesize
88KB

MD5
684a183c517e8bbd95c91a24cccf764d

SHA1
e07f6aff30f74cd8561f6d1a2e31bb6121d275a5

SHA256
72b0d4151b2ea1a13c664d9a23ba89c3ed4bd3e0e69841201a0ff7fbc6dce34f

SHA512
58759a22929f835c9995d9fa72443efbab44d753a27cbab29bb78d6be7c6410d0c03587805b3d12366beb430340726b19fca4c32132ad2ea95b71cac1fec40b3

Download Submit
memory/576-98-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/876-89-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/876-82-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/944-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/944-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1140-71-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1972-63-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1972-56-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2412-73-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2412-80-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2580-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2580-26-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2732-36-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download
memory/2732-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2880-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2880-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2880-8-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/2880-3-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/2924-45-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2924-46-0x0000000001BE0000-0x0000000001BF1000-memory.dmp

Filesize
68KB

Download
memory/2924-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2948-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2948-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads