59209e715b96a991accfd386c66c0b37bbec34deb82ed88054600c0feeffa6fd

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59209e715b96a991accfd386c66c0b37bbec34deb82ed88054600c0feeffa6fd_NeikiAnalytics.exe
Size

88KB
MD5

ef5cf99c88e6f65cd2f435178e520900
SHA1

375971a32dc79e4ba787373948c4821d427af855
SHA256

59209e715b96a991accfd386c66c0b37bbec34deb82ed88054600c0feeffa6fd
SHA512

f8a2c319a22f62a6a9c923c371a86395c722213240250b0fe2ef52a0f62241755082a6358be3269b53804e1c7132f199d288f2859b5cd2dc9fe5a321641bb9e8
SSDEEP

768:uvw981E9hKQLrow4/wQDNrfrunMxVFA3r:aEGJ0owlYunMxVS3r

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB0B1543-FC14-497f-83BF-182C1DF3CFBC}	{CDBA3AFE-9F07-49eb-AF68-6730359C84F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA750550-4D2B-4059-95A8-67DECB4F266C}\stubpath = "C:\\Windows\\{CA750550-4D2B-4059-95A8-67DECB4F266C}.exe"	59209e715b96a991accfd386c66c0b37bbec34deb82ed88054600c0feeffa6fd_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAC9E59C-9A81-46ff-8040-C92C8964BEE0}\stubpath = "C:\\Windows\\{BAC9E59C-9A81-46ff-8040-C92C8964BEE0}.exe"	{B869CE23-C9FB-481b-8262-31CA590B3E70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85E223AD-BEAF-4927-A7B9-63A565C5465A}	{E429D1E8-DF3B-48d0-AB9C-4DE89FA51468}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85E223AD-BEAF-4927-A7B9-63A565C5465A}\stubpath = "C:\\Windows\\{85E223AD-BEAF-4927-A7B9-63A565C5465A}.exe"	{E429D1E8-DF3B-48d0-AB9C-4DE89FA51468}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{336A1EA9-7AD1-4fc3-AF95-9825C190275E}	{E5AAB54F-D8E8-4064-B339-08DE748C8787}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7B3AF76-17FA-41ee-B993-F8F142CB6E71}\stubpath = "C:\\Windows\\{A7B3AF76-17FA-41ee-B993-F8F142CB6E71}.exe"	{336A1EA9-7AD1-4fc3-AF95-9825C190275E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDBA3AFE-9F07-49eb-AF68-6730359C84F2}	{03B0F7B3-C5FA-4e5e-AF2F-6EDD3A8B514C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB0B1543-FC14-497f-83BF-182C1DF3CFBC}\stubpath = "C:\\Windows\\{BB0B1543-FC14-497f-83BF-182C1DF3CFBC}.exe"	{CDBA3AFE-9F07-49eb-AF68-6730359C84F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA750550-4D2B-4059-95A8-67DECB4F266C}	59209e715b96a991accfd386c66c0b37bbec34deb82ed88054600c0feeffa6fd_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BAC9E59C-9A81-46ff-8040-C92C8964BEE0}	{B869CE23-C9FB-481b-8262-31CA590B3E70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E429D1E8-DF3B-48d0-AB9C-4DE89FA51468}\stubpath = "C:\\Windows\\{E429D1E8-DF3B-48d0-AB9C-4DE89FA51468}.exe"	{BAC9E59C-9A81-46ff-8040-C92C8964BEE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5AAB54F-D8E8-4064-B339-08DE748C8787}\stubpath = "C:\\Windows\\{E5AAB54F-D8E8-4064-B339-08DE748C8787}.exe"	{85E223AD-BEAF-4927-A7B9-63A565C5465A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{336A1EA9-7AD1-4fc3-AF95-9825C190275E}\stubpath = "C:\\Windows\\{336A1EA9-7AD1-4fc3-AF95-9825C190275E}.exe"	{E5AAB54F-D8E8-4064-B339-08DE748C8787}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E00C1510-5170-49f6-BD91-2338128E00B7}\stubpath = "C:\\Windows\\{E00C1510-5170-49f6-BD91-2338128E00B7}.exe"	{BB0B1543-FC14-497f-83BF-182C1DF3CFBC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B869CE23-C9FB-481b-8262-31CA590B3E70}\stubpath = "C:\\Windows\\{B869CE23-C9FB-481b-8262-31CA590B3E70}.exe"	{CA750550-4D2B-4059-95A8-67DECB4F266C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03B0F7B3-C5FA-4e5e-AF2F-6EDD3A8B514C}	{A7B3AF76-17FA-41ee-B993-F8F142CB6E71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E00C1510-5170-49f6-BD91-2338128E00B7}	{BB0B1543-FC14-497f-83BF-182C1DF3CFBC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDBA3AFE-9F07-49eb-AF68-6730359C84F2}\stubpath = "C:\\Windows\\{CDBA3AFE-9F07-49eb-AF68-6730359C84F2}.exe"	{03B0F7B3-C5FA-4e5e-AF2F-6EDD3A8B514C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B869CE23-C9FB-481b-8262-31CA590B3E70}	{CA750550-4D2B-4059-95A8-67DECB4F266C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E429D1E8-DF3B-48d0-AB9C-4DE89FA51468}	{BAC9E59C-9A81-46ff-8040-C92C8964BEE0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5AAB54F-D8E8-4064-B339-08DE748C8787}	{85E223AD-BEAF-4927-A7B9-63A565C5465A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7B3AF76-17FA-41ee-B993-F8F142CB6E71}	{336A1EA9-7AD1-4fc3-AF95-9825C190275E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03B0F7B3-C5FA-4e5e-AF2F-6EDD3A8B514C}\stubpath = "C:\\Windows\\{03B0F7B3-C5FA-4e5e-AF2F-6EDD3A8B514C}.exe"	{A7B3AF76-17FA-41ee-B993-F8F142CB6E71}.exe

Executes dropped EXE 12 IoCs

pid	Process
3044	{CA750550-4D2B-4059-95A8-67DECB4F266C}.exe
4640	{B869CE23-C9FB-481b-8262-31CA590B3E70}.exe
4964	{BAC9E59C-9A81-46ff-8040-C92C8964BEE0}.exe
1092	{E429D1E8-DF3B-48d0-AB9C-4DE89FA51468}.exe
1168	{85E223AD-BEAF-4927-A7B9-63A565C5465A}.exe
4800	{E5AAB54F-D8E8-4064-B339-08DE748C8787}.exe
2844	{336A1EA9-7AD1-4fc3-AF95-9825C190275E}.exe
1780	{A7B3AF76-17FA-41ee-B993-F8F142CB6E71}.exe
2196	{03B0F7B3-C5FA-4e5e-AF2F-6EDD3A8B514C}.exe
4524	{CDBA3AFE-9F07-49eb-AF68-6730359C84F2}.exe
2348	{BB0B1543-FC14-497f-83BF-182C1DF3CFBC}.exe
992	{E00C1510-5170-49f6-BD91-2338128E00B7}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E429D1E8-DF3B-48d0-AB9C-4DE89FA51468}.exe	{BAC9E59C-9A81-46ff-8040-C92C8964BEE0}.exe
File created	C:\Windows\{85E223AD-BEAF-4927-A7B9-63A565C5465A}.exe	{E429D1E8-DF3B-48d0-AB9C-4DE89FA51468}.exe
File created	C:\Windows\{E5AAB54F-D8E8-4064-B339-08DE748C8787}.exe	{85E223AD-BEAF-4927-A7B9-63A565C5465A}.exe
File created	C:\Windows\{A7B3AF76-17FA-41ee-B993-F8F142CB6E71}.exe	{336A1EA9-7AD1-4fc3-AF95-9825C190275E}.exe
File created	C:\Windows\{B869CE23-C9FB-481b-8262-31CA590B3E70}.exe	{CA750550-4D2B-4059-95A8-67DECB4F266C}.exe
File created	C:\Windows\{BAC9E59C-9A81-46ff-8040-C92C8964BEE0}.exe	{B869CE23-C9FB-481b-8262-31CA590B3E70}.exe
File created	C:\Windows\{03B0F7B3-C5FA-4e5e-AF2F-6EDD3A8B514C}.exe	{A7B3AF76-17FA-41ee-B993-F8F142CB6E71}.exe
File created	C:\Windows\{CDBA3AFE-9F07-49eb-AF68-6730359C84F2}.exe	{03B0F7B3-C5FA-4e5e-AF2F-6EDD3A8B514C}.exe
File created	C:\Windows\{BB0B1543-FC14-497f-83BF-182C1DF3CFBC}.exe	{CDBA3AFE-9F07-49eb-AF68-6730359C84F2}.exe
File created	C:\Windows\{E00C1510-5170-49f6-BD91-2338128E00B7}.exe	{BB0B1543-FC14-497f-83BF-182C1DF3CFBC}.exe
File created	C:\Windows\{CA750550-4D2B-4059-95A8-67DECB4F266C}.exe	59209e715b96a991accfd386c66c0b37bbec34deb82ed88054600c0feeffa6fd_NeikiAnalytics.exe
File created	C:\Windows\{336A1EA9-7AD1-4fc3-AF95-9825C190275E}.exe	{E5AAB54F-D8E8-4064-B339-08DE748C8787}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2984	59209e715b96a991accfd386c66c0b37bbec34deb82ed88054600c0feeffa6fd_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	3044	{CA750550-4D2B-4059-95A8-67DECB4F266C}.exe
Token: SeIncBasePriorityPrivilege	4640	{B869CE23-C9FB-481b-8262-31CA590B3E70}.exe
Token: SeIncBasePriorityPrivilege	4964	{BAC9E59C-9A81-46ff-8040-C92C8964BEE0}.exe
Token: SeIncBasePriorityPrivilege	1092	{E429D1E8-DF3B-48d0-AB9C-4DE89FA51468}.exe
Token: SeIncBasePriorityPrivilege	1168	{85E223AD-BEAF-4927-A7B9-63A565C5465A}.exe
Token: SeIncBasePriorityPrivilege	4800	{E5AAB54F-D8E8-4064-B339-08DE748C8787}.exe
Token: SeIncBasePriorityPrivilege	2844	{336A1EA9-7AD1-4fc3-AF95-9825C190275E}.exe
Token: SeIncBasePriorityPrivilege	1780	{A7B3AF76-17FA-41ee-B993-F8F142CB6E71}.exe
Token: SeIncBasePriorityPrivilege	2196	{03B0F7B3-C5FA-4e5e-AF2F-6EDD3A8B514C}.exe
Token: SeIncBasePriorityPrivilege	4524	{CDBA3AFE-9F07-49eb-AF68-6730359C84F2}.exe
Token: SeIncBasePriorityPrivilege	2348	{BB0B1543-FC14-497f-83BF-182C1DF3CFBC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 3044	2984	59209e715b96a991accfd386c66c0b37bbec34deb82ed88054600c0feeffa6fd_NeikiAnalytics.exe	95
PID 2984 wrote to memory of 3044	2984	59209e715b96a991accfd386c66c0b37bbec34deb82ed88054600c0feeffa6fd_NeikiAnalytics.exe	95
PID 2984 wrote to memory of 3044	2984	59209e715b96a991accfd386c66c0b37bbec34deb82ed88054600c0feeffa6fd_NeikiAnalytics.exe	95
PID 2984 wrote to memory of 3212	2984	59209e715b96a991accfd386c66c0b37bbec34deb82ed88054600c0feeffa6fd_NeikiAnalytics.exe	96
PID 2984 wrote to memory of 3212	2984	59209e715b96a991accfd386c66c0b37bbec34deb82ed88054600c0feeffa6fd_NeikiAnalytics.exe	96
PID 2984 wrote to memory of 3212	2984	59209e715b96a991accfd386c66c0b37bbec34deb82ed88054600c0feeffa6fd_NeikiAnalytics.exe	96
PID 3044 wrote to memory of 4640	3044	{CA750550-4D2B-4059-95A8-67DECB4F266C}.exe	97
PID 3044 wrote to memory of 4640	3044	{CA750550-4D2B-4059-95A8-67DECB4F266C}.exe	97
PID 3044 wrote to memory of 4640	3044	{CA750550-4D2B-4059-95A8-67DECB4F266C}.exe	97
PID 3044 wrote to memory of 4176	3044	{CA750550-4D2B-4059-95A8-67DECB4F266C}.exe	98
PID 3044 wrote to memory of 4176	3044	{CA750550-4D2B-4059-95A8-67DECB4F266C}.exe	98
PID 3044 wrote to memory of 4176	3044	{CA750550-4D2B-4059-95A8-67DECB4F266C}.exe	98
PID 4640 wrote to memory of 4964	4640	{B869CE23-C9FB-481b-8262-31CA590B3E70}.exe	102
PID 4640 wrote to memory of 4964	4640	{B869CE23-C9FB-481b-8262-31CA590B3E70}.exe	102
PID 4640 wrote to memory of 4964	4640	{B869CE23-C9FB-481b-8262-31CA590B3E70}.exe	102
PID 4640 wrote to memory of 2872	4640	{B869CE23-C9FB-481b-8262-31CA590B3E70}.exe	103
PID 4640 wrote to memory of 2872	4640	{B869CE23-C9FB-481b-8262-31CA590B3E70}.exe	103
PID 4640 wrote to memory of 2872	4640	{B869CE23-C9FB-481b-8262-31CA590B3E70}.exe	103
PID 4964 wrote to memory of 1092	4964	{BAC9E59C-9A81-46ff-8040-C92C8964BEE0}.exe	104
PID 4964 wrote to memory of 1092	4964	{BAC9E59C-9A81-46ff-8040-C92C8964BEE0}.exe	104
PID 4964 wrote to memory of 1092	4964	{BAC9E59C-9A81-46ff-8040-C92C8964BEE0}.exe	104
PID 4964 wrote to memory of 3496	4964	{BAC9E59C-9A81-46ff-8040-C92C8964BEE0}.exe	105
PID 4964 wrote to memory of 3496	4964	{BAC9E59C-9A81-46ff-8040-C92C8964BEE0}.exe	105
PID 4964 wrote to memory of 3496	4964	{BAC9E59C-9A81-46ff-8040-C92C8964BEE0}.exe	105
PID 1092 wrote to memory of 1168	1092	{E429D1E8-DF3B-48d0-AB9C-4DE89FA51468}.exe	107
PID 1092 wrote to memory of 1168	1092	{E429D1E8-DF3B-48d0-AB9C-4DE89FA51468}.exe	107
PID 1092 wrote to memory of 1168	1092	{E429D1E8-DF3B-48d0-AB9C-4DE89FA51468}.exe	107
PID 1092 wrote to memory of 1264	1092	{E429D1E8-DF3B-48d0-AB9C-4DE89FA51468}.exe	108
PID 1092 wrote to memory of 1264	1092	{E429D1E8-DF3B-48d0-AB9C-4DE89FA51468}.exe	108
PID 1092 wrote to memory of 1264	1092	{E429D1E8-DF3B-48d0-AB9C-4DE89FA51468}.exe	108
PID 1168 wrote to memory of 4800	1168	{85E223AD-BEAF-4927-A7B9-63A565C5465A}.exe	109
PID 1168 wrote to memory of 4800	1168	{85E223AD-BEAF-4927-A7B9-63A565C5465A}.exe	109
PID 1168 wrote to memory of 4800	1168	{85E223AD-BEAF-4927-A7B9-63A565C5465A}.exe	109
PID 1168 wrote to memory of 3208	1168	{85E223AD-BEAF-4927-A7B9-63A565C5465A}.exe	110
PID 1168 wrote to memory of 3208	1168	{85E223AD-BEAF-4927-A7B9-63A565C5465A}.exe	110
PID 1168 wrote to memory of 3208	1168	{85E223AD-BEAF-4927-A7B9-63A565C5465A}.exe	110
PID 4800 wrote to memory of 2844	4800	{E5AAB54F-D8E8-4064-B339-08DE748C8787}.exe	111
PID 4800 wrote to memory of 2844	4800	{E5AAB54F-D8E8-4064-B339-08DE748C8787}.exe	111
PID 4800 wrote to memory of 2844	4800	{E5AAB54F-D8E8-4064-B339-08DE748C8787}.exe	111
PID 4800 wrote to memory of 2584	4800	{E5AAB54F-D8E8-4064-B339-08DE748C8787}.exe	112
PID 4800 wrote to memory of 2584	4800	{E5AAB54F-D8E8-4064-B339-08DE748C8787}.exe	112
PID 4800 wrote to memory of 2584	4800	{E5AAB54F-D8E8-4064-B339-08DE748C8787}.exe	112
PID 2844 wrote to memory of 1780	2844	{336A1EA9-7AD1-4fc3-AF95-9825C190275E}.exe	120
PID 2844 wrote to memory of 1780	2844	{336A1EA9-7AD1-4fc3-AF95-9825C190275E}.exe	120
PID 2844 wrote to memory of 1780	2844	{336A1EA9-7AD1-4fc3-AF95-9825C190275E}.exe	120
PID 2844 wrote to memory of 5072	2844	{336A1EA9-7AD1-4fc3-AF95-9825C190275E}.exe	121
PID 2844 wrote to memory of 5072	2844	{336A1EA9-7AD1-4fc3-AF95-9825C190275E}.exe	121
PID 2844 wrote to memory of 5072	2844	{336A1EA9-7AD1-4fc3-AF95-9825C190275E}.exe	121
PID 1780 wrote to memory of 2196	1780	{A7B3AF76-17FA-41ee-B993-F8F142CB6E71}.exe	122
PID 1780 wrote to memory of 2196	1780	{A7B3AF76-17FA-41ee-B993-F8F142CB6E71}.exe	122
PID 1780 wrote to memory of 2196	1780	{A7B3AF76-17FA-41ee-B993-F8F142CB6E71}.exe	122
PID 1780 wrote to memory of 2400	1780	{A7B3AF76-17FA-41ee-B993-F8F142CB6E71}.exe	123
PID 1780 wrote to memory of 2400	1780	{A7B3AF76-17FA-41ee-B993-F8F142CB6E71}.exe	123
PID 1780 wrote to memory of 2400	1780	{A7B3AF76-17FA-41ee-B993-F8F142CB6E71}.exe	123
PID 2196 wrote to memory of 4524	2196	{03B0F7B3-C5FA-4e5e-AF2F-6EDD3A8B514C}.exe	124
PID 2196 wrote to memory of 4524	2196	{03B0F7B3-C5FA-4e5e-AF2F-6EDD3A8B514C}.exe	124
PID 2196 wrote to memory of 4524	2196	{03B0F7B3-C5FA-4e5e-AF2F-6EDD3A8B514C}.exe	124
PID 2196 wrote to memory of 1528	2196	{03B0F7B3-C5FA-4e5e-AF2F-6EDD3A8B514C}.exe	125
PID 2196 wrote to memory of 1528	2196	{03B0F7B3-C5FA-4e5e-AF2F-6EDD3A8B514C}.exe	125
PID 2196 wrote to memory of 1528	2196	{03B0F7B3-C5FA-4e5e-AF2F-6EDD3A8B514C}.exe	125
PID 4524 wrote to memory of 2348	4524	{CDBA3AFE-9F07-49eb-AF68-6730359C84F2}.exe	128
PID 4524 wrote to memory of 2348	4524	{CDBA3AFE-9F07-49eb-AF68-6730359C84F2}.exe	128
PID 4524 wrote to memory of 2348	4524	{CDBA3AFE-9F07-49eb-AF68-6730359C84F2}.exe	128
PID 4524 wrote to memory of 1652	4524	{CDBA3AFE-9F07-49eb-AF68-6730359C84F2}.exe	129

C:\Users\Admin\AppData\Local\Temp\59209e715b96a991accfd386c66c0b37bbec34deb82ed88054600c0feeffa6fd_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\59209e715b96a991accfd386c66c0b37bbec34deb82ed88054600c0feeffa6fd_NeikiAnalytics.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\{CA750550-4D2B-4059-95A8-67DECB4F266C}.exe
  C:\Windows\{CA750550-4D2B-4059-95A8-67DECB4F266C}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\{B869CE23-C9FB-481b-8262-31CA590B3E70}.exe
    C:\Windows\{B869CE23-C9FB-481b-8262-31CA590B3E70}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4640
  - - C:\Windows\{BAC9E59C-9A81-46ff-8040-C92C8964BEE0}.exe
      C:\Windows\{BAC9E59C-9A81-46ff-8040-C92C8964BEE0}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4964
    - - C:\Windows\{E429D1E8-DF3B-48d0-AB9C-4DE89FA51468}.exe
        
        C:\Windows\{E429D1E8-DF3B-48d0-AB9C-4DE89FA51468}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1092
      - C:\Windows\{85E223AD-BEAF-4927-A7B9-63A565C5465A}.exe
        
        C:\Windows\{85E223AD-BEAF-4927-A7B9-63A565C5465A}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\{E5AAB54F-D8E8-4064-B339-08DE748C8787}.exe
        
        C:\Windows\{E5AAB54F-D8E8-4064-B339-08DE748C8787}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\{336A1EA9-7AD1-4fc3-AF95-9825C190275E}.exe
        
        C:\Windows\{336A1EA9-7AD1-4fc3-AF95-9825C190275E}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\{A7B3AF76-17FA-41ee-B993-F8F142CB6E71}.exe
        
        C:\Windows\{A7B3AF76-17FA-41ee-B993-F8F142CB6E71}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\{03B0F7B3-C5FA-4e5e-AF2F-6EDD3A8B514C}.exe
        
        C:\Windows\{03B0F7B3-C5FA-4e5e-AF2F-6EDD3A8B514C}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\{CDBA3AFE-9F07-49eb-AF68-6730359C84F2}.exe
        
        C:\Windows\{CDBA3AFE-9F07-49eb-AF68-6730359C84F2}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\{BB0B1543-FC14-497f-83BF-182C1DF3CFBC}.exe
        
        C:\Windows\{BB0B1543-FC14-497f-83BF-182C1DF3CFBC}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\{E00C1510-5170-49f6-BD91-2338128E00B7}.exe
        
        C:\Windows\{E00C1510-5170-49f6-BD91-2338128E00B7}.exe
        13⤵
        Executes dropped EXE
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB0B1~1.EXE > nul
        13⤵
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CDBA3~1.EXE > nul
        12⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03B0F~1.EXE > nul
        11⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7B3A~1.EXE > nul
        10⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{336A1~1.EXE > nul
        9⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5AAB~1.EXE > nul
        8⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85E22~1.EXE > nul
        7⤵
        
        PID:3208
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E429D~1.EXE > nul
        6⤵
        
        PID:1264
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BAC9E~1.EXE > nul
        5⤵
        
        PID:3496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B869C~1.EXE > nul
      4⤵
      PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CA750~1.EXE > nul
    3⤵
    PID:4176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\59209E~1.EXE > nul
  2⤵
  PID:3212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03B0F7B3-C5FA-4e5e-AF2F-6EDD3A8B514C}.exe

Filesize
88KB

MD5
0badc381ce782e78501b1aa8c8cc7cac

SHA1
395dddccc089b0a8755e0a355093c286f307bc94

SHA256
7dd2358c07783d9c7cbfc07c5fc2e1a62d7c60c4f3cded006916d3cf4890e8ea

SHA512
cf9add8c39b62d7a9dc6cc9e8ec5d177fb58ca911962b8d0c7250aa9d91ed34223f91db165a9e0bd2bf0b4d2a163bb0bda690dca756f87cc9d60efc384408277

Download Submit
C:\Windows\{336A1EA9-7AD1-4fc3-AF95-9825C190275E}.exe

Filesize
88KB

MD5
628c66e84d14a4231ff25a7d7142f45b

SHA1
5fc382e55c79c3b0ba6cbb7640cd1fd1845d26eb

SHA256
ec958064bc161e835a085cb751617bf667ae00f7b5027c250014e692919739fc

SHA512
29e836b6af1b8528d34baadbd6e1680e101a95721cbd9d5c4e7c1c7207f1cfa4c0861cc47dd54b3859b83bcfc9131dcdc772095af730737d6405c1d9477c5f10

Download Submit
C:\Windows\{85E223AD-BEAF-4927-A7B9-63A565C5465A}.exe

Filesize
88KB

MD5
6c9bb9fd398260df3767dbb69e946a72

SHA1
124817aa105ec9d2799c81e619d4e02405a2efc5

SHA256
a2765ea03e0b6c05ecb48e6c0b96a689258bab83f6f2a4fa529797d73aa64491

SHA512
d8bac32995c09df33b8e6ffb51125574c63c798a809c5ba1d4ae229cac8c3482c92ba34c05eb83c0110ef49fb16ae3e0552db26790a700d373c3be5f09f2955f

Download Submit
C:\Windows\{A7B3AF76-17FA-41ee-B993-F8F142CB6E71}.exe

Filesize
88KB

MD5
fdca3e5c67d1316e9005f84cf47185f2

SHA1
cdda600da3b2203646a8bcf52a153b9b8efeea93

SHA256
e828b515e866dae8efd8c5996b5d75588f911678e62c2b234a2e7300c7c7b442

SHA512
ae35d60de70b2ae0fd0637625257812c25086b5cd44061542c5c2ea567ce5dd5f9d35658a8b6b4db4a5736e6a42af9c310bf3387a6335b4411e119427f230748

Download Submit
C:\Windows\{B869CE23-C9FB-481b-8262-31CA590B3E70}.exe

Filesize
88KB

MD5
0b071e2d25c417b4e3bca11580572957

SHA1
ac78f4c1e4deecc26b237910aedbb78107b79bae

SHA256
58b6520bf0f28132e00088bd4db374f6aacb8fda82a46021ca63bb7bc7549f94

SHA512
ca882511ba0dc92642a1b6fe88ea544949cb2961a4523f78fd643a743b0ce4debc431cdefad4a7fc26de5ef1198e5e51747b68f753da94ed50b19a4dad96d644

Download Submit
C:\Windows\{BAC9E59C-9A81-46ff-8040-C92C8964BEE0}.exe

Filesize
88KB

MD5
fffd65aa9f8e4bac853de7d44347b674

SHA1
936844232218004e4d87c650768a594b7e8ae135

SHA256
f34ae10c1854c30706f33b4793e95714721a47d09a4f41acfa5a1134f90bfeb9

SHA512
d898fe02836ac50e69338bd989882afc6225ffdc5b432851556f1bb79d44e198b0444234ddfbf78e0c445da404d1f78c620f06696361cc07bd58f392c5c39923

Download Submit
C:\Windows\{BB0B1543-FC14-497f-83BF-182C1DF3CFBC}.exe

Filesize
88KB

MD5
a2c012a95fec848d59f56c12df2483d1

SHA1
28468489662c3ca00146e769923d21fe394b3906

SHA256
ad7caf0d575453139159f3a71c04fe82e2e00570a88b4271ffa3cd2a2deb244f

SHA512
66f339d30bf7f76a0a1ae5f86940cdaee17cdff76f928cea6796e4d8b650a8eea7930424c4381d2ed48d842ce6d959de03fb3dfc707adc4096ad30ad35ef8705

Download Submit
C:\Windows\{CA750550-4D2B-4059-95A8-67DECB4F266C}.exe

Filesize
88KB

MD5
c073d5292d6ec3176119b60d0be6753a

SHA1
15fa8de2e47ca3ef1e52b1347b8b857f4a751737

SHA256
603adcbbc00a54ac15115f95448c3ea7075d1a852df051e09efd29ddc1b64fc8

SHA512
198e81508ea6916ea906d5898e17426f6d3bee2a3171962b77939b51a29c7e980ac427cb131f7a1e60caa487551a4d3cb7583bd73f538fba8d75ae25a23051ed

Download Submit
C:\Windows\{CDBA3AFE-9F07-49eb-AF68-6730359C84F2}.exe

Filesize
88KB

MD5
0945c372e41ac57131455e2f430ace3e

SHA1
61406fda043c4121a1dccf2bd7fbe5e8c5a75274

SHA256
a4765272a321594b291f6ce916b3fc541ffc890cc51bc4a97f40f20ac414abd9

SHA512
26964f67f42fe5e7f6e3a69a694fb398e7c9210048fe151e26addafd7c1e91ccd5c633391c4282d5d5bc01c780ac1a9cc78ab0dfc1bc88b24eea41500b8058cf

Download Submit
C:\Windows\{E00C1510-5170-49f6-BD91-2338128E00B7}.exe

Filesize
88KB

MD5
0e37f96928dd0632e6186f82c784d861

SHA1
6634fdc6a80bd63f86e3799f34e4a81e1a28e572

SHA256
116a5f2d1afc6fc9ba50ba7f885b16f8a7aa5a391b2d6f9916e6c9dffbfe0365

SHA512
40e5bb214f882e780bca071618222d313062729ef09cb9715ec09b5550ca0791dd4b98d395b968c6cfa71011f8ea4923f513a0e7c84fd37ef36bfb06c1e91f26

Download Submit
C:\Windows\{E429D1E8-DF3B-48d0-AB9C-4DE89FA51468}.exe

Filesize
88KB

MD5
1bb620df2afd64bca9d0375f5794112d

SHA1
c857307d5551329a680d2344ed507d7921fe5d3d

SHA256
c30c42692b261cfff74a3b3440e8019cec045d4b9521534b3b5cbdbcc7af4b4e

SHA512
3c35ebf7624f6989599a19b9212e301b4787e66b1ad10c1399912d6c1bc05585e6d9e3eba5dbecd9d4d0ea80457452f55283471c8a9adcaf0fd4703156b2e476

Download Submit
C:\Windows\{E5AAB54F-D8E8-4064-B339-08DE748C8787}.exe

Filesize
88KB

MD5
8ddc38cc565da3815eaf4265988014ba

SHA1
ab31855c7730de8e003a2f1fea0ab00713537271

SHA256
7a08fa24a389ee92b944f6cb95f18f9756134a7dbeae26535d38c7e1e6ee0706

SHA512
7eaf30973985c627506511614a821552b570fc5dfb86729be93d5bf8d702dd7a2f12d1d06335a74d053ecb3db911aa94278cb35beb9f13c28b6fbe884562c022

Download Submit
memory/992-68-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1092-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1168-32-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1780-51-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1780-45-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2196-56-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2348-66-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2348-63-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2844-40-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2844-44-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2984-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2984-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3044-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3044-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4524-57-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4524-62-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4640-16-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4640-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4800-34-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4800-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4964-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4964-23-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads