68289a8c18a9da24d57d0972d1f12ba3b6522c2d3b0f840190329b00a647ab7f

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 02:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

68289a8c18a9da24d57d0972d1f12ba3b6522c2d3b0f840190329b00a647ab7f_NeikiAnalytics.exe
Size

60KB
MD5

0a1f173cb67c8e2d43d536e0dbfbde70
SHA1

345e0b38463fb047bb8ab13dba80d97bdcddfc17
SHA256

68289a8c18a9da24d57d0972d1f12ba3b6522c2d3b0f840190329b00a647ab7f
SHA512

ae85c04663360af2e80e33c5fd781ddbe119158bb292cf5a1e6ee0a0eba9fb0592aecb8db7b1a7f3133f0a24ed1d5daaf954b76fe3140075215a9bbb4da113cd
SSDEEP

192:vbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqwOY04/CFxyNhoy5t:vbLwOs8AHsc4sMfwhKQLro04/CFsrd

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67518FA4-4570-455b-A9F4-5CECD40FC545}\stubpath = "C:\\Windows\\{67518FA4-4570-455b-A9F4-5CECD40FC545}.exe"	{588E92C2-C361-49d0-B62B-3CC3AF5D3B32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B475F33A-F99F-4047-A7F5-FCE9C58E3A87}	{67518FA4-4570-455b-A9F4-5CECD40FC545}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20CD0EEA-BC42-4887-B1E7-0BF70DE7D4B5}\stubpath = "C:\\Windows\\{20CD0EEA-BC42-4887-B1E7-0BF70DE7D4B5}.exe"	{B0A5EA03-22F5-4f3a-8B61-A4DE56C90C3B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9E304D2-737C-48d7-A65A-3F63FAABE6C2}	{CCBD3909-CEFF-4c08-B1D2-BB4F532DC314}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D5C0C89-6FD7-422a-BE69-8CB6C6E9B79D}	{2E821AFF-13A3-4120-BA23-DF781EED65A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D5C0C89-6FD7-422a-BE69-8CB6C6E9B79D}\stubpath = "C:\\Windows\\{1D5C0C89-6FD7-422a-BE69-8CB6C6E9B79D}.exe"	{2E821AFF-13A3-4120-BA23-DF781EED65A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{588E92C2-C361-49d0-B62B-3CC3AF5D3B32}\stubpath = "C:\\Windows\\{588E92C2-C361-49d0-B62B-3CC3AF5D3B32}.exe"	{B1ACAC04-7D62-4341-AEDE-A0829968FE63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0A5EA03-22F5-4f3a-8B61-A4DE56C90C3B}	68289a8c18a9da24d57d0972d1f12ba3b6522c2d3b0f840190329b00a647ab7f_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20CD0EEA-BC42-4887-B1E7-0BF70DE7D4B5}	{B0A5EA03-22F5-4f3a-8B61-A4DE56C90C3B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCBD3909-CEFF-4c08-B1D2-BB4F532DC314}	{2CA515C5-50E5-4477-B8BB-E9273661D52F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E821AFF-13A3-4120-BA23-DF781EED65A6}\stubpath = "C:\\Windows\\{2E821AFF-13A3-4120-BA23-DF781EED65A6}.exe"	{A9E304D2-737C-48d7-A65A-3F63FAABE6C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B475F33A-F99F-4047-A7F5-FCE9C58E3A87}\stubpath = "C:\\Windows\\{B475F33A-F99F-4047-A7F5-FCE9C58E3A87}.exe"	{67518FA4-4570-455b-A9F4-5CECD40FC545}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2CA515C5-50E5-4477-B8BB-E9273661D52F}	{20CD0EEA-BC42-4887-B1E7-0BF70DE7D4B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1ACAC04-7D62-4341-AEDE-A0829968FE63}	{1D5C0C89-6FD7-422a-BE69-8CB6C6E9B79D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1ACAC04-7D62-4341-AEDE-A0829968FE63}\stubpath = "C:\\Windows\\{B1ACAC04-7D62-4341-AEDE-A0829968FE63}.exe"	{1D5C0C89-6FD7-422a-BE69-8CB6C6E9B79D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{588E92C2-C361-49d0-B62B-3CC3AF5D3B32}	{B1ACAC04-7D62-4341-AEDE-A0829968FE63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67518FA4-4570-455b-A9F4-5CECD40FC545}	{588E92C2-C361-49d0-B62B-3CC3AF5D3B32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B0A5EA03-22F5-4f3a-8B61-A4DE56C90C3B}\stubpath = "C:\\Windows\\{B0A5EA03-22F5-4f3a-8B61-A4DE56C90C3B}.exe"	68289a8c18a9da24d57d0972d1f12ba3b6522c2d3b0f840190329b00a647ab7f_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2CA515C5-50E5-4477-B8BB-E9273661D52F}\stubpath = "C:\\Windows\\{2CA515C5-50E5-4477-B8BB-E9273661D52F}.exe"	{20CD0EEA-BC42-4887-B1E7-0BF70DE7D4B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CCBD3909-CEFF-4c08-B1D2-BB4F532DC314}\stubpath = "C:\\Windows\\{CCBD3909-CEFF-4c08-B1D2-BB4F532DC314}.exe"	{2CA515C5-50E5-4477-B8BB-E9273661D52F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9E304D2-737C-48d7-A65A-3F63FAABE6C2}\stubpath = "C:\\Windows\\{A9E304D2-737C-48d7-A65A-3F63FAABE6C2}.exe"	{CCBD3909-CEFF-4c08-B1D2-BB4F532DC314}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E821AFF-13A3-4120-BA23-DF781EED65A6}	{A9E304D2-737C-48d7-A65A-3F63FAABE6C2}.exe

Deletes itself 1 IoCs

pid	Process
2696	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1452	{B0A5EA03-22F5-4f3a-8B61-A4DE56C90C3B}.exe
2792	{20CD0EEA-BC42-4887-B1E7-0BF70DE7D4B5}.exe
2816	{2CA515C5-50E5-4477-B8BB-E9273661D52F}.exe
1156	{CCBD3909-CEFF-4c08-B1D2-BB4F532DC314}.exe
2860	{A9E304D2-737C-48d7-A65A-3F63FAABE6C2}.exe
1988	{2E821AFF-13A3-4120-BA23-DF781EED65A6}.exe
2248	{1D5C0C89-6FD7-422a-BE69-8CB6C6E9B79D}.exe
2768	{B1ACAC04-7D62-4341-AEDE-A0829968FE63}.exe
692	{588E92C2-C361-49d0-B62B-3CC3AF5D3B32}.exe
1232	{67518FA4-4570-455b-A9F4-5CECD40FC545}.exe
1088	{B475F33A-F99F-4047-A7F5-FCE9C58E3A87}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{1D5C0C89-6FD7-422a-BE69-8CB6C6E9B79D}.exe	{2E821AFF-13A3-4120-BA23-DF781EED65A6}.exe
File created	C:\Windows\{B1ACAC04-7D62-4341-AEDE-A0829968FE63}.exe	{1D5C0C89-6FD7-422a-BE69-8CB6C6E9B79D}.exe
File created	C:\Windows\{588E92C2-C361-49d0-B62B-3CC3AF5D3B32}.exe	{B1ACAC04-7D62-4341-AEDE-A0829968FE63}.exe
File created	C:\Windows\{B475F33A-F99F-4047-A7F5-FCE9C58E3A87}.exe	{67518FA4-4570-455b-A9F4-5CECD40FC545}.exe
File created	C:\Windows\{B0A5EA03-22F5-4f3a-8B61-A4DE56C90C3B}.exe	68289a8c18a9da24d57d0972d1f12ba3b6522c2d3b0f840190329b00a647ab7f_NeikiAnalytics.exe
File created	C:\Windows\{2CA515C5-50E5-4477-B8BB-E9273661D52F}.exe	{20CD0EEA-BC42-4887-B1E7-0BF70DE7D4B5}.exe
File created	C:\Windows\{A9E304D2-737C-48d7-A65A-3F63FAABE6C2}.exe	{CCBD3909-CEFF-4c08-B1D2-BB4F532DC314}.exe
File created	C:\Windows\{2E821AFF-13A3-4120-BA23-DF781EED65A6}.exe	{A9E304D2-737C-48d7-A65A-3F63FAABE6C2}.exe
File created	C:\Windows\{20CD0EEA-BC42-4887-B1E7-0BF70DE7D4B5}.exe	{B0A5EA03-22F5-4f3a-8B61-A4DE56C90C3B}.exe
File created	C:\Windows\{CCBD3909-CEFF-4c08-B1D2-BB4F532DC314}.exe	{2CA515C5-50E5-4477-B8BB-E9273661D52F}.exe
File created	C:\Windows\{67518FA4-4570-455b-A9F4-5CECD40FC545}.exe	{588E92C2-C361-49d0-B62B-3CC3AF5D3B32}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2408	68289a8c18a9da24d57d0972d1f12ba3b6522c2d3b0f840190329b00a647ab7f_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	1452	{B0A5EA03-22F5-4f3a-8B61-A4DE56C90C3B}.exe
Token: SeIncBasePriorityPrivilege	2792	{20CD0EEA-BC42-4887-B1E7-0BF70DE7D4B5}.exe
Token: SeIncBasePriorityPrivilege	2816	{2CA515C5-50E5-4477-B8BB-E9273661D52F}.exe
Token: SeIncBasePriorityPrivilege	1156	{CCBD3909-CEFF-4c08-B1D2-BB4F532DC314}.exe
Token: SeIncBasePriorityPrivilege	2860	{A9E304D2-737C-48d7-A65A-3F63FAABE6C2}.exe
Token: SeIncBasePriorityPrivilege	1988	{2E821AFF-13A3-4120-BA23-DF781EED65A6}.exe
Token: SeIncBasePriorityPrivilege	2248	{1D5C0C89-6FD7-422a-BE69-8CB6C6E9B79D}.exe
Token: SeIncBasePriorityPrivilege	2768	{B1ACAC04-7D62-4341-AEDE-A0829968FE63}.exe
Token: SeIncBasePriorityPrivilege	692	{588E92C2-C361-49d0-B62B-3CC3AF5D3B32}.exe
Token: SeIncBasePriorityPrivilege	1232	{67518FA4-4570-455b-A9F4-5CECD40FC545}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 1452	2408	68289a8c18a9da24d57d0972d1f12ba3b6522c2d3b0f840190329b00a647ab7f_NeikiAnalytics.exe	28
PID 2408 wrote to memory of 1452	2408	68289a8c18a9da24d57d0972d1f12ba3b6522c2d3b0f840190329b00a647ab7f_NeikiAnalytics.exe	28
PID 2408 wrote to memory of 1452	2408	68289a8c18a9da24d57d0972d1f12ba3b6522c2d3b0f840190329b00a647ab7f_NeikiAnalytics.exe	28
PID 2408 wrote to memory of 1452	2408	68289a8c18a9da24d57d0972d1f12ba3b6522c2d3b0f840190329b00a647ab7f_NeikiAnalytics.exe	28
PID 2408 wrote to memory of 2696	2408	68289a8c18a9da24d57d0972d1f12ba3b6522c2d3b0f840190329b00a647ab7f_NeikiAnalytics.exe	29
PID 2408 wrote to memory of 2696	2408	68289a8c18a9da24d57d0972d1f12ba3b6522c2d3b0f840190329b00a647ab7f_NeikiAnalytics.exe	29
PID 2408 wrote to memory of 2696	2408	68289a8c18a9da24d57d0972d1f12ba3b6522c2d3b0f840190329b00a647ab7f_NeikiAnalytics.exe	29
PID 2408 wrote to memory of 2696	2408	68289a8c18a9da24d57d0972d1f12ba3b6522c2d3b0f840190329b00a647ab7f_NeikiAnalytics.exe	29
PID 1452 wrote to memory of 2792	1452	{B0A5EA03-22F5-4f3a-8B61-A4DE56C90C3B}.exe	30
PID 1452 wrote to memory of 2792	1452	{B0A5EA03-22F5-4f3a-8B61-A4DE56C90C3B}.exe	30
PID 1452 wrote to memory of 2792	1452	{B0A5EA03-22F5-4f3a-8B61-A4DE56C90C3B}.exe	30
PID 1452 wrote to memory of 2792	1452	{B0A5EA03-22F5-4f3a-8B61-A4DE56C90C3B}.exe	30
PID 1452 wrote to memory of 2620	1452	{B0A5EA03-22F5-4f3a-8B61-A4DE56C90C3B}.exe	31
PID 1452 wrote to memory of 2620	1452	{B0A5EA03-22F5-4f3a-8B61-A4DE56C90C3B}.exe	31
PID 1452 wrote to memory of 2620	1452	{B0A5EA03-22F5-4f3a-8B61-A4DE56C90C3B}.exe	31
PID 1452 wrote to memory of 2620	1452	{B0A5EA03-22F5-4f3a-8B61-A4DE56C90C3B}.exe	31
PID 2792 wrote to memory of 2816	2792	{20CD0EEA-BC42-4887-B1E7-0BF70DE7D4B5}.exe	32
PID 2792 wrote to memory of 2816	2792	{20CD0EEA-BC42-4887-B1E7-0BF70DE7D4B5}.exe	32
PID 2792 wrote to memory of 2816	2792	{20CD0EEA-BC42-4887-B1E7-0BF70DE7D4B5}.exe	32
PID 2792 wrote to memory of 2816	2792	{20CD0EEA-BC42-4887-B1E7-0BF70DE7D4B5}.exe	32
PID 2792 wrote to memory of 2760	2792	{20CD0EEA-BC42-4887-B1E7-0BF70DE7D4B5}.exe	33
PID 2792 wrote to memory of 2760	2792	{20CD0EEA-BC42-4887-B1E7-0BF70DE7D4B5}.exe	33
PID 2792 wrote to memory of 2760	2792	{20CD0EEA-BC42-4887-B1E7-0BF70DE7D4B5}.exe	33
PID 2792 wrote to memory of 2760	2792	{20CD0EEA-BC42-4887-B1E7-0BF70DE7D4B5}.exe	33
PID 2816 wrote to memory of 1156	2816	{2CA515C5-50E5-4477-B8BB-E9273661D52F}.exe	36
PID 2816 wrote to memory of 1156	2816	{2CA515C5-50E5-4477-B8BB-E9273661D52F}.exe	36
PID 2816 wrote to memory of 1156	2816	{2CA515C5-50E5-4477-B8BB-E9273661D52F}.exe	36
PID 2816 wrote to memory of 1156	2816	{2CA515C5-50E5-4477-B8BB-E9273661D52F}.exe	36
PID 2816 wrote to memory of 2560	2816	{2CA515C5-50E5-4477-B8BB-E9273661D52F}.exe	37
PID 2816 wrote to memory of 2560	2816	{2CA515C5-50E5-4477-B8BB-E9273661D52F}.exe	37
PID 2816 wrote to memory of 2560	2816	{2CA515C5-50E5-4477-B8BB-E9273661D52F}.exe	37
PID 2816 wrote to memory of 2560	2816	{2CA515C5-50E5-4477-B8BB-E9273661D52F}.exe	37
PID 1156 wrote to memory of 2860	1156	{CCBD3909-CEFF-4c08-B1D2-BB4F532DC314}.exe	38
PID 1156 wrote to memory of 2860	1156	{CCBD3909-CEFF-4c08-B1D2-BB4F532DC314}.exe	38
PID 1156 wrote to memory of 2860	1156	{CCBD3909-CEFF-4c08-B1D2-BB4F532DC314}.exe	38
PID 1156 wrote to memory of 2860	1156	{CCBD3909-CEFF-4c08-B1D2-BB4F532DC314}.exe	38
PID 1156 wrote to memory of 3020	1156	{CCBD3909-CEFF-4c08-B1D2-BB4F532DC314}.exe	39
PID 1156 wrote to memory of 3020	1156	{CCBD3909-CEFF-4c08-B1D2-BB4F532DC314}.exe	39
PID 1156 wrote to memory of 3020	1156	{CCBD3909-CEFF-4c08-B1D2-BB4F532DC314}.exe	39
PID 1156 wrote to memory of 3020	1156	{CCBD3909-CEFF-4c08-B1D2-BB4F532DC314}.exe	39
PID 2860 wrote to memory of 1988	2860	{A9E304D2-737C-48d7-A65A-3F63FAABE6C2}.exe	40
PID 2860 wrote to memory of 1988	2860	{A9E304D2-737C-48d7-A65A-3F63FAABE6C2}.exe	40
PID 2860 wrote to memory of 1988	2860	{A9E304D2-737C-48d7-A65A-3F63FAABE6C2}.exe	40
PID 2860 wrote to memory of 1988	2860	{A9E304D2-737C-48d7-A65A-3F63FAABE6C2}.exe	40
PID 2860 wrote to memory of 1060	2860	{A9E304D2-737C-48d7-A65A-3F63FAABE6C2}.exe	41
PID 2860 wrote to memory of 1060	2860	{A9E304D2-737C-48d7-A65A-3F63FAABE6C2}.exe	41
PID 2860 wrote to memory of 1060	2860	{A9E304D2-737C-48d7-A65A-3F63FAABE6C2}.exe	41
PID 2860 wrote to memory of 1060	2860	{A9E304D2-737C-48d7-A65A-3F63FAABE6C2}.exe	41
PID 1988 wrote to memory of 2248	1988	{2E821AFF-13A3-4120-BA23-DF781EED65A6}.exe	42
PID 1988 wrote to memory of 2248	1988	{2E821AFF-13A3-4120-BA23-DF781EED65A6}.exe	42
PID 1988 wrote to memory of 2248	1988	{2E821AFF-13A3-4120-BA23-DF781EED65A6}.exe	42
PID 1988 wrote to memory of 2248	1988	{2E821AFF-13A3-4120-BA23-DF781EED65A6}.exe	42
PID 1988 wrote to memory of 1672	1988	{2E821AFF-13A3-4120-BA23-DF781EED65A6}.exe	43
PID 1988 wrote to memory of 1672	1988	{2E821AFF-13A3-4120-BA23-DF781EED65A6}.exe	43
PID 1988 wrote to memory of 1672	1988	{2E821AFF-13A3-4120-BA23-DF781EED65A6}.exe	43
PID 1988 wrote to memory of 1672	1988	{2E821AFF-13A3-4120-BA23-DF781EED65A6}.exe	43
PID 2248 wrote to memory of 2768	2248	{1D5C0C89-6FD7-422a-BE69-8CB6C6E9B79D}.exe	44
PID 2248 wrote to memory of 2768	2248	{1D5C0C89-6FD7-422a-BE69-8CB6C6E9B79D}.exe	44
PID 2248 wrote to memory of 2768	2248	{1D5C0C89-6FD7-422a-BE69-8CB6C6E9B79D}.exe	44
PID 2248 wrote to memory of 2768	2248	{1D5C0C89-6FD7-422a-BE69-8CB6C6E9B79D}.exe	44
PID 2248 wrote to memory of 1984	2248	{1D5C0C89-6FD7-422a-BE69-8CB6C6E9B79D}.exe	45
PID 2248 wrote to memory of 1984	2248	{1D5C0C89-6FD7-422a-BE69-8CB6C6E9B79D}.exe	45
PID 2248 wrote to memory of 1984	2248	{1D5C0C89-6FD7-422a-BE69-8CB6C6E9B79D}.exe	45
PID 2248 wrote to memory of 1984	2248	{1D5C0C89-6FD7-422a-BE69-8CB6C6E9B79D}.exe	45

C:\Users\Admin\AppData\Local\Temp\68289a8c18a9da24d57d0972d1f12ba3b6522c2d3b0f840190329b00a647ab7f_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\68289a8c18a9da24d57d0972d1f12ba3b6522c2d3b0f840190329b00a647ab7f_NeikiAnalytics.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\{B0A5EA03-22F5-4f3a-8B61-A4DE56C90C3B}.exe
  C:\Windows\{B0A5EA03-22F5-4f3a-8B61-A4DE56C90C3B}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\{20CD0EEA-BC42-4887-B1E7-0BF70DE7D4B5}.exe
    C:\Windows\{20CD0EEA-BC42-4887-B1E7-0BF70DE7D4B5}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\{2CA515C5-50E5-4477-B8BB-E9273661D52F}.exe
      C:\Windows\{2CA515C5-50E5-4477-B8BB-E9273661D52F}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Windows\{CCBD3909-CEFF-4c08-B1D2-BB4F532DC314}.exe
        
        C:\Windows\{CCBD3909-CEFF-4c08-B1D2-BB4F532DC314}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1156
      - C:\Windows\{A9E304D2-737C-48d7-A65A-3F63FAABE6C2}.exe
        
        C:\Windows\{A9E304D2-737C-48d7-A65A-3F63FAABE6C2}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\{2E821AFF-13A3-4120-BA23-DF781EED65A6}.exe
        
        C:\Windows\{2E821AFF-13A3-4120-BA23-DF781EED65A6}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\{1D5C0C89-6FD7-422a-BE69-8CB6C6E9B79D}.exe
        
        C:\Windows\{1D5C0C89-6FD7-422a-BE69-8CB6C6E9B79D}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\{B1ACAC04-7D62-4341-AEDE-A0829968FE63}.exe
        
        C:\Windows\{B1ACAC04-7D62-4341-AEDE-A0829968FE63}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\{588E92C2-C361-49d0-B62B-3CC3AF5D3B32}.exe
        
        C:\Windows\{588E92C2-C361-49d0-B62B-3CC3AF5D3B32}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
        
        C:\Windows\{67518FA4-4570-455b-A9F4-5CECD40FC545}.exe
        
        C:\Windows\{67518FA4-4570-455b-A9F4-5CECD40FC545}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1232
        
        C:\Windows\{B475F33A-F99F-4047-A7F5-FCE9C58E3A87}.exe
        
        C:\Windows\{B475F33A-F99F-4047-A7F5-FCE9C58E3A87}.exe
        12⤵
        Executes dropped EXE
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67518~1.EXE > nul
        12⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{588E9~1.EXE > nul
        11⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1ACA~1.EXE > nul
        10⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D5C0~1.EXE > nul
        9⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E821~1.EXE > nul
        8⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9E30~1.EXE > nul
        7⤵
        
        PID:1060
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CCBD3~1.EXE > nul
        6⤵
        
        PID:3020
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2CA51~1.EXE > nul
        5⤵
        
        PID:2560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{20CD0~1.EXE > nul
      4⤵
      PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B0A5E~1.EXE > nul
    3⤵
    PID:2620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\68289A~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1D5C0C89-6FD7-422a-BE69-8CB6C6E9B79D}.exe

Filesize
60KB

MD5
f032e4cc2da15aee2de267a5ab6a282e

SHA1
776e88636a5d1f42b145ac2dd54dd0a1a059c655

SHA256
8da479811cdf7dbdec9d8998f8ee3bfcf6ddaef52072a21d2b43bc1303f33e7e

SHA512
95541cbd1cdf3fbe49a8a6a665facf54ac397d76434980303cab9cd26bbd9f4f4f5676d3bd4f76d35a2399d233de4de16e53421088d73e8a998e824bcf2689d3

Download Submit
C:\Windows\{20CD0EEA-BC42-4887-B1E7-0BF70DE7D4B5}.exe

Filesize
60KB

MD5
a8ff5d26dcff689f8f190e3be4ce343a

SHA1
4a79452c524bc486a47cc79791c0227b85c60999

SHA256
39517b67be5bd8ddb1069ece7387888547c622284870d3720eda9b0fbe10d51c

SHA512
91fcc592c89b39288046e432e9885812042f16d1ca9dff6ef152f3393a355c4bd708a3490e139adc5538ac83c1769c2f21ab8f5b9153aec0fb38b7059e0f09ff

Download Submit
C:\Windows\{2CA515C5-50E5-4477-B8BB-E9273661D52F}.exe

Filesize
60KB

MD5
cdefaa2f4a4a95eb89796e31a101b260

SHA1
fa08091d50e1d37d6949245785a5debeecff513b

SHA256
4e35cac9dee2a9b4d22c76667095b2affe362fc95cb3f776eebbd9051332e68e

SHA512
32eca47beaea9c0a35b13cb303e154d7e11cac56bd8e2dd9405c31250c7023b69028a1df492178dadc6a6f9fd2138501116e964d68fa05074791f2b6a61c94f4

Download Submit
C:\Windows\{2E821AFF-13A3-4120-BA23-DF781EED65A6}.exe

Filesize
60KB

MD5
284ced14c51c405427b6bba5b4fb6248

SHA1
0390daa901a987ba4a93ce8d75c01696ecdfd78b

SHA256
748d044fe8b2fa540ae33c1c15f499f152e97fe0ce1e3391ad3957bc6a4fd942

SHA512
bf0c9b0fe1aa72471e97497b1ca4a3976889fc54df1c759d578f1d7d987fcc5e6ae5777e95680d7f963f7f0224896adaef565b19633fb7a35a06a0d09eca7506

Download Submit
C:\Windows\{588E92C2-C361-49d0-B62B-3CC3AF5D3B32}.exe

Filesize
60KB

MD5
db193ba355f80af75b600da48958efc0

SHA1
c99f85360b756aa0e3bf8a7c7acfd03a99c0568d

SHA256
56e20ee517d164ff1844ab4c0ec7f3f016e000691e3f3481ec9b069c4ee6ef0a

SHA512
b0996f8a39dfba4e5c89050322f11aed3f9616b675e15bedb6f302beb0f45c757403763fd33d935b1af838f2d3cbc7035bd0532bc98eff1d79dc256128dd6671

Download Submit
C:\Windows\{67518FA4-4570-455b-A9F4-5CECD40FC545}.exe

Filesize
60KB

MD5
ed1e88d85b72ddee370be2884efcf02e

SHA1
ad5f2bbc2925a9d761f431c99e2c2316862d9433

SHA256
b11154f7c7eaeaa08e643da634332fe3adb911dbd1d0844e564ae2c4e5fc5110

SHA512
e0f665016e48866548f35a9f81c763c65cf33519bdab4ab875352aa954a38ca81d2cff3cfe78875822222d36150a2eb43e26e59231a2be5daa55891135128ee2

Download Submit
C:\Windows\{A9E304D2-737C-48d7-A65A-3F63FAABE6C2}.exe

Filesize
60KB

MD5
a6da16d9088c4d8bfa479149e7a6e52a

SHA1
e58806c1b2142b4dc1aa6a9ca704e8c57d2304d3

SHA256
f4a065d2b11d6e923e4be67fb3738d8e5996d7afa4984abeab8e5e01bd3fc780

SHA512
9f56f1cebe2ec79aaf0a471b10f23601a3f9e612ba8bc08a958d4160c345b7d054bc8b95cc0ad808ce96f76e0e7006a42600d73e78eeeaf1fdbfd17e74832dd7

Download Submit
C:\Windows\{B0A5EA03-22F5-4f3a-8B61-A4DE56C90C3B}.exe

Filesize
60KB

MD5
893c50e4defe8ce988263ed71a116f55

SHA1
8fef29947a3e0775ae6b0798ca019952d18123a3

SHA256
50e8a8092493148a9e65c5a00f6db73a98c99374d81f1bef8b0b00a16988ba40

SHA512
77819f5cba7d9168a65a4116407053295ba45292539886e8edb3908e7c34ff210f3bb3c0d11b9d2039622930aef88fe8e271cd869e156caf6a98acd579a71c7f

Download Submit
C:\Windows\{B1ACAC04-7D62-4341-AEDE-A0829968FE63}.exe

Filesize
60KB

MD5
08a44897520f370d9b4fb157f2696e13

SHA1
dd72d2c1ec4a3c051204f3426412cb651f89f699

SHA256
d88792e5f3df9834a80297c8986948580613812df04392fdc8e6303b43524471

SHA512
6d206eaeea4309900f905a5036ed9159406c933f83b1b534d2f83d3a6d533dc02c2d22bf4967e1ad7c3c2a30c7191f321659302db9d2459e351bbf2c651daf44

Download Submit
C:\Windows\{B475F33A-F99F-4047-A7F5-FCE9C58E3A87}.exe

Filesize
60KB

MD5
3214eebf066e5a63c4ae3b5ab6b53dcb

SHA1
e3778896e1bcef84bacd2fde637052a3cd8fb401

SHA256
502c79505877c9c62573a0efeacd4db1fb5e8c0ed1cbe252b96a077bdc71a1f3

SHA512
25c25a9c0f117e150351ac71b5bde732445559e8f7352287323066312853488d255dfddcca1070b15998a3e71f5dcbe5cef713806bc352ea01cdd69a53debe05

Download Submit
C:\Windows\{CCBD3909-CEFF-4c08-B1D2-BB4F532DC314}.exe

Filesize
60KB

MD5
777da124d4d2e05df9611c9227cca151

SHA1
de8344a9defa141acbe8cd714dd37187cbdeda6b

SHA256
468926cd732c0cd362b7da4d23a632a78b0af64f09a0f76c3d1afebdc73552ef

SHA512
58ff4618557a88a54d1e8984a13affa4c1849d79eb6a7dac6329abc61426d7f9b3ea947187513d940e1d45bdca5b641ea93b144002792071a29007d2696f1810

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads