8d28475f21cd57bf80671905c21771e69aca8f30cfb78de88adf1440471d0019

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d28475f21cd57bf80671905c21771e69aca8f30cfb78de88adf1440471d0019_NeikiAnalytics.exe
Size

90KB
MD5

d5d24dfc93a292d7ef6a8d1bd54926d0
SHA1

6fcfe97d4adb9e122881d4b4c13ae2c9d9e3ea61
SHA256

8d28475f21cd57bf80671905c21771e69aca8f30cfb78de88adf1440471d0019
SHA512

5aaaa78f2c346b21cbe030977eba5e712329d1820f4157825913168ae778c6dc5b1570bc562ee380bd2c9dc77848e0f70bc874ae560fa921743f9b32e46eefb2
SSDEEP

768:Qvw9816vhKQLroc4/wQRNrfrunMxVFA3b7glws:YEGh0ocl2unMxVS3Hgz

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66A7C2F3-1588-455a-9681-35C8045B077E}	{40439ED2-FE82-4987-9835-6257209AC1EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F08EE274-ED62-43ee-9B95-406FA5916799}	{C236BA3E-2E81-4521-BC0B-691D6D74BD35}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F08EE274-ED62-43ee-9B95-406FA5916799}\stubpath = "C:\\Windows\\{F08EE274-ED62-43ee-9B95-406FA5916799}.exe"	{C236BA3E-2E81-4521-BC0B-691D6D74BD35}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63D7BB73-592D-4892-9362-0F9BBDF2831F}\stubpath = "C:\\Windows\\{63D7BB73-592D-4892-9362-0F9BBDF2831F}.exe"	{5E5ADF1D-2736-4323-9257-10035D36F123}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1502349-0D39-4a18-BADB-1572266F149B}\stubpath = "C:\\Windows\\{C1502349-0D39-4a18-BADB-1572266F149B}.exe"	{5274020B-20E0-4343-89C0-34FE54900A7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C168923E-BDF0-4b29-BC3A-3B1F9BD0847A}	{E0D1F679-B199-4ef7-9B05-5C4AD4C986E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40439ED2-FE82-4987-9835-6257209AC1EA}\stubpath = "C:\\Windows\\{40439ED2-FE82-4987-9835-6257209AC1EA}.exe"	8d28475f21cd57bf80671905c21771e69aca8f30cfb78de88adf1440471d0019_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66A7C2F3-1588-455a-9681-35C8045B077E}\stubpath = "C:\\Windows\\{66A7C2F3-1588-455a-9681-35C8045B077E}.exe"	{40439ED2-FE82-4987-9835-6257209AC1EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA8B4455-B207-4c13-B378-1FEF70735B01}	{66A7C2F3-1588-455a-9681-35C8045B077E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63D7BB73-592D-4892-9362-0F9BBDF2831F}	{5E5ADF1D-2736-4323-9257-10035D36F123}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA8B4455-B207-4c13-B378-1FEF70735B01}\stubpath = "C:\\Windows\\{BA8B4455-B207-4c13-B378-1FEF70735B01}.exe"	{66A7C2F3-1588-455a-9681-35C8045B077E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C236BA3E-2E81-4521-BC0B-691D6D74BD35}\stubpath = "C:\\Windows\\{C236BA3E-2E81-4521-BC0B-691D6D74BD35}.exe"	{BA8B4455-B207-4c13-B378-1FEF70735B01}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E5ADF1D-2736-4323-9257-10035D36F123}	{F08EE274-ED62-43ee-9B95-406FA5916799}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5274020B-20E0-4343-89C0-34FE54900A7A}	{63D7BB73-592D-4892-9362-0F9BBDF2831F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1502349-0D39-4a18-BADB-1572266F149B}	{5274020B-20E0-4343-89C0-34FE54900A7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C168923E-BDF0-4b29-BC3A-3B1F9BD0847A}\stubpath = "C:\\Windows\\{C168923E-BDF0-4b29-BC3A-3B1F9BD0847A}.exe"	{E0D1F679-B199-4ef7-9B05-5C4AD4C986E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40439ED2-FE82-4987-9835-6257209AC1EA}	8d28475f21cd57bf80671905c21771e69aca8f30cfb78de88adf1440471d0019_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C236BA3E-2E81-4521-BC0B-691D6D74BD35}	{BA8B4455-B207-4c13-B378-1FEF70735B01}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E5ADF1D-2736-4323-9257-10035D36F123}\stubpath = "C:\\Windows\\{5E5ADF1D-2736-4323-9257-10035D36F123}.exe"	{F08EE274-ED62-43ee-9B95-406FA5916799}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5274020B-20E0-4343-89C0-34FE54900A7A}\stubpath = "C:\\Windows\\{5274020B-20E0-4343-89C0-34FE54900A7A}.exe"	{63D7BB73-592D-4892-9362-0F9BBDF2831F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0D1F679-B199-4ef7-9B05-5C4AD4C986E7}	{C1502349-0D39-4a18-BADB-1572266F149B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0D1F679-B199-4ef7-9B05-5C4AD4C986E7}\stubpath = "C:\\Windows\\{E0D1F679-B199-4ef7-9B05-5C4AD4C986E7}.exe"	{C1502349-0D39-4a18-BADB-1572266F149B}.exe

Deletes itself 1 IoCs

pid	Process
2764	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1252	{40439ED2-FE82-4987-9835-6257209AC1EA}.exe
2736	{66A7C2F3-1588-455a-9681-35C8045B077E}.exe
916	{BA8B4455-B207-4c13-B378-1FEF70735B01}.exe
2340	{C236BA3E-2E81-4521-BC0B-691D6D74BD35}.exe
432	{F08EE274-ED62-43ee-9B95-406FA5916799}.exe
360	{5E5ADF1D-2736-4323-9257-10035D36F123}.exe
2244	{63D7BB73-592D-4892-9362-0F9BBDF2831F}.exe
1376	{5274020B-20E0-4343-89C0-34FE54900A7A}.exe
928	{C1502349-0D39-4a18-BADB-1572266F149B}.exe
2896	{E0D1F679-B199-4ef7-9B05-5C4AD4C986E7}.exe
2664	{C168923E-BDF0-4b29-BC3A-3B1F9BD0847A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{C1502349-0D39-4a18-BADB-1572266F149B}.exe	{5274020B-20E0-4343-89C0-34FE54900A7A}.exe
File created	C:\Windows\{40439ED2-FE82-4987-9835-6257209AC1EA}.exe	8d28475f21cd57bf80671905c21771e69aca8f30cfb78de88adf1440471d0019_NeikiAnalytics.exe
File created	C:\Windows\{C236BA3E-2E81-4521-BC0B-691D6D74BD35}.exe	{BA8B4455-B207-4c13-B378-1FEF70735B01}.exe
File created	C:\Windows\{5E5ADF1D-2736-4323-9257-10035D36F123}.exe	{F08EE274-ED62-43ee-9B95-406FA5916799}.exe
File created	C:\Windows\{63D7BB73-592D-4892-9362-0F9BBDF2831F}.exe	{5E5ADF1D-2736-4323-9257-10035D36F123}.exe
File created	C:\Windows\{5274020B-20E0-4343-89C0-34FE54900A7A}.exe	{63D7BB73-592D-4892-9362-0F9BBDF2831F}.exe
File created	C:\Windows\{E0D1F679-B199-4ef7-9B05-5C4AD4C986E7}.exe	{C1502349-0D39-4a18-BADB-1572266F149B}.exe
File created	C:\Windows\{C168923E-BDF0-4b29-BC3A-3B1F9BD0847A}.exe	{E0D1F679-B199-4ef7-9B05-5C4AD4C986E7}.exe
File created	C:\Windows\{66A7C2F3-1588-455a-9681-35C8045B077E}.exe	{40439ED2-FE82-4987-9835-6257209AC1EA}.exe
File created	C:\Windows\{BA8B4455-B207-4c13-B378-1FEF70735B01}.exe	{66A7C2F3-1588-455a-9681-35C8045B077E}.exe
File created	C:\Windows\{F08EE274-ED62-43ee-9B95-406FA5916799}.exe	{C236BA3E-2E81-4521-BC0B-691D6D74BD35}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2444	8d28475f21cd57bf80671905c21771e69aca8f30cfb78de88adf1440471d0019_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	1252	{40439ED2-FE82-4987-9835-6257209AC1EA}.exe
Token: SeIncBasePriorityPrivilege	2736	{66A7C2F3-1588-455a-9681-35C8045B077E}.exe
Token: SeIncBasePriorityPrivilege	916	{BA8B4455-B207-4c13-B378-1FEF70735B01}.exe
Token: SeIncBasePriorityPrivilege	2340	{C236BA3E-2E81-4521-BC0B-691D6D74BD35}.exe
Token: SeIncBasePriorityPrivilege	432	{F08EE274-ED62-43ee-9B95-406FA5916799}.exe
Token: SeIncBasePriorityPrivilege	360	{5E5ADF1D-2736-4323-9257-10035D36F123}.exe
Token: SeIncBasePriorityPrivilege	2244	{63D7BB73-592D-4892-9362-0F9BBDF2831F}.exe
Token: SeIncBasePriorityPrivilege	1376	{5274020B-20E0-4343-89C0-34FE54900A7A}.exe
Token: SeIncBasePriorityPrivilege	928	{C1502349-0D39-4a18-BADB-1572266F149B}.exe
Token: SeIncBasePriorityPrivilege	2896	{E0D1F679-B199-4ef7-9B05-5C4AD4C986E7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 1252	2444	8d28475f21cd57bf80671905c21771e69aca8f30cfb78de88adf1440471d0019_NeikiAnalytics.exe	28
PID 2444 wrote to memory of 1252	2444	8d28475f21cd57bf80671905c21771e69aca8f30cfb78de88adf1440471d0019_NeikiAnalytics.exe	28
PID 2444 wrote to memory of 1252	2444	8d28475f21cd57bf80671905c21771e69aca8f30cfb78de88adf1440471d0019_NeikiAnalytics.exe	28
PID 2444 wrote to memory of 1252	2444	8d28475f21cd57bf80671905c21771e69aca8f30cfb78de88adf1440471d0019_NeikiAnalytics.exe	28
PID 2444 wrote to memory of 2764	2444	8d28475f21cd57bf80671905c21771e69aca8f30cfb78de88adf1440471d0019_NeikiAnalytics.exe	29
PID 2444 wrote to memory of 2764	2444	8d28475f21cd57bf80671905c21771e69aca8f30cfb78de88adf1440471d0019_NeikiAnalytics.exe	29
PID 2444 wrote to memory of 2764	2444	8d28475f21cd57bf80671905c21771e69aca8f30cfb78de88adf1440471d0019_NeikiAnalytics.exe	29
PID 2444 wrote to memory of 2764	2444	8d28475f21cd57bf80671905c21771e69aca8f30cfb78de88adf1440471d0019_NeikiAnalytics.exe	29
PID 1252 wrote to memory of 2736	1252	{40439ED2-FE82-4987-9835-6257209AC1EA}.exe	30
PID 1252 wrote to memory of 2736	1252	{40439ED2-FE82-4987-9835-6257209AC1EA}.exe	30
PID 1252 wrote to memory of 2736	1252	{40439ED2-FE82-4987-9835-6257209AC1EA}.exe	30
PID 1252 wrote to memory of 2736	1252	{40439ED2-FE82-4987-9835-6257209AC1EA}.exe	30
PID 1252 wrote to memory of 2624	1252	{40439ED2-FE82-4987-9835-6257209AC1EA}.exe	31
PID 1252 wrote to memory of 2624	1252	{40439ED2-FE82-4987-9835-6257209AC1EA}.exe	31
PID 1252 wrote to memory of 2624	1252	{40439ED2-FE82-4987-9835-6257209AC1EA}.exe	31
PID 1252 wrote to memory of 2624	1252	{40439ED2-FE82-4987-9835-6257209AC1EA}.exe	31
PID 2736 wrote to memory of 916	2736	{66A7C2F3-1588-455a-9681-35C8045B077E}.exe	34
PID 2736 wrote to memory of 916	2736	{66A7C2F3-1588-455a-9681-35C8045B077E}.exe	34
PID 2736 wrote to memory of 916	2736	{66A7C2F3-1588-455a-9681-35C8045B077E}.exe	34
PID 2736 wrote to memory of 916	2736	{66A7C2F3-1588-455a-9681-35C8045B077E}.exe	34
PID 2736 wrote to memory of 2500	2736	{66A7C2F3-1588-455a-9681-35C8045B077E}.exe	35
PID 2736 wrote to memory of 2500	2736	{66A7C2F3-1588-455a-9681-35C8045B077E}.exe	35
PID 2736 wrote to memory of 2500	2736	{66A7C2F3-1588-455a-9681-35C8045B077E}.exe	35
PID 2736 wrote to memory of 2500	2736	{66A7C2F3-1588-455a-9681-35C8045B077E}.exe	35
PID 916 wrote to memory of 2340	916	{BA8B4455-B207-4c13-B378-1FEF70735B01}.exe	36
PID 916 wrote to memory of 2340	916	{BA8B4455-B207-4c13-B378-1FEF70735B01}.exe	36
PID 916 wrote to memory of 2340	916	{BA8B4455-B207-4c13-B378-1FEF70735B01}.exe	36
PID 916 wrote to memory of 2340	916	{BA8B4455-B207-4c13-B378-1FEF70735B01}.exe	36
PID 916 wrote to memory of 2036	916	{BA8B4455-B207-4c13-B378-1FEF70735B01}.exe	37
PID 916 wrote to memory of 2036	916	{BA8B4455-B207-4c13-B378-1FEF70735B01}.exe	37
PID 916 wrote to memory of 2036	916	{BA8B4455-B207-4c13-B378-1FEF70735B01}.exe	37
PID 916 wrote to memory of 2036	916	{BA8B4455-B207-4c13-B378-1FEF70735B01}.exe	37
PID 2340 wrote to memory of 432	2340	{C236BA3E-2E81-4521-BC0B-691D6D74BD35}.exe	38
PID 2340 wrote to memory of 432	2340	{C236BA3E-2E81-4521-BC0B-691D6D74BD35}.exe	38
PID 2340 wrote to memory of 432	2340	{C236BA3E-2E81-4521-BC0B-691D6D74BD35}.exe	38
PID 2340 wrote to memory of 432	2340	{C236BA3E-2E81-4521-BC0B-691D6D74BD35}.exe	38
PID 2340 wrote to memory of 2840	2340	{C236BA3E-2E81-4521-BC0B-691D6D74BD35}.exe	39
PID 2340 wrote to memory of 2840	2340	{C236BA3E-2E81-4521-BC0B-691D6D74BD35}.exe	39
PID 2340 wrote to memory of 2840	2340	{C236BA3E-2E81-4521-BC0B-691D6D74BD35}.exe	39
PID 2340 wrote to memory of 2840	2340	{C236BA3E-2E81-4521-BC0B-691D6D74BD35}.exe	39
PID 432 wrote to memory of 360	432	{F08EE274-ED62-43ee-9B95-406FA5916799}.exe	40
PID 432 wrote to memory of 360	432	{F08EE274-ED62-43ee-9B95-406FA5916799}.exe	40
PID 432 wrote to memory of 360	432	{F08EE274-ED62-43ee-9B95-406FA5916799}.exe	40
PID 432 wrote to memory of 360	432	{F08EE274-ED62-43ee-9B95-406FA5916799}.exe	40
PID 432 wrote to memory of 2864	432	{F08EE274-ED62-43ee-9B95-406FA5916799}.exe	41
PID 432 wrote to memory of 2864	432	{F08EE274-ED62-43ee-9B95-406FA5916799}.exe	41
PID 432 wrote to memory of 2864	432	{F08EE274-ED62-43ee-9B95-406FA5916799}.exe	41
PID 432 wrote to memory of 2864	432	{F08EE274-ED62-43ee-9B95-406FA5916799}.exe	41
PID 360 wrote to memory of 2244	360	{5E5ADF1D-2736-4323-9257-10035D36F123}.exe	42
PID 360 wrote to memory of 2244	360	{5E5ADF1D-2736-4323-9257-10035D36F123}.exe	42
PID 360 wrote to memory of 2244	360	{5E5ADF1D-2736-4323-9257-10035D36F123}.exe	42
PID 360 wrote to memory of 2244	360	{5E5ADF1D-2736-4323-9257-10035D36F123}.exe	42
PID 360 wrote to memory of 1984	360	{5E5ADF1D-2736-4323-9257-10035D36F123}.exe	43
PID 360 wrote to memory of 1984	360	{5E5ADF1D-2736-4323-9257-10035D36F123}.exe	43
PID 360 wrote to memory of 1984	360	{5E5ADF1D-2736-4323-9257-10035D36F123}.exe	43
PID 360 wrote to memory of 1984	360	{5E5ADF1D-2736-4323-9257-10035D36F123}.exe	43
PID 2244 wrote to memory of 1376	2244	{63D7BB73-592D-4892-9362-0F9BBDF2831F}.exe	44
PID 2244 wrote to memory of 1376	2244	{63D7BB73-592D-4892-9362-0F9BBDF2831F}.exe	44
PID 2244 wrote to memory of 1376	2244	{63D7BB73-592D-4892-9362-0F9BBDF2831F}.exe	44
PID 2244 wrote to memory of 1376	2244	{63D7BB73-592D-4892-9362-0F9BBDF2831F}.exe	44
PID 2244 wrote to memory of 2568	2244	{63D7BB73-592D-4892-9362-0F9BBDF2831F}.exe	45
PID 2244 wrote to memory of 2568	2244	{63D7BB73-592D-4892-9362-0F9BBDF2831F}.exe	45
PID 2244 wrote to memory of 2568	2244	{63D7BB73-592D-4892-9362-0F9BBDF2831F}.exe	45
PID 2244 wrote to memory of 2568	2244	{63D7BB73-592D-4892-9362-0F9BBDF2831F}.exe	45

C:\Users\Admin\AppData\Local\Temp\8d28475f21cd57bf80671905c21771e69aca8f30cfb78de88adf1440471d0019_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8d28475f21cd57bf80671905c21771e69aca8f30cfb78de88adf1440471d0019_NeikiAnalytics.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\{40439ED2-FE82-4987-9835-6257209AC1EA}.exe
  C:\Windows\{40439ED2-FE82-4987-9835-6257209AC1EA}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Windows\{66A7C2F3-1588-455a-9681-35C8045B077E}.exe
    C:\Windows\{66A7C2F3-1588-455a-9681-35C8045B077E}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\{BA8B4455-B207-4c13-B378-1FEF70735B01}.exe
      C:\Windows\{BA8B4455-B207-4c13-B378-1FEF70735B01}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:916
    - - C:\Windows\{C236BA3E-2E81-4521-BC0B-691D6D74BD35}.exe
        
        C:\Windows\{C236BA3E-2E81-4521-BC0B-691D6D74BD35}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2340
      - C:\Windows\{F08EE274-ED62-43ee-9B95-406FA5916799}.exe
        
        C:\Windows\{F08EE274-ED62-43ee-9B95-406FA5916799}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\{5E5ADF1D-2736-4323-9257-10035D36F123}.exe
        
        C:\Windows\{5E5ADF1D-2736-4323-9257-10035D36F123}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:360
        
        C:\Windows\{63D7BB73-592D-4892-9362-0F9BBDF2831F}.exe
        
        C:\Windows\{63D7BB73-592D-4892-9362-0F9BBDF2831F}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\{5274020B-20E0-4343-89C0-34FE54900A7A}.exe
        
        C:\Windows\{5274020B-20E0-4343-89C0-34FE54900A7A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
        
        C:\Windows\{C1502349-0D39-4a18-BADB-1572266F149B}.exe
        
        C:\Windows\{C1502349-0D39-4a18-BADB-1572266F149B}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:928
        
        C:\Windows\{E0D1F679-B199-4ef7-9B05-5C4AD4C986E7}.exe
        
        C:\Windows\{E0D1F679-B199-4ef7-9B05-5C4AD4C986E7}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\{C168923E-BDF0-4b29-BC3A-3B1F9BD0847A}.exe
        
        C:\Windows\{C168923E-BDF0-4b29-BC3A-3B1F9BD0847A}.exe
        12⤵
        Executes dropped EXE
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0D1F~1.EXE > nul
        12⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1502~1.EXE > nul
        11⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52740~1.EXE > nul
        10⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63D7B~1.EXE > nul
        9⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E5AD~1.EXE > nul
        8⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F08EE~1.EXE > nul
        7⤵
        
        PID:2864
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C236B~1.EXE > nul
        6⤵
        
        PID:2840
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA8B4~1.EXE > nul
        5⤵
        
        PID:2036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{66A7C~1.EXE > nul
      4⤵
      PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{40439~1.EXE > nul
    3⤵
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\8D2847~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{40439ED2-FE82-4987-9835-6257209AC1EA}.exe

Filesize
90KB

MD5
37d75196b53c2f64d4917472fd750ebf

SHA1
7fd55daae0257d1cf3f113f63bda33724d42bf12

SHA256
ba7ad3885269f69589596827af4e310eec9459976d567c75fdc9815cfcc46aaa

SHA512
5bdf9cf80762668535cd481d40e5f435c7d2d3b6d027314e026bcc602b936a24741c37e9c4bbbb350f5b77aa61e88fbd8c824f79c06437097d52354a9421e5c1

Download Submit
C:\Windows\{5274020B-20E0-4343-89C0-34FE54900A7A}.exe

Filesize
90KB

MD5
9bfc559c68bd8c4684efec3918cdd330

SHA1
13d2d7dd0a56ec8dbe616563d79c4872c9194ef2

SHA256
ed01785e08db4ac3c8cf25e99610dd0b122b439d053aabe4f1af9130643aedd5

SHA512
7a08049c4c6b61486c199410b7a66d228cbccc5bd14e73f02eb64ed74a2e04f03b89aac862fa0c832105927a49af564da8d7179f6076fefb0fa7a59eeb0a3576

Download Submit
C:\Windows\{5E5ADF1D-2736-4323-9257-10035D36F123}.exe

Filesize
90KB

MD5
2c193eb796a68124084be017b9a30ec9

SHA1
10d8c7ea6940fe7e62a4175128f2a7bea4d293bc

SHA256
00d69f4baa23ac982f9f403bc150b7d84887c7ff80017d7359d4983f6e56155c

SHA512
60c79d7da298e8c27bcf09be35e190e1a4f11922ebf9eff9941104775ff9bfd67ade5d753e22817cdecb2c042490af87745321dfa533a7050c085f0ad7daa3f0

Download Submit
C:\Windows\{63D7BB73-592D-4892-9362-0F9BBDF2831F}.exe

Filesize
90KB

MD5
0eb929757d7b190d4a23805b1bbebba0

SHA1
c635760ddd446a3e0a14658498c164ef7ad4ee4f

SHA256
f5b7afef7d501a14c0416e747cc17bb5d67a80628e942b4b66e5c3e5f970e404

SHA512
87fc3ea61293e1e917b2032b7fdeaaabb1cb12d04bc8a08bcc8b7fd581baf7e4937288dc20788fe552e290303028abd96c0353b7d13973ccad28aeef18ea0d56

Download Submit
C:\Windows\{66A7C2F3-1588-455a-9681-35C8045B077E}.exe

Filesize
90KB

MD5
dad36da26b69f7c1a6d2e22eb9fe8cbf

SHA1
fa6d3bd1f30232d852f7cc593292604381f60f46

SHA256
7946f7de87dd1afec4f8f9ed22f4d669b930ece8ce882441aef9bb5aca4ab263

SHA512
cdea5ba865691a5225161da109bbc3cce48f9e2473cf577a0dbffbb4b9b79cd69ef1542484d81eaa0ff908c4eb0cf93f6e7ba5cf96a58ef5f9ce18ab699e2819

Download Submit
C:\Windows\{BA8B4455-B207-4c13-B378-1FEF70735B01}.exe

Filesize
90KB

MD5
918cdde4fd81efc27f92d0f85719397d

SHA1
b899a04c011e6417340e8e55999955758b3a9a01

SHA256
225343cc6eabc9a18c8f37a879333a5fed7cca5a364cfe274b1f2ab4141fe605

SHA512
decff33662156d3ad5c3f7a6bc4ec14e281f4423a2abc8407905d0b2102405df6ca060bfed9215cd3d4fe42f3f3469389d99b8db83deb46a004346bd3afc965e

Download Submit
C:\Windows\{C1502349-0D39-4a18-BADB-1572266F149B}.exe

Filesize
90KB

MD5
a793d1949b36c02f985cda82fb5282b3

SHA1
5eece0a36a7d3abc546b08e82f5a4ca7d5540d5e

SHA256
e77f8a021b657a31ff0c1e3817f752cc168bc450155b27c26dfc78ea337b3e46

SHA512
2b58f0ffc66a2f8343f4b8db909880821493a11e8b38820dc4d4a3d480e6a407fa5e813cef55d3c580036e11cac0892b6ca0550eb8996f053f234d0d2f99dadf

Download Submit
C:\Windows\{C168923E-BDF0-4b29-BC3A-3B1F9BD0847A}.exe

Filesize
90KB

MD5
b5f129e5f859810a29f49c6876b73cf1

SHA1
22d139a422c01e8b9710b2f9da751bcb265d259e

SHA256
ac28c88e315cde7ce311c85d7a6a0e58f968ec730b268626aed9f7813a1e8f2c

SHA512
c84c008953084747170fb42c9db52624e4fa40e62fb35d1838e445eb7237589d4e4d2a0b0764a29f3fcca262c94b6dea1703e6ec350f415aef8cc7bee3b4d580

Download Submit
C:\Windows\{C236BA3E-2E81-4521-BC0B-691D6D74BD35}.exe

Filesize
90KB

MD5
38466e69ef7574d33293d75682111e81

SHA1
038e6856e141939241de9781d18bf084ad51a0e9

SHA256
fb7408ea912f8ca2e97d409f029ce34094fa1c2fafa3e85b3ac5073f0463c721

SHA512
9fd25c67694ce44a3645905e4e10d3846f776edb9acd4dabb0e1bfb0345931ab1317a4e95808b2cd34b680412c71ca035ecee691e54f596dc63a4ffb70247ee8

Download Submit
C:\Windows\{E0D1F679-B199-4ef7-9B05-5C4AD4C986E7}.exe

Filesize
90KB

MD5
4795cd1cf6f0d126c6322bd8da857502

SHA1
9b572bf55fb9abf7865930231f6864de242165ad

SHA256
c33255e07b33e9216d727a28b7ec5444510c1ec883c079339f5936ec516a3c77

SHA512
6e80e500e0ed8c66280c30bbc4b77169ba415f1638a8efaf859eb12bfd5deb8df6c5371cd9de4bf7a3ebe6827d748c10a7ab2f56eced46f46a6ff4bc08922f42

Download Submit
C:\Windows\{F08EE274-ED62-43ee-9B95-406FA5916799}.exe

Filesize
90KB

MD5
3c5c457fd60211c4db880097cbdabe6d

SHA1
d6ea15d90d5629db1a68c09232c7397224de6241

SHA256
51aecc22f6a2e3390a1438933ad770f1a8eb634368b78849cffb6b7477cb2db4

SHA512
84a89816ad8de564027e47e1536d48bab45bf744d46c5240f6eed2274e82d447241db3a1d859ba633d84c4a8b36b95077a1c7b8c87bcf239a3e47edd86b1ca88

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads