7eb89cd1f0ed28ad4a925953f09f1114d72cc73f2fa036a146c02ef07763bdae

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7eb89cd1f0ed28ad4a925953f09f1114d72cc73f2fa036a146c02ef07763bdae_NeikiAnalytics.exe
Size

118KB
MD5

b38d8849b7e15cd0ca0b3d83c8d29f20
SHA1

63235020c6c41ab014367c41715923987d7b65de
SHA256

7eb89cd1f0ed28ad4a925953f09f1114d72cc73f2fa036a146c02ef07763bdae
SHA512

1a5db5c74e87bd531951ccced6a7f5881436d0c99b638c8a128bd8db670f03fb5387c1d3517f66345a7b67ea6aa0e4d2533e5184ec7c86e03a41838875daf141
SSDEEP

1536:nEGh0oll2unMxVS3HgdoKjhLJh731xvsr:nEGh0ollvMUyNjhLJh731xvsr

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDBC0343-97E2-46c2-9191-58D0FDAB3C82}\stubpath = "C:\\Windows\\{CDBC0343-97E2-46c2-9191-58D0FDAB3C82}.exe"	{9FE885F3-9428-4f52-A770-13110CA47CAB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95AF7456-81FF-45e0-9A7B-6249473BAD99}	{CDBC0343-97E2-46c2-9191-58D0FDAB3C82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DAC0C68-E6AE-475b-BC84-A26872BF1941}\stubpath = "C:\\Windows\\{5DAC0C68-E6AE-475b-BC84-A26872BF1941}.exe"	{CA81595D-0B1C-41cb-886B-4790380F233E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FBAB6DD-7689-4969-B82B-4AD19853B40B}\stubpath = "C:\\Windows\\{1FBAB6DD-7689-4969-B82B-4AD19853B40B}.exe"	{6193EC9B-D668-48e4-A938-D280D1F30032}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FBAB6DD-7689-4969-B82B-4AD19853B40B}	{6193EC9B-D668-48e4-A938-D280D1F30032}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3592F76E-B779-48df-B17A-F21F1D5EF94E}	7eb89cd1f0ed28ad4a925953f09f1114d72cc73f2fa036a146c02ef07763bdae_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69F40E7A-716D-46bc-A1AB-F3B3E3D45A7E}	{7961E171-788D-4a15-8D1D-3D9451B80494}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A196E8C1-1931-4cb5-A87D-386F8EC1C5B9}	{5DAC0C68-E6AE-475b-BC84-A26872BF1941}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6193EC9B-D668-48e4-A938-D280D1F30032}	{A196E8C1-1931-4cb5-A87D-386F8EC1C5B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6193EC9B-D668-48e4-A938-D280D1F30032}\stubpath = "C:\\Windows\\{6193EC9B-D668-48e4-A938-D280D1F30032}.exe"	{A196E8C1-1931-4cb5-A87D-386F8EC1C5B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A196E8C1-1931-4cb5-A87D-386F8EC1C5B9}\stubpath = "C:\\Windows\\{A196E8C1-1931-4cb5-A87D-386F8EC1C5B9}.exe"	{5DAC0C68-E6AE-475b-BC84-A26872BF1941}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16147A88-20A9-42bb-808E-D289CF538847}	{1FBAB6DD-7689-4969-B82B-4AD19853B40B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7961E171-788D-4a15-8D1D-3D9451B80494}	{95AF7456-81FF-45e0-9A7B-6249473BAD99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7961E171-788D-4a15-8D1D-3D9451B80494}\stubpath = "C:\\Windows\\{7961E171-788D-4a15-8D1D-3D9451B80494}.exe"	{95AF7456-81FF-45e0-9A7B-6249473BAD99}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA81595D-0B1C-41cb-886B-4790380F233E}	{69F40E7A-716D-46bc-A1AB-F3B3E3D45A7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA81595D-0B1C-41cb-886B-4790380F233E}\stubpath = "C:\\Windows\\{CA81595D-0B1C-41cb-886B-4790380F233E}.exe"	{69F40E7A-716D-46bc-A1AB-F3B3E3D45A7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DAC0C68-E6AE-475b-BC84-A26872BF1941}	{CA81595D-0B1C-41cb-886B-4790380F233E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69F40E7A-716D-46bc-A1AB-F3B3E3D45A7E}\stubpath = "C:\\Windows\\{69F40E7A-716D-46bc-A1AB-F3B3E3D45A7E}.exe"	{7961E171-788D-4a15-8D1D-3D9451B80494}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16147A88-20A9-42bb-808E-D289CF538847}\stubpath = "C:\\Windows\\{16147A88-20A9-42bb-808E-D289CF538847}.exe"	{1FBAB6DD-7689-4969-B82B-4AD19853B40B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3592F76E-B779-48df-B17A-F21F1D5EF94E}\stubpath = "C:\\Windows\\{3592F76E-B779-48df-B17A-F21F1D5EF94E}.exe"	7eb89cd1f0ed28ad4a925953f09f1114d72cc73f2fa036a146c02ef07763bdae_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FE885F3-9428-4f52-A770-13110CA47CAB}	{3592F76E-B779-48df-B17A-F21F1D5EF94E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FE885F3-9428-4f52-A770-13110CA47CAB}\stubpath = "C:\\Windows\\{9FE885F3-9428-4f52-A770-13110CA47CAB}.exe"	{3592F76E-B779-48df-B17A-F21F1D5EF94E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDBC0343-97E2-46c2-9191-58D0FDAB3C82}	{9FE885F3-9428-4f52-A770-13110CA47CAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95AF7456-81FF-45e0-9A7B-6249473BAD99}\stubpath = "C:\\Windows\\{95AF7456-81FF-45e0-9A7B-6249473BAD99}.exe"	{CDBC0343-97E2-46c2-9191-58D0FDAB3C82}.exe

Executes dropped EXE 12 IoCs

pid	Process
1292	{3592F76E-B779-48df-B17A-F21F1D5EF94E}.exe
2992	{9FE885F3-9428-4f52-A770-13110CA47CAB}.exe
1368	{CDBC0343-97E2-46c2-9191-58D0FDAB3C82}.exe
1972	{95AF7456-81FF-45e0-9A7B-6249473BAD99}.exe
2376	{7961E171-788D-4a15-8D1D-3D9451B80494}.exe
4888	{69F40E7A-716D-46bc-A1AB-F3B3E3D45A7E}.exe
2596	{CA81595D-0B1C-41cb-886B-4790380F233E}.exe
3992	{5DAC0C68-E6AE-475b-BC84-A26872BF1941}.exe
4380	{A196E8C1-1931-4cb5-A87D-386F8EC1C5B9}.exe
4840	{6193EC9B-D668-48e4-A938-D280D1F30032}.exe
872	{1FBAB6DD-7689-4969-B82B-4AD19853B40B}.exe
4664	{16147A88-20A9-42bb-808E-D289CF538847}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{CDBC0343-97E2-46c2-9191-58D0FDAB3C82}.exe	{9FE885F3-9428-4f52-A770-13110CA47CAB}.exe
File created	C:\Windows\{69F40E7A-716D-46bc-A1AB-F3B3E3D45A7E}.exe	{7961E171-788D-4a15-8D1D-3D9451B80494}.exe
File created	C:\Windows\{CA81595D-0B1C-41cb-886B-4790380F233E}.exe	{69F40E7A-716D-46bc-A1AB-F3B3E3D45A7E}.exe
File created	C:\Windows\{16147A88-20A9-42bb-808E-D289CF538847}.exe	{1FBAB6DD-7689-4969-B82B-4AD19853B40B}.exe
File created	C:\Windows\{6193EC9B-D668-48e4-A938-D280D1F30032}.exe	{A196E8C1-1931-4cb5-A87D-386F8EC1C5B9}.exe
File created	C:\Windows\{1FBAB6DD-7689-4969-B82B-4AD19853B40B}.exe	{6193EC9B-D668-48e4-A938-D280D1F30032}.exe
File created	C:\Windows\{3592F76E-B779-48df-B17A-F21F1D5EF94E}.exe	7eb89cd1f0ed28ad4a925953f09f1114d72cc73f2fa036a146c02ef07763bdae_NeikiAnalytics.exe
File created	C:\Windows\{9FE885F3-9428-4f52-A770-13110CA47CAB}.exe	{3592F76E-B779-48df-B17A-F21F1D5EF94E}.exe
File created	C:\Windows\{95AF7456-81FF-45e0-9A7B-6249473BAD99}.exe	{CDBC0343-97E2-46c2-9191-58D0FDAB3C82}.exe
File created	C:\Windows\{7961E171-788D-4a15-8D1D-3D9451B80494}.exe	{95AF7456-81FF-45e0-9A7B-6249473BAD99}.exe
File created	C:\Windows\{5DAC0C68-E6AE-475b-BC84-A26872BF1941}.exe	{CA81595D-0B1C-41cb-886B-4790380F233E}.exe
File created	C:\Windows\{A196E8C1-1931-4cb5-A87D-386F8EC1C5B9}.exe	{5DAC0C68-E6AE-475b-BC84-A26872BF1941}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3380	7eb89cd1f0ed28ad4a925953f09f1114d72cc73f2fa036a146c02ef07763bdae_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	1292	{3592F76E-B779-48df-B17A-F21F1D5EF94E}.exe
Token: SeIncBasePriorityPrivilege	2992	{9FE885F3-9428-4f52-A770-13110CA47CAB}.exe
Token: SeIncBasePriorityPrivilege	1368	{CDBC0343-97E2-46c2-9191-58D0FDAB3C82}.exe
Token: SeIncBasePriorityPrivilege	1972	{95AF7456-81FF-45e0-9A7B-6249473BAD99}.exe
Token: SeIncBasePriorityPrivilege	2376	{7961E171-788D-4a15-8D1D-3D9451B80494}.exe
Token: SeIncBasePriorityPrivilege	4888	{69F40E7A-716D-46bc-A1AB-F3B3E3D45A7E}.exe
Token: SeIncBasePriorityPrivilege	2596	{CA81595D-0B1C-41cb-886B-4790380F233E}.exe
Token: SeIncBasePriorityPrivilege	3992	{5DAC0C68-E6AE-475b-BC84-A26872BF1941}.exe
Token: SeIncBasePriorityPrivilege	4380	{A196E8C1-1931-4cb5-A87D-386F8EC1C5B9}.exe
Token: SeIncBasePriorityPrivilege	4840	{6193EC9B-D668-48e4-A938-D280D1F30032}.exe
Token: SeIncBasePriorityPrivilege	872	{1FBAB6DD-7689-4969-B82B-4AD19853B40B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3380 wrote to memory of 1292	3380	7eb89cd1f0ed28ad4a925953f09f1114d72cc73f2fa036a146c02ef07763bdae_NeikiAnalytics.exe	88
PID 3380 wrote to memory of 1292	3380	7eb89cd1f0ed28ad4a925953f09f1114d72cc73f2fa036a146c02ef07763bdae_NeikiAnalytics.exe	88
PID 3380 wrote to memory of 1292	3380	7eb89cd1f0ed28ad4a925953f09f1114d72cc73f2fa036a146c02ef07763bdae_NeikiAnalytics.exe	88
PID 3380 wrote to memory of 772	3380	7eb89cd1f0ed28ad4a925953f09f1114d72cc73f2fa036a146c02ef07763bdae_NeikiAnalytics.exe	89
PID 3380 wrote to memory of 772	3380	7eb89cd1f0ed28ad4a925953f09f1114d72cc73f2fa036a146c02ef07763bdae_NeikiAnalytics.exe	89
PID 3380 wrote to memory of 772	3380	7eb89cd1f0ed28ad4a925953f09f1114d72cc73f2fa036a146c02ef07763bdae_NeikiAnalytics.exe	89
PID 1292 wrote to memory of 2992	1292	{3592F76E-B779-48df-B17A-F21F1D5EF94E}.exe	90
PID 1292 wrote to memory of 2992	1292	{3592F76E-B779-48df-B17A-F21F1D5EF94E}.exe	90
PID 1292 wrote to memory of 2992	1292	{3592F76E-B779-48df-B17A-F21F1D5EF94E}.exe	90
PID 1292 wrote to memory of 3320	1292	{3592F76E-B779-48df-B17A-F21F1D5EF94E}.exe	91
PID 1292 wrote to memory of 3320	1292	{3592F76E-B779-48df-B17A-F21F1D5EF94E}.exe	91
PID 1292 wrote to memory of 3320	1292	{3592F76E-B779-48df-B17A-F21F1D5EF94E}.exe	91
PID 2992 wrote to memory of 1368	2992	{9FE885F3-9428-4f52-A770-13110CA47CAB}.exe	94
PID 2992 wrote to memory of 1368	2992	{9FE885F3-9428-4f52-A770-13110CA47CAB}.exe	94
PID 2992 wrote to memory of 1368	2992	{9FE885F3-9428-4f52-A770-13110CA47CAB}.exe	94
PID 2992 wrote to memory of 2064	2992	{9FE885F3-9428-4f52-A770-13110CA47CAB}.exe	95
PID 2992 wrote to memory of 2064	2992	{9FE885F3-9428-4f52-A770-13110CA47CAB}.exe	95
PID 2992 wrote to memory of 2064	2992	{9FE885F3-9428-4f52-A770-13110CA47CAB}.exe	95
PID 1368 wrote to memory of 1972	1368	{CDBC0343-97E2-46c2-9191-58D0FDAB3C82}.exe	96
PID 1368 wrote to memory of 1972	1368	{CDBC0343-97E2-46c2-9191-58D0FDAB3C82}.exe	96
PID 1368 wrote to memory of 1972	1368	{CDBC0343-97E2-46c2-9191-58D0FDAB3C82}.exe	96
PID 1368 wrote to memory of 4464	1368	{CDBC0343-97E2-46c2-9191-58D0FDAB3C82}.exe	97
PID 1368 wrote to memory of 4464	1368	{CDBC0343-97E2-46c2-9191-58D0FDAB3C82}.exe	97
PID 1368 wrote to memory of 4464	1368	{CDBC0343-97E2-46c2-9191-58D0FDAB3C82}.exe	97
PID 1972 wrote to memory of 2376	1972	{95AF7456-81FF-45e0-9A7B-6249473BAD99}.exe	98
PID 1972 wrote to memory of 2376	1972	{95AF7456-81FF-45e0-9A7B-6249473BAD99}.exe	98
PID 1972 wrote to memory of 2376	1972	{95AF7456-81FF-45e0-9A7B-6249473BAD99}.exe	98
PID 1972 wrote to memory of 3092	1972	{95AF7456-81FF-45e0-9A7B-6249473BAD99}.exe	99
PID 1972 wrote to memory of 3092	1972	{95AF7456-81FF-45e0-9A7B-6249473BAD99}.exe	99
PID 1972 wrote to memory of 3092	1972	{95AF7456-81FF-45e0-9A7B-6249473BAD99}.exe	99
PID 2376 wrote to memory of 4888	2376	{7961E171-788D-4a15-8D1D-3D9451B80494}.exe	100
PID 2376 wrote to memory of 4888	2376	{7961E171-788D-4a15-8D1D-3D9451B80494}.exe	100
PID 2376 wrote to memory of 4888	2376	{7961E171-788D-4a15-8D1D-3D9451B80494}.exe	100
PID 2376 wrote to memory of 2808	2376	{7961E171-788D-4a15-8D1D-3D9451B80494}.exe	101
PID 2376 wrote to memory of 2808	2376	{7961E171-788D-4a15-8D1D-3D9451B80494}.exe	101
PID 2376 wrote to memory of 2808	2376	{7961E171-788D-4a15-8D1D-3D9451B80494}.exe	101
PID 4888 wrote to memory of 2596	4888	{69F40E7A-716D-46bc-A1AB-F3B3E3D45A7E}.exe	102
PID 4888 wrote to memory of 2596	4888	{69F40E7A-716D-46bc-A1AB-F3B3E3D45A7E}.exe	102
PID 4888 wrote to memory of 2596	4888	{69F40E7A-716D-46bc-A1AB-F3B3E3D45A7E}.exe	102
PID 4888 wrote to memory of 2540	4888	{69F40E7A-716D-46bc-A1AB-F3B3E3D45A7E}.exe	103
PID 4888 wrote to memory of 2540	4888	{69F40E7A-716D-46bc-A1AB-F3B3E3D45A7E}.exe	103
PID 4888 wrote to memory of 2540	4888	{69F40E7A-716D-46bc-A1AB-F3B3E3D45A7E}.exe	103
PID 2596 wrote to memory of 3992	2596	{CA81595D-0B1C-41cb-886B-4790380F233E}.exe	104
PID 2596 wrote to memory of 3992	2596	{CA81595D-0B1C-41cb-886B-4790380F233E}.exe	104
PID 2596 wrote to memory of 3992	2596	{CA81595D-0B1C-41cb-886B-4790380F233E}.exe	104
PID 2596 wrote to memory of 3472	2596	{CA81595D-0B1C-41cb-886B-4790380F233E}.exe	105
PID 2596 wrote to memory of 3472	2596	{CA81595D-0B1C-41cb-886B-4790380F233E}.exe	105
PID 2596 wrote to memory of 3472	2596	{CA81595D-0B1C-41cb-886B-4790380F233E}.exe	105
PID 3992 wrote to memory of 4380	3992	{5DAC0C68-E6AE-475b-BC84-A26872BF1941}.exe	106
PID 3992 wrote to memory of 4380	3992	{5DAC0C68-E6AE-475b-BC84-A26872BF1941}.exe	106
PID 3992 wrote to memory of 4380	3992	{5DAC0C68-E6AE-475b-BC84-A26872BF1941}.exe	106
PID 3992 wrote to memory of 2352	3992	{5DAC0C68-E6AE-475b-BC84-A26872BF1941}.exe	107
PID 3992 wrote to memory of 2352	3992	{5DAC0C68-E6AE-475b-BC84-A26872BF1941}.exe	107
PID 3992 wrote to memory of 2352	3992	{5DAC0C68-E6AE-475b-BC84-A26872BF1941}.exe	107
PID 4380 wrote to memory of 4840	4380	{A196E8C1-1931-4cb5-A87D-386F8EC1C5B9}.exe	108
PID 4380 wrote to memory of 4840	4380	{A196E8C1-1931-4cb5-A87D-386F8EC1C5B9}.exe	108
PID 4380 wrote to memory of 4840	4380	{A196E8C1-1931-4cb5-A87D-386F8EC1C5B9}.exe	108
PID 4380 wrote to memory of 4676	4380	{A196E8C1-1931-4cb5-A87D-386F8EC1C5B9}.exe	109
PID 4380 wrote to memory of 4676	4380	{A196E8C1-1931-4cb5-A87D-386F8EC1C5B9}.exe	109
PID 4380 wrote to memory of 4676	4380	{A196E8C1-1931-4cb5-A87D-386F8EC1C5B9}.exe	109
PID 4840 wrote to memory of 872	4840	{6193EC9B-D668-48e4-A938-D280D1F30032}.exe	110
PID 4840 wrote to memory of 872	4840	{6193EC9B-D668-48e4-A938-D280D1F30032}.exe	110
PID 4840 wrote to memory of 872	4840	{6193EC9B-D668-48e4-A938-D280D1F30032}.exe	110
PID 4840 wrote to memory of 344	4840	{6193EC9B-D668-48e4-A938-D280D1F30032}.exe	111

C:\Users\Admin\AppData\Local\Temp\7eb89cd1f0ed28ad4a925953f09f1114d72cc73f2fa036a146c02ef07763bdae_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7eb89cd1f0ed28ad4a925953f09f1114d72cc73f2fa036a146c02ef07763bdae_NeikiAnalytics.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Windows\{3592F76E-B779-48df-B17A-F21F1D5EF94E}.exe
  C:\Windows\{3592F76E-B779-48df-B17A-F21F1D5EF94E}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\{9FE885F3-9428-4f52-A770-13110CA47CAB}.exe
    C:\Windows\{9FE885F3-9428-4f52-A770-13110CA47CAB}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\{CDBC0343-97E2-46c2-9191-58D0FDAB3C82}.exe
      C:\Windows\{CDBC0343-97E2-46c2-9191-58D0FDAB3C82}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1368
    - - C:\Windows\{95AF7456-81FF-45e0-9A7B-6249473BAD99}.exe
        
        C:\Windows\{95AF7456-81FF-45e0-9A7B-6249473BAD99}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1972
      - C:\Windows\{7961E171-788D-4a15-8D1D-3D9451B80494}.exe
        
        C:\Windows\{7961E171-788D-4a15-8D1D-3D9451B80494}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\{69F40E7A-716D-46bc-A1AB-F3B3E3D45A7E}.exe
        
        C:\Windows\{69F40E7A-716D-46bc-A1AB-F3B3E3D45A7E}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\{CA81595D-0B1C-41cb-886B-4790380F233E}.exe
        
        C:\Windows\{CA81595D-0B1C-41cb-886B-4790380F233E}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\{5DAC0C68-E6AE-475b-BC84-A26872BF1941}.exe
        
        C:\Windows\{5DAC0C68-E6AE-475b-BC84-A26872BF1941}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\{A196E8C1-1931-4cb5-A87D-386F8EC1C5B9}.exe
        
        C:\Windows\{A196E8C1-1931-4cb5-A87D-386F8EC1C5B9}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\{6193EC9B-D668-48e4-A938-D280D1F30032}.exe
        
        C:\Windows\{6193EC9B-D668-48e4-A938-D280D1F30032}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\{1FBAB6DD-7689-4969-B82B-4AD19853B40B}.exe
        
        C:\Windows\{1FBAB6DD-7689-4969-B82B-4AD19853B40B}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
        
        C:\Windows\{16147A88-20A9-42bb-808E-D289CF538847}.exe
        
        C:\Windows\{16147A88-20A9-42bb-808E-D289CF538847}.exe
        13⤵
        Executes dropped EXE
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1FBAB~1.EXE > nul
        13⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6193E~1.EXE > nul
        12⤵
        
        PID:344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A196E~1.EXE > nul
        11⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DAC0~1.EXE > nul
        10⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA815~1.EXE > nul
        9⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69F40~1.EXE > nul
        8⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7961E~1.EXE > nul
        7⤵
        
        PID:2808
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95AF7~1.EXE > nul
        6⤵
        
        PID:3092
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CDBC0~1.EXE > nul
        5⤵
        
        PID:4464
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9FE88~1.EXE > nul
      4⤵
      PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3592F~1.EXE > nul
    3⤵
    PID:3320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7EB89C~1.EXE > nul
  2⤵
  PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{16147A88-20A9-42bb-808E-D289CF538847}.exe

Filesize
118KB

MD5
4f339df9412abf6ccd9eeed839c8e2c2

SHA1
8ef674b8e188c7157a7c7cd78b30a87b79edbe87

SHA256
14aeadd01b2ea30f33bb16e386ac90dee0a6d335cc9df6ac9f1a3483f29ee08e

SHA512
138c0171e407867a75c4334ac8f10dfa8d666ed7fe7658e556a7715af597deaf6372fed7d82a3e9ed1ff5bc09f3d8d38f23b22c5776d0641d47cfaf9f8dd32a6

Download Submit
C:\Windows\{1FBAB6DD-7689-4969-B82B-4AD19853B40B}.exe

Filesize
118KB

MD5
63f19da517e054b0318c30660eda8a4a

SHA1
1ecae36d205c2cdec0c0d6d577e4d31510df279a

SHA256
56166cf56d4160fb32b4b88ef849b8e430dc6025af91a211ae64390e2f59cd78

SHA512
24ada46c3abee0cf855dd5a7726899e45b7514a2c3f23a8a28d4a364e559d9631819bee343dc8c8df77f2d48b7b4b113cbe95dced215640783692a6d14050b89

Download Submit
C:\Windows\{3592F76E-B779-48df-B17A-F21F1D5EF94E}.exe

Filesize
118KB

MD5
31c29b959024b28848cf30c9b1311644

SHA1
7868a2a53dd9f9f2f67bb8c08279570004b9ab2f

SHA256
a13e9bdfdf3c0a80c336a812fa889e32b1dbeae1c0d3a50fbc292cbec0041c76

SHA512
a8ca435127999c519e4796da99417814f7fecc190447d623e468ef4a4c0c6dbd9d3386dd6060d52caaff1a59f0f729e609bb07b72099136a3f73480e680c04c5

Download Submit
C:\Windows\{5DAC0C68-E6AE-475b-BC84-A26872BF1941}.exe

Filesize
118KB

MD5
b5251dd19625cbec24bc17508d959b86

SHA1
af196bd2deb69c05dcbd847d2929cd407041d0e2

SHA256
583fc788c305685cfa83efb8227f76f6cbed5b2a057a2af3c91c66857c01859f

SHA512
8de8e90a139c6568bfe7ee07adb48f6744ac9ceeca14875e3879ae53595f626e518ce125ec72f64a37d38fec0749e257c5054681a0879f54d2ad404502ffbf23

Download Submit
C:\Windows\{6193EC9B-D668-48e4-A938-D280D1F30032}.exe

Filesize
118KB

MD5
b0ffc075302e52aab9eab02e956c3442

SHA1
04b1b5168425c0fb2e2b5defce9eb3ea1e0f7c52

SHA256
4195af4b5fe0ff7deef36b6759f8f059bb49e151032d7c721a17ef518a305cde

SHA512
d19af0f2705d38d6d12bb75503a115e258ce59f0081db2ccdff062c343f295bbcdbf3c54dfa42dee3bd2735a0032d2b663b42017fd7f772f65b2e07af157c0ad

Download Submit
C:\Windows\{69F40E7A-716D-46bc-A1AB-F3B3E3D45A7E}.exe

Filesize
118KB

MD5
ff6187fd3e01cb3e2643b09b0983d6c8

SHA1
d745e60790803520aad45ba84f85be65b4ff4834

SHA256
859f7841dac2c95735cbbb8f334c6ca340446a4af102e38d08c4c541eeeabf9b

SHA512
1c91d658795787dd7e9907d4b8b7f219bd848b3c1da93311c2a584eeab6c24e1bd2159186412bac95036cbd86fd8039cd033900f285a3a9751dbdd70811c71be

Download Submit
C:\Windows\{7961E171-788D-4a15-8D1D-3D9451B80494}.exe

Filesize
118KB

MD5
b797d018a0f2959781dea39810d8cd39

SHA1
39436f508ce5ec226d4b59616be8bfecddf8a44a

SHA256
e190388245a671347ff11d65719d6cf8c13055e895ef9639833adc2b9dd5b64c

SHA512
8c6ff87e559b771625ec3c5960e66a9c01805e31852a08574d94da6a8cdf3d56acab8321ff8afb74128bcc2aa17b156c58cfc0e746d1b1ae56200f42064c0272

Download Submit
C:\Windows\{95AF7456-81FF-45e0-9A7B-6249473BAD99}.exe

Filesize
118KB

MD5
e7f4f3acdd9bd424353aed6920a743f6

SHA1
0fe331cbfda3f82a0326f2df9f8751b590366d5e

SHA256
bfd3dd8734bcba95ea187f2d35bb3f560eacef69a6a78f3a085ea48f0a52c2c9

SHA512
3f1d7e2dada4d64f67d278f2aa67f6fb160ce6d59cc5ff8c1d46de5bf64eac7b8f8ba15f4f05e26233c3a25d16c17f7d4d03e782f9b09e787ef380be1d1747a2

Download Submit
C:\Windows\{9FE885F3-9428-4f52-A770-13110CA47CAB}.exe

Filesize
118KB

MD5
88f448928e335f3c69b8a2851910e9c3

SHA1
a745ef4a1bf2180785844b870fc37e5ce4c0ddcb

SHA256
f98673d797bb8b9c7e9a56cbf21ac595db138643ea9f0896f855088744e95a42

SHA512
b8902b7a6c1bea0c671af97a0b94acb6cccdbe320761cf29b62471e25abeb69f057777348e05030ac1010f6f6692cf9e469fd69248ac1a41ff4c175691ef8bcf

Download Submit
C:\Windows\{A196E8C1-1931-4cb5-A87D-386F8EC1C5B9}.exe

Filesize
118KB

MD5
2b5e737e50b99224ec2e12abd9a88b84

SHA1
8225529e4d5239cbbcb69ba6214f5963dc21cbe7

SHA256
33139cc490819792002b4483d880a60b34ee9357cb44f695faacf55093c6c00a

SHA512
94ca13863ab13a79872a4605576e8d37e98b48e3e5a226fe2da8c62085d7ab890b4ab073d175c878852e46bde9024c166eb029c47d9e03cc8990e0edb23bf332

Download Submit
C:\Windows\{CA81595D-0B1C-41cb-886B-4790380F233E}.exe

Filesize
118KB

MD5
7b41a0517e03e110e96b4b135949cf4d

SHA1
83157f9a3132cfe6bb479fbb02c4238d027cfc82

SHA256
52e3e311109c33a54e2dbc16e758e6a18072ef64c013834ec0bf0013eec86f8d

SHA512
5fd219e5c8a7b9e4a487ed4735e07c62a3ddaa065a266dcbb2697002e9f71f31d08051d21bea27222ecaa059f1b282d03eda7a47bdd6c31a9c772119ec51c22a

Download Submit
C:\Windows\{CDBC0343-97E2-46c2-9191-58D0FDAB3C82}.exe

Filesize
118KB

MD5
f6e20f663e83ea676c68ceb59f8e1970

SHA1
ec3d070d1a5142db6af21debc29d732eba42575a

SHA256
9fc71fc45ef953fdb27b163785e42719a018c70d51ece81c2042496cfa06c55a

SHA512
568ecfc59750c1d44d4239afb87c62b425ae52fdf78b41372509a96f7a75dd82a59e5ee253cd08d90af4c546782b5ae1bcd7c6f4ac3538005dbdd98826bb3c50

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads