167b8eb011981310d2098ce279ede6a11345d11ceaabda968adfced76b26644b

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
30/06/2024, 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

167b8eb011981310d2098ce279ede6a11345d11ceaabda968adfced76b26644b_NeikiAnalytics.exe
Size

89KB
MD5

dc77f4ccefded2d2e7771de494519790
SHA1

3da039048c6039c3731fb6ecda08d3403b7873a8
SHA256

167b8eb011981310d2098ce279ede6a11345d11ceaabda968adfced76b26644b
SHA512

d847673ad2d2c228245a53f7d41867e9ebbc80663c6a2000aa0674b3525e740bbe5cc9e1555499c5bc25e385acbe3781931b818be055c34265e7d64dd115ec1e
SSDEEP

768:5vw9816thKQLroy4/wQkNrfrunMxVFA3k:lEG/0oylbunMxVS3k

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F56123EF-8DB1-47c4-B672-C257B91E79EB}	167b8eb011981310d2098ce279ede6a11345d11ceaabda968adfced76b26644b_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F56123EF-8DB1-47c4-B672-C257B91E79EB}\stubpath = "C:\\Windows\\{F56123EF-8DB1-47c4-B672-C257B91E79EB}.exe"	167b8eb011981310d2098ce279ede6a11345d11ceaabda968adfced76b26644b_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFAE7C67-0F85-4c01-BEB6-71040C1E48EB}\stubpath = "C:\\Windows\\{CFAE7C67-0F85-4c01-BEB6-71040C1E48EB}.exe"	{875F7B3A-A9C5-414b-8265-9F10A65A2BE6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9228C179-6B1C-4a0c-AB7E-2132C2E60E22}	{BFAAF168-4EED-40bf-8F21-F6184401B8DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{875F7B3A-A9C5-414b-8265-9F10A65A2BE6}\stubpath = "C:\\Windows\\{875F7B3A-A9C5-414b-8265-9F10A65A2BE6}.exe"	{F56123EF-8DB1-47c4-B672-C257B91E79EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFAE7C67-0F85-4c01-BEB6-71040C1E48EB}	{875F7B3A-A9C5-414b-8265-9F10A65A2BE6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFAAF168-4EED-40bf-8F21-F6184401B8DF}	{B4E6A531-F588-4b59-93C5-918D54B21293}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFAAF168-4EED-40bf-8F21-F6184401B8DF}\stubpath = "C:\\Windows\\{BFAAF168-4EED-40bf-8F21-F6184401B8DF}.exe"	{B4E6A531-F588-4b59-93C5-918D54B21293}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{016123FD-59F3-431f-B28E-611D65F0F679}	{9228C179-6B1C-4a0c-AB7E-2132C2E60E22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABCE1B09-FCA5-4504-AE63-F2364DF5C3FE}	{016123FD-59F3-431f-B28E-611D65F0F679}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37F47848-6469-4192-8C91-1D78E90754A7}\stubpath = "C:\\Windows\\{37F47848-6469-4192-8C91-1D78E90754A7}.exe"	{CECAD009-E6C8-444f-BCBC-BB352F4F7792}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0455761-DA41-4194-A50F-89EE83CBFBC2}\stubpath = "C:\\Windows\\{D0455761-DA41-4194-A50F-89EE83CBFBC2}.exe"	{37F47848-6469-4192-8C91-1D78E90754A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{875F7B3A-A9C5-414b-8265-9F10A65A2BE6}	{F56123EF-8DB1-47c4-B672-C257B91E79EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4E6A531-F588-4b59-93C5-918D54B21293}\stubpath = "C:\\Windows\\{B4E6A531-F588-4b59-93C5-918D54B21293}.exe"	{CFAE7C67-0F85-4c01-BEB6-71040C1E48EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9228C179-6B1C-4a0c-AB7E-2132C2E60E22}\stubpath = "C:\\Windows\\{9228C179-6B1C-4a0c-AB7E-2132C2E60E22}.exe"	{BFAAF168-4EED-40bf-8F21-F6184401B8DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABCE1B09-FCA5-4504-AE63-F2364DF5C3FE}\stubpath = "C:\\Windows\\{ABCE1B09-FCA5-4504-AE63-F2364DF5C3FE}.exe"	{016123FD-59F3-431f-B28E-611D65F0F679}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37F47848-6469-4192-8C91-1D78E90754A7}	{CECAD009-E6C8-444f-BCBC-BB352F4F7792}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0455761-DA41-4194-A50F-89EE83CBFBC2}	{37F47848-6469-4192-8C91-1D78E90754A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4E6A531-F588-4b59-93C5-918D54B21293}	{CFAE7C67-0F85-4c01-BEB6-71040C1E48EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{016123FD-59F3-431f-B28E-611D65F0F679}\stubpath = "C:\\Windows\\{016123FD-59F3-431f-B28E-611D65F0F679}.exe"	{9228C179-6B1C-4a0c-AB7E-2132C2E60E22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CECAD009-E6C8-444f-BCBC-BB352F4F7792}	{ABCE1B09-FCA5-4504-AE63-F2364DF5C3FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CECAD009-E6C8-444f-BCBC-BB352F4F7792}\stubpath = "C:\\Windows\\{CECAD009-E6C8-444f-BCBC-BB352F4F7792}.exe"	{ABCE1B09-FCA5-4504-AE63-F2364DF5C3FE}.exe

Deletes itself 1 IoCs

pid	Process
2624	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2424	{F56123EF-8DB1-47c4-B672-C257B91E79EB}.exe
2688	{875F7B3A-A9C5-414b-8265-9F10A65A2BE6}.exe
2632	{CFAE7C67-0F85-4c01-BEB6-71040C1E48EB}.exe
2532	{B4E6A531-F588-4b59-93C5-918D54B21293}.exe
1352	{BFAAF168-4EED-40bf-8F21-F6184401B8DF}.exe
1360	{9228C179-6B1C-4a0c-AB7E-2132C2E60E22}.exe
1028	{016123FD-59F3-431f-B28E-611D65F0F679}.exe
2232	{ABCE1B09-FCA5-4504-AE63-F2364DF5C3FE}.exe
1924	{CECAD009-E6C8-444f-BCBC-BB352F4F7792}.exe
292	{37F47848-6469-4192-8C91-1D78E90754A7}.exe
744	{D0455761-DA41-4194-A50F-89EE83CBFBC2}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{875F7B3A-A9C5-414b-8265-9F10A65A2BE6}.exe	{F56123EF-8DB1-47c4-B672-C257B91E79EB}.exe
File created	C:\Windows\{BFAAF168-4EED-40bf-8F21-F6184401B8DF}.exe	{B4E6A531-F588-4b59-93C5-918D54B21293}.exe
File created	C:\Windows\{37F47848-6469-4192-8C91-1D78E90754A7}.exe	{CECAD009-E6C8-444f-BCBC-BB352F4F7792}.exe
File created	C:\Windows\{D0455761-DA41-4194-A50F-89EE83CBFBC2}.exe	{37F47848-6469-4192-8C91-1D78E90754A7}.exe
File created	C:\Windows\{016123FD-59F3-431f-B28E-611D65F0F679}.exe	{9228C179-6B1C-4a0c-AB7E-2132C2E60E22}.exe
File created	C:\Windows\{ABCE1B09-FCA5-4504-AE63-F2364DF5C3FE}.exe	{016123FD-59F3-431f-B28E-611D65F0F679}.exe
File created	C:\Windows\{CECAD009-E6C8-444f-BCBC-BB352F4F7792}.exe	{ABCE1B09-FCA5-4504-AE63-F2364DF5C3FE}.exe
File created	C:\Windows\{F56123EF-8DB1-47c4-B672-C257B91E79EB}.exe	167b8eb011981310d2098ce279ede6a11345d11ceaabda968adfced76b26644b_NeikiAnalytics.exe
File created	C:\Windows\{CFAE7C67-0F85-4c01-BEB6-71040C1E48EB}.exe	{875F7B3A-A9C5-414b-8265-9F10A65A2BE6}.exe
File created	C:\Windows\{B4E6A531-F588-4b59-93C5-918D54B21293}.exe	{CFAE7C67-0F85-4c01-BEB6-71040C1E48EB}.exe
File created	C:\Windows\{9228C179-6B1C-4a0c-AB7E-2132C2E60E22}.exe	{BFAAF168-4EED-40bf-8F21-F6184401B8DF}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2256	167b8eb011981310d2098ce279ede6a11345d11ceaabda968adfced76b26644b_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2424	{F56123EF-8DB1-47c4-B672-C257B91E79EB}.exe
Token: SeIncBasePriorityPrivilege	2688	{875F7B3A-A9C5-414b-8265-9F10A65A2BE6}.exe
Token: SeIncBasePriorityPrivilege	2632	{CFAE7C67-0F85-4c01-BEB6-71040C1E48EB}.exe
Token: SeIncBasePriorityPrivilege	2532	{B4E6A531-F588-4b59-93C5-918D54B21293}.exe
Token: SeIncBasePriorityPrivilege	1352	{BFAAF168-4EED-40bf-8F21-F6184401B8DF}.exe
Token: SeIncBasePriorityPrivilege	1360	{9228C179-6B1C-4a0c-AB7E-2132C2E60E22}.exe
Token: SeIncBasePriorityPrivilege	1028	{016123FD-59F3-431f-B28E-611D65F0F679}.exe
Token: SeIncBasePriorityPrivilege	2232	{ABCE1B09-FCA5-4504-AE63-F2364DF5C3FE}.exe
Token: SeIncBasePriorityPrivilege	1924	{CECAD009-E6C8-444f-BCBC-BB352F4F7792}.exe
Token: SeIncBasePriorityPrivilege	292	{37F47848-6469-4192-8C91-1D78E90754A7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2424	2256	167b8eb011981310d2098ce279ede6a11345d11ceaabda968adfced76b26644b_NeikiAnalytics.exe	28
PID 2256 wrote to memory of 2424	2256	167b8eb011981310d2098ce279ede6a11345d11ceaabda968adfced76b26644b_NeikiAnalytics.exe	28
PID 2256 wrote to memory of 2424	2256	167b8eb011981310d2098ce279ede6a11345d11ceaabda968adfced76b26644b_NeikiAnalytics.exe	28
PID 2256 wrote to memory of 2424	2256	167b8eb011981310d2098ce279ede6a11345d11ceaabda968adfced76b26644b_NeikiAnalytics.exe	28
PID 2256 wrote to memory of 2624	2256	167b8eb011981310d2098ce279ede6a11345d11ceaabda968adfced76b26644b_NeikiAnalytics.exe	29
PID 2256 wrote to memory of 2624	2256	167b8eb011981310d2098ce279ede6a11345d11ceaabda968adfced76b26644b_NeikiAnalytics.exe	29
PID 2256 wrote to memory of 2624	2256	167b8eb011981310d2098ce279ede6a11345d11ceaabda968adfced76b26644b_NeikiAnalytics.exe	29
PID 2256 wrote to memory of 2624	2256	167b8eb011981310d2098ce279ede6a11345d11ceaabda968adfced76b26644b_NeikiAnalytics.exe	29
PID 2424 wrote to memory of 2688	2424	{F56123EF-8DB1-47c4-B672-C257B91E79EB}.exe	30
PID 2424 wrote to memory of 2688	2424	{F56123EF-8DB1-47c4-B672-C257B91E79EB}.exe	30
PID 2424 wrote to memory of 2688	2424	{F56123EF-8DB1-47c4-B672-C257B91E79EB}.exe	30
PID 2424 wrote to memory of 2688	2424	{F56123EF-8DB1-47c4-B672-C257B91E79EB}.exe	30
PID 2424 wrote to memory of 2652	2424	{F56123EF-8DB1-47c4-B672-C257B91E79EB}.exe	31
PID 2424 wrote to memory of 2652	2424	{F56123EF-8DB1-47c4-B672-C257B91E79EB}.exe	31
PID 2424 wrote to memory of 2652	2424	{F56123EF-8DB1-47c4-B672-C257B91E79EB}.exe	31
PID 2424 wrote to memory of 2652	2424	{F56123EF-8DB1-47c4-B672-C257B91E79EB}.exe	31
PID 2688 wrote to memory of 2632	2688	{875F7B3A-A9C5-414b-8265-9F10A65A2BE6}.exe	32
PID 2688 wrote to memory of 2632	2688	{875F7B3A-A9C5-414b-8265-9F10A65A2BE6}.exe	32
PID 2688 wrote to memory of 2632	2688	{875F7B3A-A9C5-414b-8265-9F10A65A2BE6}.exe	32
PID 2688 wrote to memory of 2632	2688	{875F7B3A-A9C5-414b-8265-9F10A65A2BE6}.exe	32
PID 2688 wrote to memory of 2752	2688	{875F7B3A-A9C5-414b-8265-9F10A65A2BE6}.exe	33
PID 2688 wrote to memory of 2752	2688	{875F7B3A-A9C5-414b-8265-9F10A65A2BE6}.exe	33
PID 2688 wrote to memory of 2752	2688	{875F7B3A-A9C5-414b-8265-9F10A65A2BE6}.exe	33
PID 2688 wrote to memory of 2752	2688	{875F7B3A-A9C5-414b-8265-9F10A65A2BE6}.exe	33
PID 2632 wrote to memory of 2532	2632	{CFAE7C67-0F85-4c01-BEB6-71040C1E48EB}.exe	36
PID 2632 wrote to memory of 2532	2632	{CFAE7C67-0F85-4c01-BEB6-71040C1E48EB}.exe	36
PID 2632 wrote to memory of 2532	2632	{CFAE7C67-0F85-4c01-BEB6-71040C1E48EB}.exe	36
PID 2632 wrote to memory of 2532	2632	{CFAE7C67-0F85-4c01-BEB6-71040C1E48EB}.exe	36
PID 2632 wrote to memory of 2728	2632	{CFAE7C67-0F85-4c01-BEB6-71040C1E48EB}.exe	37
PID 2632 wrote to memory of 2728	2632	{CFAE7C67-0F85-4c01-BEB6-71040C1E48EB}.exe	37
PID 2632 wrote to memory of 2728	2632	{CFAE7C67-0F85-4c01-BEB6-71040C1E48EB}.exe	37
PID 2632 wrote to memory of 2728	2632	{CFAE7C67-0F85-4c01-BEB6-71040C1E48EB}.exe	37
PID 2532 wrote to memory of 1352	2532	{B4E6A531-F588-4b59-93C5-918D54B21293}.exe	38
PID 2532 wrote to memory of 1352	2532	{B4E6A531-F588-4b59-93C5-918D54B21293}.exe	38
PID 2532 wrote to memory of 1352	2532	{B4E6A531-F588-4b59-93C5-918D54B21293}.exe	38
PID 2532 wrote to memory of 1352	2532	{B4E6A531-F588-4b59-93C5-918D54B21293}.exe	38
PID 2532 wrote to memory of 2824	2532	{B4E6A531-F588-4b59-93C5-918D54B21293}.exe	39
PID 2532 wrote to memory of 2824	2532	{B4E6A531-F588-4b59-93C5-918D54B21293}.exe	39
PID 2532 wrote to memory of 2824	2532	{B4E6A531-F588-4b59-93C5-918D54B21293}.exe	39
PID 2532 wrote to memory of 2824	2532	{B4E6A531-F588-4b59-93C5-918D54B21293}.exe	39
PID 1352 wrote to memory of 1360	1352	{BFAAF168-4EED-40bf-8F21-F6184401B8DF}.exe	40
PID 1352 wrote to memory of 1360	1352	{BFAAF168-4EED-40bf-8F21-F6184401B8DF}.exe	40
PID 1352 wrote to memory of 1360	1352	{BFAAF168-4EED-40bf-8F21-F6184401B8DF}.exe	40
PID 1352 wrote to memory of 1360	1352	{BFAAF168-4EED-40bf-8F21-F6184401B8DF}.exe	40
PID 1352 wrote to memory of 1476	1352	{BFAAF168-4EED-40bf-8F21-F6184401B8DF}.exe	41
PID 1352 wrote to memory of 1476	1352	{BFAAF168-4EED-40bf-8F21-F6184401B8DF}.exe	41
PID 1352 wrote to memory of 1476	1352	{BFAAF168-4EED-40bf-8F21-F6184401B8DF}.exe	41
PID 1352 wrote to memory of 1476	1352	{BFAAF168-4EED-40bf-8F21-F6184401B8DF}.exe	41
PID 1360 wrote to memory of 1028	1360	{9228C179-6B1C-4a0c-AB7E-2132C2E60E22}.exe	42
PID 1360 wrote to memory of 1028	1360	{9228C179-6B1C-4a0c-AB7E-2132C2E60E22}.exe	42
PID 1360 wrote to memory of 1028	1360	{9228C179-6B1C-4a0c-AB7E-2132C2E60E22}.exe	42
PID 1360 wrote to memory of 1028	1360	{9228C179-6B1C-4a0c-AB7E-2132C2E60E22}.exe	42
PID 1360 wrote to memory of 2836	1360	{9228C179-6B1C-4a0c-AB7E-2132C2E60E22}.exe	43
PID 1360 wrote to memory of 2836	1360	{9228C179-6B1C-4a0c-AB7E-2132C2E60E22}.exe	43
PID 1360 wrote to memory of 2836	1360	{9228C179-6B1C-4a0c-AB7E-2132C2E60E22}.exe	43
PID 1360 wrote to memory of 2836	1360	{9228C179-6B1C-4a0c-AB7E-2132C2E60E22}.exe	43
PID 1028 wrote to memory of 2232	1028	{016123FD-59F3-431f-B28E-611D65F0F679}.exe	44
PID 1028 wrote to memory of 2232	1028	{016123FD-59F3-431f-B28E-611D65F0F679}.exe	44
PID 1028 wrote to memory of 2232	1028	{016123FD-59F3-431f-B28E-611D65F0F679}.exe	44
PID 1028 wrote to memory of 2232	1028	{016123FD-59F3-431f-B28E-611D65F0F679}.exe	44
PID 1028 wrote to memory of 2964	1028	{016123FD-59F3-431f-B28E-611D65F0F679}.exe	45
PID 1028 wrote to memory of 2964	1028	{016123FD-59F3-431f-B28E-611D65F0F679}.exe	45
PID 1028 wrote to memory of 2964	1028	{016123FD-59F3-431f-B28E-611D65F0F679}.exe	45
PID 1028 wrote to memory of 2964	1028	{016123FD-59F3-431f-B28E-611D65F0F679}.exe	45

C:\Users\Admin\AppData\Local\Temp\167b8eb011981310d2098ce279ede6a11345d11ceaabda968adfced76b26644b_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\167b8eb011981310d2098ce279ede6a11345d11ceaabda968adfced76b26644b_NeikiAnalytics.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\{F56123EF-8DB1-47c4-B672-C257B91E79EB}.exe
  C:\Windows\{F56123EF-8DB1-47c4-B672-C257B91E79EB}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\{875F7B3A-A9C5-414b-8265-9F10A65A2BE6}.exe
    C:\Windows\{875F7B3A-A9C5-414b-8265-9F10A65A2BE6}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\{CFAE7C67-0F85-4c01-BEB6-71040C1E48EB}.exe
      C:\Windows\{CFAE7C67-0F85-4c01-BEB6-71040C1E48EB}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\{B4E6A531-F588-4b59-93C5-918D54B21293}.exe
        
        C:\Windows\{B4E6A531-F588-4b59-93C5-918D54B21293}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2532
      - C:\Windows\{BFAAF168-4EED-40bf-8F21-F6184401B8DF}.exe
        
        C:\Windows\{BFAAF168-4EED-40bf-8F21-F6184401B8DF}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\{9228C179-6B1C-4a0c-AB7E-2132C2E60E22}.exe
        
        C:\Windows\{9228C179-6B1C-4a0c-AB7E-2132C2E60E22}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\{016123FD-59F3-431f-B28E-611D65F0F679}.exe
        
        C:\Windows\{016123FD-59F3-431f-B28E-611D65F0F679}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\{ABCE1B09-FCA5-4504-AE63-F2364DF5C3FE}.exe
        
        C:\Windows\{ABCE1B09-FCA5-4504-AE63-F2364DF5C3FE}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\{CECAD009-E6C8-444f-BCBC-BB352F4F7792}.exe
        
        C:\Windows\{CECAD009-E6C8-444f-BCBC-BB352F4F7792}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\{37F47848-6469-4192-8C91-1D78E90754A7}.exe
        
        C:\Windows\{37F47848-6469-4192-8C91-1D78E90754A7}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:292
        
        C:\Windows\{D0455761-DA41-4194-A50F-89EE83CBFBC2}.exe
        
        C:\Windows\{D0455761-DA41-4194-A50F-89EE83CBFBC2}.exe
        12⤵
        Executes dropped EXE
        
        PID:744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37F47~1.EXE > nul
        12⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CECAD~1.EXE > nul
        11⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ABCE1~1.EXE > nul
        10⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01612~1.EXE > nul
        9⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9228C~1.EXE > nul
        8⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFAAF~1.EXE > nul
        7⤵
        
        PID:1476
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4E6A~1.EXE > nul
        6⤵
        
        PID:2824
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CFAE7~1.EXE > nul
        5⤵
        
        PID:2728
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{875F7~1.EXE > nul
      4⤵
      PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F5612~1.EXE > nul
    3⤵
    PID:2652
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\167B8E~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{016123FD-59F3-431f-B28E-611D65F0F679}.exe

Filesize
89KB

MD5
283186d32acd231b0f76a831851bf743

SHA1
dee1539e18345d249623057cfcabe6b221f01c36

SHA256
c39c890aad03077c8684cff76976c40abcd8215408411e7bd762075e77c9ab9a

SHA512
d82eb8e791f52e37ef80fd606484e0fc46709313e9e68d80f8a1002f6211f889cd64c614a73115de9e584c6addbca929fd39e3b8a3b2d87eb7536803e1a33b3f

Download Submit
C:\Windows\{37F47848-6469-4192-8C91-1D78E90754A7}.exe

Filesize
89KB

MD5
398ec2c7617e8ba423f9c2bb38a93c93

SHA1
cfb7fab09d38420803bce1d7dda5bcc22f6993d5

SHA256
aa74941099e7e49f5049cedeada30f30a9ccf74b7c88b7ebe3d10bc03e13232f

SHA512
30698efe8f470fee0495c241303b1adc05866edc7283931826abdfb20e962e4b95a0a94a9af87bfbc92541bb59d9148eeeb8085ec7389d14a08f8f2f1aef2b58

Download Submit
C:\Windows\{875F7B3A-A9C5-414b-8265-9F10A65A2BE6}.exe

Filesize
89KB

MD5
3a98067afcbd8939378c836e082ef030

SHA1
7537c7084045a231df7349c35399cc2a825d6a3f

SHA256
78000cc43a5e29afd7579e90af8633fa26fb457f6bd25190cc0b85e22374a16a

SHA512
0234616ccbef5caad0d7402fb983d4e9c4d4ff05446f577456bc49c23fe350618cd1e5677a753208e99ee13b09851db641da16642d39fecb9e998c3d7123a9c4

Download Submit
C:\Windows\{9228C179-6B1C-4a0c-AB7E-2132C2E60E22}.exe

Filesize
89KB

MD5
c2d995369ebd1d121b04703752bd1066

SHA1
4b20133d1a9c48730805c7d04e6577edf2ca0b7a

SHA256
0101b582a0b1cbcdf6c15b57b18181b51d269c61275240ab161d9132be8e91b4

SHA512
02d9e2d21be5726fceaab381350a3d6b46b2e85b7c7cb298a31b1dc0a4390f25b9fd47f0d8bf943f3d2d89c91c38eb111141c2472d721053b7abd6d711cc6b1c

Download Submit
C:\Windows\{ABCE1B09-FCA5-4504-AE63-F2364DF5C3FE}.exe

Filesize
89KB

MD5
bc5da8df918292c8fb31fd9c325e6f49

SHA1
cdfb5e4e7278119fd540b2868fd39f50ee309da5

SHA256
02012d04b6d75e0d0d662e55f30dc4eae0dfdf1d0746163e0048d5728e22a5ff

SHA512
0560715afa7d29a7a8ad63f3ab6eceebc23a03155de2802fc5e7854b7c6dae98aa71193a332eccd10bd6dc8b79136144104cf7f27bef964422b9cb0dd1bcd695

Download Submit
C:\Windows\{B4E6A531-F588-4b59-93C5-918D54B21293}.exe

Filesize
89KB

MD5
3d088afaf95810dd2b51f071adccb6bc

SHA1
665e956d21c4e760b392a8c68d60744c97edf48c

SHA256
a1df8b02f6be9562974f110916c2395fd444136e9457df16b3b0da8a03f7d989

SHA512
db97b7f488869aa6e5134f5a0ed65f414053e11d1254d513c8b51b703a725dd87d88c821a24f5e1411ca7533ae4a67a504abeb81edd57689a6d80610c227e5cc

Download Submit
C:\Windows\{BFAAF168-4EED-40bf-8F21-F6184401B8DF}.exe

Filesize
89KB

MD5
f1796108f6b571a9743040e6669e2001

SHA1
ed6d16e62d6aedca2efd14285b0529c4ac7c473f

SHA256
0d7d7c32d22ded1c108d865e733bf282ff18b3e3ee83242ad1c394658c4c9141

SHA512
7ee2d9d34c6e998fbcc70243d1067c2c30599bced023f0202422d318c9cb043a2bc44b8ca3b4f0d3e6cbf704dfdc8be7e2846d8650175e933eee29908c27e40d

Download Submit
C:\Windows\{CECAD009-E6C8-444f-BCBC-BB352F4F7792}.exe

Filesize
89KB

MD5
7e78b113b0ca6a14a6abc0ff0617f650

SHA1
2aa1bfd7a9e26443edeeda453e3f06dd6d37ad42

SHA256
bb0edb2d9924917b61ba08ec7189f8d8f872ac69b19a0ecb063ab99b2c6d844e

SHA512
eaa1fccbc247fd32d9bb8a98993a92b1d1055ae717e1c9a24a35a27020ff5c5df1ac44c7ed395e2726c34d7453feb8c2c606240cf95de8e708b6299902a1c0d0

Download Submit
C:\Windows\{CFAE7C67-0F85-4c01-BEB6-71040C1E48EB}.exe

Filesize
89KB

MD5
c87b5f84b97823f35e27320f248fa0c5

SHA1
8f3005a88fa132ec87dd0222905a71350e16030c

SHA256
3e50ac7fc67e33efc5556b386792dffee58b03719ee64d0c62e1fc25b922bd7d

SHA512
6686ad2765282c4c6e6991f4777d8ca0281fa2101ef99a0226d5337aa28d0b0a50545269cad6294186df9938ad8eb41854d76079eb5cbd4efe7dc7232c5d8d99

Download Submit
C:\Windows\{D0455761-DA41-4194-A50F-89EE83CBFBC2}.exe

Filesize
89KB

MD5
7265750a15bed509b8a12ee4fcd098f7

SHA1
0f6ed2cd344d5bcde1808ed82897387d7c589e31

SHA256
ae65ba08b3b2469443971accb64fc4efaddf72ac71ae2172e1fbba242c049599

SHA512
f3ce12cb97e847f61ecac57b8449f0f5b98ab70e985fae9cb284b7c891ffea3568153485b10a870d1f7f77bdefe0f0e90d375dfd19595f5a809c23cc229714fa

Download Submit
C:\Windows\{F56123EF-8DB1-47c4-B672-C257B91E79EB}.exe

Filesize
89KB

MD5
5606527afc47dc4680db784e928c5625

SHA1
996c164d74cd15205d9a8b8b718652c00b3298c8

SHA256
1e38cecf382e19317fbb7a89776e5198b2764c4912899f7d57e9477f8cb558c6

SHA512
96746ed7844ffaa711fb71e49c0561585eb77e80255bc6c85e41c65ff086abdb4bfc92ea931dcde4c5e434a865ada64bc12f44ddc3ee676bf09f5d195a354e99

Download Submit
memory/292-90-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/292-98-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1028-71-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1352-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1352-45-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1360-62-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1360-59-0x0000000000310000-0x0000000000321000-memory.dmp

Filesize
68KB

Download
memory/1360-58-0x0000000000310000-0x0000000000321000-memory.dmp

Filesize
68KB

Download
memory/1924-89-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1924-81-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2232-79-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2232-78-0x0000000001BE0000-0x0000000001BF1000-memory.dmp

Filesize
68KB

Download
memory/2256-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2256-7-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/2256-8-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/2256-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2424-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2424-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2532-44-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2632-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2632-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2688-26-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2688-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads