328de58451baf80175055e5d666ef9e4ed02fcfda3ee986fe2a64f0e9692bda6

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01/07/2024, 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

328de58451baf80175055e5d666ef9e4ed02fcfda3ee986fe2a64f0e9692bda6_NeikiAnalytics.exe
Size

89KB
MD5

afa19dc9d2dd99e2f4029c369b89fdb0
SHA1

ea6e36b1438653a4c30ccb055ffb11cd1e52178a
SHA256

328de58451baf80175055e5d666ef9e4ed02fcfda3ee986fe2a64f0e9692bda6
SHA512

21f94806d82ec4b06fc98f1da56308f3ecc94c706ed3978ca51f007fe822a4d576b35cb1089645e615e9cdd2e486130e77a4df038ffadebb899d131c5d1f77d7
SSDEEP

768:Qvw9816vhKQLrot4/wQRNrfrunMxVFA3b7glL:YEGh0otl2unMxVS3Hg9

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57DCEC58-6F08-4c52-83F8-FB7954187714}\stubpath = "C:\\Windows\\{57DCEC58-6F08-4c52-83F8-FB7954187714}.exe"	{2FACE247-6815-41bb-83AC-31D62AFF9201}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54C6E3B5-4CE7-4457-89D2-FB2DCB38E5D8}\stubpath = "C:\\Windows\\{54C6E3B5-4CE7-4457-89D2-FB2DCB38E5D8}.exe"	{60AF222A-869A-4654-8CCA-39E4C78FA568}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40C8ACB8-9D3C-4200-B8E2-612B2069DB7D}	328de58451baf80175055e5d666ef9e4ed02fcfda3ee986fe2a64f0e9692bda6_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BC91B5A-F5B1-4c22-9D77-814830D67F2A}\stubpath = "C:\\Windows\\{8BC91B5A-F5B1-4c22-9D77-814830D67F2A}.exe"	{54C6E3B5-4CE7-4457-89D2-FB2DCB38E5D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4586FD13-AD06-47fd-8CA8-D1C6B6E21115}\stubpath = "C:\\Windows\\{4586FD13-AD06-47fd-8CA8-D1C6B6E21115}.exe"	{2203F13A-4A0C-4594-8875-EC71344F8A95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26995A61-42CA-4063-BC44-846D3914E062}	{40C8ACB8-9D3C-4200-B8E2-612B2069DB7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26995A61-42CA-4063-BC44-846D3914E062}\stubpath = "C:\\Windows\\{26995A61-42CA-4063-BC44-846D3914E062}.exe"	{40C8ACB8-9D3C-4200-B8E2-612B2069DB7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F22BAA0-2918-439a-9799-7DA111862192}\stubpath = "C:\\Windows\\{9F22BAA0-2918-439a-9799-7DA111862192}.exe"	{26995A61-42CA-4063-BC44-846D3914E062}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FACE247-6815-41bb-83AC-31D62AFF9201}	{9F22BAA0-2918-439a-9799-7DA111862192}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2FACE247-6815-41bb-83AC-31D62AFF9201}\stubpath = "C:\\Windows\\{2FACE247-6815-41bb-83AC-31D62AFF9201}.exe"	{9F22BAA0-2918-439a-9799-7DA111862192}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57DCEC58-6F08-4c52-83F8-FB7954187714}	{2FACE247-6815-41bb-83AC-31D62AFF9201}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2203F13A-4A0C-4594-8875-EC71344F8A95}	{57DCEC58-6F08-4c52-83F8-FB7954187714}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40C8ACB8-9D3C-4200-B8E2-612B2069DB7D}\stubpath = "C:\\Windows\\{40C8ACB8-9D3C-4200-B8E2-612B2069DB7D}.exe"	328de58451baf80175055e5d666ef9e4ed02fcfda3ee986fe2a64f0e9692bda6_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8BC91B5A-F5B1-4c22-9D77-814830D67F2A}	{54C6E3B5-4CE7-4457-89D2-FB2DCB38E5D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CECC5EE0-188C-4c22-82F6-8189767EC2FA}\stubpath = "C:\\Windows\\{CECC5EE0-188C-4c22-82F6-8189767EC2FA}.exe"	{4586FD13-AD06-47fd-8CA8-D1C6B6E21115}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2203F13A-4A0C-4594-8875-EC71344F8A95}\stubpath = "C:\\Windows\\{2203F13A-4A0C-4594-8875-EC71344F8A95}.exe"	{57DCEC58-6F08-4c52-83F8-FB7954187714}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4586FD13-AD06-47fd-8CA8-D1C6B6E21115}	{2203F13A-4A0C-4594-8875-EC71344F8A95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CECC5EE0-188C-4c22-82F6-8189767EC2FA}	{4586FD13-AD06-47fd-8CA8-D1C6B6E21115}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60AF222A-869A-4654-8CCA-39E4C78FA568}	{CECC5EE0-188C-4c22-82F6-8189767EC2FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60AF222A-869A-4654-8CCA-39E4C78FA568}\stubpath = "C:\\Windows\\{60AF222A-869A-4654-8CCA-39E4C78FA568}.exe"	{CECC5EE0-188C-4c22-82F6-8189767EC2FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54C6E3B5-4CE7-4457-89D2-FB2DCB38E5D8}	{60AF222A-869A-4654-8CCA-39E4C78FA568}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F22BAA0-2918-439a-9799-7DA111862192}	{26995A61-42CA-4063-BC44-846D3914E062}.exe

Deletes itself 1 IoCs

pid	Process
2688	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2576	{40C8ACB8-9D3C-4200-B8E2-612B2069DB7D}.exe
2588	{26995A61-42CA-4063-BC44-846D3914E062}.exe
2692	{9F22BAA0-2918-439a-9799-7DA111862192}.exe
1852	{2FACE247-6815-41bb-83AC-31D62AFF9201}.exe
2268	{57DCEC58-6F08-4c52-83F8-FB7954187714}.exe
1672	{2203F13A-4A0C-4594-8875-EC71344F8A95}.exe
1224	{4586FD13-AD06-47fd-8CA8-D1C6B6E21115}.exe
1128	{CECC5EE0-188C-4c22-82F6-8189767EC2FA}.exe
2108	{60AF222A-869A-4654-8CCA-39E4C78FA568}.exe
2872	{54C6E3B5-4CE7-4457-89D2-FB2DCB38E5D8}.exe
648	{8BC91B5A-F5B1-4c22-9D77-814830D67F2A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{40C8ACB8-9D3C-4200-B8E2-612B2069DB7D}.exe	328de58451baf80175055e5d666ef9e4ed02fcfda3ee986fe2a64f0e9692bda6_NeikiAnalytics.exe
File created	C:\Windows\{2FACE247-6815-41bb-83AC-31D62AFF9201}.exe	{9F22BAA0-2918-439a-9799-7DA111862192}.exe
File created	C:\Windows\{57DCEC58-6F08-4c52-83F8-FB7954187714}.exe	{2FACE247-6815-41bb-83AC-31D62AFF9201}.exe
File created	C:\Windows\{2203F13A-4A0C-4594-8875-EC71344F8A95}.exe	{57DCEC58-6F08-4c52-83F8-FB7954187714}.exe
File created	C:\Windows\{60AF222A-869A-4654-8CCA-39E4C78FA568}.exe	{CECC5EE0-188C-4c22-82F6-8189767EC2FA}.exe
File created	C:\Windows\{54C6E3B5-4CE7-4457-89D2-FB2DCB38E5D8}.exe	{60AF222A-869A-4654-8CCA-39E4C78FA568}.exe
File created	C:\Windows\{26995A61-42CA-4063-BC44-846D3914E062}.exe	{40C8ACB8-9D3C-4200-B8E2-612B2069DB7D}.exe
File created	C:\Windows\{9F22BAA0-2918-439a-9799-7DA111862192}.exe	{26995A61-42CA-4063-BC44-846D3914E062}.exe
File created	C:\Windows\{4586FD13-AD06-47fd-8CA8-D1C6B6E21115}.exe	{2203F13A-4A0C-4594-8875-EC71344F8A95}.exe
File created	C:\Windows\{CECC5EE0-188C-4c22-82F6-8189767EC2FA}.exe	{4586FD13-AD06-47fd-8CA8-D1C6B6E21115}.exe
File created	C:\Windows\{8BC91B5A-F5B1-4c22-9D77-814830D67F2A}.exe	{54C6E3B5-4CE7-4457-89D2-FB2DCB38E5D8}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2788	328de58451baf80175055e5d666ef9e4ed02fcfda3ee986fe2a64f0e9692bda6_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2576	{40C8ACB8-9D3C-4200-B8E2-612B2069DB7D}.exe
Token: SeIncBasePriorityPrivilege	2588	{26995A61-42CA-4063-BC44-846D3914E062}.exe
Token: SeIncBasePriorityPrivilege	2692	{9F22BAA0-2918-439a-9799-7DA111862192}.exe
Token: SeIncBasePriorityPrivilege	1852	{2FACE247-6815-41bb-83AC-31D62AFF9201}.exe
Token: SeIncBasePriorityPrivilege	2268	{57DCEC58-6F08-4c52-83F8-FB7954187714}.exe
Token: SeIncBasePriorityPrivilege	1672	{2203F13A-4A0C-4594-8875-EC71344F8A95}.exe
Token: SeIncBasePriorityPrivilege	1224	{4586FD13-AD06-47fd-8CA8-D1C6B6E21115}.exe
Token: SeIncBasePriorityPrivilege	1128	{CECC5EE0-188C-4c22-82F6-8189767EC2FA}.exe
Token: SeIncBasePriorityPrivilege	2108	{60AF222A-869A-4654-8CCA-39E4C78FA568}.exe
Token: SeIncBasePriorityPrivilege	2872	{54C6E3B5-4CE7-4457-89D2-FB2DCB38E5D8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2576	2788	328de58451baf80175055e5d666ef9e4ed02fcfda3ee986fe2a64f0e9692bda6_NeikiAnalytics.exe	28
PID 2788 wrote to memory of 2576	2788	328de58451baf80175055e5d666ef9e4ed02fcfda3ee986fe2a64f0e9692bda6_NeikiAnalytics.exe	28
PID 2788 wrote to memory of 2576	2788	328de58451baf80175055e5d666ef9e4ed02fcfda3ee986fe2a64f0e9692bda6_NeikiAnalytics.exe	28
PID 2788 wrote to memory of 2576	2788	328de58451baf80175055e5d666ef9e4ed02fcfda3ee986fe2a64f0e9692bda6_NeikiAnalytics.exe	28
PID 2788 wrote to memory of 2688	2788	328de58451baf80175055e5d666ef9e4ed02fcfda3ee986fe2a64f0e9692bda6_NeikiAnalytics.exe	29
PID 2788 wrote to memory of 2688	2788	328de58451baf80175055e5d666ef9e4ed02fcfda3ee986fe2a64f0e9692bda6_NeikiAnalytics.exe	29
PID 2788 wrote to memory of 2688	2788	328de58451baf80175055e5d666ef9e4ed02fcfda3ee986fe2a64f0e9692bda6_NeikiAnalytics.exe	29
PID 2788 wrote to memory of 2688	2788	328de58451baf80175055e5d666ef9e4ed02fcfda3ee986fe2a64f0e9692bda6_NeikiAnalytics.exe	29
PID 2576 wrote to memory of 2588	2576	{40C8ACB8-9D3C-4200-B8E2-612B2069DB7D}.exe	30
PID 2576 wrote to memory of 2588	2576	{40C8ACB8-9D3C-4200-B8E2-612B2069DB7D}.exe	30
PID 2576 wrote to memory of 2588	2576	{40C8ACB8-9D3C-4200-B8E2-612B2069DB7D}.exe	30
PID 2576 wrote to memory of 2588	2576	{40C8ACB8-9D3C-4200-B8E2-612B2069DB7D}.exe	30
PID 2576 wrote to memory of 2572	2576	{40C8ACB8-9D3C-4200-B8E2-612B2069DB7D}.exe	31
PID 2576 wrote to memory of 2572	2576	{40C8ACB8-9D3C-4200-B8E2-612B2069DB7D}.exe	31
PID 2576 wrote to memory of 2572	2576	{40C8ACB8-9D3C-4200-B8E2-612B2069DB7D}.exe	31
PID 2576 wrote to memory of 2572	2576	{40C8ACB8-9D3C-4200-B8E2-612B2069DB7D}.exe	31
PID 2588 wrote to memory of 2692	2588	{26995A61-42CA-4063-BC44-846D3914E062}.exe	32
PID 2588 wrote to memory of 2692	2588	{26995A61-42CA-4063-BC44-846D3914E062}.exe	32
PID 2588 wrote to memory of 2692	2588	{26995A61-42CA-4063-BC44-846D3914E062}.exe	32
PID 2588 wrote to memory of 2692	2588	{26995A61-42CA-4063-BC44-846D3914E062}.exe	32
PID 2588 wrote to memory of 2480	2588	{26995A61-42CA-4063-BC44-846D3914E062}.exe	33
PID 2588 wrote to memory of 2480	2588	{26995A61-42CA-4063-BC44-846D3914E062}.exe	33
PID 2588 wrote to memory of 2480	2588	{26995A61-42CA-4063-BC44-846D3914E062}.exe	33
PID 2588 wrote to memory of 2480	2588	{26995A61-42CA-4063-BC44-846D3914E062}.exe	33
PID 2692 wrote to memory of 1852	2692	{9F22BAA0-2918-439a-9799-7DA111862192}.exe	36
PID 2692 wrote to memory of 1852	2692	{9F22BAA0-2918-439a-9799-7DA111862192}.exe	36
PID 2692 wrote to memory of 1852	2692	{9F22BAA0-2918-439a-9799-7DA111862192}.exe	36
PID 2692 wrote to memory of 1852	2692	{9F22BAA0-2918-439a-9799-7DA111862192}.exe	36
PID 2692 wrote to memory of 2724	2692	{9F22BAA0-2918-439a-9799-7DA111862192}.exe	37
PID 2692 wrote to memory of 2724	2692	{9F22BAA0-2918-439a-9799-7DA111862192}.exe	37
PID 2692 wrote to memory of 2724	2692	{9F22BAA0-2918-439a-9799-7DA111862192}.exe	37
PID 2692 wrote to memory of 2724	2692	{9F22BAA0-2918-439a-9799-7DA111862192}.exe	37
PID 1852 wrote to memory of 2268	1852	{2FACE247-6815-41bb-83AC-31D62AFF9201}.exe	38
PID 1852 wrote to memory of 2268	1852	{2FACE247-6815-41bb-83AC-31D62AFF9201}.exe	38
PID 1852 wrote to memory of 2268	1852	{2FACE247-6815-41bb-83AC-31D62AFF9201}.exe	38
PID 1852 wrote to memory of 2268	1852	{2FACE247-6815-41bb-83AC-31D62AFF9201}.exe	38
PID 1852 wrote to memory of 2160	1852	{2FACE247-6815-41bb-83AC-31D62AFF9201}.exe	39
PID 1852 wrote to memory of 2160	1852	{2FACE247-6815-41bb-83AC-31D62AFF9201}.exe	39
PID 1852 wrote to memory of 2160	1852	{2FACE247-6815-41bb-83AC-31D62AFF9201}.exe	39
PID 1852 wrote to memory of 2160	1852	{2FACE247-6815-41bb-83AC-31D62AFF9201}.exe	39
PID 2268 wrote to memory of 1672	2268	{57DCEC58-6F08-4c52-83F8-FB7954187714}.exe	40
PID 2268 wrote to memory of 1672	2268	{57DCEC58-6F08-4c52-83F8-FB7954187714}.exe	40
PID 2268 wrote to memory of 1672	2268	{57DCEC58-6F08-4c52-83F8-FB7954187714}.exe	40
PID 2268 wrote to memory of 1672	2268	{57DCEC58-6F08-4c52-83F8-FB7954187714}.exe	40
PID 2268 wrote to memory of 1588	2268	{57DCEC58-6F08-4c52-83F8-FB7954187714}.exe	41
PID 2268 wrote to memory of 1588	2268	{57DCEC58-6F08-4c52-83F8-FB7954187714}.exe	41
PID 2268 wrote to memory of 1588	2268	{57DCEC58-6F08-4c52-83F8-FB7954187714}.exe	41
PID 2268 wrote to memory of 1588	2268	{57DCEC58-6F08-4c52-83F8-FB7954187714}.exe	41
PID 1672 wrote to memory of 1224	1672	{2203F13A-4A0C-4594-8875-EC71344F8A95}.exe	42
PID 1672 wrote to memory of 1224	1672	{2203F13A-4A0C-4594-8875-EC71344F8A95}.exe	42
PID 1672 wrote to memory of 1224	1672	{2203F13A-4A0C-4594-8875-EC71344F8A95}.exe	42
PID 1672 wrote to memory of 1224	1672	{2203F13A-4A0C-4594-8875-EC71344F8A95}.exe	42
PID 1672 wrote to memory of 592	1672	{2203F13A-4A0C-4594-8875-EC71344F8A95}.exe	43
PID 1672 wrote to memory of 592	1672	{2203F13A-4A0C-4594-8875-EC71344F8A95}.exe	43
PID 1672 wrote to memory of 592	1672	{2203F13A-4A0C-4594-8875-EC71344F8A95}.exe	43
PID 1672 wrote to memory of 592	1672	{2203F13A-4A0C-4594-8875-EC71344F8A95}.exe	43
PID 1224 wrote to memory of 1128	1224	{4586FD13-AD06-47fd-8CA8-D1C6B6E21115}.exe	44
PID 1224 wrote to memory of 1128	1224	{4586FD13-AD06-47fd-8CA8-D1C6B6E21115}.exe	44
PID 1224 wrote to memory of 1128	1224	{4586FD13-AD06-47fd-8CA8-D1C6B6E21115}.exe	44
PID 1224 wrote to memory of 1128	1224	{4586FD13-AD06-47fd-8CA8-D1C6B6E21115}.exe	44
PID 1224 wrote to memory of 2936	1224	{4586FD13-AD06-47fd-8CA8-D1C6B6E21115}.exe	45
PID 1224 wrote to memory of 2936	1224	{4586FD13-AD06-47fd-8CA8-D1C6B6E21115}.exe	45
PID 1224 wrote to memory of 2936	1224	{4586FD13-AD06-47fd-8CA8-D1C6B6E21115}.exe	45
PID 1224 wrote to memory of 2936	1224	{4586FD13-AD06-47fd-8CA8-D1C6B6E21115}.exe	45

C:\Users\Admin\AppData\Local\Temp\328de58451baf80175055e5d666ef9e4ed02fcfda3ee986fe2a64f0e9692bda6_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\328de58451baf80175055e5d666ef9e4ed02fcfda3ee986fe2a64f0e9692bda6_NeikiAnalytics.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Windows\{40C8ACB8-9D3C-4200-B8E2-612B2069DB7D}.exe
  C:\Windows\{40C8ACB8-9D3C-4200-B8E2-612B2069DB7D}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\{26995A61-42CA-4063-BC44-846D3914E062}.exe
    C:\Windows\{26995A61-42CA-4063-BC44-846D3914E062}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\{9F22BAA0-2918-439a-9799-7DA111862192}.exe
      C:\Windows\{9F22BAA0-2918-439a-9799-7DA111862192}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\{2FACE247-6815-41bb-83AC-31D62AFF9201}.exe
        
        C:\Windows\{2FACE247-6815-41bb-83AC-31D62AFF9201}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1852
      - C:\Windows\{57DCEC58-6F08-4c52-83F8-FB7954187714}.exe
        
        C:\Windows\{57DCEC58-6F08-4c52-83F8-FB7954187714}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\{2203F13A-4A0C-4594-8875-EC71344F8A95}.exe
        
        C:\Windows\{2203F13A-4A0C-4594-8875-EC71344F8A95}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\{4586FD13-AD06-47fd-8CA8-D1C6B6E21115}.exe
        
        C:\Windows\{4586FD13-AD06-47fd-8CA8-D1C6B6E21115}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\{CECC5EE0-188C-4c22-82F6-8189767EC2FA}.exe
        
        C:\Windows\{CECC5EE0-188C-4c22-82F6-8189767EC2FA}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
        
        C:\Windows\{60AF222A-869A-4654-8CCA-39E4C78FA568}.exe
        
        C:\Windows\{60AF222A-869A-4654-8CCA-39E4C78FA568}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
        
        C:\Windows\{54C6E3B5-4CE7-4457-89D2-FB2DCB38E5D8}.exe
        
        C:\Windows\{54C6E3B5-4CE7-4457-89D2-FB2DCB38E5D8}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
        
        C:\Windows\{8BC91B5A-F5B1-4c22-9D77-814830D67F2A}.exe
        
        C:\Windows\{8BC91B5A-F5B1-4c22-9D77-814830D67F2A}.exe
        12⤵
        Executes dropped EXE
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54C6E~1.EXE > nul
        12⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60AF2~1.EXE > nul
        11⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CECC5~1.EXE > nul
        10⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4586F~1.EXE > nul
        9⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2203F~1.EXE > nul
        8⤵
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57DCE~1.EXE > nul
        7⤵
        
        PID:1588
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2FACE~1.EXE > nul
        6⤵
        
        PID:2160
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F22B~1.EXE > nul
        5⤵
        
        PID:2724
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{26995~1.EXE > nul
      4⤵
      PID:2480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{40C8A~1.EXE > nul
    3⤵
    PID:2572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\328DE5~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2203F13A-4A0C-4594-8875-EC71344F8A95}.exe

Filesize
89KB

MD5
b58b61f3ca488e9cb8015cd9c13696d1

SHA1
1aa290927ad6b58df2f0cb02efee0c377675ad79

SHA256
7f8dd77d689aced055a0aa04c766db2942cee1f2443fcceb6f221dbe1849fa53

SHA512
f26d23c093e363ae1d3b11a4dd2a474be853597b8431c1ea4936016969a2d47a8ed9c14a1bf4502112cf68313520365a8ced9e44ad6a7c89e38f7d356b71267c

Download Submit
C:\Windows\{26995A61-42CA-4063-BC44-846D3914E062}.exe

Filesize
89KB

MD5
48717650244b27edec19575a608f3db6

SHA1
dc546db8e388a27ee4ab933bbb5aff152323090d

SHA256
805a69de3106102ec76b045561308ad28b22735df901135a447cb72806504de8

SHA512
03aab4b44fa777f576aff8011071472411a2e03ce6b4c5d70538bb5fb9e69f980cb0c33d0760a342885c18d6d04459f5611e8c2fc3cbcd036223262e49e90071

Download Submit
C:\Windows\{2FACE247-6815-41bb-83AC-31D62AFF9201}.exe

Filesize
89KB

MD5
dd22b1ae57257bd6b06fb5cb123fcea5

SHA1
137d8775bc55d03938ff064c480438ba92616b7c

SHA256
437dd52545022d4b28c00fc9dafabd1ba0b30e93485cddddbe4a06f9c48c28e5

SHA512
e50d5b66ca43f5e1961b1a30de8d9bcedcc7cf83249ac252282b89cd5c5fb125b304ae833b6f4f1abfa7442c484fb9346fd68803d70ab678262f6c3ff4ea850f

Download Submit
C:\Windows\{40C8ACB8-9D3C-4200-B8E2-612B2069DB7D}.exe

Filesize
89KB

MD5
bc5daf36065520a09a9dd5f077bd8573

SHA1
453f97396b7533436f3a17d5a80b254195fe35cd

SHA256
c2eef9fa8e788eb339141252892339cbe3677eb6d7c10601a9ef5562d095b530

SHA512
977c86963ab01596386bfc9bbf4797db620e6f5d8149d7eb894ae2119a704d7e0cc0b28a27a16d25f885b22e92c496292650eea3b634e44e35dc1cfb3c60da8e

Download Submit
C:\Windows\{4586FD13-AD06-47fd-8CA8-D1C6B6E21115}.exe

Filesize
89KB

MD5
a00a9fa66aef722e0f1ceafe6a22438e

SHA1
29bbb8323e17c149fed78eda25ea00c4694d8bb6

SHA256
247300bac58f9df90ea94e21d9d52aa11ef0bd84b4cc9743b5737d99acb3d463

SHA512
8e2bdd6250aa650b180e7ee2e5c20782e1376d450ef1a143f23e5b15665ac01f4e0ee0a4ed50e0807fe207029a5eecfb21c663dc008aabac04f2bd4f72e0559a

Download Submit
C:\Windows\{54C6E3B5-4CE7-4457-89D2-FB2DCB38E5D8}.exe

Filesize
89KB

MD5
0c3fdcade606bd108f69b06c7aa6c2b3

SHA1
66bd52dbb156299bcbbd0735c48b8af642c76705

SHA256
83f87d0c6667c8da5d0f823aa18d8b78ee7750ed8856287af9b008449c99514b

SHA512
b1a23c82ccf014aa8f196be7130c73e95d055001777dca0a8706ea988ad35ff739e29a033c8df8928676c94261160120dc29539e48d50c4bd338125fa01b8215

Download Submit
C:\Windows\{57DCEC58-6F08-4c52-83F8-FB7954187714}.exe

Filesize
89KB

MD5
1e1fd1404c0499c2d2716841a36065e1

SHA1
b59e059caea44fe0aecfb92b9ca38fadc8680986

SHA256
c8c260e4666b7b579ba3c8c62540a1af0d6511fbc713e5e923ac3ff935d863b9

SHA512
ef4aef53ce4dd4af10e5dc2d731ee9ba9a28182a6eacb6c7bff4528c47dfa5904a22668ab23fa45efa472c879878f166dff34a303289bc6088d9c699a4d1e11e

Download Submit
C:\Windows\{60AF222A-869A-4654-8CCA-39E4C78FA568}.exe

Filesize
89KB

MD5
39bb3730491bf00f421f94d29f2656a3

SHA1
f2304629a11adeff77a9bd4e8c7eb97f2c798afa

SHA256
5eed93632fa8b057b157fa38b0a2d826154f7ea1c96c7349db43e432787c6c64

SHA512
9bd9f6730257fbcf56ab4533842ce3700878a48eaabbf5c7cf9f97aafc519e3ac8852c319e8f500292fb0eb025e3ce8d50cf1c89d8bdcd98bc953333ed4149b0

Download Submit
C:\Windows\{8BC91B5A-F5B1-4c22-9D77-814830D67F2A}.exe

Filesize
89KB

MD5
e70bf054740299022bf9fc81b22771d4

SHA1
852b5676dedb48f5b43944d73f63b8f64c9a7584

SHA256
f23ea5fc194d532ed8523836d3995e74943d0f4052637bdf3a21adc9b818db6c

SHA512
23e6027d083574d97bfea7574896fc38a128d039c866d833116c370b7cf757d131e5576265dd31877851ea36795b192e4c3460b6d0ac54c5d73a37c567cf097a

Download Submit
C:\Windows\{9F22BAA0-2918-439a-9799-7DA111862192}.exe

Filesize
89KB

MD5
d476b553110cefd9ac26a5bb1fc36929

SHA1
e4983acc3169c2f95954f4e4c759742ad827daf5

SHA256
dd21c884e2b7134ab7a6868c3ff8f8cc94578857bec52e1761c9d15141cf6fc1

SHA512
126b43e095cfd7973e10c34cd27d7422bed1551878eac5c68e094133466425d00361eb23605412f67f1c2f82e6e04c7e80ac57e46987e2b0f1f4c588c9fbb79a

Download Submit
C:\Windows\{CECC5EE0-188C-4c22-82F6-8189767EC2FA}.exe

Filesize
89KB

MD5
b2ce42196ab8fe959d2a3b5d36d54647

SHA1
b60b27a0ab6e065862ed0002fe4f6750acd55ebd

SHA256
a85c25c5131772645c55427c45f39534ecedb5af05d497c947da5f0fce396619

SHA512
c94512811012097500d6967c73652014dd281586fefa14ee29a896f381daf3ebf989cced55ad20384ac08194be11b6058aacfec14a353a1d13b93eeac5cf6adb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads