3e593515637a0912aca85924bc83f8dd38789c6bad7e67a611308ba7344952af

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01/07/2024, 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e593515637a0912aca85924bc83f8dd38789c6bad7e67a611308ba7344952af_NeikiAnalytics.exe
Size

116KB
MD5

b978fe1801898901eedca610475f0150
SHA1

2df9aa00cf19a013522e167848926e83c8a1ca2e
SHA256

3e593515637a0912aca85924bc83f8dd38789c6bad7e67a611308ba7344952af
SHA512

e7136e970b5e1ca2bbae5a133a983a0b40090524b50f5d3b1fd9fe37307b09856f17d95ddb8d6283e600d11ce6138226b18103300fc568f67ffdc24eae3f57ad
SSDEEP

768:Qvw9816vhKQLroT4/wQRNrfrunMxVFA3b7glwRjMlfwGxEI5nWAwxt6sDntNiLJN:YEGh0oTl2unMxVS3HgdoKjhLJhL

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0DCA704-FE64-477f-9464-FE487432DA09}	{DEFB6DB7-E8FD-4618-8751-E5A13626F068}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{120BDC21-AB16-4b3f-9823-B86A48F36B6A}\stubpath = "C:\\Windows\\{120BDC21-AB16-4b3f-9823-B86A48F36B6A}.exe"	{C0DCA704-FE64-477f-9464-FE487432DA09}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A3F7CC1-47B9-434c-863D-5E3E896D61D0}	{120BDC21-AB16-4b3f-9823-B86A48F36B6A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A3F7CC1-47B9-434c-863D-5E3E896D61D0}\stubpath = "C:\\Windows\\{5A3F7CC1-47B9-434c-863D-5E3E896D61D0}.exe"	{120BDC21-AB16-4b3f-9823-B86A48F36B6A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DE7D9CE-0FD8-40f1-9FA7-833628AD51CE}	{B81A9441-9E9F-460e-88AB-BAF6A03285AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30CA09C9-C7E0-4895-92BB-06092D8888C2}	{6DE7D9CE-0FD8-40f1-9FA7-833628AD51CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6296929D-C37C-4429-A7E5-8E5970BCF798}	{30CA09C9-C7E0-4895-92BB-06092D8888C2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9D361DB-E94B-45f6-8C82-D885E886646D}	3e593515637a0912aca85924bc83f8dd38789c6bad7e67a611308ba7344952af_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05B4715A-C5DF-4a0f-9168-E2A1DB40CB16}	{D9D361DB-E94B-45f6-8C82-D885E886646D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05B4715A-C5DF-4a0f-9168-E2A1DB40CB16}\stubpath = "C:\\Windows\\{05B4715A-C5DF-4a0f-9168-E2A1DB40CB16}.exe"	{D9D361DB-E94B-45f6-8C82-D885E886646D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEFB6DB7-E8FD-4618-8751-E5A13626F068}	{05B4715A-C5DF-4a0f-9168-E2A1DB40CB16}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEFB6DB7-E8FD-4618-8751-E5A13626F068}\stubpath = "C:\\Windows\\{DEFB6DB7-E8FD-4618-8751-E5A13626F068}.exe"	{05B4715A-C5DF-4a0f-9168-E2A1DB40CB16}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{120BDC21-AB16-4b3f-9823-B86A48F36B6A}	{C0DCA704-FE64-477f-9464-FE487432DA09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B81A9441-9E9F-460e-88AB-BAF6A03285AE}\stubpath = "C:\\Windows\\{B81A9441-9E9F-460e-88AB-BAF6A03285AE}.exe"	{5A3F7CC1-47B9-434c-863D-5E3E896D61D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{30CA09C9-C7E0-4895-92BB-06092D8888C2}\stubpath = "C:\\Windows\\{30CA09C9-C7E0-4895-92BB-06092D8888C2}.exe"	{6DE7D9CE-0FD8-40f1-9FA7-833628AD51CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6DE7D9CE-0FD8-40f1-9FA7-833628AD51CE}\stubpath = "C:\\Windows\\{6DE7D9CE-0FD8-40f1-9FA7-833628AD51CE}.exe"	{B81A9441-9E9F-460e-88AB-BAF6A03285AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50E4E9C0-AA40-4653-9515-241B3EEDADC0}	{6296929D-C37C-4429-A7E5-8E5970BCF798}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9D361DB-E94B-45f6-8C82-D885E886646D}\stubpath = "C:\\Windows\\{D9D361DB-E94B-45f6-8C82-D885E886646D}.exe"	3e593515637a0912aca85924bc83f8dd38789c6bad7e67a611308ba7344952af_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0DCA704-FE64-477f-9464-FE487432DA09}\stubpath = "C:\\Windows\\{C0DCA704-FE64-477f-9464-FE487432DA09}.exe"	{DEFB6DB7-E8FD-4618-8751-E5A13626F068}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B81A9441-9E9F-460e-88AB-BAF6A03285AE}	{5A3F7CC1-47B9-434c-863D-5E3E896D61D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6296929D-C37C-4429-A7E5-8E5970BCF798}\stubpath = "C:\\Windows\\{6296929D-C37C-4429-A7E5-8E5970BCF798}.exe"	{30CA09C9-C7E0-4895-92BB-06092D8888C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50E4E9C0-AA40-4653-9515-241B3EEDADC0}\stubpath = "C:\\Windows\\{50E4E9C0-AA40-4653-9515-241B3EEDADC0}.exe"	{6296929D-C37C-4429-A7E5-8E5970BCF798}.exe

Executes dropped EXE 11 IoCs

pid	Process
3008	{D9D361DB-E94B-45f6-8C82-D885E886646D}.exe
2584	{05B4715A-C5DF-4a0f-9168-E2A1DB40CB16}.exe
2508	{DEFB6DB7-E8FD-4618-8751-E5A13626F068}.exe
960	{C0DCA704-FE64-477f-9464-FE487432DA09}.exe
1356	{120BDC21-AB16-4b3f-9823-B86A48F36B6A}.exe
2816	{5A3F7CC1-47B9-434c-863D-5E3E896D61D0}.exe
880	{B81A9441-9E9F-460e-88AB-BAF6A03285AE}.exe
2516	{6DE7D9CE-0FD8-40f1-9FA7-833628AD51CE}.exe
1404	{30CA09C9-C7E0-4895-92BB-06092D8888C2}.exe
2280	{6296929D-C37C-4429-A7E5-8E5970BCF798}.exe
1724	{50E4E9C0-AA40-4653-9515-241B3EEDADC0}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{DEFB6DB7-E8FD-4618-8751-E5A13626F068}.exe	{05B4715A-C5DF-4a0f-9168-E2A1DB40CB16}.exe
File created	C:\Windows\{120BDC21-AB16-4b3f-9823-B86A48F36B6A}.exe	{C0DCA704-FE64-477f-9464-FE487432DA09}.exe
File created	C:\Windows\{5A3F7CC1-47B9-434c-863D-5E3E896D61D0}.exe	{120BDC21-AB16-4b3f-9823-B86A48F36B6A}.exe
File created	C:\Windows\{50E4E9C0-AA40-4653-9515-241B3EEDADC0}.exe	{6296929D-C37C-4429-A7E5-8E5970BCF798}.exe
File created	C:\Windows\{30CA09C9-C7E0-4895-92BB-06092D8888C2}.exe	{6DE7D9CE-0FD8-40f1-9FA7-833628AD51CE}.exe
File created	C:\Windows\{6296929D-C37C-4429-A7E5-8E5970BCF798}.exe	{30CA09C9-C7E0-4895-92BB-06092D8888C2}.exe
File created	C:\Windows\{D9D361DB-E94B-45f6-8C82-D885E886646D}.exe	3e593515637a0912aca85924bc83f8dd38789c6bad7e67a611308ba7344952af_NeikiAnalytics.exe
File created	C:\Windows\{05B4715A-C5DF-4a0f-9168-E2A1DB40CB16}.exe	{D9D361DB-E94B-45f6-8C82-D885E886646D}.exe
File created	C:\Windows\{C0DCA704-FE64-477f-9464-FE487432DA09}.exe	{DEFB6DB7-E8FD-4618-8751-E5A13626F068}.exe
File created	C:\Windows\{B81A9441-9E9F-460e-88AB-BAF6A03285AE}.exe	{5A3F7CC1-47B9-434c-863D-5E3E896D61D0}.exe
File created	C:\Windows\{6DE7D9CE-0FD8-40f1-9FA7-833628AD51CE}.exe	{B81A9441-9E9F-460e-88AB-BAF6A03285AE}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2056	3e593515637a0912aca85924bc83f8dd38789c6bad7e67a611308ba7344952af_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	3008	{D9D361DB-E94B-45f6-8C82-D885E886646D}.exe
Token: SeIncBasePriorityPrivilege	2584	{05B4715A-C5DF-4a0f-9168-E2A1DB40CB16}.exe
Token: SeIncBasePriorityPrivilege	2508	{DEFB6DB7-E8FD-4618-8751-E5A13626F068}.exe
Token: SeIncBasePriorityPrivilege	960	{C0DCA704-FE64-477f-9464-FE487432DA09}.exe
Token: SeIncBasePriorityPrivilege	1356	{120BDC21-AB16-4b3f-9823-B86A48F36B6A}.exe
Token: SeIncBasePriorityPrivilege	2816	{5A3F7CC1-47B9-434c-863D-5E3E896D61D0}.exe
Token: SeIncBasePriorityPrivilege	880	{B81A9441-9E9F-460e-88AB-BAF6A03285AE}.exe
Token: SeIncBasePriorityPrivilege	2516	{6DE7D9CE-0FD8-40f1-9FA7-833628AD51CE}.exe
Token: SeIncBasePriorityPrivilege	1404	{30CA09C9-C7E0-4895-92BB-06092D8888C2}.exe
Token: SeIncBasePriorityPrivilege	2280	{6296929D-C37C-4429-A7E5-8E5970BCF798}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 3008	2056	3e593515637a0912aca85924bc83f8dd38789c6bad7e67a611308ba7344952af_NeikiAnalytics.exe	28
PID 2056 wrote to memory of 3008	2056	3e593515637a0912aca85924bc83f8dd38789c6bad7e67a611308ba7344952af_NeikiAnalytics.exe	28
PID 2056 wrote to memory of 3008	2056	3e593515637a0912aca85924bc83f8dd38789c6bad7e67a611308ba7344952af_NeikiAnalytics.exe	28
PID 2056 wrote to memory of 3008	2056	3e593515637a0912aca85924bc83f8dd38789c6bad7e67a611308ba7344952af_NeikiAnalytics.exe	28
PID 2056 wrote to memory of 3028	2056	3e593515637a0912aca85924bc83f8dd38789c6bad7e67a611308ba7344952af_NeikiAnalytics.exe	29
PID 2056 wrote to memory of 3028	2056	3e593515637a0912aca85924bc83f8dd38789c6bad7e67a611308ba7344952af_NeikiAnalytics.exe	29
PID 2056 wrote to memory of 3028	2056	3e593515637a0912aca85924bc83f8dd38789c6bad7e67a611308ba7344952af_NeikiAnalytics.exe	29
PID 2056 wrote to memory of 3028	2056	3e593515637a0912aca85924bc83f8dd38789c6bad7e67a611308ba7344952af_NeikiAnalytics.exe	29
PID 3008 wrote to memory of 2584	3008	{D9D361DB-E94B-45f6-8C82-D885E886646D}.exe	30
PID 3008 wrote to memory of 2584	3008	{D9D361DB-E94B-45f6-8C82-D885E886646D}.exe	30
PID 3008 wrote to memory of 2584	3008	{D9D361DB-E94B-45f6-8C82-D885E886646D}.exe	30
PID 3008 wrote to memory of 2584	3008	{D9D361DB-E94B-45f6-8C82-D885E886646D}.exe	30
PID 3008 wrote to memory of 2764	3008	{D9D361DB-E94B-45f6-8C82-D885E886646D}.exe	31
PID 3008 wrote to memory of 2764	3008	{D9D361DB-E94B-45f6-8C82-D885E886646D}.exe	31
PID 3008 wrote to memory of 2764	3008	{D9D361DB-E94B-45f6-8C82-D885E886646D}.exe	31
PID 3008 wrote to memory of 2764	3008	{D9D361DB-E94B-45f6-8C82-D885E886646D}.exe	31
PID 2584 wrote to memory of 2508	2584	{05B4715A-C5DF-4a0f-9168-E2A1DB40CB16}.exe	34
PID 2584 wrote to memory of 2508	2584	{05B4715A-C5DF-4a0f-9168-E2A1DB40CB16}.exe	34
PID 2584 wrote to memory of 2508	2584	{05B4715A-C5DF-4a0f-9168-E2A1DB40CB16}.exe	34
PID 2584 wrote to memory of 2508	2584	{05B4715A-C5DF-4a0f-9168-E2A1DB40CB16}.exe	34
PID 2584 wrote to memory of 2412	2584	{05B4715A-C5DF-4a0f-9168-E2A1DB40CB16}.exe	35
PID 2584 wrote to memory of 2412	2584	{05B4715A-C5DF-4a0f-9168-E2A1DB40CB16}.exe	35
PID 2584 wrote to memory of 2412	2584	{05B4715A-C5DF-4a0f-9168-E2A1DB40CB16}.exe	35
PID 2584 wrote to memory of 2412	2584	{05B4715A-C5DF-4a0f-9168-E2A1DB40CB16}.exe	35
PID 2508 wrote to memory of 960	2508	{DEFB6DB7-E8FD-4618-8751-E5A13626F068}.exe	36
PID 2508 wrote to memory of 960	2508	{DEFB6DB7-E8FD-4618-8751-E5A13626F068}.exe	36
PID 2508 wrote to memory of 960	2508	{DEFB6DB7-E8FD-4618-8751-E5A13626F068}.exe	36
PID 2508 wrote to memory of 960	2508	{DEFB6DB7-E8FD-4618-8751-E5A13626F068}.exe	36
PID 2508 wrote to memory of 588	2508	{DEFB6DB7-E8FD-4618-8751-E5A13626F068}.exe	37
PID 2508 wrote to memory of 588	2508	{DEFB6DB7-E8FD-4618-8751-E5A13626F068}.exe	37
PID 2508 wrote to memory of 588	2508	{DEFB6DB7-E8FD-4618-8751-E5A13626F068}.exe	37
PID 2508 wrote to memory of 588	2508	{DEFB6DB7-E8FD-4618-8751-E5A13626F068}.exe	37
PID 960 wrote to memory of 1356	960	{C0DCA704-FE64-477f-9464-FE487432DA09}.exe	38
PID 960 wrote to memory of 1356	960	{C0DCA704-FE64-477f-9464-FE487432DA09}.exe	38
PID 960 wrote to memory of 1356	960	{C0DCA704-FE64-477f-9464-FE487432DA09}.exe	38
PID 960 wrote to memory of 1356	960	{C0DCA704-FE64-477f-9464-FE487432DA09}.exe	38
PID 960 wrote to memory of 1504	960	{C0DCA704-FE64-477f-9464-FE487432DA09}.exe	39
PID 960 wrote to memory of 1504	960	{C0DCA704-FE64-477f-9464-FE487432DA09}.exe	39
PID 960 wrote to memory of 1504	960	{C0DCA704-FE64-477f-9464-FE487432DA09}.exe	39
PID 960 wrote to memory of 1504	960	{C0DCA704-FE64-477f-9464-FE487432DA09}.exe	39
PID 1356 wrote to memory of 2816	1356	{120BDC21-AB16-4b3f-9823-B86A48F36B6A}.exe	40
PID 1356 wrote to memory of 2816	1356	{120BDC21-AB16-4b3f-9823-B86A48F36B6A}.exe	40
PID 1356 wrote to memory of 2816	1356	{120BDC21-AB16-4b3f-9823-B86A48F36B6A}.exe	40
PID 1356 wrote to memory of 2816	1356	{120BDC21-AB16-4b3f-9823-B86A48F36B6A}.exe	40
PID 1356 wrote to memory of 2200	1356	{120BDC21-AB16-4b3f-9823-B86A48F36B6A}.exe	41
PID 1356 wrote to memory of 2200	1356	{120BDC21-AB16-4b3f-9823-B86A48F36B6A}.exe	41
PID 1356 wrote to memory of 2200	1356	{120BDC21-AB16-4b3f-9823-B86A48F36B6A}.exe	41
PID 1356 wrote to memory of 2200	1356	{120BDC21-AB16-4b3f-9823-B86A48F36B6A}.exe	41
PID 2816 wrote to memory of 880	2816	{5A3F7CC1-47B9-434c-863D-5E3E896D61D0}.exe	42
PID 2816 wrote to memory of 880	2816	{5A3F7CC1-47B9-434c-863D-5E3E896D61D0}.exe	42
PID 2816 wrote to memory of 880	2816	{5A3F7CC1-47B9-434c-863D-5E3E896D61D0}.exe	42
PID 2816 wrote to memory of 880	2816	{5A3F7CC1-47B9-434c-863D-5E3E896D61D0}.exe	42
PID 2816 wrote to memory of 1692	2816	{5A3F7CC1-47B9-434c-863D-5E3E896D61D0}.exe	43
PID 2816 wrote to memory of 1692	2816	{5A3F7CC1-47B9-434c-863D-5E3E896D61D0}.exe	43
PID 2816 wrote to memory of 1692	2816	{5A3F7CC1-47B9-434c-863D-5E3E896D61D0}.exe	43
PID 2816 wrote to memory of 1692	2816	{5A3F7CC1-47B9-434c-863D-5E3E896D61D0}.exe	43
PID 880 wrote to memory of 2516	880	{B81A9441-9E9F-460e-88AB-BAF6A03285AE}.exe	44
PID 880 wrote to memory of 2516	880	{B81A9441-9E9F-460e-88AB-BAF6A03285AE}.exe	44
PID 880 wrote to memory of 2516	880	{B81A9441-9E9F-460e-88AB-BAF6A03285AE}.exe	44
PID 880 wrote to memory of 2516	880	{B81A9441-9E9F-460e-88AB-BAF6A03285AE}.exe	44
PID 880 wrote to memory of 2680	880	{B81A9441-9E9F-460e-88AB-BAF6A03285AE}.exe	45
PID 880 wrote to memory of 2680	880	{B81A9441-9E9F-460e-88AB-BAF6A03285AE}.exe	45
PID 880 wrote to memory of 2680	880	{B81A9441-9E9F-460e-88AB-BAF6A03285AE}.exe	45
PID 880 wrote to memory of 2680	880	{B81A9441-9E9F-460e-88AB-BAF6A03285AE}.exe	45

C:\Users\Admin\AppData\Local\Temp\3e593515637a0912aca85924bc83f8dd38789c6bad7e67a611308ba7344952af_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3e593515637a0912aca85924bc83f8dd38789c6bad7e67a611308ba7344952af_NeikiAnalytics.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\{D9D361DB-E94B-45f6-8C82-D885E886646D}.exe
  C:\Windows\{D9D361DB-E94B-45f6-8C82-D885E886646D}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\{05B4715A-C5DF-4a0f-9168-E2A1DB40CB16}.exe
    C:\Windows\{05B4715A-C5DF-4a0f-9168-E2A1DB40CB16}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\{DEFB6DB7-E8FD-4618-8751-E5A13626F068}.exe
      C:\Windows\{DEFB6DB7-E8FD-4618-8751-E5A13626F068}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2508
    - - C:\Windows\{C0DCA704-FE64-477f-9464-FE487432DA09}.exe
        
        C:\Windows\{C0DCA704-FE64-477f-9464-FE487432DA09}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:960
      - C:\Windows\{120BDC21-AB16-4b3f-9823-B86A48F36B6A}.exe
        
        C:\Windows\{120BDC21-AB16-4b3f-9823-B86A48F36B6A}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\{5A3F7CC1-47B9-434c-863D-5E3E896D61D0}.exe
        
        C:\Windows\{5A3F7CC1-47B9-434c-863D-5E3E896D61D0}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\{B81A9441-9E9F-460e-88AB-BAF6A03285AE}.exe
        
        C:\Windows\{B81A9441-9E9F-460e-88AB-BAF6A03285AE}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\{6DE7D9CE-0FD8-40f1-9FA7-833628AD51CE}.exe
        
        C:\Windows\{6DE7D9CE-0FD8-40f1-9FA7-833628AD51CE}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
        
        C:\Windows\{30CA09C9-C7E0-4895-92BB-06092D8888C2}.exe
        
        C:\Windows\{30CA09C9-C7E0-4895-92BB-06092D8888C2}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1404
        
        C:\Windows\{6296929D-C37C-4429-A7E5-8E5970BCF798}.exe
        
        C:\Windows\{6296929D-C37C-4429-A7E5-8E5970BCF798}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\{50E4E9C0-AA40-4653-9515-241B3EEDADC0}.exe
        
        C:\Windows\{50E4E9C0-AA40-4653-9515-241B3EEDADC0}.exe
        12⤵
        Executes dropped EXE
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62969~1.EXE > nul
        12⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30CA0~1.EXE > nul
        11⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6DE7D~1.EXE > nul
        10⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B81A9~1.EXE > nul
        9⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A3F7~1.EXE > nul
        8⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{120BD~1.EXE > nul
        7⤵
        
        PID:2200
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0DCA~1.EXE > nul
        6⤵
        
        PID:1504
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEFB6~1.EXE > nul
        5⤵
        
        PID:588
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{05B47~1.EXE > nul
      4⤵
      PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D9D36~1.EXE > nul
    3⤵
    PID:2764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3E5935~1.EXE > nul
  2⤵
  PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05B4715A-C5DF-4a0f-9168-E2A1DB40CB16}.exe

Filesize
116KB

MD5
a7de1b48ca87a1f04af4a2e4f4eddd8e

SHA1
708fe62aac9655512ff5186204bb7e0e9d5b753f

SHA256
f4eb738a03282de1c98ebea7fdc2d3dacd8e19564e1762a1b303e01bc4bee931

SHA512
bd22b382e43351b2893dcce9642438efb350704fd70ab9a61ae1e6b3e6bea796f3c24fd246cec16594aebe27677bdc88a1eccd8cdc8f45ce61dc0141bf2cf083

Download Submit
C:\Windows\{120BDC21-AB16-4b3f-9823-B86A48F36B6A}.exe

Filesize
116KB

MD5
f495e6768d47feae50b1f53b2bce52c9

SHA1
2bc072a3b6bd837bdc9ca5dc8fae6b9a34246140

SHA256
9fed9b6c03590ad26e38dacbf88605df3f680409afdeff103937d49f1d1f7af6

SHA512
b5169f0583d96c85330807d7afb22c22d6a74586be357eb0e670ef3be1d5c5f7386a865094fab76400920a4e98f5b86115f95731bbd53f070b4419e1c2d9bd4c

Download Submit
C:\Windows\{30CA09C9-C7E0-4895-92BB-06092D8888C2}.exe

Filesize
116KB

MD5
0ab5f7366ae9da04a6fbda6e3979f829

SHA1
850f6f451dc7dd7118e6697f45a658d359c92c74

SHA256
b78b8664d8135de490cf58483062f99f0ab21c4db91a771a0780bbc4a34dcb51

SHA512
396a0b46aad348610a1c8d7591ec1101c8130dc4a64721c162d1d182d8a674fa404ce32c1d24eac33978ed383e430d83ba9dba6e18e0c444aa33336c2f671bd6

Download Submit
C:\Windows\{50E4E9C0-AA40-4653-9515-241B3EEDADC0}.exe

Filesize
116KB

MD5
1962dd7e4a1d9999fdcce9df524445d9

SHA1
dc971846f1ea184581715608d1c270453e5bf202

SHA256
e25248f45563027a1809044560ff58c53ab2cfc773ed56be3abc283d77ce02e5

SHA512
791b3a237c027b9a7ff18e314e5841cac42441daf3e96cf8d5555505fe459da82eecf4ee0d7817f19dcfd861969181746d6e1e9395644ad386d57b36365198de

Download Submit
C:\Windows\{5A3F7CC1-47B9-434c-863D-5E3E896D61D0}.exe

Filesize
116KB

MD5
2f0fb7503aff82eb521b7b6fe6d31536

SHA1
2e0f7d2d99e6c3e90c13deff6cb2e465a2071667

SHA256
c3c50425574edb8f34389dd995fc3106ad332dd56a2c40fb3684647ba21ca5cf

SHA512
e603de5abf9b45c5e1a974911051b480b7f9a0af214a6751b00228f91da03fdba996f33f44fab6e4339a2a9a2d5cde486dde7dc4af709af78d919dd303791325

Download Submit
C:\Windows\{6296929D-C37C-4429-A7E5-8E5970BCF798}.exe

Filesize
116KB

MD5
3fc5bbc436e0b47f492d8e14829e4c98

SHA1
51a5fcd782978173fc92102a5b01e1319115aa83

SHA256
bf665636801219b6482fca8c20759ae0d46f03d60456f0ed93dc520824e5a173

SHA512
646ee2fe8cc6cbdca4b264cdebfb447665dfc0e39c66f7143688e07c5a2e87446bed778ee687d1714956b9f9c62894759b286db6e4cbc6b23ffb6110ecb80811

Download Submit
C:\Windows\{6DE7D9CE-0FD8-40f1-9FA7-833628AD51CE}.exe

Filesize
116KB

MD5
79764607dd9a0b433f32e0e59af5a658

SHA1
f7036950d3008421d67165cbd062a662d5408155

SHA256
a6c83973226a334a7cc2507922df577e278ea2714b19dd4ee90aa5345df6dc32

SHA512
cb6583ff04d897e5f6f9176b56125582d93c1e8248baedc206898c14925058c499490897573ba331fc7034afccd4bb1823566a3820280d677037eb5713623e99

Download Submit
C:\Windows\{B81A9441-9E9F-460e-88AB-BAF6A03285AE}.exe

Filesize
116KB

MD5
05f955bf89e1c58e6a6fd2416da6878c

SHA1
60421439fdfcf0385cc1cbb3f4d0973d15a15d5c

SHA256
5ea534fac7780d9e0384fcab80b1843c55d279656f31dc587990352731c9ae41

SHA512
df357d638a25b4ab1b90573a3210357919fcd134ada2ca7713f0a4c185413642e877b3f3bbf1cffc404fbaf3683b35a0dafc54dd0193c52453c2a88b1ffd124a

Download Submit
C:\Windows\{C0DCA704-FE64-477f-9464-FE487432DA09}.exe

Filesize
116KB

MD5
70c967114f89cdacf276ecdfd75013b5

SHA1
a1ccdb5203f4683a916fd530d771760a2a18dc7e

SHA256
1d4464f665be359c0eb9c7e29223a9846749462dd8e2d5bce142ed3fc00dae0e

SHA512
c43c2c79b8ea1532d22d978ebab373ec8ec4ba8448106bc19de43c41ceacdfc41b8120fd1c749dec217819595f2047c8be1078647aaaea56b4b5dc8597e71dc3

Download Submit
C:\Windows\{D9D361DB-E94B-45f6-8C82-D885E886646D}.exe

Filesize
116KB

MD5
4bc30c4675b200b8ec76b44de8a46d74

SHA1
bed6b740afa074dcf85dd0180aa6caaea6100992

SHA256
e2647333ccd55561b9adda6775ad315c7fbb25fb2fa000d6eda086c25d161c79

SHA512
920523b603f541f657ad2f82cee95e9c50d2a813402ea7e3432f4a7399fda4c88bbfc53f9804d455e9678895e380e5c9c2394884551f5c0557706b0ca96ce920

Download Submit
C:\Windows\{DEFB6DB7-E8FD-4618-8751-E5A13626F068}.exe

Filesize
116KB

MD5
1786462412f3e42261325b30e46314bf

SHA1
f8ed2416cfee68f7cabc2545499e99e8ce5bb655

SHA256
07cff34785ae47474588128752fd3dfb19e404e75dc52e121ae6284235a28645

SHA512
f9c2b51422a9d452abe40cfc2f7318b939b0b4b5dcbafc623189e0563a36a743b68ffe9284c23d74c7fef7f889d99002e6943d378328c515c844f0408027733a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads