436d7b39b107b403ae96859eb79a979ca283e1f0b92580613c9e388d31cbfc9c

Analysis

max time kernel
144s
max time network
130s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01/07/2024, 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

436d7b39b107b403ae96859eb79a979ca283e1f0b92580613c9e388d31cbfc9c_NeikiAnalytics.exe
Size

90KB
MD5

7599eb90a5085483f75ac7a0c6599f20
SHA1

1193c5bbff60bd2d5a9ffc3371e8217c11faef8e
SHA256

436d7b39b107b403ae96859eb79a979ca283e1f0b92580613c9e388d31cbfc9c
SHA512

a6cc2080038e7dfa72e948def0b09c7dbbefe0d3a2e22f03403a4a2f116bc67fea4c94a2bcc274c63624dd4f57d83ab8a86eca11e583138f105098ee698a2ab3
SSDEEP

768:Qvw9816vhKQLroH4/wQRNrfrunMxVFA3b7glws:YEGh0oHl2unMxVS3Hgz

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DD5DF54-1428-4d95-93E6-74C72E804A2B}\stubpath = "C:\\Windows\\{8DD5DF54-1428-4d95-93E6-74C72E804A2B}.exe"	{26356073-86FE-4222-91B2-BC10D0BEC1C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F782E704-202A-464d-8C38-D357542C233F}\stubpath = "C:\\Windows\\{F782E704-202A-464d-8C38-D357542C233F}.exe"	{9BB837AB-F428-4f55-ACFE-99D0C029A0AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35E2550F-3ED5-46ff-9035-1FF8D92BD80B}	{F782E704-202A-464d-8C38-D357542C233F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35E2550F-3ED5-46ff-9035-1FF8D92BD80B}\stubpath = "C:\\Windows\\{35E2550F-3ED5-46ff-9035-1FF8D92BD80B}.exe"	{F782E704-202A-464d-8C38-D357542C233F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6172AC6-D181-4198-883A-25B7E0D0E928}\stubpath = "C:\\Windows\\{E6172AC6-D181-4198-883A-25B7E0D0E928}.exe"	{35E2550F-3ED5-46ff-9035-1FF8D92BD80B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6172AC6-D181-4198-883A-25B7E0D0E928}	{35E2550F-3ED5-46ff-9035-1FF8D92BD80B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDA49386-000F-4d15-AB09-793A05631621}\stubpath = "C:\\Windows\\{BDA49386-000F-4d15-AB09-793A05631621}.exe"	{51A8029B-C1D1-4a87-B9E3-D00AA7ADD6F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9538201-4FCC-4fbc-84CC-6452B756F452}	{5ECF06B2-95C7-4a91-B4D7-9E90D5A99277}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9538201-4FCC-4fbc-84CC-6452B756F452}\stubpath = "C:\\Windows\\{E9538201-4FCC-4fbc-84CC-6452B756F452}.exe"	{5ECF06B2-95C7-4a91-B4D7-9E90D5A99277}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26356073-86FE-4222-91B2-BC10D0BEC1C9}	{E9538201-4FCC-4fbc-84CC-6452B756F452}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DD5DF54-1428-4d95-93E6-74C72E804A2B}	{26356073-86FE-4222-91B2-BC10D0BEC1C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BB837AB-F428-4f55-ACFE-99D0C029A0AD}\stubpath = "C:\\Windows\\{9BB837AB-F428-4f55-ACFE-99D0C029A0AD}.exe"	{8DD5DF54-1428-4d95-93E6-74C72E804A2B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51A8029B-C1D1-4a87-B9E3-D00AA7ADD6F2}	436d7b39b107b403ae96859eb79a979ca283e1f0b92580613c9e388d31cbfc9c_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51A8029B-C1D1-4a87-B9E3-D00AA7ADD6F2}\stubpath = "C:\\Windows\\{51A8029B-C1D1-4a87-B9E3-D00AA7ADD6F2}.exe"	436d7b39b107b403ae96859eb79a979ca283e1f0b92580613c9e388d31cbfc9c_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BDA49386-000F-4d15-AB09-793A05631621}	{51A8029B-C1D1-4a87-B9E3-D00AA7ADD6F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23C3759C-4858-4593-A86A-5CCA1BF7D530}\stubpath = "C:\\Windows\\{23C3759C-4858-4593-A86A-5CCA1BF7D530}.exe"	{BDA49386-000F-4d15-AB09-793A05631621}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BB837AB-F428-4f55-ACFE-99D0C029A0AD}	{8DD5DF54-1428-4d95-93E6-74C72E804A2B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23C3759C-4858-4593-A86A-5CCA1BF7D530}	{BDA49386-000F-4d15-AB09-793A05631621}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5ECF06B2-95C7-4a91-B4D7-9E90D5A99277}	{23C3759C-4858-4593-A86A-5CCA1BF7D530}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5ECF06B2-95C7-4a91-B4D7-9E90D5A99277}\stubpath = "C:\\Windows\\{5ECF06B2-95C7-4a91-B4D7-9E90D5A99277}.exe"	{23C3759C-4858-4593-A86A-5CCA1BF7D530}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26356073-86FE-4222-91B2-BC10D0BEC1C9}\stubpath = "C:\\Windows\\{26356073-86FE-4222-91B2-BC10D0BEC1C9}.exe"	{E9538201-4FCC-4fbc-84CC-6452B756F452}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F782E704-202A-464d-8C38-D357542C233F}	{9BB837AB-F428-4f55-ACFE-99D0C029A0AD}.exe

Deletes itself 1 IoCs

pid	Process
3024	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1932	{51A8029B-C1D1-4a87-B9E3-D00AA7ADD6F2}.exe
2748	{BDA49386-000F-4d15-AB09-793A05631621}.exe
2780	{23C3759C-4858-4593-A86A-5CCA1BF7D530}.exe
2352	{5ECF06B2-95C7-4a91-B4D7-9E90D5A99277}.exe
672	{E9538201-4FCC-4fbc-84CC-6452B756F452}.exe
2828	{26356073-86FE-4222-91B2-BC10D0BEC1C9}.exe
1792	{8DD5DF54-1428-4d95-93E6-74C72E804A2B}.exe
1072	{9BB837AB-F428-4f55-ACFE-99D0C029A0AD}.exe
640	{F782E704-202A-464d-8C38-D357542C233F}.exe
2480	{35E2550F-3ED5-46ff-9035-1FF8D92BD80B}.exe
2320	{E6172AC6-D181-4198-883A-25B7E0D0E928}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{23C3759C-4858-4593-A86A-5CCA1BF7D530}.exe	{BDA49386-000F-4d15-AB09-793A05631621}.exe
File created	C:\Windows\{5ECF06B2-95C7-4a91-B4D7-9E90D5A99277}.exe	{23C3759C-4858-4593-A86A-5CCA1BF7D530}.exe
File created	C:\Windows\{E9538201-4FCC-4fbc-84CC-6452B756F452}.exe	{5ECF06B2-95C7-4a91-B4D7-9E90D5A99277}.exe
File created	C:\Windows\{9BB837AB-F428-4f55-ACFE-99D0C029A0AD}.exe	{8DD5DF54-1428-4d95-93E6-74C72E804A2B}.exe
File created	C:\Windows\{F782E704-202A-464d-8C38-D357542C233F}.exe	{9BB837AB-F428-4f55-ACFE-99D0C029A0AD}.exe
File created	C:\Windows\{51A8029B-C1D1-4a87-B9E3-D00AA7ADD6F2}.exe	436d7b39b107b403ae96859eb79a979ca283e1f0b92580613c9e388d31cbfc9c_NeikiAnalytics.exe
File created	C:\Windows\{BDA49386-000F-4d15-AB09-793A05631621}.exe	{51A8029B-C1D1-4a87-B9E3-D00AA7ADD6F2}.exe
File created	C:\Windows\{26356073-86FE-4222-91B2-BC10D0BEC1C9}.exe	{E9538201-4FCC-4fbc-84CC-6452B756F452}.exe
File created	C:\Windows\{8DD5DF54-1428-4d95-93E6-74C72E804A2B}.exe	{26356073-86FE-4222-91B2-BC10D0BEC1C9}.exe
File created	C:\Windows\{35E2550F-3ED5-46ff-9035-1FF8D92BD80B}.exe	{F782E704-202A-464d-8C38-D357542C233F}.exe
File created	C:\Windows\{E6172AC6-D181-4198-883A-25B7E0D0E928}.exe	{35E2550F-3ED5-46ff-9035-1FF8D92BD80B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2040	436d7b39b107b403ae96859eb79a979ca283e1f0b92580613c9e388d31cbfc9c_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	1932	{51A8029B-C1D1-4a87-B9E3-D00AA7ADD6F2}.exe
Token: SeIncBasePriorityPrivilege	2748	{BDA49386-000F-4d15-AB09-793A05631621}.exe
Token: SeIncBasePriorityPrivilege	2780	{23C3759C-4858-4593-A86A-5CCA1BF7D530}.exe
Token: SeIncBasePriorityPrivilege	2352	{5ECF06B2-95C7-4a91-B4D7-9E90D5A99277}.exe
Token: SeIncBasePriorityPrivilege	672	{E9538201-4FCC-4fbc-84CC-6452B756F452}.exe
Token: SeIncBasePriorityPrivilege	2828	{26356073-86FE-4222-91B2-BC10D0BEC1C9}.exe
Token: SeIncBasePriorityPrivilege	1792	{8DD5DF54-1428-4d95-93E6-74C72E804A2B}.exe
Token: SeIncBasePriorityPrivilege	1072	{9BB837AB-F428-4f55-ACFE-99D0C029A0AD}.exe
Token: SeIncBasePriorityPrivilege	640	{F782E704-202A-464d-8C38-D357542C233F}.exe
Token: SeIncBasePriorityPrivilege	2480	{35E2550F-3ED5-46ff-9035-1FF8D92BD80B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1932	2040	436d7b39b107b403ae96859eb79a979ca283e1f0b92580613c9e388d31cbfc9c_NeikiAnalytics.exe	28
PID 2040 wrote to memory of 1932	2040	436d7b39b107b403ae96859eb79a979ca283e1f0b92580613c9e388d31cbfc9c_NeikiAnalytics.exe	28
PID 2040 wrote to memory of 1932	2040	436d7b39b107b403ae96859eb79a979ca283e1f0b92580613c9e388d31cbfc9c_NeikiAnalytics.exe	28
PID 2040 wrote to memory of 1932	2040	436d7b39b107b403ae96859eb79a979ca283e1f0b92580613c9e388d31cbfc9c_NeikiAnalytics.exe	28
PID 2040 wrote to memory of 3024	2040	436d7b39b107b403ae96859eb79a979ca283e1f0b92580613c9e388d31cbfc9c_NeikiAnalytics.exe	29
PID 2040 wrote to memory of 3024	2040	436d7b39b107b403ae96859eb79a979ca283e1f0b92580613c9e388d31cbfc9c_NeikiAnalytics.exe	29
PID 2040 wrote to memory of 3024	2040	436d7b39b107b403ae96859eb79a979ca283e1f0b92580613c9e388d31cbfc9c_NeikiAnalytics.exe	29
PID 2040 wrote to memory of 3024	2040	436d7b39b107b403ae96859eb79a979ca283e1f0b92580613c9e388d31cbfc9c_NeikiAnalytics.exe	29
PID 1932 wrote to memory of 2748	1932	{51A8029B-C1D1-4a87-B9E3-D00AA7ADD6F2}.exe	30
PID 1932 wrote to memory of 2748	1932	{51A8029B-C1D1-4a87-B9E3-D00AA7ADD6F2}.exe	30
PID 1932 wrote to memory of 2748	1932	{51A8029B-C1D1-4a87-B9E3-D00AA7ADD6F2}.exe	30
PID 1932 wrote to memory of 2748	1932	{51A8029B-C1D1-4a87-B9E3-D00AA7ADD6F2}.exe	30
PID 1932 wrote to memory of 2676	1932	{51A8029B-C1D1-4a87-B9E3-D00AA7ADD6F2}.exe	31
PID 1932 wrote to memory of 2676	1932	{51A8029B-C1D1-4a87-B9E3-D00AA7ADD6F2}.exe	31
PID 1932 wrote to memory of 2676	1932	{51A8029B-C1D1-4a87-B9E3-D00AA7ADD6F2}.exe	31
PID 1932 wrote to memory of 2676	1932	{51A8029B-C1D1-4a87-B9E3-D00AA7ADD6F2}.exe	31
PID 2748 wrote to memory of 2780	2748	{BDA49386-000F-4d15-AB09-793A05631621}.exe	32
PID 2748 wrote to memory of 2780	2748	{BDA49386-000F-4d15-AB09-793A05631621}.exe	32
PID 2748 wrote to memory of 2780	2748	{BDA49386-000F-4d15-AB09-793A05631621}.exe	32
PID 2748 wrote to memory of 2780	2748	{BDA49386-000F-4d15-AB09-793A05631621}.exe	32
PID 2748 wrote to memory of 2544	2748	{BDA49386-000F-4d15-AB09-793A05631621}.exe	33
PID 2748 wrote to memory of 2544	2748	{BDA49386-000F-4d15-AB09-793A05631621}.exe	33
PID 2748 wrote to memory of 2544	2748	{BDA49386-000F-4d15-AB09-793A05631621}.exe	33
PID 2748 wrote to memory of 2544	2748	{BDA49386-000F-4d15-AB09-793A05631621}.exe	33
PID 2780 wrote to memory of 2352	2780	{23C3759C-4858-4593-A86A-5CCA1BF7D530}.exe	36
PID 2780 wrote to memory of 2352	2780	{23C3759C-4858-4593-A86A-5CCA1BF7D530}.exe	36
PID 2780 wrote to memory of 2352	2780	{23C3759C-4858-4593-A86A-5CCA1BF7D530}.exe	36
PID 2780 wrote to memory of 2352	2780	{23C3759C-4858-4593-A86A-5CCA1BF7D530}.exe	36
PID 2780 wrote to memory of 776	2780	{23C3759C-4858-4593-A86A-5CCA1BF7D530}.exe	37
PID 2780 wrote to memory of 776	2780	{23C3759C-4858-4593-A86A-5CCA1BF7D530}.exe	37
PID 2780 wrote to memory of 776	2780	{23C3759C-4858-4593-A86A-5CCA1BF7D530}.exe	37
PID 2780 wrote to memory of 776	2780	{23C3759C-4858-4593-A86A-5CCA1BF7D530}.exe	37
PID 2352 wrote to memory of 672	2352	{5ECF06B2-95C7-4a91-B4D7-9E90D5A99277}.exe	38
PID 2352 wrote to memory of 672	2352	{5ECF06B2-95C7-4a91-B4D7-9E90D5A99277}.exe	38
PID 2352 wrote to memory of 672	2352	{5ECF06B2-95C7-4a91-B4D7-9E90D5A99277}.exe	38
PID 2352 wrote to memory of 672	2352	{5ECF06B2-95C7-4a91-B4D7-9E90D5A99277}.exe	38
PID 2352 wrote to memory of 2508	2352	{5ECF06B2-95C7-4a91-B4D7-9E90D5A99277}.exe	39
PID 2352 wrote to memory of 2508	2352	{5ECF06B2-95C7-4a91-B4D7-9E90D5A99277}.exe	39
PID 2352 wrote to memory of 2508	2352	{5ECF06B2-95C7-4a91-B4D7-9E90D5A99277}.exe	39
PID 2352 wrote to memory of 2508	2352	{5ECF06B2-95C7-4a91-B4D7-9E90D5A99277}.exe	39
PID 672 wrote to memory of 2828	672	{E9538201-4FCC-4fbc-84CC-6452B756F452}.exe	40
PID 672 wrote to memory of 2828	672	{E9538201-4FCC-4fbc-84CC-6452B756F452}.exe	40
PID 672 wrote to memory of 2828	672	{E9538201-4FCC-4fbc-84CC-6452B756F452}.exe	40
PID 672 wrote to memory of 2828	672	{E9538201-4FCC-4fbc-84CC-6452B756F452}.exe	40
PID 672 wrote to memory of 704	672	{E9538201-4FCC-4fbc-84CC-6452B756F452}.exe	41
PID 672 wrote to memory of 704	672	{E9538201-4FCC-4fbc-84CC-6452B756F452}.exe	41
PID 672 wrote to memory of 704	672	{E9538201-4FCC-4fbc-84CC-6452B756F452}.exe	41
PID 672 wrote to memory of 704	672	{E9538201-4FCC-4fbc-84CC-6452B756F452}.exe	41
PID 2828 wrote to memory of 1792	2828	{26356073-86FE-4222-91B2-BC10D0BEC1C9}.exe	42
PID 2828 wrote to memory of 1792	2828	{26356073-86FE-4222-91B2-BC10D0BEC1C9}.exe	42
PID 2828 wrote to memory of 1792	2828	{26356073-86FE-4222-91B2-BC10D0BEC1C9}.exe	42
PID 2828 wrote to memory of 1792	2828	{26356073-86FE-4222-91B2-BC10D0BEC1C9}.exe	42
PID 2828 wrote to memory of 2260	2828	{26356073-86FE-4222-91B2-BC10D0BEC1C9}.exe	43
PID 2828 wrote to memory of 2260	2828	{26356073-86FE-4222-91B2-BC10D0BEC1C9}.exe	43
PID 2828 wrote to memory of 2260	2828	{26356073-86FE-4222-91B2-BC10D0BEC1C9}.exe	43
PID 2828 wrote to memory of 2260	2828	{26356073-86FE-4222-91B2-BC10D0BEC1C9}.exe	43
PID 1792 wrote to memory of 1072	1792	{8DD5DF54-1428-4d95-93E6-74C72E804A2B}.exe	44
PID 1792 wrote to memory of 1072	1792	{8DD5DF54-1428-4d95-93E6-74C72E804A2B}.exe	44
PID 1792 wrote to memory of 1072	1792	{8DD5DF54-1428-4d95-93E6-74C72E804A2B}.exe	44
PID 1792 wrote to memory of 1072	1792	{8DD5DF54-1428-4d95-93E6-74C72E804A2B}.exe	44
PID 1792 wrote to memory of 600	1792	{8DD5DF54-1428-4d95-93E6-74C72E804A2B}.exe	45
PID 1792 wrote to memory of 600	1792	{8DD5DF54-1428-4d95-93E6-74C72E804A2B}.exe	45
PID 1792 wrote to memory of 600	1792	{8DD5DF54-1428-4d95-93E6-74C72E804A2B}.exe	45
PID 1792 wrote to memory of 600	1792	{8DD5DF54-1428-4d95-93E6-74C72E804A2B}.exe	45

C:\Users\Admin\AppData\Local\Temp\436d7b39b107b403ae96859eb79a979ca283e1f0b92580613c9e388d31cbfc9c_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\436d7b39b107b403ae96859eb79a979ca283e1f0b92580613c9e388d31cbfc9c_NeikiAnalytics.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Windows\{51A8029B-C1D1-4a87-B9E3-D00AA7ADD6F2}.exe
  C:\Windows\{51A8029B-C1D1-4a87-B9E3-D00AA7ADD6F2}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\{BDA49386-000F-4d15-AB09-793A05631621}.exe
    C:\Windows\{BDA49386-000F-4d15-AB09-793A05631621}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\{23C3759C-4858-4593-A86A-5CCA1BF7D530}.exe
      C:\Windows\{23C3759C-4858-4593-A86A-5CCA1BF7D530}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Windows\{5ECF06B2-95C7-4a91-B4D7-9E90D5A99277}.exe
        
        C:\Windows\{5ECF06B2-95C7-4a91-B4D7-9E90D5A99277}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2352
      - C:\Windows\{E9538201-4FCC-4fbc-84CC-6452B756F452}.exe
        
        C:\Windows\{E9538201-4FCC-4fbc-84CC-6452B756F452}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\{26356073-86FE-4222-91B2-BC10D0BEC1C9}.exe
        
        C:\Windows\{26356073-86FE-4222-91B2-BC10D0BEC1C9}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\{8DD5DF54-1428-4d95-93E6-74C72E804A2B}.exe
        
        C:\Windows\{8DD5DF54-1428-4d95-93E6-74C72E804A2B}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\{9BB837AB-F428-4f55-ACFE-99D0C029A0AD}.exe
        
        C:\Windows\{9BB837AB-F428-4f55-ACFE-99D0C029A0AD}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
        
        C:\Windows\{F782E704-202A-464d-8C38-D357542C233F}.exe
        
        C:\Windows\{F782E704-202A-464d-8C38-D357542C233F}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:640
        
        C:\Windows\{35E2550F-3ED5-46ff-9035-1FF8D92BD80B}.exe
        
        C:\Windows\{35E2550F-3ED5-46ff-9035-1FF8D92BD80B}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Windows\{E6172AC6-D181-4198-883A-25B7E0D0E928}.exe
        
        C:\Windows\{E6172AC6-D181-4198-883A-25B7E0D0E928}.exe
        12⤵
        Executes dropped EXE
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35E25~1.EXE > nul
        12⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F782E~1.EXE > nul
        11⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9BB83~1.EXE > nul
        10⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DD5D~1.EXE > nul
        9⤵
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26356~1.EXE > nul
        8⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9538~1.EXE > nul
        7⤵
        
        PID:704
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5ECF0~1.EXE > nul
        6⤵
        
        PID:2508
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23C37~1.EXE > nul
        5⤵
        
        PID:776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BDA49~1.EXE > nul
      4⤵
      PID:2544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{51A80~1.EXE > nul
    3⤵
    PID:2676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\436D7B~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{23C3759C-4858-4593-A86A-5CCA1BF7D530}.exe

Filesize
90KB

MD5
bee88a9a48ffbbae17b26725ea57212f

SHA1
2a02b73384db5c01acb2269bff97a0411d9d8b44

SHA256
85e98180d0894a401d7962ee917f0d6ac524a6cde5e32c932a742439c7600ecb

SHA512
83e3517d0530410104b6dd58b3adc7ce6be67ae680a89d5ca3ce90fec1654b47f429b5177895da87b18b31cd5455613de6a2860f044ac2845775d271bdb7251a

Download Submit
C:\Windows\{26356073-86FE-4222-91B2-BC10D0BEC1C9}.exe

Filesize
90KB

MD5
99ce2c82a503e3d18733d62af970b9a0

SHA1
08f263106357ebff08e60f35a6273afe06634d44

SHA256
8824edc45be78faf5328dcd97bc0de729886b126746ba222b07ddb19a03e897c

SHA512
d6f7ec68142a9c4e46f7473506e032ab942d47f6a29bd210a9910a70948d7ac31c4d02f4e8460266764c704e5862871b82a268edb3fd672d7c5a2712c7685147

Download Submit
C:\Windows\{35E2550F-3ED5-46ff-9035-1FF8D92BD80B}.exe

Filesize
90KB

MD5
98ac4827c76c552dfa62c523bf289abd

SHA1
b47298cfdbd37d8ca4e0add62462a2fa844f8791

SHA256
a8da32bd410a83e94fa7dcc39109e2558899aa95c883347821d1b74b2467b640

SHA512
9e787bdcefa26b2d91a050e1190c93682c5854e48cc8b48e3e86f9f83b0188d9101fa3c4aea90da165a4808289cc67962e1933fe52af42ffcb77f40eb642e8c4

Download Submit
C:\Windows\{51A8029B-C1D1-4a87-B9E3-D00AA7ADD6F2}.exe

Filesize
90KB

MD5
274c9fee84f48176a975d43d5cbc7d5c

SHA1
44a9c921e1284f3d1ea96b02f1501391882af82a

SHA256
8cfeec88e3ca42255d518f83e9b1e66e10d67a07935e71c5a0f43def86742df3

SHA512
d8aefac4e1921589c78e2fd0e706aa83c545f6f8fd848bcbf68cd15943c36ec0e4c30d2f193babee88e67a64f4385c6bca872d3e67bc85d920024aea85287086

Download Submit
C:\Windows\{5ECF06B2-95C7-4a91-B4D7-9E90D5A99277}.exe

Filesize
90KB

MD5
1c5c8a2012292ccd6c4a9a3b3faff031

SHA1
3fbada875341cc46a5b6942c180e7476ea8128f8

SHA256
96ba6a04827107c0a3dc7f7c4fab22d5098051a56032f9d691ff1d927ee1c6a5

SHA512
9fa35bdcac13a36d7c7def5f8ac314e30b80fa1b2a0e07dae7fee0727e5edd73f1d2a7978aaa9696db878198bbd2edb1502b649a1b4ac052fc12832d3074d3bf

Download Submit
C:\Windows\{8DD5DF54-1428-4d95-93E6-74C72E804A2B}.exe

Filesize
90KB

MD5
7d7c441977774c5e924ded8757ac4456

SHA1
836d4865aca40b41d5dfaca505288a9dbafdec95

SHA256
71d4a30bd4e93f6211adf42973db677050ec09c79b37cffde80da4fa9f078264

SHA512
cf112a3e96eeeae3ee8f8e03682a7f699b76f8bfb22a4b849f2505b77fdbc298223447d843320b5db7b4916db2419e129d7f24821d1f3381785e79187e8d4860

Download Submit
C:\Windows\{9BB837AB-F428-4f55-ACFE-99D0C029A0AD}.exe

Filesize
90KB

MD5
c34b32f7a6c5c134d2f9ec237c6c17ff

SHA1
9e6eed6776c7c44a8cc09522d5e7bbf57552915e

SHA256
4b9b8e84777a9408fdd774d425e9b68997de9068a0a5143fe168b81b45998235

SHA512
bbdc9d1d42561fd37e6ed9ab2c48a5a826e97da587ec66159f442ebeb13eb7956a14bdec84b1521d7c1ea0c1f2d9f2923c779f50089bce24d615fb7288b93b31

Download Submit
C:\Windows\{BDA49386-000F-4d15-AB09-793A05631621}.exe

Filesize
90KB

MD5
e07ff5032272f2aa94965b82a3929d73

SHA1
e08529b811bc9a9874cf8b17c7fd8babaa2b5bab

SHA256
0b9e85256b264453a2cc46525eff33d593a45346e89c5d9e0f061576bcc92859

SHA512
e58dc02ab58fd4731e4161e11d7f7bfb9400e65e40066462d4c2c2e9bcb53b70357c6007351e4b72a1d922388ffa4f09351c1b1618750fbb14ec79fd3b50212c

Download Submit
C:\Windows\{E6172AC6-D181-4198-883A-25B7E0D0E928}.exe

Filesize
90KB

MD5
5f7a34b24ca6af406d953e9b18945851

SHA1
2da6a3543c7ec6a7e94e8c531d3c2d4b7587237f

SHA256
1a43d88b0edaa07beed3031cd05ff518f58a715b9f081a10801df82f7741d383

SHA512
957c3faa099615d4de9ca8b1aa4f8ea565c2ac0ece8f2d52571a258cd9bbc08b3311e62d67aed11957b5ca453600d9b6dcacd835d95d735ca3673d15e4113dd2

Download Submit
C:\Windows\{E9538201-4FCC-4fbc-84CC-6452B756F452}.exe

Filesize
90KB

MD5
432a9a109fa38f3e0669afdc3e2a7432

SHA1
de91a1fa636c39bc7399c46862842e1b0c9dbc4f

SHA256
5cd5543071723e8e806ba1974671aa857fa6b1a03fdc94b31f83f23a24754faa

SHA512
047af1ad18f45390df2ce0e7d2e10b98c483c26e9162110649f3eaacebf5969623f020b53d2ecdd25ea5b40b73cd43aaa8ffb2dc9099ecd063f09e0013bace87

Download Submit
C:\Windows\{F782E704-202A-464d-8C38-D357542C233F}.exe

Filesize
90KB

MD5
e1fc039cb89fc3aa7277272978bb9715

SHA1
924f2659547dc2813bd9070a8b94b7eddbfee358

SHA256
31508cbeae6b2729f0dcf1907f374ba0688a0f3dabeb11685092e636acc8e8a7

SHA512
d927e35f9ac31dd90a400628836723c9c9c0761035fd296993dcf7e834487bd56956eaa9202d0f4f0e56b0aa1a1c399e9e74629af7bb6c1b36da9c15a1d89341

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads