Overview

overview

10

Static

static

10

18881a8974...KI.exe

windows7-x64

10

18881a8974...KI.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-05-2024 07:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    18881a897426a64bf676f00415259f10_NEIKI.exe

  • Size

    1.8MB

  • MD5

    18881a897426a64bf676f00415259f10

  • SHA1

    d6aa5c64c71c1c8b82b2a989dc129e97e43f5f2d

  • SHA256

    1fc57c3525585fbc3de57df4e005e78321b2a2952fd056bb2078a4b49acef38d

  • SHA512

    7930bb9975ad51f6d48402433ea0a49e1d072f6b0dea679b6eecca7355c01e187b3fe0e4257741e3dfede066f03ebdf9d6080b554729b626ac6032b0aece9680

  • SSDEEP

    24576:ASg5R9AL05rj1vlyn02GKSV2kRNQtKfA9v9UuDjZ+HAkv0Zj6fyblXT+yQkSwvjw:Ajew2PK4zDN+PvUJj+LpwvEBC

Score
10/10
zgratpersistenceratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 2 IoCs
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\18881a897426a64bf676f00415259f10_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\18881a897426a64bf676f00415259f10_NEIKI.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pi4ohteb\pi4ohteb.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3696
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4B22.tmp" "c:\Windows\System32\CSC9064C783B8B149CD8AE8959479756590.TMP"
        3⤵
          PID:800
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cnaEIOTEmi.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4220
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:4460
          • C:\Windows\system32\w32tm.exe
            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            3⤵
              PID:3612
            • C:\Users\Default\Saved Games\backgroundTaskHost.exe
              "C:\Users\Default\Saved Games\backgroundTaskHost.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:4332
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\NetHood\fontdrvhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4628
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2876
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\NetHood\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2664
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4112
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2692
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4104
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\DESIGNER\RuntimeBroker.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:752
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4652
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\DESIGNER\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2260
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\taskhostw.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1664
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\taskhostw.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2336
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\taskhostw.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1680
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Saved Games\backgroundTaskHost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2552
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\backgroundTaskHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4200
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Saved Games\backgroundTaskHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3944
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "18881a897426a64bf676f00415259f10_NEIKI1" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\18881a897426a64bf676f00415259f10_NEIKI.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:5112
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "18881a897426a64bf676f00415259f10_NEIKI" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\18881a897426a64bf676f00415259f10_NEIKI.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3104
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "18881a897426a64bf676f00415259f10_NEIKI1" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\18881a897426a64bf676f00415259f10_NEIKI.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4904

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\RES4B22.tmp
          Filesize

          1KB

          MD5

          36053038ac2daffbf1630615d6a87209

          SHA1

          4fac8602f3fa6b413083e63936af612d0d92a419

          SHA256

          539ceb34df17b0f033ee4e84a6e22a61bb00f5f01e301c76984c2be194b85435

          SHA512

          ee3fa6389ce7f71ac9d4cb9815b0fd905bc7cc983dc0bb8ab2fb59d469fe10d5b9c114e55854eb541446c4ffe499a7b87c1d3f1a2ae2b369afdffe9c7f452814

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\cnaEIOTEmi.bat
          Filesize

          227B

          MD5

          e06d2866b845984771093ba310e6f3b6

          SHA1

          5d483cf9b880c3c47cb4ad2570e1bc8e8faceacf

          SHA256

          c26d931890ed14305925669aa55de4c72e17bbd27b41a49b70758bc5f66f493f

          SHA512

          338f0eed340e205ed051ab9f834b7d20268a7a45efb6ad19878e422315a11ae08be2736d245259af9cb6e819c946186b5764555d3320c2e82ce76816c49e8c17

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\fontdrvhost.exe
          Filesize

          1.8MB

          MD5

          18881a897426a64bf676f00415259f10

          SHA1

          d6aa5c64c71c1c8b82b2a989dc129e97e43f5f2d

          SHA256

          1fc57c3525585fbc3de57df4e005e78321b2a2952fd056bb2078a4b49acef38d

          SHA512

          7930bb9975ad51f6d48402433ea0a49e1d072f6b0dea679b6eecca7355c01e187b3fe0e4257741e3dfede066f03ebdf9d6080b554729b626ac6032b0aece9680

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\pi4ohteb\pi4ohteb.0.cs
          Filesize

          370B

          MD5

          31110fb507382f2b0622650a706c2daa

          SHA1

          4029314fb45d3a1942699f7de5381e7b2f72d262

          SHA256

          d78da00340581c37834804c1ae8ad510e214c9a5a2afb00809f667136084bb24

          SHA512

          b05cbbcb84f7d2656dcadfdfa8cfa2126d285e767ca1d268d721fe8a94d6ba0aa2ab2631136014b3fb8f623c5efadcccddab478621698ad3618b90b1436fe86a

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\pi4ohteb\pi4ohteb.cmdline
          Filesize

          235B

          MD5

          9328b6998521354b3d7606f311973463

          SHA1

          5b4747181be9f5b6a6d017d5647aef6ade70da86

          SHA256

          47695426642b137fcb35e3ee929f4b335b8f2aa15697a3257fa3c5b16a0951ee

          SHA512

          e3e60cee8ad3d586cff2234d52b95560303c94f269696386341b6789274be11086fb90828a83f36fbe88b8f2571002fc7485f3767352467fb2599de0d93eb17a

          Download Submit

        • \??\c:\Windows\System32\CSC9064C783B8B149CD8AE8959479756590.TMP
          Filesize

          1KB

          MD5

          15e348fb3b4a8ef2854c70fca0b4428a

          SHA1

          2eedab28109db7f685a7c1530f365ad4f29d9da8

          SHA256

          13ef6bd5ee3ffe6bb186c51588804b3f4d706281ec74c6d99706d15606ded408

          SHA512

          f946113b33f926a7b0268ecfcdc24bd63390977f77470118b22eb09d1c5db3560a7e62d1fdb1d11a9fc9e24eeb2c24600c0dfb59bc3030dce30a47ee628ab0a8

          Download Submit

        • memory/1708-7-0x00007FFE30CE0000-0x00007FFE317A1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1708-0-0x00007FFE30CE3000-0x00007FFE30CE5000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1708-11-0x000000001B6B0000-0x000000001B6CC000-memory.dmp

          Filesize

          112KB

          Download

        • memory/1708-8-0x00007FFE30CE0000-0x00007FFE317A1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1708-12-0x000000001B840000-0x000000001B890000-memory.dmp

          Filesize

          320KB

          Download

        • memory/1708-14-0x000000001B6D0000-0x000000001B6E8000-memory.dmp

          Filesize

          96KB

          Download

        • memory/1708-16-0x0000000002D80000-0x0000000002D8C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1708-17-0x00007FFE30CE0000-0x00007FFE317A1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1708-21-0x00007FFE30CE0000-0x00007FFE317A1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1708-9-0x00007FFE30CE0000-0x00007FFE317A1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1708-30-0x00007FFE30CE0000-0x00007FFE317A1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1708-6-0x0000000002D70000-0x0000000002D7E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1708-4-0x00007FFE30CE0000-0x00007FFE317A1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1708-3-0x00007FFE30CE0000-0x00007FFE317A1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1708-38-0x00007FFE30CE0000-0x00007FFE317A1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1708-2-0x00007FFE30CE0000-0x00007FFE317A1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1708-1-0x00000000008B0000-0x0000000000A8A000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/1708-50-0x00007FFE30CE0000-0x00007FFE317A1000-memory.dmp

          Filesize

          10.8MB

          Download