Analysis Overview
SHA256
6badfc713ecea281aecb89bdcddafea95465e94098557bc679cdb85a70d67555
Threat Level: Known bad
The file dacdc4204974035b495698e1e6de02e0_NEIKI was found to be: Known bad.
Malicious Activity Summary
Detect ZGRat V1
ZGRat
Loads dropped DLL
.NET Reactor protector
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-09 03:11
Signatures
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 03:11
Reported
2024-05-09 03:14
Platform
win7-20240221-en
Max time kernel
120s
Max time network
128s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ZGRat
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dacdc4204974035b495698e1e6de02e0_NEIKI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dacdc4204974035b495698e1e6de02e0_NEIKI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dacdc4204974035b495698e1e6de02e0_NEIKI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dacdc4204974035b495698e1e6de02e0_NEIKI.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dacdc4204974035b495698e1e6de02e0_NEIKI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dacdc4204974035b495698e1e6de02e0_NEIKI.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dacdc4204974035b495698e1e6de02e0_NEIKI.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\dacdc4204974035b495698e1e6de02e0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\dacdc4204974035b495698e1e6de02e0_NEIKI.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.ivcmf.by | udp |
| BY | 195.50.4.166:443 | www.ivcmf.by | tcp |
Files
memory/2892-0-0x000000007434E000-0x000000007434F000-memory.dmp
memory/2892-1-0x0000000000C00000-0x00000000011EA000-memory.dmp
memory/2892-2-0x0000000074340000-0x0000000074A2E000-memory.dmp
memory/2892-3-0x0000000074340000-0x0000000074A2E000-memory.dmp
memory/2892-4-0x000000000A800000-0x000000000ADF2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AvCryptSvc.ini
| MD5 | 0677d433a47449d66395bc690c20ef68 |
| SHA1 | 80feca271ddebad5b10cb8c8714c6c2aa386fa32 |
| SHA256 | e07b900ffa34af1c388ce75b3820f6f3d3d247ee72a9961eecd1425b66f6f1f3 |
| SHA512 | 2c013b88bcb314a26e1e297a038a7b91e28135d2ff4b8b4aa170f035d70c69cb96d04c43331cbc9b6868d4279b30f49d7c8af8afdb8ca1469ee174797811c435 |
C:\Users\Admin\AppData\Local\Temp\AvCryptSvc.exe
| MD5 | 79758f40946119b9dbdfe1d3f0d013ab |
| SHA1 | cf80ca05cf992bc875defa1f301adf8240bd9cf3 |
| SHA256 | cc541615455783965444ec82aff7bda49262123d165f8c8c3ceb7110339c9f33 |
| SHA512 | d505e796af2a061284c234afcc7cc7243e8553cab487d467c8c752ab35298422cfbac8ced565a9c7fe48c8663d8dc3e1909dcba9f67f66fe2390a6646ba32b51 |
memory/2892-82-0x00000000056D0000-0x000000000576E000-memory.dmp
memory/2892-77-0x00000000056D0000-0x000000000576E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AvCmMsg.ini
| MD5 | 1f4b8e7405456dc2f2250d5fbbad7486 |
| SHA1 | efea299772b2f82610af2fb4aaf0afb05b3ac00d |
| SHA256 | 96015f0063145199f15f084e31e79ff77493591bd340a29895edb0783fb132b4 |
| SHA512 | 69867da84b22249373f675c8cc84bf19968c6dc4bee23d505a52447dd27563ea39330804cb17e5967cfd0ee57c845f704a8f98912d9c5d082eca192fb521905e |
memory/2892-93-0x0000000074340000-0x0000000074A2E000-memory.dmp
memory/2892-95-0x000000007434E000-0x000000007434F000-memory.dmp
memory/2892-96-0x0000000074340000-0x0000000074A2E000-memory.dmp
memory/2892-97-0x0000000074340000-0x0000000074A2E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 03:11
Reported
2024-05-09 03:14
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ZGRat
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dacdc4204974035b495698e1e6de02e0_NEIKI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dacdc4204974035b495698e1e6de02e0_NEIKI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dacdc4204974035b495698e1e6de02e0_NEIKI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dacdc4204974035b495698e1e6de02e0_NEIKI.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\58F6A68D38867D61B346F3BB298BCB0FCDD30A99\Blob = … | C:\Users\Admin\AppData\Local\Temp\dacdc4204974035b495698e1e6de02e0_NEIKI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\58F6A68D38867D61B346F3BB298BCB0FCDD30A99 | C:\Users\Admin\AppData\Local\Temp\dacdc4204974035b495698e1e6de02e0_NEIKI.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dacdc4204974035b495698e1e6de02e0_NEIKI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dacdc4204974035b495698e1e6de02e0_NEIKI.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dacdc4204974035b495698e1e6de02e0_NEIKI.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\dacdc4204974035b495698e1e6de02e0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\dacdc4204974035b495698e1e6de02e0_NEIKI.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.ivcmf.by | udp |
| BY | 195.50.4.166:443 | www.ivcmf.by | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.4.50.195.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.21.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
Files
memory/1760-0-0x000000007492E000-0x000000007492F000-memory.dmp
memory/1760-1-0x0000000000B60000-0x000000000114A000-memory.dmp
memory/1760-2-0x0000000074920000-0x00000000750D0000-memory.dmp
memory/1760-3-0x0000000006280000-0x0000000006824000-memory.dmp
memory/1760-4-0x0000000074920000-0x00000000750D0000-memory.dmp
memory/1760-5-0x0000000005BB0000-0x0000000005C42000-memory.dmp
memory/1760-6-0x0000000005C50000-0x0000000005C5A000-memory.dmp
memory/1760-7-0x000000000B4B0000-0x000000000BAA2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AvCryptSvc.ini
| MD5 | 0677d433a47449d66395bc690c20ef68 |
| SHA1 | 80feca271ddebad5b10cb8c8714c6c2aa386fa32 |
| SHA256 | e07b900ffa34af1c388ce75b3820f6f3d3d247ee72a9961eecd1425b66f6f1f3 |
| SHA512 | 2c013b88bcb314a26e1e297a038a7b91e28135d2ff4b8b4aa170f035d70c69cb96d04c43331cbc9b6868d4279b30f49d7c8af8afdb8ca1469ee174797811c435 |
memory/1760-74-0x0000000006220000-0x0000000006242000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AvCryptSvc.exe
| MD5 | 79758f40946119b9dbdfe1d3f0d013ab |
| SHA1 | cf80ca05cf992bc875defa1f301adf8240bd9cf3 |
| SHA256 | cc541615455783965444ec82aff7bda49262123d165f8c8c3ceb7110339c9f33 |
| SHA512 | d505e796af2a061284c234afcc7cc7243e8553cab487d467c8c752ab35298422cfbac8ced565a9c7fe48c8663d8dc3e1909dcba9f67f66fe2390a6646ba32b51 |
memory/1760-81-0x00000000071C0000-0x000000000725E000-memory.dmp
memory/1760-92-0x0000000074920000-0x00000000750D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AvCmMsg.ini
| MD5 | 1f4b8e7405456dc2f2250d5fbbad7486 |
| SHA1 | efea299772b2f82610af2fb4aaf0afb05b3ac00d |
| SHA256 | 96015f0063145199f15f084e31e79ff77493591bd340a29895edb0783fb132b4 |
| SHA512 | 69867da84b22249373f675c8cc84bf19968c6dc4bee23d505a52447dd27563ea39330804cb17e5967cfd0ee57c845f704a8f98912d9c5d082eca192fb521905e |
memory/1760-104-0x000000007492E000-0x000000007492F000-memory.dmp
memory/1760-105-0x0000000074920000-0x00000000750D0000-memory.dmp
memory/1760-106-0x0000000074920000-0x00000000750D0000-memory.dmp