Analysis

  • max time kernel
    130s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-05-2024 15:56

General

  • Target

    7dcea724fda3fd345207c7d539924ef0_NeikiAnalytics.exe

  • Size

    2.2MB

  • MD5

    7dcea724fda3fd345207c7d539924ef0

  • SHA1

    2b5a82f17a5da662e3cc246ab9b9b480de4df3d4

  • SHA256

    5430f89081787db94574aa0765ce42d6ede7c47df351481f44d8bdb0987607ca

  • SHA512

    016ef2257f38653659d9e1b963364d80b0e91ff6522305832e48abe6eaccb57be2c6d5f9801d1f26dd2d7b5e55215f379fbccb21865df26b5524c91cc4703492

  • SSDEEP

    24576:2TbBv5rUyXVwmEg9jD2GDFZOOS9RxVGS8+4zhotSUz68Sh0+w7GNmG+vVxfmjyqR:IBJw5OS9Rp8fJUzaNbIG0m

Malware Config

Signatures

  • Detect ZGRat V1 3 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Disables Task Manager via registry modification
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7dcea724fda3fd345207c7d539924ef0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\7dcea724fda3fd345207c7d539924ef0_NeikiAnalytics.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\svc_host\LLtHD6KyksTtn9xrvTjsqO9gPW0zdCW69vHytT.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1192
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\svc_host\o6N3MULqHjrpw5R3dKMVsIOofJS2K8wQZ2DqcVD.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2584
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          4⤵
          • Modifies registry key
          PID:2700
        • C:\svc_host\refsvc.exe
          "C:\svc_host/refsvc.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2728
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cd4bcaTvCp.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2512
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
              PID:2936
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
              PID:2308
                • C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\sppsvc.exe
                  "C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\sppsvc.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: CmdExeWriteProcessMemorySpam
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1696

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Temp\cd4bcaTvCp.bat

        Filesize

        235B

        MD5

        1fa448101a061efe242acbd49733de19

        SHA1

        cd110ab05a328ef63e2043e3debcb4fa5f75d0a7

        SHA256

        d086efd84a8f33098f920e91b945370888769cb0447e47b87d979e02521d265f

        SHA512

        1b1e3422dccff3c7ab260677dd8729a9bc9072038b6e0fd3f0b6533c92082afc8e3af235f561c6e970b5d6a50e69ee2cafb992f8a5512eb905e9539fbf93c859

      • C:\svc_host\LLtHD6KyksTtn9xrvTjsqO9gPW0zdCW69vHytT.vbe

        Filesize

        225B

        MD5

        0999aa302043250c87205f71c9ae2124

        SHA1

        90a26bb66c737ee925282bd427fc40b5a76e00f8

        SHA256

        73148262eff9aca1d1624e72983e2466ec6e69987561c587c69715e5dcd97efb

        SHA512

        51a794adba929c73413e15633d093e10924fc3c02ccd6c193c7f4d3b15cb5a85c52725d7ae94705245ad928b3c5d18d721789712b3895ad7c259f0b6c92d10e9

      • C:\svc_host\o6N3MULqHjrpw5R3dKMVsIOofJS2K8wQZ2DqcVD.bat

        Filesize

        177B

        MD5

        2bc7ba1d121bab2aaa3daeb4b82da7ae

        SHA1

        00eeaa69ea9f2b0cd99a478e76b47d090af77fc3

        SHA256

        bf91299f8c63b91a89e661d3a29f67591bc6d73539e55d3a9265d7d5c4dd9a3e

        SHA512

        ca9c5f796aeba7c6153357749b300a3b3a95e84c675210db98bf05d995bbc73e0b4b6a97bc7e84f666d29826f74c799f02a2a0841e4b0c48c671f3a8d0ea4c48

      • \svc_host\refsvc.exe

        Filesize

        1.9MB

        MD5

        e91a72e040145056f9aa92a0653c5884

        SHA1

        5d3e149f8e8d8cd7e695c6ffd58997af16ea41e0

        SHA256

        74e6ef57d2cec172f217a48f5e013a644588a9f4ec25a1a5e05d0f3c04c6b922

        SHA512

        3650052c5ee1141290e2ef4d0ce42c1b6596740439ba9b91ac33ccefc2696664bf03f2712a558a819a7e186fbce66c7782e4d904ff8f9099f17180d78c1d544d

      • memory/1696-44-0x0000000001110000-0x00000000012FE000-memory.dmp

        Filesize

        1.9MB

      • memory/2728-13-0x0000000000AE0000-0x0000000000CCE000-memory.dmp

        Filesize

        1.9MB

      • memory/2728-15-0x0000000000510000-0x000000000051E000-memory.dmp

        Filesize

        56KB

      • memory/2728-17-0x0000000000A70000-0x0000000000A8C000-memory.dmp

        Filesize

        112KB

      • memory/2728-19-0x0000000000A90000-0x0000000000AA8000-memory.dmp

        Filesize

        96KB

      • memory/2728-21-0x0000000000520000-0x000000000052C000-memory.dmp

        Filesize

        48KB

      • memory/2728-23-0x0000000000530000-0x000000000053E000-memory.dmp

        Filesize

        56KB

      • memory/2728-25-0x0000000000AB0000-0x0000000000ABC000-memory.dmp

        Filesize

        48KB