Analysis

  • max time kernel
    125s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    09-05-2024 15:56

General

  • Target

    7dcea724fda3fd345207c7d539924ef0_NeikiAnalytics.exe

  • Size

    2.2MB

  • MD5

    7dcea724fda3fd345207c7d539924ef0

  • SHA1

    2b5a82f17a5da662e3cc246ab9b9b480de4df3d4

  • SHA256

    5430f89081787db94574aa0765ce42d6ede7c47df351481f44d8bdb0987607ca

  • SHA512

    016ef2257f38653659d9e1b963364d80b0e91ff6522305832e48abe6eaccb57be2c6d5f9801d1f26dd2d7b5e55215f379fbccb21865df26b5524c91cc4703492

  • SSDEEP

    24576:2TbBv5rUyXVwmEg9jD2GDFZOOS9RxVGS8+4zhotSUz68Sh0+w7GNmG+vVxfmjyqR:IBJw5OS9Rp8fJUzaNbIG0m

Malware Config

Signatures

  • Detect ZGRat V1 2 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser profile data, which can include saved credentials, cookies and browsing history.

  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7dcea724fda3fd345207c7d539924ef0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\7dcea724fda3fd345207c7d539924ef0_NeikiAnalytics.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:932
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\svc_host\LLtHD6KyksTtn9xrvTjsqO9gPW0zdCW69vHytT.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1392
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\svc_host\o6N3MULqHjrpw5R3dKMVsIOofJS2K8wQZ2DqcVD.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3176
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          4⤵
          • Modifies registry key
          PID:5104
        • C:\svc_host\refsvc.exe
          "C:\svc_host/refsvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1132
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2V8ivUijeo.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:5092
            • C:\Windows\system32\chcp.com
              chcp 65001
              6⤵
                PID:772
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                6⤵
                • Runs ping.exe
                PID:4292
              • C:\Windows\DigitalLocker\en-US\taskhostw.exe
                "C:\Windows\DigitalLocker\en-US\taskhostw.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:3220
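
The tree above is the concrete form of several entries under Signatures: WScript.exe runs a batch file that disables Task Manager through reg.exe and starts refsvc.exe from C:\svc_host; refsvc.exe then runs a second batch file that uses chcp and ping -n 10 localhost as a delay before launching a taskhostw.exe copy from C:\Windows\DigitalLocker\en-US rather than System32. The Python below is an added example, not part of the sandbox report or the malware: it encodes those behaviours as detection rules and runs them over constructed process-creation events whose command lines are copied from the tree (parent PIDs follow the tree's nesting; PIDs 600 and 2000 are made-up benign controls). The sets of system binaries, legitimate directories and script hosts are assumptions to tune per environment.

```python
"""Detection rules for the behaviours in the process tree above (added example, not sandbox output).
EVENTS is constructed telemetry: command lines are copied from the tree, parent PIDs follow its
nesting, and PIDs 600 and 2000 are made-up benign controls (an explorer.exe parent and a genuine
System32 taskhostw.exe) that the rules must not flag."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the executed image
    cmdline: str  # command line as recorded

EVENTS = [
    ProcEvent(600, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(932, 600, r"C:\Users\Admin\AppData\Local\Temp\7dcea724fda3fd345207c7d539924ef0_NeikiAnalytics.exe", r'"C:\Users\Admin\AppData\Local\Temp\7dcea724fda3fd345207c7d539924ef0_NeikiAnalytics.exe"'),
    ProcEvent(1392, 932, r"C:\Windows\SysWOW64\WScript.exe", r'"C:\Windows\System32\WScript.exe" "C:\svc_host\LLtHD6KyksTtn9xrvTjsqO9gPW0zdCW69vHytT.vbe"'),
    ProcEvent(3176, 1392, r"C:\Windows\SysWOW64\cmd.exe", r'C:\Windows\system32\cmd.exe /c ""C:\svc_host\o6N3MULqHjrpw5R3dKMVsIOofJS2K8wQZ2DqcVD.bat" "'),
    ProcEvent(5104, 3176, r"C:\Windows\SysWOW64\reg.exe", r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"),
    ProcEvent(1132, 3176, r"C:\svc_host\refsvc.exe", r'"C:\svc_host/refsvc.exe"'),
    ProcEvent(5092, 1132, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2V8ivUijeo.bat"'),
    ProcEvent(772, 5092, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    ProcEvent(4292, 5092, r"C:\Windows\system32\PING.EXE", "ping -n 10 localhost"),
    ProcEvent(3220, 5092, r"C:\Windows\DigitalLocker\en-US\taskhostw.exe", r'"C:\Windows\DigitalLocker\en-US\taskhostw.exe"'),
    ProcEvent(2000, 600, r"C:\Windows\System32\taskhostw.exe", "taskhostw.exe"),
]

# Tuning knobs: assumptions for this example, adjust per environment.
SYSTEM_BINARIES = {"taskhostw.exe", "svchost.exe", "dllhost.exe", "runtimebroker.exe", "lsass.exe"}
LEGIT_SYSTEM_DIRS = tuple(d + "\\" for d in (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs"))
KNOWN_ROOT_DIRS = {"windows", "program files", "program files (x86)", "users", "programdata", "perflogs"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# reg add HK{CU,LM}\...\Policies\System /v DisableTaskMgr ... /d 1 (quoted key path and long hive names allowed)
DISABLE_TASKMGR = re.compile(
    r"\badd\s+\"?HK(?:CU|EY_CURRENT_USER|LM|EY_LOCAL_MACHINE)\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\Policies\\System\"?.*?/v\s+DisableTaskMgr\b.*?/d\s+(?:0x)?1\b",
    re.IGNORECASE,
)


def basename(path):
    return ntpath.basename(path).lower()


def rule_disable_taskmgr(ev, lineage):
    """reg.exe writing DisableTaskMgr=1 under the user or machine System policy key."""
    if basename(ev.image) == "reg.exe" and DISABLE_TASKMGR.search(ev.cmdline):
        return "Task Manager disabled via Policies\\System\\DisableTaskMgr=1"


def rule_masqueraded_system_binary(ev, lineage):
    """A well-known Windows binary name running from a directory it does not ship in."""
    if basename(ev.image) in SYSTEM_BINARIES:
        directory = ntpath.dirname(ev.image).lower() + "\\"
        if not directory.startswith(LEGIT_SYSTEM_DIRS):
            return f"{basename(ev.image)} executed from {ntpath.dirname(ev.image)}"


def rule_ping_sleep(ev, lineage):
    """cmd.exe child pinging the loopback N times: the batch-file sleep seen before the next stage."""
    if basename(ev.image) != "ping.exe" or not lineage or basename(lineage[0].image) != "cmd.exe":
        return None
    count = re.search(r"-n\s+(\d+)", ev.cmdline, re.IGNORECASE)
    target = re.search(r"\b(?:localhost|127\.0\.0\.1)\b", ev.cmdline, re.IGNORECASE)
    if count and target and int(count.group(1)) >= 2:
        n = int(count.group(1))
        return f"ping -n {n} to loopback from a batch file (roughly {n - 1}s delay)"


def rule_custom_root_dir(ev, lineage):
    """An executable sitting directly under a non-standard top-level directory (svc_host in the tree above)."""
    m = re.match(r"^[a-z]:\\([^\\]+)\\[^\\]+\.exe$", ev.image.lower())
    if m and m.group(1) not in KNOWN_ROOT_DIRS:
        return f"executable launched from non-standard directory {ntpath.dirname(ev.image)}"


def rule_script_host_chain(ev, lineage):
    """reg.exe, or an executable outside C:\\Windows, whose recent ancestry includes a script host."""
    if basename(ev.image) != "reg.exe" and ev.image.lower().startswith("c:\\windows\\"):
        return None
    ancestors = [basename(p.image) for p in lineage[:3]]
    hosts = SCRIPT_HOSTS.intersection(ancestors)
    if hosts:
        chain = " -> ".join(reversed(ancestors)) + " -> " + basename(ev.image)
        return f"spawned under {sorted(hosts)[0]} (chain: {chain})"


RULES = (rule_disable_taskmgr, rule_masqueraded_system_binary, rule_ping_sleep,
         rule_custom_root_dir, rule_script_host_chain)


def detect(events):
    """Return (pid, rule_name, detail) for every hit, resolving each process's ancestry by PID."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        lineage, cur = [], ev
        while cur.ppid in by_pid and len(lineage) < 8:  # bounded walk; guards against PID-reuse loops
            cur = by_pid[cur.ppid]
            lineage.append(cur)
        for rule in RULES:
            detail = rule(ev, lineage)
            if detail:
                hits.append((ev.pid, rule.__name__[len("rule_"):], detail))
    return hits
```

Calling detect(EVENTS) flags PID 5104 (DisableTaskMgr write, script-host ancestry), PID 1132 (executable under C:\svc_host with WScript.exe two hops up), PID 4292 (ping -n 10 localhost under cmd.exe) and PID 3220 (taskhostw.exe outside System32), and stays silent on chcp.com, the script host itself and the genuine System32 taskhostw.exe. The ancestry walk is the part worth keeping when porting this to a SIEM: the DisableTaskMgr write on its own is also done by some admin tooling, and ping -n N localhost alone is a common benign batch idiom, so both are far stronger when tied to a script-host parent chain.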

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\2V8ivUijeo.bat

      Filesize

      172B

      MD5

      197257298f659b9e05a9c4da7e3cc38f

      SHA1

      d30ac82c53a877cba0d3e72b50a56eefd4ba1d5b

      SHA256

      7db49eb7593513e5ab933dbbb44fb63a3ca061f7067d58981deb04c9aa59eb8d

      SHA512

      403300ad323ee688b9a080e66432df86a24af8617db2a0e64b7ef71b78d6bcaf59344d71432974e5a981454b7eee8463a8bc679d529d1dd744ec17282945789b

    • C:\svc_host\LLtHD6KyksTtn9xrvTjsqO9gPW0zdCW69vHytT.vbe

      Filesize

      225B

      MD5

      0999aa302043250c87205f71c9ae2124

      SHA1

      90a26bb66c737ee925282bd427fc40b5a76e00f8

      SHA256

      73148262eff9aca1d1624e72983e2466ec6e69987561c587c69715e5dcd97efb

      SHA512

      51a794adba929c73413e15633d093e10924fc3c02ccd6c193c7f4d3b15cb5a85c52725d7ae94705245ad928b3c5d18d721789712b3895ad7c259f0b6c92d10e9

    • C:\svc_host\o6N3MULqHjrpw5R3dKMVsIOofJS2K8wQZ2DqcVD.bat

      Filesize

      177B

      MD5

      2bc7ba1d121bab2aaa3daeb4b82da7ae

      SHA1

      00eeaa69ea9f2b0cd99a478e76b47d090af77fc3

      SHA256

      bf91299f8c63b91a89e661d3a29f67591bc6d73539e55d3a9265d7d5c4dd9a3e

      SHA512

      ca9c5f796aeba7c6153357749b300a3b3a95e84c675210db98bf05d995bbc73e0b4b6a97bc7e84f666d29826f74c799f02a2a0841e4b0c48c671f3a8d0ea4c48

    • C:\svc_host\refsvc.exe

      Filesize

      1.9MB

      MD5

      e91a72e040145056f9aa92a0653c5884

      SHA1

      5d3e149f8e8d8cd7e695c6ffd58997af16ea41e0

      SHA256

      74e6ef57d2cec172f217a48f5e013a644588a9f4ec25a1a5e05d0f3c04c6b922

      SHA512

      3650052c5ee1141290e2ef4d0ce42c1b6596740439ba9b91ac33ccefc2696664bf03f2712a558a819a7e186fbce66c7782e4d904ff8f9099f17180d78c1d544d

    • memory/1132-12-0x0000000000A70000-0x0000000000C5E000-memory.dmp

      Filesize

      1.9MB

    • memory/1132-14-0x0000000001480000-0x000000000148E000-memory.dmp

      Filesize

      56KB

    • memory/1132-16-0x0000000002DB0000-0x0000000002DCC000-memory.dmp

      Filesize

      112KB

    • memory/1132-17-0x000000001BCC0000-0x000000001BD10000-memory.dmp

      Filesize

      320KB

    • memory/1132-19-0x0000000002DD0000-0x0000000002DE8000-memory.dmp

      Filesize

      96KB

    • memory/1132-21-0x0000000001490000-0x000000000149C000-memory.dmp

      Filesize

      48KB

    • memory/1132-23-0x0000000002D90000-0x0000000002D9E000-memory.dmp

      Filesize

      56KB

    • memory/1132-25-0x0000000002DA0000-0x0000000002DAC000-memory.dmp

      Filesize

      48KB
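
The memory/... entries above are sandbox dumps of regions inside PID 1132, which the process tree identifies as refsvc.exe; each name carries the region's start and end address. The Python below is an added example, not part of the report: it parses that naming scheme, recomputes every region's size from the addresses and checks it against the Filesize shown, and confirms the regions are page-aligned. The entry names and Filesize strings are copied from the list above; the rounding in human_size is an assumption about how the report renders sizes. Running it shows that all eight sizes agree with the report and that the 12th dump (0xA70000-0xC5E000, 1.9MB) is the only region in the same size class as the dropped refsvc.exe (1.9MB), which makes it the natural first dump to examine when looking for the executable as mapped in memory.

```python
"""Parse the memory-dump entries listed above and recompute each region's size.
Added example, not part of the sandbox report. Entry names and Filesize strings are copied from
the Downloads list; how human_size rounds is an assumption about the report's display format."""
import re

MEMORY_DUMP = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# (entry name, Filesize as shown in the report)
REPORT_ENTRIES = [
    ("memory/1132-12-0x0000000000A70000-0x0000000000C5E000-memory.dmp", "1.9MB"),
    ("memory/1132-14-0x0000000001480000-0x000000000148E000-memory.dmp", "56KB"),
    ("memory/1132-16-0x0000000002DB0000-0x0000000002DCC000-memory.dmp", "112KB"),
    ("memory/1132-17-0x000000001BCC0000-0x000000001BD10000-memory.dmp", "320KB"),
    ("memory/1132-19-0x0000000002DD0000-0x0000000002DE8000-memory.dmp", "96KB"),
    ("memory/1132-21-0x0000000001490000-0x000000000149C000-memory.dmp", "48KB"),
    ("memory/1132-23-0x0000000002D90000-0x0000000002D9E000-memory.dmp", "56KB"),
    ("memory/1132-25-0x0000000002DA0000-0x0000000002DAC000-memory.dmp", "48KB"),
]

PAGE = 0x1000  # x64 Windows page size; dumped regions should start and end on page boundaries


def parse_dump_name(name):
    """Split memory/<pid>-<seq>-<start>-<end>-memory.dmp into its fields plus the region size."""
    m = MEMORY_DUMP.match(name)
    if not m:
        raise ValueError(f"not a memory dump entry: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"end address not above start in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def human_size(n):
    """Render a byte count the way the report does: 172B, 56KB, 1.9MB (rounding assumed)."""
    if n < 1024:
        return f"{n}B"
    if n < 1024 ** 2:
        return f"{n / 1024:.0f}KB"
    return f"{n / 1024 ** 2:.1f}MB"


def check_entries(entries):
    """Recompute each region's size, compare with the listed Filesize, and check page alignment."""
    results = []
    for name, shown in entries:
        r = parse_dump_name(name)
        r.update(shown=shown,
                 size_ok=human_size(r["size"]) == shown,
                 page_aligned=r["start"] % PAGE == 0 and r["end"] % PAGE == 0)
        results.append(r)
    return results


def largest_region(results):
    """The biggest dumped region: the first candidate for a mapped or unpacked PE image."""
    return max(results, key=lambda r: r["size"])
```

check_entries(REPORT_ENTRIES) returns one record per dump with size_ok and page_aligned both true for all eight entries; largest_region picks the 0x1EE000-byte (2,023,424-byte) region at 0xA70000, the 1.9MB one.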