Analysis Overview
SHA256
8c865af1a6f5285e6a3ee64421ea74a1bc18963321f2f7bd36e1a3da3ceb9d4b
Threat Level: Known bad
The file 51f28789646af41d049b694138433dc0_NeikiAnalytics was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Detect ZGRat V1
Windows security bypass
ZGRat
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Windows security modification
Checks computer location settings
Uses the VBS compiler for execution
Looks up external IP address via web service
Adds Run key to start application
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Delays execution with timeout.exe
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Runs regedit.exe
System policy modification
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 02:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 02:46
Reported
2024-05-10 02:49
Platform
win7-20231129-en
Max time kernel
117s
Max time network
117s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\51f28789646af41d049b694138433dc0_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2340 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\51f28789646af41d049b694138433dc0_NeikiAnalytics.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\51f28789646af41d049b694138433dc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\51f28789646af41d049b694138433dc0_NeikiAnalytics.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2340 -s 544
Network
Files
memory/2340-0-0x000007FEF5B83000-0x000007FEF5B84000-memory.dmp
memory/2340-1-0x0000000000D10000-0x0000000000D28000-memory.dmp
memory/2340-2-0x000007FEF5B83000-0x000007FEF5B84000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 02:46
Reported
2024-05-10 02:49
Platform
win10v2004-20240508-en
Max time kernel
125s
Max time network
126s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
ZGRat
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\51f28789646af41d049b694138433dc0_NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Uses the VBS compiler for execution
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\Users\Admin\AppData\Roaming\svchost.exe\"" | C:\Users\Admin\AppData\Local\Temp\51f28789646af41d049b694138433dc0_NeikiAnalytics.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4336 set thread context of 4768 | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Runs regedit.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\51f28789646af41d049b694138433dc0_NeikiAnalytics.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\51f28789646af41d049b694138433dc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\51f28789646af41d049b694138433dc0_NeikiAnalytics.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF05B.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3608,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:8
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 205.13.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | s82.gocheapweb.com | udp |
| DE | 51.195.88.199:587 | s82.gocheapweb.com | tcp |
| US | 8.8.8.8:53 | 199.88.195.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.116.69.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tmpF05B.tmp.bat
| MD5 | bc8a9e15b76a0bd5923a7f916a815487 |
| SHA1 | ccf569b9425c5c238b800c890b467723c530c799 |
| SHA256 | 71412543400626df6302d54e15d018fee476c6c7cbf0dd57ceb782a2ba2cb485 |
| SHA512 | a4c0957513fab7cb2c2722a326c913586b73a1956e1015080f3f529ade4725a803e43cda72e867533d42bc8bc14425cd917d42ffd60ba92e79cfb8e43ad8308b |
C:\Users\Admin\AppData\Roaming\svchost.exe
| MD5 | 51f28789646af41d049b694138433dc0 |
| SHA1 | 57c4323053589025713656f1ed6cb14e7d05eb59 |
| SHA256 | 8c865af1a6f5285e6a3ee64421ea74a1bc18963321f2f7bd36e1a3da3ceb9d4b |
| SHA512 | 24160456a2b764169b923033e3e9696b24caf3966b2f366a821c80ece051d5484747ffa78fce95fac5f2a2f3dee28082d09e2a1d2a3a6a16133791fcd96bc302 |
memory/3136-15-0x000001ACF54B0000-0x000001ACF54D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jiict0sj.jsv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |