Analysis
-
max time kernel
126s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
10/05/2024, 07:13
General
-
Target
9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
-
Size
1.8MB
-
MD5
9c9cfb46f054ba152005a24e4bc13cd0
-
SHA1
894e8cce959ed8d0fccfefa585891f5fd85c6aeb
-
SHA256
105661772dbcadfa0e07c1d790efb26adce0e54d33ecb6bee0e42ae201eecef1
-
SHA512
3923648a5708f884150318bb5ee9f4df2713bd826b85861bbf2cf1026487ab8b1d5668e361081493ab4cd8b3ede7b7cf9bd173dc7b72eaf95c4082b20aad98a4
-
SSDEEP
24576:P+ss0unD9Gm7yQGbSMZ6/YnFAHZ5r24ZPW5HuehnP2uC/X2nLU:PM5H78bSEnmxZ+Juehnc/2
Malware Config
Signatures
-
Detect ZGRat V1 3 IoCs
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 12 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe"C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe"1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tmkw0gqi\tmkw0gqi.cmdline"2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2FB8.tmp" "c:\Windows\System32\CSC42E97CB6EBA840E98D1EF51BA7FC9ABE.TMP"3⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cy8ISVXXgP.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650013⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe"C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Downloads\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\Downloads\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Downloads\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Recent\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\Recent\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Recent\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\84917bc2-d02e-11ee-b7c7-ea6b8212ffd3\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics9" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics9" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD59f9c25531140b51433e397aa78516839
SHA1a3b95b2ddf33f797c7072f40c3bd7475ed541822
SHA256eebbf1835b4f5d41ad5037835164630ad0da323ecd714059e0b987e27709b93e
SHA512e2fb885f80abf2230f52fbd64dd67f082c4cb1362ac8ebc25c96d637a2407b84ad4c3e312742bb6409968ef40d99935b2793803b3f8c943624327f6c4e096d93
-
Filesize
234B
MD5997e755e20d49d06d4c16d4f69e10784
SHA1a149db9f5cb73b14f9bd60b080a78fc279616b28
SHA256d49a2de3f6c70181c42898201a9c6fc427d8e3e75b45e70fc08ac1724b3d4f7d
SHA512eb477dd236877fc79da5f826117b11a17322abc29d5f5d3552c5c624af5d6025bf54ba8f51d7f73cd59086ed105c323866de6a7929115254b8f0c7dfef905111
-
Filesize
1.8MB
MD59c9cfb46f054ba152005a24e4bc13cd0
SHA1894e8cce959ed8d0fccfefa585891f5fd85c6aeb
SHA256105661772dbcadfa0e07c1d790efb26adce0e54d33ecb6bee0e42ae201eecef1
SHA5123923648a5708f884150318bb5ee9f4df2713bd826b85861bbf2cf1026487ab8b1d5668e361081493ab4cd8b3ede7b7cf9bd173dc7b72eaf95c4082b20aad98a4
-
Filesize
369B
MD5e8eb652a53aa4ca8b5fa2c826aededeb
SHA1c57b622e1435b3e25e872416c78fa3c4421ee012
SHA256e26c92c65129475b22cc9bc3dab758a3f5a87cd8893e8907278ed122252f78fb
SHA5129fad7bf8270feb9776e009682907d459d6884749c168ec5b5d7b441bdc5a00718f030c078a26bc050f358927c2c31d2aa60e31aa69c7cacb975b47011efad6af
-
Filesize
235B
MD59eb425b515c1ac1bbd8ab191a628a73d
SHA1a3bfe3c5b71d756c08dd6aea3aa9ab6aa1e5ddab
SHA25637b8425ca82440b74fdd022f6ee673e041c34d67779eb346fd937a910f5988cc
SHA512cacc2ddba84f7689e76c088c3bbf494824f904533d1142f38fe710a1231d745fa4fbabf20c5abfd0547734c8c6cdbf860349fdc721f7474758e27af466bb7035
-
Filesize
1KB
MD5984924caf6574026769de34f35c2358e
SHA16dd41e492235d812252231912aa025f47fa7a9e7
SHA2562bf5f65c8161575847113a1b4194625204c6ddce042f9b3432011c31348bb986
SHA5125918fdc8d27ff5421dea1455df93c6cf85738e94c5079701ba7fded59b01bda482b70e2a500ba2c2aebedb6d2b0815d094d9bb271133de738f9e630167f6be46
-
Filesize
1.9MB
-
Filesize
56KB
-
Filesize
9.9MB
-
Filesize
48KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
96KB
-
Filesize
112KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
1.9MB