zgrat | 105661772dbcadfa0e07c1d790efb26adce0e54d33ecb6bee0e42ae201eecef1

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
Size

1.8MB
MD5

9c9cfb46f054ba152005a24e4bc13cd0
SHA1

894e8cce959ed8d0fccfefa585891f5fd85c6aeb
SHA256

105661772dbcadfa0e07c1d790efb26adce0e54d33ecb6bee0e42ae201eecef1
SHA512

3923648a5708f884150318bb5ee9f4df2713bd826b85861bbf2cf1026487ab8b1d5668e361081493ab4cd8b3ede7b7cf9bd173dc7b72eaf95c4082b20aad98a4
SSDEEP

24576:P+ss0unD9Gm7yQGbSMZ6/YnFAHZ5r24ZPW5HuehnP2uC/X2nLU:PM5H78bSEnmxZ+Juehnc/2

Score

10^/10

zgrat persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral2/memory/4912-1-0x00000000007F0000-0x00000000009CA000-memory.dmp	family_zgrat_v1
behavioral2/files/0x0007000000023431-27.dat	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Windows\\Provisioning\\Autopilot\\csrss.exe\", \"C:\\Users\\Default User\\OfficeClickToRun.exe\""	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Windows\\Provisioning\\Autopilot\\csrss.exe\", \"C:\\Users\\Default User\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\""	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Windows\\Provisioning\\Autopilot\\csrss.exe\", \"C:\\Users\\Default User\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\RuntimeBroker.exe\""	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Windows\\Provisioning\\Autopilot\\csrss.exe\", \"C:\\Users\\Default User\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe\""	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\""	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\sppsvc.exe\", \"C:\\Windows\\Provisioning\\Autopilot\\csrss.exe\""	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	1404	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3784	1404	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	1404	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	1404	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	1404	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3612	1404	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	1404	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	1404	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	1404	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4128	1404	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4084	1404	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	1404	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	1404	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	1404	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	1404	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	1404	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	1404	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3084	1404	schtasks.exe	85

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
2972	RuntimeBroker.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default User\\sppsvc.exe\""	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Users\\Default User\\OfficeClickToRun.exe\""	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Microsoft Office 15\\ClientX64\\RuntimeBroker.exe\""	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default User\\sppsvc.exe\""	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Provisioning\\Autopilot\\csrss.exe\""	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Users\\Default User\\OfficeClickToRun.exe\""	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Microsoft Office 15\\ClientX64\\RuntimeBroker.exe\""	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe\""	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe\""	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Provisioning\\Autopilot\\csrss.exe\""	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\iehhk_.exe	csc.exe
File created	\??\c:\Windows\System32\CSC4675A77895C348E6B02ECABC90B5CD34.TMP	csc.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\9e8d7a4ca61bd9	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Provisioning\Autopilot\csrss.exe	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
File created	C:\Windows\Provisioning\Autopilot\886983d96e3d3e	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2328	schtasks.exe
1788	schtasks.exe
2568	schtasks.exe
5044	schtasks.exe
2716	schtasks.exe
4828	schtasks.exe
3612	schtasks.exe
3784	schtasks.exe
232	schtasks.exe
528	schtasks.exe
4616	schtasks.exe
228	schtasks.exe
4596	schtasks.exe
3084	schtasks.exe
4880	schtasks.exe
4888	schtasks.exe
4128	schtasks.exe
4084	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4684	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2972	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
Token: SeDebugPrivilege	2972	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 2176	4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe	89
PID 4912 wrote to memory of 2176	4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe	89
PID 2176 wrote to memory of 2268	2176	csc.exe	91
PID 2176 wrote to memory of 2268	2176	csc.exe	91
PID 4912 wrote to memory of 4608	4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe	107
PID 4912 wrote to memory of 4608	4912	9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe	107
PID 4608 wrote to memory of 1560	4608	cmd.exe	109
PID 4608 wrote to memory of 1560	4608	cmd.exe	109
PID 4608 wrote to memory of 4684	4608	cmd.exe	110
PID 4608 wrote to memory of 4684	4608	cmd.exe	110
PID 4608 wrote to memory of 2972	4608	cmd.exe	111
PID 4608 wrote to memory of 2972	4608	cmd.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d52yz0tu\d52yz0tu.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES89D1.tmp" "c:\Windows\System32\CSC4675A77895C348E6B02ECABC90B5CD34.TMP"
    3⤵
    PID:2268
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cya3h2BZSK.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1560
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:4684
- - C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe
    "C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Provisioning\Autopilot\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Provisioning\Autopilot\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Provisioning\Autopilot\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics9" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics9" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\9c9cfb46f054ba152005a24e4bc13cd0_NeikiAnalytics.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES89D1.tmp

Filesize
1KB

MD5
1cbbe310f1151aae2d3ab8cd98c8316f

SHA1
1c05e1908d34658e0bce0b7f7b44fd83fc03d87f

SHA256
33340add363e33dc38aa8b8412cad082c67660b08a1d88d69a4b00be53a5f135

SHA512
1329a70727c278651c3afd3807d870496b5ee667b4e1157720616849033908770412a4280ab0cb127cde59ace9a11550c647f7bbbc6fb229922d3cb5045c901e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cya3h2BZSK.bat

Filesize
192B

MD5
7406adf112133dad8452e6d58085edff

SHA1
745c0f162b7baef6ad243371120a8c5cb15f1bbe

SHA256
e5c185ddbdc5544ed43011958821956c771ebef422d3c20870dbce614dc0691d

SHA512
991865af7a172b10020c947026cf1c4cc7e9037934131f867af16cd21ae00c1db7b23a412e2d865a7ce87d3df6aba51e7d94f563321b26d555b8aae7ed5b7d38

Download Submit
C:\Users\Default\sppsvc.exe

Filesize
1.8MB

MD5
9c9cfb46f054ba152005a24e4bc13cd0

SHA1
894e8cce959ed8d0fccfefa585891f5fd85c6aeb

SHA256
105661772dbcadfa0e07c1d790efb26adce0e54d33ecb6bee0e42ae201eecef1

SHA512
3923648a5708f884150318bb5ee9f4df2713bd826b85861bbf2cf1026487ab8b1d5668e361081493ab4cd8b3ede7b7cf9bd173dc7b72eaf95c4082b20aad98a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\d52yz0tu\d52yz0tu.0.cs

Filesize
364B

MD5
2b89f60385e4a7f08bc7d93fa670a32d

SHA1
396e5caa48629eb94642b32566b711e1cff7d861

SHA256
5d56c2bf57820c71c81d45c4ff3807b26fe96a544e22b15552513410ebfaa9a6

SHA512
1f11e75d910df0f74374e1e1ecd0d1b2ad93aad2aa86507d4273a8b7dfebc4340d26cc9a189d0347c5f32c2a5608c96f0e3625b9c7477307493ee6ff0399062d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\d52yz0tu\d52yz0tu.cmdline

Filesize
235B

MD5
2dd34cdb1193d89666a9350260e73ea9

SHA1
9e98ebc1879ec1289b513b42885a19cdbe1eb231

SHA256
5b9d789a552c4bb809784c273c198cd6d6b58febf18567bf061a210870ea26b2

SHA512
0385dfcad2ba278a5b307112fb8b5594438fdf578a193344f32a91d950fee3a77195895f9b87dd85a8e3eab0be0d5ae43e6507b20370ef015da975ad979242f5

Download Submit
\??\c:\Windows\System32\CSC4675A77895C348E6B02ECABC90B5CD34.TMP

Filesize
1KB

MD5
6c8d705f12e071558058fc19e815fe28

SHA1
25c4f0b2bfaff4f8264f6cc36185e4b148c0e0b7

SHA256
9e6e446a2e264c8af311438fc1e8b4456c3b56aa4836ff9448f4385e6b77ca5d

SHA512
9195980872a010dc9c6d7012cd8b6f195dda94b50b19aa2024295e13651af6c9e89e0778d2f2e337ba84bafeb7d6cb5a2fc5ac0e4a94eee1d924ddb177e3e955

Download Submit
memory/2972-59-0x000000001AF60000-0x000000001AF68000-memory.dmp

Filesize
32KB

Download
memory/4912-16-0x00007FFA71590000-0x00007FFA72051000-memory.dmp

Filesize
10.8MB

Download
memory/4912-30-0x00007FFA71590000-0x00007FFA72051000-memory.dmp

Filesize
10.8MB

Download
memory/4912-11-0x00007FFA71590000-0x00007FFA72051000-memory.dmp

Filesize
10.8MB

Download
memory/4912-13-0x0000000002C30000-0x0000000002C48000-memory.dmp

Filesize
96KB

Download
memory/4912-15-0x0000000002AA0000-0x0000000002AAC000-memory.dmp

Filesize
48KB

Download
memory/4912-0-0x00007FFA71593000-0x00007FFA71595000-memory.dmp

Filesize
8KB

Download
memory/4912-17-0x00007FFA71590000-0x00007FFA72051000-memory.dmp

Filesize
10.8MB

Download
memory/4912-9-0x0000000002C10000-0x0000000002C2C000-memory.dmp

Filesize
112KB

Download
memory/4912-29-0x00007FFA71590000-0x00007FFA72051000-memory.dmp

Filesize
10.8MB

Download
memory/4912-10-0x000000001B9D0000-0x000000001BA20000-memory.dmp

Filesize
320KB

Download
memory/4912-31-0x00007FFA71590000-0x00007FFA72051000-memory.dmp

Filesize
10.8MB

Download
memory/4912-32-0x00007FFA71590000-0x00007FFA72051000-memory.dmp

Filesize
10.8MB

Download
memory/4912-7-0x0000000002A90000-0x0000000002A9E000-memory.dmp

Filesize
56KB

Download
memory/4912-5-0x00007FFA71590000-0x00007FFA72051000-memory.dmp

Filesize
10.8MB

Download
memory/4912-4-0x00007FFA71590000-0x00007FFA72051000-memory.dmp

Filesize
10.8MB

Download
memory/4912-3-0x00007FFA71590000-0x00007FFA72051000-memory.dmp

Filesize
10.8MB

Download
memory/4912-50-0x00007FFA71590000-0x00007FFA72051000-memory.dmp

Filesize
10.8MB

Download
memory/4912-2-0x00007FFA71590000-0x00007FFA72051000-memory.dmp

Filesize
10.8MB

Download
memory/4912-1-0x00000000007F0000-0x00000000009CA000-memory.dmp

Filesize
1.9MB

Download