Analysis Overview
SHA256
32656c10bc36086f55c102ca3aecb8150780ce69a06328cb2dcec9740525fad2
Threat Level: Known bad
The file 9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics was found to be: Known bad.
Malicious Activity Summary
Detect ZGRat V1
AgentTesla
ZGRat
AutoIT Executable
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-10 07:04
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 07:04
Reported
2024-05-10 07:07
Platform
win7-20240508-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
AgentTesla
Detect ZGRat V1
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
ZGRat
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2836 set thread context of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe" |
Network
Files
C:\Users\Admin\AppData\Local\Temp\parachronistic
| Hash | Value |
| --- | --- |
| MD5 | 573d440d12a2bd22c2bb3fe1ff5d0daa |
| SHA1 | b92fb12836fa1392b0e9e7e0616ed26662a13791 |
| SHA256 | 47865b075d506d19953b299ba9d699b53a730af1b11d08b7395cc5097ba3cf2c |
| SHA512 | 30131b0b01517c596a1c66bc6af9e3c259e2d460db922c579a6b3d3300d0106555588afebe130387657eedcb1e1161793659dc150fefd7aa757123bb1ac99184 |
memory/2980-11-0x0000000000810000-0x0000000000814000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hepatoduodenostomy
| Hash | Value |
| --- | --- |
| MD5 | 1c5cb5b277787f3806c4f950c5805db5 |
| SHA1 | bbce2669c95c8ab82a83ce99092c5c57e142f895 |
| SHA256 | 45dbf140b2b749ee3c7a63a9927180a56d6ce228a501af20fb51d0a8c040ab5c |
| SHA512 | d8ead5a566cc403ea797ac2a4cf302a59fc8961fcc4bf37222af998e3fdfeac1e270a874fbebba39194a27ccdf0582495e8af5988f13800f348e23590be050e5 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 07:04
Reported
2024-05-10 07:07
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
AgentTesla
Detect ZGRat V1
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
ZGRat
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1408 set thread context of 3708 | N/A | C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe" |
| C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe | "C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Users\Admin\AppData\Local\Temp\9a2a42528b5f4e10d460a3ff7f0ccb10_NeikiAnalytics.exe" |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\aut4825.tmp
| Hash | Value |
| --- | --- |
| MD5 | 573d440d12a2bd22c2bb3fe1ff5d0daa |
| SHA1 | b92fb12836fa1392b0e9e7e0616ed26662a13791 |
| SHA256 | 47865b075d506d19953b299ba9d699b53a730af1b11d08b7395cc5097ba3cf2c |
| SHA512 | 30131b0b01517c596a1c66bc6af9e3c259e2d460db922c579a6b3d3300d0106555588afebe130387657eedcb1e1161793659dc150fefd7aa757123bb1ac99184 |
memory/1808-12-0x0000000003F60000-0x0000000003F64000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\parachronistic
| Hash | Value |
| --- | --- |
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\hepatoduodenostomy
| Hash | Value |
| --- | --- |
| MD5 | 1c5cb5b277787f3806c4f950c5805db5 |
| SHA1 | bbce2669c95c8ab82a83ce99092c5c57e142f895 |
| SHA256 | 45dbf140b2b749ee3c7a63a9927180a56d6ce228a501af20fb51d0a8c040ab5c |
| SHA512 | d8ead5a566cc403ea797ac2a4cf302a59fc8961fcc4bf37222af998e3fdfeac1e270a874fbebba39194a27ccdf0582495e8af5988f13800f348e23590be050e5 |