zgrat | 2b490a23a834a6bf642c63f2307218042efca27baf0d3f3ebff812a6473a1da2

Analysis

max time kernel
130s
max time network
148s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
14-05-2024 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Size

2.0MB
MD5

487178eeecd2d1285e86aa36f01d9ec0
SHA1

6e010a746f7cc2b2c705a2ed27d67ca4e9c7860f
SHA256

2b490a23a834a6bf642c63f2307218042efca27baf0d3f3ebff812a6473a1da2
SHA512

8b1c5f8debedc6c677847d1de97bb21729b24dda7e1a8ee6893e2f2efb4969ad7023af6017829516980951368025ee1bffae24476d237d062a7b8bf344c3af80
SSDEEP

24576:5wImKMglogGImH6sZZ1cyqP+dMqeeX1WiNZWlsynbMj8q5npWL2W1syhKlykVwd8:CX7ZZZWyqLeXYUZWlRMzzWqyKsuH

Score

10^/10

zgrat persistence rat

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral1/memory/352-1-0x0000000001070000-0x0000000001276000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0006000000015cd9-30.dat	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\audiodg.exe\""	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\audiodg.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\spoolsv.exe\""	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\audiodg.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\spoolsv.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\dwm.exe\""	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\audiodg.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\spoolsv.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\dwm.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\spoolsv.exe\""	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe\", \"C:\\Users\\Public\\Pictures\\Sample Pictures\\audiodg.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\spoolsv.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\dwm.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\spoolsv.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe\""	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe\""	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2700	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2700	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2700	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2700	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	2700	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2700	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2700	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2700	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2700	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2700	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2700	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2700	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2700	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2700	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	2700	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2700	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2700	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2700	schtasks.exe	28

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\Public\\Pictures\\Sample Pictures\\audiodg.exe\""	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\spoolsv.exe\""	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\dwm.exe\""	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\spoolsv.exe\""	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\spoolsv.exe\""	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe\""	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe\""	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics = "\"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe\""	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics = "\"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe\""	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\Public\\Pictures\\Sample Pictures\\audiodg.exe\""	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\spoolsv.exe\""	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\dwm.exe\""	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC854111B96789416B998092B899BF357B.TMP	csc.exe
File created	\??\c:\Windows\System32\oin92z.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\f3b6ecef712a24	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2748	schtasks.exe
1672	schtasks.exe
2608	schtasks.exe
328	schtasks.exe
1588	schtasks.exe
1984	schtasks.exe
816	schtasks.exe
2200	schtasks.exe
2120	schtasks.exe
1708	schtasks.exe
2336	schtasks.exe
1520	schtasks.exe
2032	schtasks.exe
2472	schtasks.exe
2656	schtasks.exe
2512	schtasks.exe
2784	schtasks.exe
1668	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1272	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
800	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Token: SeDebugPrivilege	800	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 352 wrote to memory of 2500	352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe	32
PID 352 wrote to memory of 2500	352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe	32
PID 352 wrote to memory of 2500	352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe	32
PID 2500 wrote to memory of 2508	2500	csc.exe	34
PID 2500 wrote to memory of 2508	2500	csc.exe	34
PID 2500 wrote to memory of 2508	2500	csc.exe	34
PID 352 wrote to memory of 2080	352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe	50
PID 352 wrote to memory of 2080	352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe	50
PID 352 wrote to memory of 2080	352	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe	50
PID 2080 wrote to memory of 1320	2080	cmd.exe	52
PID 2080 wrote to memory of 1320	2080	cmd.exe	52
PID 2080 wrote to memory of 1320	2080	cmd.exe	52
PID 2080 wrote to memory of 1272	2080	cmd.exe	53
PID 2080 wrote to memory of 1272	2080	cmd.exe	53
PID 2080 wrote to memory of 1272	2080	cmd.exe	53
PID 2080 wrote to memory of 800	2080	cmd.exe	54
PID 2080 wrote to memory of 800	2080	cmd.exe	54
PID 2080 wrote to memory of 800	2080	cmd.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:352
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ptncbvsz\ptncbvsz.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1803.tmp" "c:\Windows\System32\CSC854111B96789416B998092B899BF357B.TMP"
    3⤵
    PID:2508
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BnfI8W6ayq.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1320
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:1272
- - C:\Users\Admin\AppData\Local\Temp\487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics4" /sc MINUTE /mo 12 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics4" /sc MINUTE /mo 12 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\Sample Pictures\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\Sample Pictures\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics4" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics4" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe

Filesize
2.0MB

MD5
487178eeecd2d1285e86aa36f01d9ec0

SHA1
6e010a746f7cc2b2c705a2ed27d67ca4e9c7860f

SHA256
2b490a23a834a6bf642c63f2307218042efca27baf0d3f3ebff812a6473a1da2

SHA512
8b1c5f8debedc6c677847d1de97bb21729b24dda7e1a8ee6893e2f2efb4969ad7023af6017829516980951368025ee1bffae24476d237d062a7b8bf344c3af80

Download Submit
C:\Users\Admin\AppData\Local\Temp\BnfI8W6ayq.bat

Filesize
213B

MD5
4ccad5c75a0855bf00ec388580c7a7d9

SHA1
cc38fc3d975e6186bf9b6331f0d75932a3f8b54e

SHA256
ea63016eca7aa333244f836751d86d78a0e4f826d6f58ca87ccc064b1d0ee96e

SHA512
f27df2622e8fe454f89976a68718f1c8ac4d5b83c4a882ec9e3b4f90859c7572581b74f97ed11722444b7e36b9cfef97db464859d11b84bb23c7ca8dbd87ac4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1803.tmp

Filesize
1KB

MD5
344f7f6baf9c394386555313bd0c98ea

SHA1
a10be2c47a74eb777610b83ce0947f4e7374ee05

SHA256
a7d71b17e029070e39f9db0fd1b30b3e77185ce4b2aecb1dcc2d7d7f23e4a5d4

SHA512
70287aa8e1788c6274750c661b17bc43e9e6cf3d00a20ec225872120fc6626ce45662a64e035cd20e715ba7da1abbd0112e9b40aea6135a81b24b356dead33a2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ptncbvsz\ptncbvsz.0.cs

Filesize
432B

MD5
28c01a8638ed83bc18b6380743481736

SHA1
c1c456a1d0dbdade483ef344c56aac53a0613368

SHA256
766652481aec3d11146de5bee9ebc078b1cb6042d7a8a7808a25cd8e12c6ca88

SHA512
f46be7e932caf33c99597eda7dbfb050c58589f8b8bd5db6fb0524763319e280286f11998306cc4045fe13ba630c2ba38547d03573c54acfc9de34b3faf33feb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ptncbvsz\ptncbvsz.cmdline

Filesize
235B

MD5
37c2de73b37737dd36e8f2485e1e37de

SHA1
91c2e527da2b9fa3d21539beaaca0ef7a9e8a6c9

SHA256
ed1dc78be2fd67ebdecd13c8684ab5442e6235f80b6835a0a6c9a0b2d9a4bc3d

SHA512
8d92a05bcfad08608ef69daf1a6a7f4c2a2721514c89f96e552fcd43c4e29a0f4afd0fec2a3118f05aeabcf383fe70b2df833168a3df5b1b68b4175e382c003e

Download Submit
\??\c:\Windows\System32\CSC854111B96789416B998092B899BF357B.TMP

Filesize
1KB

MD5
1c0f7844f7e250162f11df610012cc1f

SHA1
2ee0b2ac51be783b0d196868edc6a1fe7a0af068

SHA256
988d255e5988f6b4de58f1eb852279c5974974d18d47af4dccb89cacff4cc020

SHA512
3b323f3a51f44e5dc73f7f54cecb39de91fdb6ea64965fb2e84764297e2856e86c9751c71bb5d549f322547c9b383a13f16775d32e8c9333a66a11739d5e3f6d

Download Submit
memory/352-15-0x00000000005B0000-0x00000000005C8000-memory.dmp

Filesize
96KB

Download
memory/352-21-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/352-9-0x0000000000300000-0x000000000030E000-memory.dmp

Filesize
56KB

Download
memory/352-12-0x0000000000590000-0x00000000005AC000-memory.dmp

Filesize
112KB

Download
memory/352-0-0x000007FEF5283000-0x000007FEF5284000-memory.dmp

Filesize
4KB

Download
memory/352-13-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/352-17-0x0000000000310000-0x000000000031E000-memory.dmp

Filesize
56KB

Download
memory/352-18-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/352-20-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/352-10-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/352-7-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/352-6-0x0000000000320000-0x0000000000346000-memory.dmp

Filesize
152KB

Download
memory/352-4-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/352-49-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/352-3-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/352-2-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/352-1-0x0000000001070000-0x0000000001276000-memory.dmp

Filesize
2.0MB

Download