zgrat | 2b490a23a834a6bf642c63f2307218042efca27baf0d3f3ebff812a6473a1da2

General

Target

487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Size

2.0MB
MD5

487178eeecd2d1285e86aa36f01d9ec0
SHA1

6e010a746f7cc2b2c705a2ed27d67ca4e9c7860f
SHA256

2b490a23a834a6bf642c63f2307218042efca27baf0d3f3ebff812a6473a1da2
SHA512

8b1c5f8debedc6c677847d1de97bb21729b24dda7e1a8ee6893e2f2efb4969ad7023af6017829516980951368025ee1bffae24476d237d062a7b8bf344c3af80
SSDEEP

24576:5wImKMglogGImH6sZZ1cyqP+dMqeeX1WiNZWlsynbMj8q5npWL2W1syhKlykVwd8:CX7ZZZWyqLeXYUZWlRMzzWqyKsuH

Score

10^/10

zgrat persistence rat

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3868-1-0x0000000000D10000-0x0000000000F16000-memory.dmp	family_zgrat_v1
C:\Recovery\WindowsRE\csrss.exe	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\""	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\""	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\explorer.exe\""	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\explorer.exe\", \"C:\\Windows\\IdentityCRL\\INT\\OfficeClickToRun.exe\""	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\explorer.exe\", \"C:\\Windows\\IdentityCRL\\INT\\OfficeClickToRun.exe\", \"C:\\Users\\All Users\\Application Data\\sihost.exe\""	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\explorer.exe\", \"C:\\Windows\\IdentityCRL\\INT\\OfficeClickToRun.exe\", \"C:\\Users\\All Users\\Application Data\\sihost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe\""	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	460	384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3148	384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3100	384	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	384	schtasks.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

Processes:

sihost.exe

pid process

2864 sihost.exe

pid	process
2864	sihost.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe\""	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Windows\\IdentityCRL\\INT\\OfficeClickToRun.exe\""	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Windows\\IdentityCRL\\INT\\OfficeClickToRun.exe\""	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Users\\All Users\\Application Data\\sihost.exe\""	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Users\\All Users\\Application Data\\sihost.exe\""	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe\""	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Windows Media Player\\explorer.exe\""	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\WindowsRE\\winlogon.exe\""	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\WindowsRE\\winlogon.exe\""	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Windows Media Player\\explorer.exe\""	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	process
File created	\??\c:\Windows\System32\CSC48CA2ABAC5A545DA84F0A6253E983A16.TMP	csc.exe
File created	\??\c:\Windows\System32\7wv1lf.exe	csc.exe

Drops file in Program Files directory 2 IoCs

Processes:

487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Media Player\explorer.exe	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
File created	C:\Program Files (x86)\Windows Media Player\7a0fd90576e088	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

Processes:

487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\IdentityCRL\INT\e6c9b481da804f	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
File created	C:\Windows\IdentityCRL\INT\OfficeClickToRun.exe	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1352	schtasks.exe
732	schtasks.exe
1836	schtasks.exe
3148	schtasks.exe
1916	schtasks.exe
1192	schtasks.exe
3100	schtasks.exe
460	schtasks.exe
2476	schtasks.exe
2272	schtasks.exe
2852	schtasks.exe
4672	schtasks.exe
1860	schtasks.exe
3720	schtasks.exe
2508	schtasks.exe
4944	schtasks.exe
116	schtasks.exe
1480	schtasks.exe

Modifies registry class 1 IoCs

Processes:

487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2016 PING.EXE

pid	process
2016	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe

pid	process
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

sihost.exe

pid process

2864 sihost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exesihost.exe

description pid process

Token: SeDebugPrivilege 3868 487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Token: SeDebugPrivilege 2864 sihost.exe

pid	process
2864	sihost.exe

description	pid	process
Token: SeDebugPrivilege	3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
Token: SeDebugPrivilege	2864	sihost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.execsc.execmd.exe

description	pid	process	target process
PID 3868 wrote to memory of 4460	3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe	csc.exe
PID 3868 wrote to memory of 4460	3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe	csc.exe
PID 4460 wrote to memory of 2964	4460	csc.exe	cvtres.exe
PID 4460 wrote to memory of 2964	4460	csc.exe	cvtres.exe
PID 3868 wrote to memory of 3320	3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe	cmd.exe
PID 3868 wrote to memory of 3320	3868	487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe	cmd.exe
PID 3320 wrote to memory of 1904	3320	cmd.exe	chcp.com
PID 3320 wrote to memory of 1904	3320	cmd.exe	chcp.com
PID 3320 wrote to memory of 2016	3320	cmd.exe	PING.EXE
PID 3320 wrote to memory of 2016	3320	cmd.exe	PING.EXE
PID 3320 wrote to memory of 2864	3320	cmd.exe	sihost.exe
PID 3320 wrote to memory of 2864	3320	cmd.exe	sihost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0vzs0wk2\0vzs0wk2.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7223.tmp" "c:\Windows\System32\CSC48CA2ABAC5A545DA84F0A6253E983A16.TMP"
    3⤵
    PID:2964
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jYEx0Yku5Y.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1904
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:2016
- - C:\Users\All Users\Application Data\sihost.exe
    "C:\Users\All Users\Application Data\sihost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Windows\IdentityCRL\INT\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\INT\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Windows\IdentityCRL\INT\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Application Data\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Application Data\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics4" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics4" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\487178eeecd2d1285e86aa36f01d9ec0_NeikiAnalytics.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

Scheduled Task/Job

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\csrss.exe

Filesize
2.0MB

MD5
487178eeecd2d1285e86aa36f01d9ec0

SHA1
6e010a746f7cc2b2c705a2ed27d67ca4e9c7860f

SHA256
2b490a23a834a6bf642c63f2307218042efca27baf0d3f3ebff812a6473a1da2

SHA512
8b1c5f8debedc6c677847d1de97bb21729b24dda7e1a8ee6893e2f2efb4969ad7023af6017829516980951368025ee1bffae24476d237d062a7b8bf344c3af80

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7223.tmp

Filesize
1KB

MD5
21073683ea0c8102ce4a800d6c409056

SHA1
f00a8ff8cbaf641f363bef13562c65e90660e48f

SHA256
d5f0088dcee23d39ad8274b6ed656b8ab2941be624759084942245ecb52d7a45

SHA512
49c6fdc60a22e26eecc0e7036570aeef92eba880d4a9e7449266a1769310aee158608abc7017c932ea87ff2adb729fdfdc1b043c05a2794b9ac0ef75a0db67ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\jYEx0Yku5Y.bat

Filesize
174B

MD5
096bb0051be3981c8ac904d61cc72e2a

SHA1
8863d4921c1ed10c4756122ad9ab065c606faf2e

SHA256
f509bf2f1e62b744a0873c2be23da6e1bfa450f3d630a0cce648f5205c90054d

SHA512
73253601e59478f256d8a049c97f812cd690a84669b0c86047132a620e4ca6108fadede11d0475898af078f820d28c4c921481bc3c564f837fa8bb6c80e590b7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0vzs0wk2\0vzs0wk2.0.cs

Filesize
363B

MD5
928be18f83e68b4d88ce7dc7dd911137

SHA1
71237957cf388bbb0a937d48d69bde2c3c79b0da

SHA256
7fb31795410a3b97c280897508b85a94084b7948082f5d440e2fcdb9c0d8cb5e

SHA512
093783801c81bb3a6ac5c4fc8903653923ccdab2d233d1df28873cfd5ca5a5a939dc998232c98205561153142fccc0d670f2051b09ed6b3c197e23474b6d7e3f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0vzs0wk2\0vzs0wk2.cmdline

Filesize
235B

MD5
787dfbd78a196153037c322a146aecd6

SHA1
47849a4ef6141227a6c68a1b4d4b371b61eecb19

SHA256
01a97ad5c3f6425c6bad6f5aceae9f4f8fc36ef08c77ccb6eac5eaebdf1c093f

SHA512
9acb4580f269e88a74d8562525d9652d882e16354fe6f3a1dd25cc93cbef0844d8f9230cb44d50fb404198f529446923a5735baa4eda60003b31d649cdd62070

Download Submit
\??\c:\Windows\System32\CSC48CA2ABAC5A545DA84F0A6253E983A16.TMP

Filesize
1KB

MD5
af7c030393a1aa241dbd66ac9c612687

SHA1
7700f60d2b4b2730d78f792fd920a19f2df08853

SHA256
f7577c92c7a0e06a106d26fe5e9953f1db17612e65844fa4d1098ea7151bfdb3

SHA512
aefb89b99596423c7b732165d02f8a020eeecec7cea2bc6ee29966a39e739775f7f7f151bef74b4b83742d3b5ada120d4a9ad65738887b3bf5481afa4ee58d67

Download Submit
memory/3868-12-0x00000000030A0000-0x00000000030BC000-memory.dmp

Filesize
112KB

Download
memory/3868-31-0x00007FFD7D5F0000-0x00007FFD7E0B1000-memory.dmp

Filesize
10.8MB

Download
memory/3868-17-0x0000000001710000-0x000000000171E000-memory.dmp

Filesize
56KB

Download
memory/3868-18-0x00007FFD7D5F0000-0x00007FFD7E0B1000-memory.dmp

Filesize
10.8MB

Download
memory/3868-15-0x000000001BAB0000-0x000000001BAC8000-memory.dmp

Filesize
96KB

Download
memory/3868-13-0x000000001BB50000-0x000000001BBA0000-memory.dmp

Filesize
320KB

Download
memory/3868-1-0x0000000000D10000-0x0000000000F16000-memory.dmp

Filesize
2.0MB

Download
memory/3868-9-0x00000000016F0000-0x00000000016FE000-memory.dmp

Filesize
56KB

Download
memory/3868-20-0x00007FFD7D5F0000-0x00007FFD7E0B1000-memory.dmp

Filesize
10.8MB

Download
memory/3868-10-0x00007FFD7D5F0000-0x00007FFD7E0B1000-memory.dmp

Filesize
10.8MB

Download
memory/3868-7-0x00007FFD7D5F0000-0x00007FFD7E0B1000-memory.dmp

Filesize
10.8MB

Download
memory/3868-32-0x00007FFD7D5F0000-0x00007FFD7E0B1000-memory.dmp

Filesize
10.8MB

Download
memory/3868-33-0x00007FFD7D5F0000-0x00007FFD7E0B1000-memory.dmp

Filesize
10.8MB

Download
memory/3868-34-0x00007FFD7D5F0000-0x00007FFD7E0B1000-memory.dmp

Filesize
10.8MB

Download
memory/3868-6-0x0000000003070000-0x0000000003096000-memory.dmp

Filesize
152KB

Download
memory/3868-4-0x00007FFD7D5F0000-0x00007FFD7E0B1000-memory.dmp

Filesize
10.8MB

Download
memory/3868-3-0x00007FFD7D5F0000-0x00007FFD7E0B1000-memory.dmp

Filesize
10.8MB

Download
memory/3868-2-0x00007FFD7D5F0000-0x00007FFD7E0B1000-memory.dmp

Filesize
10.8MB

Download
memory/3868-53-0x00007FFD7D5F0000-0x00007FFD7E0B1000-memory.dmp

Filesize
10.8MB

Download
memory/3868-0-0x00007FFD7D5F3000-0x00007FFD7D5F5000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads