zgrat | 6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f

General

Target

7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
Size

1.7MB
MD5

7c12d48df8f08a95701197c514269a50
SHA1

4f99360c54ad2cce0afe14ddb37697f6777795c8
SHA256

6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f
SHA512

37ed65a444ceba50af00e7570856cf3ae275bdbcb2acf6b72e0c3d3a6ba0361f0e1bf93ef1ae7a011dfc670c9840c43d88978c114f9f688bac1eff8f6d83b80d
SSDEEP

24576:YciyxcGgPmGJ5CNvo3h9Uzt/RUr0YOnWiqj+7A/X0Vp6W5GuqSD5bdGjPIT9z:YsgB2yoQ4k/ECW5Gu5xdGjPIT9

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral2/memory/2036-0-0x0000000000780000-0x0000000000932000-memory.dmp	family_zgrat_v1
behavioral2/files/0x0007000000023552-18.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe

Executes dropped EXE 1 IoCs

pid	Process
768	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\Accessories\en-US\wininit.exe	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\56085415360792	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\apppatch\es-ES\sppsvc.exe	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
File created	C:\Windows\apppatch\es-ES\0a1fd5f707cd16	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1232	PING.EXE

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
2036	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
2036	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
2036	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
2036	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
2036	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
2036	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
2036	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
2036	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
2036	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
2036	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
2036	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
2036	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
2036	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
2036	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
2036	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
2036	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
2036	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
2036	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
2036	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
2036	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
2036	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
2036	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
2036	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
2036	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
768	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
768	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
768	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
768	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
768	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
768	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
768	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
768	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
768	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
768	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
768	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
768	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
768	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
768	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
768	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
768	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
768	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
768	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
768	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
768	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
768	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
768	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
Token: SeDebugPrivilege	768	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1624	2036	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe	93
PID 2036 wrote to memory of 1624	2036	7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe	93
PID 1624 wrote to memory of 5044	1624	cmd.exe	95
PID 1624 wrote to memory of 5044	1624	cmd.exe	95
PID 1624 wrote to memory of 1232	1624	cmd.exe	96
PID 1624 wrote to memory of 1232	1624	cmd.exe	96
PID 1624 wrote to memory of 768	1624	cmd.exe	101
PID 1624 wrote to memory of 768	1624	cmd.exe	101

C:\Users\Admin\AppData\Local\Temp\7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FF4TW08Jzh.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:5044
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:1232
- - C:\Recovery\WindowsRE\7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
    "C:\Recovery\WindowsRE\7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1040,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=4316 /prefetch:8
1⤵
PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe.log

Filesize
1KB

MD5
1eff74e45bb1f7104e691358cb209546

SHA1
253b13ffad516cc34704f5b882c6fa36953a953f

SHA256
7ad96be486e6058b19446b95bb734acdaf4addc557b2d059a66ee1acfe19b3fc

SHA512
44163ed001baf697ce66d3b386e13bf5cb94bc24ce6b1ae98665d766d5fcdf0ca28b41ecc26c5f11bbea117ac17099e87f204f9d5469bb102a769548edeead7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FF4TW08Jzh.bat

Filesize
201B

MD5
4697e65d16a42f8595b45b47670027fb

SHA1
00e3c791130efb31d77fc1a5234a0fabde8bc48a

SHA256
5bf856e5eab479d60524d9260d744c10af368ea8c3bb4d6a46c0b206ed5c0bd1

SHA512
96ca4a8a1e5846b5e66fb61c65100f4b8951ab45297be07deb768a4c6e77c2d6ada3c702bfb9a6c8fbc4bdd32618e0c8486de65cffea0c99c2d9777c4dacfe36

Download Submit
C:\Windows\apppatch\es-ES\sppsvc.exe

Filesize
1.7MB

MD5
7c12d48df8f08a95701197c514269a50

SHA1
4f99360c54ad2cce0afe14ddb37697f6777795c8

SHA256
6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f

SHA512
37ed65a444ceba50af00e7570856cf3ae275bdbcb2acf6b72e0c3d3a6ba0361f0e1bf93ef1ae7a011dfc670c9840c43d88978c114f9f688bac1eff8f6d83b80d

Download Submit
memory/768-42-0x00007FFFE5150000-0x00007FFFE5C11000-memory.dmp

Filesize
10.8MB

Download
memory/768-41-0x00007FFFE5150000-0x00007FFFE5C11000-memory.dmp

Filesize
10.8MB

Download
memory/768-40-0x00007FFFE5150000-0x00007FFFE5C11000-memory.dmp

Filesize
10.8MB

Download
memory/768-38-0x000000001BBF0000-0x000000001BBF8000-memory.dmp

Filesize
32KB

Download
memory/768-36-0x00007FFFE5150000-0x00007FFFE5C11000-memory.dmp

Filesize
10.8MB

Download
memory/768-35-0x00007FFFE5150000-0x00007FFFE5C11000-memory.dmp

Filesize
10.8MB

Download
memory/768-34-0x00007FFFE5150000-0x00007FFFE5C11000-memory.dmp

Filesize
10.8MB

Download
memory/2036-6-0x00000000012A0000-0x00000000012BC000-memory.dmp

Filesize
112KB

Download
memory/2036-24-0x00007FFFE5380000-0x00007FFFE5E41000-memory.dmp

Filesize
10.8MB

Download
memory/2036-25-0x00007FFFE5380000-0x00007FFFE5E41000-memory.dmp

Filesize
10.8MB

Download
memory/2036-28-0x00007FFFE5380000-0x00007FFFE5E41000-memory.dmp

Filesize
10.8MB

Download
memory/2036-20-0x00007FFFE5380000-0x00007FFFE5E41000-memory.dmp

Filesize
10.8MB

Download
memory/2036-11-0x00007FFFE5380000-0x00007FFFE5E41000-memory.dmp

Filesize
10.8MB

Download
memory/2036-8-0x00007FFFE5380000-0x00007FFFE5E41000-memory.dmp

Filesize
10.8MB

Download
memory/2036-7-0x0000000002C10000-0x0000000002C60000-memory.dmp

Filesize
320KB

Download
memory/2036-1-0x00007FFFE5383000-0x00007FFFE5385000-memory.dmp

Filesize
8KB

Download
memory/2036-4-0x00007FFFE5380000-0x00007FFFE5E41000-memory.dmp

Filesize
10.8MB

Download
memory/2036-3-0x00007FFFE5380000-0x00007FFFE5E41000-memory.dmp

Filesize
10.8MB

Download
memory/2036-2-0x00007FFFE5380000-0x00007FFFE5E41000-memory.dmp

Filesize
10.8MB

Download
memory/2036-0-0x0000000000780000-0x0000000000932000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing