Overview

overview

10

Static

static

10

75da1def0c...cs.exe

windows7-x64

10

75da1def0c...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-05-2024 03:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe

  • Size

    2.0MB

  • MD5

    75da1def0cb2b50f387441c2ebed4120

  • SHA1

    7eca930b9afe2bf57ab9a3e546cc9969d4e5dce7

  • SHA256

    2edf5f9fc75dc5cc293db94f337b66524386b0a4d1fd6e56f3d7ad30963cc790

  • SHA512

    adc14364c6e6d614f2a92b7094cced4ca247f96a27844c6601b3f2519de72d3215bb3335eae095363dd82edc2a3ff31b631c61df272c8cf023f72f8bcce737e1

  • SSDEEP

    49152:3XVUwwcIuRR61tCoC6Kof/qLvwATSUhlTovO5rb:3XVUwDjR6+oNwo05cO5

Score
10/10
zgratratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 2 IoCs
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:224
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Du3MCIuGRH.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5028
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:640
        • C:\Windows\system32\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          3⤵
            PID:1068
          • C:\Recovery\WindowsRE\sppsvc.exe
            "C:\Recovery\WindowsRE\sppsvc.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:3632
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\SKB\LanguageModels\explorer.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3560
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1072
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\SKB\LanguageModels\explorer.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2152
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2620
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2960
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2808
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3820
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2656
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4880
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\ja-JP\sppsvc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4132
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ja-JP\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4516
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\ja-JP\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2180
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics7" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:464
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics" /sc ONLOGON /tr "'C:\Users\Admin\75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2000
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics7" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4404
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics7" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3360
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1208
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics7" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\75da1def0cb2b50f387441c2ebed4120_NeikiAnalytics.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:780

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Du3MCIuGRH.bat
        Filesize

        208B

        MD5

        6858fe63737cddb1fc59417402992859

        SHA1

        041ec4f74cbd6b4c4ca4e654dc418eb1417e31ca

        SHA256

        93bf640ac6410582832e8714ce15c73fd5ceb5e5f2f5c1343b0a356a585df6d1

        SHA512

        ee2a0f3fe90aa1303426118dd48dcb323db68c1ea164324436df8b0b38a62a639325a7eb47243f870c0fe84bab2fac864874a71a6fe4557a5faf49422de82e07

        Download Submit

      • C:\Windows\SKB\LanguageModels\explorer.exe
        Filesize

        2.0MB

        MD5

        75da1def0cb2b50f387441c2ebed4120

        SHA1

        7eca930b9afe2bf57ab9a3e546cc9969d4e5dce7

        SHA256

        2edf5f9fc75dc5cc293db94f337b66524386b0a4d1fd6e56f3d7ad30963cc790

        SHA512

        adc14364c6e6d614f2a92b7094cced4ca247f96a27844c6601b3f2519de72d3215bb3335eae095363dd82edc2a3ff31b631c61df272c8cf023f72f8bcce737e1

        Download Submit

      • memory/224-7-0x00007FFB278C0000-0x00007FFB28381000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/224-4-0x00007FFB278C0000-0x00007FFB28381000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/224-16-0x00007FFB278C0000-0x00007FFB28381000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/224-6-0x000000001B650000-0x000000001B65E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/224-0-0x00007FFB278C3000-0x00007FFB278C5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/224-12-0x00007FFB278C0000-0x00007FFB28381000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/224-11-0x000000001BC90000-0x000000001BCE0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/224-15-0x00007FFB278C0000-0x00007FFB28381000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/224-18-0x000000001B810000-0x000000001B828000-memory.dmp

        Filesize

        96KB

        Download

      • memory/224-10-0x00007FFB278C0000-0x00007FFB28381000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/224-1-0x0000000000990000-0x0000000000B98000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/224-3-0x00007FFB278C0000-0x00007FFB28381000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/224-14-0x000000001B6A0000-0x000000001B6B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/224-20-0x000000001B6B0000-0x000000001B6BE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/224-22-0x000000001BC40000-0x000000001BC58000-memory.dmp

        Filesize

        96KB

        Download

      • memory/224-24-0x000000001B7F0000-0x000000001B7FC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/224-2-0x00007FFB278C0000-0x00007FFB28381000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/224-36-0x00007FFB278C0000-0x00007FFB28381000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/224-40-0x00007FFB278C0000-0x00007FFB28381000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/224-44-0x00007FFB278C0000-0x00007FFB28381000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/224-43-0x00007FFB278C0000-0x00007FFB28381000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/224-9-0x000000001B7D0000-0x000000001B7EC000-memory.dmp

        Filesize

        112KB

        Download