Overview

overview

10

Static

static

10

7c12d48df8...cs.exe

windows7-x64

10

7c12d48df8...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-05-2024 04:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe

  • Size

    1.7MB

  • MD5

    7c12d48df8f08a95701197c514269a50

  • SHA1

    4f99360c54ad2cce0afe14ddb37697f6777795c8

  • SHA256

    6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f

  • SHA512

    37ed65a444ceba50af00e7570856cf3ae275bdbcb2acf6b72e0c3d3a6ba0361f0e1bf93ef1ae7a011dfc670c9840c43d88978c114f9f688bac1eff8f6d83b80d

  • SSDEEP

    24576:YciyxcGgPmGJ5CNvo3h9Uzt/RUr0YOnWiqj+7A/X0Vp6W5GuqSD5bdGjPIT9z:YsgB2yoQ4k/ECW5Gu5xdGjPIT9

Score
10/10
zgratrat

Malware Config

Signatures

  • Detect ZGRat V1 2 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 45 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FF4TW08Jzh.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1624
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:5044
        • C:\Windows\system32\PING.EXE
          ping -n 10 localhost
          3⤵
          • Runs ping.exe
          PID:1232
        • C:\Recovery\WindowsRE\7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe
          "C:\Recovery\WindowsRE\7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          PID:768
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1040,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=4316 /prefetch:8
      1⤵
        PID:4736

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      2
      T1082

      Remote System Discovery

      1
      T1018

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\7c12d48df8f08a95701197c514269a50_NeikiAnalytics.exe.log
        Filesize

        1KB

        MD5

        1eff74e45bb1f7104e691358cb209546

        SHA1

        253b13ffad516cc34704f5b882c6fa36953a953f

        SHA256

        7ad96be486e6058b19446b95bb734acdaf4addc557b2d059a66ee1acfe19b3fc

        SHA512

        44163ed001baf697ce66d3b386e13bf5cb94bc24ce6b1ae98665d766d5fcdf0ca28b41ecc26c5f11bbea117ac17099e87f204f9d5469bb102a769548edeead7e

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\FF4TW08Jzh.bat
        Filesize

        201B

        MD5

        4697e65d16a42f8595b45b47670027fb

        SHA1

        00e3c791130efb31d77fc1a5234a0fabde8bc48a

        SHA256

        5bf856e5eab479d60524d9260d744c10af368ea8c3bb4d6a46c0b206ed5c0bd1

        SHA512

        96ca4a8a1e5846b5e66fb61c65100f4b8951ab45297be07deb768a4c6e77c2d6ada3c702bfb9a6c8fbc4bdd32618e0c8486de65cffea0c99c2d9777c4dacfe36

        Download Submit
      • C:\Windows\apppatch\es-ES\sppsvc.exe
        Filesize

        1.7MB

        MD5

        7c12d48df8f08a95701197c514269a50

        SHA1

        4f99360c54ad2cce0afe14ddb37697f6777795c8

        SHA256

        6ef54df3017339537b7649647096dcbc2b9fefea5b49776d8c80c38726b3698f

        SHA512

        37ed65a444ceba50af00e7570856cf3ae275bdbcb2acf6b72e0c3d3a6ba0361f0e1bf93ef1ae7a011dfc670c9840c43d88978c114f9f688bac1eff8f6d83b80d

        Download Submit
      • memory/768-42-0x00007FFFE5150000-0x00007FFFE5C11000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/768-41-0x00007FFFE5150000-0x00007FFFE5C11000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/768-40-0x00007FFFE5150000-0x00007FFFE5C11000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/768-38-0x000000001BBF0000-0x000000001BBF8000-memory.dmp
        Filesize

        32KB

        Download
      • memory/768-36-0x00007FFFE5150000-0x00007FFFE5C11000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/768-35-0x00007FFFE5150000-0x00007FFFE5C11000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/768-34-0x00007FFFE5150000-0x00007FFFE5C11000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/2036-6-0x00000000012A0000-0x00000000012BC000-memory.dmp
        Filesize

        112KB

        Download
      • memory/2036-24-0x00007FFFE5380000-0x00007FFFE5E41000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/2036-25-0x00007FFFE5380000-0x00007FFFE5E41000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/2036-28-0x00007FFFE5380000-0x00007FFFE5E41000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/2036-20-0x00007FFFE5380000-0x00007FFFE5E41000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/2036-11-0x00007FFFE5380000-0x00007FFFE5E41000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/2036-8-0x00007FFFE5380000-0x00007FFFE5E41000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/2036-7-0x0000000002C10000-0x0000000002C60000-memory.dmp
        Filesize

        320KB

        Download
      • memory/2036-1-0x00007FFFE5383000-0x00007FFFE5385000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2036-4-0x00007FFFE5380000-0x00007FFFE5E41000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/2036-3-0x00007FFFE5380000-0x00007FFFE5E41000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/2036-2-0x00007FFFE5380000-0x00007FFFE5E41000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/2036-0-0x0000000000780000-0x0000000000932000-memory.dmp
        Filesize

        1.7MB

        Download