Analysis

  • max time kernel
    142s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/02/2024, 12:54

General

  • Target

    Nzewxakqtk.exe

  • Size

    51KB

  • MD5

    b4bb2848a06f5b7cc4164ac2a701f50a

  • SHA1

    9ad29b0652b419df2840526002f2c9ae483c0f48

  • SHA256

    fb9844ab20cb5995d2fb6df467f1aee283ca0a013b8f330ad39a9ed5e3c7c026

  • SHA512

    9dcec4f9a6a299010abef9557fd7c19e9410ded76dae915136dbb2365787d88fd7c1e712d475d9f6136d1244b9e867c50e767e10d7d4891ea817bf09241d67ba

  • SSDEEP

    768:+3Npy7qykFI0ykvnxdgkib10ufiy1Y274+aAFqnv6WWtXz/nK3/T75Ynn8wfAyfo:+Rm10Zy19faAFc6JB/no/inn8YAyfo

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Detect ZGRat V1 34 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Drops startup file 5 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX, or with a modified build of the open-source UPX packer.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nzewxakqtk.exe
    "C:\Users\Admin\AppData\Local\Temp\Nzewxakqtk.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Users\Admin\AppData\Local\Temp\Nzewxakqtk.exe
      C:\Users\Admin\AppData\Local\Temp\Nzewxakqtk.exe
      2⤵
      • Drops startup file
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2860
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Modifies system certificate store
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2680
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe"
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2388
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:440
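The tree above shows the two behaviours a responder would want to turn into checks: each stage spawns a copy of its own image and then calls WriteProcessMemory and SetThreadContext on that child (the RunPE/process-hollowing pattern behind those two signatures), and the second stage writes into the per-user Startup folder, including an executable whose file name is just `.exe`. The Python below is an added example, not part of this report or of the sandbox's own tooling: it runs both checks over event records constructed to mirror the PIDs and paths in this tree. The record format, and the assumption that each API call carries the PID it targets, are mine and not the sandbox's export format; the PID 1000 record is constructed benign noise.

```python
import ntpath

# Constructed sandbox-style event records mirroring this report's process
# tree. The record shape and the per-call target PID are assumptions, not
# the sandbox's export format.
TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\Nzewxakqtk.exe"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
STARTUP_EXE = STARTUP + r"\.exe"

EVENTS = [
    {"pid": 2232, "type": "process_create", "image": TEMP_EXE, "child_pid": 2860},
    {"pid": 2232, "type": "api", "name": "WriteProcessMemory", "target_pid": 2860},
    {"pid": 2232, "type": "api", "name": "SetThreadContext", "target_pid": 2860},
    {"pid": 2860, "type": "file_write", "path": STARTUP_EXE},
    {"pid": 2860, "type": "file_write", "path": STARTUP + r"\Qwxgibnmmbg.vbs"},
    # 2860 starts a different image and only writes memory: not a self-hollow.
    {"pid": 2860, "type": "process_create", "image": STARTUP_EXE, "child_pid": 2680},
    {"pid": 2860, "type": "api", "name": "WriteProcessMemory", "target_pid": 2680},
    {"pid": 2680, "type": "process_create", "image": STARTUP_EXE, "child_pid": 2388},
    {"pid": 2680, "type": "api", "name": "WriteProcessMemory", "target_pid": 2388},
    {"pid": 2680, "type": "api", "name": "SetThreadContext", "target_pid": 2388},
    # Constructed benign noise: an unrelated process writing outside Startup.
    {"pid": 1000, "type": "file_write", "path": r"C:\Users\Admin\Documents\notes.txt"},
]

# The submitted sample is the root of the tree, so its image is known up front.
ROOT_IMAGES = {2232: TEMP_EXE}


def image_map(events):
    """Map pid -> image path from process_create events plus the known roots."""
    images = dict(ROOT_IMAGES)
    for e in events:
        if e["type"] == "process_create":
            images[e["child_pid"]] = e["image"]
    return images


def find_self_hollowing(events):
    """Return (parent, child) pairs where the parent spawned its own image and
    then both wrote that child's memory and set a thread context in it."""
    images = image_map(events)
    calls = {}  # (caller pid, target pid) -> set of API names seen
    for e in events:
        if e["type"] == "api" and "target_pid" in e:
            calls.setdefault((e["pid"], e["target_pid"]), set()).add(e["name"])
    hits = []
    for e in events:
        if e["type"] != "process_create":
            continue
        parent, child = e["pid"], e["child_pid"]
        if images.get(parent) != e["image"]:
            continue  # child image differs from the parent's: not a self-spawn
        if {"WriteProcessMemory", "SetThreadContext"} <= calls.get((parent, child), set()):
            hits.append((parent, child))
    return hits


# Case-insensitive marker for the per-user Startup folder (any drive or profile).
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"
SCRIPT_EXTS = {"vbs", "js", "bat", "cmd", "ps1", "wsf", "hta"}


def find_startup_drops(events):
    """Return (pid, file name, reason) for every file written into Startup."""
    hits = []
    for e in events:
        if e["type"] != "file_write" or STARTUP_MARKER not in e["path"].lower():
            continue
        name = ntpath.basename(e["path"])
        stem, dot, ext = name.rpartition(".")
        if not dot:
            stem, ext = name, ""
        if stem == "" and ext.lower() == "exe":
            reason = "executable with empty base name"  # '.exe' is easy to miss in a listing
        elif ext.lower() == "exe":
            reason = "executable"
        elif ext.lower() in SCRIPT_EXTS:
            reason = "script"
        else:
            reason = "other"
        hits.append((e["pid"], name, reason))
    return hits


if __name__ == "__main__":
    for parent, child in find_self_hollowing(EVENTS):
        print(f"possible self-hollowing: {parent} -> {child}")
    for pid, name, reason in find_startup_drops(EVENTS):
        print(f"startup drop by {pid}: {name!r} ({reason})")
```

Run as-is, the hollowing check reports 2232 -> 2860 and 2680 -> 2388 but not 2860 -> 2680, which changes image and never calls SetThreadContext; the Startup check reports the empty-basename `.exe` and the `.vbs`. On a real host the same two conditions map to Sysmon event IDs 1 and 11 (process create and file create) plus an EDR API trace for the memory and thread-context calls.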

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Cab543A.tmp

    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\Tar547B.tmp

    Filesize

    171KB

    MD5

    9c0c641c06238516f27941aa1166d427

    SHA1

    64cd549fb8cf014fcd9312aa7a5b023847b6c977

    SHA256

    4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

    SHA512

    936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Qwxgibnmmbg.vbs

    Filesize

    86B

    MD5

    9dc18a9d8ef3f0d6c07eba06f9c8e80b

    SHA1

    4fe54582050c4312ff0e00e0ec80b602ab699fda

    SHA256

    fa46279e4e6020cde19bc4de9e61d12078fb02e9d2ecd8d20ff4e01dc3f17b34

    SHA512

    85591c3de014012087819fcc8c56e343f25928319ba6bc1533e17bb48b45c6554f2622997e149dfd272fbdd9439e13d869c621caee050d6d160cccef9511bdc1

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

    Filesize

    51KB

    MD5

    b4bb2848a06f5b7cc4164ac2a701f50a

    SHA1

    9ad29b0652b419df2840526002f2c9ae483c0f48

    SHA256

    fb9844ab20cb5995d2fb6df467f1aee283ca0a013b8f330ad39a9ed5e3c7c026

    SHA512

    9dcec4f9a6a299010abef9557fd7c19e9410ded76dae915136dbb2365787d88fd7c1e712d475d9f6136d1244b9e867c50e767e10d7d4891ea817bf09241d67ba

  • memory/440-2342-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

  • memory/440-2336-0x00000000000A0000-0x00000000000A1000-memory.dmp

    Filesize

    4KB

  • memory/440-2335-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

  • memory/2232-76-0x0000000005880000-0x000000000596A000-memory.dmp

    Filesize

    936KB

  • memory/2232-84-0x0000000005880000-0x000000000596A000-memory.dmp

    Filesize

    936KB

  • memory/2232-39-0x0000000005880000-0x000000000596A000-memory.dmp

    Filesize

    936KB

  • memory/2232-40-0x0000000005880000-0x000000000596A000-memory.dmp

    Filesize

    936KB

  • memory/2232-42-0x0000000005880000-0x000000000596A000-memory.dmp

    Filesize

    936KB

  • memory/2232-44-0x0000000005880000-0x000000000596A000-memory.dmp

    Filesize

    936KB

  • memory/2232-46-0x0000000005880000-0x000000000596A000-memory.dmp

    Filesize

    936KB

  • memory/2232-48-0x0000000005880000-0x000000000596A000-memory.dmp

    Filesize

    936KB

  • memory/2232-50-0x0000000005880000-0x000000000596A000-memory.dmp

    Filesize

    936KB

  • memory/2232-52-0x0000000005880000-0x000000000596A000-memory.dmp

    Filesize

    936KB

  • memory/2232-54-0x0000000005880000-0x000000000596A000-memory.dmp

    Filesize

    936KB

  • memory/2232-56-0x0000000005880000-0x000000000596A000-memory.dmp

    Filesize

    936KB

  • memory/2232-58-0x0000000005880000-0x000000000596A000-memory.dmp

    Filesize

    936KB

  • memory/2232-60-0x0000000005880000-0x000000000596A000-memory.dmp

    Filesize

    936KB

  • memory/2232-62-0x0000000005880000-0x000000000596A000-memory.dmp

    Filesize

    936KB

  • memory/2232-64-0x0000000005880000-0x000000000596A000-memory.dmp

    Filesize

    936KB

  • memory/2232-66-0x0000000005880000-0x000000000596A000-memory.dmp

    Filesize

    936KB

  • memory/2232-68-0x0000000005880000-0x000000000596A000-memory.dmp

    Filesize

    936KB

  • memory/2232-70-0x0000000005880000-0x000000000596A000-memory.dmp

    Filesize

    936KB

  • memory/2232-72-0x0000000005880000-0x000000000596A000-memory.dmp

    Filesize

    936KB

  • memory/2232-74-0x0000000005880000-0x000000000596A000-memory.dmp

    Filesize

    936KB

  • memory/2232-3-0x0000000000240000-0x0000000000246000-memory.dmp

    Filesize

    24KB

  • memory/2232-78-0x0000000005880000-0x000000000596A000-memory.dmp

    Filesize

    936KB

  • memory/2232-80-0x0000000005880000-0x000000000596A000-memory.dmp

    Filesize

    936KB

  • memory/2232-82-0x0000000005880000-0x000000000596A000-memory.dmp

    Filesize

    936KB

  • memory/2232-38-0x0000000005880000-0x0000000005970000-memory.dmp

    Filesize

    960KB

  • memory/2232-86-0x0000000005880000-0x000000000596A000-memory.dmp

    Filesize

    936KB

  • memory/2232-88-0x0000000005880000-0x000000000596A000-memory.dmp

    Filesize

    936KB

  • memory/2232-90-0x0000000005880000-0x000000000596A000-memory.dmp

    Filesize

    936KB

  • memory/2232-92-0x0000000005880000-0x000000000596A000-memory.dmp

    Filesize

    936KB

  • memory/2232-94-0x0000000005880000-0x000000000596A000-memory.dmp

    Filesize

    936KB

  • memory/2232-96-0x0000000005880000-0x000000000596A000-memory.dmp

    Filesize

    936KB

  • memory/2232-98-0x0000000005880000-0x000000000596A000-memory.dmp

    Filesize

    936KB

  • memory/2232-100-0x0000000005880000-0x000000000596A000-memory.dmp

    Filesize

    936KB

  • memory/2232-102-0x0000000005880000-0x000000000596A000-memory.dmp

    Filesize

    936KB

  • memory/2232-1153-0x00000000005E0000-0x00000000005E1000-memory.dmp

    Filesize

    4KB

  • memory/2232-1154-0x00000000050F0000-0x000000000516A000-memory.dmp

    Filesize

    488KB

  • memory/2232-1155-0x0000000002190000-0x00000000021DC000-memory.dmp

    Filesize

    304KB

  • memory/2232-1156-0x0000000074D40000-0x000000007542E000-memory.dmp

    Filesize

    6.9MB

  • memory/2232-1157-0x0000000000960000-0x00000000009A0000-memory.dmp

    Filesize

    256KB

  • memory/2232-1168-0x0000000074D40000-0x000000007542E000-memory.dmp

    Filesize

    6.9MB

  • memory/2232-0-0x0000000000290000-0x00000000002A2000-memory.dmp

    Filesize

    72KB

  • memory/2232-1-0x0000000074D40000-0x000000007542E000-memory.dmp

    Filesize

    6.9MB

  • memory/2232-2-0x0000000000960000-0x00000000009A0000-memory.dmp

    Filesize

    256KB

  • memory/2388-2331-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

  • memory/2680-2298-0x0000000074900000-0x0000000074FEE000-memory.dmp

    Filesize

    6.9MB

  • memory/2680-2315-0x0000000074900000-0x0000000074FEE000-memory.dmp

    Filesize

    6.9MB

  • memory/2680-2296-0x00000000005F0000-0x00000000005F1000-memory.dmp

    Filesize

    4KB

  • memory/2680-1181-0x0000000074900000-0x0000000074FEE000-memory.dmp

    Filesize

    6.9MB

  • memory/2680-1180-0x0000000000C60000-0x0000000000C72000-memory.dmp

    Filesize

    72KB

  • memory/2860-1170-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

  • memory/2860-2297-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB