Analysis
- max time kernel: 142s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 24/02/2024, 12:54
- Static task: static1
- Behavioral task: behavioral1
- Sample: Nzewxakqtk.exe
- Resource: win7-20240221-en
General
- Target: Nzewxakqtk.exe
- Size: 51KB
- MD5: b4bb2848a06f5b7cc4164ac2a701f50a
- SHA1: 9ad29b0652b419df2840526002f2c9ae483c0f48
- SHA256: fb9844ab20cb5995d2fb6df467f1aee283ca0a013b8f330ad39a9ed5e3c7c026
- SHA512: 9dcec4f9a6a299010abef9557fd7c19e9410ded76dae915136dbb2365787d88fd7c1e712d475d9f6136d1244b9e867c50e767e10d7d4891ea817bf09241d67ba
- SSDEEP: 768:+3Npy7qykFI0ykvnxdgkib10ufiy1Y274+aAFqnv6WWtXz/nK3/T75Ynn8wfAyfo:+Rm10Zy19faAFc6JB/no/inn8YAyfo
Malware Config
Signatures

Detect ZGRat V1 34 IoCs
resource | yara_rule
behavioral1/memory/2232-38-0x0000000005880000-0x0000000005970000-memory.dmp | family_zgrat_v1
behavioral1/memory/2232-39-0x0000000005880000-0x000000000596A000-memory.dmp | family_zgrat_v1
behavioral1/memory/2232-40-0x0000000005880000-0x000000000596A000-memory.dmp | family_zgrat_v1
behavioral1/memory/2232-42-0x0000000005880000-0x000000000596A000-memory.dmp | family_zgrat_v1
behavioral1/memory/2232-44-0x0000000005880000-0x000000000596A000-memory.dmp | family_zgrat_v1
behavioral1/memory/2232-46-0x0000000005880000-0x000000000596A000-memory.dmp | family_zgrat_v1
behavioral1/memory/2232-48-0x0000000005880000-0x000000000596A000-memory.dmp | family_zgrat_v1
behavioral1/memory/2232-50-0x0000000005880000-0x000000000596A000-memory.dmp | family_zgrat_v1
behavioral1/memory/2232-52-0x0000000005880000-0x000000000596A000-memory.dmp | family_zgrat_v1
behavioral1/memory/2232-54-0x0000000005880000-0x000000000596A000-memory.dmp | family_zgrat_v1
behavioral1/memory/2232-56-0x0000000005880000-0x000000000596A000-memory.dmp | family_zgrat_v1
behavioral1/memory/2232-58-0x0000000005880000-0x000000000596A000-memory.dmp | family_zgrat_v1
behavioral1/memory/2232-60-0x0000000005880000-0x000000000596A000-memory.dmp | family_zgrat_v1
behavioral1/memory/2232-62-0x0000000005880000-0x000000000596A000-memory.dmp | family_zgrat_v1
behavioral1/memory/2232-64-0x0000000005880000-0x000000000596A000-memory.dmp | family_zgrat_v1
behavioral1/memory/2232-66-0x0000000005880000-0x000000000596A000-memory.dmp | family_zgrat_v1
behavioral1/memory/2232-68-0x0000000005880000-0x000000000596A000-memory.dmp | family_zgrat_v1
behavioral1/memory/2232-70-0x0000000005880000-0x000000000596A000-memory.dmp | family_zgrat_v1
behavioral1/memory/2232-72-0x0000000005880000-0x000000000596A000-memory.dmp | family_zgrat_v1
behavioral1/memory/2232-74-0x0000000005880000-0x000000000596A000-memory.dmp | family_zgrat_v1
behavioral1/memory/2232-76-0x0000000005880000-0x000000000596A000-memory.dmp | family_zgrat_v1
behavioral1/memory/2232-78-0x0000000005880000-0x000000000596A000-memory.dmp | family_zgrat_v1
behavioral1/memory/2232-80-0x0000000005880000-0x000000000596A000-memory.dmp | family_zgrat_v1
behavioral1/memory/2232-82-0x0000000005880000-0x000000000596A000-memory.dmp | family_zgrat_v1
behavioral1/memory/2232-84-0x0000000005880000-0x000000000596A000-memory.dmp | family_zgrat_v1
behavioral1/memory/2232-86-0x0000000005880000-0x000000000596A000-memory.dmp | family_zgrat_v1
behavioral1/memory/2232-88-0x0000000005880000-0x000000000596A000-memory.dmp | family_zgrat_v1
behavioral1/memory/2232-90-0x0000000005880000-0x000000000596A000-memory.dmp | family_zgrat_v1
behavioral1/memory/2232-92-0x0000000005880000-0x000000000596A000-memory.dmp | family_zgrat_v1
behavioral1/memory/2232-94-0x0000000005880000-0x000000000596A000-memory.dmp | family_zgrat_v1
behavioral1/memory/2232-96-0x0000000005880000-0x000000000596A000-memory.dmp | family_zgrat_v1
behavioral1/memory/2232-98-0x0000000005880000-0x000000000596A000-memory.dmp | family_zgrat_v1
behavioral1/memory/2232-100-0x0000000005880000-0x000000000596A000-memory.dmp | family_zgrat_v1
behavioral1/memory/2232-102-0x0000000005880000-0x000000000596A000-memory.dmp | family_zgrat_v1
Drops startup file 5 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Qwxgibnmmbg.vbs | .exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe | .exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Qwxgibnmmbg.vbs | Nzewxakqtk.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe | Nzewxakqtk.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe | Nzewxakqtk.exe
Executes dropped EXE 3 IoCs
pid | Process
2680 | .exe
2388 | .exe
440 | .exe
Loads dropped DLL 3 IoCs
pid | Process
2860 | Nzewxakqtk.exe
2680 | .exe
2388 | .exe

resource | yara_rule
behavioral1/memory/440-2335-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
behavioral1/memory/440-2342-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 2232 set thread context of 2860 | 2232 | Nzewxakqtk.exe | 30
PID 2680 set thread context of 2388 | 2680 | .exe | 32
PID 2388 set thread context of 440 | 2388 | .exe | 33
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies system certificate store
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 .exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 .exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961
ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 .exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 .exe -
Suspicious use of AdjustPrivilegeToken 25 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2232 | Nzewxakqtk.exe
Token: SeDebugPrivilege | 2680 | .exe
Token: SeIncreaseQuotaPrivilege | 440 | .exe
Token: SeSecurityPrivilege | 440 | .exe
Token: SeTakeOwnershipPrivilege | 440 | .exe
Token: SeLoadDriverPrivilege | 440 | .exe
Token: SeSystemProfilePrivilege | 440 | .exe
Token: SeSystemtimePrivilege | 440 | .exe
Token: SeProfSingleProcessPrivilege | 440 | .exe
Token: SeIncBasePriorityPrivilege | 440 | .exe
Token: SeCreatePagefilePrivilege | 440 | .exe
Token: SeBackupPrivilege | 440 | .exe
Token: SeRestorePrivilege | 440 | .exe
Token: SeShutdownPrivilege | 440 | .exe
Token: SeDebugPrivilege | 440 | .exe
Token: SeSystemEnvironmentPrivilege | 440 | .exe
Token: SeChangeNotifyPrivilege | 440 | .exe
Token: SeRemoteShutdownPrivilege | 440 | .exe
Token: SeUndockPrivilege | 440 | .exe
Token: SeManageVolumePrivilege | 440 | .exe
Token: SeImpersonatePrivilege | 440 | .exe
Token: SeCreateGlobalPrivilege | 440 | .exe
Token: 33 | 440 | .exe
Token: 34 | 440 | .exe
Token: 35 | 440 | .exe
Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process
2860 | Nzewxakqtk.exe
2388 | .exe
440 | .exe
Suspicious use of WriteProcessMemory 30 IoCs
description | pid | Process | procid_target
PID 2232 wrote to memory of 2860 | 2232 | Nzewxakqtk.exe | 30
PID 2232 wrote to memory of 2860 | 2232 | Nzewxakqtk.exe | 30
PID 2232 wrote to memory of 2860 | 2232 | Nzewxakqtk.exe | 30
PID 2232 wrote to memory of 2860 | 2232 | Nzewxakqtk.exe | 30
PID 2232 wrote to memory of 2860 | 2232 | Nzewxakqtk.exe | 30
PID 2232 wrote to memory of 2860 | 2232 | Nzewxakqtk.exe | 30
PID 2232 wrote to memory of 2860 | 2232 | Nzewxakqtk.exe | 30
PID 2232 wrote to memory of 2860 | 2232 | Nzewxakqtk.exe | 30
PID 2232 wrote to memory of 2860 | 2232 | Nzewxakqtk.exe | 30
PID 2860 wrote to memory of 2680 | 2860 | Nzewxakqtk.exe | 31
PID 2860 wrote to memory of 2680 | 2860 | Nzewxakqtk.exe | 31
PID 2860 wrote to memory of 2680 | 2860 | Nzewxakqtk.exe | 31
PID 2860 wrote to memory of 2680 | 2860 | Nzewxakqtk.exe | 31
PID 2680 wrote to memory of 2388 | 2680 | .exe | 32
PID 2680 wrote to memory of 2388 | 2680 | .exe | 32
PID 2680 wrote to memory of 2388 | 2680 | .exe | 32
PID 2680 wrote to memory of 2388 | 2680 | .exe | 32
PID 2680 wrote to memory of 2388 | 2680 | .exe | 32
PID 2680 wrote to memory of 2388 | 2680 | .exe | 32
PID 2680 wrote to memory of 2388 | 2680 | .exe | 32
PID 2680 wrote to memory of 2388 | 2680 | .exe | 32
PID 2680 wrote to memory of 2388 | 2680 | .exe | 32
PID 2388 wrote to memory of 440 | 2388 | .exe | 33
PID 2388 wrote to memory of 440 | 2388 | .exe | 33
PID 2388 wrote to memory of 440 | 2388 | .exe | 33
PID 2388 wrote to memory of 440 | 2388 | .exe | 33
PID 2388 wrote to memory of 440 | 2388 | .exe | 33
PID 2388 wrote to memory of 440 | 2388 | .exe | 33
PID 2388 wrote to memory of 440 | 2388 | .exe | 33
PID 2388 wrote to memory of 440 | 2388 | .exe | 33
Processes

1. C:\Users\Admin\AppData\Local\Temp\Nzewxakqtk.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\Nzewxakqtk.exe"
   PID: 2232
   - Drops startup file
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Nzewxakqtk.exe
      command line: C:\Users\Admin\AppData\Local\Temp\Nzewxakqtk.exe
      PID: 2860
      - Drops startup file
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe
         command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe"
         PID: 2680
         - Drops startup file
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of SetThreadContext
         - Modifies system certificate store
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe
            command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe"
            PID: 2388
            - Drops startup file
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            5. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe
               command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe"
               PID: 440
               - Executes dropped EXE
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

- Filesize: 171KB
  MD5: 9c0c641c06238516f27941aa1166d427
  SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
  SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
  SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

- Filesize: 86B
  MD5: 9dc18a9d8ef3f0d6c07eba06f9c8e80b
  SHA1: 4fe54582050c4312ff0e00e0ec80b602ab699fda
  SHA256: fa46279e4e6020cde19bc4de9e61d12078fb02e9d2ecd8d20ff4e01dc3f17b34
  SHA512: 85591c3de014012087819fcc8c56e343f25928319ba6bc1533e17bb48b45c6554f2622997e149dfd272fbdd9439e13d869c621caee050d6d160cccef9511bdc1

- Filesize: 51KB
  MD5: b4bb2848a06f5b7cc4164ac2a701f50a
  SHA1: 9ad29b0652b419df2840526002f2c9ae483c0f48
  SHA256: fb9844ab20cb5995d2fb6df467f1aee283ca0a013b8f330ad39a9ed5e3c7c026
  SHA512: 9dcec4f9a6a299010abef9557fd7c19e9410ded76dae915136dbb2365787d88fd7c1e712d475d9f6136d1244b9e867c50e767e10d7d4891ea817bf09241d67ba