Analysis
-
max time kernel
147s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system -
submitted
24/02/2024, 12:54
Static task
static1
Behavioral task
behavioral1
Sample
Nzewxakqtk.exe
Resource
win7-20240221-en
General
-
Target
Nzewxakqtk.exe
-
Size
51KB
-
MD5
b4bb2848a06f5b7cc4164ac2a701f50a
-
SHA1
9ad29b0652b419df2840526002f2c9ae483c0f48
-
SHA256
fb9844ab20cb5995d2fb6df467f1aee283ca0a013b8f330ad39a9ed5e3c7c026
-
SHA512
9dcec4f9a6a299010abef9557fd7c19e9410ded76dae915136dbb2365787d88fd7c1e712d475d9f6136d1244b9e867c50e767e10d7d4891ea817bf09241d67ba
-
SSDEEP
768:+3Npy7qykFI0ykvnxdgkib10ufiy1Y274+aAFqnv6WWtXz/nK3/T75Ynn8wfAyfo:+Rm10Zy19faAFc6JB/no/inn8YAyfo
Malware Config
Signatures
-
Detect ZGRat V1 34 IoCs
resource  yara_rule
behavioral2/memory/3572-4-0x0000000005C90000-0x0000000005D80000-memory.dmp  family_zgrat_v1
behavioral2/memory/3572-7-0x0000000005C90000-0x0000000005D7A000-memory.dmp  family_zgrat_v1
behavioral2/memory/3572-10-0x0000000005C90000-0x0000000005D7A000-memory.dmp  family_zgrat_v1
behavioral2/memory/3572-8-0x0000000005C90000-0x0000000005D7A000-memory.dmp  family_zgrat_v1
behavioral2/memory/3572-12-0x0000000005C90000-0x0000000005D7A000-memory.dmp  family_zgrat_v1
behavioral2/memory/3572-14-0x0000000005C90000-0x0000000005D7A000-memory.dmp  family_zgrat_v1
behavioral2/memory/3572-16-0x0000000005C90000-0x0000000005D7A000-memory.dmp  family_zgrat_v1
behavioral2/memory/3572-18-0x0000000005C90000-0x0000000005D7A000-memory.dmp  family_zgrat_v1
behavioral2/memory/3572-20-0x0000000005C90000-0x0000000005D7A000-memory.dmp  family_zgrat_v1
behavioral2/memory/3572-22-0x0000000005C90000-0x0000000005D7A000-memory.dmp  family_zgrat_v1
behavioral2/memory/3572-24-0x0000000005C90000-0x0000000005D7A000-memory.dmp  family_zgrat_v1
behavioral2/memory/3572-26-0x0000000005C90000-0x0000000005D7A000-memory.dmp  family_zgrat_v1
behavioral2/memory/3572-28-0x0000000005C90000-0x0000000005D7A000-memory.dmp  family_zgrat_v1
behavioral2/memory/3572-30-0x0000000005C90000-0x0000000005D7A000-memory.dmp  family_zgrat_v1
behavioral2/memory/3572-32-0x0000000005C90000-0x0000000005D7A000-memory.dmp  family_zgrat_v1
behavioral2/memory/3572-34-0x0000000005C90000-0x0000000005D7A000-memory.dmp  family_zgrat_v1
behavioral2/memory/3572-36-0x0000000005C90000-0x0000000005D7A000-memory.dmp  family_zgrat_v1
behavioral2/memory/3572-38-0x0000000005C90000-0x0000000005D7A000-memory.dmp  family_zgrat_v1
behavioral2/memory/3572-40-0x0000000005C90000-0x0000000005D7A000-memory.dmp  family_zgrat_v1
behavioral2/memory/3572-42-0x0000000005C90000-0x0000000005D7A000-memory.dmp  family_zgrat_v1
behavioral2/memory/3572-44-0x0000000005C90000-0x0000000005D7A000-memory.dmp  family_zgrat_v1
behavioral2/memory/3572-46-0x0000000005C90000-0x0000000005D7A000-memory.dmp  family_zgrat_v1
behavioral2/memory/3572-48-0x0000000005C90000-0x0000000005D7A000-memory.dmp  family_zgrat_v1
behavioral2/memory/3572-50-0x0000000005C90000-0x0000000005D7A000-memory.dmp  family_zgrat_v1
behavioral2/memory/3572-52-0x0000000005C90000-0x0000000005D7A000-memory.dmp  family_zgrat_v1
behavioral2/memory/3572-54-0x0000000005C90000-0x0000000005D7A000-memory.dmp  family_zgrat_v1
behavioral2/memory/3572-56-0x0000000005C90000-0x0000000005D7A000-memory.dmp  family_zgrat_v1
behavioral2/memory/3572-58-0x0000000005C90000-0x0000000005D7A000-memory.dmp  family_zgrat_v1
behavioral2/memory/3572-60-0x0000000005C90000-0x0000000005D7A000-memory.dmp  family_zgrat_v1
behavioral2/memory/3572-62-0x0000000005C90000-0x0000000005D7A000-memory.dmp  family_zgrat_v1
behavioral2/memory/3572-64-0x0000000005C90000-0x0000000005D7A000-memory.dmp  family_zgrat_v1
behavioral2/memory/3572-66-0x0000000005C90000-0x0000000005D7A000-memory.dmp  family_zgrat_v1
behavioral2/memory/3572-68-0x0000000005C90000-0x0000000005D7A000-memory.dmp  family_zgrat_v1
behavioral2/memory/3572-70-0x0000000005C90000-0x0000000005D7A000-memory.dmp  family_zgrat_v1
-
Drops startup file 5 IoCs
description  ioc  Process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe  Nzewxakqtk.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe  Nzewxakqtk.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Qwxgibnmmbg.vbs  .exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe  .exe
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Qwxgibnmmbg.vbs  Nzewxakqtk.exe
-
Executes dropped EXE 3 IoCs
pid  Process
940  .exe
4780  .exe
3096  .exe
-
resource  yara_rule
behavioral2/memory/3096-2277-0x0000000000400000-0x00000000004B8000-memory.dmp  upx
behavioral2/memory/3096-2285-0x0000000000400000-0x00000000004B8000-memory.dmp  upx
-
Suspicious use of SetThreadContext 3 IoCs
description  pid  Process  procid_target
PID 3572 set thread context of 1564  3572  Nzewxakqtk.exe  95
PID 940 set thread context of 4780  940  .exe  97
PID 4780 set thread context of 3096  4780  .exe  98
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 26 IoCs
description  pid  Process
Token: SeDebugPrivilege  3572  Nzewxakqtk.exe
Token: SeDebugPrivilege  940  .exe
Token: SeIncreaseQuotaPrivilege  3096  .exe
Token: SeSecurityPrivilege  3096  .exe
Token: SeTakeOwnershipPrivilege  3096  .exe
Token: SeLoadDriverPrivilege  3096  .exe
Token: SeSystemProfilePrivilege  3096  .exe
Token: SeSystemtimePrivilege  3096  .exe
Token: SeProfSingleProcessPrivilege  3096  .exe
Token: SeIncBasePriorityPrivilege  3096  .exe
Token: SeCreatePagefilePrivilege  3096  .exe
Token: SeBackupPrivilege  3096  .exe
Token: SeRestorePrivilege  3096  .exe
Token: SeShutdownPrivilege  3096  .exe
Token: SeDebugPrivilege  3096  .exe
Token: SeSystemEnvironmentPrivilege  3096  .exe
Token: SeChangeNotifyPrivilege  3096  .exe
Token: SeRemoteShutdownPrivilege  3096  .exe
Token: SeUndockPrivilege  3096  .exe
Token: SeManageVolumePrivilege  3096  .exe
Token: SeImpersonatePrivilege  3096  .exe
Token: SeCreateGlobalPrivilege  3096  .exe
Token: 33  3096  .exe
Token: 34  3096  .exe
Token: 35  3096  .exe
Token: 36  3096  .exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
pid  Process
1564  Nzewxakqtk.exe
4780  .exe
3096  .exe
-
Suspicious use of WriteProcessMemory 27 IoCs
description  pid  Process  procid_target
PID 3572 wrote to memory of 1564  3572  Nzewxakqtk.exe  95
PID 3572 wrote to memory of 1564  3572  Nzewxakqtk.exe  95
PID 3572 wrote to memory of 1564  3572  Nzewxakqtk.exe  95
PID 3572 wrote to memory of 1564  3572  Nzewxakqtk.exe  95
PID 3572 wrote to memory of 1564  3572  Nzewxakqtk.exe  95
PID 3572 wrote to memory of 1564  3572  Nzewxakqtk.exe  95
PID 3572 wrote to memory of 1564  3572  Nzewxakqtk.exe  95
PID 3572 wrote to memory of 1564  3572  Nzewxakqtk.exe  95
PID 1564 wrote to memory of 940  1564  Nzewxakqtk.exe  96
PID 1564 wrote to memory of 940  1564  Nzewxakqtk.exe  96
PID 1564 wrote to memory of 940  1564  Nzewxakqtk.exe  96
PID 940 wrote to memory of 4780  940  .exe  97
PID 940 wrote to memory of 4780  940  .exe  97
PID 940 wrote to memory of 4780  940  .exe  97
PID 940 wrote to memory of 4780  940  .exe  97
PID 940 wrote to memory of 4780  940  .exe  97
PID 940 wrote to memory of 4780  940  .exe  97
PID 940 wrote to memory of 4780  940  .exe  97
PID 940 wrote to memory of 4780  940  .exe  97
PID 4780 wrote to memory of 3096  4780  .exe  98
PID 4780 wrote to memory of 3096  4780  .exe  98
PID 4780 wrote to memory of 3096  4780  .exe  98
PID 4780 wrote to memory of 3096  4780  .exe  98
PID 4780 wrote to memory of 3096  4780  .exe  98
PID 4780 wrote to memory of 3096  4780  .exe  98
PID 4780 wrote to memory of 3096  4780  .exe  98
PID 4780 wrote to memory of 3096  4780  .exe  98
Processes
-
C:\Users\Admin\AppData\Local\Temp\Nzewxakqtk.exe (tree depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\Nzewxakqtk.exe"
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3572 -
C:\Users\Admin\AppData\Local\Temp\Nzewxakqtk.exe (tree depth 2)
Command line: C:\Users\Admin\AppData\Local\Temp\Nzewxakqtk.exe
- Drops startup file
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe (tree depth 3)
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe"
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe (tree depth 4)
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe"
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4780 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe (tree depth 5)
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3096
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
51KB
MD5 b4bb2848a06f5b7cc4164ac2a701f50a
SHA1 9ad29b0652b419df2840526002f2c9ae483c0f48
SHA256 fb9844ab20cb5995d2fb6df467f1aee283ca0a013b8f330ad39a9ed5e3c7c026
SHA512 9dcec4f9a6a299010abef9557fd7c19e9410ded76dae915136dbb2365787d88fd7c1e712d475d9f6136d1244b9e867c50e767e10d7d4891ea817bf09241d67ba
-
Filesize
86B
MD5 9dc18a9d8ef3f0d6c07eba06f9c8e80b
SHA1 4fe54582050c4312ff0e00e0ec80b602ab699fda
SHA256 fa46279e4e6020cde19bc4de9e61d12078fb02e9d2ecd8d20ff4e01dc3f17b34
SHA512 85591c3de014012087819fcc8c56e343f25928319ba6bc1533e17bb48b45c6554f2622997e149dfd272fbdd9439e13d869c621caee050d6d160cccef9511bdc1