Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/02/2024, 12:54

General

  • Target

    Nzewxakqtk.exe

  • Size

    51KB

  • MD5

    b4bb2848a06f5b7cc4164ac2a701f50a

  • SHA1

    9ad29b0652b419df2840526002f2c9ae483c0f48

  • SHA256

    fb9844ab20cb5995d2fb6df467f1aee283ca0a013b8f330ad39a9ed5e3c7c026

  • SHA512

    9dcec4f9a6a299010abef9557fd7c19e9410ded76dae915136dbb2365787d88fd7c1e712d475d9f6136d1244b9e867c50e767e10d7d4891ea817bf09241d67ba

  • SSDEEP

    768:+3Npy7qykFI0ykvnxdgkib10ufiy1Y274+aAFqnv6WWtXz/nK3/T75Ynn8wfAyfo:+Rm10Zy19faAFc6JB/no/inn8YAyfo

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Detect ZGRat V1 34 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Drops startup file 5 IoCs
  • Executes dropped EXE 3 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nzewxakqtk.exe
    "C:\Users\Admin\AppData\Local\Temp\Nzewxakqtk.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3572
    • C:\Users\Admin\AppData\Local\Temp\Nzewxakqtk.exe
      C:\Users\Admin\AppData\Local\Temp\Nzewxakqtk.exe
      2⤵
      • Drops startup file
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1564
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:940
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe"
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4780
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:3096

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe

    Filesize

    51KB

    MD5

    b4bb2848a06f5b7cc4164ac2a701f50a

    SHA1

    9ad29b0652b419df2840526002f2c9ae483c0f48

    SHA256

    fb9844ab20cb5995d2fb6df467f1aee283ca0a013b8f330ad39a9ed5e3c7c026

    SHA512

    9dcec4f9a6a299010abef9557fd7c19e9410ded76dae915136dbb2365787d88fd7c1e712d475d9f6136d1244b9e867c50e767e10d7d4891ea817bf09241d67ba

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Qwxgibnmmbg.vbs

    Filesize

    86B

    MD5

    9dc18a9d8ef3f0d6c07eba06f9c8e80b

    SHA1

    4fe54582050c4312ff0e00e0ec80b602ab699fda

    SHA256

    fa46279e4e6020cde19bc4de9e61d12078fb02e9d2ecd8d20ff4e01dc3f17b34

    SHA512

    85591c3de014012087819fcc8c56e343f25928319ba6bc1533e17bb48b45c6554f2622997e149dfd272fbdd9439e13d869c621caee050d6d160cccef9511bdc1
