14f025b6400e2f3db5ba60a78812501e658f19929e1ffea669677596482140ff

Analysis

max time kernel
151s
max time network
70s
platform
windows7_x64
resource
win7
submitted
06-10-2020 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nibiru.bin.exe
Size

121KB
MD5

49d9d587a88074016a2042bdb42b9441
SHA1

5659837b54f1c48318025051c8541aa915b80aac
SHA256

e0a681902f4f331582670e535a7d1eb3d6eff18d3fbed3ffd2433f898219576f
SHA512

ad8a1f71eeea4dea8073886563191bce9aff27a5c0f28e1f23362787f8a759635996a0434d73792351f30bcbfbe17c455aa4774ff366cc6a79e18c7fc7e3c65d

Score

8^/10

spyware ransomware persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

Nibiru.bin.exe

description ioc process

File opened for modification C:\Users\Admin\Pictures\SwitchOptimize.raw.Nibiru Nibiru.bin.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\SwitchOptimize.raw.Nibiru	Nibiru.bin.exe

Suspicious behavior: EnumeratesProcesses 80 IoCs

Processes:

Nibiru.bin.exe

pid	process
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe
1496	Nibiru.bin.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Nibiru.bin.exe

description pid process

Token: SeDebugPrivilege 1496 Nibiru.bin.exe

description	pid	process
Token: SeDebugPrivilege	1496	Nibiru.bin.exe

C:\Users\Admin\AppData\Local\Temp\Nibiru.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Nibiru.bin.exe"
1⤵
- Modifies extensions of user files
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1224

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1496-0-0x0000000073B80000-0x000000007426E000-memory.dmp

Filesize
6.9MB

Download
memory/1496-1-0x0000000001220000-0x0000000001221000-memory.dmp

Filesize
4KB

Download