Nibiru.bin.zip

General
Target: Nibiru.bin.exe
Filesize: 121KB
Completed: 06-10-2020 06:18
Score: 8/10
MD5: 49d9d587a88074016a2042bdb42b9441
SHA1: 5659837b54f1c48318025051c8541aa915b80aac
SHA256: e0a681902f4f331582670e535a7d1eb3d6eff18d3fbed3ffd2433f898219576f

Malware Config
Signatures (5)
Tactics: Collection, Credential Access, Defense Evasion, Persistence
  • Modifies Installed Components in the registry

    TTPs: Registry Run Keys / Startup Folder; Modify Registry
  • Modifies extensions of user files
    Nibiru.bin.exe

    Description: Ransomware generally changes the extension on encrypted files.

    Reported IOCs
    description                  | ioc                                              | process
    File opened for modification | C:\Users\Admin\Pictures\SwitchOptimize.raw.Nibiru | Nibiru.bin.exe
  • Reads user/profile data of web browsers

    Description: Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs: Data from Local System; Credentials in Files
  • Suspicious behavior: EnumeratesProcesses
    Nibiru.bin.exe

    Reported IOCs
    pid  | process
    1496 | Nibiru.bin.exe
  • Suspicious use of AdjustPrivilegeToken
    Nibiru.bin.exe

    Reported IOCs
    description             | pid  | process
    Token: SeDebugPrivilege | 1496 | Nibiru.bin.exe
Processes
Network
MITRE ATT&CK Matrix
Columns: Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation
Downloads
  • memory/1496-0-0x0000000073B80000-0x000000007426E000-memory.dmp
  • memory/1496-1-0x0000000001220000-0x0000000001221000-memory.dmp