Overview

Score  Target                   Platform
10     Static                   static
8      all/clicke...fy.exe      windows7_x64
7      all/clicke...fy.exe      windows10-2004_x64
7      all/clicke...v2.exe      windows7_x64
8      all/clicke...v2.exe      windows10-2004_x64
8      all/clicke...on.exe      windows7_x64
1      all/clicke...on.exe      windows10-2004_x64
4      all/clicke...er.exe      windows7_x64
1      all/clicke...er.exe      windows10-2004_x64
7      all/clicke...p3.exe      windows7_x64
8      all/clicke...p3.exe      windows10-2004_x64
8      all/clicke...ao.exe      windows7_x64
4      all/clicke...ao.exe      windows10-2004_x64
6      all/clickers/vega.exe    windows7_x64
1      all/clickers/vega.exe    windows10-2004_x64
10     all/gcs/Cl...er.exe      windows7_x64
7      all/gcs/Cl...er.exe      windows10-2004_x64
7      all/gcs/Icetea.exe       windows7_x64
1      all/gcs/Icetea.exe       windows10-2004_x64
4      all/gcs/Koid.exe         windows7_x64
1      all/gcs/Koid.exe         windows10-2004_x64
4      all/gcs/crypt.exe        windows7_x64
9      all/gcs/crypt.exe        windows10-2004_x64
9      all/gcs/en...an.exe      windows7_x64
8      all/gcs/en...an.exe      windows10-2004_x64
8      all/gcs/epic.exe         windows7_x64
1      all/gcs/epic.exe         windows10-2004_x64
4      all/gcs/itami.exe        windows7_x64
1      all/gcs/itami.exe        windows10-2004_x64
4      all/gcs/kr...nt.exe      windows7_x64
1      all/gcs/kr...nt.exe      windows10-2004_x64
9      all/gcs/kura.exe         windows7_x64
1      all/gcs/kura.exe         windows10-2004_x64
Analysis (score 9)
- max time kernel: 1598s
- max time network: 1736s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 16-02-2022 17:24
Behavioral tasks

Task          Sample                            Resource
behavioral1   all/clickers/Spotify.exe          win7-en-20211208
behavioral2   all/clickers/Spotify.exe          win10v2004-en-20220112
behavioral3   all/clickers/axentav2.exe         win7-en-20211208
behavioral4   all/clickers/axentav2.exe         win10v2004-en-20220112
behavioral5   all/clickers/isolation.exe        win7-en-20211208
behavioral6   all/clickers/isolation.exe        win10v2004-en-20220113
behavioral7   all/clickers/mangoclicker.exe     win7-en-20211208
behavioral8   all/clickers/mangoclicker.exe     win10v2004-en-20220113
behavioral9   all/clickers/nigclickermp3.exe    win7-en-20211208
behavioral10  all/clickers/nigclickermp3.exe    win10v2004-en-20220113
behavioral11  all/clickers/slinkylmao.exe       win7-en-20211208
behavioral12  all/clickers/slinkylmao.exe       win10v2004-en-20220112
behavioral13  all/clickers/vega.exe             win7-en-20211208
behavioral14  all/clickers/vega.exe             win10v2004-en-20220112
behavioral15  all/gcs/Client_Loader.exe         win7-en-20211208
behavioral16  all/gcs/Client_Loader.exe         win10v2004-en-20220113
behavioral17  all/gcs/Icetea.exe                win7-en-20211208
behavioral18  all/gcs/Icetea.exe                win10v2004-en-20220113
behavioral19  all/gcs/Koid.exe                  win7-en-20211208
behavioral20  all/gcs/Koid.exe                  win10v2004-en-20220113
behavioral21  all/gcs/crypt.exe                 win7-en-20211208
behavioral22  all/gcs/crypt.exe                 win10v2004-en-20220112
behavioral23  all/gcs/encephalon_clean.exe      win7-en-20211208
behavioral24  all/gcs/encephalon_clean.exe      win10v2004-en-20220112
behavioral25  all/gcs/epic.exe                  win7-en-20211208
behavioral26  all/gcs/epic.exe                  win10v2004-en-20220112
behavioral27  all/gcs/itami.exe                 win7-en-20211208
behavioral28  all/gcs/itami.exe                 win10v2004-en-20220113
behavioral29  all/gcs/kryptonclient.exe         win7-en-20211208
behavioral30  all/gcs/kryptonclient.exe         win10v2004-en-20220113
behavioral31  all/gcs/kura.exe                  win7-en-20211208
General
- Target: all/clickers/nigclickermp3.exe
- Size: 154KB
- MD5: c54431007e22486b5f6f6dab618224e1
- SHA1: 6ea6d21f22c0350541ca9e1e48bc20a571e33dc4
- SHA256: 131bd4e3170c5c87cafa632cfec7eb7281490b00c292dcde95e770752d7272ad
- SHA512: b63d396af593b26538226e5940b3e18479dbc84c60f6ea0148969ca67b810b102cbdf44b06033513cdc7ba7b868ff94c0c4df4d586f7a2cd3b9ed6ed819bdeb4
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
  pid   process
  4068  nig_clicker.exe

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  description        ioc                                                                                                    process
  Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  nigclickermp3.exe

- Loads dropped DLL (2 IoCs)
  Processes:
  pid   process
  4068  nig_clicker.exe
  4068  nig_clicker.exe

- Drops file in Windows directory (8 IoCs)
  Processes:
  description                   ioc                                                            process
  File opened for modification  C:\Windows\Logs\CBS\CBS.log                                    TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml                                  TiWorker.exe
  File opened for modification  C:\Windows\WindowsUpdate.log                                   svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk         svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log         svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb        svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm        svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log            svchost.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Modifies data under HKEY_USERS (1 IoCs)
  Processes:
  description  ioc                                                                                          process
  Key created  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections  svchost.exe

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description / pid / process; the 64 token adjustments grouped with their repeat counts):
  description                        pid   process          count
  Token: SeDebugPrivilege            4068  nig_clicker.exe  1
  Token: SeShutdownPrivilege         1268  svchost.exe      3
  Token: SeCreatePagefilePrivilege   1268  svchost.exe      3
  Token: SeSecurityPrivilege         4652  TiWorker.exe     19
  Token: SeRestorePrivilege          4652  TiWorker.exe     19
  Token: SeBackupPrivilege           4652  TiWorker.exe     19

- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
  description                      pid   process            target process
  PID 2612 wrote to memory of 720  2612  nigclickermp3.exe  cmd.exe
  PID 2612 wrote to memory of 720  2612  nigclickermp3.exe  cmd.exe
  PID 720 wrote to memory of 1596  720   cmd.exe            cmd.exe
  PID 720 wrote to memory of 1596  720   cmd.exe            cmd.exe
  PID 1596 wrote to memory of 2008 1596  cmd.exe            chcp.com
  PID 1596 wrote to memory of 2008 1596  cmd.exe            chcp.com
  PID 720 wrote to memory of 4092  720   cmd.exe            chcp.com
  PID 720 wrote to memory of 4092  720   cmd.exe            chcp.com
  PID 720 wrote to memory of 3612  720   cmd.exe            cmd.exe
  PID 720 wrote to memory of 3612  720   cmd.exe            cmd.exe
  PID 3612 wrote to memory of 4068 3612  cmd.exe            nig_clicker.exe
  PID 3612 wrote to memory of 4068 3612  cmd.exe            nig_clicker.exe
  PID 3612 wrote to memory of 4068 3612  cmd.exe            nig_clicker.exe
  PID 720 wrote to memory of 3588  720   cmd.exe            chcp.com
  PID 720 wrote to memory of 3588  720   cmd.exe            chcp.com
Processes (process tree; [n] is the depth in the tree, first line is the image path, second line the command line)

- [1] C:\Users\Admin\AppData\Local\Temp\all\clickers\nigclickermp3.exe
      "C:\Users\Admin\AppData\Local\Temp\all\clickers\nigclickermp3.exe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D128.tmp\nig_click_obfuscated.bat" "
        - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c chcp
          - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\chcp.com
            chcp
    - [3] C:\Windows\system32\chcp.com
          chcp 708
    - [3] C:\Windows\system32\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\D128.tmp\nig_click_obfuscated.bat" "
          - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\D128.tmp\nig_clicker.exe
            nig_clicker.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\chcp.com
          chcp 437
- [1] C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
      - Modifies data under HKEY_USERS
- [1] C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
      C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
      - Drops file in Windows directory
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\D128.tmp\SkeetUI.dll
  MD5: 368ac15b75350731cb8fb0df29bb0278
  SHA1: ff4320baba23e1b8b0053e94baf8441c91b735f0
  SHA256: 5beb1cabcd7b0c14095819ad4e70884fb5eb1fa5d1b2238d68a6877efc4d2436
  SHA512: 5140257e3bb77bbe0a919d8a71b5676d1dc9402694eb768ae0365927d2a2a3856883f45ae32051bf4030346cef26e62d31a7e1c0cbf34d4c9b478f22655f526d

- C:\Users\Admin\AppData\Local\Temp\D128.tmp\nig_click_obfuscated.bat
  MD5: 46129fe86da9ed908eb378dd1020cf49
  SHA1: 0eae2e06129bfca5d569f1c3e0637f43fb67ee86
  SHA256: d9ca75dfe0e3444bd73136d6d6fe17e5f06aff9d62ecc67f110a15040f8425f0
  SHA512: 7812abe84a23dcd83bf0e6f3fa39efb55e14e2e1803e89fea6002c35002c40a85a9cef6e2a940be91dc663425cd8a215ab3282d05add0c87d9ac41213cc0bab8

- C:\Users\Admin\AppData\Local\Temp\D128.tmp\nig_clicker.exe
  MD5: 90f4b55e24d8c49144ff51dc3595afc6
  SHA1: e65148006ea938e42685f710c51030d2b1bc06dd
  SHA256: 45eabf220a915eafcf0e95a77aca95c021c5df105f76eef8c6676cc5134f9ccf
  SHA512: d0b349e5dcbd6d0fab2e01c16d5bb4ccee95df3991772cba27ea61de5910fedd08460246e72c3f3821c6fdacf65561125e75cc898ed3522ac980acd226c4837d
memory/824-144-0x0000020827560000-0x0000020827570000-memory.dmpFilesize
64KB
-
memory/824-151-0x0000020829DF0000-0x0000020829DF4000-memory.dmpFilesize
16KB
-
memory/824-156-0x0000020829A60000-0x0000020829A61000-memory.dmpFilesize
4KB
-
memory/824-155-0x0000020829B60000-0x0000020829B64000-memory.dmpFilesize
16KB
-
memory/824-154-0x0000020829B60000-0x0000020829B61000-memory.dmpFilesize
4KB
-
memory/824-153-0x0000020829B70000-0x0000020829B74000-memory.dmpFilesize
16KB
-
memory/824-145-0x00000208275C0000-0x00000208275D0000-memory.dmpFilesize
64KB
-
memory/824-146-0x0000020829B40000-0x0000020829B44000-memory.dmpFilesize
16KB
-
memory/824-152-0x0000020829DD0000-0x0000020829DD1000-memory.dmpFilesize
4KB
-
memory/1268-160-0x0000024F6F680000-0x0000024F6F681000-memory.dmpFilesize
4KB
-
memory/1268-158-0x0000024F6F6C0000-0x0000024F6F6C1000-memory.dmpFilesize
4KB
-
memory/1268-157-0x0000024F6F780000-0x0000024F6F784000-memory.dmpFilesize
16KB
-
memory/1268-150-0x0000024F6F760000-0x0000024F6F764000-memory.dmpFilesize
16KB
-
memory/4068-141-0x0000000000F80000-0x0000000000F81000-memory.dmpFilesize
4KB
-
memory/4068-147-0x0000000008333000-0x0000000008335000-memory.dmpFilesize
8KB
-
memory/4068-133-0x0000000000F60000-0x0000000000FB6000-memory.dmpFilesize
344KB
-
memory/4068-143-0x0000000008820000-0x000000000882A000-memory.dmpFilesize
40KB
-
memory/4068-136-0x0000000074BDE000-0x0000000074BDF000-memory.dmpFilesize
4KB
-
memory/4068-142-0x0000000008330000-0x0000000008331000-memory.dmpFilesize
4KB
-
memory/4068-134-0x00000000055A0000-0x0000000005632000-memory.dmpFilesize
584KB
-
memory/4068-135-0x0000000005BF0000-0x0000000006194000-memory.dmpFilesize
5.6MB
-
memory/4068-140-0x0000000005B30000-0x0000000005B3E000-memory.dmpFilesize
56KB