91cd8bfbe714acc43beff32856c3d56ded48706d3c92c492a1acb994b606003b

Analysis

max time kernel
1598s
max time network
1736s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
16-02-2022 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

all/clickers/nigclickermp3.exe
Size

154KB
MD5

c54431007e22486b5f6f6dab618224e1
SHA1

6ea6d21f22c0350541ca9e1e48bc20a571e33dc4
SHA256

131bd4e3170c5c87cafa632cfec7eb7281490b00c292dcde95e770752d7272ad
SHA512

b63d396af593b26538226e5940b3e18479dbc84c60f6ea0148969ca67b810b102cbdf44b06033513cdc7ba7b868ff94c0c4df4d586f7a2cd3b9ed6ed819bdeb4

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

nig_clicker.exe

pid process

4068 nig_clicker.exe

pid	process
4068	nig_clicker.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nigclickermp3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	nigclickermp3.exe

Loads dropped DLL 2 IoCs

Processes:

nig_clicker.exe

pid process

4068 nig_clicker.exe
4068 nig_clicker.exe

pid	process
4068	nig_clicker.exe
4068	nig_clicker.exe

Drops file in Windows directory 8 IoCs

Processes:

TiWorker.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

nig_clicker.exesvchost.exeTiWorker.exe

description	pid	process
Token: SeDebugPrivilege	4068	nig_clicker.exe
Token: SeShutdownPrivilege	1268	svchost.exe
Token: SeCreatePagefilePrivilege	1268	svchost.exe
Token: SeShutdownPrivilege	1268	svchost.exe
Token: SeCreatePagefilePrivilege	1268	svchost.exe
Token: SeShutdownPrivilege	1268	svchost.exe
Token: SeCreatePagefilePrivilege	1268	svchost.exe
Token: SeSecurityPrivilege	4652	TiWorker.exe
Token: SeRestorePrivilege	4652	TiWorker.exe
Token: SeBackupPrivilege	4652	TiWorker.exe
Token: SeBackupPrivilege	4652	TiWorker.exe
Token: SeRestorePrivilege	4652	TiWorker.exe
Token: SeSecurityPrivilege	4652	TiWorker.exe
Token: SeBackupPrivilege	4652	TiWorker.exe
Token: SeRestorePrivilege	4652	TiWorker.exe
Token: SeSecurityPrivilege	4652	TiWorker.exe
Token: SeBackupPrivilege	4652	TiWorker.exe
Token: SeRestorePrivilege	4652	TiWorker.exe
Token: SeSecurityPrivilege	4652	TiWorker.exe
Token: SeBackupPrivilege	4652	TiWorker.exe
Token: SeRestorePrivilege	4652	TiWorker.exe
Token: SeSecurityPrivilege	4652	TiWorker.exe
Token: SeBackupPrivilege	4652	TiWorker.exe
Token: SeRestorePrivilege	4652	TiWorker.exe
Token: SeSecurityPrivilege	4652	TiWorker.exe
Token: SeBackupPrivilege	4652	TiWorker.exe
Token: SeRestorePrivilege	4652	TiWorker.exe
Token: SeSecurityPrivilege	4652	TiWorker.exe
Token: SeBackupPrivilege	4652	TiWorker.exe
Token: SeRestorePrivilege	4652	TiWorker.exe
Token: SeSecurityPrivilege	4652	TiWorker.exe
Token: SeBackupPrivilege	4652	TiWorker.exe
Token: SeRestorePrivilege	4652	TiWorker.exe
Token: SeSecurityPrivilege	4652	TiWorker.exe
Token: SeBackupPrivilege	4652	TiWorker.exe
Token: SeRestorePrivilege	4652	TiWorker.exe
Token: SeSecurityPrivilege	4652	TiWorker.exe
Token: SeBackupPrivilege	4652	TiWorker.exe
Token: SeRestorePrivilege	4652	TiWorker.exe
Token: SeSecurityPrivilege	4652	TiWorker.exe
Token: SeBackupPrivilege	4652	TiWorker.exe
Token: SeRestorePrivilege	4652	TiWorker.exe
Token: SeSecurityPrivilege	4652	TiWorker.exe
Token: SeBackupPrivilege	4652	TiWorker.exe
Token: SeRestorePrivilege	4652	TiWorker.exe
Token: SeSecurityPrivilege	4652	TiWorker.exe
Token: SeBackupPrivilege	4652	TiWorker.exe
Token: SeRestorePrivilege	4652	TiWorker.exe
Token: SeSecurityPrivilege	4652	TiWorker.exe
Token: SeBackupPrivilege	4652	TiWorker.exe
Token: SeRestorePrivilege	4652	TiWorker.exe
Token: SeSecurityPrivilege	4652	TiWorker.exe
Token: SeBackupPrivilege	4652	TiWorker.exe
Token: SeRestorePrivilege	4652	TiWorker.exe
Token: SeSecurityPrivilege	4652	TiWorker.exe
Token: SeBackupPrivilege	4652	TiWorker.exe
Token: SeRestorePrivilege	4652	TiWorker.exe
Token: SeSecurityPrivilege	4652	TiWorker.exe
Token: SeBackupPrivilege	4652	TiWorker.exe
Token: SeRestorePrivilege	4652	TiWorker.exe
Token: SeSecurityPrivilege	4652	TiWorker.exe
Token: SeBackupPrivilege	4652	TiWorker.exe
Token: SeRestorePrivilege	4652	TiWorker.exe
Token: SeSecurityPrivilege	4652	TiWorker.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

nigclickermp3.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2612 wrote to memory of 720	2612	nigclickermp3.exe	cmd.exe
PID 2612 wrote to memory of 720	2612	nigclickermp3.exe	cmd.exe
PID 720 wrote to memory of 1596	720	cmd.exe	cmd.exe
PID 720 wrote to memory of 1596	720	cmd.exe	cmd.exe
PID 1596 wrote to memory of 2008	1596	cmd.exe	chcp.com
PID 1596 wrote to memory of 2008	1596	cmd.exe	chcp.com
PID 720 wrote to memory of 4092	720	cmd.exe	chcp.com
PID 720 wrote to memory of 4092	720	cmd.exe	chcp.com
PID 720 wrote to memory of 3612	720	cmd.exe	cmd.exe
PID 720 wrote to memory of 3612	720	cmd.exe	cmd.exe
PID 3612 wrote to memory of 4068	3612	cmd.exe	nig_clicker.exe
PID 3612 wrote to memory of 4068	3612	cmd.exe	nig_clicker.exe
PID 3612 wrote to memory of 4068	3612	cmd.exe	nig_clicker.exe
PID 720 wrote to memory of 3588	720	cmd.exe	chcp.com
PID 720 wrote to memory of 3588	720	cmd.exe	chcp.com

C:\Users\Admin\AppData\Local\Temp\all\clickers\nigclickermp3.exe
"C:\Users\Admin\AppData\Local\Temp\all\clickers\nigclickermp3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D128.tmp\nig_click_obfuscated.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c chcp
3⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\system32\chcp.com
chcp
4⤵
PID:2008

C:\Windows\system32\chcp.com
chcp 708
3⤵
PID:4092

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\D128.tmp\nig_click_obfuscated.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3612

C:\Users\Admin\AppData\Local\Temp\D128.tmp\nig_clicker.exe
nig_clicker.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4068

C:\Windows\system32\chcp.com
chcp 437
3⤵
PID:3588

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D128.tmp\SkeetUI.dll
MD5
368ac15b75350731cb8fb0df29bb0278

SHA1
ff4320baba23e1b8b0053e94baf8441c91b735f0

SHA256
5beb1cabcd7b0c14095819ad4e70884fb5eb1fa5d1b2238d68a6877efc4d2436

SHA512
5140257e3bb77bbe0a919d8a71b5676d1dc9402694eb768ae0365927d2a2a3856883f45ae32051bf4030346cef26e62d31a7e1c0cbf34d4c9b478f22655f526d

Download Submit
C:\Users\Admin\AppData\Local\Temp\D128.tmp\SkeetUI.dll
MD5
368ac15b75350731cb8fb0df29bb0278

SHA1
ff4320baba23e1b8b0053e94baf8441c91b735f0

SHA256
5beb1cabcd7b0c14095819ad4e70884fb5eb1fa5d1b2238d68a6877efc4d2436

SHA512
5140257e3bb77bbe0a919d8a71b5676d1dc9402694eb768ae0365927d2a2a3856883f45ae32051bf4030346cef26e62d31a7e1c0cbf34d4c9b478f22655f526d

Download Submit
C:\Users\Admin\AppData\Local\Temp\D128.tmp\SkeetUI.dll
MD5
368ac15b75350731cb8fb0df29bb0278

SHA1
ff4320baba23e1b8b0053e94baf8441c91b735f0

SHA256
5beb1cabcd7b0c14095819ad4e70884fb5eb1fa5d1b2238d68a6877efc4d2436

SHA512
5140257e3bb77bbe0a919d8a71b5676d1dc9402694eb768ae0365927d2a2a3856883f45ae32051bf4030346cef26e62d31a7e1c0cbf34d4c9b478f22655f526d

Download Submit
C:\Users\Admin\AppData\Local\Temp\D128.tmp\nig_click_obfuscated.bat
MD5
46129fe86da9ed908eb378dd1020cf49

SHA1
0eae2e06129bfca5d569f1c3e0637f43fb67ee86

SHA256
d9ca75dfe0e3444bd73136d6d6fe17e5f06aff9d62ecc67f110a15040f8425f0

SHA512
7812abe84a23dcd83bf0e6f3fa39efb55e14e2e1803e89fea6002c35002c40a85a9cef6e2a940be91dc663425cd8a215ab3282d05add0c87d9ac41213cc0bab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\D128.tmp\nig_clicker.exe
MD5
90f4b55e24d8c49144ff51dc3595afc6

SHA1
e65148006ea938e42685f710c51030d2b1bc06dd

SHA256
45eabf220a915eafcf0e95a77aca95c021c5df105f76eef8c6676cc5134f9ccf

SHA512
d0b349e5dcbd6d0fab2e01c16d5bb4ccee95df3991772cba27ea61de5910fedd08460246e72c3f3821c6fdacf65561125e75cc898ed3522ac980acd226c4837d

Download Submit
C:\Users\Admin\AppData\Local\Temp\D128.tmp\nig_clicker.exe
MD5
90f4b55e24d8c49144ff51dc3595afc6

SHA1
e65148006ea938e42685f710c51030d2b1bc06dd

SHA256
45eabf220a915eafcf0e95a77aca95c021c5df105f76eef8c6676cc5134f9ccf

SHA512
d0b349e5dcbd6d0fab2e01c16d5bb4ccee95df3991772cba27ea61de5910fedd08460246e72c3f3821c6fdacf65561125e75cc898ed3522ac980acd226c4837d

Download Submit
memory/824-144-0x0000020827560000-0x0000020827570000-memory.dmp

Filesize
64KB

Download
memory/824-151-0x0000020829DF0000-0x0000020829DF4000-memory.dmp

Filesize
16KB

Download
memory/824-156-0x0000020829A60000-0x0000020829A61000-memory.dmp

Filesize
4KB

Download
memory/824-155-0x0000020829B60000-0x0000020829B64000-memory.dmp

Filesize
16KB

Download
memory/824-154-0x0000020829B60000-0x0000020829B61000-memory.dmp

Filesize
4KB

Download
memory/824-153-0x0000020829B70000-0x0000020829B74000-memory.dmp

Filesize
16KB

Download
memory/824-145-0x00000208275C0000-0x00000208275D0000-memory.dmp

Filesize
64KB

Download
memory/824-146-0x0000020829B40000-0x0000020829B44000-memory.dmp

Filesize
16KB

Download
memory/824-152-0x0000020829DD0000-0x0000020829DD1000-memory.dmp

Filesize
4KB

Download
memory/1268-160-0x0000024F6F680000-0x0000024F6F681000-memory.dmp

Filesize
4KB

Download
memory/1268-158-0x0000024F6F6C0000-0x0000024F6F6C1000-memory.dmp

Filesize
4KB

Download
memory/1268-157-0x0000024F6F780000-0x0000024F6F784000-memory.dmp

Filesize
16KB

Download
memory/1268-150-0x0000024F6F760000-0x0000024F6F764000-memory.dmp

Filesize
16KB

Download
memory/4068-141-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/4068-147-0x0000000008333000-0x0000000008335000-memory.dmp

Filesize
8KB

Download
memory/4068-133-0x0000000000F60000-0x0000000000FB6000-memory.dmp

Filesize
344KB

Download
memory/4068-143-0x0000000008820000-0x000000000882A000-memory.dmp

Filesize
40KB

Download
memory/4068-136-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

Filesize
4KB

Download
memory/4068-142-0x0000000008330000-0x0000000008331000-memory.dmp

Filesize
4KB

Download
memory/4068-134-0x00000000055A0000-0x0000000005632000-memory.dmp

Filesize
584KB

Download
memory/4068-135-0x0000000005BF0000-0x0000000006194000-memory.dmp

Filesize
5.6MB

Download
memory/4068-140-0x0000000005B30000-0x0000000005B3E000-memory.dmp

Filesize
56KB

Download