91cd8bfbe714acc43beff32856c3d56ded48706d3c92c492a1acb994b606003b

Analysis

max time kernel
1789s
max time network
1818s
platform
windows7_x64
resource
win7-en-20211208
submitted
16-02-2022 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

all/clickers/nigclickermp3.exe
Size

154KB
MD5

c54431007e22486b5f6f6dab618224e1
SHA1

6ea6d21f22c0350541ca9e1e48bc20a571e33dc4
SHA256

131bd4e3170c5c87cafa632cfec7eb7281490b00c292dcde95e770752d7272ad
SHA512

b63d396af593b26538226e5940b3e18479dbc84c60f6ea0148969ca67b810b102cbdf44b06033513cdc7ba7b868ff94c0c4df4d586f7a2cd3b9ed6ed819bdeb4

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

nig_clicker.exe

pid process

1304 nig_clicker.exe
Loads dropped DLL 2 IoCs

Processes:

nig_clicker.exe

pid process

1304 nig_clicker.exe
1304 nig_clicker.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

nig_clicker.exe

pid process

1304 nig_clicker.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nig_clicker.exe

description pid process

Token: SeDebugPrivilege 1304 nig_clicker.exe

pid	process
1304	nig_clicker.exe

pid	process
1304	nig_clicker.exe
1304	nig_clicker.exe

pid	process
1304	nig_clicker.exe

description	pid	process
Token: SeDebugPrivilege	1304	nig_clicker.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

nigclickermp3.execmd.execmd.execmd.exe

description	pid	process	target process
PID 580 wrote to memory of 780	580	nigclickermp3.exe	cmd.exe
PID 580 wrote to memory of 780	580	nigclickermp3.exe	cmd.exe
PID 580 wrote to memory of 780	580	nigclickermp3.exe	cmd.exe
PID 780 wrote to memory of 1468	780	cmd.exe	cmd.exe
PID 780 wrote to memory of 1468	780	cmd.exe	cmd.exe
PID 780 wrote to memory of 1468	780	cmd.exe	cmd.exe
PID 1468 wrote to memory of 1672	1468	cmd.exe	chcp.com
PID 1468 wrote to memory of 1672	1468	cmd.exe	chcp.com
PID 1468 wrote to memory of 1672	1468	cmd.exe	chcp.com
PID 780 wrote to memory of 984	780	cmd.exe	chcp.com
PID 780 wrote to memory of 984	780	cmd.exe	chcp.com
PID 780 wrote to memory of 984	780	cmd.exe	chcp.com
PID 780 wrote to memory of 696	780	cmd.exe	cmd.exe
PID 780 wrote to memory of 696	780	cmd.exe	cmd.exe
PID 780 wrote to memory of 696	780	cmd.exe	cmd.exe
PID 696 wrote to memory of 1304	696	cmd.exe	nig_clicker.exe
PID 696 wrote to memory of 1304	696	cmd.exe	nig_clicker.exe
PID 696 wrote to memory of 1304	696	cmd.exe	nig_clicker.exe
PID 696 wrote to memory of 1304	696	cmd.exe	nig_clicker.exe
PID 780 wrote to memory of 2016	780	cmd.exe	chcp.com
PID 780 wrote to memory of 2016	780	cmd.exe	chcp.com
PID 780 wrote to memory of 2016	780	cmd.exe	chcp.com

C:\Users\Admin\AppData\Local\Temp\all\clickers\nigclickermp3.exe
"C:\Users\Admin\AppData\Local\Temp\all\clickers\nigclickermp3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DF5.tmp\nig_click_obfuscated.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c chcp
3⤵
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\system32\chcp.com
chcp
4⤵
PID:1672

C:\Windows\system32\chcp.com
chcp 708
3⤵
PID:984

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DF5.tmp\nig_click_obfuscated.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:696

C:\Users\Admin\AppData\Local\Temp\DF5.tmp\nig_clicker.exe
nig_clicker.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Windows\system32\chcp.com
chcp 437
3⤵
PID:2016

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DF5.tmp\SkeetUI.dll
MD5
368ac15b75350731cb8fb0df29bb0278

SHA1
ff4320baba23e1b8b0053e94baf8441c91b735f0

SHA256
5beb1cabcd7b0c14095819ad4e70884fb5eb1fa5d1b2238d68a6877efc4d2436

SHA512
5140257e3bb77bbe0a919d8a71b5676d1dc9402694eb768ae0365927d2a2a3856883f45ae32051bf4030346cef26e62d31a7e1c0cbf34d4c9b478f22655f526d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF5.tmp\nig_click_obfuscated.bat
MD5
46129fe86da9ed908eb378dd1020cf49

SHA1
0eae2e06129bfca5d569f1c3e0637f43fb67ee86

SHA256
d9ca75dfe0e3444bd73136d6d6fe17e5f06aff9d62ecc67f110a15040f8425f0

SHA512
7812abe84a23dcd83bf0e6f3fa39efb55e14e2e1803e89fea6002c35002c40a85a9cef6e2a940be91dc663425cd8a215ab3282d05add0c87d9ac41213cc0bab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF5.tmp\nig_clicker.exe
MD5
90f4b55e24d8c49144ff51dc3595afc6

SHA1
e65148006ea938e42685f710c51030d2b1bc06dd

SHA256
45eabf220a915eafcf0e95a77aca95c021c5df105f76eef8c6676cc5134f9ccf

SHA512
d0b349e5dcbd6d0fab2e01c16d5bb4ccee95df3991772cba27ea61de5910fedd08460246e72c3f3821c6fdacf65561125e75cc898ed3522ac980acd226c4837d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF5.tmp\nig_clicker.exe
MD5
90f4b55e24d8c49144ff51dc3595afc6

SHA1
e65148006ea938e42685f710c51030d2b1bc06dd

SHA256
45eabf220a915eafcf0e95a77aca95c021c5df105f76eef8c6676cc5134f9ccf

SHA512
d0b349e5dcbd6d0fab2e01c16d5bb4ccee95df3991772cba27ea61de5910fedd08460246e72c3f3821c6fdacf65561125e75cc898ed3522ac980acd226c4837d

Download Submit
\Users\Admin\AppData\Local\Temp\DF5.tmp\SkeetUI.dll
MD5
368ac15b75350731cb8fb0df29bb0278

SHA1
ff4320baba23e1b8b0053e94baf8441c91b735f0

SHA256
5beb1cabcd7b0c14095819ad4e70884fb5eb1fa5d1b2238d68a6877efc4d2436

SHA512
5140257e3bb77bbe0a919d8a71b5676d1dc9402694eb768ae0365927d2a2a3856883f45ae32051bf4030346cef26e62d31a7e1c0cbf34d4c9b478f22655f526d

Download Submit
\Users\Admin\AppData\Local\Temp\DF5.tmp\SkeetUI.dll
MD5
368ac15b75350731cb8fb0df29bb0278

SHA1
ff4320baba23e1b8b0053e94baf8441c91b735f0

SHA256
5beb1cabcd7b0c14095819ad4e70884fb5eb1fa5d1b2238d68a6877efc4d2436

SHA512
5140257e3bb77bbe0a919d8a71b5676d1dc9402694eb768ae0365927d2a2a3856883f45ae32051bf4030346cef26e62d31a7e1c0cbf34d4c9b478f22655f526d

Download Submit
memory/580-55-0x000007FEFBAE1000-0x000007FEFBAE3000-memory.dmp

Filesize
8KB

Download
memory/1304-60-0x0000000000240000-0x0000000000296000-memory.dmp

Filesize
344KB

Download
memory/1304-61-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1304-62-0x00000000072E0000-0x00000000072E1000-memory.dmp

Filesize
4KB

Download
memory/1304-59-0x00000000744CE000-0x00000000744CF000-memory.dmp

Filesize
4KB

Download
memory/1304-66-0x0000000000360000-0x000000000036E000-memory.dmp

Filesize
56KB

Download
memory/1304-67-0x00000000072E5000-0x00000000072F6000-memory.dmp

Filesize
68KB

Download