d162f51c1531eb9dec3a3b88738553b3cdcf97e5b62d08773cfc726c7cb0cbbb

Analysis

max time kernel
151s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d162f51c1531eb9dec3a3b88738553b3cdcf97e5b62d08773cfc726c7cb0cbbb.exe
Size

232KB
MD5

7dbd2076778f171a0887e5dcffa5bb70
SHA1

97832362f3e8c81522c7b8516715921b3bc66ffe
SHA256

d162f51c1531eb9dec3a3b88738553b3cdcf97e5b62d08773cfc726c7cb0cbbb
SHA512

7149c0239dd18d9aebc8dd7b7c947dfdecfc2a9270c05d05e37a31d3608c13bdfce30920a5349967fd6c88197a11fc4526cb17de3281d5bb6199fb176f43ee68
SSDEEP

6144:oyN3PFKs78vpRTlEqxF6snji81RUinKbLq+:FPhpL

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	d162f51c1531eb9dec3a3b88738553b3cdcf97e5b62d08773cfc726c7cb0cbbb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	niiiqu.exe

Executes dropped EXE 1 IoCs

pid	Process
1548	niiiqu.exe

Loads dropped DLL 2 IoCs

pid	Process
1452	d162f51c1531eb9dec3a3b88738553b3cdcf97e5b62d08773cfc726c7cb0cbbb.exe
1452	d162f51c1531eb9dec3a3b88738553b3cdcf97e5b62d08773cfc726c7cb0cbbb.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\niiiqu = "C:\\Users\\Admin\\niiiqu.exe /i"	niiiqu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\niiiqu = "C:\\Users\\Admin\\niiiqu.exe /g"	niiiqu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\niiiqu = "C:\\Users\\Admin\\niiiqu.exe /p"	niiiqu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\niiiqu = "C:\\Users\\Admin\\niiiqu.exe /k"	niiiqu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\niiiqu = "C:\\Users\\Admin\\niiiqu.exe /t"	niiiqu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\niiiqu = "C:\\Users\\Admin\\niiiqu.exe /a"	niiiqu.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	d162f51c1531eb9dec3a3b88738553b3cdcf97e5b62d08773cfc726c7cb0cbbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\niiiqu = "C:\\Users\\Admin\\niiiqu.exe /q"	niiiqu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\niiiqu = "C:\\Users\\Admin\\niiiqu.exe /o"	d162f51c1531eb9dec3a3b88738553b3cdcf97e5b62d08773cfc726c7cb0cbbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\niiiqu = "C:\\Users\\Admin\\niiiqu.exe /s"	niiiqu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\niiiqu = "C:\\Users\\Admin\\niiiqu.exe /x"	niiiqu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\niiiqu = "C:\\Users\\Admin\\niiiqu.exe /l"	niiiqu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\niiiqu = "C:\\Users\\Admin\\niiiqu.exe /y"	niiiqu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\niiiqu = "C:\\Users\\Admin\\niiiqu.exe /n"	niiiqu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\niiiqu = "C:\\Users\\Admin\\niiiqu.exe /e"	niiiqu.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\	niiiqu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\niiiqu = "C:\\Users\\Admin\\niiiqu.exe /b"	niiiqu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\niiiqu = "C:\\Users\\Admin\\niiiqu.exe /u"	niiiqu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\niiiqu = "C:\\Users\\Admin\\niiiqu.exe /w"	niiiqu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\niiiqu = "C:\\Users\\Admin\\niiiqu.exe /h"	niiiqu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\niiiqu = "C:\\Users\\Admin\\niiiqu.exe /m"	niiiqu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\niiiqu = "C:\\Users\\Admin\\niiiqu.exe /f"	niiiqu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\niiiqu = "C:\\Users\\Admin\\niiiqu.exe /r"	niiiqu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\niiiqu = "C:\\Users\\Admin\\niiiqu.exe /j"	niiiqu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\niiiqu = "C:\\Users\\Admin\\niiiqu.exe /c"	niiiqu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\niiiqu = "C:\\Users\\Admin\\niiiqu.exe /z"	niiiqu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\niiiqu = "C:\\Users\\Admin\\niiiqu.exe /v"	niiiqu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\niiiqu = "C:\\Users\\Admin\\niiiqu.exe /o"	niiiqu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\niiiqu = "C:\\Users\\Admin\\niiiqu.exe /d"	niiiqu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1452	d162f51c1531eb9dec3a3b88738553b3cdcf97e5b62d08773cfc726c7cb0cbbb.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe
1548	niiiqu.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1452	d162f51c1531eb9dec3a3b88738553b3cdcf97e5b62d08773cfc726c7cb0cbbb.exe
1548	niiiqu.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 1548	1452	d162f51c1531eb9dec3a3b88738553b3cdcf97e5b62d08773cfc726c7cb0cbbb.exe	26
PID 1452 wrote to memory of 1548	1452	d162f51c1531eb9dec3a3b88738553b3cdcf97e5b62d08773cfc726c7cb0cbbb.exe	26
PID 1452 wrote to memory of 1548	1452	d162f51c1531eb9dec3a3b88738553b3cdcf97e5b62d08773cfc726c7cb0cbbb.exe	26
PID 1452 wrote to memory of 1548	1452	d162f51c1531eb9dec3a3b88738553b3cdcf97e5b62d08773cfc726c7cb0cbbb.exe	26

C:\Users\Admin\AppData\Local\Temp\d162f51c1531eb9dec3a3b88738553b3cdcf97e5b62d08773cfc726c7cb0cbbb.exe
"C:\Users\Admin\AppData\Local\Temp\d162f51c1531eb9dec3a3b88738553b3cdcf97e5b62d08773cfc726c7cb0cbbb.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Users\Admin\niiiqu.exe
  "C:\Users\Admin\niiiqu.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\niiiqu.exe

Filesize
232KB

MD5
396cc035ed68ea01dfc6a5c501a52bcc

SHA1
b45097b54b13dba21caa6f2b10155574394f1777

SHA256
f50d43b65ac43443df3affba598e701200440a41eca5efafbb7f0e95820c8c91

SHA512
3e86ce8ae90166abccfc5c16fb354f53674085a8be84f59ee719c8271cc683b7a53745507b536d0859d18c5e67c30b09e498c699ee9e9d88350e93c60f03b2e3

Download Submit
C:\Users\Admin\niiiqu.exe

Filesize
232KB

MD5
396cc035ed68ea01dfc6a5c501a52bcc

SHA1
b45097b54b13dba21caa6f2b10155574394f1777

SHA256
f50d43b65ac43443df3affba598e701200440a41eca5efafbb7f0e95820c8c91

SHA512
3e86ce8ae90166abccfc5c16fb354f53674085a8be84f59ee719c8271cc683b7a53745507b536d0859d18c5e67c30b09e498c699ee9e9d88350e93c60f03b2e3

Download Submit
\Users\Admin\niiiqu.exe

Filesize
232KB

MD5
396cc035ed68ea01dfc6a5c501a52bcc

SHA1
b45097b54b13dba21caa6f2b10155574394f1777

SHA256
f50d43b65ac43443df3affba598e701200440a41eca5efafbb7f0e95820c8c91

SHA512
3e86ce8ae90166abccfc5c16fb354f53674085a8be84f59ee719c8271cc683b7a53745507b536d0859d18c5e67c30b09e498c699ee9e9d88350e93c60f03b2e3

Download Submit
\Users\Admin\niiiqu.exe

Filesize
232KB

MD5
396cc035ed68ea01dfc6a5c501a52bcc

SHA1
b45097b54b13dba21caa6f2b10155574394f1777

SHA256
f50d43b65ac43443df3affba598e701200440a41eca5efafbb7f0e95820c8c91

SHA512
3e86ce8ae90166abccfc5c16fb354f53674085a8be84f59ee719c8271cc683b7a53745507b536d0859d18c5e67c30b09e498c699ee9e9d88350e93c60f03b2e3

Download Submit
memory/1452-56-0x0000000075041000-0x0000000075043000-memory.dmp

Filesize
8KB

Download
memory/1548-59-0x0000000000000000-mapping.dmp

Download