Analysis
- max time kernel: 599s
- max time network: 580s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 05-12-2022 15:57
Behavioral task: behavioral1
- Sample: My Nigga.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: My Nigga.exe
- Resource: win10v2004-20221111-en
General
- Target: My Nigga.exe
- Size: 469KB
- MD5: 82602aed5a4328fd0f432ac95f05a500
- SHA1: 83c7d33c0d034ec89953986d191fe82e5f5ba297
- SHA256: fbf0d947bf22491229799e2ddaca2484d24b1cd7e4be6945758a9a153cc98791
- SHA512: afef8b35bbedbc91d4f5e196878c1f2f6564da216137e75cb7977e4c4563cf20d927552a722056ab4366bd29096098e3265c42e207e0eb55dbb351167413eaf9
- SSDEEP: 12288:umnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSqn9:WiLJbpI7I2WhQqZ7q9
Malware Config
Extracted
- Family: remcos
- Botnet: PeterObi2023
- C2: 76.8.53.133:1198
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: sdfge.exe
- delete_file: false
- hide_file: true
- hide_keylog_file: false
- install_flag: true
- install_path: %AppData%
- keylog_crypt: false
- keylog_file: fghoiuytr.dat
- keylog_flag: false
- mouse_option: false
- mutex: fghjcvbn-UURPOS
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: dfghrtyu
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- Executes dropped EXE (1 IoC)
  Processes: sdfge.exe
  pid 1520  process sdfge.exe
- Loads dropped DLL (2 IoCs)
  Processes: cmd.exe
  pid 580  process cmd.exe (2 events)
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: sdfge.exe, My Nigga.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | sdfge.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\dfghrtyu = "\"C:\\Users\\Admin\\AppData\\Roaming\\sdfge.exe\"" | sdfge.exe
  Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | My Nigga.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\dfghrtyu = "\"C:\\Users\\Admin\\AppData\\Roaming\\sdfge.exe\"" | My Nigga.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: sdfge.exe
  description | pid | process | target process
  PID 1520 set thread context of 584 | 1520 | sdfge.exe | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: sdfge.exe
  pid 1520  process sdfge.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: sdfge.exe
  pid 1520  process sdfge.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes: My Nigga.exe, WScript.exe, cmd.exe, sdfge.exe
  description | pid | process | target process
  PID 1204 wrote to memory of 1088 | 1204 | My Nigga.exe | WScript.exe (4 events)
  PID 1088 wrote to memory of 580 | 1088 | WScript.exe | cmd.exe (4 events)
  PID 580 wrote to memory of 1520 | 580 | cmd.exe | sdfge.exe (4 events)
  PID 1520 wrote to memory of 584 | 1520 | sdfge.exe | svchost.exe (5 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\My Nigga.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\My Nigga.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\sdfge.exe"
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\sdfge.exe
            Command line: C:\Users\Admin\AppData\Roaming\sdfge.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\svchost.exe
               Command line: svchost.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\install.vbs
  Filesize: 402B
  MD5: 98acdc6ea897431e57cab98ee8203874
  SHA1: 1858e36b790f415f850063b1aa291846a1b4b4b1
  SHA256: e55d508c8f0fbfbb78d556fbd969e1611b95872b8f73f046e7c71c5c2804a50a
  SHA512: ac41f7acb3be653f398066d353120935cc3764fdddb9346fddc6012f1d0e61a3a09a7a434806cab3654c37a1301d637081d921a634b1919b72d4e07e66b38aa7
- C:\Users\Admin\AppData\Roaming\sdfge.exe
  Filesize: 469KB
  MD5: 82602aed5a4328fd0f432ac95f05a500
  SHA1: 83c7d33c0d034ec89953986d191fe82e5f5ba297
  SHA256: fbf0d947bf22491229799e2ddaca2484d24b1cd7e4be6945758a9a153cc98791
  SHA512: afef8b35bbedbc91d4f5e196878c1f2f6564da216137e75cb7977e4c4563cf20d927552a722056ab4366bd29096098e3265c42e207e0eb55dbb351167413eaf9
- \Users\Admin\AppData\Roaming\sdfge.exe
  Filesize: 469KB
  MD5: 82602aed5a4328fd0f432ac95f05a500
  SHA1: 83c7d33c0d034ec89953986d191fe82e5f5ba297
  SHA256: fbf0d947bf22491229799e2ddaca2484d24b1cd7e4be6945758a9a153cc98791
  SHA512: afef8b35bbedbc91d4f5e196878c1f2f6564da216137e75cb7977e4c4563cf20d927552a722056ab4366bd29096098e3265c42e207e0eb55dbb351167413eaf9
- memory/580-58-0x0000000000000000-mapping.dmp
- memory/584-65-0x00000000000B27A4-mapping.dmp
- memory/584-67-0x0000000000080000-0x00000000000FF000-memory.dmp
  Filesize: 508KB
- memory/1088-55-0x0000000000000000-mapping.dmp
- memory/1204-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp
  Filesize: 8KB
- memory/1520-62-0x0000000000000000-mapping.dmp