Analysis

Max time kernel: 771s
Max time network: 824s
Platform: windows10-2004_x64
Resource: win10v2004-20221111-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 05-12-2022 15:57

Behavioral task behavioral1
Sample: My Nigga.exe
Resource: win7-20220901-en

Behavioral task behavioral2
Sample: My Nigga.exe
Resource: win10v2004-20221111-en
General

Target: My Nigga.exe
Size: 469KB
MD5: 82602aed5a4328fd0f432ac95f05a500
SHA1: 83c7d33c0d034ec89953986d191fe82e5f5ba297
SHA256: fbf0d947bf22491229799e2ddaca2484d24b1cd7e4be6945758a9a153cc98791
SHA512: afef8b35bbedbc91d4f5e196878c1f2f6564da216137e75cb7977e4c4563cf20d927552a722056ab4366bd29096098e3265c42e207e0eb55dbb351167413eaf9
SSDEEP: 12288:umnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSqn9:WiLJbpI7I2WhQqZ7q9
Malware Config

Extracted
Family: remcos
Botnet: PeterObi2023
C2: 76.8.53.133:1198

audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: sdfge.exe
delete_file: false
hide_file: true
hide_keylog_file: false
install_flag: true
install_path: %AppData%
keylog_crypt: false
keylog_file: fghoiuytr.dat
keylog_flag: false
mouse_option: false
mutex: fghjcvbn-UURPOS
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: dfghrtyu
take_screenshot_option: false
take_screenshot_time: 5
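The extracted fields above describe what the implant will leave on a host: with install_flag set, copy_file is written under install_path and startup_value becomes the name of a Run value pointing at that copy, which is exactly the dfghrtyu Run value recorded in the Signatures section. As an added example (not part of the sandbox report and not Remcos code), the script below turns those fields into concrete artifacts and checks them against a constructed Run-key dump and file listing. The expansion of %AppData% to C:\Users\Admin\AppData\Roaming, the snapshot data and all function names are assumptions for illustration.

```python
"""Derive host-side IOCs from the Remcos config extracted above and check
them against a constructed snapshot of a host's Run key and file system.

Added example; not part of the sandbox report and not Remcos code. The
config values are the ones the report extracted; the snapshot data, the
expansion of %AppData% to C:\\Users\\Admin\\AppData\\Roaming and all
function names are assumptions for illustration.
"""
import ntpath

# Subset of the extracted configuration (values from the report).
REMCOS_CONFIG = {
    "c2": "76.8.53.133:1198",
    "copy_file": "sdfge.exe",
    "install_flag": True,
    "install_path": "%AppData%",
    "startup_value": "dfghrtyu",
    "mutex": "fghjcvbn-UURPOS",
    "keylog_flag": False,
    "keylog_file": "fghoiuytr.dat",
}

# Assumed environment expansion for the sandbox user "Admin".
ENV = {"%AppData%": r"C:\Users\Admin\AppData\Roaming"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"


def expand(path: str, env: dict = ENV) -> str:
    """Expand the %VAR% placeholders Remcos uses in its paths."""
    for var, val in env.items():
        path = path.replace(var, val)
    return path


def derive_iocs(cfg: dict, env: dict = ENV) -> dict:
    """Map config fields to the concrete artifacts an infected host shows."""
    host, port = cfg["c2"].rsplit(":", 1)
    iocs = {"c2_host": host, "c2_port": int(port), "mutex": cfg["mutex"]}
    install_dir = expand(cfg["install_path"], env)
    if cfg["install_flag"]:
        installed = ntpath.join(install_dir, cfg["copy_file"])
        iocs["installed_path"] = installed
        iocs["run_value_name"] = cfg["startup_value"]
        # The observed Run value wraps the path in double quotes.
        iocs["run_value_data"] = f'"{installed}"'
    if cfg["keylog_flag"]:
        iocs["keylog_path"] = ntpath.join(install_dir, cfg["keylog_file"])
    return iocs


def check_host(iocs: dict, run_values: dict, files: set) -> list:
    """Return the persistence IOCs found in a Run-key dump and a file list.

    run_values maps value name -> data under RUN_KEY; files is a set of
    existing paths. Comparison is case-insensitive, as on NTFS.
    """
    hits = []
    installed = iocs.get("installed_path")
    if installed is None:
        return hits  # install_flag was false: no persistent copy to look for
    data = run_values.get(iocs["run_value_name"])
    if data is not None and data.strip('"').lower() == installed.lower():
        hits.append(f"Run value {iocs['run_value_name']} = {data}")
    if installed.lower() in {f.lower() for f in files}:
        hits.append(f"file present: {installed}")
    return hits


# Constructed snapshot of an infected host, matching the report's Run key.
SNAPSHOT_RUN = {
    "OneDrive": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "dfghrtyu": r'"C:\Users\Admin\AppData\Roaming\sdfge.exe"',
}
SNAPSHOT_FILES = {
    r"C:\Users\Admin\AppData\Roaming\sdfge.exe",
    r"C:\Users\Admin\AppData\Local\Temp\install.vbs",
}

if __name__ == "__main__":
    found = derive_iocs(REMCOS_CONFIG)
    print("expected C2:", found["c2_host"], found["c2_port"])
    for hit in check_host(found, SNAPSHOT_RUN, SNAPSHOT_FILES):
        print("HIT", hit)
```

On a live host the Run-key dump would come from `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and the file listing from the install directory; the mutex name is only checkable from inside the running session, so it is derived but not matched here.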
Signatures

Executes dropped EXE (1 IoC)
  PID   Process
  2344  sdfge.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
  Description        IoC                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation  My Nigga.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation  WScript.exe

Adds Run key to start application (2 TTPs, 4 IoCs)
  Description      IoC                                                                                                                                                      Process
  Key created      \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run\                                               My Nigga.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dfghrtyu = "\"C:\\Users\\Admin\\AppData\\Roaming\\sdfge.exe\""  My Nigga.exe
  Key created      \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run\                                               sdfge.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dfghrtyu = "\"C:\\Users\\Admin\\AppData\\Roaming\\sdfge.exe\""  sdfge.exe

Suspicious use of SetThreadContext (1 IoC)
  PID 2344 (sdfge.exe) set thread context of PID 4296 (svchost.exe)
Together with the WriteProcessMemory and MapViewOfSection events from the same PID into svchost.exe, this is the sequence used to replace the code of a freshly spawned child and resume it (process hollowing); the 508KB region dumped from PID 4296 at 0x00310000 in the Downloads section is where that written image sits.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic "likely ransomware behaviour" note to this signature; the extracted configuration identifies the sample as the Remcos RAT, so treat the drive enumeration as reconnaissance rather than as evidence of file encryption.

Modifies registry class (1 IoC)
  Description  IoC                                                                                  Process
  Key created  \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings  My Nigga.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  PID   Process
  2344  sdfge.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID   Process
  2344  sdfge.exe

Suspicious use of WriteProcessMemory (13 IoCs)
  Source PID  Source process  Target PID  Target process  Events
  3912        My Nigga.exe    3516        WScript.exe     3
  3516        WScript.exe     3788        cmd.exe         3
  3788        cmd.exe         2344        sdfge.exe       3
  2344        sdfge.exe       4296        svchost.exe     4
Processes

1. C:\Users\Admin\AppData\Local\Temp\My Nigga.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\My Nigga.exe"
   - Checks computer location settings
   - Adds Run key to start application
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      (the 32-bit parent asks for System32; WOW64 file system redirection resolves it to SysWOW64)
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\sdfge.exe"
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\sdfge.exe
            Command line: C:\Users\Admin\AppData\Roaming\sdfge.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of SetThreadContext
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\svchost.exe
               Command line: svchost.exe
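The process tree and the SetThreadContext/WriteProcessMemory signatures together give a detection pattern that does not depend on the file hashes: a binary in a user-writable directory, reached through a script host and cmd.exe, spawns svchost.exe with no service-group arguments and then writes into it and resets its thread context. As an added example (not part of the sandbox report), the script below encodes that pattern over event records constructed from the PIDs, images and command lines shown above. The record layout, the parent PID of the first process, the benign control rows and the allow-list of legitimate svchost.exe parents are assumptions, not a real Sysmon schema.

```python
"""Flag the process-hollowing chain the report shows (sdfge.exe -> svchost.exe)
from process-creation and API events.

Added example, not part of the sandbox report. The records are constructed
from the PIDs, images and command lines in the report; the record layout,
the parent PID of the first process, the benign control rows and the rule
thresholds are assumptions, not a real Sysmon schema.
"""
from collections import defaultdict

USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}
# svchost.exe is normally started by services.exe (assumed allow-list).
SVCHOST_PARENTS = {"services.exe"}

EVENTS = [  # constructed from the report; ppid 1000 for the root is assumed
    {"type": "process", "pid": 3912, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\My Nigga.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\My Nigga.exe"'},
    {"type": "process", "pid": 3516, "ppid": 3912, "image": r"C:\Windows\SysWOW64\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"'},
    {"type": "process", "pid": 3788, "ppid": 3516, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\sdfge.exe"'},
    {"type": "process", "pid": 2344, "ppid": 3788, "image": r"C:\Users\Admin\AppData\Roaming\sdfge.exe",
     "cmdline": r"C:\Users\Admin\AppData\Roaming\sdfge.exe"},
    {"type": "process", "pid": 4296, "ppid": 2344, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": "svchost.exe"},
    {"type": "api", "name": "WriteProcessMemory", "pid": 2344, "target": 4296},
    {"type": "api", "name": "SetThreadContext", "pid": 2344, "target": 4296},
    # Benign control rows (constructed): a real service host started by services.exe.
    {"type": "process", "pid": 600, "ppid": 500, "image": r"C:\Windows\System32\services.exe",
     "cmdline": "services.exe"},
    {"type": "process", "pid": 900, "ppid": 600, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def index_events(events):
    """Split events into a pid -> process map and a (source, target) -> API-name set."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    apis = defaultdict(set)
    for e in events:
        if e["type"] == "api":
            apis[(e["pid"], e["target"])].add(e["name"])
    return procs, apis


def ancestry(procs: dict, pid: int) -> list:
    """Process records from pid up to the root (child first); loop-safe."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain


def svchost_parent_anomalies(events) -> list:
    """(pid, parent image) for every svchost.exe not started by an allowed parent."""
    procs, _ = index_events(events)
    out = []
    for p in procs.values():
        if basename(p["image"]) != "svchost.exe":
            continue
        parent = procs.get(p["ppid"])
        pname = basename(parent["image"]) if parent else "<unknown>"
        if pname not in SVCHOST_PARENTS:
            out.append((p["pid"], pname))
    return out


def hollowing_findings(events) -> list:
    """Injector/target pairs that both wrote memory and reset a thread context."""
    procs, apis = index_events(events)
    findings = []
    for (src, dst), names in apis.items():
        if not {"WriteProcessMemory", "SetThreadContext"} <= names or src not in procs or dst not in procs:
            continue
        injector, target = procs[src], procs[dst]
        reasons = [f"WriteProcessMemory + SetThreadContext from {src} into {dst}"]
        if target["ppid"] == src:
            reasons.append("target is the injector's own child")
        if basename(target["image"]) == "svchost.exe" and basename(injector["image"]) not in SVCHOST_PARENTS:
            reasons.append(f"svchost.exe spawned by {basename(injector['image'])}, not services.exe")
        if basename(target["image"]) == "svchost.exe" and "-k" not in target["cmdline"]:
            reasons.append("svchost.exe started without a -k service group")
        if any(m in injector["image"].lower() for m in USER_WRITABLE):
            reasons.append("injector runs from a user-writable path")
        hosts = [basename(p["image"]) for p in ancestry(procs, src)[1:] if basename(p["image"]) in SCRIPT_HOSTS]
        if hosts:
            reasons.append("injector launched via " + " <- ".join(hosts))
        findings.append({"injector": src, "target": dst, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hollowing_findings(EVENTS):
        print(f"{f['injector']} -> {f['target']}:", *f["reasons"], sep="\n    ")
    print("svchost parent anomalies:", svchost_parent_anomalies(EVENTS))
```

The parent-image check (svchost_parent_anomalies) stands on its own for hosts that only log process creation; the API-level rule adds confidence where Sysmon-style or sandbox telemetry records the cross-process calls, and the control rows show that a service host started by services.exe with a -k group is not flagged.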
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs
  Filesize: 402B
  MD5: 98acdc6ea897431e57cab98ee8203874
  SHA1: 1858e36b790f415f850063b1aa291846a1b4b4b1
  SHA256: e55d508c8f0fbfbb78d556fbd969e1611b95872b8f73f046e7c71c5c2804a50a
  SHA512: ac41f7acb3be653f398066d353120935cc3764fdddb9346fddc6012f1d0e61a3a09a7a434806cab3654c37a1301d637081d921a634b1919b72d4e07e66b38aa7

C:\Users\Admin\AppData\Roaming\sdfge.exe (identical hashes to the submitted sample: the dropper copies itself to install_path as copy_file)
  Filesize: 469KB
  MD5: 82602aed5a4328fd0f432ac95f05a500
  SHA1: 83c7d33c0d034ec89953986d191fe82e5f5ba297
  SHA256: fbf0d947bf22491229799e2ddaca2484d24b1cd7e4be6945758a9a153cc98791
  SHA512: afef8b35bbedbc91d4f5e196878c1f2f6564da216137e75cb7977e4c4563cf20d927552a722056ab4366bd29096098e3265c42e207e0eb55dbb351167413eaf9

Memory dumps
  memory/2344-135-0x0000000000000000-mapping.dmp
  memory/3516-132-0x0000000000000000-mapping.dmp
  memory/3788-134-0x0000000000000000-mapping.dmp
  memory/4296-138-0x0000000000000000-mapping.dmp
  memory/4296-139-0x0000000000310000-0x000000000038F000-memory.dmp
    Filesize: 508KB