Analysis

  • max time kernel
    55s
  • max time network
    37s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-03-2023 19:13

General

  • Target

    nigga.exe

  • Size

    48.1MB

  • MD5

    829e376db81019bac6fabbaa3db13650

  • SHA1

    1396d6d2471e0429e95776245c010ee2f8c6b784

  • SHA256

    64beb19dbd3b8dfbfbba01c0ce8731df0b4f140647975a34ba70e2698e39288b

  • SHA512

    438741699839edf63644b5da0f8d75a1cf139730d536be1b802f79108406509d889dac74d93b15ed7209af63535cbd31bf0f450cdd7ce6c0f50997ab112f8f0c

  • SSDEEP

    393216:JQhxAlnOFkxdb74/m3psp7QfR/pdRp5Z1wGTu:OMlOqxdH4KsW1pwuu

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 9 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Drops file in System32 directory 6 IoCs
  • Detects Pyinstaller 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\nigga.exe
    "C:\Users\Admin\AppData\Local\Temp\nigga.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\SysWOW64\notepad.exe
      notepad
      2⤵
      • Adds Run key to start application
      • Drops file in System32 directory
      PID:936
    • C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp\nigga.exe" +s +h
      2⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:2028
    • C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      2⤵
      • Sets file to hidden
      • Views/modifies file attributes
      PID:1980
    • C:\Users\Admin\AppData\Local\Temp\CLIENT.EXE
      "C:\Users\Admin\AppData\Local\Temp\CLIENT.EXE"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1508
      • C:\Users\Admin\AppData\Local\Temp\CLIENT.EXE
        "C:\Users\Admin\AppData\Local\Temp\CLIENT.EXE"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1584
    • C:\Users\Admin\AppData\Local\Temp\TINTSERVICESSWOOFER.EXE
      "C:\Users\Admin\AppData\Local\Temp\TINTSERVICESSWOOFER.EXE"
      2⤵
      • Executes dropped EXE
      PID:760
    • C:\Windows\SysWOW64\Windupdt\winupdate.exe
      "C:\Windows\system32\Windupdt\winupdate.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:984
      • C:\Windows\SysWOW64\notepad.exe
        notepad
        3⤵
        • Adds Run key to start application
        • Drops file in System32 directory
        PID:824
    • C:\Windows\SysWOW64\notepad.exe
      C:\Windows\SysWOW64\notepad.exe
      2⤵
      • Deletes itself
      PID:1996

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

  • Winlogon Helper DLL (T1004): 1
  • Hidden Files and Directories (T1158): 2
  • Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion

  • Modify Registry (T1112): 2
  • Hidden Files and Directories (T1158): 2

Discovery

  • System Information Discovery (T1082): 1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\CLIENT.EXE
    Filesize

    47.1MB

    MD5

    866e581e6167c84f6cd58cf8f7672bda

    SHA1

    ff49649fc163367c0a0d359dd01c8d28ff1a2ec2

    SHA256

    eb523644f09f2aee53069863cd02e8220507d6a36ae9e0c2cd48e22be4ba5dcb

    SHA512

    0277a8c17ad1aed7e9bca658da1e3c2875190a6fda399287620653c30cbbb74b93553b32315709716846acf9f68868c14156f31f2257707381ffca42fcb33d6b

  • C:\Users\Admin\AppData\Local\Temp\TINTSERVICESSWOOFER.EXE
    Filesize

    405KB

    MD5

    57b88c75442b008e53a23d2e8fe0cc30

    SHA1

    0e520fdd1484e74b2368a57d888434b57f5dbf80

    SHA256

    bd86538c6e4ae7668c120ef18580651123eb2ab4b3fd13bb0c498cb719202bfd

    SHA512

    a955ccb44728d3892f38434c0eb827830140697f15eb464a4a35a6d2a96faebc254c62d48dfd548433e1466cbd429695cfb5e00429300ba28df212a904020b1c

  • C:\Users\Admin\AppData\Local\Temp\_MEI15082\python310.dll
    Filesize

    1.5MB

    MD5

    d366db026edf7875a5e3d0cf42808148

    SHA1

    fc60d2581c4cdb4f240d8769dc5154b1f48e616d

    SHA256

    6d70ac2367a5794aea069883c12261694755b79454337afbce4f672930652d7f

    SHA512

    479397f006cc943b61c11e229e22433fc2e0b3446359d0ea7f7b8882f953a1f1453920ccf6a674b1f076af316562573825cff33c23d6e7e0abc142b832377153

  • C:\Windows\SysWOW64\Windupdt\winupdate.exe
    Filesize

    48.1MB

    MD5

    829e376db81019bac6fabbaa3db13650

    SHA1

    1396d6d2471e0429e95776245c010ee2f8c6b784

    SHA256

    64beb19dbd3b8dfbfbba01c0ce8731df0b4f140647975a34ba70e2698e39288b

    SHA512

    438741699839edf63644b5da0f8d75a1cf139730d536be1b802f79108406509d889dac74d93b15ed7209af63535cbd31bf0f450cdd7ce6c0f50997ab112f8f0c

  • \Users\Admin\AppData\Local\Temp\CLIENT.EXE
    Filesize

    47.1MB

    MD5

    866e581e6167c84f6cd58cf8f7672bda

    SHA1

    ff49649fc163367c0a0d359dd01c8d28ff1a2ec2

    SHA256

    eb523644f09f2aee53069863cd02e8220507d6a36ae9e0c2cd48e22be4ba5dcb

    SHA512

    0277a8c17ad1aed7e9bca658da1e3c2875190a6fda399287620653c30cbbb74b93553b32315709716846acf9f68868c14156f31f2257707381ffca42fcb33d6b

  • \Users\Admin\AppData\Local\Temp\TINTSERVICESSWOOFER.EXE
    Filesize

    405KB

    MD5

    57b88c75442b008e53a23d2e8fe0cc30

    SHA1

    0e520fdd1484e74b2368a57d888434b57f5dbf80

    SHA256

    bd86538c6e4ae7668c120ef18580651123eb2ab4b3fd13bb0c498cb719202bfd

    SHA512

    a955ccb44728d3892f38434c0eb827830140697f15eb464a4a35a6d2a96faebc254c62d48dfd548433e1466cbd429695cfb5e00429300ba28df212a904020b1c

  • \Users\Admin\AppData\Local\Temp\_MEI15082\python310.dll
    Filesize

    1.5MB

    MD5

    d366db026edf7875a5e3d0cf42808148

    SHA1

    fc60d2581c4cdb4f240d8769dc5154b1f48e616d

    SHA256

    6d70ac2367a5794aea069883c12261694755b79454337afbce4f672930652d7f

    SHA512

    479397f006cc943b61c11e229e22433fc2e0b3446359d0ea7f7b8882f953a1f1453920ccf6a674b1f076af316562573825cff33c23d6e7e0abc142b832377153

  • \Windows\SysWOW64\Windupdt\winupdate.exe
    Filesize

    48.1MB

    MD5

    829e376db81019bac6fabbaa3db13650

    SHA1

    1396d6d2471e0429e95776245c010ee2f8c6b784

    SHA256

    64beb19dbd3b8dfbfbba01c0ce8731df0b4f140647975a34ba70e2698e39288b

    SHA512

    438741699839edf63644b5da0f8d75a1cf139730d536be1b802f79108406509d889dac74d93b15ed7209af63535cbd31bf0f450cdd7ce6c0f50997ab112f8f0c

  • memory/760-157-0x000000013F350000-0x000000013F3D5000-memory.dmp
    Filesize

    532KB

  • memory/936-55-0x0000000000080000-0x0000000000081000-memory.dmp
    Filesize

    4KB

  • memory/936-75-0x0000000000460000-0x0000000000461000-memory.dmp
    Filesize

    4KB

  • memory/984-236-0x0000000000260000-0x0000000000261000-memory.dmp
    Filesize

    4KB

  • memory/1584-241-0x000007FEF6310000-0x000007FEF677F000-memory.dmp
    Filesize

    4.4MB

  • memory/1724-145-0x0000000003260000-0x00000000032E5000-memory.dmp
    Filesize

    532KB

  • memory/1724-130-0x0000000013140000-0x0000000016169000-memory.dmp
    Filesize

    48.2MB

  • memory/1724-79-0x0000000000240000-0x0000000000241000-memory.dmp
    Filesize

    4KB

  • memory/1724-232-0x0000000013140000-0x0000000016169000-memory.dmp
    Filesize

    48.2MB

  • memory/1996-229-0x0000000000340000-0x0000000000341000-memory.dmp
    Filesize

    4KB