Analysis
-
max time kernel
143s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
21-07-2023 22:21
General
-
Target
Loader_Nightlight.exe
-
Size
560KB
-
MD5
eefd263f90538d866981daf683424b86
-
SHA1
639363e932b7aaa41a3d1fcef7c27831ec7755ec
-
SHA256
8d84e7d51995e229844e3375b91e31b12c5f413e0fa8ff369cb54355fe05f6c5
-
SHA512
aa12579fb7cfa8225d4c36dd1b022edbe78cc2924de9053bfdb238a3698beb9542cefaf137806f86d46c07ae45cb203d8c18b9bf2893e1b6b57f4cd7d99e8fd2
-
SSDEEP
12288:n8sCZLdC/jGiKcT063eR7RHWm3CJF8zyw:89LdpiPiR757348zy
Score
8/10
Malware Config
Signatures
-
Stops running service(s) 3 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Launches sc.exe 9 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 36 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 36 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Loader_Nightlight.exe"C:\Users\Admin\AppData\Local\Temp\Loader_Nightlight.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mode con cols=55 lines=152⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mode.commode con cols=55 lines=153⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mode con cols=55 lines=152⤵
-
C:\Windows\system32\mode.commode con cols=55 lines=153⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader_Nightlight.exe" MD52⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\certutil.execertutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Loader_Nightlight.exe" MD53⤵
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mode con cols=70 lines=222⤵
-
C:\Windows\system32\mode.commode con cols=70 lines=223⤵
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&12⤵
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM HTTPDebuggerSvc.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro1⤵
- Launches sc.exe
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵