8c39d4cd55fe88cb11b1968c3ea58d81dea2e9bc851bb2eeb11aa6a76a5d515b

Analysis

max time kernel
117s
max time network
133s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
31/08/2023, 23:17

Target

nigger2.exe
Size

90KB
MD5

b766966665ff8c270d3954390a51f07f
SHA1

a733693a6a681e94058f36d96cb88a5e81aa5d31
SHA256

8c39d4cd55fe88cb11b1968c3ea58d81dea2e9bc851bb2eeb11aa6a76a5d515b
SHA512

5084b2083cb0a7fad2ca69228f8090bd70bc14826bf179754dcc3b48b20ee3c7d3400e90f6a92412ac1eec4cfe9bd826d0b84cf5a798b3e8e27bff885366c476
SSDEEP

1536:z7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfVwRrQOB:v7DhdC6kzWypvaQ0FxyNTBfVO

Score

1^/10

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1964	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1964	powershell.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 2688	1348	nigger2.exe	29
PID 1348 wrote to memory of 2688	1348	nigger2.exe	29
PID 1348 wrote to memory of 2688	1348	nigger2.exe	29
PID 1348 wrote to memory of 2688	1348	nigger2.exe	29
PID 2688 wrote to memory of 1964	2688	cmd.exe	30
PID 2688 wrote to memory of 1964	2688	cmd.exe	30
PID 2688 wrote to memory of 1964	2688	cmd.exe	30

C:\Users\Admin\AppData\Local\Temp\nigger2.exe
"C:\Users\Admin\AppData\Local\Temp\nigger2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\91C4.tmp\91C5.tmp\91C6.bat C:\Users\Admin\AppData\Local\Temp\nigger2.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Expand-Archive -Path 'botnet.zip' -DestinationPath 'C:\Users\Admin\Desktop'"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1964

C:\Users\Admin\AppData\Local\Temp\91C4.tmp\91C5.tmp\91C6.bat

Filesize
1KB

MD5
b3fa127b332c25f85cbc3804e722c899

SHA1
c08bd08976c6cc36a916fa179e6e51f1edc4c3e7

SHA256
eaf8cf2c559154fbd1b8e6689119fd5877e841c6e9ae2c3a92b460d064571d19

SHA512
1574127a99e82f7e06cd96ea69ed1cebe93d32fdf6383a93faa13ec3cb5218db3504d2ce27ea71c8a1a29c6b325ff6b400e42f85833365f1c2b91960c05d695a

Download Submit
memory/1964-6-0x000000001B270000-0x000000001B552000-memory.dmp

Filesize
2.9MB

Download
memory/1964-8-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp

Filesize
9.6MB

Download
memory/1964-7-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/1964-9-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp

Filesize
9.6MB

Download
memory/1964-10-0x0000000002860000-0x00000000028E0000-memory.dmp

Filesize
512KB

Download
memory/1964-11-0x0000000002860000-0x00000000028E0000-memory.dmp

Filesize
512KB

Download
memory/1964-12-0x0000000002860000-0x00000000028E0000-memory.dmp

Filesize
512KB

Download
memory/1964-13-0x000007FEF5BE0000-0x000007FEF657D000-memory.dmp

Filesize
9.6MB

Download