d48517838c4854729916b60f6c5fc84e9d6651787dbda8228ba63b30d6b84861

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/02/2024, 05:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a10c263af6e8182dad8405fcfcf5fb5f.exe
Size

296KB
MD5

a10c263af6e8182dad8405fcfcf5fb5f
SHA1

f6b5cf994351983a354ab630e2b3d7923a22d19d
SHA256

d48517838c4854729916b60f6c5fc84e9d6651787dbda8228ba63b30d6b84861
SHA512

0f71fa5a321f1dd233dfa515425f3013d6273d9d36ab21d1e2bc5eadfdbb8efab744bd47ab267fe53c858a765d41613e315a3c5d53e9d96809092cf849770bab
SSDEEP

3072:XcDwo2q+sg+swlSN9BkPFzW85u9ututumuOu+uxuOugujuju9u9ugu9uPuTu6utE:XFq+sg+s

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	nifih.exe

Executes dropped EXE 1 IoCs

pid	Process
2444	nifih.exe

Loads dropped DLL 2 IoCs

pid	Process
1580	a10c263af6e8182dad8405fcfcf5fb5f.exe
1580	a10c263af6e8182dad8405fcfcf5fb5f.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /h"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /l"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /P"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /G"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /r"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /U"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /q"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /R"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /W"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /C"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /I"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /m"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /Q"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /B"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /X"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /Y"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /i"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /w"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /e"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /s"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /S"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /M"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /A"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /x"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /t"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /f"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /F"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /V"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /K"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /Z"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /g"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /E"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /J"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /L"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /b"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /c"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /n"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /T"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /a"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /p"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /y"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /j"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /D"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /z"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /H"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /v"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /O"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /u"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /o"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /k"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /d"	nifih.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\nifih = "C:\\Users\\Admin\\nifih.exe /N"	nifih.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe
2444	nifih.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1580	a10c263af6e8182dad8405fcfcf5fb5f.exe
2444	nifih.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 2444	1580	a10c263af6e8182dad8405fcfcf5fb5f.exe	28
PID 1580 wrote to memory of 2444	1580	a10c263af6e8182dad8405fcfcf5fb5f.exe	28
PID 1580 wrote to memory of 2444	1580	a10c263af6e8182dad8405fcfcf5fb5f.exe	28
PID 1580 wrote to memory of 2444	1580	a10c263af6e8182dad8405fcfcf5fb5f.exe	28
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1
PID 2444 wrote to memory of 1580	2444	nifih.exe	1

C:\Users\Admin\AppData\Local\Temp\a10c263af6e8182dad8405fcfcf5fb5f.exe
"C:\Users\Admin\AppData\Local\Temp\a10c263af6e8182dad8405fcfcf5fb5f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Users\Admin\nifih.exe
  "C:\Users\Admin\nifih.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\nifih.exe

Filesize
296KB

MD5
c75216f2dab1b1092d60bd30b3d24204

SHA1
0c5e4258f4548217f156e477a11d3e01195aad89

SHA256
d2917e39f0e65b02325fbfd67bd89aa60b23fa18825904f303b1791c16ce6171

SHA512
31826a45775dd852f68b848ae70281448119708d1c8ecb3ef32f89293ffc9628af2b2743a065c9522c348cfaa1c65633e671f5c120a0d2a2f2933ac45d8dfa41

Download Submit