Overview

Sandbox score per report tab (1 to 10; sample names are shown truncated as on the page; the task numbers are those of the behavioral task list below):

Item          Sample (as displayed)   Platform            Score
Overview      -                       -                   10
Static        -                       -                   7
behavioral1   MyMalwareD...og.exe     windows7-x64        7
behavioral2   MyMalwareD...og.exe     windows10-2004-x64  7
behavioral3   $1/1337/Frog.exe        windows7-x64        3
behavioral4   $1/1337/Frog.exe        windows10-2004-x64  3
behavioral5   $1/1337/php5ts.dll      windows7-x64        1
behavioral6   $1/1337/php5ts.dll      windows10-2004-x64  1
behavioral7   $PLUGINSDI...em.dll     windows7-x64        3
behavioral8   $PLUGINSDI...em.dll     windows10-2004-x64  3
behavioral9   MyMalwareD...ry.exe     windows7-x64        1
behavioral10  MyMalwareD...ry.exe     windows10-2004-x64  1
behavioral11  MyMalwareD...1).exe     windows7-x64        7
behavioral12  MyMalwareD...1).exe     windows10-2004-x64  7
behavioral13  MyMalwareD...ge.exe     windows7-x64        1
behavioral14  MyMalwareD...ge.exe     windows10-2004-x64  1
behavioral15  MyMalwareD...64.exe     windows7-x64        1
behavioral16  MyMalwareD...64.exe     windows10-2004-x64  1
behavioral17  MyMalwareD...re.exe     windows7-x64        10
behavioral18  MyMalwareD...re.exe     windows10-2004-x64  10
behavioral19  MyMalwareD...ck.bat     windows7-x64        1
behavioral20  MyMalwareD...ck.bat     windows10-2004-x64  1
behavioral21  MyMalwareD...1).exe     windows7-x64        1
behavioral22  MyMalwareD...1).exe     windows10-2004-x64  (none shown)
behavioral23  MyMalwareD...1).exe     windows7-x64        8
behavioral24  MyMalwareD...1).exe     windows10-2004-x64  8
behavioral25  MyMalwareD...rn.exe     windows7-x64        3
behavioral26  MyMalwareD...rn.exe     windows10-2004-x64  3
behavioral27  Sulfoxide/...de.exe     windows7-x64        (none shown)
behavioral28  Sulfoxide/...de.exe     windows10-2004-x64  (none shown)
behavioral29  Sulfoxide/...es.exe     windows7-x64        (none shown)
behavioral30  Sulfoxide/...es.exe     windows10-2004-x64  (none shown)
behavioral31  Sulfoxide/...64.exe     windows7-x64        7
behavioral32  Sulfoxide/...64.exe     windows10-2004-x64  7

Analysis
- max time kernel: 150s
- max time network: 115s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-03-2024 20:38
Behavioral tasks (every sample was run once on a Windows 7 x64 image and once on a Windows 10 2004 x64 image)

Task          Sample                                                                    Resource
behavioral1   MyMalwareDatabase-main/MyMalwareDatabase-main/Frog.exe                    win7-20240221-en
behavioral2   MyMalwareDatabase-main/MyMalwareDatabase-main/Frog.exe                    win10v2004-20240226-en
behavioral3   $1/1337/Frog.exe                                                          win7-20240221-en
behavioral4   $1/1337/Frog.exe                                                          win10v2004-20240226-en
behavioral5   $1/1337/php5ts.dll                                                        win7-20240221-en
behavioral6   $1/1337/php5ts.dll                                                        win10v2004-20240226-en
behavioral7   $PLUGINSDIR/System.dll                                                    win7-20240221-en
behavioral8   $PLUGINSDIR/System.dll                                                    win10v2004-20240226-en
behavioral9   MyMalwareDatabase-main/MyMalwareDatabase-main/GonnaCry/GonnaCry.exe       win7-20240221-en
behavioral10  MyMalwareDatabase-main/MyMalwareDatabase-main/GonnaCry/GonnaCry.exe       win10v2004-20240226-en
behavioral11  MyMalwareDatabase-main/MyMalwareDatabase-main/Hydromatic (1).exe          win7-20240221-en
behavioral12  MyMalwareDatabase-main/MyMalwareDatabase-main/Hydromatic (1).exe          win10v2004-20240226-en
behavioral13  MyMalwareDatabase-main/MyMalwareDatabase-main/Losange/Losange.exe         win7-20240221-en
behavioral14  MyMalwareDatabase-main/MyMalwareDatabase-main/Losange/Losange.exe         win10v2004-20240226-en
behavioral15  MyMalwareDatabase-main/MyMalwareDatabase-main/Monoxidex64.exe             win7-20240221-en
behavioral16  MyMalwareDatabase-main/MyMalwareDatabase-main/Monoxidex64.exe             win10v2004-20240226-en
behavioral17  MyMalwareDatabase-main/MyMalwareDatabase-main/NightMare/NightMare.exe     win7-20240220-en
behavioral18  MyMalwareDatabase-main/MyMalwareDatabase-main/NightMare/NightMare.exe     win10v2004-20240226-en
behavioral19  MyMalwareDatabase-main/MyMalwareDatabase-main/NightMare/REGFuck.bat       win7-20240221-en
behavioral20  MyMalwareDatabase-main/MyMalwareDatabase-main/NightMare/REGFuck.bat       win10v2004-20240226-en
behavioral21  MyMalwareDatabase-main/MyMalwareDatabase-main/NoEscape (1).exe            win7-20240221-en
behavioral22  MyMalwareDatabase-main/MyMalwareDatabase-main/NoEscape (1).exe            win10v2004-20240226-en
behavioral23  MyMalwareDatabase-main/MyMalwareDatabase-main/Protactinium (1).exe        win7-20240221-en
behavioral24  MyMalwareDatabase-main/MyMalwareDatabase-main/Protactinium (1).exe        win10v2004-20240226-en
behavioral25  MyMalwareDatabase-main/MyMalwareDatabase-main/Saturn.exe                  win7-20240221-en
behavioral26  MyMalwareDatabase-main/MyMalwareDatabase-main/Saturn.exe                  win10v2004-20240226-en
behavioral27  Sulfoxide/Sulfoxide.exe                                                   win7-20240215-en
behavioral28  Sulfoxide/Sulfoxide.exe                                                   win10v2004-20240226-en
behavioral29  Sulfoxide/Sulfoxide_fixes.exe                                             win7-20240221-en
behavioral30  Sulfoxide/Sulfoxide_fixes.exe                                             win10v2004-20240226-en
behavioral31  Sulfoxide/vcredist_x64.exe                                                win7-20240221-en
behavioral32  Sulfoxide/vcredist_x64.exe                                                win10v2004-20240226-en
General
- Target: MyMalwareDatabase-main/MyMalwareDatabase-main/NightMare/NightMare.exe
- Size: 42KB
- MD5: 4c5dfe827dd3465bb97016996936fe38
- SHA1: 010b868fe1a9e637912226a1eda1b73d901347dd
- SHA256: 366373109445178df10e219c3d58ea40b435c3cc20f80be7398d199aee01f62b
- SHA512: e0692e425b7c702d297c88f0495c3bdae53eb566c3128f334d0e87e90a7047c433633f918ab6163a025a488111bcb2f199df0852b338fdc00e524897a2a7d82e
- SSDEEP: 768:73oACIqXSoiSnWsHorfhH7HjVq9HTtYcFA/Vc6K:7TCxNn/orfhbDVqRD8Vcl
Malware Config
Signatures

UAC bypass
Processes: NightMare.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   (NightMare.exe)
Writing EnableLUA under HKLM needs an already-elevated token, so this is UAC being switched off for subsequent logons, not an elevation from a standard user.

Disables RegEdit via registry modification 1 IoCs
Processes: NightMare.exe
  Set value (int)   \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"   (NightMare.exe)

Disables Task Manager via registry modification

Possible privilege escalation attempt 15 IoCs
Processes (pid process): 7300 takeown.exe, 5220 takeown.exe, 5004 takeown.exe, 1664 takeown.exe, 4312 takeown.exe, 7864 takeown.exe, 6848 takeown.exe, 3868 takeown.exe, 7020 takeown.exe, 6428 takeown.exe, 6984 takeown.exe, 4364 takeown.exe, 7736 takeown.exe, 3640 icacls.exe, 7296 takeown.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: NightMare.exe
  Key value queried   \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation   (NightMare.exe)

Modifies file permissions 1 TTPs 15 IoCs
Processes (pid process): 3640 icacls.exe, 7864 takeown.exe, 5004 takeown.exe, 4312 takeown.exe, 6428 takeown.exe, 7296 takeown.exe, 5220 takeown.exe, 6984 takeown.exe, 4364 takeown.exe, 7300 takeown.exe, 7736 takeown.exe, 7020 takeown.exe, 1664 takeown.exe, 6848 takeown.exe, 3868 takeown.exe

Modifies system executable filetype association 2 TTPs 1 IoCs
Processes: NightMare.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\   (NightMare.exe)

Checks whether UAC is enabled
Processes: NightMare.exe
  Set value (int)     \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   (NightMare.exe)
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA         (NightMare.exe)
Drops desktop.ini file(s) 1 IoCs
Processes: svchost.exe
  File opened for modification   C:\Users\Admin\Videos\Captures\desktop.ini   (svchost.exe)

Drops file in System32 directory 2 IoCs
Processes: ReAgentc.exe
  File opened for modification   C:\Windows\SysWOW64\Recovery               (ReAgentc.exe)
  File opened for modification   C:\Windows\SysWOW64\Recovery\ReAgent.xml   (ReAgentc.exe)

Drops file in Windows directory 64 IoCs
Processes: NightMare.exe
  File created (NightMare.exe), 64 times, C:\Windows\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE(N).txt with N, in the order logged:
  6873, 7244, 9349, 47, 753, 2943, 5354, 1504, 4001, 6777, 7255, 8356,
  8889, 427, 1721, 5731, 7904, 6054, 8721, 7809, 9018, 2655, 3496, 5096,
  6206, 8738, 71, 2622, 3951, 6635, 9927, 127, 4813, 6120, 8168, 7988,
  998, 1411, 4121, 7871, 6016, 9571, 7102, 1054, 1949, 2064, 6608, 2101,
  2369, 5780, 7808, 2429, 3897, 4877, 5301, 2277, 7242, 8020, 2156, 4408,
  5476, 5650, 6074, 6196

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: svchost.exe
  Key opened          \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                       (svchost.exe)
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   (svchost.exe)

Kills process with taskkill 1 IoCs
Processes (pid process): 8260 taskkill.exe
Modifies Control Panel 14 IoCs
Processes: NightMare.exe
  Set value (str) on 14 values under \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Cursors, every one pointed at "C:\\Windows\\WinSxS\\amd64_microsoft-windows-shell-cursors_31bf3856ad364e35_10.0.19041.1_none_01289c50fa22c737\\aero_unavail_xl.cur" (NightMare.exe):
  SizeWE, Help, NWPen, SizeNS, SizeNWSE, Wait, SizeNESW, (default value), AppStarting, Arrow, Hand, No, SizeAll, UpArrow

Modifies File Icons 3 IoCs
Processes: NightMare.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons     (NightMare.exe)
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\3   (NightMare.exe)
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\4   (NightMare.exe)

Modifies registry class 40 IoCs
Processes: NightMare.exe, svchost.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\giffile\DefaultIcon\   (NightMare.exe)
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\jntfile\DefaultIcon   (NightMare.exe)
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\   (NightMare.exe)
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\ratfile\DefaultIcon\   (NightMare.exe)
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon\   (NightMare.exe)
  Key created       \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\WOW6432Node\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon   (NightMare.exe)
  Key created       \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\WOW6432Node\CLSID   (NightMare.exe)
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\jntfile\DefaultIcon\   (NightMare.exe)
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\DefaultIcon\   (NightMare.exe)
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\pjpegfile\DefaultIcon\   (NightMare.exe)
  Key created       \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-983155329-280873152-1838004294-1000\{541AAFB6-0992-404A-8AD9-71F50A10B1A4}   (svchost.exe)
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon\   (NightMare.exe)
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon\   (NightMare.exe)
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\   (NightMare.exe)
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon\   (NightMare.exe)
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\icmfile\DefaultIcon\   (NightMare.exe)
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\DefaultIcon\   (NightMare.exe)
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\DefaultIcon\   (NightMare.exe)
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\zapfile\DefaultIcon\   (NightMare.exe)
  Key created       \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\WOW6432Node\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}   (NightMare.exe)
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\htlm\DefaultIcon   (NightMare.exe)
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\jntfile   (NightMare.exe)
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\JSEFile\DefaultIcon\   (NightMare.exe)
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\DefaultIcon   (NightMare.exe)
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\textfile\DefaultIcon   (NightMare.exe)
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\jarfile\DefaultIcon   (NightMare.exe)
  Key created       \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\WOW6432Node\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}   (NightMare.exe)
  Key created       \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\WOW6432Node\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon   (NightMare.exe)
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\icofile\DefaultIcon\   (NightMare.exe)
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\   (NightMare.exe)
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\pngfile\DefaultIcon\   (NightMare.exe)
  Set value (str)   \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\WOW6432Node\CLSID\{1248BD21-B584-4EB8-85D0-8EC479CD043B}\DefaultIcon\   (NightMare.exe)
  Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\htlm   (NightMare.exe)
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon\   (NightMare.exe)
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\dllfile\DefaultIcon\   (NightMare.exe)
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\DefaultIcon\   (NightMare.exe)
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\DefaultIcon\   (NightMare.exe)
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\pnffile\DefaultIcon\   (NightMare.exe)
  Key created       \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\WOW6432Node   (NightMare.exe)
  Set value (str)   \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\WOW6432Node\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\DefaultIcon\   (NightMare.exe)
Modifies registry key 1 TTPs 1 IoCs

Runs net.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs
Processes (description, pid, process):
  Token: SeTakeOwnershipPrivilege   5004   takeown.exe
  Token: SeTakeOwnershipPrivilege   1664   takeown.exe
  Token: SeDebugPrivilege           3928   NightMare.exe
  Token: SeDebugPrivilege           3928   NightMare.exe
  Token: SeTakeOwnershipPrivilege   6984   takeown.exe
  Token: SeTakeOwnershipPrivilege   4312   takeown.exe
  Token: SeTakeOwnershipPrivilege   4364   takeown.exe
  Token: SeTakeOwnershipPrivilege   6848   takeown.exe
  Token: SeDebugPrivilege           8260   taskkill.exe
  Token: SeTakeOwnershipPrivilege   7300   takeown.exe
  Token: SeTakeOwnershipPrivilege   7296   takeown.exe
  Token: SeTakeOwnershipPrivilege   3868   takeown.exe
  Token: SeTakeOwnershipPrivilege   7736   takeown.exe
  Token: SeDebugPrivilege           3928   NightMare.exe
  Token: SeTakeOwnershipPrivilege   7020   takeown.exe
  Token: SeDebugPrivilege           3928   NightMare.exe
  Token: SeTakeOwnershipPrivilege   5220   takeown.exe
  Token: SeDebugPrivilege           3928   NightMare.exe
  Token: SeTakeOwnershipPrivilege   6428   takeown.exe
  Token: SeDebugPrivilege           3928   NightMare.exe
  Token: SeTakeOwnershipPrivilege   7864   takeown.exe

Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid process): 5048 OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes (source pid and process -> target pid and process). Every parent/child pair is logged three times; the list ends at entry 64, part-way through the last pair:
  3928 NightMare.exe -> 3768 cmd.exe   (x3)
  3928 NightMare.exe -> 2080 cmd.exe   (x3)
  3928 NightMare.exe -> 4016 cmd.exe   (x3)
  3928 NightMare.exe -> 2272 cmd.exe   (x3)
  3928 NightMare.exe -> 1736 cmd.exe   (x3)
  3928 NightMare.exe -> 3156 cmd.exe   (x3)
  3928 NightMare.exe -> 3668 cmd.exe   (x3)
  3768 cmd.exe -> 3628 net.exe   (x3)
  2080 cmd.exe -> 4764 reg.exe   (x3)
  3628 net.exe -> 1368 net1.exe   (x3)
  4016 cmd.exe -> 3044 reg.exe   (x3)
  2272 cmd.exe -> 1488 reg.exe   (x3)
  3156 cmd.exe -> 4628 ReAgentc.exe   (x3)
  1736 cmd.exe -> 5004 takeown.exe   (x3)
  3668 cmd.exe -> 1664 takeown.exe   (x3)
  3668 cmd.exe -> 3640 icacls.exe   (x3)
  3928 NightMare.exe -> 8652 cmd.exe   (x3)
  3928 NightMare.exe -> 7152 cmd.exe   (x3)
  8652 cmd.exe -> 6984 takeown.exe   (x3)
  3928 NightMare.exe -> 4236 cmd.exe   (x3)
  3928 NightMare.exe -> 8200 cmd.exe   (x3)
  3928 NightMare.exe -> 5172 cmd.exe   (x1, list cut at 64 entries)

System policy modification 1 TTPs 1 IoCs
Processes: NightMare.exe
  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"   (NightMare.exe)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe (PID 3928)
    Command line: "C:\Users\Admin\AppData\Local\Temp\MyMalwareDatabase-main\MyMalwareDatabase-main\NightMare\NightMare.exe"
    - UAC bypass
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Modifies system executable filetype association
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies File Icons
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    [2] C:\Windows\SysWOW64\cmd.exe (PID 3768)
        Command line: "C:\Windows\System32\cmd.exe" /k net user %username% /delete && exit
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\net.exe (PID 3628)
            Command line: net user Admin /delete
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\net1.exe (PID 1368)
                Command line: C:\Windows\system32\net1 user Admin /delete

    [2] C:\Windows\SysWOW64\cmd.exe (PID 2080)
        Command line: "C:\Windows\System32\cmd.exe" /k reg delete HKCR && exit
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\reg.exe (PID 4764)
            Command line: reg delete HKCR

    [2] C:\Windows\SysWOW64\cmd.exe (PID 4016)
        Command line: "C:\Windows\System32\cmd.exe" /k reg delete HKU && exit
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\reg.exe (PID 3044)
            Command line: reg delete HKU

    [2] C:\Windows\SysWOW64\cmd.exe (PID 2272)
        Command line: "C:\Windows\System32\cmd.exe" /k reg delete HKLM && exit
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\reg.exe (PID 1488)
            Command line: reg delete HKLM
            - Modifies registry key

    [2] C:\Windows\SysWOW64\cmd.exe (PID 1736)
        Command line: "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\takeown.exe (PID 5004)
            Command line: takeown /F C:\Windows\Boot\DVD\EFI
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\cmd.exe (PID 3156)
        Command line: "C:\Windows\System32\cmd.exe" /k reagentc.exe /disable && pause
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\ReAgentc.exe (PID 4628)
            Command line: reagentc.exe /disable
            - Drops file in System32 directory

    [2] C:\Windows\SysWOW64\cmd.exe (PID 3668)
        Command line: "C:\Windows\System32\cmd.exe" /k color 47 && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && Exit
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\takeown.exe (PID 1664)
            Command line: takeown /f C:\Windows\System32
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\icacls.exe (PID 3640)
            Command line: icacls C:\Windows\System32 /grant Admin:F
            - Possible privilege escalation attempt
            - Modifies file permissions

    [2] C:\Windows\SysWOW64\cmd.exe (PID 8652)
        Command line: "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\takeown.exe (PID 6984)
            Command line: takeown /F C:\Windows\Boot\DVD\EFI
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\cmd.exe (PID 7152)
        Command line: "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\taskmgr.exe && pause

        [3] C:\Windows\SysWOW64\takeown.exe (PID 6848)
            Command line: takeown /F C:\Windows\system32\taskmgr.exe
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\cmd.exe (PID 4236)
        Command line: "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\LogonUI.exe && pause

        [3] C:\Windows\SysWOW64\takeown.exe (PID 4312)
            Command line: takeown /F C:\Windows\system32\LogonUI.exe
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\cmd.exe (PID 8200)
        Command line: "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI\BCD && pause

        [3] C:\Windows\SysWOW64\takeown.exe (PID 3868)
            Command line: takeown /F C:\Windows\Boot\DVD\EFI\BCD
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\cmd.exe (PID 5172)
        Command line: "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI\boot.sdi && pause

        [3] C:\Windows\SysWOW64\takeown.exe (PID 4364)
            Command line: takeown /F C:\Windows\Boot\DVD\EFI\boot.sdi
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\cmd.exe (PID 5400)
        Command line: "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\system32\drivers && pause

        [3] C:\Windows\SysWOW64\takeown.exe (PID 7296)
            Command line: takeown /F C:\Windows\system32\drivers
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\cmd.exe (PID 6260)
        Command line: "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\servicing\TrustedInstaller.exe && pause

        [3] C:\Windows\SysWOW64\takeown.exe (PID 7300)
            Command line: takeown /F C:\Windows\servicing\TrustedInstaller.exe
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\cmd.exe (PID 7676)
        Command line: "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\System32\WUDFHost.exe && pause

        [3] C:\Windows\SysWOW64\takeown.exe (PID 7736)
            Command line: takeown /F C:\Windows\System32\WUDFHost.exe
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\taskkill.exe (PID 8260)
        Command line: "C:\Windows\System32\taskkill.exe" /IM fontdrvhost.exe /F
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\cmd.exe (PID 1564)
        Command line: "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause

        [3] C:\Windows\SysWOW64\takeown.exe (PID 7020)
            Command line: takeown /F C:\Windows\Boot\DVD\EFI
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\cmd.exe (PID 8408)
        Command line: "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause

        [3] C:\Windows\SysWOW64\takeown.exe (PID 5220)
            Command line: takeown /F C:\Windows\Boot\DVD\EFI
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\cmd.exe (PID 7348)
        Command line: "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause

        [3] C:\Windows\SysWOW64\takeown.exe (PID 6428)
            Command line: takeown /F C:\Windows\Boot\DVD\EFI
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\cmd.exe (PID 5900)
        Command line: "C:\Windows\System32\cmd.exe" /k takeown /F C:\Windows\Boot\DVD\EFI && pause

        [3] C:\Windows\SysWOW64\takeown.exe (PID 7864)
            Command line: takeown /F C:\Windows\Boot\DVD\EFI
            - Possible privilege escalation attempt
            - Modifies file permissions
            - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\OpenWith.exe (PID 5048)
    Command line: C:\Windows\system32\OpenWith.exe -Embedding
    - Suspicious use of SetWindowsHookEx

[1] C:\Windows\system32\svchost.exe (PID 2372)
    Command line: C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
    - Drops desktop.ini file(s)
    - Checks processor information in registry
    - Modifies registry class

[1] C:\Windows\system32\OpenWith.exe (PID 8928)
    Command line: C:\Windows\system32\OpenWith.exe -Embedding

[1] C:\Windows\system32\svchost.exe (PID 3784)
    Command line: C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService

[1] C:\Windows\system32\OpenWith.exe (PID 7060)
    Command line: C:\Windows\system32\OpenWith.exe -Embedding

[1] C:\Windows\system32\OpenWith.exe (PID 7524)
    Command line: C:\Windows\system32\OpenWith.exe -Embedding
Network

MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE_NO_ESCAPE.txt
  Filesize: 662B
  MD5: 21ad42bd4156f914d3a265823a1c269c
  SHA1: 4129bc994a0947b38e3bac2aeabc8e2fbdbd503f
  SHA256: 680671bac3f22a5f19ffbd2c82eec069a32844cf93d419aa59319cd0cbc98ac2
  SHA512: 7ec8c3801798b4fd547578d31badd96edeaacf0a91dca807c04e40ad65d97592043cb8e747947f74b9850f8e99dcd1c8f1c311cb0f8b79be301be36ca884cc5a
-
  Filesize: 190B
  MD5: b0d27eaec71f1cd73b015f5ceeb15f9d
  SHA1: 62264f8b5c2f5034a1e4143df6e8c787165fbc2f
  SHA256: 86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2
  SHA512: 7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c