Analysis
- max time kernel: 370s
- max time network: 378s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 30-04-2024 17:47
Behavioral task: behavioral1
- Sample: NigNig.exe
- Resource: win7-20240221-en
General
- Target: NigNig.exe
- Size: 51KB
- MD5: ed852fca3d9f3b61313c33ebcb843d88
- SHA1: 7786d1943a1e00319df05a6199d70dc69ff0a25d
- SHA256: bbafea1be559fc898f4e6d48b1d0514a4f6cc9348c1755e8978ee264824a7d51
- SHA512: 0294771e06f472e29ce8030ca4e7dd9cb45074f9a7b3a55e700c36f7b7f80889d295cccd05fa61a9d4944a2bf8a47a824aa5ccd26602475e3701491c92f51418
- SSDEEP: 768:bivdjHrddilbVauou79EoasmqEPBZ6HLBSkGu2yPo+LGZYebFDa9k6RNSgNOcf:8pHmVauo35n/ZADj6CSYebFwlf42
Malware Config
Extracted
- Family: xenorat
- C2: teaching-wireless.gl.at.ply.gg
- nignig_rat_nd8912d
- delay: 1000
- install_path: temp
- port: 39289
- startup_name: discord
Signatures
Executes dropped EXE (2 IoCs)
  pid   Process
  1432  NigNig.exe
  1956  NigNig.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  2524  NigNig.exe
  1432  NigNig.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates connected drives (3 TTPs, 1 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description             ioc     Process
  File opened (read-only) \??\D:  NigNig.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2548  schtasks.exe

Modifies registry class (10 IoCs)
  description      ioc                                                                                                     Process
  Key created      \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\ms-settings\Shell\Open\command     NigNig.exe
  Key created      \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\ms-settings\Shell                  NigNig.exe
  Key created      \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\ms-settings\Shell\Open             NigNig.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\ms-settings\Shell\Open\command\DelegateExecute  NigNig.exe
  Key deleted      \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\ms-settings                        NigNig.exe
  Key created      \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\ms-settings                        NigNig.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\ms-settings\Shell\Open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\XenoManager\\NigNig.exe\""  NigNig.exe
  Key deleted      \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\ms-settings\Shell\Open\command     NigNig.exe
  Key deleted      \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\ms-settings\Shell\Open             NigNig.exe
  Key deleted      \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\ms-settings\Shell                  NigNig.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  1432  NigNig.exe  (this row is repeated 64 times in the report, one per IoC)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   Process
  1432  NigNig.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                 pid   Process
  Token: SeDebugPrivilege     1432  NigNig.exe
  Token: SeDebugPrivilege     3064  taskmgr.exe
  Token: SeShutdownPrivilege  1432  NigNig.exe

Suspicious use of FindShellTrayWindow (38 IoCs)
  pid   Process
  3064  taskmgr.exe  (this row is repeated 38 times in the report, one per IoC)

Suspicious use of SendNotifyMessage (37 IoCs)
  pid   Process
  3064  taskmgr.exe  (this row is repeated 37 times in the report, one per IoC)

Suspicious use of WriteProcessMemory (16 IoCs)
  description                       pid   Process     procid_target
  PID 2524 wrote to memory of 1432  2524  NigNig.exe  28  (4 entries)
  PID 1432 wrote to memory of 2548  1432  NigNig.exe  29  (4 entries)
  PID 1432 wrote to memory of 1956  1432  NigNig.exe  34  (4 entries)
  PID 1432 wrote to memory of 1496  1432  NigNig.exe  35  (4 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\NigNig.exe
  "C:\Users\Admin\AppData\Local\Temp\NigNig.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2524
    C:\Users\Admin\AppData\Local\Temp\XenoManager\NigNig.exe
      "C:\Users\Admin\AppData\Local\Temp\XenoManager\NigNig.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Enumerates connected drives
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1432
        C:\Windows\SysWOW64\schtasks.exe
          "schtasks.exe" /Create /TN "discord" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2491.tmp" /F
          - Creates scheduled task(s)
          PID: 2548
        C:\Users\Admin\AppData\Local\Temp\XenoManager\NigNig.exe
          "C:\Users\Admin\AppData\Local\Temp\XenoManager\NigNig.exe"
          - Executes dropped EXE
          PID: 1956
        C:\Windows\system32\cmd.exe
          cmd /c start "" "%windir%\system32\fodhelper.exe"
          PID: 1496
C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 3064
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 270a3037e28c41657687de0061e5e719
  SHA1: 91e3b4163195d9e90b216e8370e353be45ebe8ba
  SHA256: b4141c32d58f5e1bd89249a61882db30b8cbf7d8662e3a1da82c8daa6f05b1cb
  SHA512: b697526a80ae13915c3f984ae7ee229580ef86599a9450e5a56a42a534f6fd4fa366a75f991840f2230591a087cb8c88713abeacf464c2e803674fc720ba80a8
- Filesize: 51KB
  MD5: ed852fca3d9f3b61313c33ebcb843d88
  SHA1: 7786d1943a1e00319df05a6199d70dc69ff0a25d
  SHA256: bbafea1be559fc898f4e6d48b1d0514a4f6cc9348c1755e8978ee264824a7d51
  SHA512: 0294771e06f472e29ce8030ca4e7dd9cb45074f9a7b3a55e700c36f7b7f80889d295cccd05fa61a9d4944a2bf8a47a824aa5ccd26602475e3701491c92f51418