Overview

overview

10

Static

static

10

NigNig.exe

windows7-x64

10

NigNig.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-04-2024 17:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NigNig.exe

  • Size

    51KB

  • MD5

    ed852fca3d9f3b61313c33ebcb843d88

  • SHA1

    7786d1943a1e00319df05a6199d70dc69ff0a25d

  • SHA256

    bbafea1be559fc898f4e6d48b1d0514a4f6cc9348c1755e8978ee264824a7d51

  • SHA512

    0294771e06f472e29ce8030ca4e7dd9cb45074f9a7b3a55e700c36f7b7f80889d295cccd05fa61a9d4944a2bf8a47a824aa5ccd26602475e3701491c92f51418

  • SSDEEP

    768:bivdjHrddilbVauou79EoasmqEPBZ6HLBSkGu2yPo+LGZYebFDa9k6RNSgNOcf:8pHmVauo35n/ZADj6CSYebFwlf42

Score
10/10
xenoratrattrojan

Malware Config

Extracted

Family

xenorat

C2

teaching-wireless.gl.at.ply.gg

Mutex

nignig_rat_nd8912d

Attributes
  • delay

    1000

  • install_path

    temp

  • port

    39289

  • startup_name

    discord

Signatures

  • XenorRat

    XenorRat is a remote access trojan written in C#.

    trojanratxenorat
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NigNig.exe
    "C:\Users\Admin\AppData\Local\Temp\NigNig.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:548
    • C:\Users\Admin\AppData\Local\Temp\XenoManager\NigNig.exe
      "C:\Users\Admin\AppData\Local\Temp\XenoManager\NigNig.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:832
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /Create /TN "discord" /XML "C:\Users\Admin\AppData\Local\Temp\tmp47D6.tmp" /F
        3⤵
        • Creates scheduled task(s)
        PID:2092

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NigNig.exe.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\XenoManager\NigNig.exe
    Filesize

    51KB

    MD5

    ed852fca3d9f3b61313c33ebcb843d88

    SHA1

    7786d1943a1e00319df05a6199d70dc69ff0a25d

    SHA256

    bbafea1be559fc898f4e6d48b1d0514a4f6cc9348c1755e8978ee264824a7d51

    SHA512

    0294771e06f472e29ce8030ca4e7dd9cb45074f9a7b3a55e700c36f7b7f80889d295cccd05fa61a9d4944a2bf8a47a824aa5ccd26602475e3701491c92f51418

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp47D6.tmp
    Filesize

    1KB

    MD5

    270a3037e28c41657687de0061e5e719

    SHA1

    91e3b4163195d9e90b216e8370e353be45ebe8ba

    SHA256

    b4141c32d58f5e1bd89249a61882db30b8cbf7d8662e3a1da82c8daa6f05b1cb

    SHA512

    b697526a80ae13915c3f984ae7ee229580ef86599a9450e5a56a42a534f6fd4fa366a75f991840f2230591a087cb8c88713abeacf464c2e803674fc720ba80a8

    Download Submit

  • memory/548-0-0x0000000000FE0000-0x0000000000FF4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/548-1-0x0000000074920000-0x00000000750D0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/548-15-0x0000000074920000-0x00000000750D0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/832-17-0x0000000004C70000-0x0000000004C80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/832-16-0x0000000074920000-0x00000000750D0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/832-20-0x0000000005610000-0x0000000005676000-memory.dmp

    Filesize

    408KB

    Download

  • memory/832-21-0x0000000074920000-0x00000000750D0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/832-22-0x0000000004C70000-0x0000000004C80000-memory.dmp

    Filesize

    64KB

    Download