Malware Analysis Report

2025-05-05 21:25

Sample ID 240521-vg8rmscc82
Target nigger.exe
SHA256 dada2e816fe928b713be0ed163032c0049acc2a9a6d39253aeffe930572079d7
Tags
pyinstaller
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

dada2e816fe928b713be0ed163032c0049acc2a9a6d39253aeffe930572079d7

Threat Level: Shows suspicious behavior

The file nigger.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

pyinstaller

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Detects Pyinstaller

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-21 16:58

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 16:58

Reported

2024-05-21 17:01

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\nigger.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\nigger.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4984 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\nigger.exe C:\Users\Admin\AppData\Local\Temp\nigger.exe
PID 4984 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\nigger.exe C:\Users\Admin\AppData\Local\Temp\nigger.exe

Processes

C:\Users\Admin\AppData\Local\Temp\nigger.exe

"C:\Users\Admin\AppData\Local\Temp\nigger.exe"

C:\Users\Admin\AppData\Local\Temp\nigger.exe

"C:\Users\Admin\AppData\Local\Temp\nigger.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
N/A 127.0.0.1:63997 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 232.136.159.162.in-addr.arpa udp
US 8.8.8.8:53 233.128.159.162.in-addr.arpa udp
US 8.8.8.8:53 232.137.159.162.in-addr.arpa udp
US 8.8.8.8:53 232.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 232.138.159.162.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI49842\ucrtbase.dll

MD5 0e0bac3d1dcc1833eae4e3e4cf83c4ef
SHA1 4189f4459c54e69c6d3155a82524bda7549a75a6
SHA256 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae
SHA512 a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

C:\Users\Admin\AppData\Local\Temp\_MEI49842\python37.dll

MD5 62125a78b9be5ac58c3b55413f085028
SHA1 46c643f70dd3b3e82ab4a5d1bc979946039e35b2
SHA256 17c29e6188b022f795092d72a1fb58630a7c723d70ac5bc3990b20cd2eb2a51f
SHA512 e63f4aa8fc5cd1569ae401e283bc8e1445859131eb0db76581b941f1085670c549cbc3fedf911a21c1237b0f3f66f62b10c60e88b923fa058f7fafee18dd0fa4

C:\Users\Admin\AppData\Local\Temp\_MEI49842\VCRUNTIME140.dll

MD5 0e675d4a7a5b7ccd69013386793f68eb
SHA1 6e5821ddd8fea6681bda4448816f39984a33596b
SHA256 bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1
SHA512 cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

C:\Users\Admin\AppData\Local\Temp\_MEI49842\base_library.zip

MD5 46be82a377d053f56444fa141682c256
SHA1 d2ce0acd78d0c69c056890fb15a8ab72ca4a2786
SHA256 1bc7d01f5b20392225c0d47e4aece58d3032440609d6a89c5612abaad0900d6c
SHA512 21653a8940a6895ac0e484b75e57b96e0872d4038812e1dde36204195304bbda13254e08cf6d7fef83cb1c7ed39c911ed80b2ba011512bd90a2c52935ce07602

C:\Users\Admin\AppData\Local\Temp\_MEI49842\_ctypes.pyd

MD5 2f21f50d2252e3083555a724ca57b71e
SHA1 49ec351d569a466284b8cc55ee9aeaf3fbf20099
SHA256 09887f07f4316057d3c87e3a907c2235dc6547e54ed4f5f9125f99e547d58bce
SHA512 e71ff1e63105f51a4516498cd09f8156d7208758c5dc9a74e7654844e5cefc6e84f8fe98a1f1bd7a459a98965fbe913cb5edb552fffa1e33dfda709f918dddeb

C:\Users\Admin\AppData\Local\Temp\_MEI49842\_bz2.pyd

MD5 4079b0e80ef0f97ce35f272410bd29fe
SHA1 19ef1b81a1a0b3286bac74b6af9a18ed381bf92c
SHA256 466d21407f5b589b20c464c51bfe2be420e5a586a7f394908448545f16b08b33
SHA512 21cd5a848f69b0d1715e62dca89d1501f7f09edfe0fa2947cfc473ca72ed3355bfccd32c3a0cdd5f65311e621c89ddb67845945142a4b1bdc5c70e7f7b99ed67

C:\Users\Admin\AppData\Local\Temp\_MEI49842\_lzma.pyd

MD5 a567a2ecb4737e5b70500eac25f23049
SHA1 951673dd1a8b5a7f774d34f61b765da2b4026cab
SHA256 a4cba6d82369c57cb38a32d4dacb99225f58206d2dd9883f6fc0355d6ddaec3d
SHA512 97f3b1c20c9a7ed52d9781d1e47f4606579faeae4d98ba09963b99cd2f13426dc0fc2aeb4bb3af18ed584c8ba9d5b6358d8e34687a1d5f74a3954b3f84d12349

C:\Users\Admin\AppData\Local\Temp\_MEI49842\_socket.pyd

MD5 d7e7a7592338ce88e131f858a84deec6
SHA1 3add8cd9fbbf7f5fa40d8a972d9ac18282dcf357
SHA256 4ba5d0e236711bdcb29ce9c3138406f7321bd00587b6b362b4ace94379cf52d5
SHA512 96649296e8ccdc06d6787902185e21020a700436fc7007b2aa6464d0af7f9eb66a4485b3d46461106ac5f1d35403183daa1925e842e7df6f2db9e3e833b18fb4

C:\Users\Admin\AppData\Local\Temp\_MEI49842\select.pyd

MD5 c30e5eccf9c62b0b0bc57ed591e16cc0
SHA1 24aece32d4f215516ee092ab72471d1e15c3ba24
SHA256 56d1a971762a1a56a73bdf64727e416ffa9395b8af4efcd218f5203d744e1268
SHA512 3e5c58428d4c166a3d6d3e153b46c4a57cca2e402001932ec90052c4689b7f5ba4c5f122d1a66d282b2a0a0c9916dc5a5b5e5f6dfc952cdb62332ac29cb7b36a

C:\Users\Admin\AppData\Local\Temp\_MEI49842\_ssl.pyd

MD5 d429ff3fd91943ad8539c076c2a0c75f
SHA1 bb6611ddca8ebe9e4790f20366b89253a27aed02
SHA256 45c8b99ba9e832cab85e9d45b5601b7a1d744652e7f756ec6a6091e1d8398dd4
SHA512 019178eecb9fb3d531e39854685a53fa3df5a84b1424e4a195f0a51ca0587d1524fd8fbd6d4360188ea9c2f54d7019c7d335ec6dc5471128159153c2287b0e18

C:\Users\Admin\AppData\Local\Temp\_MEI49842\libcrypto-1_1-x64.dll

MD5 022a61849adab67e3a59bcf4d0f1c40b
SHA1 fca2e1e8c30767c88f7ab5b42fe2bd9abb644672
SHA256 2a57183839c3e9cc4618fb1994c40e47672a8b6daffaa76c5f89cf2542b02c2f
SHA512 94ac596181f0887af7bf02a7ce31327ad443bb7fe2d668217953e0f0c782d19296a80de965008118708afd9bda14fd8c78f49785ebf7abcc37d166b692e88246

C:\Users\Admin\AppData\Local\Temp\_MEI49842\libssl-1_1-x64.dll

MD5 4ec3c7fe06b18086f83a18ffbb3b9b55
SHA1 31d66ffab754fe002914bff2cf58c7381f8588d9
SHA256 9d35d8dd9854a4d4205ae4eafe28c92f8d0e3ac7c494ac4a6a117f6e4b45170c
SHA512 d53ee1f7c082a27ace38bf414529d25223c46bfae1be0a1fbe0c5eab10a7b10d23571fd9812c3be591c34059a4c0028699b4bf50736582b06a17ae1ef1b5341e

C:\Users\Admin\AppData\Local\Temp\_MEI49842\_contextvars.pyd

MD5 8f0fc15b89105f42bfa8ddd21342f046
SHA1 3f529ac0ff13ae117c4285218526e61ab6225c94
SHA256 94b38784f2349f803cb62abb8b8fd9f2352c9dc891acf8b3d2f1b8b745b7d79b
SHA512 17259c44804e7ba3ce2b5448ca92984e00fa9a3877edd060496f29bfbb0ade28efe122274cb79c846ab10b558eb2be0ef2012ce3bfe6137aed44f8267bff1eb6

C:\Users\Admin\AppData\Local\Temp\_MEI49842\_asyncio.pyd

MD5 5a1e2e1e7528c9622b8c1eafb80a71e1
SHA1 4fd36047b09532261db3cd8a344d01a9a22f58c3
SHA256 24a0be8d4c4c6260720f89e0a99840305f182d06220306c70785a1bfc8903bb4
SHA512 3d1401c5ccc0baea580d73c12d49bd751d344de837cf937b3482ffdb5070d8481b80070f9d74e6c2c237101b8401e56ae6a34674d954316adea8aa562022e31b

C:\Users\Admin\AppData\Local\Temp\_MEI49842\_overlapped.pyd

MD5 cac4ea23441ac5658dda2e0a48013826
SHA1 53a46f8ed71501acde7d4f09aef57e32e5ceeb9c
SHA256 2d30cd0be4a129a88fba368c0b14957905b3112869c8133b8f7e78dcf7edf1e9
SHA512 aed87e075607bc83b12a7d2f614325566ec8438bfef4194141312aaf649521e26b3e609b565c84ddb9847c2bd632f569ffba1cbb91c973b4696162bafef22d11

C:\Users\Admin\AppData\Local\Temp\_MEI49842\_hashlib.pyd

MD5 c3b19ad5381b9832e313a448de7c5210
SHA1 51777d53e1ea5592efede1ed349418345b55f367
SHA256 bdf4a536f783958357d2e0055debdc3cf7790ee28beb286452eec0354a346bdc
SHA512 7f8d3b79a58612e850d18e8952d14793e974483c688b5daee217baaa83120fd50d1e036ca4a1b59d748b22951744377257d2a8f094a4b4de1f79fecd4bf06afb

C:\Users\Admin\AppData\Local\Temp\_MEI49842\unicodedata.pyd

MD5 7d1f105cf81820bb6d0962b669897dde
SHA1 6c4897147c05c6d6da98dd969bf84e12cc5682be
SHA256 71b13fd922190081d3aeec8628bd72858cc69ee553e16bf3da412f535108d0e4
SHA512 7546c3afb0440dc0e4c0f24d7b145a4f162cda72068cc51f7dc1a644454b645c0b3c954920c489b0748ba4c1ea2c34e86ba2565770e08077c2fdd02fd237f9d3

C:\Users\Admin\AppData\Local\Temp\_MEI49842\yarl\_quoting_c.cp37-win_amd64.pyd

MD5 027ad0c0dc4689bcf18c1ec6fd9a66f5
SHA1 7d07692445559f3164c4df2dd22dba3196404f7e
SHA256 5264fcff96ca9558663e9cbe649a11d9261859f7d9056775694a0452c6c11845
SHA512 d4d66d00303d457a72b306711b83d8d5c18be9ea99b02bc1250246052a001e02273937d6fcd2408a563defb8119922477aad718186b903b15cc45f57cfec77ed

C:\Users\Admin\AppData\Local\Temp\_MEI49842\multidict\_multidict.cp37-win_amd64.pyd

MD5 9f6d47335dbda0939aedc3488de73c4a
SHA1 072b778c78bd81445a138b996713fed909c21b4e
SHA256 a874aa34a46df245bfc6c5ef5b213deca84e8e051c4f022b2f0463f12b6da56f
SHA512 eb3d383d84e84edde4d9f8eb783e66053c00832912402c6e7b07b22795e7efc6755c583484be1112eb42a1bb99efb1b31785e3a17c2efbe9bdce46eec7dd62ad

C:\Users\Admin\AppData\Local\Temp\_MEI49842\aiohttp\_helpers.cp37-win_amd64.pyd

MD5 9d99f86fe345bb9941d19a2c551cd88f
SHA1 3f78ad04c8b160291ee0a35691609400ee83be9d
SHA256 0575c621abb17eaaf6914dc5e1415da453d89c5e4ce0ee45c14832bc425e8b3b
SHA512 2ef0486671d62d37cf58f619b1cffa79de3d9bb07c4e71433b008d74fd8d0354e5a3971443b49c9c45c99150084dabbe50448835b61db681f789d617a8b83106

C:\Users\Admin\AppData\Local\Temp\_MEI49842\aiohttp\_http_parser.cp37-win_amd64.pyd

MD5 71b5fe49956eb00e5c5276859bb0f47e
SHA1 ad3db646b9c1ca0522e3e33d413ff35dc293cce5
SHA256 296a86f86018c9c868b7bb39ac1e29852cceba1623295994d8fc515335cf0545
SHA512 fded64ff6ead27af41a61ca4ac77bb38368561f4bfdcd643bd36a4f7ab6daad0dcd5f0afdefa3a191cc901f8fd7ad641e7bbc9d26f30d3ffa22c9bea4f3071f2

C:\Users\Admin\AppData\Local\Temp\_MEI49842\aiohttp\_http_writer.cp37-win_amd64.pyd

MD5 7c8fd7f58b435e40a86eabf68949f512
SHA1 c559c7395e429d5039ca915070400c5acd358e6a
SHA256 debb0e712b1b6fb98ce65094ab564309b962271c6b6a13da24a0bfd5d3a32b1e
SHA512 f57b37c272b0ea6a3a1a6bcf1b52ced9574cddf5422b05c387e75d256b39c29805399ed63ec633c047f085192d6284a4818a58fe5c6fe716d71e535919060d09

C:\Users\Admin\AppData\Local\Temp\_MEI49842\aiohttp\_websocket.cp37-win_amd64.pyd

MD5 1f0b4e75ed11d6a355f9873e8b8f420b
SHA1 9aa2f378f278fa0d72788463d902c30ec57192c5
SHA256 b44aa794b88eecc2699383dad0319dafbd031e0ee2edef15965134808443ea5a
SHA512 a5a824001a106fcbaa56eab92364f61817323e8ca78715b45622103955c1a17ae32068fcdd06a29a1c1da74e99bb780700fe03e80e9fef70225e03080d764908

C:\Users\Admin\AppData\Local\Temp\_MEI49842\aiohttp\_frozenlist.cp37-win_amd64.pyd

MD5 3a044a2e7e7482bd4c4119d15eb807b7
SHA1 3a329ad1ef246a5c47920ebd9a9b6b72d6ce95ed
SHA256 bac33e0f292483046c9aa01c5a4d86f68f2c3ab4240845c65756158ce393390b
SHA512 2df1400d1f22e3b0a236eba056ad88b272a547b9813ef71298434a6a4992f5e5d568bdf35b2e16af453cf05cfbb8024b60eee3171f6eaa32f2ca3d6b661a55e8

C:\Users\Admin\AppData\Local\Temp\_MEI49842\_queue.pyd

MD5 2325dab36242fc732c85914ab7ce25af
SHA1 b4a81b312b6e037a0aa4a2e2de5e331cb2803648
SHA256 2ffa512a2a369ccd3713419c6d4e36c2bd5d1967e046663d721d7e7ac9e4ab59
SHA512 13f92c90a81f5dfbc15cadfd31dbc30b5c72c93dc7ad057f4b211388c3a57ab070bd25c0f1212173a0772972b2d3aa2caedbfb7e3513ffc0d83a15dbc9198b87

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 16:58

Reported

2024-05-21 17:01

Platform

win10v2004-20240426-en

Max time kernel

129s

Max time network

99s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\nigger.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\nigger.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp

Files

N/A