Analysis Overview
SHA256
dada2e816fe928b713be0ed163032c0049acc2a9a6d39253aeffe930572079d7
Threat Level: Shows suspicious behavior
The file nigger.exe was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Detects Pyinstaller
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-21 16:58
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-21 16:58
Reported
2024-05-21 17:01
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
104s
Command Line
Signatures
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\nigger.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4984 wrote to memory of 3444 | N/A | C:\Users\Admin\AppData\Local\Temp\nigger.exe | C:\Users\Admin\AppData\Local\Temp\nigger.exe |
| PID 4984 wrote to memory of 3444 | N/A | C:\Users\Admin\AppData\Local\Temp\nigger.exe | C:\Users\Admin\AppData\Local\Temp\nigger.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\nigger.exe
"C:\Users\Admin\AppData\Local\Temp\nigger.exe"
C:\Users\Admin\AppData\Local\Temp\nigger.exe
"C:\Users\Admin\AppData\Local\Temp\nigger.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| N/A | 127.0.0.1:63997 | N/A | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.136.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.128.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.137.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI49842\ucrtbase.dll
| MD5 | 0e0bac3d1dcc1833eae4e3e4cf83c4ef |
| SHA1 | 4189f4459c54e69c6d3155a82524bda7549a75a6 |
| SHA256 | 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae |
| SHA512 | a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd |
C:\Users\Admin\AppData\Local\Temp\_MEI49842\python37.dll
| MD5 | 62125a78b9be5ac58c3b55413f085028 |
| SHA1 | 46c643f70dd3b3e82ab4a5d1bc979946039e35b2 |
| SHA256 | 17c29e6188b022f795092d72a1fb58630a7c723d70ac5bc3990b20cd2eb2a51f |
| SHA512 | e63f4aa8fc5cd1569ae401e283bc8e1445859131eb0db76581b941f1085670c549cbc3fedf911a21c1237b0f3f66f62b10c60e88b923fa058f7fafee18dd0fa4 |
C:\Users\Admin\AppData\Local\Temp\_MEI49842\VCRUNTIME140.dll
| MD5 | 0e675d4a7a5b7ccd69013386793f68eb |
| SHA1 | 6e5821ddd8fea6681bda4448816f39984a33596b |
| SHA256 | bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1 |
| SHA512 | cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66 |
C:\Users\Admin\AppData\Local\Temp\_MEI49842\base_library.zip
| MD5 | 46be82a377d053f56444fa141682c256 |
| SHA1 | d2ce0acd78d0c69c056890fb15a8ab72ca4a2786 |
| SHA256 | 1bc7d01f5b20392225c0d47e4aece58d3032440609d6a89c5612abaad0900d6c |
| SHA512 | 21653a8940a6895ac0e484b75e57b96e0872d4038812e1dde36204195304bbda13254e08cf6d7fef83cb1c7ed39c911ed80b2ba011512bd90a2c52935ce07602 |
C:\Users\Admin\AppData\Local\Temp\_MEI49842\_ctypes.pyd
| MD5 | 2f21f50d2252e3083555a724ca57b71e |
| SHA1 | 49ec351d569a466284b8cc55ee9aeaf3fbf20099 |
| SHA256 | 09887f07f4316057d3c87e3a907c2235dc6547e54ed4f5f9125f99e547d58bce |
| SHA512 | e71ff1e63105f51a4516498cd09f8156d7208758c5dc9a74e7654844e5cefc6e84f8fe98a1f1bd7a459a98965fbe913cb5edb552fffa1e33dfda709f918dddeb |
C:\Users\Admin\AppData\Local\Temp\_MEI49842\_bz2.pyd
| MD5 | 4079b0e80ef0f97ce35f272410bd29fe |
| SHA1 | 19ef1b81a1a0b3286bac74b6af9a18ed381bf92c |
| SHA256 | 466d21407f5b589b20c464c51bfe2be420e5a586a7f394908448545f16b08b33 |
| SHA512 | 21cd5a848f69b0d1715e62dca89d1501f7f09edfe0fa2947cfc473ca72ed3355bfccd32c3a0cdd5f65311e621c89ddb67845945142a4b1bdc5c70e7f7b99ed67 |
C:\Users\Admin\AppData\Local\Temp\_MEI49842\_lzma.pyd
| MD5 | a567a2ecb4737e5b70500eac25f23049 |
| SHA1 | 951673dd1a8b5a7f774d34f61b765da2b4026cab |
| SHA256 | a4cba6d82369c57cb38a32d4dacb99225f58206d2dd9883f6fc0355d6ddaec3d |
| SHA512 | 97f3b1c20c9a7ed52d9781d1e47f4606579faeae4d98ba09963b99cd2f13426dc0fc2aeb4bb3af18ed584c8ba9d5b6358d8e34687a1d5f74a3954b3f84d12349 |
C:\Users\Admin\AppData\Local\Temp\_MEI49842\_socket.pyd
| MD5 | d7e7a7592338ce88e131f858a84deec6 |
| SHA1 | 3add8cd9fbbf7f5fa40d8a972d9ac18282dcf357 |
| SHA256 | 4ba5d0e236711bdcb29ce9c3138406f7321bd00587b6b362b4ace94379cf52d5 |
| SHA512 | 96649296e8ccdc06d6787902185e21020a700436fc7007b2aa6464d0af7f9eb66a4485b3d46461106ac5f1d35403183daa1925e842e7df6f2db9e3e833b18fb4 |
C:\Users\Admin\AppData\Local\Temp\_MEI49842\select.pyd
| MD5 | c30e5eccf9c62b0b0bc57ed591e16cc0 |
| SHA1 | 24aece32d4f215516ee092ab72471d1e15c3ba24 |
| SHA256 | 56d1a971762a1a56a73bdf64727e416ffa9395b8af4efcd218f5203d744e1268 |
| SHA512 | 3e5c58428d4c166a3d6d3e153b46c4a57cca2e402001932ec90052c4689b7f5ba4c5f122d1a66d282b2a0a0c9916dc5a5b5e5f6dfc952cdb62332ac29cb7b36a |
C:\Users\Admin\AppData\Local\Temp\_MEI49842\_ssl.pyd
| MD5 | d429ff3fd91943ad8539c076c2a0c75f |
| SHA1 | bb6611ddca8ebe9e4790f20366b89253a27aed02 |
| SHA256 | 45c8b99ba9e832cab85e9d45b5601b7a1d744652e7f756ec6a6091e1d8398dd4 |
| SHA512 | 019178eecb9fb3d531e39854685a53fa3df5a84b1424e4a195f0a51ca0587d1524fd8fbd6d4360188ea9c2f54d7019c7d335ec6dc5471128159153c2287b0e18 |
C:\Users\Admin\AppData\Local\Temp\_MEI49842\libcrypto-1_1-x64.dll
| MD5 | 022a61849adab67e3a59bcf4d0f1c40b |
| SHA1 | fca2e1e8c30767c88f7ab5b42fe2bd9abb644672 |
| SHA256 | 2a57183839c3e9cc4618fb1994c40e47672a8b6daffaa76c5f89cf2542b02c2f |
| SHA512 | 94ac596181f0887af7bf02a7ce31327ad443bb7fe2d668217953e0f0c782d19296a80de965008118708afd9bda14fd8c78f49785ebf7abcc37d166b692e88246 |
C:\Users\Admin\AppData\Local\Temp\_MEI49842\libssl-1_1-x64.dll
| MD5 | 4ec3c7fe06b18086f83a18ffbb3b9b55 |
| SHA1 | 31d66ffab754fe002914bff2cf58c7381f8588d9 |
| SHA256 | 9d35d8dd9854a4d4205ae4eafe28c92f8d0e3ac7c494ac4a6a117f6e4b45170c |
| SHA512 | d53ee1f7c082a27ace38bf414529d25223c46bfae1be0a1fbe0c5eab10a7b10d23571fd9812c3be591c34059a4c0028699b4bf50736582b06a17ae1ef1b5341e |
C:\Users\Admin\AppData\Local\Temp\_MEI49842\_contextvars.pyd
| MD5 | 8f0fc15b89105f42bfa8ddd21342f046 |
| SHA1 | 3f529ac0ff13ae117c4285218526e61ab6225c94 |
| SHA256 | 94b38784f2349f803cb62abb8b8fd9f2352c9dc891acf8b3d2f1b8b745b7d79b |
| SHA512 | 17259c44804e7ba3ce2b5448ca92984e00fa9a3877edd060496f29bfbb0ade28efe122274cb79c846ab10b558eb2be0ef2012ce3bfe6137aed44f8267bff1eb6 |
C:\Users\Admin\AppData\Local\Temp\_MEI49842\_asyncio.pyd
| MD5 | 5a1e2e1e7528c9622b8c1eafb80a71e1 |
| SHA1 | 4fd36047b09532261db3cd8a344d01a9a22f58c3 |
| SHA256 | 24a0be8d4c4c6260720f89e0a99840305f182d06220306c70785a1bfc8903bb4 |
| SHA512 | 3d1401c5ccc0baea580d73c12d49bd751d344de837cf937b3482ffdb5070d8481b80070f9d74e6c2c237101b8401e56ae6a34674d954316adea8aa562022e31b |
C:\Users\Admin\AppData\Local\Temp\_MEI49842\_overlapped.pyd
| MD5 | cac4ea23441ac5658dda2e0a48013826 |
| SHA1 | 53a46f8ed71501acde7d4f09aef57e32e5ceeb9c |
| SHA256 | 2d30cd0be4a129a88fba368c0b14957905b3112869c8133b8f7e78dcf7edf1e9 |
| SHA512 | aed87e075607bc83b12a7d2f614325566ec8438bfef4194141312aaf649521e26b3e609b565c84ddb9847c2bd632f569ffba1cbb91c973b4696162bafef22d11 |
C:\Users\Admin\AppData\Local\Temp\_MEI49842\_hashlib.pyd
| MD5 | c3b19ad5381b9832e313a448de7c5210 |
| SHA1 | 51777d53e1ea5592efede1ed349418345b55f367 |
| SHA256 | bdf4a536f783958357d2e0055debdc3cf7790ee28beb286452eec0354a346bdc |
| SHA512 | 7f8d3b79a58612e850d18e8952d14793e974483c688b5daee217baaa83120fd50d1e036ca4a1b59d748b22951744377257d2a8f094a4b4de1f79fecd4bf06afb |
C:\Users\Admin\AppData\Local\Temp\_MEI49842\unicodedata.pyd
| MD5 | 7d1f105cf81820bb6d0962b669897dde |
| SHA1 | 6c4897147c05c6d6da98dd969bf84e12cc5682be |
| SHA256 | 71b13fd922190081d3aeec8628bd72858cc69ee553e16bf3da412f535108d0e4 |
| SHA512 | 7546c3afb0440dc0e4c0f24d7b145a4f162cda72068cc51f7dc1a644454b645c0b3c954920c489b0748ba4c1ea2c34e86ba2565770e08077c2fdd02fd237f9d3 |
C:\Users\Admin\AppData\Local\Temp\_MEI49842\yarl\_quoting_c.cp37-win_amd64.pyd
| MD5 | 027ad0c0dc4689bcf18c1ec6fd9a66f5 |
| SHA1 | 7d07692445559f3164c4df2dd22dba3196404f7e |
| SHA256 | 5264fcff96ca9558663e9cbe649a11d9261859f7d9056775694a0452c6c11845 |
| SHA512 | d4d66d00303d457a72b306711b83d8d5c18be9ea99b02bc1250246052a001e02273937d6fcd2408a563defb8119922477aad718186b903b15cc45f57cfec77ed |
C:\Users\Admin\AppData\Local\Temp\_MEI49842\multidict\_multidict.cp37-win_amd64.pyd
| MD5 | 9f6d47335dbda0939aedc3488de73c4a |
| SHA1 | 072b778c78bd81445a138b996713fed909c21b4e |
| SHA256 | a874aa34a46df245bfc6c5ef5b213deca84e8e051c4f022b2f0463f12b6da56f |
| SHA512 | eb3d383d84e84edde4d9f8eb783e66053c00832912402c6e7b07b22795e7efc6755c583484be1112eb42a1bb99efb1b31785e3a17c2efbe9bdce46eec7dd62ad |
C:\Users\Admin\AppData\Local\Temp\_MEI49842\aiohttp\_helpers.cp37-win_amd64.pyd
| MD5 | 9d99f86fe345bb9941d19a2c551cd88f |
| SHA1 | 3f78ad04c8b160291ee0a35691609400ee83be9d |
| SHA256 | 0575c621abb17eaaf6914dc5e1415da453d89c5e4ce0ee45c14832bc425e8b3b |
| SHA512 | 2ef0486671d62d37cf58f619b1cffa79de3d9bb07c4e71433b008d74fd8d0354e5a3971443b49c9c45c99150084dabbe50448835b61db681f789d617a8b83106 |
C:\Users\Admin\AppData\Local\Temp\_MEI49842\aiohttp\_http_parser.cp37-win_amd64.pyd
| MD5 | 71b5fe49956eb00e5c5276859bb0f47e |
| SHA1 | ad3db646b9c1ca0522e3e33d413ff35dc293cce5 |
| SHA256 | 296a86f86018c9c868b7bb39ac1e29852cceba1623295994d8fc515335cf0545 |
| SHA512 | fded64ff6ead27af41a61ca4ac77bb38368561f4bfdcd643bd36a4f7ab6daad0dcd5f0afdefa3a191cc901f8fd7ad641e7bbc9d26f30d3ffa22c9bea4f3071f2 |
C:\Users\Admin\AppData\Local\Temp\_MEI49842\aiohttp\_http_writer.cp37-win_amd64.pyd
| MD5 | 7c8fd7f58b435e40a86eabf68949f512 |
| SHA1 | c559c7395e429d5039ca915070400c5acd358e6a |
| SHA256 | debb0e712b1b6fb98ce65094ab564309b962271c6b6a13da24a0bfd5d3a32b1e |
| SHA512 | f57b37c272b0ea6a3a1a6bcf1b52ced9574cddf5422b05c387e75d256b39c29805399ed63ec633c047f085192d6284a4818a58fe5c6fe716d71e535919060d09 |
C:\Users\Admin\AppData\Local\Temp\_MEI49842\aiohttp\_websocket.cp37-win_amd64.pyd
| MD5 | 1f0b4e75ed11d6a355f9873e8b8f420b |
| SHA1 | 9aa2f378f278fa0d72788463d902c30ec57192c5 |
| SHA256 | b44aa794b88eecc2699383dad0319dafbd031e0ee2edef15965134808443ea5a |
| SHA512 | a5a824001a106fcbaa56eab92364f61817323e8ca78715b45622103955c1a17ae32068fcdd06a29a1c1da74e99bb780700fe03e80e9fef70225e03080d764908 |
C:\Users\Admin\AppData\Local\Temp\_MEI49842\aiohttp\_frozenlist.cp37-win_amd64.pyd
| MD5 | 3a044a2e7e7482bd4c4119d15eb807b7 |
| SHA1 | 3a329ad1ef246a5c47920ebd9a9b6b72d6ce95ed |
| SHA256 | bac33e0f292483046c9aa01c5a4d86f68f2c3ab4240845c65756158ce393390b |
| SHA512 | 2df1400d1f22e3b0a236eba056ad88b272a547b9813ef71298434a6a4992f5e5d568bdf35b2e16af453cf05cfbb8024b60eee3171f6eaa32f2ca3d6b661a55e8 |
C:\Users\Admin\AppData\Local\Temp\_MEI49842\_queue.pyd
| MD5 | 2325dab36242fc732c85914ab7ce25af |
| SHA1 | b4a81b312b6e037a0aa4a2e2de5e331cb2803648 |
| SHA256 | 2ffa512a2a369ccd3713419c6d4e36c2bd5d1967e046663d721d7e7ac9e4ab59 |
| SHA512 | 13f92c90a81f5dfbc15cadfd31dbc30b5c72c93dc7ad057f4b211388c3a57ab070bd25c0f1212173a0772972b2d3aa2caedbfb7e3513ffc0d83a15dbc9198b87 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-21 16:58
Reported
2024-05-21 17:01
Platform
win10v2004-20240426-en
Max time kernel
129s
Max time network
99s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\nigger.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | N/A | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| NL | 23.62.61.72:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 72.61.62.23.in-addr.arpa | udp |