Analysis Overview
SHA256
92c041e2edd75efa5104ee6ed9848725605fd3b95c0f0412ddc2342f3348fe96
Threat Level: Known bad
The file NIGGGER.exe was found to be: Known bad.
Malicious Activity Summary
Xworm family
Detect Xworm Payload
Xworm
Drops startup file
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-27 23:39
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-27 23:39
Reported
2024-05-27 23:42
Platform
win7-20240419-en
Max time kernel
52s
Max time network
150s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\NIGGGER.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\NIGGGER.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" | C:\Users\Admin\AppData\Local\Temp\NIGGGER.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NIGGGER.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NIGGGER.exe
"C:\Users\Admin\AppData\Local\Temp\NIGGGER.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef30c9758,0x7fef30c9768,0x7fef30c9778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1176 --field-trial-handle=1384,i,3223027847720711380,10921134687120822,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1536 --field-trial-handle=1384,i,3223027847720711380,10921134687120822,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1384,i,3223027847720711380,10921134687120822,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2264 --field-trial-handle=1384,i,3223027847720711380,10921134687120822,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2276 --field-trial-handle=1384,i,3223027847720711380,10921134687120822,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1708 --field-trial-handle=1384,i,3223027847720711380,10921134687120822,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1412 --field-trial-handle=1384,i,3223027847720711380,10921134687120822,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3340 --field-trial-handle=1384,i,3223027847720711380,10921134687120822,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3380 --field-trial-handle=1384,i,3223027847720711380,10921134687120822,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3232 --field-trial-handle=1384,i,3223027847720711380,10921134687120822,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3844 --field-trial-handle=1384,i,3223027847720711380,10921134687120822,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3804 --field-trial-handle=1384,i,3223027847720711380,10921134687120822,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3768 --field-trial-handle=1384,i,3223027847720711380,10921134687120822,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 --field-trial-handle=1384,i,3223027847720711380,10921134687120822,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 --field-trial-handle=1384,i,3223027847720711380,10921134687120822,131072 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.google.com | udp |
| FR | 172.217.20.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| FR | 142.250.178.142:443 | apis.google.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| FR | 172.217.20.174:443 | play.google.com | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 147.185.221.19:60312 | N/A | tcp |
| FR | 172.217.20.196:443 | www.google.com | udp |
| FR | 172.217.20.174:443 | play.google.com | udp |
| US | 147.185.221.19:60312 | N/A | tcp |
| US | 147.185.221.19:60312 | N/A | tcp |
| FR | 172.217.20.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
| FR | 216.58.215.35:443 | beacons.gcp.gvt2.com | tcp |
| US | 8.8.8.8:53 | id.google.com | udp |
| FR | 142.250.75.227:443 | id.google.com | tcp |
| FR | 172.217.20.174:443 | play.google.com | udp |
| US | 147.185.221.19:60312 | N/A | tcp |
Files
memory/2204-0-0x000007FEF6063000-0x000007FEF6064000-memory.dmp
memory/2204-1-0x0000000000130000-0x0000000000140000-memory.dmp
\??\pipe\crashpad_1508_SECOJYPJKHNSEZBC
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
memory/2204-71-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 763eb7a625b3d4751073060ceea558f8 |
| SHA1 | 22f0fc8cca2692b7d91cf063e1fecfdaaea38d92 |
| SHA256 | 9630c23d9435b262bc042f79388a381d3bcb35d58903d1b437c95066eebfdfa4 |
| SHA512 | 278a896b8b1ee1025c4b34462dd098cdf7bf03cb2d09c767f39f645d7eb28d2f4796138d34d3b088bdebea1bafc3d3bf4f23f5327ab48146dd2704b63a7dc587 |
memory/2204-99-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp
memory/2204-154-0x0000000000320000-0x000000000032C000-memory.dmp
memory/2204-155-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 2e7ee6124bd07acb5dd9dac2ac14d013 |
| SHA1 | 3272f066e5cf46cd8ab86e5e67414903880bba36 |
| SHA256 | 80c35d3cd5b5589f26040e217f660f73ebb1a63758e0dad543b72c71f3d10081 |
| SHA512 | f0c6dd9070bc9a133875a38557b869aad589d04631220796b94342fd1f33da9f611d31a69192be6dc11399956f26e29f04f741d8657783ebd7d50b84690ef96b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 4ec6f5abe4c4b817ef95c8a2e87e62d0 |
| SHA1 | 3fbbc76697551a252fa5d7882bef000d8a8e2db0 |
| SHA256 | ed7dea0509d88a52deaf4b13a3a3d411475d50c2d3467669d132c321a90cd434 |
| SHA512 | fb590aa2f132b29689d85fa133811b7cfc8a9de51af2d5b74510e522e755878019a08b08ef46154ed0ff548c8cabe7a10496e6903566f8f98fd2dd7bf6ccfa22 |
memory/2204-178-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | d2156741ddee0f5150211dd49f34b4d7 |
| SHA1 | 40283d05c05133e7b21112c08ab0206667cbe314 |
| SHA256 | 5556b383837636609f1884d2ad7d07a58cbbf94e8cdc83c07555c58b4c1d4314 |
| SHA512 | 21d72fd8ba82a9ac93da55a85ca7c553f51ba0f622877ab79b5a66fadfd6571ff8d3cff489a05adc0a99a28a87c2a08a49243348622416a0b3874c97788c8a85 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\fa3b4398-1cbe-4df3-bc7e-1c79d8a3b427.tmp
| MD5 | 4e8fd83279a92d7f8d65079adaf71b58 |
| SHA1 | 17bf4ba89ef52174df4d1e173b6aa41216eb1f20 |
| SHA256 | 55485c2afd6fd98058edb82c7ee117b0526cfc6fa9a7c2b07325496f635d9318 |
| SHA512 | 2704bee33c14e3ae4f007856c6b425f051b07e62f8342dde08d3e02fc3c682780c0085d15f99b1743061ae98be26996435ce07cca0508c29ebf4a6b1289a4144 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 2328d45d4468077c90a6105288a9c6e8 |
| SHA1 | 4afcbd53b69ab479bc3ab3b09871b8e1fbdb7869 |
| SHA256 | 7f58b5cc72bd1aa47a78c24261e27276f030e3de92d0b529c56c60bf1d4017e5 |
| SHA512 | 871caf03f8f9c20240b8df2a59ea902845248a7dfc98ee1281ce43cb272778127c0a8e1376e0b053c2ef1d115b7c47a39125384a21c6869929ba5d7479a49e4c |
memory/2204-214-0x00000000002B0000-0x00000000002BA000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 3adb09d2d8dd5bbc9e3e662898ae080f |
| SHA1 | 6353b8b2ffd990ed978b59b04617421e80c021d9 |
| SHA256 | 0422a8a8e3ddb6012ee2d5ababc95a76336ce9fa2fbfba9d8bb81321d4cda396 |
| SHA512 | e94d931e866658bf49c172b793c85f8bd14dc5cc588b04c7e1004c720d56bd4e6638465fd195a3403a57f6672b840b9284bdbf99c5b310f0738ef8401e33a20d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 013ad00ad17a318b6827fab22bf40b12 |
| SHA1 | 734d482a9008fc4008c10b8d08020680e8222034 |
| SHA256 | fa42fd34ef735193fbe0122ad5933d0a265ee339d8be65d36f0c1fbd59bfaee7 |
| SHA512 | a22b32f1a569ce50bff841c67fd2fb0c62172589439db8d4870e83299e675c09106f40a5c3a3169e06114b506e8d385d02014881d0e694256d5015318c93667e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | a7d5b638373bf75e3bfbeee7a8f15c0c |
| SHA1 | 1f005df5c6ac8d4380feccbf136abc7d94845261 |
| SHA256 | c4b25502e2edbbb0a3c58ffa31d9df6eef0d97a926d06cb8a13da9b1ed10907d |
| SHA512 | cdea6adb434b1c68e8bdf6f5c2a3d8d6fadb2940ab5edfa7f241eb5292fee4c76cc067e96a94215aed6339f7fbf51d6562f76aa6d4b144432757ca4d735e6979 |
memory/2204-274-0x0000000000370000-0x000000000037C000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 5975ac12466456744b721db8ab815a20 |
| SHA1 | 84aa85ee8bdab95cc4eb86e4b1df26d925dfa90b |
| SHA256 | 8cbd22dc88de0535d488dd79a74787518af101c20545ccc6877a56c8781ab7a5 |
| SHA512 | 5a531a433857afc366fa6e94170d8a8153825d37b5995412002c2ff94f92b137c09134bb5b3dcf6f3541a80edab986c90632eaaefd9f8ac06f1006832a3bc590 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\98e6bb88-0c23-4864-a208-2a0f4a91d800.tmp
| MD5 | a53b14ac987be2e220929d3eaf92cacb |
| SHA1 | e66965d35dac3222e81fe23ba045465d69e6d6dd |
| SHA256 | 29f11702f6ea76384c4f2aca295101b231141bdb32b13eb9ec552a397951260d |
| SHA512 | fb5f14e7d83cc5ff64b62f610d2dce948ef4358056bd187dd24f676004d23c857097de0f4d879ea5d5d27347e6343aa4c34e911925437538b46124e830861fa0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-27 23:39
Reported
2024-05-27 23:42
Platform
win10v2004-20240508-en
Max time kernel
132s
Max time network
149s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\NIGGGER.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | C:\Users\Admin\AppData\Local\Temp\NIGGGER.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" | C:\Users\Admin\AppData\Local\Temp\NIGGGER.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NIGGGER.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NIGGGER.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NIGGGER.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NIGGGER.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NIGGGER.exe | N/A |
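The same three indicators are hit in both behavioral1 and behavioral2: a shortcut dropped into the user's Startup folder, a HKCU Run value pointing at an executable under AppData\Roaming, and a pastebin.com lookup that is followed in the network table by a TCP connection to a bare IP on a high port. The block below is an added detection example written for this page; it is not part of the sandbox's own signatures and not code from the report. It uses Sysmon field names (EventID 13 registry value set, 11 file create, 22 DNS query, 3 network connect), and the event records are constructed to mirror the report's indicators. Treating the pastebin lookup plus raw-IP connection as a dead-drop resolver pattern is an interpretation; the report does not show what was fetched from pastebin.

```python
"""
Added example (not part of the sandbox report): detection logic for the three
behaviours the report flags, run over constructed Sysmon-style event records.
EventID 13 = RegistryEvent value set, 11 = FileCreate, 22 = DnsQuery,
3 = NetworkConnect. The events themselves are made up for the example.
"""
import re
from typing import Dict, List, Tuple

# Run/RunOnce under any hive; the report shows both "Software" and "SOFTWARE".
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\", re.I)
PASTE_SITES = {"pastebin.com"}   # assumption: extend with other dead-drop hosts as needed
BENIGN_PORTS = {80, 443}


def normalize_reg_data(data: str) -> str:
    """Strip the quoting and doubled backslashes a sandbox/Sysmon applies to a REG_SZ value."""
    data = data.strip().strip('"')
    return data.replace("\\\\", "\\")


def detect(events: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (rule, image, indicator) findings for the event stream, in event order."""
    findings: List[Tuple[str, str, str]] = []
    paste_lookups = set()        # images that queried a paste site
    resolved: Dict[str, set] = {}  # image -> IPs returned to that image by DNS
    for ev in events:
        eid, image = ev["EventID"], ev["Image"]
        if eid == 13 and RUN_KEY_RE.search(ev["TargetObject"]):
            target = normalize_reg_data(ev["Details"])
            # Run values that point into a user-writable profile dir are the suspicious ones.
            if USER_WRITABLE_RE.match(target):
                findings.append(("persistence.run_key_user_dir", image,
                                 f'{ev["TargetObject"]} -> {target}'))
        elif eid == 11:
            name = ev["TargetFilename"]
            if STARTUP_DIR_RE.search(name) and name.lower().endswith(".lnk"):
                findings.append(("persistence.startup_lnk", image, name))
        elif eid == 22:
            if ev["QueryName"].lower() in PASTE_SITES:
                paste_lookups.add(image)
            resolved.setdefault(image, set()).update(ev.get("QueryResults", []))
        elif eid == 3 and ev["Initiated"]:
            ip, port = ev["DestinationIp"], int(ev["DestinationPort"])
            # A process that just read a paste site and then connects to an IP it never
            # resolved, on a non-web port, matches the dead-drop resolver pattern.
            if image in paste_lookups and ip not in resolved.get(image, set()) \
                    and port not in BENIGN_PORTS:
                findings.append(("c2.dead_drop_then_raw_ip", image, f"{ip}:{port}"))
    return findings


# Constructed events mirroring the report's behavioral1 indicators, plus benign noise.
MALWARE = r"C:\Users\Admin\AppData\Local\Temp\NIGGGER.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": MALWARE,
     "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk"},
    {"EventID": 13, "Image": MALWARE,
     "TargetObject": r"HKU\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient",
     "Details": r'"C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"'},
    {"EventID": 22, "Image": MALWARE, "QueryName": "pastebin.com", "QueryResults": ["104.20.4.235"]},
    {"EventID": 3, "Image": MALWARE, "Initiated": True, "DestinationIp": "104.20.4.235", "DestinationPort": 443},
    {"EventID": 3, "Image": MALWARE, "Initiated": True, "DestinationIp": "147.185.221.19", "DestinationPort": 60312},
    # Benign: a browser resolving then connecting, and a vendor Run value under Program Files.
    {"EventID": 22, "Image": CHROME, "QueryName": "www.google.com", "QueryResults": ["172.217.20.196"]},
    {"EventID": 3, "Image": CHROME, "Initiated": True, "DestinationIp": "172.217.20.196", "DestinationPort": 443},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r'"C:\Program Files\Vendor\agent.exe"'},
]

if __name__ == "__main__":
    for rule, image, indicator in detect(SAMPLE_EVENTS):
        print(f"{rule:32} {image}\n{'':32} {indicator}")
```

Only the three malicious events fire; the browser's normal resolve-then-connect and the vendor Run value under Program Files do not. In a real deployment the Run-key rule should also cover HKLM values pointing into user-writable paths, and the `resolved` map should expire entries rather than grow forever.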
Processes
C:\Users\Admin\AppData\Local\Temp\NIGGGER.exe
"C:\Users\Admin\AppData\Local\Temp\NIGGGER.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=4024 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 147.185.221.19:60312 | N/A | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/2500-0-0x00007FF94B923000-0x00007FF94B925000-memory.dmp
memory/2500-1-0x0000000000B00000-0x0000000000B10000-memory.dmp
memory/2500-6-0x00007FF94B920000-0x00007FF94C3E1000-memory.dmp
memory/2500-7-0x00007FF94B923000-0x00007FF94B925000-memory.dmp
memory/2500-8-0x00007FF94B920000-0x00007FF94C3E1000-memory.dmp