Resubmissions
Submitted          Task ID             Score
15-06-2024 04:04   240615-em1efsycrd   9
15-06-2024 04:02   240615-ematssscrr   9
15-06-2024 04:00   240615-eksa3ascnj   3
15-06-2024 03:58   240615-ejj83ascjr   9
Analysis
max time kernel: 121s
max time network: 121s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 15-06-2024 04:00
Static task: static1
Behavioral task: behavioral1   Sample: NiggaSploit.gz                      Resource: win7-20240508-en
Behavioral task: behavioral2   Sample: NiggaSploit.gz                      Resource: win10v2004-20240508-en
Behavioral task: behavioral3   Sample: sample.tar                          Resource: win7-20240221-en
Behavioral task: behavioral4   Sample: sample.tar                          Resource: win10v2004-20240611-en
Behavioral task: behavioral5   Sample: SolaraB2/SolaraBootstrapper.exe     Resource: win7-20240508-en
Behavioral task: behavioral6   Sample: SolaraB2/SolaraBootstrapper.exe     Resource: win10v2004-20240508-en
General
Target: NiggaSploit.gz
Size: 278KB
MD5: fb44663383577e72cb1d59c6a16adfe2
SHA1: 1c33fffe182c18a17cc6fc1f6fe4a89bead052ed
SHA256: 1590e2efd5142338b56790e0bd492b5c117078dc60cfcb57c77127839acfd0e9
SHA512: 18e5b619a527b835cf122c024dbb974eed0078e6fc4ae697b880b2e45476a3dc56523c2c4bad334f915b1db97988b80c34769af6443f77e77437a7c68c8f4cc2
SSDEEP: 6144:SAsnviz4uS0NLr42O0Lo7c94nLbr+oUKkBDV6MfmAP:SAoq8uS0ZGI+n/r+TDsMfmk
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (2 IoCs)
  Processes: rundll32.exe, rundll32.exe
  ioc                                                                                              process
  Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings  rundll32.exe
  Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings  rundll32.exe

Opens file in notepad (likely ransom note) (1 IoCs)
  Processes: NOTEPAD.EXE
  pid    process
  2540   NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: rundll32.exe
  pid    process
  2616   rundll32.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: cmd.exe, rundll32.exe, rundll32.exe
  description                         pid    process        target process
  PID 352 wrote to memory of 2632     352    cmd.exe        rundll32.exe
  PID 352 wrote to memory of 2632     352    cmd.exe        rundll32.exe
  PID 352 wrote to memory of 2632     352    cmd.exe        rundll32.exe
  PID 2632 wrote to memory of 2616    2632   rundll32.exe   rundll32.exe
  PID 2632 wrote to memory of 2616    2632   rundll32.exe   rundll32.exe
  PID 2632 wrote to memory of 2616    2632   rundll32.exe   rundll32.exe
  PID 2616 wrote to memory of 2540    2616   rundll32.exe   NOTEPAD.EXE
  PID 2616 wrote to memory of 2540    2616   rundll32.exe   NOTEPAD.EXE
  PID 2616 wrote to memory of 2540    2616   rundll32.exe   NOTEPAD.EXE
Processes
C:\Windows\system32\cmd.exe  (PID 352, depth 1)
    cmd /c C:\Users\Admin\AppData\Local\Temp\NiggaSploit.gz
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\rundll32.exe  (PID 2632, depth 2)
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\NiggaSploit.gz
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\rundll32.exe  (PID 2616, depth 3)
            "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\NiggaSploit.gz
            - Modifies registry class
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\NOTEPAD.EXE  (PID 2540, depth 4)
                "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\NiggaSploit.gz
                - Opens file in notepad (likely ransom note)

C:\Windows\explorer.exe  (PID 328, depth 1)
    "C:\Windows\explorer.exe"
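The process tree above is the shell's "Open With" fallback rather than sample behaviour: cmd /c on a .gz that has no registered handler on the Win7 image launches rundll32 with shell32.dll's OpenAs_RunDLL entry point (the Open With dialog), and the viewer the sandbox picks, Notepad here, is handed the sample path itself. The "likely ransom note" signature therefore fires on the submitted file, not on a dropped note, and the nine WriteProcessMemory entries are each a parent writing into the child it just created. The script below is an added example for this report, not Triage's code or output; it encodes those two checks over records constructed from this page's process tree, plus one hypothetical chain (a sample.exe starting Notepad on a README.txt on the desktop, invented for contrast) to show the case that should still be read as a possible ransom note.

```python
"""Tell the Windows 'Open With' fallback apart from a real ransom-note drop.

Added example for this report, not Triage's code. REPORT_TREE and REPORT_WPM
are constructed from the process tree and WriteProcessMemory entries on this
page; HYPOTHETICAL_TREE is invented for contrast.
"""
from __future__ import annotations

import ntpath
import shlex
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]  # None marks a root of the tree
    image: str
    cmdline: str


VIEWERS = {"notepad.exe", "wordpad.exe"}  # what a sandbox tends to pick in the dialog
OPEN_WITH = "shell32.dll,openas_rundll"   # the Open With dialog entry point

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\NiggaSploit.gz"
RUNDLL_OPEN_WITH = (r'"C:\Windows\system32\rundll32.exe" '
                    r"C:\Windows\system32\shell32.dll,OpenAs_RunDLL " + SAMPLE)
REPORT_TREE = [  # constructed from the process list in this report
    Proc(352, None, r"C:\Windows\system32\cmd.exe", "cmd /c " + SAMPLE),
    Proc(2632, 352, r"C:\Windows\system32\rundll32.exe", RUNDLL_OPEN_WITH),
    Proc(2616, 2632, r"C:\Windows\system32\rundll32.exe", RUNDLL_OPEN_WITH),
    Proc(2540, 2616, r"C:\Windows\system32\NOTEPAD.EXE",
         r'"C:\Windows\system32\NOTEPAD.EXE" ' + SAMPLE),
    Proc(328, None, r"C:\Windows\explorer.exe", r'"C:\Windows\explorer.exe"'),
]
# (writer pid, target pid); the report lists each edge three times.
REPORT_WPM = [(352, 2632)] * 3 + [(2632, 2616)] * 3 + [(2616, 2540)] * 3

# Hypothetical contrast case (not from this report): the sample itself starts
# Notepad on a different file than the one submitted.
HYPO_SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
HYPOTHETICAL_TREE = [
    Proc(1000, None, HYPO_SAMPLE, '"' + HYPO_SAMPLE + '"'),
    Proc(1010, 1000, r"C:\Windows\system32\NOTEPAD.EXE",
         r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\README.txt'),
]


def argv(cmdline: str) -> list[str]:
    """Split a Windows command line; posix=False keeps backslashes literal."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def same_path(a: str, b: str) -> bool:
    return ntpath.normcase(a) == ntpath.normcase(b)


def open_with_pids(tree: list[Proc], sample: str) -> list[int]:
    """rundll32 instances showing the Open With dialog for the sample."""
    out = []
    for p in tree:
        if ntpath.basename(p.image).lower() != "rundll32.exe":
            continue
        args = argv(p.cmdline)
        if (len(args) >= 3 and args[1].lower().endswith(OPEN_WITH)
                and same_path(args[-1], sample)):
            out.append(p.pid)
    return sorted(out)


def ancestors(tree: list[Proc], pid: int) -> list[int]:
    by_pid = {p.pid: p for p in tree}
    out, cur = [], by_pid.get(pid)
    while cur is not None and cur.ppid in by_pid:
        cur = by_pid[cur.ppid]
        out.append(cur.pid)
    return out


def classify(tree: list[Proc], sample: str) -> dict:
    """Viewer on the submitted file itself = fallback; on any other file = read it."""
    ow = open_with_pids(tree, sample)
    fallback, suspicious = [], []
    for p in tree:
        if ntpath.basename(p.image).lower() not in VIEWERS:
            continue
        args = argv(p.cmdline)
        if len(args) < 2:
            continue
        if same_path(args[-1], sample):
            fallback.append(p.pid)
        else:
            suspicious.append((p.pid, args[-1]))
    via_open_with = any(set(ow) & set(ancestors(tree, pid)) for pid in fallback)
    verdict = ("possible_ransom_note" if suspicious
               else "no_handler_fallback" if fallback else "none")
    return {"verdict": verdict, "open_with_pids": ow, "via_open_with": via_open_with,
            "fallback_viewers": fallback, "suspicious_opens": suspicious}


def wpm_all_parent_to_child(tree: list[Proc], writes: list[tuple[int, int]]) -> bool:
    """True when every write is a parent into its own child (process creation as an
    API monitor sees it); a write into an unrelated process is the injection case."""
    ppid = {p.pid: p.ppid for p in tree}
    return all(ppid.get(target) == writer for writer, target in writes)
```

Run `classify(REPORT_TREE, SAMPLE)` against this report and the verdict is no_handler_fallback with both rundll32 PIDs in the Open With chain; the same function on the hypothetical tree returns possible_ransom_note with the desktop file to read. Extending VIEWERS to whatever the analysis image opens unknown types with keeps the check honest on other resources.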