Analysis Overview
SHA256
1590e2efd5142338b56790e0bd492b5c117078dc60cfcb57c77127839acfd0e9
Threat Level: Likely benign
The file NiggaSploit.targz was found to be: Likely benign.
Malicious Activity Summary
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-15 04:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-15 04:00
Reported
2024-06-15 04:03
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\SolaraB2\SolaraBootstrapper.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraB2\SolaraBootstrapper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraB2\SolaraBootstrapper.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraB2\SolaraBootstrapper.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\SolaraB2\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB2\SolaraBootstrapper.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1200 -ip 1200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 1444
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.nodejs.org | udp |
Files
memory/1200-0-0x0000000074FFE000-0x0000000074FFF000-memory.dmp
memory/1200-1-0x00000000006E0000-0x00000000007AE000-memory.dmp
memory/1200-2-0x0000000005630000-0x0000000005BD4000-memory.dmp
memory/1200-3-0x0000000074FF0000-0x00000000757A0000-memory.dmp
memory/1200-4-0x0000000074FF0000-0x00000000757A0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 04:00
Reported
2024-06-15 04:03
Platform
win7-20240508-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 352 wrote to memory of 2632 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 352 wrote to memory of 2632 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 352 wrote to memory of 2632 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2632 wrote to memory of 2616 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\rundll32.exe |
| PID 2632 wrote to memory of 2616 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\rundll32.exe |
| PID 2632 wrote to memory of 2616 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\rundll32.exe |
| PID 2616 wrote to memory of 2540 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 2616 wrote to memory of 2540 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 2616 wrote to memory of 2540 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\NiggaSploit.gz
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\NiggaSploit.gz
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\NiggaSploit.gz
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\NiggaSploit.gz
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-15 04:00
Reported
2024-06-15 04:03
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4156 wrote to memory of 2996 | N/A | C:\Windows\system32\OpenWith.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 4156 wrote to memory of 2996 | N/A | C:\Windows\system32\OpenWith.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\NiggaSploit.gz
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1288,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=3936 /prefetch:8
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\NiggaSploit.gz
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-15 04:00
Reported
2024-06-15 04:03
Platform
win7-20240221-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2252 wrote to memory of 2556 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
| PID 2252 wrote to memory of 2556 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
| PID 2252 wrote to memory of 2556 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\sample.tar
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\sample.tar"
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-15 04:00
Reported
2024-06-15 04:03
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\sample.tar
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-15 04:00
Reported
2024-06-15 04:03
Platform
win7-20240508-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\SolaraB2\SolaraBootstrapper.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraB2\SolaraBootstrapper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraB2\SolaraBootstrapper.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraB2\SolaraBootstrapper.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2108 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraB2\SolaraBootstrapper.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2108 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraB2\SolaraBootstrapper.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2108 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraB2\SolaraBootstrapper.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2108 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraB2\SolaraBootstrapper.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\SolaraB2\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB2\SolaraBootstrapper.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 1004
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.nodejs.org | udp |
Files
memory/2108-0-0x0000000073EBE000-0x0000000073EBF000-memory.dmp
memory/2108-1-0x00000000013C0000-0x000000000148E000-memory.dmp
memory/2108-2-0x0000000073EB0000-0x000000007459E000-memory.dmp
memory/2108-3-0x0000000073EB0000-0x000000007459E000-memory.dmp