Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
6Static
static
3NightyGo.rar
windows7-x64
3NightyGo.rar
windows10-2004-x64
3NightyGo/NightyGo.exe
windows7-x64
1NightyGo/NightyGo.exe
windows10-2004-x64
1NightyGo/config.json
windows7-x64
3NightyGo/config.json
windows10-2004-x64
3NightyGo/d...nd.mp3
windows7-x64
1NightyGo/d...nd.mp3
windows10-2004-x64
6Analysis
-
max time kernel
79s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
04/07/2024, 12:57
Static task
static1
Behavioral task
behavioral1
Sample
NightyGo.rar
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
NightyGo.rar
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
NightyGo/NightyGo.exe
Resource
win7-20240508-en
Behavioral task
behavioral4
Sample
NightyGo/NightyGo.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
NightyGo/config.json
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
NightyGo/config.json
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
NightyGo/data/nitrosound.mp3
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
NightyGo/data/nitrosound.mp3
Resource
win10v2004-20240508-en
General
-
Target
NightyGo/data/nitrosound.mp3
-
Size
8KB
-
MD5
812c7504df40d796245774dce0e6c85c
-
SHA1
6c1c3bb3ce138b29a2681af9e6b6dbaab80e1e47
-
SHA256
3b8d47c95911247ffcdbb44fe1111852d447cfef21ed9dd52e72577671e531f3
-
SHA512
e8cb13c6e81c9df4052af65357574ddf8f71f6c4400b3eea95f617471375be2f91ac1706da6edf12fcce9d7ea09deda83747fef56b4ed93b6ff95920c3fa5ddc
-
SSDEEP
192:QCsw5oFc5mypvMcYkYP9Y6fFqztAeQSXrPs7ZApBh3:5srFSpvMDr9TwtAeQWPs783
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\T: unregmp2.exe File opened (read-only) \??\U: unregmp2.exe File opened (read-only) \??\E: unregmp2.exe File opened (read-only) \??\H: unregmp2.exe File opened (read-only) \??\L: unregmp2.exe File opened (read-only) \??\V: unregmp2.exe File opened (read-only) \??\W: unregmp2.exe File opened (read-only) \??\A: unregmp2.exe File opened (read-only) \??\B: unregmp2.exe File opened (read-only) \??\N: unregmp2.exe File opened (read-only) \??\P: unregmp2.exe File opened (read-only) \??\R: unregmp2.exe File opened (read-only) \??\S: unregmp2.exe File opened (read-only) \??\X: unregmp2.exe File opened (read-only) \??\Y: unregmp2.exe File opened (read-only) \??\G: unregmp2.exe File opened (read-only) \??\J: unregmp2.exe File opened (read-only) \??\M: unregmp2.exe File opened (read-only) \??\O: unregmp2.exe File opened (read-only) \??\Q: unregmp2.exe File opened (read-only) \??\Z: unregmp2.exe File opened (read-only) \??\I: unregmp2.exe File opened (read-only) \??\K: unregmp2.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeShutdownPrivilege 404 unregmp2.exe Token: SeCreatePagefilePrivilege 404 unregmp2.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 3864 wrote to memory of 4972 3864 wmplayer.exe 80 PID 3864 wrote to memory of 4972 3864 wmplayer.exe 80 PID 3864 wrote to memory of 4972 3864 wmplayer.exe 80 PID 3864 wrote to memory of 4044 3864 wmplayer.exe 81 PID 3864 wrote to memory of 4044 3864 wmplayer.exe 81 PID 3864 wrote to memory of 4044 3864 wmplayer.exe 81 PID 4044 wrote to memory of 404 4044 unregmp2.exe 82 PID 4044 wrote to memory of 404 4044 unregmp2.exe 82
Processes
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\NightyGo\data\nitrosound.mp3"1⤵
- Suspicious use of WriteProcessMemory
PID:3864 -
C:\Program Files (x86)\Windows Media Player\setup_wm.exe"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\NightyGo\data\nitrosound.mp3"2⤵PID:4972
-
-
C:\Windows\SysWOW64\unregmp2.exe"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon2⤵
- Suspicious use of WriteProcessMemory
PID:4044 -
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:404
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
512KB
MD5946f3d332664c951e4220b6529c08cf4
SHA18cef2495aeb0b14c503c53fe51282e7bdfa487a1
SHA256def03bbc743e3f1f8e1e7c235e05180fd3501857547d59eac77034bb17f54d16
SHA512a6ed17d51b299c250d9b50385e5a0c7c35dc388062d3d448fd2d55a001928518fb18f84a38a692af85d8f4b40b5e3a767724a0060702c842ac0bf8f83f9a67bc
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
1KB
MD54b6c612a43e335d0563a9db61e135246
SHA140cb8e118cd50cfb72ece203fe809f90661f5f57
SHA256f9f733291c729b8a685436d5cd0b403b602ff4c23752ac7e6fbc153e7800e7e5
SHA512dc6596b01cb3daad8b3f0d1d323698214c1f744227ae4507a766d348a08245602b9dfa2c51d37f79e4ebda5be93ca8c4a1dba5539e7051a0d6be73b962a86c46