a6560d7ca0aa6cd9fed35b053740140b7f57c89a63b5f965aa2f2be3beab3501

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20-08-2024 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nighty-Selfbot-main/Nighty.py
Size

403KB
MD5

9df79fdef09b4cac5612a5a5eeb2cdef
SHA1

da120d8235a4b874547c4e230a5b85af5a24e335
SHA256

2f3191a89989584127d4194cf625facbd9d1fb4378085fbf5556f3fc8294be3c
SHA512

a875a28ce6a6dabbd0274f48754b4e8978c362081202e89894ce43783a74102996f200e9f18835ef1b5665e056fbb81ad3670987297d3f7774da36184b79ec64
SSDEEP

3072:87IPebDivUK5pBNA2F3OzqY3nXkk50EGn5kGzq:QK5pBPd45CniG2

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\py_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.py	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\py_auto_file	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2876	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2876	AcroRd32.exe
2876	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 2868	1572	cmd.exe	31
PID 1572 wrote to memory of 2868	1572	cmd.exe	31
PID 1572 wrote to memory of 2868	1572	cmd.exe	31
PID 2868 wrote to memory of 2876	2868	rundll32.exe	33
PID 2868 wrote to memory of 2876	2868	rundll32.exe	33
PID 2868 wrote to memory of 2876	2868	rundll32.exe	33
PID 2868 wrote to memory of 2876	2868	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Nighty-Selfbot-main\Nighty.py
1⤵
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Nighty-Selfbot-main\Nighty.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Nighty-Selfbot-main\Nighty.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
631fb3eb89bc4fb7cfc96f9b1d4a6ead

SHA1
e20eec014d30ee9f173d182f215db6b9c8490f1f

SHA256
5e8374b225a58a794604d0a5c65acccdc712781eaa5d678d20198ec7f47aa542

SHA512
55a2b4d70c2e8c066ce01dfc4a980b5470ae996569d394bde7de998cb6335c2776143bf914b6f4f7adb511898986ded9b6c6fb53ccc6d57ead3a387a28c32bff

Download Submit