Overview

overview

10

Static

static

3

nigger.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-11-2024 01:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    nigger.exe

  • Size

    545KB

  • MD5

    293ed1407a6ee099dde67370c745d910

  • SHA1

    454da02a2783e2305a4b6033262dbeb04a4de2c3

  • SHA256

    9a947932b1065b67fe0cb8a2fc18c9599ffeee414affbe7ea95c27b7c054037b

  • SHA512

    f72ef62b30408005a532e38be4b1454e04563201b07612055163e81f7b0b8d7f8eb28fe649c5c940da2fbe3d8ed71d039bf34bd497f864c7b39dbefac224438a

  • SSDEEP

    6144:+Jm5QUB5HH4nWU95vV8RPeypQRISD1T7EZ7FT+CWAoYwI4NgfeTCbDnL/EXiM:j5XVU9QdeyeRu7sCWAoYINg22v

Score
10/10
persistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 4 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 41 IoCs
  • Suspicious use of SendNotifyMessage 40 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\nigger.exe
    "C:\Users\Admin\AppData\Local\Temp\nigger.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4688
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "System" /tr "C:\Windows\WindowsDefender" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5000
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "System" /tr "C:\Windows\WindowsDefender"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4976
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4748
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4312
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
      PID:1140

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
      Filesize

      64KB

      MD5

      d2fb266b97caff2086bf0fa74eddb6b2

      SHA1

      2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

      SHA256

      b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

      SHA512

      c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

      Download Submit

    • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
      Filesize

      4B

      MD5

      f49655f856acb8884cc0ace29216f511

      SHA1

      cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

      SHA256

      7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

      SHA512

      599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

      Download Submit

    • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
      Filesize

      944B

      MD5

      6bd369f7c74a28194c991ed1404da30f

      SHA1

      0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

      SHA256

      878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

      SHA512

      8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

      Download Submit

    • memory/4312-82-0x00000121414D0000-0x00000121414D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4312-73-0x00000121414D0000-0x00000121414D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4312-74-0x00000121414D0000-0x00000121414D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4312-80-0x00000121414D0000-0x00000121414D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4312-81-0x00000121414D0000-0x00000121414D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4312-83-0x00000121414D0000-0x00000121414D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4312-84-0x00000121414D0000-0x00000121414D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4312-85-0x00000121414D0000-0x00000121414D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4312-75-0x00000121414D0000-0x00000121414D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4688-1-0x0000000000E20000-0x0000000000EAE000-memory.dmp

      Filesize

      568KB

      Download

    • memory/4688-166-0x000000001E120000-0x000000001E266000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/4688-416-0x000000001CDB0000-0x000000001CDC2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4688-167-0x000000001CB20000-0x000000001CB3E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4688-165-0x000000001D690000-0x000000001D706000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4688-15-0x00007FFBAD8E3000-0x00007FFBAD8E5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4688-0-0x00007FFBAD8E3000-0x00007FFBAD8E5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4748-10-0x000001F86E500000-0x000001F86E501000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4748-11-0x000001F86E500000-0x000001F86E501000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4748-9-0x000001F86E500000-0x000001F86E501000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4748-12-0x000001F86E500000-0x000001F86E501000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4748-13-0x000001F86E500000-0x000001F86E501000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4748-14-0x000001F86E500000-0x000001F86E501000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4748-8-0x000001F86E500000-0x000001F86E501000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4748-3-0x000001F86E500000-0x000001F86E501000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4748-2-0x000001F86E500000-0x000001F86E501000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4748-4-0x000001F86E500000-0x000001F86E501000-memory.dmp

      Filesize

      4KB

      Download