Analysis
-
max time kernel
56s -
max time network
41s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250314-en locale:en-us os:windows10-2004-x64 system -
submitted
29/03/2025, 19:48
Behavioral task
behavioral1
Sample
nigga.exe
Resource
win7-20240903-en
General
-
Target
nigga.exe
-
Size
47KB
-
MD5
3a89fa04e508172538fb62323065d621
-
SHA1
7a8e7fb80e4919630dc1780916d4f385975942bd
-
SHA256
9a4798fb51cd9ab16766be2172b208e2bed0fb59787058c25dfa2e26e4918f37
-
SHA512
554c60aebe07e992f496cfdbee506186089560d468b5e4bb00b16bc7191ee541081f6c9c6c7e79c43cc0c21fe668fbdf113edd0c93bdd8671f67cf2b4cd6a230
-
SSDEEP
768:QAUR8bIL+Cyq+DikcPoAil2YbbgefXzERTvEgK/JXZVc6KN:QPIeLPONbkvnkJXZVclN
Malware Config
Extracted
asyncrat
1.0.7
Default
127.0.0.1:8848
DcRatMutex_qwqdanchun
-
delay
1
-
install
true
-
install_file
taskmgr.exe
-
install_folder
%AppData%
Signatures
-
Asyncrat family
-
Async RAT payload 1 IoCs
resource | yara_rule
behavioral2/files/0x00080000000217a5-10.dat | family_asyncrat
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | nigga.exe
-
Executes dropped EXE 1 IoCs
pid | Process
2984 | taskmgr.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
pid | Process
4920 | timeout.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1440 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
pid | Process
6132 | nigga.exe (same entry logged 23 times)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 6132 | nigga.exe
Token: SeDebugPrivilege | 2984 | taskmgr.exe
-
Suspicious use of WriteProcessMemory 10 IoCs
description | pid | Process | procid_target
PID 6132 wrote to memory of 2284 | 6132 | nigga.exe | 90
PID 6132 wrote to memory of 2284 | 6132 | nigga.exe | 90
PID 6132 wrote to memory of 4472 | 6132 | nigga.exe | 92
PID 6132 wrote to memory of 4472 | 6132 | nigga.exe | 92
PID 2284 wrote to memory of 1440 | 2284 | cmd.exe | 94
PID 2284 wrote to memory of 1440 | 2284 | cmd.exe | 94
PID 4472 wrote to memory of 4920 | 4472 | cmd.exe | 95
PID 4472 wrote to memory of 4920 | 4472 | cmd.exe | 95
PID 4472 wrote to memory of 2984 | 4472 | cmd.exe | 100
PID 4472 wrote to memory of 2984 | 4472 | cmd.exe | 100
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\nigga.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\nigga.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:6132

  C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "taskmgr" /tr '"C:\Users\Admin\AppData\Roaming\taskmgr.exe"' & exit
    - Suspicious use of WriteProcessMemory
    PID:2284

    C:\Windows\system32\schtasks.exe
      command line: schtasks /create /f /sc onlogon /rl highest /tn "taskmgr" /tr '"C:\Users\Admin\AppData\Roaming\taskmgr.exe"'
      - Scheduled Task/Job: Scheduled Task
      PID:1440

  C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6CD3.tmp.bat""
    - Suspicious use of WriteProcessMemory
    PID:4472

    C:\Windows\system32\timeout.exe
      command line: timeout 3
      - Delays execution with timeout.exe
      PID:4920

    C:\Users\Admin\AppData\Roaming\taskmgr.exe
      command line: "C:\Users\Admin\AppData\Roaming\taskmgr.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:2984
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
151B
MD5
85408b558d32ebd00db511393115e751
SHA1
4cec0d5a960f0a690e80701376ba90e572b500bb
SHA256
0fea9380ee337fa227d5f6db3e46cd0dcca74b40aef6d9dcbbe478501ace773a
SHA512
a19a4a8374f323fc1ff0808618a135d128c45dd9ebee105724e73a5b99acd37bc80d8aba0966c3b62c81e967cef954d8448857ab2af2658f83b8119886d8d11d
-
Filesize
47KB
MD5
3a89fa04e508172538fb62323065d621
SHA1
7a8e7fb80e4919630dc1780916d4f385975942bd
SHA256
9a4798fb51cd9ab16766be2172b208e2bed0fb59787058c25dfa2e26e4918f37
SHA512
554c60aebe07e992f496cfdbee506186089560d468b5e4bb00b16bc7191ee541081f6c9c6c7e79c43cc0c21fe668fbdf113edd0c93bdd8671f67cf2b4cd6a230