Analysis
max time kernel: 42s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 08-10-2022 01:30
Behavioral task behavioral1
Sample: Nitro Generator.exe
Resource: win7-20220812-en
Behavioral task behavioral2
Sample: Nitro Generator.exe
Resource: win10v2004-20220812-en
General
Target: Nitro Generator.exe
Size: 42KB
MD5: f876e8abb41050c1804a7a27472539f6
SHA1: e43ac116f0960c99d9f99d4f07c1f39adc3788f1
SHA256: f4fcee629d0cff0f3ef2293353bd65945f5d022872692084a2070a2be45b6955
SHA512: 3bdd94636d7732b2714b08d92bb84850e69222f470ba34f3c82771d81b79ddc9b85419c1c4458c767f72719bedfaf2e7548835e28d1499292e77d207ffea10e9
SSDEEP: 768:NiSbjAuRHCBuZMhLfvTjMLKZKfgm3Ehat:Nt9RHCrLfvTYLF7EAt
Malware Config
Extracted family: mercurialgrabber
Extracted C2 (Discord webhook): https://discord.com/api/webhooks/1025859706373296138/RTELJNdCxYhdj6ZzM2cwNuXYgqUFjRz_CmoH5uJORXdkYOcKOXWAB79omPP_FUG0WzNG
Signatures

Mercurial Grabber Stealer
Mercurial Grabber is an open source stealer targeting Chrome, Discord and some game clients as well as generic system information.

Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
Processes:
  Key opened: \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions (process: Nitro Generator.exe)

Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
Processes:
  Key opened: \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools (process: Nitro Generator.exe)

Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: Nitro Generator.exe)

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: Nitro Generator.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (process: Nitro Generator.exe)

Program crash (1 IoC)
Processes:
  pid 2008 (WerFault.exe), target pid 864 (Nitro Generator.exe)

Checks SCSI registry key(s) (3 TTPs, 1 IoC)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S (process: Nitro Generator.exe)

Enumerates system info in registry (2 TTPs, 4 IoCs)
Processes:
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName (process: Nitro Generator.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 (process: Nitro Generator.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation (process: Nitro Generator.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer (process: Nitro Generator.exe)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  Token: SeDebugPrivilege, pid 864 (Nitro Generator.exe)

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  PID 864 (Nitro Generator.exe) wrote to memory of 2008 (WerFault.exe)
  PID 864 (Nitro Generator.exe) wrote to memory of 2008 (WerFault.exe)
  PID 864 (Nitro Generator.exe) wrote to memory of 2008 (WerFault.exe)
Processes

1. C:\Users\Admin\AppData\Local\Temp\Nitro Generator.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Nitro Generator.exe"
   - Looks for VirtualBox Guest Additions in registry
   - Looks for VMWare Tools registry key
   - Checks BIOS information in registry
   - Maps connected drives based on registry
   - Checks SCSI registry key(s)
   - Enumerates system info in registry
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

2. C:\Windows\system32\WerFault.exe
   Command line: C:\Windows\system32\WerFault.exe -u -p 864 -s 1216
   - Program crash