a5cd667a686d3140aef60b4d11679491751a24adace845c04a65f9db84483488

Analysis

max time kernel
797s
max time network
885s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2023 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nitro Generator.exe
Size

17.1MB
MD5

bb64387766b55fe98c73767ad9076686
SHA1

e053872b961382c95e5c58d035b50b52d34803b1
SHA256

a5cd667a686d3140aef60b4d11679491751a24adace845c04a65f9db84483488
SHA512

e77cdf900a430616aa99eea4fa56737c7dade78381de68e17471e14b366fb8f1faee867ef1ebc22e753b70fa166e592e9281e8e47c5be63184ae61db8b90707c
SSDEEP

393216:3u7L/sQbo3pUTLfhJjdQuslSl99oWOv+9fPjMb6Y5/n:3CL0QbaUTLJRdQu9DorvSHjy6Yp

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nitro Generator.exe	Nitro Generator.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nitro Generator.exe	Nitro Generator.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nitro Generator.exe	Nitro Generator.exe

Executes dropped EXE 2 IoCs

pid	Process
4204	Nitro Generator.exe
1512	Nitro Generator.exe

Loads dropped DLL 64 IoCs

pid	Process
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
4216	Nitro Generator.exe
1544	Nitro Generator.exe
1544	Nitro Generator.exe
1544	Nitro Generator.exe
1544	Nitro Generator.exe
1544	Nitro Generator.exe
1544	Nitro Generator.exe
1544	Nitro Generator.exe
1544	Nitro Generator.exe
1544	Nitro Generator.exe
1544	Nitro Generator.exe
1544	Nitro Generator.exe
1544	Nitro Generator.exe
1544	Nitro Generator.exe
1544	Nitro Generator.exe
1544	Nitro Generator.exe
1544	Nitro Generator.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 14 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
271	api.ipify.org
285	api.ipify.org
295	api.ipify.org
25	api.ipify.org
60	api.ipify.org
63	api.ipify.org
309	api.ipify.org
292	api.ipify.org
304	api.ipify.org
29	api.ipify.org
49	api.ipify.org
273	api.ipify.org
298	api.ipify.org
312	api.ipify.org

Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery

T1057

pid	Process
1300	tasklist.exe
4760	tasklist.exe
212	tasklist.exe
2996	tasklist.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1300	tasklist.exe
Token: SeDebugPrivilege	4760	tasklist.exe
Token: SeDebugPrivilege	212	tasklist.exe
Token: SeDebugPrivilege	2996	tasklist.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 4216	1452	Nitro Generator.exe	89
PID 1452 wrote to memory of 4216	1452	Nitro Generator.exe	89
PID 4216 wrote to memory of 2588	4216	Nitro Generator.exe	92
PID 4216 wrote to memory of 2588	4216	Nitro Generator.exe	92
PID 4216 wrote to memory of 3520	4216	Nitro Generator.exe	93
PID 4216 wrote to memory of 3520	4216	Nitro Generator.exe	93
PID 3520 wrote to memory of 1300	3520	cmd.exe	95
PID 3520 wrote to memory of 1300	3520	cmd.exe	95
PID 3536 wrote to memory of 1544	3536	Nitro Generator.exe	130
PID 3536 wrote to memory of 1544	3536	Nitro Generator.exe	130
PID 1544 wrote to memory of 4396	1544	Nitro Generator.exe	131
PID 1544 wrote to memory of 4396	1544	Nitro Generator.exe	131
PID 1544 wrote to memory of 1632	1544	Nitro Generator.exe	133
PID 1544 wrote to memory of 1632	1544	Nitro Generator.exe	133
PID 1632 wrote to memory of 4760	1632	cmd.exe	135
PID 1632 wrote to memory of 4760	1632	cmd.exe	135
PID 4136 wrote to memory of 3416	4136	Nitro Generator.exe	138
PID 4136 wrote to memory of 3416	4136	Nitro Generator.exe	138
PID 3416 wrote to memory of 3588	3416	Nitro Generator.exe	140
PID 3416 wrote to memory of 3588	3416	Nitro Generator.exe	140
PID 4204 wrote to memory of 1512	4204	Nitro Generator.exe	142
PID 4204 wrote to memory of 1512	4204	Nitro Generator.exe	142
PID 3416 wrote to memory of 1496	3416	Nitro Generator.exe	143
PID 3416 wrote to memory of 1496	3416	Nitro Generator.exe	143
PID 1496 wrote to memory of 212	1496	cmd.exe	145
PID 1496 wrote to memory of 212	1496	cmd.exe	145
PID 1512 wrote to memory of 3200	1512	Nitro Generator.exe	146
PID 1512 wrote to memory of 3200	1512	Nitro Generator.exe	146
PID 1512 wrote to memory of 4164	1512	Nitro Generator.exe	148
PID 1512 wrote to memory of 4164	1512	Nitro Generator.exe	148
PID 4164 wrote to memory of 2996	4164	cmd.exe	150
PID 4164 wrote to memory of 2996	4164	cmd.exe	150

C:\Users\Admin\AppData\Local\Temp\Nitro Generator.exe
"C:\Users\Admin\AppData\Local\Temp\Nitro Generator.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Users\Admin\AppData\Local\Temp\Nitro Generator.exe
  "C:\Users\Admin\AppData\Local\Temp\Nitro Generator.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:2588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3520
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1300

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4464

C:\Users\Admin\AppData\Local\Temp\Nitro Generator.exe
"C:\Users\Admin\AppData\Local\Temp\Nitro Generator.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3536
- C:\Users\Admin\AppData\Local\Temp\Nitro Generator.exe
  "C:\Users\Admin\AppData\Local\Temp\Nitro Generator.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4760

C:\Users\Admin\AppData\Local\Temp\Nitro Generator.exe
"C:\Users\Admin\AppData\Local\Temp\Nitro Generator.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Users\Admin\AppData\Local\Temp\Nitro Generator.exe
  "C:\Users\Admin\AppData\Local\Temp\Nitro Generator.exe"
  2⤵
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:3416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:3588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:212

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nitro Generator.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nitro Generator.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nitro Generator.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nitro Generator.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:3200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4164
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI14522\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14522\_ctypes.pyd

Filesize
119KB

MD5
ca4cef051737b0e4e56b7d597238df94

SHA1
583df3f7ecade0252fdff608eb969439956f5c4a

SHA256
e60a2b100c4fa50b0b144cf825fe3cde21a8b7b60b92bfc326cb39573ce96b2b

SHA512
17103d6b5fa84156055e60f9e5756ffc31584cdb6274c686a136291c58ba0be00238d501f8acc1f1ca7e1a1fadcb0c7fefddcb98cedb9dd04325314f7e905df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14522\_lzma.pyd

Filesize
92KB

MD5
a1e9a164293a2fe04c22448984e8166d

SHA1
5724336a11d3291341f91567b22a358271ec0b07

SHA256
c3237c0659dd221a1093a2f5f71786d73f16dc6ecee340e986081b0003e0c4b7

SHA512
f0f4c45a62cca1626651ec1cb93b43ccebf2438374cca889bb93aaf7bf351f9d3d3f60b6c70e4d9d1064ecde75ca631738198903a6f1f9e4025c1bd055508918

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14522\base_library.zip

Filesize
92KB

MD5
e69c1f2c8859a8d76205b632b54f5e43

SHA1
bf5d31140a0667a7e070bc33232daef4ba849141

SHA256
e0101d7987c2e97822a56ff6a3b55e4bb30b5f10fde5d94ea58e85f3a0f4fecc

SHA512
5307f7beb3b674e50643e7385976443ea474d73ae23967cab42ac9254833c3e8c86369d95132749d4b887705a597bdbb063d9ac6f70220165f727af40d972eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14522\python310.dll

Filesize
1.9MB

MD5
a48056869f34ca1499aee152579ae801

SHA1
79716e70db8c003ab9e3d8adbb5bc4f6ecf4ac87

SHA256
e7ae1c828c5ee4fcb38a89bf9a47107e75ffc5ed85bbfee2214eb43dcae0ac51

SHA512
0dbeac9ca90e6b8385572f920d84cafacfc13a1762061992affa7074059d1e7e02656321668a507c3a26d17108d8d2f09c2d3279fdcee85a4bac67472b39202b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14522\python310.dll

Filesize
1.0MB

MD5
0937ab15c160efc9dfcab6b8e3b6c326

SHA1
382cc1efd53b8b289617c6591a3e41dbff16fa45

SHA256
eec8f8e06dfcb940cd044bfd4ef7eab5f7e36fe14a19a9efdb29ee9adfdf505e

SHA512
bc67969c7615e99610e165ed907c385439d9d056433598a9e783f40c3a7ee7c70240e9d1d350621faf20fe49d51f3168bdb80755282ac754bc08b3484d9f1fc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35362\setuptools-65.5.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\crcook.txt

Filesize
29B

MD5
155ea3c94a04ceab8bd7480f9205257d

SHA1
b46bbbb64b3df5322dd81613e7fa14426816b1c1

SHA256
445e2bcecaa0d8d427b87e17e7e53581d172af1b9674cf1a33dbe1014732108b

SHA512
3d47449da7c91fe279217a946d2f86e5d95d396f53b55607ec8aca7e9aa545cfaf9cb97914b643a5d8a91944570f9237e18eecec0f1526735be6ceee45ecba05

Download Submit
C:\Users\Admin\AppData\Local\Tempcrdhdcvwgi.db

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Tempcrnfksrjbw.db

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Tempcrntdhigcx.db

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit