Analysis

  • max time kernel: 132s
  • max time network: 136s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231215-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 19-02-2024 14:56

General

  • Target: NitroGenerator.py
  • Size: 46KB
  • MD5: a86cdb9c66cc18e8aa83a8cf149ecfca
  • SHA1: cb79487356c442c1040ee13095230f6b2a4bbfe1
  • SHA256: 4fb52a9cb5ef0696312897d1070613a1f12632b92f55b1553aa28bdd2993b5ce
  • SHA512: 2bfbc9cf9e5453f2e9279283695779a1c795755d3a2a608605495d1451d089606578a3730f446eca4b153d20f400f89a1b338b6f14858fdb75636be26907a120
  • SSDEEP: 768:Q1DAWRenXeihOCS9DtiXLCezzj/VppDPiDqWA:Q1kWRenhhFS9Dt6LvLVpZWA

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 16 IoCs
  • Suspicious use of SendNotifyMessage 15 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\NitroGenerator.py
    1⤵
    • Modifies registry class
    PID:2592
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    PID:4932
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4376
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4468
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4468.0.1349840936\193545608" -parentBuildID 20221007134813 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {140e762b-c4b3-4b4f-bc7e-538768577810} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" 1992 1d38d2d9e58 gpu
        3⤵
        PID:1944
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4468.1.1531657145\1671604856" -parentBuildID 20221007134813 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {34f9fd33-46da-4d57-9b73-60b29a6ec7d7} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" 2396 1d38cffc358 socket
        3⤵
        PID:2160
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4468.2.633982949\1677252233" -childID 1 -isForBrowser -prefsHandle 1716 -prefMapHandle 2848 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b0b72c7-bdad-4b66-bb20-6994b9164dca} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" 3236 1d3912a7458 tab
        3⤵
        PID:3304
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4468.3.1362623195\76425807" -childID 2 -isForBrowser -prefsHandle 3588 -prefMapHandle 3584 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8ab082b3-da2a-4228-a050-ca6a06e7324c} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" 3600 1d380962b58 tab
        3⤵
        PID:1460
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4468.4.1459257541\2047651499" -childID 3 -isForBrowser -prefsHandle 3772 -prefMapHandle 3716 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f27970a-ccdc-4ebc-9ca1-a08e0978a97c} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" 1676 1d393304458 tab
        3⤵
        PID:4592
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4468.5.689178894\952016265" -childID 4 -isForBrowser -prefsHandle 5280 -prefMapHandle 5276 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2097b9e8-ec6a-484f-9d1c-ff89dc1024db} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" 5260 1d380930e58 tab
        3⤵
        PID:1444
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4468.6.1040188473\621712923" -childID 5 -isForBrowser -prefsHandle 5420 -prefMapHandle 5424 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {05a64755-5c98-4a04-86e6-e7e672814547} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" 5408 1d38f8cd158 tab
        3⤵
        PID:412
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4468.7.993245545\1209338374" -childID 6 -isForBrowser -prefsHandle 2892 -prefMapHandle 5204 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54f7bfa4-7028-40bc-bd25-bf99acf77f8c} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" 5604 1d39125a458 tab
        3⤵
        PID:4404
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4468.8.1710568554\1075247369" -childID 7 -isForBrowser -prefsHandle 5976 -prefMapHandle 5972 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1392 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {47adb4ce-772e-40f8-9364-b9f3827e4297} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" 5984 1d39569c458 tab
        3⤵
        PID:5572
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4468.9.70357500\855521163" -parentBuildID 20221007134813 -prefsHandle 4900 -prefMapHandle 4680 -prefsLen 26646 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c102047-a45a-47d3-8f94-acd3d3c2cca2} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" 4924 1d39386c458 rdd
        3⤵
        PID:6116
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4468.10.1957680549\63584075" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 6244 -prefMapHandle 6240 -prefsLen 26646 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04922b0a-bfc9-47ff-8e96-6ab1ae43271b} 4468 "\\.\pipe\gecko-crash-server-pipe.4468" 6252 1d39386b558 utility
        3⤵
        PID:5184
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x314 0x494
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5064

Network

MITRE ATT&CK Enterprise v15


Downloads
