Overview

10 Static
10 NitroGenerator.rar (windows7-x64)
7 NitroGenerator.rar (windows10-2004-x64)
8 Nitro Generator.exe (windows7-x64)
7 Nitro Generator.exe (windows10-2004-x64)
7 main.pyc (windows7-x64)
3 main.pyc (windows10-2004-x64)
3 ReadMe.txt (windows7-x64)
1 ReadMe.txt (windows10-2004-x64)
1 install_python.bat (windows7-x64)
1 install_python.bat (windows10-2004-x64)
8 Analysis

max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 20/02/2024, 20:43
Behavioral tasks

behavioral1: NitroGenerator.rar, resource win7-20231215-en
behavioral2: NitroGenerator.rar, resource win10v2004-20240220-en
behavioral3: Nitro Generator.exe, resource win7-20231215-en
behavioral4: Nitro Generator.exe, resource win10v2004-20231215-en
behavioral5: main.pyc, resource win7-20231215-en
behavioral6: main.pyc, resource win10v2004-20240220-en
behavioral7: ReadMe.txt, resource win7-20231129-en
behavioral8: ReadMe.txt, resource win10v2004-20231215-en
behavioral9: install_python.bat, resource win7-20231215-en
behavioral10: install_python.bat, resource win10v2004-20231215-en
General

Target: NitroGenerator.rar
Size: 18.2MB
MD5: 0f9fdadb340f36684255eb9fe32d0364
SHA1: 14dcdefef70f7e443c4f38a1f9333b8d7b5e2a94
SHA256: 40f7c20cde14d5158e027a6c4adbc0cd1fcbf1d627a4d25cb09bdaafab3d103a
SHA512: 988a874443d1439fe939441940c39ce96294d1e6d035029c57e8a10c315c6206fb0e67ae83b2b920ebe91b1f16f029f21474ac1d395972df4237d62c83084ad9
SSDEEP: 393216:/ijswMe8CX5P7uuaPTrDZimg5mEDXt3IPrce7G7Ci3thnsLuAWWUg/V2zs:qj4jkbaPTHZimg59Tt3IPRG7C8fnsLuQ
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
pid   Process
2560  Nitro Generator.exe
476   Nitro Generator.exe

Loads dropped DLL (11 IoCs)
pid   Process
2996  7zFM.exe
2560  Nitro Generator.exe
476   Nitro Generator.exe
476   Nitro Generator.exe
476   Nitro Generator.exe
476   Nitro Generator.exe
476   Nitro Generator.exe
476   Nitro Generator.exe
476   Nitro Generator.exe
1164  Process not Found
1164  Process not Found

resource                                                                      yara_rule
behavioral1/files/0x000500000001c696-197.dat                                  upx
behavioral1/files/0x000500000001c696-198.dat                                  upx
behavioral1/memory/476-199-0x000007FEF61A0000-0x000007FEF660E000-memory.dmp   upx

Detects Pyinstaller (7 IoCs)
resource                                        yara_rule
behavioral1/files/0x000b000000015d81-27.dat     pyinstaller
behavioral1/files/0x000b000000015d81-31.dat     pyinstaller
behavioral1/files/0x000b000000015d81-30.dat     pyinstaller
behavioral1/files/0x000b000000015d81-29.dat     pyinstaller
behavioral1/files/0x000b000000015d81-184.dat    pyinstaller
behavioral1/files/0x000b000000015d81-183.dat    pyinstaller
behavioral1/files/0x000b000000015d81-200.dat    pyinstaller

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
2056  powershell.exe
2996  7zFM.exe

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid   Process
2996  7zFM.exe
476   Nitro Generator.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description                 pid   Process
Token: SeRestorePrivilege   2996  7zFM.exe
Token: 35                   2996  7zFM.exe
Token: SeSecurityPrivilege  2996  7zFM.exe
Token: SeSecurityPrivilege  2996  7zFM.exe
Token: SeDebugPrivilege     2056  powershell.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
pid   Process
2996  7zFM.exe
2996  7zFM.exe
2996  7zFM.exe

Suspicious use of WriteProcessMemory (20 IoCs)
description                          pid   Process              procid_target
PID 1896 wrote to memory of 2996     1896  cmd.exe              29
PID 1896 wrote to memory of 2996     1896  cmd.exe              29
PID 1896 wrote to memory of 2996     1896  cmd.exe              29
PID 2996 wrote to memory of 2560     2996  7zFM.exe             30
PID 2996 wrote to memory of 2560     2996  7zFM.exe             30
PID 2996 wrote to memory of 2560     2996  7zFM.exe             30
PID 2560 wrote to memory of 476      2560  Nitro Generator.exe  31
PID 2560 wrote to memory of 476      2560  Nitro Generator.exe  31
PID 2560 wrote to memory of 476      2560  Nitro Generator.exe  31
PID 2996 wrote to memory of 1408     2996  7zFM.exe             32
PID 2996 wrote to memory of 1408     2996  7zFM.exe             32
PID 2996 wrote to memory of 1408     2996  7zFM.exe             32
PID 2996 wrote to memory of 1408     2996  7zFM.exe             32
PID 2996 wrote to memory of 1408     2996  7zFM.exe             32
PID 1408 wrote to memory of 552      1408  cmd.exe              34
PID 1408 wrote to memory of 552      1408  cmd.exe              34
PID 1408 wrote to memory of 552      1408  cmd.exe              34
PID 552 wrote to memory of 2056      552   cmd.exe              35
PID 552 wrote to memory of 2056      552   cmd.exe              35
PID 552 wrote to memory of 2056      552   cmd.exe              35
Processes

C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\NitroGenerator.rar
  PID: 1896
  - Suspicious use of WriteProcessMemory

  C:\Program Files\7-Zip\7zFM.exe
    Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\NitroGenerator.rar"
    PID: 2996
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\7zO4BBD8766\Nitro Generator.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7zO4BBD8766\Nitro Generator.exe"
      PID: 2560
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\7zO4BBD8766\Nitro Generator.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7zO4BBD8766\Nitro Generator.exe"
        PID: 476
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: GetForegroundWindowSpam

    C:\Windows\system32\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zO4BB5DF56\install_python.bat" "
      PID: 1408
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
        PID: 552
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
          PID: 2056
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads