40f7c20cde14d5158e027a6c4adbc0cd1fcbf1d627a4d25cb09bdaafab3d103a

Resubmissions

20/02/2024, 20:52

240220-zntzaafd27 10

20/02/2024, 20:43

240220-zhst2afc62 10

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
20/02/2024, 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NitroGenerator.rar
Size

18.2MB
MD5

0f9fdadb340f36684255eb9fe32d0364
SHA1

14dcdefef70f7e443c4f38a1f9333b8d7b5e2a94
SHA256

40f7c20cde14d5158e027a6c4adbc0cd1fcbf1d627a4d25cb09bdaafab3d103a
SHA512

988a874443d1439fe939441940c39ce96294d1e6d035029c57e8a10c315c6206fb0e67ae83b2b920ebe91b1f16f029f21474ac1d395972df4237d62c83084ad9
SSDEEP

393216:/ijswMe8CX5P7uuaPTrDZimg5mEDXt3IPrce7G7Ci3thnsLuAWWUg/V2zs:qj4jkbaPTHZimg59Tt3IPRG7C8fnsLuQ

Score

7^/10

pyinstaller upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2560	Nitro Generator.exe
476	Nitro Generator.exe

Loads dropped DLL 11 IoCs

pid	Process
2996	7zFM.exe
2560	Nitro Generator.exe
476	Nitro Generator.exe
476	Nitro Generator.exe
476	Nitro Generator.exe
476	Nitro Generator.exe
476	Nitro Generator.exe
476	Nitro Generator.exe
476	Nitro Generator.exe
1164	Process not Found
1164	Process not Found

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001c696-197.dat	upx
behavioral1/files/0x000500000001c696-198.dat	upx
behavioral1/memory/476-199-0x000007FEF61A0000-0x000007FEF660E000-memory.dmp	upx

Detects Pyinstaller 7 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000b000000015d81-27.dat	pyinstaller
behavioral1/files/0x000b000000015d81-31.dat	pyinstaller
behavioral1/files/0x000b000000015d81-30.dat	pyinstaller
behavioral1/files/0x000b000000015d81-29.dat	pyinstaller
behavioral1/files/0x000b000000015d81-184.dat	pyinstaller
behavioral1/files/0x000b000000015d81-183.dat	pyinstaller
behavioral1/files/0x000b000000015d81-200.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2056	powershell.exe
2996	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2996	7zFM.exe
476	Nitro Generator.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	2996	7zFM.exe
Token: 35	2996	7zFM.exe
Token: SeSecurityPrivilege	2996	7zFM.exe
Token: SeSecurityPrivilege	2996	7zFM.exe
Token: SeDebugPrivilege	2056	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2996	7zFM.exe
2996	7zFM.exe
2996	7zFM.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 2996	1896	cmd.exe	29
PID 1896 wrote to memory of 2996	1896	cmd.exe	29
PID 1896 wrote to memory of 2996	1896	cmd.exe	29
PID 2996 wrote to memory of 2560	2996	7zFM.exe	30
PID 2996 wrote to memory of 2560	2996	7zFM.exe	30
PID 2996 wrote to memory of 2560	2996	7zFM.exe	30
PID 2560 wrote to memory of 476	2560	Nitro Generator.exe	31
PID 2560 wrote to memory of 476	2560	Nitro Generator.exe	31
PID 2560 wrote to memory of 476	2560	Nitro Generator.exe	31
PID 2996 wrote to memory of 1408	2996	7zFM.exe	32
PID 2996 wrote to memory of 1408	2996	7zFM.exe	32
PID 2996 wrote to memory of 1408	2996	7zFM.exe	32
PID 2996 wrote to memory of 1408	2996	7zFM.exe	32
PID 2996 wrote to memory of 1408	2996	7zFM.exe	32
PID 1408 wrote to memory of 552	1408	cmd.exe	34
PID 1408 wrote to memory of 552	1408	cmd.exe	34
PID 1408 wrote to memory of 552	1408	cmd.exe	34
PID 552 wrote to memory of 2056	552	cmd.exe	35
PID 552 wrote to memory of 2056	552	cmd.exe	35
PID 552 wrote to memory of 2056	552	cmd.exe	35

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\NitroGenerator.rar
1⤵
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\NitroGenerator.rar"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Users\Admin\AppData\Local\Temp\7zO4BBD8766\Nitro Generator.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO4BBD8766\Nitro Generator.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Users\Admin\AppData\Local\Temp\7zO4BBD8766\Nitro Generator.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO4BBD8766\Nitro Generator.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: GetForegroundWindowSpam
      PID:476
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zO4BB5DF56\install_python.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO4BB5DF56\install_python.bat

Filesize
686B

MD5
f30718a354e7cc104ea553ce5ae2d486

SHA1
3876134e6b92da57a49d868013ed35b5d946f8fd

SHA256
94008c8135d149fecd29ca62aded487f0fbfa6af893596ffc3e4b621a0fe4966

SHA512
601b2256ea709a885741f1dec5c97dda6fb7fd4e485b4afac3503af1aefe73472e5bc5529c144814a3defbc0b51ac4b50e02a50dccc69b41ee5d87a3f4282874

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4BBD8766\Nitro Generator.exe

Filesize
673KB

MD5
8a6544c8effe88a91a44f58752f3adcd

SHA1
e7fc2fc82457185732d18b6a7accdcc41ce09e5f

SHA256
0dc388fe1fa32293645434ca6f4ea202e9f8a2084591aa1eb43ca7fd70692906

SHA512
9c0a7ba2dc08d13388af88fd853618d1d663e50d2e052e8723a66b0e366e7649521869fd06861b471caa1d23614cb85e9b90d272cbb60ec02d5c5f0a4ec5e2d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4BBD8766\Nitro Generator.exe

Filesize
4.4MB

MD5
6cd4df751fcd9d840d713061295846dd

SHA1
87b85feff3675128e35c4fcbea1e73ef0aeceb3e

SHA256
8817023b6bc369ef0beca8e224d3907706898f8b287cc36e0b2a46d9e640394d

SHA512
7f9ac8294b40ceaf868e74ff1225283c2f286c28a0e3d5274e184a3a0bd625e8d1234fea757eb52826988d671a9eeec3574806d3503ca99da8839eb4edee465a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4BBD8766\Nitro Generator.exe

Filesize
3.6MB

MD5
79256e0fbc3dfbcc5b9674b249ad0571

SHA1
c7be49487f90b98f81a07514f4169e4337b2c382

SHA256
ac2fa8083c7c13599a08f31049f492c54320ff79b990abce370c64b4b24bdb9a

SHA512
7806fc1b3533fe43011233a22266923cda99eb93ac9d4ff418c21a5253dc2bed2983ffc307aba101a39e05e14153753d7a4a009bf4d86718c58b702031c0d4c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4BBD8766\Nitro Generator.exe

Filesize
3.1MB

MD5
bb710fdfcb9b0dadec3c15f988f3095b

SHA1
dd1b2dfe7b60908d29f7aba62492a3763ba460bd

SHA256
e48432d1fa9512f806713c7e983d0c3d770f1f37e029b7d9d68017173ea93382

SHA512
ebbba598be3060e2e1d7917e86c0f8bd646c055e90de1ba36111e0794d8e66c7501e64f8f71708b856aa79c67d11bf154be5065f6728313e2f4c724668add690

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25602\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
5a72a803df2b425d5aaff21f0f064011

SHA1
4b31963d981c07a7ab2a0d1a706067c539c55ec5

SHA256
629e52ba4e2dca91b10ef7729a1722888e01284eed7dda6030d0a1ec46c94086

SHA512
bf44997c405c2ba80100eb0f2ff7304938fc69e4d7ae3eac52b3c236c3188e80c9f18bda226b5f4fde0112320e74c198ad985f9ffd7cea99aca22980c39c7f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25602\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
721b60b85094851c06d572f0bd5d88cd

SHA1
4d0ee4d717aeb9c35da8621a545d3e2b9f19b4e7

SHA256
dac867476caa42ff8df8f5dfe869ffd56a18dadee17d47889afb69ed6519afbf

SHA512
430a91fcecde4c8cc4ac7eb9b4c6619243ab244ee88c34c9e93ca918e54bd42b08aca8ea4475d4c0f5fa95241e4aacb3206cbae863e92d15528c8e7c9f45601b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25602\api-ms-win-core-localization-l1-2-0.dll

Filesize
14KB

MD5
1ed0b196ab58edb58fcf84e1739c63ce

SHA1
ac7d6c77629bdee1df7e380cc9559e09d51d75b7

SHA256
8664222823e122fca724620fd8b72187fc5336c737d891d3cef85f4f533b8de2

SHA512
e1fa7f14f39c97aaa3104f3e13098626b5f7cfd665ba52dcb2312a329639aaf5083a9177e4686d11c4213e28acc40e2c027988074b6cc13c5016d5c5e9ef897b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25602\python310.dll

Filesize
27KB

MD5
69cc2c97f73a7a11366b859bf7d01e0d

SHA1
5f900542b1adff086ccdaec46a1d4c73960e4d81

SHA256
7af1d9a66d428ef8bfca460da47fe5e17e0d5284c98ecf98eb5a2e31b03038be

SHA512
d1452e0cfff1f34dbee2066769dc16d8a9a3c9d6e83e7bf00186cc8c3b1790391677773c9b2e7cf98c80774227e0cbfc44edd39429bebc96620cc5635da459be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25602\ucrtbase.dll

Filesize
283KB

MD5
2a2130436d7933c7170666c72b09d0ff

SHA1
ded13f337a69147050d077486e7e1e264bb48eae

SHA256
843d47e72d706c84ca3efce43109a3bdbba35e6f0f589b2419294a4da6019bcd

SHA512
6b0a207bee01862fd362ddfb51a9a9961819b00b40c77ddd0c6775c5fb4da533c73ed28ec58fdf4e3cd9b11782f8d13d3139ed38b148f1b24742aa9f5fba6881

Download Submit
\Users\Admin\AppData\Local\Temp\7zO4BBD8766\Nitro Generator.exe

Filesize
601KB

MD5
e21a864e6f99317c4e39a20a52ee094c

SHA1
b023a1803a542c4ede080963d1fda89029851f12

SHA256
b3f80bf2d5990cc77f9904ea4a2c52c0214b98d219d16a965c09961d70731b48

SHA512
5d0ea1ad09792f0b93603ca385fb732a9ceb6691a69ed39ef86a1a78b9d100f10be590cfa6d0c2fe28ad6a8470babc1b5d67b5b9993bf260dfce7abe10bc86e9

Download Submit
\Users\Admin\AppData\Local\Temp\7zO4BBD8766\Nitro Generator.exe

Filesize
18.4MB

MD5
8e3e0737df3744affe6aa9cc8c0bacc4

SHA1
726d05d5b06a39216dab21facdc2e27705465cb4

SHA256
178cc31882e0b7a11319e3015372c5df5d41447000eff58c60167d0225043fdb

SHA512
5b07d366fc15633a555d8e7314e0220201de873a1991f47a81082adc4e6c4682b4e3792fa6bea74c0418d4aabd6c048c41ff79666ff5dda6e1958f0fa66f899f

Download Submit
\Users\Admin\AppData\Local\Temp\7zO4BBD8766\Nitro Generator.exe

Filesize
2.8MB

MD5
60ce68eda801569095d04f37c5805d2e

SHA1
4b5cc49fdc1b2f1157db6473cc481dedd95d0e7b

SHA256
cf4e882f2a9116d0151cf5153932d4c8e03471523be4605db31a347913563c10

SHA512
9c8a7f1d39737c3a11f42b850744e15a1722f9bb5b529f954509f324a42ae2d8135a1a743d8878266994f8faf914581937276de8a55755ad3150b53e43bf98e9

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI25602\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
7e8b61d27a9d04e28d4dae0bfa0902ed

SHA1
861a7b31022915f26fb49c79ac357c65782c9f4b

SHA256
1ef06c600c451e66e744b2ca356b7f4b7b88ba2f52ec7795858d21525848ac8c

SHA512
1c5b35026937b45beb76cb8d79334a306342c57a8e36cc15d633458582fc8f7d9ab70ace7a92144288c6c017f33ecfc20477a04432619b40a21c9cda8d249f6d

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI25602\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
91a2ae3c4eb79cf748e15a58108409ad

SHA1
d402b9df99723ea26a141bfc640d78eaf0b0111b

SHA256
b0eda99eabd32fefecc478fd9fe7439a3f646a864fdab4ec3c1f18574b5f8b34

SHA512
8527af610c1e2101b6f336a142b1a85ac9c19bb3af4ad4a245cfb6fd602dc185da0f7803358067099475102f3a8f10a834dc75b56d3e6ded2ed833c00ad217ed

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI25602\python310.dll

Filesize
73KB

MD5
800d6ad1c2e2b2cec3a16d16a4b27672

SHA1
926377b978d3c3ecf63344e491556931802f5608

SHA256
062afbf1be6c2caec1e289b9f3ba4f77249cf7d776482b5c61ba559a8a2ec03f

SHA512
d07fab624b19dec2f217e4693faa77d26872a70f65568f2427ce69e3a5f98ecc4a36d61d5c9b2df940b0e30a5206c0fabe40c620723d7f810a0925a92cc3a5d4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI25602\ucrtbase.dll

Filesize
398KB

MD5
5bfe3b14db75ec62033958e011e8a84b

SHA1
e260e2f5363bf2d20cebac0433e59c8d406aaed5

SHA256
9a9361f88b9cc21b9e1387795af678341b6e89c20eac17fc0225c5aebf334b63

SHA512
5bbecde3c9c936a7e393de760b3033293a4951669f71892777efb797a405ab962d08847eb8cfe1d74c7ed00d0b83b05ee1bde199c2129c850c03e5c1497cf6cf

Download Submit
memory/476-199-0x000007FEF61A0000-0x000007FEF660E000-memory.dmp

Filesize
4.4MB

Download
memory/2056-223-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download
memory/2056-222-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2056-225-0x0000000002B90000-0x0000000002C10000-memory.dmp

Filesize
512KB

Download
memory/2056-224-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

Filesize
9.6MB

Download
memory/2056-226-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

Filesize
9.6MB

Download
memory/2056-228-0x0000000002B90000-0x0000000002C10000-memory.dmp

Filesize
512KB

Download
memory/2056-227-0x0000000002B90000-0x0000000002C10000-memory.dmp

Filesize
512KB

Download
memory/2056-229-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

Filesize
9.6MB

Download