Analysis
- max time kernel: 67s
- max time network: 16s
- platform: windows11-21h2_x64
- resource: win11-20240221-en
- resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 21-02-2024 15:58
Behavioral task: behavioral1
- Sample: ForceNitro.exe
- Resource: win11-20240221-en
General
- Target: ForceNitro.exe
- Size: 762KB
- MD5: 6abff90b8cb80533bca9eb040ed698da
- SHA1: ae2e389320bec602965a5f12c13e595df870ac0f
- SHA256: 70b80a1a24d526e456893f0185550c15c3d914deaf8ebaa02d8817a15aa5bf80
- SHA512: 086e4c1eb5a32ae116ffeaf28995cf4e660460fec758c1c4708d0df30413b774924e863381b6a46125c09a82570fbde933f24cac8a0691751998eb075fff1813
- SSDEEP: 12288:RXfl4WqP5C+ZQpvBlUh1ArlVOs/mRtZJhg6VQ/IoDsp+LbMoUA5bQcoln+TMuHat:RXN4WO5upvH4ip/mRtZJVQ/IoDswYg0B
Malware Config
Signatures
- PandaStealer
  Panda Stealer is a fork of CollectorProject Stealer written in C++.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  pid | Process
  4800 | ForceNitro.exe (2 entries)
  1476 | taskmgr.exe (22 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1476 | taskmgr.exe
  Token: SeSystemProfilePrivilege | 1476 | taskmgr.exe
  Token: SeCreateGlobalPrivilege | 1476 | taskmgr.exe
- Suspicious use of FindShellTrayWindow (33 IoCs)
  pid | Process
  1476 | taskmgr.exe (33 entries)
- Suspicious use of SendNotifyMessage (33 IoCs)
  pid | Process
  1476 | taskmgr.exe (33 entries)
- Suspicious use of WriteProcessMemory (5 IoCs)
  description | pid | Process | procid_target
  PID 4800 wrote to memory of 408 | 4800 | ForceNitro.exe | 78 (3 entries)
  PID 1476 wrote to memory of 4860 | 1476 | taskmgr.exe | 83 (2 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\ForceNitro.exe (PID 4800)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ForceNitro.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 408, child of 4800)
    Command line: cmd.exe /C Del /f /q "C:\Users\Admin\AppData\Local\Temp\ForceNitro.exe"
- C:\Windows\System32\rundll32.exe (PID 5104)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\system32\taskmgr.exe (PID 1476)
  Command line: "C:\Windows\system32\taskmgr.exe" /0
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 4860, child of 1476)
    Command line: "C:\Windows\system32\cmd.exe"