e28407d4722864f25c85ba44cd86487a3e30956f25a43259e5764882ae7d57c7

Resubmissions

24/02/2024, 19:03

240224-xqmxmsbg52 3

24/02/2024, 16:14

24/02/2024, 16:11

24/02/2024, 16:11

24/02/2024, 16:09

24/02/2024, 16:07

Analysis

max time kernel
27s
max time network
95s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/02/2024, 16:09

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

NITROGEN/NITROGEN.vbs
Size

224B
MD5

e485af611d0d005a5094eed1778a4ff7
SHA1

2a299d4703ddf8471c187cb58f9e33abed0e9264
SHA256

34147011e951b5672b7cf571a2380b135f13edf2b8624b08845f916193d658a5
SHA512

5d0b58f7136035cb6e4dc4b77ef00dae946f14e517a049af2914413bc01f6eca470ccf6d637f2d050b40de3fbe7bb1b687b645e2a532237f52007b6ffe558d24

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2936	chrome.exe
2936	chrome.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe
Token: SeShutdownPrivilege	2936	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe
2936	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2544	2936	chrome.exe	29
PID 2936 wrote to memory of 2544	2936	chrome.exe	29
PID 2936 wrote to memory of 2544	2936	chrome.exe	29
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2400	2936	chrome.exe	31
PID 2936 wrote to memory of 2820	2936	chrome.exe	32
PID 2936 wrote to memory of 2820	2936	chrome.exe	32
PID 2936 wrote to memory of 2820	2936	chrome.exe	32
PID 2936 wrote to memory of 2836	2936	chrome.exe	33
PID 2936 wrote to memory of 2836	2936	chrome.exe	33
PID 2936 wrote to memory of 2836	2936	chrome.exe	33
PID 2936 wrote to memory of 2836	2936	chrome.exe	33
PID 2936 wrote to memory of 2836	2936	chrome.exe	33
PID 2936 wrote to memory of 2836	2936	chrome.exe	33
PID 2936 wrote to memory of 2836	2936	chrome.exe	33
PID 2936 wrote to memory of 2836	2936	chrome.exe	33
PID 2936 wrote to memory of 2836	2936	chrome.exe	33
PID 2936 wrote to memory of 2836	2936	chrome.exe	33
PID 2936 wrote to memory of 2836	2936	chrome.exe	33
PID 2936 wrote to memory of 2836	2936	chrome.exe	33
PID 2936 wrote to memory of 2836	2936	chrome.exe	33
PID 2936 wrote to memory of 2836	2936	chrome.exe	33
PID 2936 wrote to memory of 2836	2936	chrome.exe	33
PID 2936 wrote to memory of 2836	2936	chrome.exe	33
PID 2936 wrote to memory of 2836	2936	chrome.exe	33
PID 2936 wrote to memory of 2836	2936	chrome.exe	33
PID 2936 wrote to memory of 2836	2936	chrome.exe	33

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NITROGEN\NITROGEN.vbs"
1⤵
PID:1964
- C:\Windows\System32\shutdown.exe
  "C:\Windows\System32\shutdown.exe" -s -t 01
  2⤵
  PID:1748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6349758,0x7fef6349768,0x7fef6349778
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=1248,i,6900366553232885412,3198034511830088728,131072 /prefetch:2
  2⤵
  PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1248,i,6900366553232885412,3198034511830088728,131072 /prefetch:8
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1548 --field-trial-handle=1248,i,6900366553232885412,3198034511830088728,131072 /prefetch:8
  2⤵
  PID:2836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2248 --field-trial-handle=1248,i,6900366553232885412,3198034511830088728,131072 /prefetch:1
  2⤵
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2256 --field-trial-handle=1248,i,6900366553232885412,3198034511830088728,131072 /prefetch:1
  2⤵
  PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3224 --field-trial-handle=1248,i,6900366553232885412,3198034511830088728,131072 /prefetch:2
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1448 --field-trial-handle=1248,i,6900366553232885412,3198034511830088728,131072 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3900 --field-trial-handle=1248,i,6900366553232885412,3198034511830088728,131072 /prefetch:8
  2⤵
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3880 --field-trial-handle=1248,i,6900366553232885412,3198034511830088728,131072 /prefetch:1
  2⤵
  PID:1460

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:768

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1980

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\8c38427a-d27a-4ba5-8238-f9bda379deba.tmp

Filesize
257KB

MD5
d654d3c1aff9ac367a3dde8805ed633f

SHA1
3270c075238fc277ec0d1b7a022a1b89f97219d0

SHA256
7656fb484a37eabdef1e057bf30103bdf425cd05c8f8afe00a5077a3d9d7ee41

SHA512
e3b4b596ae76126a7d2ea86206ef554d5aec4db02cd8ea26cea0a32a96c2547ae2225ff3298ebf9f3e0002599045ae2e390db02efd0bd02a618c028605502d4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
195KB

MD5
873734b55d4c7d35a177c8318b0caec7

SHA1
469b913b09ea5b55e60098c95120cc9b935ddb28

SHA256
4ee3aa3dc43cb3ef3f6bfb91ed8214659e9c2600a45bee9728ebbcb6f33b088d

SHA512
24f05ed981e994475879ca2221b6948418c4412063b9c07f46b8de581047ddd5d73401562fa9ee54d4ce5f97a6288c54eac5de0ca29b1bb5797bdac5a1b30308

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
edef7bbc37b96ca3404480a3b4b176b6

SHA1
31f83d11de11a55bdacb85242d16a3b3a020e024

SHA256
be903668a3390fb355fa5cc4317d91f56432bc34faf9e8ea77b5070e0ea1756f

SHA512
76c5e2205312435765bc1bdef011286968323b6894b7613389edf73856a14725565fc22a3ab437e0abd644a4ef8a5fb405614f7324a2c547441d9f1e07d21dd8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
de5b2755e9d6018029d445053e36517c

SHA1
5df8315acd1b46e126d5cf2cd72b808ea2ef3943

SHA256
fa0b6e262975a29b11b83706efdd41fa6c1cc0c16d74f09ba4dceecab270c80b

SHA512
2564730534f6162ffe602029b7e698f1a7d2db45cebb8078637e40808716a1c56e708ec24c8989f2557826ee873a3f8d5be2d8d93a6c76671c4528ebfb299b1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
f1eb5b374d6259ac2d260264718186b4

SHA1
c481aac0eec60562c23ca3b0929946c8836aeecf

SHA256
4895636e0f0a8905d4edf1d6aa05f59340809d7747a4f0da759f9ff64e2851c5

SHA512
bf326d974fb26278823711b2fb5944daa2e3aba4a33e0093c0cb90ce60b2195b0d2a952592ef9855b8b0e0eecad434025f01ce4b8322c2a50cd38ad60e060124

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
bd44d9773f8464372916cf03bfdfa6df

SHA1
e180dcc8fed9be3438990d96f0c889d2bab5ecda

SHA256
6232d57ac5c7cca837337f87abed75983269f443a2eefd9be9d40f154c87f617

SHA512
2c6cf52800d69143ebc9772a0c15d3e57e89c56bff704c3ee2cd4d357ee282c92d6522cd64daa1e9d24f5d9e0ba412edab45966b08c3e57c47c34e3b0b0af535

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
a75c5537926fb743841163b34cbffc3e

SHA1
4b3d34951be5999220272886e0a4861769fb1b77

SHA256
503650cc4ddd183d2c8077d80a0f4d7db0763d812f1ad1da4dd819021be6808e

SHA512
cf090583f064d826577df04001ce1d400483b6f3c37f6772a18d127e0ea3bfe88830a8546fa29372ae448877b0a0fa428968d7014b527e58643e88f099bbb463

Download Submit
memory/1732-239-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/1980-238-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download