Resubmissions

24/02/2024, 19:03

240224-xqmxmsbg52 3

24/02/2024, 16:14

240224-tpyqzagc67 1

24/02/2024, 16:11

240224-tm7wvsgc32 4

24/02/2024, 16:11

240224-tmycesgc27 1

24/02/2024, 16:09

240224-tls2baha4s 1

24/02/2024, 16:07

240224-tkqvkagb79 3

Analysis

  • max time kernel
    32s
  • max time network
    44s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    24/02/2024, 19:03

Errors

Reason
Machine shutdown

General

  • Target

    NITROGEN/NITROGEN.vbs

  • Size

    224B

  • MD5

    e485af611d0d005a5094eed1778a4ff7

  • SHA1

    2a299d4703ddf8471c187cb58f9e33abed0e9264

  • SHA256

    34147011e951b5672b7cf571a2380b135f13edf2b8624b08845f916193d658a5

  • SHA512

    5d0b58f7136035cb6e4dc4b77ef00dae946f14e517a049af2914413bc01f6eca470ccf6d637f2d050b40de3fbe7bb1b687b645e2a532237f52007b6ffe558d24

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NITROGEN\NITROGEN.vbs"
    1⤵
    PID:3996
    • C:\Windows\System32\shutdown.exe
      "C:\Windows\System32\shutdown.exe" -s -t 01
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4580
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2824
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3728
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3728.0.656689217\993872677" -parentBuildID 20221007134813 -prefsHandle 1764 -prefMapHandle 1756 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b62ecb56-a84c-47fb-bd9c-7e724bfcca05} 3728 "\\.\pipe\gecko-crash-server-pipe.3728" 1832 204e3cdeb58 gpu
        3⤵
        PID:3472
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3728.1.907145689\1100676579" -parentBuildID 20221007134813 -prefsHandle 2196 -prefMapHandle 2192 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d375b335-6eb0-4c2b-8f7a-04e89001ac57} 3728 "\\.\pipe\gecko-crash-server-pipe.3728" 2208 204e3842858 socket
        3⤵
        PID:4384
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3728.2.1591375388\705702401" -childID 1 -isForBrowser -prefsHandle 2656 -prefMapHandle 2956 -prefsLen 20821 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35ee2b9d-9213-4529-b9fa-e5487deeb03d} 3728 "\\.\pipe\gecko-crash-server-pipe.3728" 2892 204e910b258 tab
        3⤵
        PID:2412
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3728.3.293942711\1447559483" -childID 2 -isForBrowser -prefsHandle 3480 -prefMapHandle 3476 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81499d43-cd67-4daa-bb70-63cae9d75deb} 3728 "\\.\pipe\gecko-crash-server-pipe.3728" 3488 204e672ef58 tab
        3⤵
        PID:4148
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3728.4.2123051720\221468282" -childID 3 -isForBrowser -prefsHandle 3648 -prefMapHandle 3652 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af74328c-e28b-427e-a618-0feac3f054ee} 3728 "\\.\pipe\gecko-crash-server-pipe.3728" 4560 204ead6ee58 tab
        3⤵
        PID:4440
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3728.7.57894010\684224141" -childID 6 -isForBrowser -prefsHandle 5280 -prefMapHandle 5284 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c36b88c0-4a8c-4690-9147-385c9f5bd29b} 3728 "\\.\pipe\gecko-crash-server-pipe.3728" 5272 204eb471f58 tab
        3⤵
        PID:3292
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3728.6.1964997043\957352632" -childID 5 -isForBrowser -prefsHandle 5084 -prefMapHandle 5088 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eda20434-92e3-4f48-bf0f-f82decc9b0ab} 3728 "\\.\pipe\gecko-crash-server-pipe.3728" 4968 204eb470d58 tab
        3⤵
        PID:1756
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3728.5.1303527026\1471312248" -childID 4 -isForBrowser -prefsHandle 4936 -prefMapHandle 4932 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0b98214-d39b-4a88-a64a-30025b16c26c} 3728 "\\.\pipe\gecko-crash-server-pipe.3728" 4948 204e95b4058 tab
        3⤵
        PID:1796
  • C:\Windows\System32\PickerHost.exe
    C:\Windows\System32\PickerHost.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:4004
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3a22855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2940

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f6y7ha3v.default-release\datareporting\glean\db\data.safe.bin
    Filesize: 2KB
    MD5: 3f5d246aabbd5a8dd7a61a6816d09b47
    SHA1: d19668c7a044c04c374e9ca8242527a25f328d20
    SHA256: 6813570c7a79b8e9f89d526d231b64a5b9b2b96c3be635e51030764699bd5ecc
    SHA512: 0160568216448f37811e1cdd96935b8c7fcae1551f961396e3123fd4960e719e31cfe2c6b4294146d85e0e15272aa6d94bc48646a8963db0108986aa62e7ab00

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f6y7ha3v.default-release\datareporting\glean\pending_pings\9f2c8378-dbff-4854-859d-00b330e20383
    Filesize: 746B
    MD5: 6653e6593038e7e36acf0504904ad37d
    SHA1: 0065952bd7e9df84f6072963b8fa00e14856c60c
    SHA256: 25d6083da743c42833ade9a333bff554eba9f50f5dc8f7a982e29af69186a41d
    SHA512: 0169446d6098024ed9f3e80ff3ef20786534598a14ffe4387d177a69e2914bb1b0bf5062eb2bd832cb042d7ce63b3f80a9416de4eae48fb7b715b014f04a7203

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f6y7ha3v.default-release\datareporting\glean\pending_pings\c26ad44b-f311-446f-a49a-010d50424826
    Filesize: 10KB
    MD5: 0af817c8790dffd8048303c766137026
    SHA1: aecb0f5293dd43e77e9d84f76c0068e8543e7ac2
    SHA256: e85667758ce5407ffb576efe0e7649cac5d067a33bd1098c15917982226c99a9
    SHA512: a98173a578b452b79ba63dc0b025b740921e8d40e2ed6b706c311cfdb20f699f86269ee6e585b58a4770cc6d556880097b727da6f1a4cf121e4413a20d9c487a

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f6y7ha3v.default-release\prefs-1.js
    Filesize: 6KB
    MD5: 82efbde2b8fba4f9cc2422fb5094fd81
    SHA1: 2906a5119c1846b19deacc08eba59f02278b68d0
    SHA256: 57c0d148309795f8f237f4b8bb0bc9ae5929732e5f0ffefc5e8fdab269a885b8
    SHA512: adcb80f06b17db06498b2ce1f6e3a53df6c189a887e380784fe14b8e8793a79ed0af7bebfe017993bbb6434ec926b731339adad0cbd648d6d25258c7f10d8ddf

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f6y7ha3v.default-release\sessionCheckpoints.json.tmp
    Filesize: 212B
    MD5: 29ce37dc02c78bbe2e5284d350fae004
    SHA1: bab97d5908ea6592aef6b46cee1ded6f34693fa2
    SHA256: 1bfee61e2f346959c53aa41add4b02d2b05c86c9f19ffefe1018f4a964bf4693
    SHA512: 53a9eb746e193c088210d8eaa6218d988f3a67ee4cb21844d682ff0178db040932404f5ce2f3cf8b4576313ba0ec33c04ca288c3412bfa5df7dd8230cc2068bb

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f6y7ha3v.default-release\sessionstore.jsonlz4
    Filesize: 419B
    MD5: c32df479acbbf403b56b2b603a57630a
    SHA1: 336fb9e5440ec4eed0d808f9734b4e859a514c88
    SHA256: 90ad78dda481554036bc16fd8c6a5319b3d61f7db1d659179242aaa96c3311f5
    SHA512: d366f36bff6f88a93d88bd47c01416ca2250773886280136c7fefb2f59094a835276d017da850960b497f6e2daccd4db72c55ef34d9001cb7a379cbcc1bc3813