hxxps://github[.]com/KanekiWeb/Nitro-Generator

Analysis

max time kernel
149s
max time network
139s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
07/06/2024, 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/KanekiWeb/Nitro-Generator

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
19	camo.githubusercontent.com
20	camo.githubusercontent.com
21	camo.githubusercontent.com
22	camo.githubusercontent.com
17	camo.githubusercontent.com
18	camo.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133622530727955837"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4092	chrome.exe
4092	chrome.exe
4916	chrome.exe
4916	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4092	chrome.exe
4092	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe
Token: SeShutdownPrivilege	4092	chrome.exe
Token: SeCreatePagefilePrivilege	4092	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe
4092	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 1296	4092	chrome.exe	73
PID 4092 wrote to memory of 1296	4092	chrome.exe	73
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 4324	4092	chrome.exe	75
PID 4092 wrote to memory of 3616	4092	chrome.exe	76
PID 4092 wrote to memory of 3616	4092	chrome.exe	76
PID 4092 wrote to memory of 5076	4092	chrome.exe	77
PID 4092 wrote to memory of 5076	4092	chrome.exe	77
PID 4092 wrote to memory of 5076	4092	chrome.exe	77
PID 4092 wrote to memory of 5076	4092	chrome.exe	77
PID 4092 wrote to memory of 5076	4092	chrome.exe	77
PID 4092 wrote to memory of 5076	4092	chrome.exe	77
PID 4092 wrote to memory of 5076	4092	chrome.exe	77
PID 4092 wrote to memory of 5076	4092	chrome.exe	77
PID 4092 wrote to memory of 5076	4092	chrome.exe	77
PID 4092 wrote to memory of 5076	4092	chrome.exe	77
PID 4092 wrote to memory of 5076	4092	chrome.exe	77
PID 4092 wrote to memory of 5076	4092	chrome.exe	77
PID 4092 wrote to memory of 5076	4092	chrome.exe	77
PID 4092 wrote to memory of 5076	4092	chrome.exe	77
PID 4092 wrote to memory of 5076	4092	chrome.exe	77
PID 4092 wrote to memory of 5076	4092	chrome.exe	77
PID 4092 wrote to memory of 5076	4092	chrome.exe	77
PID 4092 wrote to memory of 5076	4092	chrome.exe	77
PID 4092 wrote to memory of 5076	4092	chrome.exe	77
PID 4092 wrote to memory of 5076	4092	chrome.exe	77
PID 4092 wrote to memory of 5076	4092	chrome.exe	77
PID 4092 wrote to memory of 5076	4092	chrome.exe	77

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/KanekiWeb/Nitro-Generator
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa67369758,0x7ffa67369768,0x7ffa67369778
  2⤵
  PID:1296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1528 --field-trial-handle=1788,i,15800048850283480685,6762243849783463498,131072 /prefetch:2
  2⤵
  PID:4324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=1788,i,15800048850283480685,6762243849783463498,131072 /prefetch:8
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 --field-trial-handle=1788,i,15800048850283480685,6762243849783463498,131072 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2852 --field-trial-handle=1788,i,15800048850283480685,6762243849783463498,131072 /prefetch:1
  2⤵
  PID:1492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2860 --field-trial-handle=1788,i,15800048850283480685,6762243849783463498,131072 /prefetch:1
  2⤵
  PID:204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 --field-trial-handle=1788,i,15800048850283480685,6762243849783463498,131072 /prefetch:8
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 --field-trial-handle=1788,i,15800048850283480685,6762243849783463498,131072 /prefetch:8
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2408 --field-trial-handle=1788,i,15800048850283480685,6762243849783463498,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4916

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
35bb6de8971d23353b8a7e53c45997b6

SHA1
25b3ba3d6beda4c7e565426c0d79a6c8960cf479

SHA256
427c6319a8374609ba3c0e629d2ea6e4e6d6531683a143b80fddc83651167c1f

SHA512
4ebb52e14f2ad59bd1ab10064221ed118694bb1e95a382dbc50a512f91d6762282548e69b9e5fe9b1ca2f83283f0efa1185a965acdcb6210fe30e4c65c4f8c7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
211b84b6fa210b4b7e530eb3cb85b9f1

SHA1
243041aea35942a3a11ab044d4121d7a0a5a9348

SHA256
ff6572045211fa7d82b5a83a2bd04f189b6dcd1fcd40e01ac4f4cd94cf17cd49

SHA512
dfdc9275c4349e4324ca98dd41e369820558c676ba84dcc767d3431b53a4902046cd588204295acc74478e65ad7bb9399e7ff5289c51923b99a6c9a915c38b5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
08999f9dad9553feb0617cf52df9b3a3

SHA1
67a7e47e88311fe364ca2b106324ab144e639b31

SHA256
e0b9d4f5716ad5370786f7e9ff9df95e6fa306cdbc5e4e34e92fc04d649d6d64

SHA512
5621af36ed401975fd761130fd269cdd216a2b9c4a2984640512b7a43589f3b42514a68132914ab09f1abb967441512818786198c13ced3cb87401cd31975428

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e81bd30087f025dced5c2301053e502d

SHA1
cf0952f64af46e256ff97ebe7b0c60057a19f501

SHA256
8971c94215da3f64ab50f23673b2f5b16a7575c9c46f309f852c8328f80add3f

SHA512
e309f8e8cb28ee19537445cb371092f8f16fd8cebf92c185784c329e6f827f9a171dddaf355b17f1830953ee69c9616dbf3bfe48895a962fd529d7da5b706005

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
483c872391f094ecceff512e2c1f5e99

SHA1
9524fb9464c988d4dc113435b58ef070925aafc5

SHA256
3a12d4ab650cf2ae242deb075d88f26e5890cbd8be2bea8112ab75617480782d

SHA512
e4bc34492e4524e91fe73d816c379ae6e95ada072b6270b8f6e6d1889dfba14542e43ac86f162ac62459391cf9b1cab18723e683c808757b792dde390f44e1fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
98c3a7f447278e167bde7e73e025b94e

SHA1
90ef9e5320789a5ceb074c38248ad87558df0f02

SHA256
778288194d6f32b1977b3bfa9dca9a386c092ff6ce2ee5415cd48424833b1597

SHA512
dc2431ac50e982ef6d12192bc62d32142bafd088caeedae618d6a6f241e925366a4586be584c26954a081f9d94d081f39f27275b04508e0caad256965ba8b80c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
2d041fd82198db60387e1505a3cd8eba

SHA1
faecb3a12903c9d6de5824760f6f04aab685ac2f

SHA256
1fc7d7aa50c8add0e60634b649e8f2c9264f9b4ff52544e3f5af791c1a708477

SHA512
24b665fe62dfcb457b3edb7ad7b10e7719e0e27a241eab93928b86fe4dd1975c582309b736757a82d92c0d49df757164bd2a18b62b6c7a1e9807b52ddfda0db5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit