Analysis
max time kernel: 1559s
max time network: 1564s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 13-06-2024 16:47
Static task: static1
Behavioral task: behavioral1
  Sample: nitrogenerator.xml
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: nitrogenerator.xml
  Resource: win10v2004-20240508-en
General
Target: nitrogenerator.xml
Size: 240B
MD5: f71d9f85481364ac9ee85e0353bfd943
SHA1: 7242390badd5280cca763d10050d3e70ef85ed31
SHA256: 84388821e026288f254b663628e143aa6e7ae42feca16be6dcfa6858d29442a6
SHA512: cee41e6f9df837b7b6ac7ab326e74e0e7a1466f5edfd42a0fbd246c45b1c9838e56296654568781560bc5c9c34a2a35109d83e3dcb25f393206df104762ee3d0
Malware Config
Signatures
Modifies Internet Explorer settings
Processes: IEXPLORE.EXE, IEXPLORE.EXE
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IntelliForms | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20a82600b3bdda01 | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Zoom | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\InternetRegistry | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424459790" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PageSetup | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2B2C2CC1-29A6-11EF-8144-CE80800B5EC6} = "0" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a8076000000000200000000001066000000010000200000003636d233348cd680cf757cc23687a05bcb270c20230bfa1751f226b1db8a7f5f000000000e8000000002000020000000b925d515f353136237d8f38bd49878b55de523a51421b279f611e43f645b77af200000001a638b5b12442636b317512e5c925fffed319e760a56957249b643d5ea5f8b5b400000004bc5f1cec87bd278cc8a5566b374f83ab4d5abc53332f9b4092899981df9a0643e614b41d949585bc6f9d01fea4fc448523310cb06947e8d7e91ee3a43b67100 | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value not present in the captured report] | IEXPLORE.EXE
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: IEXPLORE.EXE
pid | process
2692 | IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs
Processes: IEXPLORE.EXE, IEXPLORE.EXE
pid | process
2692 | IEXPLORE.EXE
2692 | IEXPLORE.EXE
3060 | IEXPLORE.EXE
3060 | IEXPLORE.EXE
3060 | IEXPLORE.EXE
3060 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory 12 IoCs
Processes: MSOXMLED.EXE, iexplore.exe, IEXPLORE.EXE
description | pid | process | target process
PID 1688 wrote to memory of 2296 | 1688 | MSOXMLED.EXE | iexplore.exe
PID 1688 wrote to memory of 2296 | 1688 | MSOXMLED.EXE | iexplore.exe
PID 1688 wrote to memory of 2296 | 1688 | MSOXMLED.EXE | iexplore.exe
PID 1688 wrote to memory of 2296 | 1688 | MSOXMLED.EXE | iexplore.exe
PID 2296 wrote to memory of 2692 | 2296 | iexplore.exe | IEXPLORE.EXE
PID 2296 wrote to memory of 2692 | 2296 | iexplore.exe | IEXPLORE.EXE
PID 2296 wrote to memory of 2692 | 2296 | iexplore.exe | IEXPLORE.EXE
PID 2296 wrote to memory of 2692 | 2296 | iexplore.exe | IEXPLORE.EXE
PID 2692 wrote to memory of 3060 | 2692 | IEXPLORE.EXE | IEXPLORE.EXE
PID 2692 wrote to memory of 3060 | 2692 | IEXPLORE.EXE | IEXPLORE.EXE
PID 2692 wrote to memory of 3060 | 2692 | IEXPLORE.EXE | IEXPLORE.EXE
PID 2692 wrote to memory of 3060 | 2692 | IEXPLORE.EXE | IEXPLORE.EXE
Processes
- C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
  "C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\nitrogenerator.xml"
  - Suspicious use of WriteProcessMemory
  PID: 1688
  - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
    - Suspicious use of WriteProcessMemory
    PID: 2296
    - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2692
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2692 CREDAT:275457 /prefetch:2
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
        PID: 3060
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 66f6ca9f5fae93080dc0b245f6586d47
  SHA1: 8f713409f458654a65c578233319108ba2734c6e
  SHA256: 107754cbc818d171b4b4f4e1dc5b4335844b3e7e474e79b221cc988cd6d5741f
  SHA512: 83c7108e19b706c425545a0125beebbb20c1f1a7fc0de99c40a6743de998877d8ee279fadd9f9ac6dc814602262a977f0378f8ff14f412ef566d471c9d16a004
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 6a9c361804b4b058201d363492c097e7
  SHA1: 6212d3d138f3d0b3531a09119e3b7b3692c55a43
  SHA256: 743715b785b37e23b0014eddd919d2ec3217929d4310cacbee142e81589242a6
  SHA512: d69e0fcf8c63441d884ccb52a0d28c08dce98ed349f7c28c7cfe6e1882a8049ac9e7843bff45442e68702e41c66a4a9d417b15288e697d5f1a3556a280cb9d5b
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: d54ab1acfa33356e285b4af1781a418a
  SHA1: 34fd82c700ceebd6b669cfa2717af2e5c9706958
  SHA256: ea10f8c6ac1dc0bc0761dc0cfad4f0c3cc365fe6add47407834b6ee5d70eece1
  SHA512: cc0f3f82cd435546078c21dc0e315a460b2121db29164753408b8d1f4a84dff2b77ee2edd26de08a0a5c5e66405fa5a75f16246c256418b50a8aa150989908bb
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 878dcea2c4ac861b02b5ce70b0e948e2
  SHA1: 24e751e980ad1a68476ff4492648176cb0fd2219
  SHA256: 7e6f3552c1d323fa0bc2fde976caa4b2703a0e56334e3e4ca5f89cf38323bfdb
  SHA512: 000c91de8e15fdcaec0f9de4efb4e7893ddbc77dc3a348c580c19454608301502763f9f01cc726ff8b6de410963951313e483ab1f0dd111bb08a757e06e465b8
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 7e5d800034e3ce25723c275a9edb8d20
  SHA1: 78de683c8397d4ec7ff65cbc9b77069f05d50625
  SHA256: ddfd63cfc35f9544090dcbb32b0cbd063ab0aa4f0161ba69f990cf10256c18cf
  SHA512: 540ca96c7df59ecd4d4381f51316b5031767b2acfb4c40a058fa6e3175121f6c3e3ee364bac51d5af4cb3e4f42559d20f9d35e1c4f7f8aaacb59b6e7b3a6a13c
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: c9721292bfd7ae8bbc5d8ad46d9b21a6
  SHA1: fe40227817a2571948cb566342aedc7a7d133f0f
  SHA256: b0760ce7d4b43ba42ed4ca87fa2472e0dcc9b4b368db4a10c075783747b976c6
  SHA512: 195a9aa11e11a1501e7c0b9b2d3c57d7e186389f15a413deddb13eb89a375697f553b926fa031d339cb3f6794955cab73e7bd12d2215f0f1eeda3c2a4298f277
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 9d7dee78594b13e644cba30f1945cc50
  SHA1: 76cef11c9dc9472361258704a3a3738ba0520332
  SHA256: c073c9af1fb0ab8f91bf27f37a8d08baf82798da83b99161cb4eaf7de93c28b9
  SHA512: 697aec54e14917ae41e0e016eb5b1ea4cbc58d0fa9afbc430a8993d07ce0da361c459295d7d760c704988e29e8504659694ada2622f0556880a19005387d0135
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 6914974c147345efdb09ae559462c8fc
  SHA1: d1a11a1760a9a8f410a0621aed46ddb3dd2fa0cd
  SHA256: 4d6081ed23020c3019da87cef2bb4f9ef88e48621311ff902a406474d1e25241
  SHA512: 9788782b15f4e5a6a1e0664793acb9177e9895ee45f8802992392715b9940380913bac94db2514fc6811cb00db97f1c84c6a1b5da82b746b7a6b689a27a6e7d3
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 27c94d1a09b950f6a5b0b8d417057176
  SHA1: 003c52812a4cb93166ec00b70916c453d420c014
  SHA256: 69fcfeab5d6b4631d19294a27adbfb752c4ae1724ea78103ed37ff32871ae7f2
  SHA512: d56ad3385518b84e662ee874e405af30174cb00ae8d9450984cf57e9bad3834e2058b331acfd1cb609dfc337a3bfb0d8ce3a3f1c0058816454994ef4799b6425
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: ae36a18b94a268dcc8f0f80f0724da2f
  SHA1: fcd75c9246e5a50af551eac801e5b5689e4e6739
  SHA256: 1a5a99d829a3c91b70a1d6748a18effe11281131eb15ecf52bc233dee620ac44
  SHA512: 60d712b5860f3e81a84f7109423090938893ff17d3a97e2d7532ee451c5a35e3ffe8b8a744273cc077534aa1e87d0b7945e75fc13dc2bac43b02aca64ff762e7
- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b