Analysis Overview
SHA256
84388821e026288f254b663628e143aa6e7ae42feca16be6dcfa6858d29442a6
Threat Level: No (potentially) malicious behavior was detected
The file nitrogenerator.exe was found to be: No (potentially) malicious behavior was detected.
Malicious Activity Summary
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 16:47
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 16:47
Reported
2024-06-13 17:28
Platform
win7-20240611-en
Max time kernel
1559s
Max time network
1564s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20a82600b3bdda01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424459790" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2B2C2CC1-29A6-11EF-8144-CE80800B5EC6} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a8076000000000200000000001066000000010000200000003636d233348cd680cf757cc23687a05bcb270c20230bfa1751f226b1db8a7f5f000000000e8000000002000020000000b925d515f353136237d8f38bd49878b55de523a51421b279f611e43f645b77af200000001a638b5b12442636b317512e5c925fffed319e760a56957249b643d5ea5f8b5b400000004bc5f1cec87bd278cc8a5566b374f83ab4d5abc53332f9b4092899981df9a0643e614b41d949585bc6f9d01fea4fc448523310cb06947e8d7e91ee3a43b67100 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value not preserved in this copy of the report] | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\nitrogenerator.xml"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2692 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab7571.tmp
C:\Users\Admin\AppData\Local\Temp\Tar78BF.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 16:47
Reported
2024-06-13 17:28
Platform
win10v2004-20240508-en
Max time kernel
1752s
Max time network
1761s
Command Line
Signatures
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\nitrogenerator.xml"
Network
Files
memory/4532-0-0x00007FF9E1830000-0x00007FF9E1840000-memory.dmp
memory/4532-1-0x00007FFA2184D000-0x00007FFA2184E000-memory.dmp
memory/4532-2-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp
memory/4532-3-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp