Malware Analysis Report

2024-10-23 21:05

Sample ID 240613-vahxms1bll
Target nitrogenerator.exe
SHA256 84388821e026288f254b663628e143aa6e7ae42feca16be6dcfa6858d29442a6
Tags
score
1/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
1/10

SHA256

84388821e026288f254b663628e143aa6e7ae42feca16be6dcfa6858d29442a6

Threat Level: No (potentially) malicious behavior was detected

The file nitrogenerator.exe was found to be: No (potentially) malicious behavior was detected. Read this with the command lines below in mind: despite the .exe name, both behavioral runs opened the sample as an XML document (nitrogenerator.xml, via MSOXMLED.EXE /verb open), and every signature row attributes its activity to IEXPLORE.EXE or MSOXMLED.EXE, the Office XML handler and the browser it launched, not to nitrogenerator.exe. The 1/10 score therefore says nothing about what the file would do if it were a PE binary; confirm the real file type before treating the score as clearance.

Malicious Activity Summary


Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 16:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 16:47

Reported

2024-06-13 17:28

Platform

win7-20240611-en

Max time kernel

1559s

Max time network

1564s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\nitrogenerator.xml"
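
The command line shows the sandbox handing the submitted nitrogenerator.exe to MSOXMLED.EXE as nitrogenerator.xml, so the content was treated as an XML document rather than executed as a PE. A check that a sample's extension agrees with its bytes catches this before submission. The following is an added example for this report, not sandbox output or code from the page: the sample's bytes are not on the page, so its inputs are constructed stand-ins, and the PE test only inspects the MZ and PE signatures (an assumption that this is enough for triage, not a full PE parser).

```python
"""Check whether a sample's file extension agrees with its real content.

Added example for this report; the inputs are constructed stand-ins,
not the bytes of nitrogenerator.exe (which the page does not contain).
"""
import os
import struct

# Bytes we accept as plain text: printable ASCII plus tab, LF and CR.
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

# Extension -> content kinds we expect for it (triage assumption, extend as needed).
EXPECTED = {".exe": {"pe"}, ".dll": {"pe"}, ".xml": {"xml"}, ".txt": {"text"}}


def sniff_kind(data: bytes) -> str:
    """Classify content as 'pe', 'mz' (DOS header without PE signature),
    'xml' (markup), 'text' or 'binary' by looking at the leading bytes."""
    if len(data) >= 0x40 and data[:2] == b"MZ":
        # e_lfanew at offset 0x3C points at the 'PE\0\0' signature in a real PE.
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
        return "mz"
    # Skip a UTF-8 BOM and leading whitespace before looking for markup.
    head = data[:512].lstrip(b"\xef\xbb\xbf\t\r\n ")
    if head.startswith(b"<?xml") or head.startswith(b"<"):
        return "xml"
    if head and all(b in TEXT_BYTES for b in head):
        return "text"
    return "binary"


def extension_mismatch(filename: str, data: bytes):
    """Return (detected_kind, mismatch). mismatch is True only when the
    extension is one we have expectations for and the content disagrees."""
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff_kind(data)
    expected = EXPECTED.get(ext)
    return kind, (expected is not None and kind not in expected)


def fake_pe() -> bytes:
    """Constructed minimal MZ header whose e_lfanew points at a PE signature.
    Not a runnable binary; just enough to exercise the PE branch."""
    buf = bytearray(0x80)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


# Constructed samples: an XML document carrying an .exe name (the situation
# this report's command line implies) and a genuine-looking PE header.
SAMPLES = {
    "nitrogenerator.exe": b'<?xml version="1.0" encoding="utf-8"?>\n<root/>\n',
    "real.exe": fake_pe(),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        kind, bad = extension_mismatch(name, data)
        flag = "MISMATCH" if bad else "ok"
        print(f"{name}: content={kind} {flag}")
```

Run it on the files queued for submission; anything flagged MISMATCH should be submitted under its real type (or with the sandbox told how to run it), otherwise the score reflects the wrong handler, as it does here.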

Signatures

Modifies Internet Explorer settings

Tags: adware, spyware

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20a82600b3bdda01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424459790" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2B2C2CC1-29A6-11EF-8144-CE80800B5EC6} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a8076000000000200000000001066000000010000200000003636d233348cd680cf757cc23687a05bcb270c20230bfa1751f226b1db8a7f5f000000000e8000000002000020000000b925d515f353136237d8f38bd49878b55de523a51421b279f611e43f645b77af200000001a638b5b12442636b317512e5c925fffed319e760a56957249b643d5ea5f8b5b400000004bc5f1cec87bd278cc8a5566b374f83ab4d5abc53332f9b4092899981df9a0643e614b41d949585bc6f9d01fea4fc448523310cb06947e8d7e91ee3a43b67100 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value not included in the page) | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1688 wrote to memory of 2296 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1688 wrote to memory of 2296 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1688 wrote to memory of 2296 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1688 wrote to memory of 2296 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2296 wrote to memory of 2692 | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2296 wrote to memory of 2692 | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2296 wrote to memory of 2692 | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2296 wrote to memory of 2692 | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2692 wrote to memory of 3060 | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2692 wrote to memory of 3060 | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2692 wrote to memory of 3060 | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2692 wrote to memory of 3060 | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
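
The twelve rows above are three parent/child pairs with four WriteProcessMemory calls each, chaining MSOXMLED.EXE (1688) to the 32-bit iexplore.exe frame (2296), to the 64-bit IEXPLORE.EXE (2692), to the 32-bit tab process (3060, whose SCODEF:2692 argument names 2692 as its owner). Rebuilding that chain mechanically is the fastest way to see that the "suspicious" signature is the browser spawning its own processes. What follows is an added example for reading this report, not sandbox output: the rows and command lines are copied from the page, and pairing a PID with a command line by exact image path is an assumption, since the report does not print PIDs beside its Processes list.

```python
"""Rebuild the parent/child process chain from the 'Suspicious use of
WriteProcessMemory' rows of this report (added example, not sandbox output)."""
import re
from collections import defaultdict

# Rows copied from the report, one per WriteProcessMemory call.
WRITE_EVENTS = r"""
PID 1688 wrote to memory of 2296 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1688 wrote to memory of 2296 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1688 wrote to memory of 2296 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1688 wrote to memory of 2296 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2296 wrote to memory of 2692 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2296 wrote to memory of 2692 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2296 wrote to memory of 2692 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2296 wrote to memory of 2692 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2692 wrote to memory of 3060 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2692 wrote to memory of 3060 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2692 wrote to memory of 3060 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2692 wrote to memory of 3060 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"""

# Command lines from the report's Processes section, keyed by the exact image
# path as the rows print it (case included). Pairing by path is an assumption.
COMMAND_LINES = {
    r"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE":
        r'"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\nitrogenerator.xml"',
    r"C:\Program Files (x86)\Internet Explorer\iexplore.exe":
        r'"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome',
    r"C:\Program Files\Internet Explorer\IEXPLORE.EXE":
        r'"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome',
    r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE":
        r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2692 CREDAT:275457 /prefetch:2',
}

# The non-greedy group stops at the first " C:\" so two space-laden paths split cleanly.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) (C:\\.+)$")


def parse_write_events(text):
    """Return (edge_counts, images): edge_counts[(parent, child)] is the number
    of rows for that pair (identical rows are separate calls, so they count),
    images[pid] is the image path seen for that PID."""
    edge_counts = defaultdict(int)
    images = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        parent, child, parent_img, child_img = m.groups()
        parent, child = int(parent), int(child)
        edge_counts[(parent, child)] += 1
        images[parent] = parent_img
        images[child] = child_img
    return dict(edge_counts), images


def root_to_leaf_paths(edge_counts):
    """Every root-to-leaf PID path in the tree implied by the write edges."""
    children = defaultdict(list)
    for parent, child in edge_counts:
        children[parent].append(child)
    has_parent = {child for _, child in edge_counts}
    roots = sorted({p for p, _ in edge_counts if p not in has_parent})
    paths = []

    def walk(pid, path):
        path = path + [pid]
        if not children[pid]:
            paths.append(path)
        for c in sorted(children[pid]):
            walk(c, path)

    for r in roots:
        walk(r, [])
    return paths


def render(edge_counts, images):
    """One indented line per process: PID, command line, writes from its parent."""
    parent_of = {child: parent for parent, child in edge_counts}
    lines = []
    for path in root_to_leaf_paths(edge_counts):
        for depth, pid in enumerate(path):
            note = ""
            if pid in parent_of:
                note = f"  ({edge_counts[(parent_of[pid], pid)]} writes from {parent_of[pid]})"
            cmd = COMMAND_LINES.get(images[pid], images[pid])
            lines.append("  " * depth + f"{pid} {cmd}{note}")
    return lines


if __name__ == "__main__":
    counts, imgs = parse_write_events(WRITE_EVENTS)
    print("\n".join(render(counts, imgs)))
```

The same parser works on the WriteProcessMemory table of any report in this format; a chain that leaves the browser's own images (for example a write from IEXPLORE.EXE into a process under the user's profile) is the case worth a second look, and it would show up here as a second branch or a foreign image path.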

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\nitrogenerator.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2692 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.bing.com | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab7571.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar78BF.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 66f6ca9f5fae93080dc0b245f6586d47
SHA1 8f713409f458654a65c578233319108ba2734c6e
SHA256 107754cbc818d171b4b4f4e1dc5b4335844b3e7e474e79b221cc988cd6d5741f
SHA512 83c7108e19b706c425545a0125beebbb20c1f1a7fc0de99c40a6743de998877d8ee279fadd9f9ac6dc814602262a977f0378f8ff14f412ef566d471c9d16a004

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6a9c361804b4b058201d363492c097e7
SHA1 6212d3d138f3d0b3531a09119e3b7b3692c55a43
SHA256 743715b785b37e23b0014eddd919d2ec3217929d4310cacbee142e81589242a6
SHA512 d69e0fcf8c63441d884ccb52a0d28c08dce98ed349f7c28c7cfe6e1882a8049ac9e7843bff45442e68702e41c66a4a9d417b15288e697d5f1a3556a280cb9d5b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d54ab1acfa33356e285b4af1781a418a
SHA1 34fd82c700ceebd6b669cfa2717af2e5c9706958
SHA256 ea10f8c6ac1dc0bc0761dc0cfad4f0c3cc365fe6add47407834b6ee5d70eece1
SHA512 cc0f3f82cd435546078c21dc0e315a460b2121db29164753408b8d1f4a84dff2b77ee2edd26de08a0a5c5e66405fa5a75f16246c256418b50a8aa150989908bb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 878dcea2c4ac861b02b5ce70b0e948e2
SHA1 24e751e980ad1a68476ff4492648176cb0fd2219
SHA256 7e6f3552c1d323fa0bc2fde976caa4b2703a0e56334e3e4ca5f89cf38323bfdb
SHA512 000c91de8e15fdcaec0f9de4efb4e7893ddbc77dc3a348c580c19454608301502763f9f01cc726ff8b6de410963951313e483ab1f0dd111bb08a757e06e465b8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7e5d800034e3ce25723c275a9edb8d20
SHA1 78de683c8397d4ec7ff65cbc9b77069f05d50625
SHA256 ddfd63cfc35f9544090dcbb32b0cbd063ab0aa4f0161ba69f990cf10256c18cf
SHA512 540ca96c7df59ecd4d4381f51316b5031767b2acfb4c40a058fa6e3175121f6c3e3ee364bac51d5af4cb3e4f42559d20f9d35e1c4f7f8aaacb59b6e7b3a6a13c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c9721292bfd7ae8bbc5d8ad46d9b21a6
SHA1 fe40227817a2571948cb566342aedc7a7d133f0f
SHA256 b0760ce7d4b43ba42ed4ca87fa2472e0dcc9b4b368db4a10c075783747b976c6
SHA512 195a9aa11e11a1501e7c0b9b2d3c57d7e186389f15a413deddb13eb89a375697f553b926fa031d339cb3f6794955cab73e7bd12d2215f0f1eeda3c2a4298f277

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9d7dee78594b13e644cba30f1945cc50
SHA1 76cef11c9dc9472361258704a3a3738ba0520332
SHA256 c073c9af1fb0ab8f91bf27f37a8d08baf82798da83b99161cb4eaf7de93c28b9
SHA512 697aec54e14917ae41e0e016eb5b1ea4cbc58d0fa9afbc430a8993d07ce0da361c459295d7d760c704988e29e8504659694ada2622f0556880a19005387d0135

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6914974c147345efdb09ae559462c8fc
SHA1 d1a11a1760a9a8f410a0621aed46ddb3dd2fa0cd
SHA256 4d6081ed23020c3019da87cef2bb4f9ef88e48621311ff902a406474d1e25241
SHA512 9788782b15f4e5a6a1e0664793acb9177e9895ee45f8802992392715b9940380913bac94db2514fc6811cb00db97f1c84c6a1b5da82b746b7a6b689a27a6e7d3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 27c94d1a09b950f6a5b0b8d417057176
SHA1 003c52812a4cb93166ec00b70916c453d420c014
SHA256 69fcfeab5d6b4631d19294a27adbfb752c4ae1724ea78103ed37ff32871ae7f2
SHA512 d56ad3385518b84e662ee874e405af30174cb00ae8d9450984cf57e9bad3834e2058b331acfd1cb609dfc337a3bfb0d8ce3a3f1c0058816454994ef4799b6425

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ae36a18b94a268dcc8f0f80f0724da2f
SHA1 fcd75c9246e5a50af551eac801e5b5689e4e6739
SHA256 1a5a99d829a3c91b70a1d6748a18effe11281131eb15ecf52bc233dee620ac44
SHA512 60d712b5860f3e81a84f7109423090938893ff17d3a97e2d7532ee451c5a35e3ffe8b8a744273cc077534aa1e87d0b7945e75fc13dc2bac43b02aca64ff762e7

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 16:47

Reported

2024-06-13 17:28

Platform

win10v2004-20240508-en

Max time kernel

1752s

Max time network

1761s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\nitrogenerator.xml"

Signatures

N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\nitrogenerator.xml"

Network

Files

memory/4532-0-0x00007FF9E1830000-0x00007FF9E1840000-memory.dmp

memory/4532-1-0x00007FFA2184D000-0x00007FFA2184E000-memory.dmp

memory/4532-2-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp

memory/4532-3-0x00007FFA217B0000-0x00007FFA219A5000-memory.dmp