Analysis
- max time kernel: 57s
- max time network: 60s
- platform: windows11-21h2_x64
- resource: win11-20240611-en
- resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 19-06-2024 14:02
Behavioral tasks
- behavioral1: sample Nitro.rar, resource win11-20240611-en
- behavioral2: sample Nitro/Nitro Gen.exe, resource win11-20240611-en
- behavioral3: sample main.pyc, resource win11-20240508-en
- behavioral4: sample Nitro/config/config.json, resource win11-20240611-en
- behavioral5: sample Nitro/config/proxies.txt, resource win11-20240611-en
- behavioral6: sample Nitro/results/hit.txt, resource win11-20240508-en
General
- Target: Nitro.rar
- Size: 40.2MB
- MD5: a4de5d955af8f2741a7e2d8868814312
- SHA1: 8e4b3bc11bedfcef7e90976f1689149b2fe5c47c
- SHA256: 55a9731315dd5191dc6eab4ceef4be4a6c71a527c8b4205a41a1879283a7b3e1
- SHA512: 949cfd1481a281532cf27645d3b3b52d06b1e4cfd5ec8eebe8d51afebb1f09ff2e8b6018ff22b7dd8136bd3933e050e0384204582b1d111bc89ce9f8e1e1efae
- SSDEEP: 786432:HRAXpj+vh3S5fAxznW8t5U75PXn04LSlefAq71P+QY2/Qcdi+:HRMpjmNGfAhxU7l0CSl071PpY2/QUB
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: msedge.exe
  - Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS by msedge.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer by msedge.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName by msedge.exe
- Modifies registry class (2 IoCs)
  Processes: cmd.exe, OpenWith.exe
  - Key created \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings by cmd.exe
  - Key created \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings by OpenWith.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes: vlc.exe
  - PID 1092 vlc.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes: msedge.exe, identity_helper.exe
  - PID 4424 msedge.exe (x2)
  - PID 4036 msedge.exe (x2)
  - PID 1736 msedge.exe (x2)
  - PID 436 identity_helper.exe (x2)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: vlc.exe
  - PID 1092 vlc.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  Processes: msedge.exe
  - PID 4424 msedge.exe (x7)
- Suspicious use of FindShellTrayWindow (34 IoCs)
  Processes: vlc.exe, msedge.exe
  - PID 1092 vlc.exe (x9)
  - PID 4424 msedge.exe (x25)
- Suspicious use of SendNotifyMessage (20 IoCs)
  Processes: vlc.exe, msedge.exe
  - PID 1092 vlc.exe (x8)
  - PID 4424 msedge.exe (x12)
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes: OpenWith.exe, vlc.exe
  - PID 3364 OpenWith.exe (x5)
  - PID 1092 vlc.exe (x1)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: OpenWith.exe, msedge.exe
  - PID 3364 OpenWith.exe wrote to memory of PID 1092 vlc.exe (x2)
  - PID 4424 msedge.exe wrote to memory of PID 4088 msedge.exe (x2)
  - PID 4424 msedge.exe wrote to memory of PID 1676 msedge.exe (x40)
  - PID 4424 msedge.exe wrote to memory of PID 4036 msedge.exe (x2)
  - PID 4424 msedge.exe wrote to memory of PID 3440 msedge.exe (x18)
Processes
- C:\Windows\system32\cmd.exe (PID 912)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Nitro.rar
  - Modifies registry class
- C:\Windows\system32\OpenWith.exe (PID 3364)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Program Files\VideoLAN\VLC\vlc.exe (PID 1092)
    Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Nitro.rar"
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4424)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4088)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa93973cb8,0x7ffa93973cc8,0x7ffa93973cd8
  - Child process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1676)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,2202184833714254701,11863994598536320617,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  - Child process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4036)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,2202184833714254701,11863994598536320617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  - Child process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3440)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,2202184833714254701,11863994598536320617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  - Child process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3212)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2202184833714254701,11863994598536320617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  - Child process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4832)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2202184833714254701,11863994598536320617,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  - Child process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3464)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2202184833714254701,11863994598536320617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
  - Child process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 704)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2202184833714254701,11863994598536320617,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
  - Child process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5108)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2202184833714254701,11863994598536320617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  - Child process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3408)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2202184833714254701,11863994598536320617,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
  - Child process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1736)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,2202184833714254701,11863994598536320617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3900 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - Child process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1204)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,2202184833714254701,11863994598536320617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
  - Child process: C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe (PID 436)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,2202184833714254701,11863994598536320617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe (PID 1552)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 4464)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads