Analysis
- max time kernel: 145s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system
- submitted: 21-06-2024 23:03
Static task: static1
Behavioral task: behavioral1
- Sample: Nitro Generator v1.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: Nitro Generator v1.exe
- Resource: win10-20240404-en
Behavioral task: behavioral3
- Sample: Nitro Generator v1.exe
- Resource: win10v2004-20240508-en
Behavioral task: behavioral4
- Sample: Nitro Generator v1.exe
- Resource: win11-20240508-en
General
- Target: Nitro Generator v1.exe
- Size: 225KB
- MD5: a2da88430b3dd46d547cd75126ecee69
- SHA1: c41229461c4b6ddc695c8a01940e76a0f0b930b7
- SHA256: c95d4d86a71f2b53bf73a48d9b04f924f2527c7886b7db877b2d339ecda9ef12
- SHA512: c3dcfa26d3c2a10f5ac58cd22f2c5bf5fbb986c11a43a547e0ea1f4ac016819de46bfadab6d111e83c2c9f572285a7f3ea4e275944ef7c16bf98426283fac859
- SSDEEP: 3072:LVAzYZD5kDzAgXKnj8meFDm8Zk5WFEw2zlXPcARAK4Mtx1Nnva/Vk5uAOcU3aQg7:LVBZ+DsfnwmlMkQEaARV4MT6dY9Mg59
Malware Config
Extracted
- Family: xworm
- C2: runderscore00-25851.portmap.host:25851
- Install_directory: %ProgramData%
- install_file: USB.exe
Signatures
- Detect Xworm Payload (4 IoCs)
  Processes:
  resource | yara_rule
  C:\Windows\Nitro Generator.exe | family_xworm
  behavioral1/memory/2504-26-0x0000000000EC0000-0x0000000000EDA000-memory.dmp | family_xworm
  behavioral1/memory/300-35-0x0000000001000000-0x000000000101A000-memory.dmp | family_xworm
  behavioral1/memory/1652-38-0x0000000001230000-0x000000000124A000-memory.dmp | family_xworm
- Drops startup file (2 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | Nitro Generator.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | Nitro Generator.exe
- Executes dropped EXE (4 IoCs)
  Processes:
  pid | process
  2376 | NitroGen.exe
  2504 | Nitro Generator.exe
  300 | svchost
  1652 | svchost
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  2912 | Nitro Generator v1.exe
  2364 |
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost" | Nitro Generator.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  4 | ip-api.com
- Drops file in Windows directory (1 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Windows\Nitro Generator.exe | Nitro Generator v1.exe
- Command and Scripting Interpreter: PowerShell
  Processes:
  pid | process
  2888 | powershell.exe
  2536 | powershell.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  pid | process
  2888 | powershell.exe
  2536 | powershell.exe
  2504 | Nitro Generator.exe
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2888 | powershell.exe
  Token: SeDebugPrivilege | 2536 | powershell.exe
  Token: SeDebugPrivilege | 2504 | Nitro Generator.exe
  Token: SeDebugPrivilege | 2504 | Nitro Generator.exe
  Token: SeDebugPrivilege | 300 | svchost
  Token: SeDebugPrivilege | 1652 | svchost
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
  pid | process
  2504 | Nitro Generator.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes:
  description | pid | process | target process
  PID 2912 wrote to memory of 2888 | 2912 | Nitro Generator v1.exe | powershell.exe
  PID 2912 wrote to memory of 2888 | 2912 | Nitro Generator v1.exe | powershell.exe
  PID 2912 wrote to memory of 2888 | 2912 | Nitro Generator v1.exe | powershell.exe
  PID 2912 wrote to memory of 2536 | 2912 | Nitro Generator v1.exe | powershell.exe
  PID 2912 wrote to memory of 2536 | 2912 | Nitro Generator v1.exe | powershell.exe
  PID 2912 wrote to memory of 2536 | 2912 | Nitro Generator v1.exe | powershell.exe
  PID 2912 wrote to memory of 2376 | 2912 | Nitro Generator v1.exe | NitroGen.exe
  PID 2912 wrote to memory of 2376 | 2912 | Nitro Generator v1.exe | NitroGen.exe
  PID 2912 wrote to memory of 2376 | 2912 | Nitro Generator v1.exe | NitroGen.exe
  PID 2912 wrote to memory of 2504 | 2912 | Nitro Generator v1.exe | Nitro Generator.exe
  PID 2912 wrote to memory of 2504 | 2912 | Nitro Generator v1.exe | Nitro Generator.exe
  PID 2912 wrote to memory of 2504 | 2912 | Nitro Generator v1.exe | Nitro Generator.exe
  PID 2504 wrote to memory of 2072 | 2504 | Nitro Generator.exe | schtasks.exe
  PID 2504 wrote to memory of 2072 | 2504 | Nitro Generator.exe | schtasks.exe
  PID 2504 wrote to memory of 2072 | 2504 | Nitro Generator.exe | schtasks.exe
  PID 356 wrote to memory of 300 | 356 | taskeng.exe | svchost
  PID 356 wrote to memory of 300 | 356 | taskeng.exe | svchost
  PID 356 wrote to memory of 300 | 356 | taskeng.exe | svchost
  PID 356 wrote to memory of 1652 | 356 | taskeng.exe | svchost
  PID 356 wrote to memory of 1652 | 356 | taskeng.exe | svchost
  PID 356 wrote to memory of 1652 | 356 | taskeng.exe | svchost
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\Nitro Generator v1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Nitro Generator v1.exe"
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2912

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAaQBuACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGYAYQB6ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASQBuAHYAYQBsAGkAZAAgAE8AUwAgAFQAeQBwAGUAIAB4ADgANgAsACAAPwA/AD8APwA/ACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwBzAG0AdgAjAD4A"
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2888

    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAYwBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAegBjACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAcAB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAYQBmACMAPgA="
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2536

    [2] C:\Users\Admin\AppData\Local\Temp\NitroGen.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\NitroGen.exe"
        - Executes dropped EXE
        PID: 2376

    [2] C:\Windows\Nitro Generator.exe
        Command line: "C:\Windows\Nitro Generator.exe"
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 2504

        [3] C:\Windows\System32\schtasks.exe
            Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost"
            - Scheduled Task/Job: Scheduled Task
            PID: 2072

[1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {8DBD58ED-AD28-40D6-90C3-D7053C731BEB} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
    - Suspicious use of WriteProcessMemory
    PID: 356

    [2] C:\ProgramData\svchost
        Command line: C:\ProgramData\svchost
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        PID: 300

    [2] C:\ProgramData\svchost
        Command line: C:\ProgramData\svchost
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        PID: 1652
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 180792358c1f1b6cb9af0cecfa83087c
  SHA1: 91d3e9e6c9f5050b910de3588bf2ef027c465eaf
  SHA256: 1134edb33019281abee55820bb499cf9263696cff06282507336305ff50b55bb
  SHA512: 463d1ddd0ec3065a05d6fe52835c59242862e29c183ec14c942daf6785d1c667bd85cb9b57f4198f80f7882b27b7d480e0eb56f78350ba3283b949fda65e2c40
- Filesize: 77KB
  MD5: 8bbf53c41f2625a3c4e608ad13cb2c55
  SHA1: 3335287d42f6e674eb1d4465949e02d262bb8391
  SHA256: ae5a9dec7624bf30d8b8f9659dd6969973969a88933790fedff2f5717745e299
  SHA512: 9c568dff7a8cbeb26997fdb17c7cc1c2a1fc3d060cf83fdbf1a5b994da8e04cf2e03a2f6a5406005d8edd77d3a497617f89c9cc2575b76c0ac0f0ceef97b60ec
- MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- Filesize: 139KB
  MD5: 16c70bc93e70148d8e32877fb69c5163
  SHA1: 9997631ad75d02297a4c7a06c37db115a0a1c0ec
  SHA256: b0c0ffb63ae352291b03770b081847a349f1c221a6f3a0cca1570050261f9f3d
  SHA512: 02242bdaa7b78378d3f8fc85f6a9d51eb8672a348c718ac4483dcddcf061994d8dc7dc8ead58a0b6903d44d9dc06ff17e4782598f25ac5e4ffd8a528a05373dd