Analysis

  • max time kernel
    105s
  • max time network
    51s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-06-2024 23:03

General

  • Target

    Nitro Generator v1.exe

  • Size

    225KB

  • MD5

    a2da88430b3dd46d547cd75126ecee69

  • SHA1

    c41229461c4b6ddc695c8a01940e76a0f0b930b7

  • SHA256

    c95d4d86a71f2b53bf73a48d9b04f924f2527c7886b7db877b2d339ecda9ef12

  • SHA512

    c3dcfa26d3c2a10f5ac58cd22f2c5bf5fbb986c11a43a547e0ea1f4ac016819de46bfadab6d111e83c2c9f572285a7f3ea4e275944ef7c16bf98426283fac859

  • SSDEEP

    3072:LVAzYZD5kDzAgXKnj8meFDm8Zk5WFEw2zlXPcARAK4Mtx1Nnva/Vk5uAOcU3aQg7:LVBZ+DsfnwmlMkQEaARV4MT6dY9Mg59

Malware Config

Extracted

Family

xworm

C2

runderscore00-25851.portmap.host:25851

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nitro Generator v1.exe
    "C:\Users\Admin\AppData\Local\Temp\Nitro Generator v1.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4068
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAaQBuACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGYAYQB6ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASQBuAHYAYQBsAGkAZAAgAE8AUwAgAFQAeQBwAGUAIAB4ADgANgAsACAAPwA/AD8APwA/ACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwBzAG0AdgAjAD4A"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2816
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAYwBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAegBjACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAcAB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAYQBmACMAPgA="
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3180
    • C:\Users\Admin\AppData\Local\Temp\NitroGen.exe
      "C:\Users\Admin\AppData\Local\Temp\NitroGen.exe"
      2⤵
      • Executes dropped EXE
      PID:1000
    • C:\Windows\Nitro Generator.exe
      "C:\Windows\Nitro Generator.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3772
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2724
  • C:\ProgramData\svchost
    C:\ProgramData\svchost
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:464
  • C:\ProgramData\svchost
    C:\ProgramData\svchost
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3432

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.log

    Filesize

    654B

    MD5

    2ff39f6c7249774be85fd60a8f9a245e

    SHA1

    684ff36b31aedc1e587c8496c02722c6698c1c4e

    SHA256

    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

    SHA512

    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    e1d7973fb9071815b4241da5ec0dfb6a

    SHA1

    41f06afbd0ac9f9a0b226a2dd6fa9495d83209b9

    SHA256

    b3953ac9f5752d996ec2545864d6ccf09ffe4b0f84f41a2cc52a95ad8103212b

    SHA512

    66163114aba8867561ceac2124bc2060c351cb4a83c4f8d40bc6bfd8042881690ea8152e2b58ec55b4b6de17e1610642c90df602e1fb2658b4c3d0783f3a0900

  • C:\Users\Admin\AppData\Local\Temp\NitroGen.exe

    Filesize

    139KB

    MD5

    16c70bc93e70148d8e32877fb69c5163

    SHA1

    9997631ad75d02297a4c7a06c37db115a0a1c0ec

    SHA256

    b0c0ffb63ae352291b03770b081847a349f1c221a6f3a0cca1570050261f9f3d

    SHA512

    02242bdaa7b78378d3f8fc85f6a9d51eb8672a348c718ac4483dcddcf061994d8dc7dc8ead58a0b6903d44d9dc06ff17e4782598f25ac5e4ffd8a528a05373dd

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cyac3gp5.zx5.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Windows\Nitro Generator.exe

    Filesize

    77KB

    MD5

    8bbf53c41f2625a3c4e608ad13cb2c55

    SHA1

    3335287d42f6e674eb1d4465949e02d262bb8391

    SHA256

    ae5a9dec7624bf30d8b8f9659dd6969973969a88933790fedff2f5717745e299

    SHA512

    9c568dff7a8cbeb26997fdb17c7cc1c2a1fc3d060cf83fdbf1a5b994da8e04cf2e03a2f6a5406005d8edd77d3a497617f89c9cc2575b76c0ac0f0ceef97b60ec

  • memory/2816-56-0x000001FDF3A20000-0x000001FDF3C3C000-memory.dmp

    Filesize

    2.1MB

  • memory/2816-14-0x00007FFD614D0000-0x00007FFD61F91000-memory.dmp

    Filesize

    10.8MB

  • memory/2816-15-0x00007FFD614D0000-0x00007FFD61F91000-memory.dmp

    Filesize

    10.8MB

  • memory/2816-57-0x00007FFD614D0000-0x00007FFD61F91000-memory.dmp

    Filesize

    10.8MB

  • memory/2816-13-0x00007FFD614D0000-0x00007FFD61F91000-memory.dmp

    Filesize

    10.8MB

  • memory/2816-12-0x000001FDF39A0000-0x000001FDF39C2000-memory.dmp

    Filesize

    136KB

  • memory/3180-52-0x000001EDE9FB0000-0x000001EDEA1CC000-memory.dmp

    Filesize

    2.1MB

  • memory/3772-38-0x0000000000850000-0x000000000086A000-memory.dmp

    Filesize

    104KB

  • memory/4068-39-0x00007FFD614D0000-0x00007FFD61F91000-memory.dmp

    Filesize

    10.8MB

  • memory/4068-2-0x00007FFD614D0000-0x00007FFD61F91000-memory.dmp

    Filesize

    10.8MB

  • memory/4068-1-0x00000000002A0000-0x00000000002DE000-memory.dmp

    Filesize

    248KB

  • memory/4068-0-0x00007FFD614D3000-0x00007FFD614D5000-memory.dmp

    Filesize

    8KB