Analysis

max time kernel: 148s
max time network: 150s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 21-06-2024 23:04
Behavioral tasks

- behavioral1: sample Nitro Generator.exe, resource win7-20231129-en
- behavioral2: sample Nitro Generator.exe, resource win10-20240404-en
- behavioral3: sample Nitro Generator.exe, resource win10v2004-20240508-en
- behavioral4: sample Nitro Generator.exe, resource win11-20240419-en
General

Target: Nitro Generator.exe
Size: 77KB
MD5: 8bbf53c41f2625a3c4e608ad13cb2c55
SHA1: 3335287d42f6e674eb1d4465949e02d262bb8391
SHA256: ae5a9dec7624bf30d8b8f9659dd6969973969a88933790fedff2f5717745e299
SHA512: 9c568dff7a8cbeb26997fdb17c7cc1c2a1fc3d060cf83fdbf1a5b994da8e04cf2e03a2f6a5406005d8edd77d3a497617f89c9cc2575b76c0ac0f0ceef97b60ec
SSDEEP: 1536:KRF0u1pqSjRVjnnsT5zYYPwRIH7I7AFbgwOLYP0og1KMwEnO8oBoRF:Kz0KprsT5zYY+IH7I7AFbgTK0omFjnOI
Malware Config

Extracted
family: xworm
host: runderscore00-25851.portmap.host:25851
Install_directory: %ProgramData%
install_file: USB.exe
Signatures

Detect Xworm Payload (5 IoCs)
resource / yara_rule:
- behavioral1/memory/2988-1-0x0000000000CB0000-0x0000000000CCA000-memory.dmp: family_xworm
- C:\ProgramData\svchost: family_xworm
- behavioral1/memory/2648-9-0x0000000000FA0000-0x0000000000FBA000-memory.dmp: family_xworm
- behavioral1/memory/592-14-0x0000000000060000-0x000000000007A000-memory.dmp: family_xworm
- behavioral1/memory/576-16-0x0000000000F20000-0x0000000000F3A000-memory.dmp: family_xworm

Drops startup file (2 IoCs)
description / ioc / process:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk (Nitro Generator.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk (Nitro Generator.exe)

Executes dropped EXE (3 IoCs)
pid / process:
- 2648 svchost
- 592 svchost
- 576 svchost

Adds Run key to start application (2 TTPs, 1 IoC)
description / ioc / process:
- Set value (str): \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost" (Nitro Generator.exe)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow / ioc:
- flow 4: ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (1 IoC)
pid / process:
- 2988 Nitro Generator.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description / pid / process:
- Token: SeDebugPrivilege, 2988 Nitro Generator.exe
- Token: SeDebugPrivilege, 2988 Nitro Generator.exe
- Token: SeDebugPrivilege, 2648 svchost
- Token: SeDebugPrivilege, 592 svchost
- Token: SeDebugPrivilege, 576 svchost

Suspicious use of SetWindowsHookEx (1 IoC)
pid / process:
- 2988 Nitro Generator.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description / pid / process / target process:
- PID 2988 wrote to memory of 2892: Nitro Generator.exe -> schtasks.exe (reported 3 times)
- PID 2504 wrote to memory of 2648: taskeng.exe -> svchost (reported 3 times)
- PID 2504 wrote to memory of 592: taskeng.exe -> svchost (reported 3 times)
- PID 2504 wrote to memory of 576: taskeng.exe -> svchost (reported 3 times)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\Nitro Generator.exe (PID 2988)
command line: "C:\Users\Admin\AppData\Local\Temp\Nitro Generator.exe"
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

    C:\Windows\System32\schtasks.exe (PID 2892, child of 2988)
    command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost"
    - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\taskeng.exe (PID 2504)
command line: taskeng.exe {54A29E1F-4D0A-43FE-9CD1-5761805AE9EE} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
- Suspicious use of WriteProcessMemory

    C:\ProgramData\svchost (PID 2648, child of 2504)
    command line: C:\ProgramData\svchost
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

    C:\ProgramData\svchost (PID 592, child of 2504)
    command line: C:\ProgramData\svchost
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

    C:\ProgramData\svchost (PID 576, child of 2504)
    command line: C:\ProgramData\svchost
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads

Filesize: 77KB
MD5: 8bbf53c41f2625a3c4e608ad13cb2c55
SHA1: 3335287d42f6e674eb1d4465949e02d262bb8391
SHA256: ae5a9dec7624bf30d8b8f9659dd6969973969a88933790fedff2f5717745e299
SHA512: 9c568dff7a8cbeb26997fdb17c7cc1c2a1fc3d060cf83fdbf1a5b994da8e04cf2e03a2f6a5406005d8edd77d3a497617f89c9cc2575b76c0ac0f0ceef97b60ec