Analysis

  • max time kernel
    94s
  • max time network
    100s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-06-2024 22:58

General

  • Target

    Nitro Generator.exe

  • Size

    219KB

  • MD5

    4ab66456fa03810ce18ec3ddef076ded

  • SHA1

    c0c758df2b2eb5d5703bdbe41cc6d0953af4c657

  • SHA256

    6e832a90c7406c44e2dc752954c437b04a2a510d3325a3e69bcca0a942cfc294

  • SHA512

    4edd73f4aaab6092e5ac9d7564b4ef4efd8d50367f76db34309d9c72e8e935d02e909c31fd3179ef02bba3a33d9d78cea79edea7bb888ca15451cf18aacc77b4

  • SSDEEP

    6144:stSVFtbPbryEOgNeFN/9pPD+blkEAQGY5SYQTJhWSOn3oAb:smbDGEtc7rr+blkEAQGvY0Xfk9

Malware Config

Extracted

Family

xworm

C2

runderscore00-25851.portmap.host:25851

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nitro Generator.exe
    "C:\Users\Admin\AppData\Local\Temp\Nitro Generator.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2680
    • C:\ProgramData\SaveNitroCodes.exe
      "C:\ProgramData\SaveNitroCodes.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4172
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4812
    • C:\ProgramData\NitroGen.exe
      "C:\ProgramData\NitroGen.exe"
      2⤵
      • Executes dropped EXE
      PID:3492
  • C:\ProgramData\svchost
    C:\ProgramData\svchost
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2676
  • C:\ProgramData\svchost
    C:\ProgramData\svchost
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4452

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\NitroGen.exe

    Filesize

    139KB

    MD5

    16c70bc93e70148d8e32877fb69c5163

    SHA1

    9997631ad75d02297a4c7a06c37db115a0a1c0ec

    SHA256

    b0c0ffb63ae352291b03770b081847a349f1c221a6f3a0cca1570050261f9f3d

    SHA512

    02242bdaa7b78378d3f8fc85f6a9d51eb8672a348c718ac4483dcddcf061994d8dc7dc8ead58a0b6903d44d9dc06ff17e4782598f25ac5e4ffd8a528a05373dd

  • C:\ProgramData\SaveNitroCodes.exe

    Filesize

    62KB

    MD5

    00c32ab73202fbbeeb8b1c4c11331a46

    SHA1

    9e35253c5f3fa7251697fdeb9c845f02418204b1

    SHA256

    435d9e9f707f1f84b404461b4910b6292709fa28900623e35d6416200eedc39b

    SHA512

    bbfc662e5c13384ddde066b52617fc53c429b31cd96eea2907d0a82edd1e89dbd2b84554cf758d08dd26b24a9c801399a1d62221332f98a07902e925653689c5

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.log

    Filesize

    654B

    MD5

    2ff39f6c7249774be85fd60a8f9a245e

    SHA1

    684ff36b31aedc1e587c8496c02722c6698c1c4e

    SHA256

    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

    SHA512

    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

  • memory/2680-26-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp

    Filesize

    10.8MB

  • memory/2680-2-0x0000000003020000-0x000000000305C000-memory.dmp

    Filesize

    240KB

  • memory/2680-0-0x00007FFBF81B3000-0x00007FFBF81B5000-memory.dmp

    Filesize

    8KB

  • memory/2680-28-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp

    Filesize

    10.8MB

  • memory/2680-1-0x0000000000E60000-0x0000000000E9E000-memory.dmp

    Filesize

    248KB

  • memory/4172-25-0x0000000000210000-0x0000000000226000-memory.dmp

    Filesize

    88KB

  • memory/4172-27-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp

    Filesize

    10.8MB

  • memory/4172-30-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp

    Filesize

    10.8MB

  • memory/4172-34-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp

    Filesize

    10.8MB

  • memory/4172-35-0x00007FFBF81B0000-0x00007FFBF8C71000-memory.dmp

    Filesize

    10.8MB