Analysis

max time kernel: 94s
max time network: 100s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 21-06-2024 22:58
Static task: static1

Behavioral task: behavioral1
  Sample: Nitro Generator.exe
  Resource: win10-20240404-en

Behavioral task: behavioral2
  Sample: Nitro Generator.exe
  Resource: win10v2004-20240508-en

Behavioral task: behavioral3
  Sample: Nitro Generator.exe
  Resource: win11-20240611-en
General

Target: Nitro Generator.exe
Size: 219KB
MD5: 4ab66456fa03810ce18ec3ddef076ded
SHA1: c0c758df2b2eb5d5703bdbe41cc6d0953af4c657
SHA256: 6e832a90c7406c44e2dc752954c437b04a2a510d3325a3e69bcca0a942cfc294
SHA512: 4edd73f4aaab6092e5ac9d7564b4ef4efd8d50367f76db34309d9c72e8e935d02e909c31fd3179ef02bba3a33d9d78cea79edea7bb888ca15451cf18aacc77b4
SSDEEP: 6144:stSVFtbPbryEOgNeFN/9pPD+blkEAQGY5SYQTJhWSOn3oAb:smbDGEtc7rr+blkEAQGvY0Xfk9
Malware Config

Extracted: xworm
  C2: runderscore00-25851.portmap.host:25851
  Install_directory: %ProgramData%
  install_file: USB.exe
Signatures

Detect Xworm Payload (2 IoCs)
Resources matched by YARA rule:
  C:\ProgramData\SaveNitroCodes.exe  ->  family_xworm
  behavioral2/memory/4172-25-0x0000000000210000-0x0000000000226000-memory.dmp  ->  family_xworm
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Processes:
  Key value queried  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation  (Nitro Generator.exe)
  Key value queried  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation  (SaveNitroCodes.exe)
Drops startup file (2 IoCs)
Processes:
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk  (SaveNitroCodes.exe)
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk  (SaveNitroCodes.exe)
Executes dropped EXE (4 IoCs)
Processes:
  PID 4172  SaveNitroCodes.exe
  PID 3492  NitroGen.exe
  PID 2676  svchost
  PID 4452  svchost
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  Set value (str)  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost"  (SaveNitroCodes.exe)
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows:
  flow 2  ip-api.com
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  PID 4172  SaveNitroCodes.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  Token: SeDebugPrivilege  PID 4172  SaveNitroCodes.exe
  Token: SeDebugPrivilege  PID 4172  SaveNitroCodes.exe
  Token: SeDebugPrivilege  PID 2676  svchost
  Token: SeDebugPrivilege  PID 4452  svchost
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  PID 4172  SaveNitroCodes.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  PID 2680 (Nitro Generator.exe) wrote to memory of PID 4172 (SaveNitroCodes.exe)
  PID 2680 (Nitro Generator.exe) wrote to memory of PID 4172 (SaveNitroCodes.exe)
  PID 2680 (Nitro Generator.exe) wrote to memory of PID 3492 (NitroGen.exe)
  PID 2680 (Nitro Generator.exe) wrote to memory of PID 3492 (NitroGen.exe)
  PID 4172 (SaveNitroCodes.exe) wrote to memory of PID 4812 (schtasks.exe)
  PID 4172 (SaveNitroCodes.exe) wrote to memory of PID 4812 (schtasks.exe)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\Nitro Generator.exe  (PID 2680)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Nitro Generator.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\SaveNitroCodes.exe  (PID 4172)
    Command line: "C:\ProgramData\SaveNitroCodes.exe"
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\schtasks.exe  (PID 4812)
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost"
      - Scheduled Task/Job: Scheduled Task

  C:\ProgramData\NitroGen.exe  (PID 3492)
    Command line: "C:\ProgramData\NitroGen.exe"
    - Executes dropped EXE

C:\ProgramData\svchost  (PID 2676)
  Command line: C:\ProgramData\svchost
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\ProgramData\svchost  (PID 4452)
  Command line: C:\ProgramData\svchost
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
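The process tree above records all three persistence mechanisms this run uses: a schtasks job that re-launches C:\ProgramData\svchost every minute with the highest run level, a Run-key value of the same name, and a svchost.lnk in the user's Startup folder. The following is an added example, not part of the sandbox report or the Xworm sample: a small triage helper that re-derives those findings from raw events. The event records are constructed from the values in this report; the (kind, process, detail) record layout is an assumption, and the last record is a benign control (a real svchost.exe launched from System32) that must not alert.

```python
"""Re-derive the persistence findings from this run's raw events.

Added example, not part of the sandbox report. Event records below are
constructed from the values in the report; the (kind, process, detail)
layout is an assumption.
"""
import ntpath  # Windows path handling regardless of host OS
import re

# Constructed from this report. The last record is a benign control that must
# not alert: a real svchost.exe launched from System32.
EVENTS = [
    ("process", "SaveNitroCodes.exe",
     r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
     r'/tn "svchost" /tr "C:\ProgramData\svchost"'),
    ("registry_set", "SaveNitroCodes.exe",
     r'\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000'
     r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost"'),
    ("file_create", "SaveNitroCodes.exe",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk"),
    ("process", "services.exe", r"C:\Windows\System32\svchost.exe -k netsvcs"),
]

# Names of Windows system binaries that malware likes to borrow.
SYSTEM_NAMES = {"svchost", "svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe"}


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(cmdline):
    """Return schtasks.exe switches as {switch: value}, or None if not schtasks."""
    toks = tokenize(cmdline)
    if not toks or ntpath.basename(toks[0]).lower() != "schtasks.exe":
        return None
    opts, i = {}, 1
    while i < len(toks):
        key = toks[i].lower().lstrip("/")
        has_val = i + 1 < len(toks) and not toks[i + 1].startswith("/")
        opts[key] = toks[i + 1] if has_val else ""
        i += 2 if has_val else 1
    return opts


def is_masquerading(path):
    """True for a system-binary name running from outside C:\\Windows."""
    p = path.lower()
    return ntpath.basename(p) in SYSTEM_NAMES and not p.startswith("c:\\windows\\")


def find_persistence(events):
    """Return (technique, process, artefact, note) for each persistence event."""
    findings = []
    for kind, proc, detail in events:
        if kind == "process":
            opts = parse_schtasks(detail)
            if opts is None or "create" not in opts:
                continue
            target = opts.get("tr", "")
            reasons = []
            if opts.get("sc", "").lower() == "minute":
                reasons.append(f"re-runs every {opts.get('mo') or '1'} minute(s)")
            if opts.get("rl", "").upper() == "HIGHEST":
                reasons.append("requests highest run level")
            if is_masquerading(target):
                reasons.append("task binary masquerades as a system process outside C:\\Windows")
            if reasons:
                findings.append(("T1053.005 Scheduled Task", proc, target, "; ".join(reasons)))
        elif kind == "registry_set":
            key, _, value = detail.partition(" = ")
            if "\\currentversion\\run\\" in key.lower():
                # The report renders the value as a quoted string with doubled
                # backslashes; normalise it back to a plain path.
                target = value.strip('"').replace("\\\\", "\\")
                findings.append(("T1547.001 Registry Run Key", proc, target,
                                 f"value name {ntpath.basename(key)}"))
        elif kind == "file_create":
            if "\\start menu\\programs\\startup\\" in detail.lower():
                findings.append(("T1547.001 Startup Folder", proc, detail,
                                 f"dropped {ntpath.basename(detail)}"))
    return findings


if __name__ == "__main__":
    for technique, proc, artefact, note in find_persistence(EVENTS):
        print(f"{technique:32} {proc:20} {artefact}")
        print(f"{'':32} {note}")
```

The task name alone is a weak signal, since "svchost" is also a legitimate process name; what separates this run from the benign control is the combination of a system-binary name with a target path under C:\ProgramData (user-writable, outside C:\Windows), a one-minute trigger, and /RL HIGHEST. The same masquerade check applies to the Run-key value and the .lnk, which all point at the same dropped file.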
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads

Filesize: 139KB
MD5: 16c70bc93e70148d8e32877fb69c5163
SHA1: 9997631ad75d02297a4c7a06c37db115a0a1c0ec
SHA256: b0c0ffb63ae352291b03770b081847a349f1c221a6f3a0cca1570050261f9f3d
SHA512: 02242bdaa7b78378d3f8fc85f6a9d51eb8672a348c718ac4483dcddcf061994d8dc7dc8ead58a0b6903d44d9dc06ff17e4782598f25ac5e4ffd8a528a05373dd

Filesize: 62KB
MD5: 00c32ab73202fbbeeb8b1c4c11331a46
SHA1: 9e35253c5f3fa7251697fdeb9c845f02418204b1
SHA256: 435d9e9f707f1f84b404461b4910b6292709fa28900623e35d6416200eedc39b
SHA512: bbfc662e5c13384ddde066b52617fc53c429b31cd96eea2907d0a82edd1e89dbd2b84554cf758d08dd26b24a9c801399a1d62221332f98a07902e925653689c5

Filesize: 654B
MD5: 2ff39f6c7249774be85fd60a8f9a245e
SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1