Analysis
-
max time kernel
141s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
26/07/2024, 15:52
General
-
Target
https://github.com/sapperalfaboy7/nitrogen-v3/releases/tag/Download
Malware Config
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Program crash 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 58 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\sihost.exesihost.exe1⤵
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/sapperalfaboy7/nitrogen-v3/releases/tag/Download1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffce37046f8,0x7ffce3704708,0x7ffce37047182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,4771538217526027958,9048395708364696838,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,4771538217526027958,9048395708364696838,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,4771538217526027958,9048395708364696838,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4771538217526027958,9048395708364696838,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4771538217526027958,9048395708364696838,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,4771538217526027958,9048395708364696838,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,4771538217526027958,9048395708364696838,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4771538217526027958,9048395708364696838,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4771538217526027958,9048395708364696838,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4771538217526027958,9048395708364696838,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4771538217526027958,9048395708364696838,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,4771538217526027958,9048395708364696838,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5620 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4771538217526027958,9048395708364696838,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,4771538217526027958,9048395708364696838,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6232 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,4771538217526027958,9048395708364696838,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1304 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\NitroGen\" -spe -an -ai#7zMap15346:78:7zEvent56361⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding1⤵
-
C:\Users\Admin\Downloads\NitroGen\nitro.exe"C:\Users\Admin\Downloads\NitroGen\nitro.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5972 -s 6163⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5972 -s 6083⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 5972 -ip 59721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5972 -ip 59721⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\StructuredQuery.log1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5c00b0d6e0f836dfa596c6df9d3b2f8f2
SHA169ad27d9b4502630728f98917f67307e9dd12a30
SHA256578481cd359c669455e24983b13723c25584f58925b47283cb580019ef3142b1
SHA5120e098ab5f5772fec17880e228a0dccbbaa06dc1af14e0fd827f361599c61899fe07d612a7f7b049ff6661d27fdc495566dd20fc28ceed022b87c212bf00be5da
-
Filesize
152B
MD554f1b76300ce15e44e5cc1a3947f5ca9
SHA1c978bfaa6ec6dae05464c6426eaa6cb3c3e2f3b7
SHA25643dec5d87b7ee892a3d99cb61f772ba403882ac0772423f36034e84244c1ca24
SHA512ac26e5676c675be329eb62b5d5a36a0e6014ab8a6366684b0fc2a59ae5f061f596f462b82eb4e9f135d2235a0cbd4af96680d234eecc873a8397fd81507d277a
-
Filesize
1KB
MD558b807ebf769cdf858643f42860459e5
SHA1026efffd83c3b018757d56befbc1a1b8e453df53
SHA25642edab2af68e37ca22fa65b18390499f587892900ea49bbc22398f16afe0ac54
SHA512df1db7fb1fbeaea24f6bc2e0e53a2ffdc67a732bf7c50a4ca126c1d6ad1ecf5b7dc10cca56322f9d5d025dc98c4a16f1468c7d75f495d677b78dfb886b7c5c39
-
Filesize
111B
MD5807419ca9a4734feaf8d8563a003b048
SHA1a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
-
Filesize
496B
MD52ff4b0a28cbb1d79ad892d29eff5a289
SHA1610ad5f22ba0b14005becaf3fe50512ed011fde4
SHA2568684f55e8c85397e73ab1714db4ea03eacbd1299de8cd35bef22c687ea791785
SHA512f91f60d325396329c1b6bc944b317b2a0d67f92c9dab1dd91a114054b1674ede3adb28319acdeb6d254c3a51ab8b016afbc42bf7665015e8f70038ce77434189
-
Filesize
5KB
MD54da0bc7cf63ed2446f7c905bb01fa8c9
SHA1cae73bff50b9d30f30246bd904b8090942daba58
SHA25670ea0ceb39670034aa4a60159500ccb3c26479ec88414c931d9c2e69d774a100
SHA5129bc1c0fc90c73ce7ce623aadce0da808278c4fb9fb0514acfd3faaef2446e2a599661aef0c1651216673d696ecb98edc59e14cdf22866b42715eb3aae12dfdec
-
Filesize
6KB
MD5b877fcc1f03b4f88b40fb4df930b679d
SHA187c1362029f4c1a7e4725ef576b17cca8a384dde
SHA256ed976aa144eb5759efbd96cfb15d295232f9d37e57d50b00f947eba6c0d6eb33
SHA512281825d28028677fc812957a3f270ece60123a54464bb8631b7620d006298ac3ac6a1d8c10c12d7e30a250d761d78901caf2eecd798d6c0158be7957393bbf6d
-
Filesize
6KB
MD5201d6d7a7b1645c4a52d9b0aca351549
SHA103065a49b2aea502295e91d6f5e0960a7953c6a4
SHA256888248f02f979781b45a02a5e2897632c59fdd92656cab82f411820d99185e31
SHA5122855abc132d513fd126e7f6af64357e1cdf302a7df52815777eae416b75e7444de1324e3306be1d88e30331f88a14a3def5139344d70525b9f305b6bd7797d67
-
Filesize
874B
MD54b66a28f9c8c4014eee2e3aa4a7be5c5
SHA1f4c010d8dbfdae2bd7e2156115d91c41405932b9
SHA256fcf155822a6915ad626eb82a6ea6bb1c5e2e84d6282cb2cab5a8c265d26675c7
SHA512086fd294343477284c72f207158ce8c6fcffddfef9d97045058543b8cd7bcba0a0ce117de69ddf354ead0f774b58d569835375cf0d2e3d25e5baa2f46f29bab4
-
Filesize
874B
MD5923f9c6e7458c4a42114b802e74d34ea
SHA10dbd6d5ca5a61bc0522b6cffdf39eefc6568a025
SHA256c4a8484e37ac4bc24d820fd4d4afe2f2687cb30ed451522166957ab6dac0ffe0
SHA512ddc89650aabfbc273d772320287435eae0288681f71212996aef5a50086d22fa7b06da7231a5456823955a3d9ae741cd4a29c9ffe16065e9dd25ee75ef65ece0
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD517f837850fa6ea87dc1a5826d441a25b
SHA1f76597420affd3ee1b737a1117abd2e198ec2432
SHA256b805c8bbfb90305440d364e7c51bae249dff4fe29f9950b86a97175d201c4b49
SHA512ec427cb4e704aeb89b4b8961354af43eb7c99af3cc15b256e1e3290bd9be5ac8a58e6090b4897c58d10020ab2893383bc6dc0135c370db10d92b458390c4cf35
-
Filesize
11KB
MD51e9c7504187abe8e5ecc52005f88029d
SHA1e9dac5b9457f5c931fbfff0f4bd933ffdf65a46f
SHA2568ef6916df1462f3f850ae96367831ad8ad3a7e461cfa5079d84c5583656c8b9e
SHA512bac81b731448f10c16b821ffe7dcc92c35472fc8a4c620682a4d7cadb40428abb8760f455a68b111aeb38842562ed54408085a3ef97c5d4e9a4dc61e54543c6b
-
Filesize
448KB
MD5247e118fea545a3c2fe66e2f6cbb909e
SHA19b3111d641b4d298c1929bb854fe625dce04a31e
SHA256fb60104722bd3e978deb9f646a66c645669b56976f3860422151936945104b0d
SHA512339d33716e0906b40ec99e959f364681af828d9e4c6756955ca20d4bd309ce534e77593d9e662fbf15b848f480dcd6ca73d94407499b067e1984d0070af96078
-
Filesize
8.3MB
MD5ede1266566f1f5b72445b54fdd777871
SHA103174101545f6d9b39a39628c851ff217fbf23a2
SHA256587322c9740d55c91f25992cdfa74bea19ee360e2c435a2bc099f02605166dc6
SHA5125ee0d863d74d407b196ac3480e0921ef77c0c084a626e85cb0c16c2b09ef62c1d831debc87b4a0b6c5d7d71e3e778c7e5acad8d374eb922a55589f66794f2829
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
472KB
-
Filesize
436KB
-
Filesize
2.1MB
-
Filesize
2.0MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
436KB
-
Filesize
2.1MB
-
Filesize
2.0MB
-
Filesize
4.0MB
-
Filesize
36KB