xenorat | f452d308667d9c6dff85c5d17ad8a791a9b2d4a8ecd4d976b2213888d79063e5

Resubmissions

10-08-2024 04:31

240810-e5qb7swcmq 10

10-08-2024 00:54

240810-a9en2ssang 10

10-08-2024 00:33

240810-av8zcaxbqn 10

Analysis

max time kernel
118s
max time network
118s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
10-08-2024 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nitro_Gen.exe
Size

42.5MB
MD5

7fc35dab36cbce9c5e3272232e561ddb
SHA1

f2f8c41c6e486269f20a989a70172ec57faef1ee
SHA256

f452d308667d9c6dff85c5d17ad8a791a9b2d4a8ecd4d976b2213888d79063e5
SHA512

f63f925397f37fd96a959129f49bb9de81b0eeaf0a20ac323d6d8a03fe1c02496b9624044bb889bc9892e24b9df870ab3a1c1f01a12bbe23df23a7418a4ba8c3
SSDEEP

393216:Z1Du8BtuBw2FEL3Z3aLUoQvo6LP/SgbSpYvKEh1EdKwlGQKPJuGsiTfREsrgCYfb:ZMguj8Q4VfvZqFTrYwIrRy19dLY1E

Score

10^/10

xenorat discovery pyinstaller rat trojan

Malware Config

Extracted

Family

xenorat

76.109.192.116

Mutex

Nitro-Gen

Attributes

delay
5000
install_path
appdata
port
4444
startup_name
Nitro

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Executes dropped EXE 13 IoCs

pid	Process
4572	i6abzj.exe
3840	sszu4g.exe
4780	sszu4g.exe
4620	i6abzj.exe
720	70f55.exe
4604	ldlond.exe
2336	70f55.exe
4080	ldlond.exe
4704	liye59.exe
4136	liye59.exe
4040	i5p9ir5.exe
2908	i5p9ir5.exe
3732	i6abzj.exe

Loads dropped DLL 51 IoCs

pid	Process
4780	sszu4g.exe
4780	sszu4g.exe
4780	sszu4g.exe
4780	sszu4g.exe
4780	sszu4g.exe
4780	sszu4g.exe
4780	sszu4g.exe
4780	sszu4g.exe
4780	sszu4g.exe
4780	sszu4g.exe
4780	sszu4g.exe
4780	sszu4g.exe
4780	sszu4g.exe
4780	sszu4g.exe
4780	sszu4g.exe
4780	sszu4g.exe
4780	sszu4g.exe
4080	ldlond.exe
4080	ldlond.exe
4080	ldlond.exe
4080	ldlond.exe
4080	ldlond.exe
4080	ldlond.exe
4080	ldlond.exe
4080	ldlond.exe
4080	ldlond.exe
4080	ldlond.exe
4080	ldlond.exe
4080	ldlond.exe
4080	ldlond.exe
4080	ldlond.exe
4080	ldlond.exe
4080	ldlond.exe
4080	ldlond.exe
2908	i5p9ir5.exe
2908	i5p9ir5.exe
2908	i5p9ir5.exe
2908	i5p9ir5.exe
2908	i5p9ir5.exe
2908	i5p9ir5.exe
2908	i5p9ir5.exe
2908	i5p9ir5.exe
2908	i5p9ir5.exe
2908	i5p9ir5.exe
2908	i5p9ir5.exe
2908	i5p9ir5.exe
2908	i5p9ir5.exe
2908	i5p9ir5.exe
2908	i5p9ir5.exe
2908	i5p9ir5.exe
2908	i5p9ir5.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000400000002aa8d-7.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	liye59.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i5p9ir5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i6abzj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ldlond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i6abzj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70f55.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	liye59.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sszu4g.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sszu4g.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i6abzj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ldlond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70f55.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i5p9ir5.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings	taskmgr.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1484	schtasks.exe
2488	schtasks.exe
1076	schtasks.exe
3644	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1588	taskmgr.exe
Token: SeSystemProfilePrivilege	1588	taskmgr.exe
Token: SeCreateGlobalPrivilege	1588	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe
1588	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 3324	4876	Nitro_Gen.exe	79
PID 4876 wrote to memory of 3324	4876	Nitro_Gen.exe	79
PID 4876 wrote to memory of 2700	4876	Nitro_Gen.exe	81
PID 4876 wrote to memory of 2700	4876	Nitro_Gen.exe	81
PID 3324 wrote to memory of 4572	3324	cmd.exe	80
PID 3324 wrote to memory of 4572	3324	cmd.exe	80
PID 3324 wrote to memory of 4572	3324	cmd.exe	80
PID 2700 wrote to memory of 3840	2700	cmd.exe	82
PID 2700 wrote to memory of 3840	2700	cmd.exe	82
PID 2700 wrote to memory of 3840	2700	cmd.exe	82
PID 3840 wrote to memory of 4780	3840	sszu4g.exe	83
PID 3840 wrote to memory of 4780	3840	sszu4g.exe	83
PID 3840 wrote to memory of 4780	3840	sszu4g.exe	83
PID 4572 wrote to memory of 4620	4572	i6abzj.exe	84
PID 4572 wrote to memory of 4620	4572	i6abzj.exe	84
PID 4572 wrote to memory of 4620	4572	i6abzj.exe	84
PID 4780 wrote to memory of 388	4780	sszu4g.exe	85
PID 4780 wrote to memory of 388	4780	sszu4g.exe	85
PID 4780 wrote to memory of 388	4780	sszu4g.exe	85
PID 4780 wrote to memory of 4628	4780	sszu4g.exe	86
PID 4780 wrote to memory of 4628	4780	sszu4g.exe	86
PID 4780 wrote to memory of 4628	4780	sszu4g.exe	86
PID 4780 wrote to memory of 2964	4780	sszu4g.exe	87
PID 4780 wrote to memory of 2964	4780	sszu4g.exe	87
PID 4780 wrote to memory of 2964	4780	sszu4g.exe	87
PID 4780 wrote to memory of 2128	4780	sszu4g.exe	88
PID 4780 wrote to memory of 2128	4780	sszu4g.exe	88
PID 4780 wrote to memory of 2128	4780	sszu4g.exe	88
PID 4620 wrote to memory of 1076	4620	i6abzj.exe	89
PID 4620 wrote to memory of 1076	4620	i6abzj.exe	89
PID 4620 wrote to memory of 1076	4620	i6abzj.exe	89
PID 4012 wrote to memory of 3904	4012	Nitro_Gen.exe	96
PID 4012 wrote to memory of 3904	4012	Nitro_Gen.exe	96
PID 3904 wrote to memory of 720	3904	cmd.exe	97
PID 3904 wrote to memory of 720	3904	cmd.exe	97
PID 3904 wrote to memory of 720	3904	cmd.exe	97
PID 4012 wrote to memory of 492	4012	Nitro_Gen.exe	98
PID 4012 wrote to memory of 492	4012	Nitro_Gen.exe	98
PID 492 wrote to memory of 4604	492	cmd.exe	99
PID 492 wrote to memory of 4604	492	cmd.exe	99
PID 492 wrote to memory of 4604	492	cmd.exe	99
PID 720 wrote to memory of 2336	720	70f55.exe	100
PID 720 wrote to memory of 2336	720	70f55.exe	100
PID 720 wrote to memory of 2336	720	70f55.exe	100
PID 4604 wrote to memory of 4080	4604	ldlond.exe	101
PID 4604 wrote to memory of 4080	4604	ldlond.exe	101
PID 4604 wrote to memory of 4080	4604	ldlond.exe	101
PID 4080 wrote to memory of 2208	4080	ldlond.exe	102
PID 4080 wrote to memory of 2208	4080	ldlond.exe	102
PID 4080 wrote to memory of 2208	4080	ldlond.exe	102
PID 4080 wrote to memory of 276	4080	ldlond.exe	103
PID 4080 wrote to memory of 276	4080	ldlond.exe	103
PID 4080 wrote to memory of 276	4080	ldlond.exe	103
PID 4080 wrote to memory of 2328	4080	ldlond.exe	104
PID 4080 wrote to memory of 2328	4080	ldlond.exe	104
PID 4080 wrote to memory of 2328	4080	ldlond.exe	104
PID 4080 wrote to memory of 4460	4080	ldlond.exe	105
PID 4080 wrote to memory of 4460	4080	ldlond.exe	105
PID 4080 wrote to memory of 4460	4080	ldlond.exe	105
PID 2336 wrote to memory of 3644	2336	70f55.exe	106
PID 2336 wrote to memory of 3644	2336	70f55.exe	106
PID 2336 wrote to memory of 3644	2336	70f55.exe	106
PID 1868 wrote to memory of 3560	1868	Nitro_Gen.exe	110
PID 1868 wrote to memory of 3560	1868	Nitro_Gen.exe	110

C:\Users\Admin\AppData\Local\Temp\Nitro_Gen.exe
"C:\Users\Admin\AppData\Local\Temp\Nitro_Gen.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Windows\system32\cmd.exe
  cmd.exe /d /c call C:\Users\Admin\AppData\Local\Temp\i6abzj.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3324
- - C:\Users\Admin\AppData\Local\Temp\i6abzj.exe
    C:\Users\Admin\AppData\Local\Temp\i6abzj.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4572
  - - C:\Users\Admin\AppData\Roaming\XenoManager\i6abzj.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\i6abzj.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4620
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /TN "Nitro" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF3E5.tmp" /F
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1076
- C:\Windows\system32\cmd.exe
  cmd.exe /d /c call C:\Users\Admin\AppData\Local\Temp\sszu4g.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Users\Admin\AppData\Local\Temp\sszu4g.exe
    C:\Users\Admin\AppData\Local\Temp\sszu4g.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3840
  - - C:\Users\Admin\AppData\Local\Temp\sszu4g.exe
      C:\Users\Admin\AppData\Local\Temp\sszu4g.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4780
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:388
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c title NitroGen v1.3 ~ Made by viben#6633 [Menu]
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4628
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2964
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c title Nitro Gen v1.3 ~ Made by viben#6633 [Generator]
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2128

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\Nitro_Gen.exe
"C:\Users\Admin\AppData\Local\Temp\Nitro_Gen.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4012
- C:\Windows\system32\cmd.exe
  cmd.exe /d /c call C:\Users\Admin\AppData\Local\Temp\70f55.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3904
- - C:\Users\Admin\AppData\Local\Temp\70f55.exe
    C:\Users\Admin\AppData\Local\Temp\70f55.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:720
  - - C:\Users\Admin\AppData\Roaming\XenoManager\70f55.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\70f55.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2336
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /TN "Nitro" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5D6D.tmp" /F
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3644
- C:\Windows\system32\cmd.exe
  cmd.exe /d /c call C:\Users\Admin\AppData\Local\Temp\ldlond.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:492
- - C:\Users\Admin\AppData\Local\Temp\ldlond.exe
    C:\Users\Admin\AppData\Local\Temp\ldlond.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4604
  - - C:\Users\Admin\AppData\Local\Temp\ldlond.exe
      C:\Users\Admin\AppData\Local\Temp\ldlond.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4080
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c title NitroGen v1.3 ~ Made by viben#6633 [Menu]
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:276
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2328
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c title Nitro Gen v1.3 ~ Made by viben#6633 [Generator + Checker]
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4460

C:\Users\Admin\AppData\Local\Temp\Nitro_Gen.exe
"C:\Users\Admin\AppData\Local\Temp\Nitro_Gen.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Windows\system32\cmd.exe
  cmd.exe /d /c call C:\Users\Admin\AppData\Local\Temp\liye59.exe
  2⤵
  PID:3560
- - C:\Users\Admin\AppData\Local\Temp\liye59.exe
    C:\Users\Admin\AppData\Local\Temp\liye59.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4704
  - - C:\Users\Admin\AppData\Roaming\XenoManager\liye59.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\liye59.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4136
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /TN "Nitro" /XML "C:\Users\Admin\AppData\Local\Temp\tmp84BB.tmp" /F
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1484
- C:\Windows\system32\cmd.exe
  cmd.exe /d /c call C:\Users\Admin\AppData\Local\Temp\i5p9ir5.exe
  2⤵
  PID:4688
- - C:\Users\Admin\AppData\Local\Temp\i5p9ir5.exe
    C:\Users\Admin\AppData\Local\Temp\i5p9ir5.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4040
  - - C:\Users\Admin\AppData\Local\Temp\i5p9ir5.exe
      C:\Users\Admin\AppData\Local\Temp\i5p9ir5.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2908
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4760
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c title NitroGen v1.3 ~ Made by viben#6633 [Menu]
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4804
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1636
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c title Nitro Gen v1.3 ~ Made by viben#6633 [Generator + Checker]
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1204

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1588

C:\Users\Admin\AppData\Roaming\XenoManager\i6abzj.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\i6abzj.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3732
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /Create /TN "Nitro" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD35.tmp" /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2488

C:\Windows\System32\54bn-c.exe
"C:\Windows\System32\54bn-c.exe"
1⤵
PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI38402\MSVCP140.dll

Filesize
426KB

MD5
8ff1898897f3f4391803c7253366a87b

SHA1
9bdbeed8f75a892b6b630ef9e634667f4c620fa0

SHA256
51398691feef7ae0a876b523aec47c4a06d9a1ee62f1a0aee27de6d6191c68ad

SHA512
cb071ad55beaa541b5baf1f7d5e145f2c26fbee53e535e8c31b8f2b8df4bf7723f7bef214b670b2c3de57a4a75711dd204a940a2158939ad72f551e32da7ab03

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38402\VCRUNTIME140.dll

Filesize
84KB

MD5
ae96651cfbd18991d186a029cbecb30c

SHA1
18df8af1022b5cb188e3ee98ac5b4da24ac9c526

SHA256
1b372f064eacb455a0351863706e6326ca31b08e779a70de5de986b5be8069a1

SHA512
42a58c17f63cf0d404896d3b4bb16b2c9270cc2192aa4c9be265ed3970dfc2a4115e1db08f35c39e403b4c918be4ed7d19d2e2e015cb06b33d26a6c6521556e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38402\_brotli.cp38-win32.pyd

Filesize
780KB

MD5
458267b5b318d7baf74d286ade22718b

SHA1
52ecce4f0e84ad5b85f53c570fb095adb9093747

SHA256
f1feb3e509c3927788cb0bf16a217c8c0b7ade68f0e6170c4aa1bc0d614041a6

SHA512
1aa7379c950a4218332221d7d46a89053dab3434511bf0c6f72e6b1eeaa8b667a0c356ea3b27725651777c43dc8c44003e6caaaef3121e4ab47b9870814bdee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38402\_bz2.pyd

Filesize
72KB

MD5
7f8dc5e22155dfaeeee837bee907f960

SHA1
9d03bd1120fd67cb4a2a6e42707c3ecc95d56a31

SHA256
f2eaab5894a666556a6ec0f7b430deb30cdcdb534e822cda8c789435d3834535

SHA512
ac4ae9f88dbebdd6619be62252275260f476bec5765644de279dadf9f10437ebec526d833fbaae70686de1ef65fc574659191c2c8050df96b7ff7ff3fb51f80c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38402\_ctypes.pyd

Filesize
109KB

MD5
e7f1c92338eb9964ea5922de823abcb8

SHA1
ae5719b87f4f6b3cdaacd6e43f5bf101e492adc0

SHA256
497cf76470349d3cb601e1fe66c8e08f7570cfb0d25e15c3d94aae84280dba58

SHA512
0fe48e6c7596c226d031a1c2966270589b939b54a316e44856054a933be052d5084afc4c1a9d8314aa1cf0e15cc777747645741f3efea3016a41248c01d8fc14

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38402\_hashlib.pyd

Filesize
36KB

MD5
13e5639aa1732db7f8fd9c2820cced10

SHA1
5f9799b1a16bbdb337766b42b9828f8da1f55e75

SHA256
b54e3474472fd318e0d94b9115238dca43c457e6253f06f92d2604df14d8247d

SHA512
f4abc90e5f6ea1b204265e91f22978ca8eb04c8ce9bef5d558becadb1b6116c769d7e3401b9396438c85f5decf88b79fd8114f6054541228c753494660a949d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38402\_lzma.pyd

Filesize
181KB

MD5
b1abe0da66ec97e4aff97f1bd5203434

SHA1
c3bd39814c4f01b57a442da50ed515e7dfd05a8a

SHA256
ee4f276ec7f0b34acd38361023173d6113d97a7de17d28a4fbbd286fe5ce2f28

SHA512
47556e4c65aa04853520c92fdb1f88bb03ab7f4478bfc60e15186f6109cf659e68d458a7b1090a063a0f771c6eb835582464a646456d9e7f82534854c74f83b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38402\_queue.pyd

Filesize
24KB

MD5
b9dc46c4d8f7640c75baba109d9569bb

SHA1
3188e695eef3e0bbcf50b13a507dc87b2284c998

SHA256
151315638f893e81d9e724615cb2e97f31d7a1aaff3c5d598094206332c78e2b

SHA512
4cb320b9639393afff2c8b955b3ab059bfd6590b3b3e02ddf9dee55a15e345ebea1387c367e7ab49c75be861cd7a4bdbe6c29c11bf0ea1c8350327bad31b221c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38402\_socket.pyd

Filesize
67KB

MD5
6f71a76bb3c8da44c671f23b4b78f901

SHA1
444e2d7d167dbe387317a1f52396c9ccab40ee49

SHA256
9cb6bb684c2d475c60a94d3f789cae6e662901ea408e18ac4bc34cba0baffeed

SHA512
f1346f5f83717218d1d2517c022d69cb246ff01d88cbf72443b6b06545eef2fe1ff77859e2a87915fc55925847777d1721abc7085a0d81226b3356916b8871eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38402\_ssl.pyd

Filesize
108KB

MD5
38a431e39fe4502ebbc7a17bcb519240

SHA1
5f9990e47b03a35707639047839ad215af7cb82c

SHA256
91225559138228aaadf83d77c92835b080bbcbcc17c190c6ef7bb9d23cc17595

SHA512
cc8c635471b2ae18d1c3962812b30b1ca6d4187595bc941ca84c18028f46c3f75c9a6d66afceb75b1f454884c5a012f97d8d995a55d60b493d381bb827413c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38402\base_library.zip

Filesize
775KB

MD5
f38a879dd5ed3f790c5e9f8ecb50806d

SHA1
1573dcb23d5cc62bc7c84ced408f7a9b8aa5282a

SHA256
a302c9de9089600ed3067d485fb341b7d6854ae807463c439d5ba1d66b9757c6

SHA512
06bba13d775acfb2c8ce186bd309039f5331acb57bd3b0ee8a2413175d3890a8334b214c797c93371e5d1548f00936f94c7467c3b0f7ecabdfbb3dac7b33f8cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38402\libcrypto-1_1.dll

Filesize
2.1MB

MD5
67c1ea1b655dbb8989a55e146761c202

SHA1
aecc6573b0e28f59ea8fdd01191621dda6f228ed

SHA256
541adbc9654d967491d11359a0e4ad4972d2bd25f260476dd7576c576478698a

SHA512
1c7612c03df85b596dc360c1a94e367d8bfba51f651b49c598e4a066a693d9aa74195a40cc849ef787eac9b6e1e1fc079b389c03fc539e53abf4aa729bef5893

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38402\libffi-7.dll

Filesize
28KB

MD5
bc20614744ebf4c2b8acd28d1fe54174

SHA1
665c0acc404e13a69800fae94efd69a41bdda901

SHA256
0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57

SHA512
0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38402\libssl-1_1.dll

Filesize
524KB

MD5
9417e0d677e0f8b08398fcd57dccbafd

SHA1
569e82788ff8206e3a43c8653d6421d456ff2a68

SHA256
db16853dbc64f045ae2a972f7605a6f192d09b79cae86fd93b8434fa7d9e031f

SHA512
b7dfd0b265c19d97518e638e4fcc19db3031382cda05c2cbb8965651ceadaa0f68f9d4dd62d542b2c9ef33d9703d50f4d74eb8b9f4918130895ef17feff2f6cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38402\python38.dll

Filesize
3.7MB

MD5
97d893cd2879f8e9a6bc8a35d203b2f4

SHA1
68ddf1e3a98e080c4ef2c9d241a31dee6aec240b

SHA256
6e7ed993131a5beb3b96736320bafb83a063d3043015bf2b14eea6601a414ab8

SHA512
30804c88389b54a6119c7c134af315330afb234d743b51acbb25f11d2aec3400c7498e918294f4497e49ebf7ddac557509847d785d58fe9cd381a3fbf8eb9378

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38402\select.pyd

Filesize
23KB

MD5
e6969a95ca8b62725206ebef19af0371

SHA1
60bfcad0dd79267793c3b8ff109a98c4201ffc18

SHA256
3f177ee6d35f0dbeb0f0719f4e20404abe6a101c375ab6d27fcd28aa846def2c

SHA512
ae45e272f4b0207dc8720681932641b53379a8b4d1ee7c878ce7804cc475069812d8dcd8689dc6383911b51af272801dbce6b076aaf60f5287c2bacbce8d95e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI38402\unicodedata.pyd

Filesize
1.0MB

MD5
d40589a59a706d6ff0d95a1b9a5acc0f

SHA1
7a23501a1c5d2d2d300c1496f3a6e455f47769d3

SHA256
b4829151d38443389cb6af2371df4f44e3e9e217b8c7051519d365d5d107e557

SHA512
48158c1dd1b880e33ac409581f79d69197ddfc7b8ae8ee4ea758e9d14563ad6eadaa844db2eb28bf70994a6f196319bb5614fb13fe9d9ec4f33f78c6d24146c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\i6abzj.exe

Filesize
45KB

MD5
56eba89e64e5a1b084569b5e3dab1a81

SHA1
b2dcde4265801d9e95504a7082b491712fed2a60

SHA256
154c006d3e76366f7ae2a018b1057c72a300ea7cbd1c47723a1ba4f5f50b67e1

SHA512
14a58d893874dc354b88389d5ed9806477ff5c2331d2159ede39bf6517d7c571e69ea8bea1aafb964a39d4d09a0b5765046ca88c78e0f9f827d417ad082ce9a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sszu4g.exe

Filesize
6.7MB

MD5
d0c36409ceed9b71c38828f8ce0c8d7f

SHA1
d8e7bcaa6efd38fd99b634a6fa0b4dfc567a6fa0

SHA256
f4e646b5ff58c1c1f8de1888f1315f8953c59388060141c6f2ab07a4331b157b

SHA512
4eaebde47ff5b2b7222fdf1c9eb9b62e88424a5a9dfb0c9bdc31d639a6c23c45b6954df6fcccd1c0e6f045d0e91fdc7bf8e89c588ac2d6c12828a4c552764034

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF3E5.tmp

Filesize
1KB

MD5
d5454fb3d5dd6cce95138d85b47b828f

SHA1
bea0b4c5e9a7095c69c58091ff565503c7d6c3ad

SHA256
ec066d4655a488dd1bf3c087652fb0a1cd1b7c1b7ed0af48852bca9d241ad12b

SHA512
94a901c4232d4cbf57509e6b40b07a6abea395b3d3d8f9873b3996c9d2f3d1ea6edc33d9ba60810ef934985d3deb961397230539496e984cdcc94d9b6c0f367c

Download Submit
memory/1588-206-0x0000021342260000-0x0000021342261000-memory.dmp

Filesize
4KB

Download
memory/1588-200-0x0000021342260000-0x0000021342261000-memory.dmp

Filesize
4KB

Download
memory/1588-202-0x0000021342260000-0x0000021342261000-memory.dmp

Filesize
4KB

Download
memory/1588-201-0x0000021342260000-0x0000021342261000-memory.dmp

Filesize
4KB

Download
memory/1588-212-0x0000021342260000-0x0000021342261000-memory.dmp

Filesize
4KB

Download
memory/1588-211-0x0000021342260000-0x0000021342261000-memory.dmp

Filesize
4KB

Download
memory/1588-210-0x0000021342260000-0x0000021342261000-memory.dmp

Filesize
4KB

Download
memory/1588-209-0x0000021342260000-0x0000021342261000-memory.dmp

Filesize
4KB

Download
memory/1588-208-0x0000021342260000-0x0000021342261000-memory.dmp

Filesize
4KB

Download
memory/1588-207-0x0000021342260000-0x0000021342261000-memory.dmp

Filesize
4KB

Download
memory/4572-25-0x00000000748EE000-0x00000000748EF000-memory.dmp

Filesize
4KB

Download
memory/4572-29-0x0000000000FE0000-0x0000000000FF2000-memory.dmp

Filesize
72KB

Download