Analysis
- max time kernel: 15s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 24-08-2024 15:28
Static task: static1
Behavioral task: behavioral1
- Sample: Nitro Generator.exe
- Resource: win7-20240708-en
General
- Target: Nitro Generator.exe
- Size: 7.0MB
- MD5: 578cf37a2b1464b471e606d46521e699
- SHA1: 9cd998a5ba37d738616f4145a90826e914d02a7c
- SHA256: 101e7be71c1ef5b6c772b7e6f2374d5d9bd2f55f8c1cbd051fe504e9610ce2ee
- SHA512: e45c97e3c9879490be5237201b2f1138ee18bd7bd84354f9a0356bd21989f14d3603fda78caec19596e4fcc6843fddb1c1754a95b456ddf464d14696f0f19e7c
- SSDEEP: 196608:uQ+qtlxOZzcFVZ9+PKoAULcEcOIHmCXK:ulqZOpcPZIPZLccIo
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    2180  main.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    1864  Nitro Generator.exe
    2180  main.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description  ioc                                                          process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Nitro Generator.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  main.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                       pid   process              target process
    PID 1864 wrote to memory of 2180  1864  Nitro Generator.exe  main.exe
    PID 1864 wrote to memory of 2180  1864  Nitro Generator.exe  main.exe
    PID 1864 wrote to memory of 2180  1864  Nitro Generator.exe  main.exe
    PID 1864 wrote to memory of 2180  1864  Nitro Generator.exe  main.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Nitro Generator.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Nitro Generator.exe"
  Depth: 1
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1864
  - C:\Users\Admin\AppData\Local\Temp\onefile_1864_133689869183390000\main.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Nitro Generator.exe"
    Depth: 2
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 2180
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4.8MB
  MD5: 01dad4bcbf2d93c294ec789cead86c81
  SHA1: 68983bb44bd719bb8b68ef6653eecb5e274bac53
  SHA256: 4c70503cd8ec785604eae405d0e59aaf649b6a62d284deccebeaa51da47d6c6c
  SHA512: 4f2f06f7fcee7291794e674b7033f6777a7605e475b771598ec5d247e483944c4d92967c3b86d84b828b2415e457198f667183609cf39ec8f8ce177c285847cb
- Filesize: 11.8MB
  MD5: fe881dbd608450f02a03bd30cf4f9c6a
  SHA1: 8200652ae003860d6a8b56680821cedda70ded3b
  SHA256: 188878f5fbe1f06203d60a08f6abc3495f0187907eda787c4c3e12c2a73de03f
  SHA512: af8c785cf08df429b558c97b5b86507ad5dbad7bed2474317012f05a365ad487a3a57c70ff17f8e57c9ca00aee0265f746a4eb1e42f806f122cfdd7d52f1f137