Analysis
-
max time kernel
13s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system -
submitted
24-08-2024 18:27
Static task
static1
Behavioral task
behavioral1
Sample
NitroGenerator.exe
Resource
win7-20240704-en
General
-
Target
NitroGenerator.exe
-
Size
7.0MB
-
MD5
578cf37a2b1464b471e606d46521e699
-
SHA1
9cd998a5ba37d738616f4145a90826e914d02a7c
-
SHA256
101e7be71c1ef5b6c772b7e6f2374d5d9bd2f55f8c1cbd051fe504e9610ce2ee
-
SHA512
e45c97e3c9879490be5237201b2f1138ee18bd7bd84354f9a0356bd21989f14d3603fda78caec19596e4fcc6843fddb1c1754a95b456ddf464d14696f0f19e7c
-
SSDEEP
196608:uQ+qtlxOZzcFVZ9+PKoAULcEcOIHmCXK:ulqZOpcPZIPZLccIo
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
pid   process
2196  main.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid   process
3008  NitroGenerator.exe
2196  main.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description   ioc                                                            process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   NitroGenerator.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   main.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description                        pid   process             target process
PID 3008 wrote to memory of 2196   3008  NitroGenerator.exe  main.exe
PID 3008 wrote to memory of 2196   3008  NitroGenerator.exe  main.exe
PID 3008 wrote to memory of 2196   3008  NitroGenerator.exe  main.exe
PID 3008 wrote to memory of 2196   3008  NitroGenerator.exe  main.exe
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\NitroGenerator.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\NitroGenerator.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 3008
-
Level 2: C:\Users\Admin\AppData\Local\Temp\onefile_3008_133689976358714000\main.exe
Command line: C:\Users\Admin\AppData\Local\Temp\NitroGenerator.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 2196
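The Signatures and Processes sections above record the same three behaviours from different angles: the parent (PID 3008) drops main.exe into a per-run temp directory, starts it, writes into its memory four times, and both processes open the NLS\Language key. The directory name onefile_3008_133689976358714000 (onefile_<parent PID>_<timestamp>) is consistent with a Nuitka onefile bootstrap unpacking its payload; that is an inference from the path, not something the report states. The script below is an added example, not the sandbox vendor's rule code: it re-implements the three signatures that fired as matching logic over a constructed event stream built from the IoCs in the report. The event schema (dicts with a "type" field), the file_write event for main.exe and the parent PID 1000 are assumptions made so the example runs offline.

```python
"""
Re-implementation of the three signatures that fired in the report above
(Executes dropped EXE, System Language Discovery, Suspicious use of WriteProcessMemory)
as matching logic over a constructed event stream.  Added example, not sandbox code.
"""
import re
from collections import Counter
from typing import Dict, List

# Constructed event stream modelled on the report's IoCs (not a real log export).
# pid 3008 is NitroGenerator.exe (parent); pid 2196 is the extracted main.exe (child).
# The report lists main.exe under "Executes dropped EXE" but shows no write event,
# so the file_write below is an assumption added to make that signature checkable.
EVENTS: List[Dict] = [
    {"type": "process_start", "pid": 3008, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\NitroGenerator.exe"},
    {"type": "file_write", "pid": 3008,
     "path": r"C:\Users\Admin\AppData\Local\Temp\onefile_3008_133689976358714000\main.exe"},
    {"type": "reg_open", "pid": 3008,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"type": "process_start", "pid": 2196, "ppid": 3008,
     "image": r"C:\Users\Admin\AppData\Local\Temp\onefile_3008_133689976358714000\main.exe"},
    *[{"type": "write_process_memory", "pid": 3008, "target_pid": 2196} for _ in range(4)],
    {"type": "reg_open", "pid": 2196,
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    # A process writing its own memory is normal and must not be flagged.
    {"type": "write_process_memory", "pid": 2196, "target_pid": 2196},
]

# Matches the key under ControlSet001 or CurrentControlSet, any letter case.
NLS_LANGUAGE_KEY = re.compile(r"\\Control\\NLS\\Language$", re.IGNORECASE)

# ATT&CK Enterprise technique behind the language-discovery signature.
ATTACK_IDS = {"System Location Discovery: System Language Discovery": "T1614.001"}


def image_name(path: str) -> str:
    """Last path component, e.g. 'main.exe'."""
    return path.rsplit("\\", 1)[-1]


def process_table(events: List[Dict]) -> Dict[int, str]:
    """pid -> image name, taken from process_start events."""
    return {ev["pid"]: image_name(ev["image"]) for ev in events if ev["type"] == "process_start"}


def executes_dropped_exe(events: List[Dict]) -> List[Dict]:
    """Process starts whose image was written to disk earlier in the same trace."""
    dropped = set()
    hits = []
    for ev in events:  # ordered walk: the drop must precede the execution
        if ev["type"] == "file_write":
            dropped.add(ev["path"].lower())
        elif ev["type"] == "process_start" and ev["image"].lower() in dropped:
            hits.append({"pid": ev["pid"], "process": image_name(ev["image"])})
    return hits


def system_language_discovery(events: List[Dict], procs: Dict[int, str]) -> List[Dict]:
    """Registry opens of the NLS\\Language key (ATT&CK T1614.001), one IoC per open."""
    return [{"ioc": "Key opened " + ev["key"], "pid": ev["pid"], "process": procs.get(ev["pid"])}
            for ev in events
            if ev["type"] == "reg_open" and NLS_LANGUAGE_KEY.search(ev["key"])]


def suspicious_write_process_memory(events: List[Dict], procs: Dict[int, str]) -> List[Dict]:
    """Cross-process memory writes, one row per (writer, target) pair with a hit count."""
    counts = Counter((ev["pid"], ev["target_pid"]) for ev in events
                     if ev["type"] == "write_process_memory" and ev["pid"] != ev["target_pid"])
    return [{"pid": src, "process": procs.get(src), "target_pid": dst,
             "target_process": procs.get(dst), "count": n}
            for (src, dst), n in counts.items()]


def run_signatures(events: List[Dict]) -> Dict[str, List[Dict]]:
    """Evaluate all signatures; only those with at least one IoC appear in the result."""
    procs = process_table(events)
    results = {
        "Executes dropped EXE": executes_dropped_exe(events),
        "System Location Discovery: System Language Discovery": system_language_discovery(events, procs),
        "Suspicious use of WriteProcessMemory": suspicious_write_process_memory(events, procs),
    }
    return {name: hits for name, hits in results.items() if hits}


def ioc_count(report: Dict[str, List[Dict]]) -> Dict[str, int]:
    """Per-signature IoC totals, matching the '1 IoCs / 2 IoCs / 4 IoCs' figures above."""
    return {name: sum(h.get("count", 1) for h in hits) for name, hits in report.items()}


if __name__ == "__main__":
    report = run_signatures(EVENTS)
    for name, hits in report.items():
        print(f"{name} {ATTACK_IDS.get(name, '')} ({ioc_count(report)[name]} IoCs)")
        for h in hits:
            print("   ", h)
```

The ordered walk in executes_dropped_exe is the check that separates "ran an executable" from "ran an executable it wrote itself": the parent's own start is never flagged because no write precedes it, while main.exe is flagged because the drop into the onefile_ directory comes first. Grouping the memory writes by (writer, target) keeps the count of 4 from the report while reporting a single relationship to triage.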
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
4.8MB
MD5 01dad4bcbf2d93c294ec789cead86c81
SHA1 68983bb44bd719bb8b68ef6653eecb5e274bac53
SHA256 4c70503cd8ec785604eae405d0e59aaf649b6a62d284deccebeaa51da47d6c6c
SHA512 4f2f06f7fcee7291794e674b7033f6777a7605e475b771598ec5d247e483944c4d92967c3b86d84b828b2415e457198f667183609cf39ec8f8ce177c285847cb
-
Filesize
11.8MB
MD5 fe881dbd608450f02a03bd30cf4f9c6a
SHA1 8200652ae003860d6a8b56680821cedda70ded3b
SHA256 188878f5fbe1f06203d60a08f6abc3495f0187907eda787c4c3e12c2a73de03f
SHA512 af8c785cf08df429b558c97b5b86507ad5dbad7bed2474317012f05a365ad487a3a57c70ff17f8e57c9ca00aee0265f746a4eb1e42f806f122cfdd7d52f1f137