Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-08-2024 18:27

General

  • Target

    NitroGenerator.exe

  • Size

    7.0MB

  • MD5

    578cf37a2b1464b471e606d46521e699

  • SHA1

    9cd998a5ba37d738616f4145a90826e914d02a7c

  • SHA256

    101e7be71c1ef5b6c772b7e6f2374d5d9bd2f55f8c1cbd051fe504e9610ce2ee

  • SHA512

    e45c97e3c9879490be5237201b2f1138ee18bd7bd84354f9a0356bd21989f14d3603fda78caec19596e4fcc6843fddb1c1754a95b456ddf464d14696f0f19e7c

  • SSDEEP

    196608:uQ+qtlxOZzcFVZ9+PKoAULcEcOIHmCXK:ulqZOpcPZIPZLccIo

Malware Config

Signatures

  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

  • SectopRAT payload 2 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 18 IoCs
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt to gather information about the system language of a victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NitroGenerator.exe
    "C:\Users\Admin\AppData\Local\Temp\NitroGenerator.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2492
    • C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\main.exe
      C:\Users\Admin\AppData\Local\Temp\NitroGenerator.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4824
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\file.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4836
        • C:\Users\Admin\AppData\Local\Temp\file.exe
          C:\Users\Admin\AppData\Local\Temp\file.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3340

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd

    Filesize

    79KB

    MD5

    fba68bf5c0074a51901b87e26a8c8f97

    SHA1

    2866d58bfbb19c1a629baebc00ef7a6debb9e1fe

    SHA256

    f2f775916f24d7b949b68d460fd34cdc86825f542b3d6207733b84106cb43e2e

    SHA512

    66b55a4ff7ed51e5997285f20fb585ea33dd48e7156d5e0d826bb37bf473a43116d19d1295cbb58f1e6e833f34a91e6550c893c6bc89f895273d785982920f05

  • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

    Filesize

    105KB

    MD5

    113cec4cffb5a6c47c1c53052897e6a2

    SHA1

    c84947efa0b8290a4baae63ad1d5db98ef88fb1f

    SHA256

    157f928b0bf79b7cab8f67b5ccaefee6cfd81e8d417eac77ac830b173488f997

    SHA512

    843af159051e08010ee5bd71c0aa8580149402a65584eb325df304099bcc9149faf29085bb6d81346edd8744a1e8dc3d3cf437f79d53a6feb83d3f59577e9b08

  • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd

    Filesize

    145KB

    MD5

    8b4d78b1bd4795f786125c8032cd7018

    SHA1

    01ac050850aa60167936ce7963b349407e60a803

    SHA256

    03da5f3cfbd22c024bc30623123d6eb200d8cd51fd6911a26dba9c6bd742dfdc

    SHA512

    697f1f480c4f490c74ba959bfa22a5ac169fda450cc7a062054ce192394976e8de403b10102de4498a3aec97f456fa777ab270879e828451622f112aeb41c6c4

  • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_queue.pyd

    Filesize

    28KB

    MD5

    cf015a78b6aaeeb4d03484f4085ebe9e

    SHA1

    2f08f97b4435d57846f7e9ff247acfd5784ba93e

    SHA256

    1cc522afa8efd21280af65ac3015c1439cc6654ecc88053dd76a491ec1a3fbe4

    SHA512

    aafa8f2c5817ac256c9e3e197c813cdcffbe936b4826797face8566a05dc19a68bed9ae7047d3f5a06408ad3e42459325e77266d606fcf827287940e7e250d51

  • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

    Filesize

    67KB

    MD5

    5a15ebc6fea692994aebf7a33eb9537a

    SHA1

    cd701822370b4837cb64a964ffc9a2a39b49412d

    SHA256

    f819d0444aeff705aea0f011f3787a04220f426eef0130a899b84d4848f78627

    SHA512

    628f7232ad358647e1d4ce2d19a200c184ffe3f0d0f387fb3473169bb0c4594dd380b59887d59fdaff1a36a6a15e7953356eef828f8dd3fcf422414f88a2efe8

  • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd

    Filesize

    153KB

    MD5

    6238633c459e1e2af10f9cb33162eee8

    SHA1

    5b20757caddfd79b8080dd8978b1e092b3ef54e8

    SHA256

    b48adf6f1286a0f2dd8a4442fe8a2200db7addd8400dfe99080556f815d40cff

    SHA512

    db59fd425c7f51f85f9988cdc739d6590803efed2d013c0222a6c9c36fc464479a35366c0b3ba573de601a36a68ae50fd27a6b6fa5b41e86a72fa8f5f37c9670

  • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\certifi\cacert.pem

    Filesize

    284KB

    MD5

    181ac9a809b1a8f1bc39c1c5c777cf2a

    SHA1

    9341e715cea2e6207329e7034365749fca1f37dc

    SHA256

    488ba960602bf07cc63f4ef7aec108692fec41820fc3328a8e3f3de038149aee

    SHA512

    e19a92b94aedcf1282b3ef561bd471ea19ed361334092c55d72425f9183ebd1d30a619e493841b6f75c629f26f28dc682960977941b486c59475f21cf86fff85

  • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-3.dll

    Filesize

    3.3MB

    MD5

    2e9277a5dd088949086d450da0e5f4e8

    SHA1

    c939886464bb65dc4667d8e477d97a619eadddfc

    SHA256

    7de51a1913ca3b10027f83d99ccccb166d6a3c06ca5d6358f260342dbacdbf6a

    SHA512

    9f16c77cd90e1b6657f3d2cbd131273bf24becff01c198690ebadb2c454e3f84b88a7e9c6fecdb7f564e1aa99a5583bbd1933e5db408efce3a9095776fa1a056

  • C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-3.dll

    Filesize

    620KB

    MD5

    8b8fb5ec8d5fca88463bb9ad9fa23344

    SHA1

    cbc26ffca78f03b146c84925749029ca2777b30a

    SHA256

    b777ccc04c05ca5b0a6ff68e6c46ad9837dc02311ee132ad6a81910f4a1ed54f

    SHA512

    3763752732822b80622d5260745313575993f535b1fed49434483b644009eb09ab91a1a7f32df22ada477d873ddb0726e0ab5e9416b08fa70e6446d8e981104d

  • C:\Users\Admin\AppData\Local\Temp\file.exe

    Filesize

    4.5MB

    MD5

    9fc140cadd49c639ccdc22cd217fbca2

    SHA1

    b660df2d1919b96c45a16f46deacbdf74d3393cc

    SHA256

    82eba2779dd22e900353319c02d81b027fd5681419decfeb433f71300618f8b7

    SHA512

    0d004f815e10398e08bb065e7902dd1a83b45723093058fd0fb2a6bac9698fec193c03e148949b221154c2c604af6f9964e5be613925b5d919ecb1b562da7abf

  • C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\VCRUNTIME140.dll

    Filesize

    88KB

    MD5

    17f01742d17d9ffa7d8b3500978fc842

    SHA1

    2da2ff031da84ac8c2d063a964450642e849144d

    SHA256

    70dd90f6ee01854cecf18b1b6d1dfbf30d33c5170ba07ad8b64721f0bdcc235e

    SHA512

    c4e617cd808e48cc803343616853adf32b7f2e694b5827392219c69145a43969384d2fc67fa6fa0f5af1ca449eb4932004fbcdd394a5ba092212412b347586f0

  • C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\_hashlib.pyd

    Filesize

    48KB

    MD5

    d1c86bcaf38f2c155fa04009591de420

    SHA1

    d5677ffb8bdb48e3690aa33b84c25c9ac76a5051

    SHA256

    c6cb5b01ac5f2c18d99540960855bef93ef177557c3d73cb8599186d4a08c130

    SHA512

    9ca6e41d875e87be8ebb71991b7d48831eb1a9b742de834bf779bf7e3e38e11063a94c420151be46a064a59bcb8d55b373ee17a2ad2a14737d9c9d5b3662eb26

  • C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\charset_normalizer\md.pyd

    Filesize

    8KB

    MD5

    5242622c9818ff5572c08d3f9f96ea07

    SHA1

    f4c53ef8930a2975335182ad9b6c6a2ab3851362

    SHA256

    85f6e0b522d54459e7d24746054d26ba35ea4cc8505a3dd74a2bf5590f9f40fc

    SHA512

    c2ef2a5632eb42b00756bee9ffb00e382cbc1b0c6578243f3f1fe48eff18a1033187a5d7bf8bda4d9cf8d6cb4131ca37c47d8238ff264e1b1c496b16740b79a7

  • C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\charset_normalizer\md__mypyc.pyd

    Filesize

    98KB

    MD5

    ca6309d94f4136c058a244044c890d89

    SHA1

    49424c3eba17a4675a469326b6a5f10f6c14ba88

    SHA256

    b65e4644d0cdc01f5076fe9b7548ffd047ae143087b8ab3cbe0a1dc24fdbf00d

    SHA512

    ec2329db2378350ec27d742ed649df3fb81b1b2dfb24ed4cd8c274852742809c571f28a960f8907f04ec515c1960c2111880fbeecacfd04dea439a4d116f225b

  • C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\libffi-8.dll

    Filesize

    34KB

    MD5

    74d2b5e0120a6faae57042a9894c4430

    SHA1

    592f115016a964b7eb42860b589ed988e9fff314

    SHA256

    b982741576a050860c3f3608c7b269dbd35ab296429192b8afa53f1f190069c0

    SHA512

    f3c62f270488d224e24e29a078439736fa51c9ac7b0378dd8ac1b6987c8b8942a0131062bd117977a37046d4b1488f0f719f355039692bc21418fdfbb182e231

  • C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\main.exe

    Filesize

    11.8MB

    MD5

    fe881dbd608450f02a03bd30cf4f9c6a

    SHA1

    8200652ae003860d6a8b56680821cedda70ded3b

    SHA256

    188878f5fbe1f06203d60a08f6abc3495f0187907eda787c4c3e12c2a73de03f

    SHA512

    af8c785cf08df429b558c97b5b86507ad5dbad7bed2474317012f05a365ad487a3a57c70ff17f8e57c9ca00aee0265f746a4eb1e42f806f122cfdd7d52f1f137

  • C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\python311.dll

    Filesize

    4.8MB

    MD5

    01dad4bcbf2d93c294ec789cead86c81

    SHA1

    68983bb44bd719bb8b68ef6653eecb5e274bac53

    SHA256

    4c70503cd8ec785604eae405d0e59aaf649b6a62d284deccebeaa51da47d6c6c

    SHA512

    4f2f06f7fcee7291794e674b7033f6777a7605e475b771598ec5d247e483944c4d92967c3b86d84b828b2415e457198f667183609cf39ec8f8ce177c285847cb

  • C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\select.pyd

    Filesize

    26KB

    MD5

    1b9bb917bf3d56a711c0dc5098eb3be6

    SHA1

    b7951787cc9037259b01ff5b5462cfcdac2f1c9b

    SHA256

    2af9f8340f380b51dc0673d5e458caf3e56f3a395f6884962c71f9293391c70b

    SHA512

    058c28af566d3344d91f0428a228cd30f52ff7275c35371ddc677c3620160e3164ec34037f7901c39aa0392bd5fea17961d2d7ab93974c661831dd0dc076ebc1

  • C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\unicodedata.pyd

    Filesize

    1.1MB

    MD5

    ba07111d13d9dcd451b333a9127d4ac6

    SHA1

    cd50441104257153819b647b2ecf6e7be0f0d802

    SHA256

    d3dce2bf827156d0b94a78059f1c2504e8337b90b23f758a125fa38e047fe684

    SHA512

    450f23012b0ef4bf19e3db0ffdf768428bf58bccd262ea1e26346e231d510e4da9201a09d5c3a7f4638f7ffeaf5ed517548f90ba73b77ce69497b33a7a01c8a8

  • C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\zstandard\backend_c.pyd

    Filesize

    421KB

    MD5

    85fc4bf48a5131557c86ac1d171ba367

    SHA1

    22a0432770f274baa6387416211e16610d62f2a2

    SHA256

    152f92483f12da67df378b1ea8c1b8500dcf600435f763932647352c8fd79724

    SHA512

    dcc0caeb0efab08f9a86ff1ced0b752f2a4ba885c99e0c3a794862056a63ea03a72c2d8869b19dcc3b0e3b5e3b257bcf7176b59e3700d4f635356defddd32cac

  • memory/2492-63-0x0000000000FA0000-0x00000000016D3000-memory.dmp

    Filesize

    7.2MB

  • memory/3340-76-0x0000000076630000-0x0000000076720000-memory.dmp

    Filesize

    960KB

  • memory/3340-90-0x0000000000400000-0x000000000103A000-memory.dmp

    Filesize

    12.2MB

  • memory/3340-71-0x0000000000400000-0x000000000103A000-memory.dmp

    Filesize

    12.2MB

  • memory/3340-72-0x0000000076650000-0x0000000076651000-memory.dmp

    Filesize

    4KB

  • memory/3340-75-0x0000000076630000-0x0000000076720000-memory.dmp

    Filesize

    960KB

  • memory/3340-74-0x0000000076630000-0x0000000076720000-memory.dmp

    Filesize

    960KB

  • memory/3340-73-0x0000000076630000-0x0000000076720000-memory.dmp

    Filesize

    960KB

  • memory/3340-97-0x0000000076630000-0x0000000076720000-memory.dmp

    Filesize

    960KB

  • memory/3340-78-0x0000000076630000-0x0000000076720000-memory.dmp

    Filesize

    960KB

  • memory/3340-77-0x0000000076630000-0x0000000076720000-memory.dmp

    Filesize

    960KB

  • memory/3340-79-0x0000000076630000-0x0000000076720000-memory.dmp

    Filesize

    960KB

  • memory/3340-81-0x0000000000400000-0x000000000103A000-memory.dmp

    Filesize

    12.2MB

  • memory/3340-82-0x0000000000400000-0x000000000103A000-memory.dmp

    Filesize

    12.2MB

  • memory/3340-83-0x0000000005710000-0x0000000005D28000-memory.dmp

    Filesize

    6.1MB

  • memory/3340-94-0x0000000076630000-0x0000000076720000-memory.dmp

    Filesize

    960KB

  • memory/3340-86-0x00000000055A0000-0x00000000055B2000-memory.dmp

    Filesize

    72KB

  • memory/3340-87-0x00000000055C0000-0x00000000055FC000-memory.dmp

    Filesize

    240KB

  • memory/3340-88-0x0000000005620000-0x000000000566C000-memory.dmp

    Filesize

    304KB

  • memory/3340-89-0x0000000005DE0000-0x0000000005EEA000-memory.dmp

    Filesize

    1.0MB

  • memory/3340-93-0x0000000076630000-0x0000000076720000-memory.dmp

    Filesize

    960KB

  • memory/3340-91-0x0000000076650000-0x0000000076651000-memory.dmp

    Filesize

    4KB

  • memory/3340-92-0x0000000076630000-0x0000000076720000-memory.dmp

    Filesize

    960KB

  • memory/4824-66-0x00000000002B0000-0x0000000000E88000-memory.dmp

    Filesize

    11.8MB

  • memory/4824-85-0x00000000002B0000-0x0000000000E88000-memory.dmp

    Filesize

    11.8MB

  • memory/4824-64-0x00000000002B0000-0x0000000000E88000-memory.dmp

    Filesize

    11.8MB