Analysis
max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted
24-08-2024 18:27
Static task
static1
Behavioral task
behavioral1
Sample
NitroGenerator.exe
Resource
win7-20240704-en
General
Target
NitroGenerator.exe
Size
7.0MB
MD5
578cf37a2b1464b471e606d46521e699
SHA1
9cd998a5ba37d738616f4145a90826e914d02a7c
SHA256
101e7be71c1ef5b6c772b7e6f2374d5d9bd2f55f8c1cbd051fe504e9610ce2ee
SHA512
e45c97e3c9879490be5237201b2f1138ee18bd7bd84354f9a0356bd21989f14d3603fda78caec19596e4fcc6843fddb1c1754a95b456ddf464d14696f0f19e7c
SSDEEP
196608:uQ+qtlxOZzcFVZ9+PKoAULcEcOIHmCXK:ulqZOpcPZIPZLccIo
Malware Config
Signatures
SectopRAT payload 2 IoCs
Processes:
resource  yara_rule
behavioral2/memory/3340-81-0x0000000000400000-0x000000000103A000-memory.dmp  family_sectoprat
behavioral2/memory/3340-82-0x0000000000400000-0x000000000103A000-memory.dmp  family_sectoprat
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  file.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description  ioc  process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  file.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  file.exe
Executes dropped EXE 2 IoCs
Processes:
pid  process
4824  main.exe
3340  file.exe
Loads dropped DLL 18 IoCs
Processes:
pid  process
4824  main.exe  (one entry per loaded DLL; all 18 loads are by this process)
Themida packer (yara_rule: themida) 3 IoCs
Processes:
resource  yara_rule
C:\Users\Admin\AppData\Local\Temp\file.exe  themida
behavioral2/memory/3340-81-0x0000000000400000-0x000000000103A000-memory.dmp  themida
behavioral2/memory/3340-82-0x0000000000400000-0x000000000103A000-memory.dmp  themida
Checks whether UAC is enabled 1 IoCs
Processes:
description  ioc  process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  file.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid  process
3340  file.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description  ioc  process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  NitroGenerator.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  main.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  file.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid  process
3340  file.exe
3340  file.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description  pid  process
Token: SeDebugPrivilege  3340  file.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description  pid  process  target process
PID 2492 wrote to memory of 4824  2492  NitroGenerator.exe  main.exe  (3 times)
PID 4824 wrote to memory of 4836  4824  main.exe  cmd.exe  (3 times)
PID 4836 wrote to memory of 3340  4836  cmd.exe  file.exe  (3 times)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\NitroGenerator.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\NitroGenerator.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2492
  Level 2: C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\main.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\NitroGenerator.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4824
    Level 3: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\file.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4836
      Level 4: C:\Users\Admin\AppData\Local\Temp\file.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\file.exe
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3340
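The signatures and the process tree above describe two things a detection engineer would want to turn into a rule: the anti-analysis cluster in file.exe (VirtualBox ACPI key, BIOS version values, EnableLUA) and the unpack-and-execute chain NitroGenerator.exe -> onefile_<pid>_<timestamp>\main.exe -> cmd.exe /c <Temp>\file.exe -> file.exe. The Python below is an added example, not part of this sandbox report or the sample; it replays constructed Sysmon-style events built from the report's registry paths and pids (the event field names type/pid/ppid/image/cmdline/key are an assumed schema, not real Sysmon field names), flags a process only when several hypervisor/BIOS probes are followed by a UAC-state read, and walks the process tree to find the staged-executable chain. The onefile_<parent pid>_<time> directory naming is the convention Nuitka's onefile mode uses for its extraction directory; that attribution is an inference from the path, not something the report states.

```python
"""Added example (not from the sandbox report or the sample): detection logic
for the behaviours the report lists, run over constructed Sysmon-style events.
Field names (type/pid/ppid/image/cmdline/key) are assumptions, not a real
Sysmon schema; registry paths and pids are copied from the report."""
import re
from collections import defaultdict

# Registry paths taken verbatim from the report's signature IoCs.
ANTI_VM_KEYS = {
    r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__": "virtualbox_acpi",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "bios_version",
    r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion": "video_bios_version",
}
UAC_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"
LANG_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

# ...\Temp\onefile_<parent pid>_<timestamp>\main.exe, as seen in the process tree.
ONEFILE_RE = re.compile(r"\\Temp\\onefile_(\d+)_\d+\\main\.exe$", re.IGNORECASE)
# cmd.exe /c "<...>\Temp\<name>.exe": group 1 is the staged executable's path.
CMD_DROP_RE = re.compile(r'cmd\.exe\s+/c\s+"?([^"]*\\Temp\\[^"\\]+\.exe)"?\s*$', re.IGNORECASE)


def registry_findings(events):
    """Group registry reads by pid and name the signal each read corresponds to."""
    signals = defaultdict(set)
    for ev in events:
        if ev["type"] != "reg_read":
            continue
        key = ev["key"]
        if key in ANTI_VM_KEYS:
            signals[ev["pid"]].add(ANTI_VM_KEYS[key])
        elif key == UAC_KEY:
            signals[ev["pid"]].add("uac_check")
        elif key == LANG_KEY:
            signals[ev["pid"]].add("language_discovery")
    return dict(signals)


def is_anti_analysis(sigs):
    """Alert only on the cluster: two or more hypervisor/BIOS probes plus a UAC
    read. Language discovery alone is too common (cmd.exe does it too here)."""
    vm_probes = {"virtualbox_acpi", "bios_version", "video_bios_version"} & sigs
    return len(vm_probes) >= 2 and "uac_check" in sigs


def dropper_chain(events):
    """Return [parent, main.exe, cmd.exe, staged exe] pids when a process runs
    main.exe from an onefile_<its own pid>_* temp dir, that main.exe launches
    cmd.exe /c <Temp>\\x.exe, and cmd.exe then starts exactly that file."""
    procs = {ev["pid"]: ev for ev in events if ev["type"] == "proc_create"}
    for pid, ev in procs.items():
        m = ONEFILE_RE.search(ev["image"])
        if not m or int(m.group(1)) != ev["ppid"]:
            continue  # the onefile dir must be named after the spawning parent
        for cpid, cev in procs.items():
            if cev["ppid"] != pid:
                continue
            drop = CMD_DROP_RE.search(cev["cmdline"])
            if not drop:
                continue
            for gpid, gev in procs.items():
                if gev["ppid"] == cpid and gev["image"].lower() == drop.group(1).lower():
                    return [ev["ppid"], pid, cpid, gpid]
    return []


def analyse(events):
    sigs = registry_findings(events)
    return {
        "anti_analysis_pids": sorted(p for p, s in sigs.items() if is_anti_analysis(s)),
        "dropper_chain": dropper_chain(events),
    }


# Constructed events modelled on the report's process tree and registry IoCs.
SAMPLE_EVENTS = [
    {"type": "proc_create", "pid": 2492, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\NitroGenerator.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\NitroGenerator.exe"'},
    {"type": "reg_read", "pid": 2492, "key": LANG_KEY},
    {"type": "proc_create", "pid": 4824, "ppid": 2492,
     "image": r"C:\Users\Admin\AppData\Local\Temp\onefile_2492_133689976314777729\main.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\NitroGenerator.exe"},
    {"type": "proc_create", "pid": 4836, "ppid": 4824,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\file.exe"'},
    {"type": "reg_read", "pid": 4836, "key": LANG_KEY},
    {"type": "proc_create", "pid": 3340, "ppid": 4836,
     "image": r"C:\Users\Admin\AppData\Local\Temp\file.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\file.exe"},
    {"type": "reg_read", "pid": 3340, "key": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"type": "reg_read", "pid": 3340, "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"type": "reg_read", "pid": 3340, "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"type": "reg_read", "pid": 3340, "key": UAC_KEY},
    {"type": "reg_read", "pid": 3340, "key": LANG_KEY},
]

if __name__ == "__main__":
    print(analyse(SAMPLE_EVENTS))
```

Two design points carry over to a real rule: the chain check ties the onefile directory to the spawning parent's pid and the grandchild image to the exact path cmd.exe was asked to run, so an unrelated cmd.exe under the same parent does not match; and the anti-analysis verdict requires the VM/BIOS probes and the EnableLUA read together, because each of those keys is also read by legitimate installers and hardware-inventory tools.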
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
79KB
MD5 fba68bf5c0074a51901b87e26a8c8f97
SHA1 2866d58bfbb19c1a629baebc00ef7a6debb9e1fe
SHA256 f2f775916f24d7b949b68d460fd34cdc86825f542b3d6207733b84106cb43e2e
SHA512 66b55a4ff7ed51e5997285f20fb585ea33dd48e7156d5e0d826bb37bf473a43116d19d1295cbb58f1e6e833f34a91e6550c893c6bc89f895273d785982920f05
-
Filesize
105KB
MD5 113cec4cffb5a6c47c1c53052897e6a2
SHA1 c84947efa0b8290a4baae63ad1d5db98ef88fb1f
SHA256 157f928b0bf79b7cab8f67b5ccaefee6cfd81e8d417eac77ac830b173488f997
SHA512 843af159051e08010ee5bd71c0aa8580149402a65584eb325df304099bcc9149faf29085bb6d81346edd8744a1e8dc3d3cf437f79d53a6feb83d3f59577e9b08
-
Filesize
145KB
MD5 8b4d78b1bd4795f786125c8032cd7018
SHA1 01ac050850aa60167936ce7963b349407e60a803
SHA256 03da5f3cfbd22c024bc30623123d6eb200d8cd51fd6911a26dba9c6bd742dfdc
SHA512 697f1f480c4f490c74ba959bfa22a5ac169fda450cc7a062054ce192394976e8de403b10102de4498a3aec97f456fa777ab270879e828451622f112aeb41c6c4
-
Filesize
28KB
MD5 cf015a78b6aaeeb4d03484f4085ebe9e
SHA1 2f08f97b4435d57846f7e9ff247acfd5784ba93e
SHA256 1cc522afa8efd21280af65ac3015c1439cc6654ecc88053dd76a491ec1a3fbe4
SHA512 aafa8f2c5817ac256c9e3e197c813cdcffbe936b4826797face8566a05dc19a68bed9ae7047d3f5a06408ad3e42459325e77266d606fcf827287940e7e250d51
-
Filesize
67KB
MD5 5a15ebc6fea692994aebf7a33eb9537a
SHA1 cd701822370b4837cb64a964ffc9a2a39b49412d
SHA256 f819d0444aeff705aea0f011f3787a04220f426eef0130a899b84d4848f78627
SHA512 628f7232ad358647e1d4ce2d19a200c184ffe3f0d0f387fb3473169bb0c4594dd380b59887d59fdaff1a36a6a15e7953356eef828f8dd3fcf422414f88a2efe8
-
Filesize
153KB
MD5 6238633c459e1e2af10f9cb33162eee8
SHA1 5b20757caddfd79b8080dd8978b1e092b3ef54e8
SHA256 b48adf6f1286a0f2dd8a4442fe8a2200db7addd8400dfe99080556f815d40cff
SHA512 db59fd425c7f51f85f9988cdc739d6590803efed2d013c0222a6c9c36fc464479a35366c0b3ba573de601a36a68ae50fd27a6b6fa5b41e86a72fa8f5f37c9670
-
Filesize
284KB
MD5 181ac9a809b1a8f1bc39c1c5c777cf2a
SHA1 9341e715cea2e6207329e7034365749fca1f37dc
SHA256 488ba960602bf07cc63f4ef7aec108692fec41820fc3328a8e3f3de038149aee
SHA512 e19a92b94aedcf1282b3ef561bd471ea19ed361334092c55d72425f9183ebd1d30a619e493841b6f75c629f26f28dc682960977941b486c59475f21cf86fff85
-
Filesize
3.3MB
MD5 2e9277a5dd088949086d450da0e5f4e8
SHA1 c939886464bb65dc4667d8e477d97a619eadddfc
SHA256 7de51a1913ca3b10027f83d99ccccb166d6a3c06ca5d6358f260342dbacdbf6a
SHA512 9f16c77cd90e1b6657f3d2cbd131273bf24becff01c198690ebadb2c454e3f84b88a7e9c6fecdb7f564e1aa99a5583bbd1933e5db408efce3a9095776fa1a056
-
Filesize
620KB
MD5 8b8fb5ec8d5fca88463bb9ad9fa23344
SHA1 cbc26ffca78f03b146c84925749029ca2777b30a
SHA256 b777ccc04c05ca5b0a6ff68e6c46ad9837dc02311ee132ad6a81910f4a1ed54f
SHA512 3763752732822b80622d5260745313575993f535b1fed49434483b644009eb09ab91a1a7f32df22ada477d873ddb0726e0ab5e9416b08fa70e6446d8e981104d
-
Filesize
4.5MB
MD5 9fc140cadd49c639ccdc22cd217fbca2
SHA1 b660df2d1919b96c45a16f46deacbdf74d3393cc
SHA256 82eba2779dd22e900353319c02d81b027fd5681419decfeb433f71300618f8b7
SHA512 0d004f815e10398e08bb065e7902dd1a83b45723093058fd0fb2a6bac9698fec193c03e148949b221154c2c604af6f9964e5be613925b5d919ecb1b562da7abf
-
Filesize
88KB
MD5 17f01742d17d9ffa7d8b3500978fc842
SHA1 2da2ff031da84ac8c2d063a964450642e849144d
SHA256 70dd90f6ee01854cecf18b1b6d1dfbf30d33c5170ba07ad8b64721f0bdcc235e
SHA512 c4e617cd808e48cc803343616853adf32b7f2e694b5827392219c69145a43969384d2fc67fa6fa0f5af1ca449eb4932004fbcdd394a5ba092212412b347586f0
-
Filesize
48KB
MD5 d1c86bcaf38f2c155fa04009591de420
SHA1 d5677ffb8bdb48e3690aa33b84c25c9ac76a5051
SHA256 c6cb5b01ac5f2c18d99540960855bef93ef177557c3d73cb8599186d4a08c130
SHA512 9ca6e41d875e87be8ebb71991b7d48831eb1a9b742de834bf779bf7e3e38e11063a94c420151be46a064a59bcb8d55b373ee17a2ad2a14737d9c9d5b3662eb26
-
Filesize
8KB
MD5 5242622c9818ff5572c08d3f9f96ea07
SHA1 f4c53ef8930a2975335182ad9b6c6a2ab3851362
SHA256 85f6e0b522d54459e7d24746054d26ba35ea4cc8505a3dd74a2bf5590f9f40fc
SHA512 c2ef2a5632eb42b00756bee9ffb00e382cbc1b0c6578243f3f1fe48eff18a1033187a5d7bf8bda4d9cf8d6cb4131ca37c47d8238ff264e1b1c496b16740b79a7
-
Filesize
98KB
MD5 ca6309d94f4136c058a244044c890d89
SHA1 49424c3eba17a4675a469326b6a5f10f6c14ba88
SHA256 b65e4644d0cdc01f5076fe9b7548ffd047ae143087b8ab3cbe0a1dc24fdbf00d
SHA512 ec2329db2378350ec27d742ed649df3fb81b1b2dfb24ed4cd8c274852742809c571f28a960f8907f04ec515c1960c2111880fbeecacfd04dea439a4d116f225b
-
Filesize
34KB
MD5 74d2b5e0120a6faae57042a9894c4430
SHA1 592f115016a964b7eb42860b589ed988e9fff314
SHA256 b982741576a050860c3f3608c7b269dbd35ab296429192b8afa53f1f190069c0
SHA512 f3c62f270488d224e24e29a078439736fa51c9ac7b0378dd8ac1b6987c8b8942a0131062bd117977a37046d4b1488f0f719f355039692bc21418fdfbb182e231
-
Filesize
11.8MB
MD5 fe881dbd608450f02a03bd30cf4f9c6a
SHA1 8200652ae003860d6a8b56680821cedda70ded3b
SHA256 188878f5fbe1f06203d60a08f6abc3495f0187907eda787c4c3e12c2a73de03f
SHA512 af8c785cf08df429b558c97b5b86507ad5dbad7bed2474317012f05a365ad487a3a57c70ff17f8e57c9ca00aee0265f746a4eb1e42f806f122cfdd7d52f1f137
-
Filesize
4.8MB
MD5 01dad4bcbf2d93c294ec789cead86c81
SHA1 68983bb44bd719bb8b68ef6653eecb5e274bac53
SHA256 4c70503cd8ec785604eae405d0e59aaf649b6a62d284deccebeaa51da47d6c6c
SHA512 4f2f06f7fcee7291794e674b7033f6777a7605e475b771598ec5d247e483944c4d92967c3b86d84b828b2415e457198f667183609cf39ec8f8ce177c285847cb
-
Filesize
26KB
MD5 1b9bb917bf3d56a711c0dc5098eb3be6
SHA1 b7951787cc9037259b01ff5b5462cfcdac2f1c9b
SHA256 2af9f8340f380b51dc0673d5e458caf3e56f3a395f6884962c71f9293391c70b
SHA512 058c28af566d3344d91f0428a228cd30f52ff7275c35371ddc677c3620160e3164ec34037f7901c39aa0392bd5fea17961d2d7ab93974c661831dd0dc076ebc1
-
Filesize
1.1MB
MD5 ba07111d13d9dcd451b333a9127d4ac6
SHA1 cd50441104257153819b647b2ecf6e7be0f0d802
SHA256 d3dce2bf827156d0b94a78059f1c2504e8337b90b23f758a125fa38e047fe684
SHA512 450f23012b0ef4bf19e3db0ffdf768428bf58bccd262ea1e26346e231d510e4da9201a09d5c3a7f4638f7ffeaf5ed517548f90ba73b77ce69497b33a7a01c8a8
-
Filesize
421KB
MD5 85fc4bf48a5131557c86ac1d171ba367
SHA1 22a0432770f274baa6387416211e16610d62f2a2
SHA256 152f92483f12da67df378b1ea8c1b8500dcf600435f763932647352c8fd79724
SHA512 dcc0caeb0efab08f9a86ff1ced0b752f2a4ba885c99e0c3a794862056a63ea03a72c2d8869b19dcc3b0e3b5e3b257bcf7176b59e3700d4f635356defddd32cac