Analysis Overview
SHA256
a168edbf63b98d8e0dbdb524308f89ff2fd3b7226e5b9a400763d1fa357f1483
Threat Level: Likely benign
The file Nitro Gen V1.0 By JF.rar was found to be: Likely benign. Read that verdict narrowly. The process trees below show the sandbox launched the archive with cmd /c, Windows had no handler registered for the .rar file type on either image, and the request fell through to the Open With path (shell32.dll,OpenAs_RunDLL via rundll32.exe on Windows 7, OpenWith.exe on Windows 10). On Windows 7 the file was then handed to vlc.exe, which opened it as a media file, so the signatures, memory regions and dropped files listed for behavioral1 belong to the shell, VLC and the audio engine (AUDIODG.EXE), not to the archive's contents. The "wrote to memory" events follow the parent-to-child chain cmd.exe (600) -> rundll32.exe (2920) -> rundll32.exe (2156) -> vlc.exe (1932), which is the same chain the process list shows. Nothing inside the archive was extracted or executed in either run, so the archive's contents are unassessed by this report; extract them and submit the contained files separately before relying on "Likely benign".
Malicious Activity Summary
Enumerates physical storage devices
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-25 09:34
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-25 09:34
Reported
2024-08-25 09:36
Platform
win7-20240705-en
Max time kernel
42s
Max time network
39s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 (SE_INC_WORKING_SET_PRIVILEGE, i.e. SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 (SE_INC_WORKING_SET_PRIVILEGE, i.e. SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 600 wrote to memory of 2920 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 600 wrote to memory of 2920 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 600 wrote to memory of 2920 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2920 wrote to memory of 2156 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\rundll32.exe |
| PID 2920 wrote to memory of 2156 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\rundll32.exe |
| PID 2920 wrote to memory of 2156 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\rundll32.exe |
| PID 2156 wrote to memory of 1932 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
| PID 2156 wrote to memory of 1932 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
| PID 2156 wrote to memory of 1932 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files\VideoLAN\VLC\vlc.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Nitro Gen V1.0 By JF.rar"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Nitro Gen V1.0 By JF.rar
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Nitro Gen V1.0 By JF.rar
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Nitro Gen V1.0 By JF.rar"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4
Network
Files
memory/1932-37-0x000007FEF6400000-0x000007FEF6434000-memory.dmp
memory/1932-36-0x000000013FF70000-0x0000000140068000-memory.dmp
memory/1932-40-0x000007FEF5FE0000-0x000007FEF5FF7000-memory.dmp
memory/1932-43-0x000007FEF5300000-0x000007FEF5311000-memory.dmp
memory/1932-45-0x000007FEF52C0000-0x000007FEF52D1000-memory.dmp
memory/1932-44-0x000007FEF52E0000-0x000007FEF52FD000-memory.dmp
memory/1932-42-0x000007FEF5630000-0x000007FEF5647000-memory.dmp
memory/1932-41-0x000007FEF5FC0000-0x000007FEF5FD1000-memory.dmp
memory/1932-38-0x000007FEF5320000-0x000007FEF55D6000-memory.dmp
memory/1932-39-0x000007FEF6000000-0x000007FEF6018000-memory.dmp
memory/1932-46-0x000007FEF50B0000-0x000007FEF52BB000-memory.dmp
memory/1932-57-0x000007FEF3E70000-0x000007FEF3EA0000-memory.dmp
memory/1932-47-0x000007FEF4000000-0x000007FEF50B0000-memory.dmp
memory/1932-67-0x000007FEF3C10000-0x000007FEF3C22000-memory.dmp
memory/1932-66-0x000007FEF3C30000-0x000007FEF3C41000-memory.dmp
memory/1932-65-0x000007FEF3C50000-0x000007FEF3C73000-memory.dmp
memory/1932-64-0x000007FEF3C80000-0x000007FEF3C98000-memory.dmp
memory/1932-63-0x000007FEF3CA0000-0x000007FEF3CC4000-memory.dmp
memory/1932-62-0x000007FEF3CD0000-0x000007FEF3CF8000-memory.dmp
memory/1932-61-0x000007FEF3D00000-0x000007FEF3D57000-memory.dmp
memory/1932-60-0x000007FEF3D60000-0x000007FEF3D71000-memory.dmp
memory/1932-59-0x000007FEF3D80000-0x000007FEF3DFC000-memory.dmp
memory/1932-58-0x000007FEF3E00000-0x000007FEF3E67000-memory.dmp
memory/1932-56-0x000007FEF3EA0000-0x000007FEF3EB8000-memory.dmp
memory/1932-55-0x000007FEF3EC0000-0x000007FEF3ED1000-memory.dmp
memory/1932-54-0x000007FEF3EE0000-0x000007FEF3EFB000-memory.dmp
memory/1932-53-0x000007FEF3F00000-0x000007FEF3F11000-memory.dmp
memory/1932-52-0x000007FEF3F20000-0x000007FEF3F31000-memory.dmp
memory/1932-51-0x000007FEF3F40000-0x000007FEF3F51000-memory.dmp
memory/1932-50-0x000007FEF3F60000-0x000007FEF3F78000-memory.dmp
memory/1932-49-0x000007FEF3F80000-0x000007FEF3FA1000-memory.dmp
memory/1932-48-0x000007FEF3FB0000-0x000007FEF3FF1000-memory.dmp
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini
| MD5 | 80a0493bbaa9054ee732e07005897286 |
| SHA1 | 3e49fcfa7370a84d06257c9e2329fd0408fac2e1 |
| SHA256 | 656e39f20a3453515943a6afdcd415887e85495da4d413644e19e3cd4a78c5af |
| SHA512 | 101fc8960a3b1be86e4bd84f4a729fcbfd3ee676621600a13b6ee6a54baa76543c3217c3a67ac91a24c0649629a2a600ea2cbede1b2135a3e8ce2b7bef0fd9b0 |
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock
| MD5 | ad92643fe62db9b8f07143e510b28bd8 |
| SHA1 | 817f911d58b6c8d5e35d25e2d0a29cfb9fa71c9f |
| SHA256 | 777ffea0be2437d81a45c3de530a351db7b4ed81e49d9b976a6bb547620fc2d3 |
| SHA512 | ba0e055d51efc70e42a7d3f9e2e1bfc312c189b9029f6f972007fc67369d22d0d4c54db8059f52eaba43565c4d9125553b4529e38e1f0ff541648f7f053fdfe7 |
memory/1932-230-0x000007FEF6400000-0x000007FEF6434000-memory.dmp
memory/1932-231-0x000007FEF5320000-0x000007FEF55D6000-memory.dmp
memory/1932-229-0x000000013FF70000-0x0000000140068000-memory.dmp
memory/1932-232-0x000007FEF4000000-0x000007FEF50B0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-25 09:34
Reported
2024-08-25 10:05
Platform
win10v2004-20240802-en
Max time kernel
1362s
Max time network
1153s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Nitro Gen V1.0 By JF.rar"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
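The process lists of behavioral1 and behavioral2 both show the same pattern: cmd /c on a file type with no registered verb, then the Open With fallback. The following helper is an added example (not part of the sandbox report or of any vendor's tooling) that reads command lines like the ones above and decides whether the submitted file ever ran as a process, whether the run hit the Open With dialog, and which application, if any, received the file instead. The command lines embedded below are copied from this report's two Processes sections; the set of shell process names is an assumption for this example.

```python
"""Decide from a sandbox process list whether the sample actually executed.

Added example; the command lines are copied from the report above and serve
as the constructed sample input.
"""
import ntpath
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Nitro Gen V1.0 By JF.rar"

# behavioral1 (win7): no .rar handler, OpenAs_RunDLL shown, VLC received the file.
BEHAVIORAL1 = [
    r'cmd /c "C:\Users\Admin\AppData\Local\Temp\Nitro Gen V1.0 By JF.rar"',
    r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL '
    r'C:\Users\Admin\AppData\Local\Temp\Nitro Gen V1.0 By JF.rar',
    r'"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL '
    r'C:\Users\Admin\AppData\Local\Temp\Nitro Gen V1.0 By JF.rar',
    r'"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file '
    r'"C:\Users\Admin\AppData\Local\Temp\Nitro Gen V1.0 By JF.rar"',
    r'"C:\Windows\explorer.exe"',
    r"C:\Windows\system32\AUDIODG.EXE 0x4f4",
]
# behavioral2 (win10): same bounce, but no application took the file.
BEHAVIORAL2 = [
    r'cmd /c "C:\Users\Admin\AppData\Local\Temp\Nitro Gen V1.0 By JF.rar"',
    r"C:\Windows\system32\OpenWith.exe -Embedding",
]

# Markers of the "no registered verb" fallback, one per Windows generation.
OPEN_WITH_MARKERS = ("openas_rundll", "openwith.exe")
# Shell/system images that appear around the dialog (assumed list for this example).
SHELL_PROCESSES = {"cmd", "rundll32", "openwith", "explorer"}


@dataclass
class Verdict:
    sample_executed: bool        # some process image *is* the submitted file
    open_with_dialog: bool       # the run fell through to Open With
    handler: Optional[str]       # non-shell program that received the file, if any
    unattributed: List[str] = field(default_factory=list)  # images whose signatures are not the sample's


def image_of(cmdline: str) -> str:
    """Lower-cased image path from a Windows command line, quoted or bare."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)].lower()
    return cmdline.split(" ", 1)[0].lower()


def stem_of(image: str) -> str:
    """'C:\\Windows\\system32\\AUDIODG.EXE' -> 'audiodg' (ntpath works off-Windows too)."""
    return ntpath.splitext(ntpath.basename(image))[0].lower()


def triage(cmdlines: List[str], sample_path: str = SAMPLE) -> Verdict:
    target = sample_path.lower()
    v = Verdict(sample_executed=False, open_with_dialog=False, handler=None)
    for line in cmdlines:
        low, img = line.lower(), image_of(line)
        if img == target:
            v.sample_executed = True
            continue
        v.unattributed.append(img)
        if any(m in low for m in OPEN_WITH_MARKERS):
            v.open_with_dialog = True
        elif stem_of(img) not in SHELL_PROCESSES and target in low:
            # A non-shell program got the sample path as an argument: that is
            # the viewer the dialog picked, and its behaviour is its own.
            v.handler = img
    return v


def explain(v: Verdict) -> str:
    if v.sample_executed:
        return "sample executed; behavioural signatures are attributable to it"
    if v.open_with_dialog:
        tail = f"; {v.handler} opened it as a document" if v.handler else "; no application took the file"
        return "sample NOT executed: no handler for the file type, Open With dialog shown" + tail
    return "sample NOT executed: no process corresponds to the submitted file"


if __name__ == "__main__":
    for name, tree in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2)):
        print(name, "->", explain(triage(tree)))
```

Run against the two trees, the helper reports "sample NOT executed" for both, naming vlc.exe as the program that received the file in behavioral1 and nothing in behavioral2. For an archive, the next step is to extract it and submit each contained file on its own; for any other file type, the same check tells you whether an "Open With" bounce has turned the run into a test of the chosen viewer rather than of the sample.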
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp |
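The only processes in behavioral2 are cmd.exe and OpenWith.exe, so the traffic above is the Windows 10 image's own background activity: thirteen reverse-DNS (PTR) queries for addresses the host had talked to, plus a lookup of and five TLS connections to tse1.mm.bing.net, Microsoft's Bing image CDN. The helper below is an added example (not from the report or any vendor) that parses such a table, decodes each in-addr.arpa name back to the address it asks about, separates baseline OS endpoints from anything unexplained, and ties PTR queries back to connections in the same run. The rows are copied from this report as constructed sample input; the baseline suffix list is an assumption that you would build from an empty-run detonation of your own image.

```python
"""Sort a sandbox network table into PTR lookups, baseline OS traffic and leftovers.

Added example; the table below is copied from the report and is the
constructed sample input.
"""
import ipaddress
import re
from typing import Dict, List, Optional

NETWORK_TABLE = """\
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp |
"""

ROW_RE = re.compile(
    r"^\|\s*(?P<country>[^|]+?)\s*\|\s*(?P<dest>[^|]+?)\s*\|\s*(?P<domain>[^|]+?)\s*\|\s*(?P<proto>[^|]+?)\s*\|$"
)
PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$", re.I)

# Endpoints a clean image contacts on its own; assumed here, derive yours from a blank run.
BASELINE_SUFFIXES = (".bing.net",)


def parse_table(text: str) -> List[Dict[str, str]]:
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def ptr_target(name: str) -> Optional[ipaddress.IPv4Address]:
    """'217.106.137.52.in-addr.arpa' -> 52.137.106.217; None if not a PTR name."""
    m = PTR_RE.match(name)
    if not m:
        return None
    return ipaddress.IPv4Address(".".join(reversed(m.groups())))


def dest_host(dest: str) -> str:
    return dest.rsplit(":", 1)[0]


def classify(rows: List[Dict[str, str]]) -> Dict[str, List[Dict[str, str]]]:
    buckets: Dict[str, List[Dict[str, str]]] = {"ptr": [], "baseline": [], "unexplained": []}
    for r in rows:
        name = r["domain"].lower()
        if ptr_target(name) is not None:
            buckets["ptr"].append(r)
        elif name.endswith(BASELINE_SUFFIXES):
            buckets["baseline"].append(r)
        else:
            buckets["unexplained"].append(r)   # this is what deserves a look
    return buckets


def ptr_connection_pairs(rows: List[Dict[str, str]]) -> List[str]:
    """Addresses that were both PTR-queried and connected to (non-DNS) in the run."""
    contacted = {dest_host(r["dest"]) for r in rows if r["proto"].lower() == "tcp"}
    asked = {ptr_target(r["domain"]) for r in rows} - {None}
    return sorted(str(ip) for ip in asked if str(ip) in contacted)


def summary(text: str = NETWORK_TABLE) -> Dict[str, int]:
    rows = parse_table(text)
    b = classify(rows)
    unique_ptr = {str(ptr_target(r["domain"])) for r in b["ptr"]}
    return {
        "rows": len(rows),
        "ptr": len(b["ptr"]),
        "ptr_unique_targets": len(unique_ptr),
        "baseline": len(b["baseline"]),
        "unexplained": len(b["unexplained"]),
        "ptr_of_contacted": len(ptr_connection_pairs(rows)),
    }


if __name__ == "__main__":
    print(summary())
    print("PTR-queried and contacted:", ptr_connection_pairs(parse_table(NETWORK_TABLE)))
```

On this table every row lands in the PTR or baseline bucket and the unexplained bucket is empty, which is the expected picture for a run in which the sample never executed. The one PTR query that matches a connection is 10.27.171.150.in-addr.arpa, the reverse of the 150.171.27.10 host the image connected to for tse1.mm.bing.net, so even that lookup is the OS naming its own endpoint. Anything that did land in the unexplained bucket would be the first thing to pivot on.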