Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
19/09/2024, 12:37
General
-
Target
Nitro Generator with Checker/NitroGen.exe
-
Size
181KB
-
MD5
4e365e8ccd70afbd3bb87ff051cc04cc
-
SHA1
019d2786471cd7e9d860b2d2f35beae8f70f5e0f
-
SHA256
a5460367bad0aa216b9d13f150ac125eb0c32aff9f70c1d081fb579e36b2ec99
-
SHA512
ac90d76d2f7883c49f8b3a0f322e0c37d93840a5bdf8f8f37d81c9d7572deb1e82be5b3ecd585b6596d77b6ef9f2cc9e5e6797ec008cb6b2ab4f148266490ecb
-
SSDEEP
768:Eec4lj/TePn4d3TNDI+eFdNwPfeivrm/J/aKr9n8RA3LfzIh:s4l3ePiO+eF3wPfeivrEFBfUh
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 15 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops file in Windows directory 9 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Nitro Generator with Checker\NitroGen.exe"C:\Users\Admin\AppData\Local\Temp\Nitro Generator with Checker\NitroGen.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Nitro Generator with Checker\WebDriver\Launcher.exe"C:\Users\Admin\AppData\Local\Temp\Nitro Generator with Checker\WebDriver\Launcher.exe"2⤵
- Drops startup file
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\IMF\Windows Services.exe"C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\IMF\Secure System Shell.exe"C:\Windows\IMF\Secure System Shell.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\IMF\Runtime Explorer.exe"C:\Windows\IMF\Runtime Explorer.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Users\Admin\AppData\Roaming\5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Nitro Generator with Checker\WebDriver\Jint.exe"C:\Users\Admin\AppData\Local\Temp\Nitro Generator with Checker\WebDriver\Jint.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Nitro Generator with Checker\WebDriver\Jint.exe"C:\Users\Admin\AppData\Local\Temp\Nitro Generator with Checker\WebDriver\Jint.exe"3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls4⤵
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
18KB
MD51762c14c77674ccbad8cb0d966142abe
SHA174a4cb1d1965d2e36a26d2029017f2f75ce23a54
SHA2563fe9be2e23af283ac6ae8fd640cf9b6694e5a5f6892e9be9d95171c425f44af1
SHA512290c51108e2a5dffa599a536e7be7eac1bbeadb96ccf6c25ace02c12ad89ae5fc9140597755f582dbb1bbe8b335dc7c39a0baf398a8842bfd4605f9efdb574d6
-
Filesize
94KB
MD518049f6811fc0f94547189a9e104f5d2
SHA1dc127fa1ff0aab71abd76b89fc4b849ad3cf43a6
SHA256c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db
SHA51238fa01debdb8c5369b3be45b1384434acb09a6afe75a50a31b3f0babb7bc0550261a5376dd7e5beac74234ec1722967a33fc55335b1809c0b64db42f7e56cdf7
-
Filesize
84KB
MD5a991152fd5b8f2a0eb6c34582adf7111
SHA13589342abea22438e28aa0a0a86e2e96e08421a1
SHA2567301fc2447e7e6d599472d2c52116fbe318a9ff9259b8a85981c419bfd20e3ef
SHA512f039ac9473201d27882c0c11e5628a10bdbe5b4c9b78ead246fd53f09d25e74c984e9891fccbc27c63edc8846d5e70f765ca7b77847a45416675d2e7c04964fc
-
Filesize
124KB
MD57322f8245b5c8551d67c337c0dc247c9
SHA15f4cb918133daa86631211ae7fa65f26c23fcc98
SHA2564fcf4c9c98b75a07a7779c52e1f7dff715ae8a2f8a34574e9dac66243fb86763
SHA51252748b59ce5d488d2a4438548963eb0f2808447c563916e2917d08e5f4aab275e4769c02b63012b3d2606fdb5a8baa9eb5942ba5c5e11b7678f5f4187b82b0c2
-
Filesize
64KB
MD588e2bf0a590791891fb5125ffcf5a318
SHA139f96abbabf3fdd46844ba5190d2043fb8388696
SHA256e7aecb61a54dcc77b6d9cafe9a51fd1f8d78b2194cc3baf6304bbd1edfd0aee6
SHA5127d91d2fa95bb0ffe92730679b9a82e13a3a6b9906b2c7f69bc9065f636a20be65e1d6e7a557bfd6e4b80edd0f00db92eb7fea06345c2c9b98176c65d18c4bdbf
-
Filesize
159KB
MD5cdd13b537dad6a910cb9cbb932770dc9
SHA1b37706590d5b6f18c042119d616df6ff8ce3ad46
SHA256638cd8c336f90629a6260e67827833143939497d542838846f4fc94b2475bb3e
SHA512c375fb6914cda3ae7829d016d3084f3b5b9f78f200a62f076ec1646576f87694eec7fa6f1c99cbe30824f2fe6e2d61ecdeb50061383b12143cd2678004703199
-
Filesize
28KB
MD5f19d9a56df14aea465e7ead84751ea5f
SHA1f170ccbeb8fb4a1e0fe56f9a7c20ae4c1a48e4a9
SHA25617ccd37dfba38bba706189d12ed28ca32c7330cc60db7bf203bf7198287073e4
SHA5122b69a11026bf4fe3792082d57eaf3b24713e7bd44dfd61ccaa6e5adb6771e49b6c81c1b542fbb159c9055db9739b9c4473a856914c72683a2a4cf658d6d7a469
-
Filesize
78KB
MD5478abd499eefeba3e50cfc4ff50ec49d
SHA1fe1aae16b411a9c349b0ac1e490236d4d55b95b2
SHA256fdb14859efee35e105f21a64f7afdf50c399ffa0fa8b7fcc76dae4b345d946cb
SHA512475b8d533599991b4b8bfd27464b379d78e51c41f497e81698b4e7e871f82b5f6b2bfec70ec2c0a1a8842611c8c2591133eaef3f7fc4bc7625e18fc4189c914e
-
Filesize
151KB
MD5cf7886b3ac590d2ea1a6efe4ee47dc20
SHA18157a0c614360162588f698a2b0a4efe321ea427
SHA2563d183c1b3a24d634387cce3835f58b8e1322bf96ab03f9fe9f02658fb17d1f8c
SHA512b171f7d683621fdab5989bfed20c3f6479037035f334ea9a19feb1184f46976095a7666170a06f1258c6ddf2c1f8bdb4e31cbfd33d3b8fa4b330f097d1c09d81
-
Filesize
763KB
MD5abbe5270af3906f418a479c104a04a5a
SHA1520c6184459e9b526ffaefb985a1446d3511c028
SHA2564d9abd9354a1a7554109a4a01f23d0b18e34b8fd1e953a2ede4cbca7952e695e
SHA512a0c790f99fe4e7a02ab5107bcfa025e30ccb468b7b8f4f528fc34d6ad670087a5ff95ad38568b8ff0ec254a9fcad7fde743a1b98720277604720454bdb48ae55
-
Filesize
3.2MB
MD589511df61678befa2f62f5025c8c8448
SHA1df3961f833b4964f70fcf1c002d9fd7309f53ef8
SHA256296426e7ce11bc3d1cfa9f2aeb42f60c974da4af3b3efbeb0ba40e92e5299fdf
SHA5129af069ea13551a4672fdd4635d3242e017837b76ab2815788148dd4c44b4cf3a650d43ac79cd2122e1e51e01fb5164e71ff81a829395bdb8e50bb50a33f0a668
-
Filesize
32KB
MD5eef7981412be8ea459064d3090f4b3aa
SHA1c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016
-
Filesize
674KB
MD550bcfb04328fec1a22c31c0e39286470
SHA13a1b78faf34125c7b8d684419fa715c367db3daa
SHA256fddd0da02dcd41786e9aa04ba17ba391ce39dae6b1f54cfa1e2bb55bc753fce9
SHA512370e6dfd318d905b79baf1808efbf6da58590f00006513bdaaed0c313f6fa6c36f634ea3b05f916cee59f4db25a23dd9e6f64caf3c04a200e78c193027f57685
-
Filesize
4.3MB
MD51d5e4c20a20740f38f061bdf48aaca4f
SHA1de1b64ab5219aa6fef95cd2b0ccead1c925fd0d0
SHA256f8172151d11bcf934f2a7518cd0d834e3f079bd980391e9da147ce4cff72c366
SHA5129df64c97e4e993e815fdaf7e8ecbc3ce32aa8d979f8f4f7a732b2efa636cfeb9a145fe2c2dcdf2e5e9247ee376625e1fdc62f9657e8007bb504336ac8d05a397
-
Filesize
28KB
MD5fed3dae56f7c9ea35d2e896fede29581
SHA1ae5b2ef114138c4d8a6479d6441967c170c5aa23
SHA256d56542143775d02c70ad713ac36f295d473329ef3ad7a2999811d12151512931
SHA5123128c57724b0609cfcaca430568d79b0e6abd13e5bba25295493191532dba24af062d4e0340d0ed68a885c24fbbf36b7a3d650add2f47f7c2364eab6a0b5faff
-
Filesize
1.1MB
MD5cd12c15c6eef60d9ea058cd4092e5d1b
SHA157a7c0b0468f0be8e824561b45f86e0aa0db28dd
SHA256e3ab6e5749a64e04ee8547f71748303ba159dd68dfc402cb69356f35e645badd
SHA512514e76174f977cc73300bc40ff170007a444e743a39947d5e2f76e60b2a149c16d57b42b6a82a7fea8dd4e9addb3e876d8ab50ea1898ee896c1907667277cf00
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
152KB
MD503f5e0141f4519f0c5ac26ce0b036a0f
SHA14f7a2a230e7a194a898cc9f2d563ac8777fe99c0
SHA25678a408c628e33e3332645f480ee7ce01b5dc24fc96cf16ffa0868d43f3d421ef
SHA51286a68f040654006e06b51c5714e0d7168d0d1bef7f3c39843632068104f773f771d21be4bc251d712f3e915cd1058f89ad31d9e3f3d9e7cf6da6785cbf22d8d7
-
Filesize
45KB
MD57d0c7359e5b2daa5665d01afdc98cc00
SHA1c3cc830c8ffd0f53f28d89dcd9f3426be87085cb
SHA256f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809
SHA512a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407
-
Filesize
46KB
MD5ad0ce1302147fbdfecaec58480eb9cf9
SHA1874efbc76e5f91bc1425a43ea19400340f98d42b
SHA2562c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3
SHA512adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
504KB
-
Filesize
7.7MB
-
Filesize
80KB
-
Filesize
7.7MB
-
Filesize
472KB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
208KB
-
Filesize
624KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
344KB
-
Filesize
304KB
-
Filesize
72KB
-
Filesize
120KB
-
Filesize
40KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
652KB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
408KB
-
Filesize
216KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
408KB
-
Filesize
304KB
-
Filesize
120KB