Analysis Overview
SHA256
d23aab6822f83486a792afb7310912b552e050febdd0e92d3dc711a8e054c401
Threat Level: Shows suspicious behavior
The file Nitro (1).exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Unsigned PE
Detects Pyinstaller
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 14:44
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 14:44
Reported
2024-10-27 14:45
Platform
win10v2004-20241007-en
Max time kernel
34s
Max time network
35s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nitro (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nitro (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nitro (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nitro (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nitro (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nitro (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nitro (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nitro (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nitro (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nitro (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nitro (1).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nitro (1).exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\Nitro (1).exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Nitro (1).exe
"C:\Users\Admin\AppData\Local\Temp\Nitro (1).exe"
C:\Users\Admin\AppData\Local\Temp\Nitro (1).exe
"C:\Users\Admin\AppData\Local\Temp\Nitro (1).exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title N
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Ni
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Nit
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Nitr
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Nitro
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Nitro Ge
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Nitro Gen
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Nitro Gen
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Nitro Gene
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Nitro Gener
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Nitro Genera
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Nitro Generat
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Nitro Generato
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Nitro Generator
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.13.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI10602\python37.dll
| MD5 | d558d4db5a6bd29a8b60b8aa46e5329a |
| SHA1 | a5036009de7165b1b4721263eae4b240ee689095 |
| SHA256 | 1cfdd40a9107d89310e4e3b6df5f25f26944b312e61638d014f1b1a8050ccc07 |
| SHA512 | 5590fbd6c9c81293b21e9da9d35d5177f03ba3d247771e4abef3420420d9024f3a775796d73becd5aeb469df648d3105a016693c6b8f68e8c61399212439eebf |
C:\Users\Admin\AppData\Local\Temp\_MEI10602\nitro.exe.manifest
| MD5 | 4818855f73b865adac0eaf7c75c0658b |
| SHA1 | 7d3f3bb28e8157c69e5753ea722e2046792536ba |
| SHA256 | 18b99cc6c511459cd049ea7089cbf9557375ef0b13c148b2388e1e3320e09a1a |
| SHA512 | 083fd10b53b3426622072b56778338f780bf231d8f1b3e1043ca30abdbe20d4a4899ebc02a519916e0fe3493e02e13c7bd108f055fc78c37f1579745ebcc7bf6 |
C:\Users\Admin\AppData\Local\Temp\_MEI10602\VCRUNTIME140.dll
| MD5 | 0e675d4a7a5b7ccd69013386793f68eb |
| SHA1 | 6e5821ddd8fea6681bda4448816f39984a33596b |
| SHA256 | bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1 |
| SHA512 | cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66 |
C:\Users\Admin\AppData\Local\Temp\_MEI10602\base_library.zip
| MD5 | d07fc3903321a9ba31ee744c34420d70 |
| SHA1 | e67f987bf2a9f039524a09d70bb99aab5a24f0f7 |
| SHA256 | 0d459ddb2f1c496cd05b71e6233bc783997fed270b5023b7dad673345d363ea2 |
| SHA512 | aa7464e316e23c780cb29d89ce8845b145fc37db8f467e8a3035f5d42e6843997724936d27bf747aa46448032156fa6b043613538949e4195f4ac93abc74e518 |
C:\Users\Admin\AppData\Local\Temp\_MEI10602\_ctypes.pyd
| MD5 | 9e18aca18e4ece1c187f8c0cd12a5c8f |
| SHA1 | a8ba36a9eea969d722a9ae90139d4d59f643f951 |
| SHA256 | 3351627469ea8965b08bafc9de18d1d890479357df6bc8917f7218535e02f211 |
| SHA512 | 237b0ef23d0a91014581b94f5c7696da1ab3c1c3a51f6ffe10787c65dc4f5a90d1760e4088afc9acc27bae7f159a32fa3e7a9b15daba5950751932683e9373b3 |
C:\Users\Admin\AppData\Local\Temp\_MEI10602\_hashlib.pyd
| MD5 | e2f401c211fab8c5e1517764e9175616 |
| SHA1 | 7497eb47b63435d60e7d1bf20b2c946335e6671e |
| SHA256 | 76fb36e23b8f6821caec61c49f90b194632e68c9c78c9eb1f2e668c1b6383a73 |
| SHA512 | 1312eaa7cc46b774392ae9e588c41b104eda43703e48e5b13702e15da665c0e5cc8e21b4011141c63811cd366a0d5773ff26c40c27159b80486bc491eef450a9 |
C:\Users\Admin\AppData\Local\Temp\_MEI10602\libcrypto-1_1-x64.dll
| MD5 | 8c75bca5ea3bea4d63f52369e3694d01 |
| SHA1 | a0c0fd3d9e5688d75386094979171dbde2ce583a |
| SHA256 | 8513e629cd85a984e4a30dfe4b3b7502ab87c8bc920825c11035718cb0211ea0 |
| SHA512 | 6d80d26d91b704d50ff3ad74f76d6b1afe98af3d7a18e43011dbe3809adc305b0e382c10868328eb82c9f8b4c77bca1522bdc023c7c8712057b65f6579c9dff5 |
C:\Users\Admin\AppData\Local\Temp\_MEI10602\_socket.pyd
| MD5 | 9f0683eb56d79d33ee3820f1d3504cc2 |
| SHA1 | 0bf7a74e9040bb7ffda943ffef531520a9f419af |
| SHA256 | 39612c28eef633eef7e2e2c83a779fdda178d043d7aec0a07890e5d2a11cf4f8 |
| SHA512 | f086cc899b517ace259d27c048db5846552a7a8e57ddad4d6ea0b25b45e52282979309cea56bb56312aa83273b61f78b25b1ad6a61b6b3de33f5980c81ae6f32 |
C:\Users\Admin\AppData\Local\Temp\_MEI10602\select.pyd
| MD5 | cf7bd630db53356c3dfd51ca8822b696 |
| SHA1 | 202837642baa0d161d462039ab2441d491c6fe5f |
| SHA256 | 5ed33afc7f63de065457e0ef0852de0cc182a7111bd852e855eb9f48451b0e58 |
| SHA512 | 4c32e03b670fa42f57e5e265e56e9845b719286ffecd8afcd583649fee11b803776f15ea28730925dc0c0b5510c18047ceda951fca1a716a1acc54f0dbc9e91a |
C:\Users\Admin\AppData\Local\Temp\_MEI10602\_ssl.pyd
| MD5 | a7fadacb8f4ff72a26f1ccbcfcdc33c1 |
| SHA1 | e73311cce41f1de6e01e13ef5745febf37fb3193 |
| SHA256 | b8232c839e99a3701657fe16f245e0afca2f269562682eb1a3468c47d07ac5cf |
| SHA512 | a486a2c9fa2cf8a8b8c609a9f4d132c55c39dabcc1ea20455a27e23395515881c9cd396416796762777079aae6c6673dc9905bdcc92ff13d93e7e6c2a06403fe |
C:\Users\Admin\AppData\Local\Temp\_MEI10602\_bz2.pyd
| MD5 | e5ba852cb53065389044fe34474a4699 |
| SHA1 | d14401c170be8f73de67cfc7ea414dfb1c878ae5 |
| SHA256 | 690bfd170e038b7b369eb4e4e32621823b1050d895bae3ef538c6382cdc1b2b0 |
| SHA512 | c6db73a39c563ac8395214ba1fa9807542b228ebcf6daef9e5478ba99acfcd8dc3d4816c68c51128bb421e8ee2f4625ec24fbe1ef2d268eb01ce09c37ed27101 |
C:\Users\Admin\AppData\Local\Temp\_MEI10602\libssl-1_1-x64.dll
| MD5 | 0205c08024bf4bb892b9f31d751531a0 |
| SHA1 | 60875676bc6f2494f052769aa7d644ef4a28c5e5 |
| SHA256 | ebe7ffc7eb0b79e29bfc4e408ea27e9b633584dd7bc8e0b5ffc46af19263844b |
| SHA512 | 45da0c128bfb706cb0340ad40fbc691696f3483a0235faaac864dea4580b57e36aa5b4b55a60322081d2d2e2df788c550fd43c317582a9b6a2d66712df215bd0 |
C:\Users\Admin\AppData\Local\Temp\_MEI10602\_lzma.pyd
| MD5 | c7bbbab8b4764c1c2bfd480dc649653c |
| SHA1 | a5226b44fd42f39948174fab8b6ba5999104d831 |
| SHA256 | 96205c0efbfbc282d3f4b76f8f2f189a409f365dbe9a9a088351a2906b18cd36 |
| SHA512 | aad92eb554af4a99647c770f8a0e988da78542df348e89b740f5f777b5acd992a896c9790598c2c9df35a4167347653e7b337ac98258b9c878c710582e7c21da |
C:\Users\Admin\AppData\Local\Temp\_MEI10602\unicodedata.pyd
| MD5 | d009552163b6a795e0816ea5ce4928ce |
| SHA1 | f3640f46037735667b6eba057f89a978a3901430 |
| SHA256 | 5938061557e920e925a4e9b31f950b6d25c5ff10e143fe8e1f773466810ce2a2 |
| SHA512 | 5ed7513a843d2e239aae8a4ce9cbb42366d9f2a0ea5adaedd8dd8c53493594ee3b5b118f766cc04d47d3eb31ec03eeb77b0dc05851de5a585f6970830b6e8580 |