Analysis
-
max time kernel
39s -
max time network
40s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
31/10/2024, 04:48
Behavioral task
behavioral1
Sample
NitroGen.exe
Resource
win10ltsc2021-20241023-en
General
-
Target
NitroGen.exe
-
Size
76KB
-
MD5
f2969199c528611db2c3aa1cb01bf3be
-
SHA1
ae8bd3ac37c949a507239859b5a3280705d36cdb
-
SHA256
80c21c8ed69aed6da6dd3422e29238d41c76db39ad0a94d388f22d1df01888e2
-
SHA512
bb9710c6ed95dd94942632b24e86a14eacc555695f60bcb33f2a9af51e6603fd32c7c8e0d1ebd67ee59cc38c8393ede5eeca9675de97f5ccb7c75f0fe29a2760
-
SSDEEP
1536:7NCPl72PIk5az4V1JEw+bD1/sk/0ZvJ6/YOwe5VMuP4Uc:hSTkIz21Gw+bDqFrOwe5KPR
Malware Config
Extracted
xworm
104.154.53.10:7000
-
Install_directory
%Temp%
-
install_file
Registry.exe
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral1/memory/2272-1-0x00000000008A0000-0x00000000008BA000-memory.dmp family_xworm -
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 192 powershell.exe 4272 powershell.exe 4280 powershell.exe 4500 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation NitroGen.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Registry.lnk NitroGen.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Registry.lnk NitroGen.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Registry.exe" NitroGen.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1160 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid Process 192 powershell.exe 192 powershell.exe 4272 powershell.exe 4272 powershell.exe 4280 powershell.exe 4280 powershell.exe 4500 powershell.exe 4500 powershell.exe 2272 NitroGen.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2272 NitroGen.exe Token: SeDebugPrivilege 192 powershell.exe Token: SeIncreaseQuotaPrivilege 192 powershell.exe Token: SeSecurityPrivilege 192 powershell.exe Token: SeTakeOwnershipPrivilege 192 powershell.exe Token: SeLoadDriverPrivilege 192 powershell.exe Token: SeSystemProfilePrivilege 192 powershell.exe Token: SeSystemtimePrivilege 192 powershell.exe Token: SeProfSingleProcessPrivilege 192 powershell.exe Token: SeIncBasePriorityPrivilege 192 powershell.exe Token: SeCreatePagefilePrivilege 192 powershell.exe Token: SeBackupPrivilege 192 powershell.exe Token: SeRestorePrivilege 192 powershell.exe Token: SeShutdownPrivilege 192 powershell.exe Token: SeDebugPrivilege 192 powershell.exe Token: SeSystemEnvironmentPrivilege 192 powershell.exe Token: SeRemoteShutdownPrivilege 192 powershell.exe Token: SeUndockPrivilege 192 powershell.exe Token: SeManageVolumePrivilege 192 powershell.exe Token: 33 192 powershell.exe Token: 34 192 powershell.exe Token: 35 192 powershell.exe Token: 36 192 powershell.exe Token: SeDebugPrivilege 4272 powershell.exe Token: SeIncreaseQuotaPrivilege 4272 powershell.exe Token: SeSecurityPrivilege 4272 powershell.exe Token: SeTakeOwnershipPrivilege 4272 powershell.exe Token: SeLoadDriverPrivilege 4272 powershell.exe Token: SeSystemProfilePrivilege 4272 powershell.exe Token: SeSystemtimePrivilege 4272 powershell.exe Token: SeProfSingleProcessPrivilege 4272 powershell.exe Token: SeIncBasePriorityPrivilege 4272 powershell.exe Token: SeCreatePagefilePrivilege 4272 powershell.exe Token: SeBackupPrivilege 4272 powershell.exe Token: SeRestorePrivilege 4272 powershell.exe Token: SeShutdownPrivilege 4272 powershell.exe Token: SeDebugPrivilege 4272 powershell.exe Token: SeSystemEnvironmentPrivilege 4272 powershell.exe Token: SeRemoteShutdownPrivilege 4272 powershell.exe Token: SeUndockPrivilege 4272 powershell.exe Token: SeManageVolumePrivilege 4272 powershell.exe Token: 33 4272 powershell.exe Token: 34 4272 powershell.exe Token: 35 4272 powershell.exe Token: 36 4272 powershell.exe Token: SeDebugPrivilege 4280 powershell.exe Token: SeIncreaseQuotaPrivilege 4280 powershell.exe Token: SeSecurityPrivilege 4280 powershell.exe Token: SeTakeOwnershipPrivilege 4280 powershell.exe Token: SeLoadDriverPrivilege 4280 powershell.exe Token: SeSystemProfilePrivilege 4280 powershell.exe Token: SeSystemtimePrivilege 4280 powershell.exe Token: SeProfSingleProcessPrivilege 4280 powershell.exe Token: SeIncBasePriorityPrivilege 4280 powershell.exe Token: SeCreatePagefilePrivilege 4280 powershell.exe Token: SeBackupPrivilege 4280 powershell.exe Token: SeRestorePrivilege 4280 powershell.exe Token: SeShutdownPrivilege 4280 powershell.exe Token: SeDebugPrivilege 4280 powershell.exe Token: SeSystemEnvironmentPrivilege 4280 powershell.exe Token: SeRemoteShutdownPrivilege 4280 powershell.exe Token: SeUndockPrivilege 4280 powershell.exe Token: SeManageVolumePrivilege 4280 powershell.exe Token: 33 4280 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2272 NitroGen.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 2272 wrote to memory of 192 2272 NitroGen.exe 84 PID 2272 wrote to memory of 192 2272 NitroGen.exe 84 PID 2272 wrote to memory of 4272 2272 NitroGen.exe 87 PID 2272 wrote to memory of 4272 2272 NitroGen.exe 87 PID 2272 wrote to memory of 4280 2272 NitroGen.exe 89 PID 2272 wrote to memory of 4280 2272 NitroGen.exe 89 PID 2272 wrote to memory of 4500 2272 NitroGen.exe 91 PID 2272 wrote to memory of 4500 2272 NitroGen.exe 91 PID 2272 wrote to memory of 1160 2272 NitroGen.exe 95 PID 2272 wrote to memory of 1160 2272 NitroGen.exe 95 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\NitroGen.exe"C:\Users\Admin\AppData\Local\Temp\NitroGen.exe"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\NitroGen.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:192
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NitroGen.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4272
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Registry.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4280
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Registry.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4500
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Registry" /tr "C:\Users\Admin\AppData\Local\Temp\Registry.exe"2⤵
- Scheduled Task/Job: Scheduled Task
PID:1160
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD53eb3833f769dd890afc295b977eab4b4
SHA1e857649b037939602c72ad003e5d3698695f436f
SHA256c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
SHA512c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72
-
Filesize
1KB
MD5af1cc13f412ef37a00e668df293b1584
SHA18973b3e622f187fcf484a0eb9fa692bf3e2103cb
SHA256449c0c61734cf23f28ad05a7e528f55dd8a7c6ae7a723253707e5f73de187037
SHA51275d954ec8b98f804d068635875fac06e9594874f0f5d6e2ad9d6267285d1d4a1de6309009de9e2956c6477a888db648396f77a1a49b58287d2683b8214e7a3d3
-
Filesize
1KB
MD5c89671578badca1980abd30ee08c6ef4
SHA179cc06f7e038f551be97625c3c5ea0255b89ee25
SHA2561cf4b698e3120b83ce7b04f5582a430d04c4a47e0bd8fe1d1b136eb7ea141117
SHA512d330c8848fff27bf98f880e58541d08f59a1d8e27ffe1bd6392a65d8057c402eae642f92305303a0a370803f9adba6d5e350e1aeb0f4cea65769d7adc93edf65
-
Filesize
1KB
MD5705133121e18d0f8fab7848502dc9b85
SHA1e03a4425450c04e3cd5ccc07424a1989ca12ea27
SHA25688eb8c45ee90ecbc0edbe0b2108b2ace11cda293150ba75388808043a105ea3f
SHA512d88de3a89f05f711551d2ffaa16b3caf5b2616849f0d1391bc382ce3539f9b4614b6188d6bddbc33bead418c38ce7173f45e716c42be5aa1413dad90def9e0ff
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82