Analysis

  • max time kernel
    83s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/04/2025, 00:50

General

  • Target

    Nitrogen.exe

  • Size

    1.2MB

  • MD5

    834d94cf35d9417aa93a5cb350a756e9

  • SHA1

    5fbe4fef61314da6663b17b9120af20db0a2866f

  • SHA256

    0db5c55ef52e89401a668f59bf4f69391f4632447c51483bb64749d7f2123916

  • SHA512

    d986d4af87088a1599fd2c5eb8bc19594509bd422c1f462788430f6b636c75b9e578889c7322b841d2f0cd77c789c243dc979608f213f9b255a439f11ac70728

  • SSDEEP

    24576:Ye5MhKjQ6Vrn/hdGNGVb9e5DFzvwPxoAgCxp59p:YeEl6Vrn/HQGVb9e5DFzvExVgC

Malware Config

Extracted

Path

C:\Recovery\readme.txt

Ransom Note

Nitrogen welcome you! Take this seriously, this is not a joke! Your company network are encrypted and your data has been stolen and downloaded to our servers. Ignoring this message will result in all your data being published on our blog: http://nitrogenczslprh3xyw6lh5xyjvmsz7ciljoqxxknd7uymkfetfhgvqd.onion

This problem can be solved:
1. Your network and data can will be restored.
2. Your data is stolen and stored on our server, after receive payment it will be completely removed from our servers.
3. No one is aware about the data leak from your company except you.

If you believe you can handle without us and decrypting your servers and data using some IT Solution from third-party specialists? They will only make significant damage to all of your data; every encrypted file will be corrupted forever. Only our Decryption Tool will make decryption guaranteed. Don't go to recovery companies, they are essentially just middlemen who will make money off you.

If you decide not to negotiate with us and find another solution. We will make huge damage to your business by using all of our experience to make your partners, clients, employees and whoever cooperates with your company know about this accident and stop any partnership with you. As a result, You will suffer great losses and you will must to pay a penalty to the state and to compensate for lawsuits against your company. Also in case of disclosure of information about a cyber attack and theft of confidential data of your company your assets may fall and it will cost you several times more expensive instead agreeing with us.

Want to go to Government for protection? Your address them for help will only make the situation worse. They will try to prevent you from negotiating with us, because the negotiations will make them look weak and incompetent. After the incident report is handed over to the government department, you receive get a penalty for this accident and leak personal data. This will be a huge amount, you can read more about the GDRP legislation: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation/

In this situation you will not be winners anyway. So lets get straight to the point. After we receive your payment you will get the followings:
-Decryption tool for all your systems.
-Detailed penetration overview with main kill chain and security recommendations
-Proof that we have securely deleted your data
-Our word that we will not perform attacks on you in the future.

Now, in order to start negotiations, you need to do the following:
-Install Tor Browser from https://www.torproject.org/download/
-Use Tor Browser open: xqsdbtrtmufdyiqnkrkvosec4gqappf2egcptzqppjtqdevsoadakyqd.onion/quick-access/5RyUpUB1erpS21m9la/chats/veaftorztqes
-If you have any problems accessing the onion site, use the qTox app(https://github.com/qTox/qTox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe) to contact us. ToxID: 088B7708F2C1557B6023B1102FFC5C36C023FF4883CB073F26A33B73832C9268993ED58B817E

If you do not contact us within 3 days, we will begin publishing your data on all social networks.

URLs

http://nitrogenczslprh3xyw6lh5xyjvmsz7ciljoqxxknd7uymkfetfhgvqd.onion

http://xqsdbtrtmufdyiqnkrkvosec4gqappf2egcptzqppjtqdevsoadakyqd.onion/quick-access/5RyUpUB1erpS21m9la/chats/veaftorztqes

Signatures

  • Renames multiple (1369) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 25 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nitrogen.exe
    "C:\Users\Admin\AppData\Local\Temp\Nitrogen.exe"
    • Drops startup file
    • Drops desktop.ini file(s)
    PID:5016

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Recovery\readme.txt

    Filesize

    3KB

    MD5

    127cc94d6da9b941d111efc013c7f916

    SHA1

    cb0869d2a33c558088dbd4882edb4c8658b088d0

    SHA256

    f52aa6a579cab2d8ace707e70d1aa0857e28300cdde0e6ddb7b2d5ea8cd2c113

    SHA512

    f117fbf5fd2edf64c763ac43dc0a8ad0a33ae8591e0141f24936dbe7c3c4322172ab5e8249dc579e57d9424cfb0c483377fd05a728c82c90e7b49964fab1eac8

  • C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USSres00002.jrs.NBA

    Filesize

    3.0MB

    MD5

    de48653af7171e8403214091875e3103

    SHA1

    7702c9fea227725bcc46a9a15446be5123939717

    SHA256

    2df53ba8dbb6b60496ca1d88a7ead7557b022d6da350657e60ea3f71032b5b47

    SHA512

    dcadc73b878f135436d0ae846a44c57916c8aa58d21ef6bbf4c0f6ff720c6a49b24df618535ab54dbf5906a967e84afd191f7a1be1ee5a8961f2117085f0c9fb

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules\MANIFEST-000001

    Filesize

    129B

    MD5

    5e99345a09adbbe0b334de64ac08ec20

    SHA1

    9a45e02e13b52951a2db9bb6070f53bbbe212fa7

    SHA256

    6b68b4a1b30c51dd560a0cd29e2b21a592fa6788cf5eb588fc0b3703400d71f0

    SHA512

    28c94c4979281f87943f30b48f31a90d22a94f5935d706ca3b93b7a7871c377f19d01b9dbeb549b9841f241729b7eb3b7d2b17567ba2555e2a1bead4c2f7d746

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension Scripts\CURRENT

    Filesize

    104B

    MD5

    31fff6cf99e52fa64a552e6cf41915ae

    SHA1

    eeda042df280a24ce8fe86964e325dc28b5123ed

    SHA256

    b14d9e4f7f9e05a01fff9048df14d69863b248a0b9428d806e545eafb3fa563b

    SHA512

    6feb71d3a07090a7f65fc8781379c9cc9b2b4761dafc3e366bb047e2c31da3c112445d5026cd0d5e00c742cf9d03225b70a9858e8aa5dfc9d1cd1fac70355349

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_0.NBA

    Filesize

    8KB

    MD5

    737d40bab3265610b8cdff61765d4021

    SHA1

    5a724cbe6a1fd4461cf1eb4da46edcc76679c185

    SHA256

    4ab985f00db4251d163dbc47b88f82de01539ce4efb5230b4aad75a2a2556fea

    SHA512

    d3ead01912d6a6f55b1ef9e0be04725efc0911f15797a6ab1b8daf22e5317c57b74d97e65bc6d73fe6b7455b83e8ba7e51e22e08add1a77bb976466308d81719

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

    Filesize

    264KB

    MD5

    560ffd813454b5e395fce655c62431d3

    SHA1

    224f2bfd1bf930e515538b22931f6e4f9bd3e278

    SHA256

    e683473fd63c5a6c661e922c95c5483906f2797af89725715ef2fae464252990

    SHA512

    21d351af0ded65c590a1daf4e3081565be3f18bc3591fc999cb74331e44e45a25b67c4fdec4a1179066f2bbe4feeccea5defc4beb835ec31cf96b968edcc11e0

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_2

    Filesize

    8KB

    MD5

    9f4bde7cd2eed8735254287f534e6a15

    SHA1

    30348bcb1588d21c20722118774ee37830f2d727

    SHA256

    3aae2479577cccbfb16fd2be462d1c85d4c678a0af3d1106acb425bf5c926ac7

    SHA512

    084980fbdcf77730730a59b502f2d93426de4f91b8e8aefa3128422ada0de21bc482fa78354460f022bc4cf4eb711ab8a5c7286ef2e26e922216724fea828d71

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_3

    Filesize

    8KB

    MD5

    dd8a80efd88d4351d8242750042b7fa5

    SHA1

    88ff921798de13ab0fb4720d7fd049e67e3053f6

    SHA256

    a47e0dc780e605ee3cd74689e4b2c37d8a0caea941236ecb7aeda01519eb90a6

    SHA512

    c8e05a8183e82194656a25052260ec771676c84c18507c89c043f93bea3381f677e33485363585860c4717c2b4ab311fc87d31e8041f8acdd5b10a455f8c9efd

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\index

    Filesize

    256KB

    MD5

    04595186d91f4643f32d28f42bd6b19b

    SHA1

    98e070c697800d2af8cb84d4684733b5d0b81823

    SHA256

    810950ee7304e37543ca75de73cd6005445632a2fa8474fcf5f9689052f01fbc

    SHA512

    d9781d754d5d6aba6d82bcb48df9a648ed0e65d93d301f7591aa6af7a20fab28a002137831d5cac4a025de5ef3a4d6087e18d0ced16cfaeaa396c5fade1154ad

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\3ccc50e6-2756-45ff-8360-e6392c62a4e5\index

    Filesize

    112B

    MD5

    90c302d28430b93e307a184d19977c76

    SHA1

    431497c602af7926c48656c685000915e4e9a5e4

    SHA256

    47a16932b8664458d3bcffd57f436f0b5150c592600693e68ccbc222e540e963

    SHA512

    ff5a4343a13335846165b5af1729b57745b43bd68bcb40c0f1b3a60eca7d35444fda2b66370f93f5d34323a98f29bdcef75474c6b0ca263899dcf464ff0b85c9

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Shared Dictionary\cache\index

    Filesize

    112B

    MD5

    035d841605789879f26fc3583d284a39

    SHA1

    3f22b23394da010d01bbc0bbb447860b148b40a8

    SHA256

    d664ac8f734bc6e6347062004f62c45972fed4a07013d699fc660cf0379cb9b7

    SHA512

    5449e95f98eb6298ccda653d6616214e67e31990adef7ca56adf1ae283702138ff1c11789fdf5b2e60e11239f3f6c7ac858ec0580c00f6fe4bd5b9fe0cb1e9bf

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\CURRENT

    Filesize

    104B

    MD5

    990a23b819575741c65a0a9c3bfdaac4

    SHA1

    7ef781058fb2f9e14aa6e64cf59df643ddefed88

    SHA256

    8aea532aabe25a191e1a5c91728d39a868c1da759f9343cce0964a0e4db34162

    SHA512

    db9fd57d394fc6178a09692826f9fb645140dd5ee327c9a7e3e8cc1267e2283de0c7249751b5b5fd74dd19a0c5aa172ed4b90552e614323a160d31e82abfa764

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

    Filesize

    129B

    MD5

    12cc26226f71855c392696b6198e02e2

    SHA1

    8d048906257e2bf55cd774bd678ae8a6081f61bd

    SHA256

    15b7118f79956ec6052913d5cc0652c65655791691c9b4fe0a9355b6dc951202

    SHA512

    363beb7ce017c37f972d6b889b8abf4d1a2a9aa60102e36bf2580d33e5b477bd0ecd020a61d7af362ce393083f4cde3f84fc14de5090d8f06fb11d1e9ccda72b

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

    Filesize

    264KB

    MD5

    44558ba4be18d7b469d44276ccb559cd

    SHA1

    6bfc5977b56d3c07b34dd9378b600518fd37abba

    SHA256

    d96f3cf89c4c9fe9c188dac96b3384ff5ec3589d4472bec299bbb96527bad502

    SHA512

    8dbdb3c5160fe99bb7e85eef52d651accee4bd2110473c70695eb0eeb15620fc66dea310d174f91827cc606aad76b3132eb50ff5df84c3d49ab6baca3a846f87

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_2

    Filesize

    8KB

    MD5

    1d62ae5e86eb407accdfa2a7e245354d

    SHA1

    13625d4d4620d5b52a8bce7f69de7ab220f72fc9

    SHA256

    6f8a285baf93ce395b72c0a087171e34f97828722537b5a32bcd6a9f01bc98b2

    SHA512

    2b3525bb9bb4c40b75ee5b33c2ac160607623d815d7be73b5bb19cb7a1e0cb1487e9c4fd78abd62ebcb05dca3d119f997135595a8078cd2c28a14698acc8424b

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

    Filesize

    8KB

    MD5

    dde81c765b40f6cd460dc0c774515aa4

    SHA1

    7e0f820f530eaeef7db75efe87df23180827f390

    SHA256

    367d3492d3337d51d0f9881063ab7ac4dca5f554c40ca2647871f2811adf4ea3

    SHA512

    d5d76e575166718eb45820472f2456933b0eac761db572eb88c9aa1636523ea702786c2d4606b51638b58bb069ab0e2700394db369602ace974f78482d8d7030

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\data_0

    Filesize

    8KB

    MD5

    f39d754c64e8014b9fedab8bd656a88a

    SHA1

    d690c4645b55d274f18db7c4615a2e175556497e

    SHA256

    4c81cc1812ec7dc39c52bf99b74b892367f503e31e0ab5f6ffeb2874c501631f

    SHA512

    db602f1ce0544ee5849114d12a8bffb7fc3c8ed647363765f5fc91534ef209325208150dc3e2ee7680de65b4401ac05c178a3a7949567fa2c020290367be54a0

  • C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\Settings\settings.dat

    Filesize

    8KB

    MD5

    13481a7b890a8a967642dfa2d0a3b9ad

    SHA1

    622956c50eef5e440a234f9ee9cdeffcf910ede4

    SHA256

    cd92735dd1373cf464453cfa98fa1fdb8128827a16d33ab4a418b0743435faa6

    SHA512

    c77aaa241002e7d51267f8deeac8f68e0f2b168bcdeb66e4b06dde4babb178e708698f312fb7420f4daa39bba82b0b83d1963b5e484eec24fe6b5bf88451a37f

  • C:\Users\Admin\AppData\Local\Temp\wct17E8.tmp

    Filesize

    63KB

    MD5

    5dd35aff85f5afa44a5028f114a58f35

    SHA1

    02984f8366067d2d23a3f855054d311e976aaae2

    SHA256

    b6d12ddebba822d15eaf07a6f216a7cfa565c9f1c958f9c29740e3fcb70595c2

    SHA512

    91f52c0185c28b9701f2ea4a740bd7534431bbbedd3be6734970a9dbaa3c5fc1cec5fe015cf837a9e43b668005b4f43961f1a5de28fb23402b1dd6788f9ea066

  • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\LiveContent\16\Managed\Word Document Bibliography Styles\TM02851227[[fn=sist02]].xsl

    Filesize

    245KB

    MD5

    07485c553461d8f7c179d3d925dec17f

    SHA1

    89663b90eba3dc95a3271b73e4e5e298073d27e3

    SHA256

    428d2071fcd7602cf51bc05529e99b441ecd41a038b1c053f46b1dd7342eb49f

    SHA512

    af3acea36785431e53d988c938452f6631de9c6abe52258a6e3a6ed529d48b2f1c80c3117542888cb0efcaf7f71bef813b2def683610e8f9877cf3f0e5f34985

  • memory/5016-3838-0x00007FF6E5130000-0x00007FF6E526C000-memory.dmp

    Filesize

    1.2MB