Analysis
-
max time kernel
91s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
04/04/2025, 01:29
General
-
Target
Nitrogen.exe
-
Size
1.2MB
-
MD5
834d94cf35d9417aa93a5cb350a756e9
-
SHA1
5fbe4fef61314da6663b17b9120af20db0a2866f
-
SHA256
0db5c55ef52e89401a668f59bf4f69391f4632447c51483bb64749d7f2123916
-
SHA512
d986d4af87088a1599fd2c5eb8bc19594509bd422c1f462788430f6b636c75b9e578889c7322b841d2f0cd77c789c243dc979608f213f9b255a439f11ac70728
-
SSDEEP
24576:Ye5MhKjQ6Vrn/hdGNGVb9e5DFzvwPxoAgCxp59p:YeEl6Vrn/HQGVb9e5DFzvExVgC
Malware Config
Extracted
C:\Recovery\readme.txt
http://nitrogenczslprh3xyw6lh5xyjvmsz7ciljoqxxknd7uymkfetfhgvqd.onion
http://xqsdbtrtmufdyiqnkrkvosec4gqappf2egcptzqppjtqdevsoadakyqd.onion/quick-access/5RyUpUB1erpS21m9la/chats/ftornxmnsbgu
Signatures
-
Renames multiple (1292) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 25 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Nitrogen.exe"C:\Users\Admin\AppData\Local\Temp\Nitrogen.exe"1⤵
- Drops startup file
- Drops desktop.ini file(s)
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD58ca4b68ab017cf8d1377f62ab7698422
SHA190b941806b049f0c98c6ca997425564adc31b509
SHA256df25259d4f6e5872cce8292420a4a1ba3358c019c0c6f1c8e42cffaab11b784c
SHA512745a05e913411b8e5067741f597588e6e865b31ddd42a7a0b64fe4339660edc61a809069c74c5698b0958a683ab51ff1f7312c059c6413069e40a864187a09fd
-
Filesize
3.0MB
MD59e47c7ee62467455625842b9ccadd49c
SHA1888ef16b7d789a78396d28dcda176e57e685aa03
SHA2564aac743889af063601683262492c1105ed044dbcdf9772c4caa7d911e124c677
SHA51272be83e90a1091387f3b2d6e25712d31fd3d3010339ce1484c09c460261b2287e25ebbe7d7cb6a85fa80cb0dada810c8614cee05f97581a2160996e1ec4f04ac
-
Filesize
129B
MD5f7833d489c8d622e7b4892c170277ae3
SHA1fbe45b21d88e4d4f7b74be5bea5c754a787822b2
SHA25668f40fea7d0b0dca0916ae2213d2e657a5f95e97d0c653e344069fd4e492ea98
SHA5120de6de4dbaf6c32e7707cfa9772b5df655e2e0b08f62e00ec27a5a31417ffde848440fd1924c16932c4c18649a62bb36e8be98a46a08af44b91d1e79d7973b59
-
Filesize
104B
MD587f752851e6ad414551c7c4c3a491894
SHA1904a1b0a324589f86190e736ee25934c47ca2708
SHA256b3e13da34eb199451040240d5a354c6660bafcfe849c3de9d430f205e75244db
SHA5129820f852a1204b891d093fd7269f24bfb80b73bb4d2dde742faf252301ff013ed8333a0e24f937c01c82728008bc6377b67c4ac966f51ef1a3924c5d14394671
-
Filesize
8KB
MD50c9eb4f005489bbdb73a04bcb3947eed
SHA134ca2a46620aa14d2d117074b36670ff175e6d86
SHA256d46a606f84d8c264a2ec24c205b12439afa498d4a00994b66856e80e47369aa1
SHA512ca1f4401589995a62fa1c40070d9513881c5107de1def26494b8f28fc09f4b6f0c5c075783fd5db7f2c8c51b68edc049ba0a8e445f97a4f8d23dea5a2bfc8b80
-
Filesize
264KB
MD541b1ed508d47db8615723856f6b95859
SHA1b5b3c20d02c53ba1d6f551442f160b7dc9c51b05
SHA2569be0c88cbd473128af6f654a8ed2cb62cbb488fd0a84e1666fd94139c2f840f0
SHA512208e4156954674c2188de42ccdecb6da057667060c55f56fda079529cfc8cb6694c13188c3ba5d0c2b2420eee1a8238cc53b830aa6ca472d98427eeb66c35ce2
-
Filesize
8KB
MD5266e8ccbd5c57e60ba38b7b8d8204600
SHA1b761ebeb859416f4cf12308d7bbe5bd6d67ff12e
SHA25628495d2f6c6a9d6ea7fbd1f8dc802f8bd1cdbd535c31fb942910ed7e6325a59d
SHA5129d9fa67bf48b9912f1e00fcddc4fc78bc772828deab22315f8045ea0b8d3e65d6a8aa25e71e9f6112ee4b1ceef0a08155b1e4e0cb32b3b4dfe59ab05357e9dad
-
Filesize
8KB
MD5cde0ac52f781e0697f1d9277522cdcea
SHA16596f3b1e20e43aded366379d562a8cd93459cf6
SHA25626aaacf21ad71ec1b00d0040d58ddc8a6d7212434168715bf6d2655d2f6ff35e
SHA5124a78ee6792e71adde43a1691e8f0250ebdd67ec4ba333ead3c2815f5554d524c5995ffe65d92843f1b652f751414a99aeaa3994a40cf0304d438ba2e4ef8b3de
-
Filesize
256KB
MD583e3cacb9512bd80bf76268c4589c881
SHA186f23299a20470275a75e5acd6ab8f347db39d17
SHA25601a611c2cdcd21a58c52a42e47e0bcbdd6bb41781ffc481bebb3c31d80cfd0e1
SHA5125e2326775bfc2a165f867a746cb1be38f2e37236b3594e1a8d42c5a3a6d3298f649547f0fcbc3bde0689c47af1ee200bc2ef63cd64dbff8f95a768212b06aab6
-
Filesize
112B
MD524a6a9b6685eaf00a8b5bd7ae272f3c4
SHA1425d605d3e6819e28e54c61dbf8f91fd07283690
SHA2560c0e5a254cda1170aeb0ed515b98853a87cd271f0d1468c29069ca6b5fce98a3
SHA512d336a004cba71aae4940b5af2700893919002faaef88124fafbf34f05ea676c8e26f42c3875ccfcf1f536ace310964618cded8f750a698851fefe0902605cc2b
-
Filesize
112B
MD550bacdf82db917db155363421a607c37
SHA1764f47a6b2b9e297e98022dcbc41febc439682cc
SHA25684b8614dacf514b94124b9e57a0facc758bb8bb42309cd96bd55e60db465e051
SHA5120e4e2209e2d2000e46d1c68ff9c754dc23bae8c0ed4abf756c2123a7d8456abcb7ddb253b3b7f7c7bcb307706aa3bee39b1e10be380f32f418e70093de508af7
-
Filesize
104B
MD5dbea7053a36d3d14074b00e4c52f5457
SHA14d3df47e98e6a7919ddbe15ef373e076ba765fab
SHA256e4c2399db72c853a779ed5d8ff63b266dcdadb93a8ee7a03056003d1653dd25f
SHA51235f13be0b4bfbfd96477473abf6f843359e08a8d2fe9205e91c7e4a5a30e0470a20f8a03af783281e92aaf11b827c9508b3660e0fe4625f5620b77eb95b1ff51
-
Filesize
129B
MD5e861d0366d1b641314663b1a7545a24a
SHA1b0ac88a37e193470868cfc85473748ab67e36803
SHA2567c324a8849f3dee094ce82cf813d2e1a6a0dcfe344f6afa6c5cf78d22ca8055d
SHA51298b84d089305663b8199f0f4fddede57a0df393f112e8d4778ce666d6b81cbdce980a2611e318e1c8612acd6dcca9c6825c402860a82cb2e408cc30d7b79c64d
-
Filesize
264KB
MD559fe849dbd1b4d186f20000eb88aae34
SHA1033aa27b4de8cc2c8b16a698bea71bb5c608e797
SHA25677e23fc245e48991d695a709c60428399a53c430f0df8bad118ac79c387ac87b
SHA512722db98e533c91e734fe1dcc12492484df5c0d3a73684afc2f87a3d45aacecc4823421af812c30a301389be0b4f297536abae8dd304dff2c87d67a27e901650f
-
Filesize
8KB
MD5df971c2e497f5f5bd9abd638f54cde94
SHA113f4f9d131f135fa4f4546c4189f152390f3aafa
SHA256443d66e70a79dcbc4f1dfffb02aeaf439c41163fbe8e8a2fefbeb6241e231126
SHA51227cbfee682347f80f09573acc809d9e04b35bcd3295041ba724f35c1c2df12926f0413473fd378d438732e5904d6dbd2aa796d60420b8f6175c87bb9b89da902
-
Filesize
8KB
MD55d3876dd36b6865c91c36bc885c670cc
SHA1f6ee3989c5db7b5cd865a86ad8c07cec15eed7ed
SHA256b557a14f34e5d29741eca00e1f13b94479108091d0f40f26828f69f89804de75
SHA51267217f285735bca6b0ef8e9650f95c6ee74d249f1390cb500585da6e38a729386b682209383ee88fd0672e1f83f2ca36e28b96a436de66f3fd6bfb50d5973cc7
-
Filesize
8KB
MD54a64909803c629da2e9535efd42381d4
SHA1f6eb680f50b9c83b0c0f84d3777093c3d32d80ac
SHA256446f0b22f5fa2adb3e7e69839010d0b3f64f2a55ff1e8ccba0bda77c2a5e250b
SHA512cb436be11b3b79fc02bcfe629bba98ae94a18647571d8837e371e538dafa2a8f8ffcb76b79a33785d9a61a5fb1aa61fe4e72cb464032fc715d5e0af63a64658c
-
Filesize
8KB
MD5da7922aa9da13d6de00b1f14ac3ea405
SHA17222ca029ea4e1c3ee9d2e1d6d3c353b2e9355bf
SHA256235cdc85129032a3ed9664942d8b7c385af71f016bd569f86e9c2d0a9ca91e62
SHA51211a53ebacc380f4540381034ef837d5ad4f193c567da1eeb557d8eb4e4e1919f7c5d06bfa47bc123fef22780176fec8183b5975900f304869f526b9d3d582343
-
Filesize
8KB
MD593d475681dd665a3e1f969f5738c673f
SHA14671c6209cdbf39c89a0a0379669250f8b14edfe
SHA256239187b3e0ccfba75d53a0d755bcd38db79886275fd0cc44b17c7b18fa5af232
SHA51230b041445eca87a7febc23dbca7d94bc649689ec80ffbbc500f6a108a3ccba4b06e3947a5dba1d2d67900572d8696775dfb8fdb01b17ed9295953ccde2974eee
-
Filesize
63KB
MD59fa7fab7aad5cb35ec75648f104f18cf
SHA1d2d76038a0f2164fb31cbc71e0a8b7c258193b7f
SHA256df570c96bec91ff658ef4839bc2bc4a3a9a25a0303c4fba2079e5f4adc01e84f
SHA512328b37ef032b3da6751b161fa6cb31a5fba051195033d9bbe46f539307fcc2884cdd124fdbcdac1a1517bdcdf0f3883cf66121e424acbff215092a3744bb1e66
-
Filesize
1.2MB