nitro | 7cca9ea23ca57d8ed6ac3f9a13b193703c04475c274920861edbfea78b4e44aa

General

Target

23cb7de182b1553bbdd9c4066c7d1f3f.exe
Size

42KB
MD5

23cb7de182b1553bbdd9c4066c7d1f3f
SHA1

64fbafd3b5f5bba8ac5a664ae5534bf19edf1ed5
SHA256

7cca9ea23ca57d8ed6ac3f9a13b193703c04475c274920861edbfea78b4e44aa
SHA512

913b2cac23a69f9f2b0bff39b445acfdd38fdeecd29e9838783c1563e23674a515c48da954648f8f89414da8e2734b80397eeb168594295f79b513110955ac67

Score

10^/10

nitro persistence ransomware

Malware Config

Signatures

Nitro
A ransomware that demands Discord nitro gift codes to decrypt files.
ransomware nitro

Modifies extensions of user files 12 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

23cb7de182b1553bbdd9c4066c7d1f3f.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\ReadSuspend.png.givemenitro	23cb7de182b1553bbdd9c4066c7d1f3f.exe
File opened for modification	C:\Users\Admin\Pictures\SkipAdd.tiff	23cb7de182b1553bbdd9c4066c7d1f3f.exe
File opened for modification	C:\Users\Admin\Pictures\ApproveUse.tiff	23cb7de182b1553bbdd9c4066c7d1f3f.exe
File created	C:\Users\Admin\Pictures\ConvertFromFind.tif.givemenitro	23cb7de182b1553bbdd9c4066c7d1f3f.exe
File created	C:\Users\Admin\Pictures\DenyCheckpoint.raw.givemenitro	23cb7de182b1553bbdd9c4066c7d1f3f.exe
File created	C:\Users\Admin\Pictures\EditConvertTo.tiff.givemenitro	23cb7de182b1553bbdd9c4066c7d1f3f.exe
File created	C:\Users\Admin\Pictures\EnableRemove.raw.givemenitro	23cb7de182b1553bbdd9c4066c7d1f3f.exe
File created	C:\Users\Admin\Pictures\ReadMount.png.givemenitro	23cb7de182b1553bbdd9c4066c7d1f3f.exe
File created	C:\Users\Admin\Pictures\ApproveUse.tiff.givemenitro	23cb7de182b1553bbdd9c4066c7d1f3f.exe
File opened for modification	C:\Users\Admin\Pictures\EditConvertTo.tiff	23cb7de182b1553bbdd9c4066c7d1f3f.exe
File created	C:\Users\Admin\Pictures\SkipAdd.tiff.givemenitro	23cb7de182b1553bbdd9c4066c7d1f3f.exe
File created	C:\Users\Admin\Pictures\SubmitConnect.crw.givemenitro	23cb7de182b1553bbdd9c4066c7d1f3f.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

23cb7de182b1553bbdd9c4066c7d1f3f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\NR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\23cb7de182b1553bbdd9c4066c7d1f3f.exe\""	23cb7de182b1553bbdd9c4066c7d1f3f.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

23cb7de182b1553bbdd9c4066c7d1f3f.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	23cb7de182b1553bbdd9c4066c7d1f3f.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	23cb7de182b1553bbdd9c4066c7d1f3f.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	23cb7de182b1553bbdd9c4066c7d1f3f.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.ipify.org
6 api.ipify.org

flow	ioc
5	api.ipify.org
6	api.ipify.org

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

23cb7de182b1553bbdd9c4066c7d1f3f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\wallpaper.png"	23cb7de182b1553bbdd9c4066c7d1f3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\Wallpaper.jpg"	23cb7de182b1553bbdd9c4066c7d1f3f.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

23cb7de182b1553bbdd9c4066c7d1f3f.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	23cb7de182b1553bbdd9c4066c7d1f3f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	23cb7de182b1553bbdd9c4066c7d1f3f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	23cb7de182b1553bbdd9c4066c7d1f3f.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

23cb7de182b1553bbdd9c4066c7d1f3f.exe

pid process

1824 23cb7de182b1553bbdd9c4066c7d1f3f.exe
1824 23cb7de182b1553bbdd9c4066c7d1f3f.exe

pid	process
1824	23cb7de182b1553bbdd9c4066c7d1f3f.exe
1824	23cb7de182b1553bbdd9c4066c7d1f3f.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

23cb7de182b1553bbdd9c4066c7d1f3f.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1824	23cb7de182b1553bbdd9c4066c7d1f3f.exe
Token: SeIncreaseQuotaPrivilege	992	WMIC.exe
Token: SeSecurityPrivilege	992	WMIC.exe
Token: SeTakeOwnershipPrivilege	992	WMIC.exe
Token: SeLoadDriverPrivilege	992	WMIC.exe
Token: SeSystemProfilePrivilege	992	WMIC.exe
Token: SeSystemtimePrivilege	992	WMIC.exe
Token: SeProfSingleProcessPrivilege	992	WMIC.exe
Token: SeIncBasePriorityPrivilege	992	WMIC.exe
Token: SeCreatePagefilePrivilege	992	WMIC.exe
Token: SeBackupPrivilege	992	WMIC.exe
Token: SeRestorePrivilege	992	WMIC.exe
Token: SeShutdownPrivilege	992	WMIC.exe
Token: SeDebugPrivilege	992	WMIC.exe
Token: SeSystemEnvironmentPrivilege	992	WMIC.exe
Token: SeRemoteShutdownPrivilege	992	WMIC.exe
Token: SeUndockPrivilege	992	WMIC.exe
Token: SeManageVolumePrivilege	992	WMIC.exe
Token: 33	992	WMIC.exe
Token: 34	992	WMIC.exe
Token: 35	992	WMIC.exe
Token: SeIncreaseQuotaPrivilege	992	WMIC.exe
Token: SeSecurityPrivilege	992	WMIC.exe
Token: SeTakeOwnershipPrivilege	992	WMIC.exe
Token: SeLoadDriverPrivilege	992	WMIC.exe
Token: SeSystemProfilePrivilege	992	WMIC.exe
Token: SeSystemtimePrivilege	992	WMIC.exe
Token: SeProfSingleProcessPrivilege	992	WMIC.exe
Token: SeIncBasePriorityPrivilege	992	WMIC.exe
Token: SeCreatePagefilePrivilege	992	WMIC.exe
Token: SeBackupPrivilege	992	WMIC.exe
Token: SeRestorePrivilege	992	WMIC.exe
Token: SeShutdownPrivilege	992	WMIC.exe
Token: SeDebugPrivilege	992	WMIC.exe
Token: SeSystemEnvironmentPrivilege	992	WMIC.exe
Token: SeRemoteShutdownPrivilege	992	WMIC.exe
Token: SeUndockPrivilege	992	WMIC.exe
Token: SeManageVolumePrivilege	992	WMIC.exe
Token: 33	992	WMIC.exe
Token: 34	992	WMIC.exe
Token: 35	992	WMIC.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

23cb7de182b1553bbdd9c4066c7d1f3f.execmd.exe

description	pid	process	target process
PID 1824 wrote to memory of 1980	1824	23cb7de182b1553bbdd9c4066c7d1f3f.exe	cmd.exe
PID 1824 wrote to memory of 1980	1824	23cb7de182b1553bbdd9c4066c7d1f3f.exe	cmd.exe
PID 1824 wrote to memory of 1980	1824	23cb7de182b1553bbdd9c4066c7d1f3f.exe	cmd.exe
PID 1824 wrote to memory of 1980	1824	23cb7de182b1553bbdd9c4066c7d1f3f.exe	cmd.exe
PID 1980 wrote to memory of 992	1980	cmd.exe	WMIC.exe
PID 1980 wrote to memory of 992	1980	cmd.exe	WMIC.exe
PID 1980 wrote to memory of 992	1980	cmd.exe	WMIC.exe
PID 1980 wrote to memory of 992	1980	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\23cb7de182b1553bbdd9c4066c7d1f3f.exe
"C:\Users\Admin\AppData\Local\Temp\23cb7de182b1553bbdd9c4066c7d1f3f.exe"
1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/992-64-0x0000000000000000-mapping.dmp

Download
memory/1824-60-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1824-62-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/1824-65-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/1824-66-0x0000000004C55000-0x0000000004C66000-memory.dmp

Filesize
68KB

Download
memory/1980-63-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads