General

  • Target

    89fbfa647b0558f766bee4029fe66187

  • Size

    62KB

  • Sample

    210812-5ardkj6826

  • MD5

    89fbfa647b0558f766bee4029fe66187

  • SHA1

    72260bdc557b500d3c4c13d8f1228c0b49c5ae95

  • SHA256

    155e6b0ba6cc29659970f69c00034f7b591e8f63c4727a12c64f13f7543421e3

  • SHA512

    025485d9577127babd06b130de117f0b9c756b8a90f0fb6a00399411bb5f284e94e81412a45e5f98a4c3927a32139216c34ffdf5c73c2288f2ddc88cb89b4fc4

Malware Config

Targets

    • Nitro

      A ransomware family that demands Discord Nitro gift codes to decrypt files.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic            Technique                            ID     Count
Persistence       Registry Run Keys / Startup Folder   T1060  1
Defense Evasion   Modify Registry                      T1112  3
Defense Evasion   Install Root Certificate             T1130  1
Impact            Defacement                           T1491  1
