Analysis

max time kernel: 85s
max time network: 139s
platform: windows10_x64
resource: win10v20210408
submitted: 12-08-2021 11:20
Static task: static1
Behavioral task: behavioral1
  Sample: 45b3bd0d1d388b5802d643b9729043e9.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 45b3bd0d1d388b5802d643b9729043e9.exe
  Resource: win10v20210408
General

Target: 45b3bd0d1d388b5802d643b9729043e9.exe
Size: 60KB
MD5: 45b3bd0d1d388b5802d643b9729043e9
SHA1: 8e9fce72a1fe5f46e4057b5123667087c1d8e379
SHA256: 056f57fb1be7827272aeea42c255cfb62f8c9960072eb9a1a7464d2abf806e64
SHA512: 666d1fe677715f3db72dc48532c63d0656fa5c107cad773633a1d2100485bbf6fe8116a889622d9eb29b699f8397f097d8ed71c748e0387a06ecb5188d926b94
Malware Config
Signatures

Nitro
A ransomware that demands Discord nitro gift codes to decrypt files.

Modifies extensions of user files (8 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: 45b3bd0d1d388b5802d643b9729043e9.exe
description | ioc | process
File created | C:\Users\Admin\Pictures\StepGroup.tiff.givemenitro | 45b3bd0d1d388b5802d643b9729043e9.exe
File opened for modification | C:\Users\Admin\Pictures\StepGroup.tiff | 45b3bd0d1d388b5802d643b9729043e9.exe
File created | C:\Users\Admin\Pictures\ConvertToUnregister.png.givemenitro | 45b3bd0d1d388b5802d643b9729043e9.exe
File created | C:\Users\Admin\Pictures\DisableClose.tiff.givemenitro | 45b3bd0d1d388b5802d643b9729043e9.exe
File opened for modification | C:\Users\Admin\Pictures\DisableClose.tiff | 45b3bd0d1d388b5802d643b9729043e9.exe
File created | C:\Users\Admin\Pictures\ReceiveCompress.tif.givemenitro | 45b3bd0d1d388b5802d643b9729043e9.exe
File created | C:\Users\Admin\Pictures\RenameRemove.tiff.givemenitro | 45b3bd0d1d388b5802d643b9729043e9.exe
File opened for modification | C:\Users\Admin\Pictures\RenameRemove.tiff | 45b3bd0d1d388b5802d643b9729043e9.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 45b3bd0d1d388b5802d643b9729043e9.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\NR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\45b3bd0d1d388b5802d643b9729043e9.exe\"" | 45b3bd0d1d388b5802d643b9729043e9.exe
Drops desktop.ini file(s) (5 IoCs)
Processes: 45b3bd0d1d388b5802d643b9729043e9.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Documents\desktop.ini | 45b3bd0d1d388b5802d643b9729043e9.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | 45b3bd0d1d388b5802d643b9729043e9.exe
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | 45b3bd0d1d388b5802d643b9729043e9.exe
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | 45b3bd0d1d388b5802d643b9729043e9.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | 45b3bd0d1d388b5802d643b9729043e9.exe
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
11 | api.ipify.org
12 | api.ipify.org
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: 45b3bd0d1d388b5802d643b9729043e9.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\wallpaper.png" | 45b3bd0d1d388b5802d643b9729043e9.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: 45b3bd0d1d388b5802d643b9729043e9.exe
pid | process
3260 | 45b3bd0d1d388b5802d643b9729043e9.exe
3260 | 45b3bd0d1d388b5802d643b9729043e9.exe
Suspicious use of AdjustPrivilegeToken (43 IoCs)
Processes: 45b3bd0d1d388b5802d643b9729043e9.exe, WMIC.exe
description | pid | process
Token: SeDebugPrivilege | 3260 | 45b3bd0d1d388b5802d643b9729043e9.exe
Token: SeIncreaseQuotaPrivilege | 4028 | WMIC.exe
Token: SeSecurityPrivilege | 4028 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 4028 | WMIC.exe
Token: SeLoadDriverPrivilege | 4028 | WMIC.exe
Token: SeSystemProfilePrivilege | 4028 | WMIC.exe
Token: SeSystemtimePrivilege | 4028 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 4028 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 4028 | WMIC.exe
Token: SeCreatePagefilePrivilege | 4028 | WMIC.exe
Token: SeBackupPrivilege | 4028 | WMIC.exe
Token: SeRestorePrivilege | 4028 | WMIC.exe
Token: SeShutdownPrivilege | 4028 | WMIC.exe
Token: SeDebugPrivilege | 4028 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 4028 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 4028 | WMIC.exe
Token: SeUndockPrivilege | 4028 | WMIC.exe
Token: SeManageVolumePrivilege | 4028 | WMIC.exe
Token: 33 | 4028 | WMIC.exe
Token: 34 | 4028 | WMIC.exe
Token: 35 | 4028 | WMIC.exe
Token: 36 | 4028 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 4028 | WMIC.exe
Token: SeSecurityPrivilege | 4028 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 4028 | WMIC.exe
Token: SeLoadDriverPrivilege | 4028 | WMIC.exe
Token: SeSystemProfilePrivilege | 4028 | WMIC.exe
Token: SeSystemtimePrivilege | 4028 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 4028 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 4028 | WMIC.exe
Token: SeCreatePagefilePrivilege | 4028 | WMIC.exe
Token: SeBackupPrivilege | 4028 | WMIC.exe
Token: SeRestorePrivilege | 4028 | WMIC.exe
Token: SeShutdownPrivilege | 4028 | WMIC.exe
Token: SeDebugPrivilege | 4028 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 4028 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 4028 | WMIC.exe
Token: SeUndockPrivilege | 4028 | WMIC.exe
Token: SeManageVolumePrivilege | 4028 | WMIC.exe
Token: 33 | 4028 | WMIC.exe
Token: 34 | 4028 | WMIC.exe
Token: 35 | 4028 | WMIC.exe
Token: 36 | 4028 | WMIC.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: 45b3bd0d1d388b5802d643b9729043e9.exe, cmd.exe
description | pid | process | procid_target
PID 3260 wrote to memory of 2844 | 3260 | 45b3bd0d1d388b5802d643b9729043e9.exe | 75
PID 3260 wrote to memory of 2844 | 3260 | 45b3bd0d1d388b5802d643b9729043e9.exe | 75
PID 3260 wrote to memory of 2844 | 3260 | 45b3bd0d1d388b5802d643b9729043e9.exe | 75
PID 2844 wrote to memory of 4028 | 2844 | cmd.exe | 77
PID 2844 wrote to memory of 4028 | 2844 | cmd.exe | 77
PID 2844 wrote to memory of 4028 | 2844 | cmd.exe | 77
Processes

C:\Users\Admin\AppData\Local\Temp\45b3bd0d1d388b5802d643b9729043e9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\45b3bd0d1d388b5802d643b9729043e9.exe"
  PID: 3260
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe"
    PID: 2844
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\Wbem\WMIC.exe
      Command line: wmic csproduct get uuid
      PID: 4028
      - Suspicious use of AdjustPrivilegeToken