nitro | 056f57fb1be7827272aeea42c255cfb62f8c9960072eb9a1a7464d2abf806e64

General

Target

45b3bd0d1d388b5802d643b9729043e9.exe
Size

60KB
MD5

45b3bd0d1d388b5802d643b9729043e9
SHA1

8e9fce72a1fe5f46e4057b5123667087c1d8e379
SHA256

056f57fb1be7827272aeea42c255cfb62f8c9960072eb9a1a7464d2abf806e64
SHA512

666d1fe677715f3db72dc48532c63d0656fa5c107cad773633a1d2100485bbf6fe8116a889622d9eb29b699f8397f097d8ed71c748e0387a06ecb5188d926b94

Score

10^/10

nitro persistence ransomware

Malware Config

Signatures

Nitro
A ransomware that demands Discord nitro gift codes to decrypt files.
ransomware nitro

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

45b3bd0d1d388b5802d643b9729043e9.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\StepGroup.tiff.givemenitro	45b3bd0d1d388b5802d643b9729043e9.exe
File opened for modification	C:\Users\Admin\Pictures\StepGroup.tiff	45b3bd0d1d388b5802d643b9729043e9.exe
File created	C:\Users\Admin\Pictures\ConvertToUnregister.png.givemenitro	45b3bd0d1d388b5802d643b9729043e9.exe
File created	C:\Users\Admin\Pictures\DisableClose.tiff.givemenitro	45b3bd0d1d388b5802d643b9729043e9.exe
File opened for modification	C:\Users\Admin\Pictures\DisableClose.tiff	45b3bd0d1d388b5802d643b9729043e9.exe
File created	C:\Users\Admin\Pictures\ReceiveCompress.tif.givemenitro	45b3bd0d1d388b5802d643b9729043e9.exe
File created	C:\Users\Admin\Pictures\RenameRemove.tiff.givemenitro	45b3bd0d1d388b5802d643b9729043e9.exe
File opened for modification	C:\Users\Admin\Pictures\RenameRemove.tiff	45b3bd0d1d388b5802d643b9729043e9.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

45b3bd0d1d388b5802d643b9729043e9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\NR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\45b3bd0d1d388b5802d643b9729043e9.exe\""	45b3bd0d1d388b5802d643b9729043e9.exe

Drops desktop.ini file(s) 5 IoCs

Processes:

45b3bd0d1d388b5802d643b9729043e9.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Documents\desktop.ini	45b3bd0d1d388b5802d643b9729043e9.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	45b3bd0d1d388b5802d643b9729043e9.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	45b3bd0d1d388b5802d643b9729043e9.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	45b3bd0d1d388b5802d643b9729043e9.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	45b3bd0d1d388b5802d643b9729043e9.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 api.ipify.org
12 api.ipify.org

flow	ioc
11	api.ipify.org
12	api.ipify.org

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

45b3bd0d1d388b5802d643b9729043e9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\wallpaper.png"	45b3bd0d1d388b5802d643b9729043e9.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

45b3bd0d1d388b5802d643b9729043e9.exe

pid process

3260 45b3bd0d1d388b5802d643b9729043e9.exe
3260 45b3bd0d1d388b5802d643b9729043e9.exe

pid	process
3260	45b3bd0d1d388b5802d643b9729043e9.exe
3260	45b3bd0d1d388b5802d643b9729043e9.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

45b3bd0d1d388b5802d643b9729043e9.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3260	45b3bd0d1d388b5802d643b9729043e9.exe
Token: SeIncreaseQuotaPrivilege	4028	WMIC.exe
Token: SeSecurityPrivilege	4028	WMIC.exe
Token: SeTakeOwnershipPrivilege	4028	WMIC.exe
Token: SeLoadDriverPrivilege	4028	WMIC.exe
Token: SeSystemProfilePrivilege	4028	WMIC.exe
Token: SeSystemtimePrivilege	4028	WMIC.exe
Token: SeProfSingleProcessPrivilege	4028	WMIC.exe
Token: SeIncBasePriorityPrivilege	4028	WMIC.exe
Token: SeCreatePagefilePrivilege	4028	WMIC.exe
Token: SeBackupPrivilege	4028	WMIC.exe
Token: SeRestorePrivilege	4028	WMIC.exe
Token: SeShutdownPrivilege	4028	WMIC.exe
Token: SeDebugPrivilege	4028	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4028	WMIC.exe
Token: SeRemoteShutdownPrivilege	4028	WMIC.exe
Token: SeUndockPrivilege	4028	WMIC.exe
Token: SeManageVolumePrivilege	4028	WMIC.exe
Token: 33	4028	WMIC.exe
Token: 34	4028	WMIC.exe
Token: 35	4028	WMIC.exe
Token: 36	4028	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4028	WMIC.exe
Token: SeSecurityPrivilege	4028	WMIC.exe
Token: SeTakeOwnershipPrivilege	4028	WMIC.exe
Token: SeLoadDriverPrivilege	4028	WMIC.exe
Token: SeSystemProfilePrivilege	4028	WMIC.exe
Token: SeSystemtimePrivilege	4028	WMIC.exe
Token: SeProfSingleProcessPrivilege	4028	WMIC.exe
Token: SeIncBasePriorityPrivilege	4028	WMIC.exe
Token: SeCreatePagefilePrivilege	4028	WMIC.exe
Token: SeBackupPrivilege	4028	WMIC.exe
Token: SeRestorePrivilege	4028	WMIC.exe
Token: SeShutdownPrivilege	4028	WMIC.exe
Token: SeDebugPrivilege	4028	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4028	WMIC.exe
Token: SeRemoteShutdownPrivilege	4028	WMIC.exe
Token: SeUndockPrivilege	4028	WMIC.exe
Token: SeManageVolumePrivilege	4028	WMIC.exe
Token: 33	4028	WMIC.exe
Token: 34	4028	WMIC.exe
Token: 35	4028	WMIC.exe
Token: 36	4028	WMIC.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

45b3bd0d1d388b5802d643b9729043e9.execmd.exe

description	pid	process	target process
PID 3260 wrote to memory of 2844	3260	45b3bd0d1d388b5802d643b9729043e9.exe	cmd.exe
PID 3260 wrote to memory of 2844	3260	45b3bd0d1d388b5802d643b9729043e9.exe	cmd.exe
PID 3260 wrote to memory of 2844	3260	45b3bd0d1d388b5802d643b9729043e9.exe	cmd.exe
PID 2844 wrote to memory of 4028	2844	cmd.exe	WMIC.exe
PID 2844 wrote to memory of 4028	2844	cmd.exe	WMIC.exe
PID 2844 wrote to memory of 4028	2844	cmd.exe	WMIC.exe

C:\Users\Admin\AppData\Local\Temp\45b3bd0d1d388b5802d643b9729043e9.exe
"C:\Users\Admin\AppData\Local\Temp\45b3bd0d1d388b5802d643b9729043e9.exe"
1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3260

C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2844-118-0x0000000000000000-mapping.dmp

Download
memory/3260-114-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/3260-116-0x0000000005990000-0x0000000005991000-memory.dmp

Filesize
4KB

Download
memory/3260-117-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/3260-119-0x0000000005490000-0x000000000598E000-memory.dmp

Filesize
5.0MB

Download
memory/3260-121-0x0000000001580000-0x0000000001581000-memory.dmp

Filesize
4KB

Download
memory/3260-123-0x0000000005490000-0x000000000598E000-memory.dmp

Filesize
5.0MB

Download
memory/3260-122-0x0000000005490000-0x000000000598E000-memory.dmp

Filesize
5.0MB

Download
memory/4028-120-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads