Analysis
-
max time kernel
159s -
max time network
167s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
15-04-2022 19:56
Static task
static1
Behavioral task
behavioral1
Sample
NitroRansomware.exe
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
NitroRansomware.exe
Resource
win10v2004-20220414-en
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
NitroRansomware.exe
-
Size
108KB
-
MD5
3fff55017f68f7fd04157b08e2cf8b59
-
SHA1
e7fd09b650526bab65091f6db7484578143fd3d2
-
SHA256
00a84b4d7c45a603efaf946f2422e8ce64ebb632473ec36c34c03a94739e745a
-
SHA512
f77719aa974d85473c10f278991a3cc742fee5464039b102b12c5a436277726e79bea276be641450c73bf0ceab5bad8deaa42b4687f0e8c40873972be631a8ba
Score
8/10
Malware Config
Signatures
-
Modifies extensions of user files 8 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File created C:\Users\Admin\Pictures\ExportStart.raw.givemenitro NitroRansomware.exe File created C:\Users\Admin\Pictures\InitializeWatch.raw.givemenitro NitroRansomware.exe File created C:\Users\Admin\Pictures\ResetClear.tiff.givemenitro NitroRansomware.exe File opened for modification C:\Users\Admin\Pictures\ResetClear.tiff NitroRansomware.exe File created C:\Users\Admin\Pictures\ResolveConvert.raw.givemenitro NitroRansomware.exe File created C:\Users\Admin\Pictures\ApproveMount.crw.givemenitro NitroRansomware.exe File created C:\Users\Admin\Pictures\ConvertResume.raw.givemenitro NitroRansomware.exe File created C:\Users\Admin\Pictures\DisconnectDebug.raw.givemenitro NitroRansomware.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NitroRansomware.exe\"" NitroRansomware.exe -
Drops desktop.ini file(s) 3 IoCs
description ioc Process File opened for modification C:\Users\Admin\Pictures\desktop.ini NitroRansomware.exe File opened for modification C:\Users\Admin\Documents\desktop.ini NitroRansomware.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini NitroRansomware.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 api.ipify.org 3 api.ipify.org -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1272 NitroRansomware.exe 1272 NitroRansomware.exe -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process Token: SeDebugPrivilege 1272 NitroRansomware.exe Token: SeIncreaseQuotaPrivilege 4824 WMIC.exe Token: SeSecurityPrivilege 4824 WMIC.exe Token: SeTakeOwnershipPrivilege 4824 WMIC.exe Token: SeLoadDriverPrivilege 4824 WMIC.exe Token: SeSystemProfilePrivilege 4824 WMIC.exe Token: SeSystemtimePrivilege 4824 WMIC.exe Token: SeProfSingleProcessPrivilege 4824 WMIC.exe Token: SeIncBasePriorityPrivilege 4824 WMIC.exe Token: SeCreatePagefilePrivilege 4824 WMIC.exe Token: SeBackupPrivilege 4824 WMIC.exe Token: SeRestorePrivilege 4824 WMIC.exe Token: SeShutdownPrivilege 4824 WMIC.exe Token: SeDebugPrivilege 4824 WMIC.exe Token: SeSystemEnvironmentPrivilege 4824 WMIC.exe Token: SeRemoteShutdownPrivilege 4824 WMIC.exe Token: SeUndockPrivilege 4824 WMIC.exe Token: SeManageVolumePrivilege 4824 WMIC.exe Token: 33 4824 WMIC.exe Token: 34 4824 WMIC.exe Token: 35 4824 WMIC.exe Token: 36 4824 WMIC.exe Token: SeIncreaseQuotaPrivilege 4824 WMIC.exe Token: SeSecurityPrivilege 4824 WMIC.exe Token: SeTakeOwnershipPrivilege 4824 WMIC.exe Token: SeLoadDriverPrivilege 4824 WMIC.exe Token: SeSystemProfilePrivilege 4824 WMIC.exe Token: SeSystemtimePrivilege 4824 WMIC.exe Token: SeProfSingleProcessPrivilege 4824 WMIC.exe Token: SeIncBasePriorityPrivilege 4824 WMIC.exe Token: SeCreatePagefilePrivilege 4824 WMIC.exe Token: SeBackupPrivilege 4824 WMIC.exe Token: SeRestorePrivilege 4824 WMIC.exe Token: SeShutdownPrivilege 4824 WMIC.exe Token: SeDebugPrivilege 4824 WMIC.exe Token: SeSystemEnvironmentPrivilege 4824 WMIC.exe Token: SeRemoteShutdownPrivilege 4824 WMIC.exe Token: SeUndockPrivilege 4824 WMIC.exe Token: SeManageVolumePrivilege 4824 WMIC.exe Token: 33 4824 WMIC.exe Token: 34 4824 WMIC.exe Token: 35 4824 WMIC.exe Token: 36 4824 WMIC.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 1272 wrote to memory of 1296 1272 NitroRansomware.exe 75 PID 1272 wrote to memory of 1296 1272 NitroRansomware.exe 75 PID 1272 wrote to memory of 1296 1272 NitroRansomware.exe 75 PID 1296 wrote to memory of 4824 1296 cmd.exe 77 PID 1296 wrote to memory of 4824 1296 cmd.exe 77 PID 1296 wrote to memory of 4824 1296 cmd.exe 77
Processes
-
C:\Users\Admin\AppData\Local\Temp\NitroRansomware.exe"C:\Users\Admin\AppData\Local\Temp\NitroRansomware.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4824
-
-