Analysis
-
max time kernel
71s -
max time network
65s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
25-09-2022 04:32
Static task
static1
Behavioral task
behavioral1
Sample
HEUR-Trojan-Ransom.Win32.Generic-32f88ed5c23e8215f8443dac1a96e0a1c3be607dfc428d6954854adfe1d7308b.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
HEUR-Trojan-Ransom.Win32.Generic-32f88ed5c23e8215f8443dac1a96e0a1c3be607dfc428d6954854adfe1d7308b.exe
Resource
win10v2004-20220812-en
General
-
Target
HEUR-Trojan-Ransom.Win32.Generic-32f88ed5c23e8215f8443dac1a96e0a1c3be607dfc428d6954854adfe1d7308b.exe
-
Size
61KB
-
MD5
94c48acae497a1c852fcfc0c1ae5665e
-
SHA1
7c11819b579d1aecd8df04f4bfa73f16b9d7b543
-
SHA256
32f88ed5c23e8215f8443dac1a96e0a1c3be607dfc428d6954854adfe1d7308b
-
SHA512
839c9005fbfa201d8123b30cd106083c5e141738c08d0f66fd62d92500a74e9947d6c2a6fc1a16fddab1d98d8e03ae9c3edfe0c01e3d404522a476419b2c900e
-
SSDEEP
768:CKsMqCXfVcWO/M9ZkiANIUJVYLDwUzc80gmq3oP/oDe:CKseiM9ZkiAP0r/0O8/oq
Malware Config
Signatures
-
Nitro
A ransomware that demands Discord nitro gift codes to decrypt files.
-
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
HEUR-Trojan-Ransom.Win32.Generic-32f88ed5c23e8215f8443dac1a96e0a1c3be607dfc428d6954854adfe1d7308b.exedescription ioc process File created C:\Users\Admin\Pictures\BlockConnect.tiff.givemenitro HEUR-Trojan-Ransom.Win32.Generic-32f88ed5c23e8215f8443dac1a96e0a1c3be607dfc428d6954854adfe1d7308b.exe File opened for modification C:\Users\Admin\Pictures\BlockConnect.tiff HEUR-Trojan-Ransom.Win32.Generic-32f88ed5c23e8215f8443dac1a96e0a1c3be607dfc428d6954854adfe1d7308b.exe File created C:\Users\Admin\Pictures\ConvertRestore.raw.givemenitro HEUR-Trojan-Ransom.Win32.Generic-32f88ed5c23e8215f8443dac1a96e0a1c3be607dfc428d6954854adfe1d7308b.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
HEUR-Trojan-Ransom.Win32.Generic-32f88ed5c23e8215f8443dac1a96e0a1c3be607dfc428d6954854adfe1d7308b.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\NR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\" HEUR-Trojan-Ransom.Win32.Generic-32f88ed5c23e8215f8443dac1a96e0a1c3be607dfc428d6954854adfe1d7308b.exe -
Drops desktop.ini file(s) 3 IoCs
Processes:
HEUR-Trojan-Ransom.Win32.Generic-32f88ed5c23e8215f8443dac1a96e0a1c3be607dfc428d6954854adfe1d7308b.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\desktop.ini HEUR-Trojan-Ransom.Win32.Generic-32f88ed5c23e8215f8443dac1a96e0a1c3be607dfc428d6954854adfe1d7308b.exe File opened for modification C:\Users\Admin\Documents\desktop.ini HEUR-Trojan-Ransom.Win32.Generic-32f88ed5c23e8215f8443dac1a96e0a1c3be607dfc428d6954854adfe1d7308b.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini HEUR-Trojan-Ransom.Win32.Generic-32f88ed5c23e8215f8443dac1a96e0a1c3be607dfc428d6954854adfe1d7308b.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 3 api.ipify.org 4 api.ipify.org -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
HEUR-Trojan-Ransom.Win32.Generic-32f88ed5c23e8215f8443dac1a96e0a1c3be607dfc428d6954854adfe1d7308b.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\wallpaper.png" HEUR-Trojan-Ransom.Win32.Generic-32f88ed5c23e8215f8443dac1a96e0a1c3be607dfc428d6954854adfe1d7308b.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" HEUR-Trojan-Ransom.Win32.Generic-32f88ed5c23e8215f8443dac1a96e0a1c3be607dfc428d6954854adfe1d7308b.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
HEUR-Trojan-Ransom.Win32.Generic-32f88ed5c23e8215f8443dac1a96e0a1c3be607dfc428d6954854adfe1d7308b.exepid process 1060 HEUR-Trojan-Ransom.Win32.Generic-32f88ed5c23e8215f8443dac1a96e0a1c3be607dfc428d6954854adfe1d7308b.exe 1060 HEUR-Trojan-Ransom.Win32.Generic-32f88ed5c23e8215f8443dac1a96e0a1c3be607dfc428d6954854adfe1d7308b.exe -
Suspicious use of AdjustPrivilegeToken 41 IoCs
Processes:
HEUR-Trojan-Ransom.Win32.Generic-32f88ed5c23e8215f8443dac1a96e0a1c3be607dfc428d6954854adfe1d7308b.exeWMIC.exedescription pid process Token: SeDebugPrivilege 1060 HEUR-Trojan-Ransom.Win32.Generic-32f88ed5c23e8215f8443dac1a96e0a1c3be607dfc428d6954854adfe1d7308b.exe Token: SeIncreaseQuotaPrivilege 112 WMIC.exe Token: SeSecurityPrivilege 112 WMIC.exe Token: SeTakeOwnershipPrivilege 112 WMIC.exe Token: SeLoadDriverPrivilege 112 WMIC.exe Token: SeSystemProfilePrivilege 112 WMIC.exe Token: SeSystemtimePrivilege 112 WMIC.exe Token: SeProfSingleProcessPrivilege 112 WMIC.exe Token: SeIncBasePriorityPrivilege 112 WMIC.exe Token: SeCreatePagefilePrivilege 112 WMIC.exe Token: SeBackupPrivilege 112 WMIC.exe Token: SeRestorePrivilege 112 WMIC.exe Token: SeShutdownPrivilege 112 WMIC.exe Token: SeDebugPrivilege 112 WMIC.exe Token: SeSystemEnvironmentPrivilege 112 WMIC.exe Token: SeRemoteShutdownPrivilege 112 WMIC.exe Token: SeUndockPrivilege 112 WMIC.exe Token: SeManageVolumePrivilege 112 WMIC.exe Token: 33 112 WMIC.exe Token: 34 112 WMIC.exe Token: 35 112 WMIC.exe Token: SeIncreaseQuotaPrivilege 112 WMIC.exe Token: SeSecurityPrivilege 112 WMIC.exe Token: SeTakeOwnershipPrivilege 112 WMIC.exe Token: SeLoadDriverPrivilege 112 WMIC.exe Token: SeSystemProfilePrivilege 112 WMIC.exe Token: SeSystemtimePrivilege 112 WMIC.exe Token: SeProfSingleProcessPrivilege 112 WMIC.exe Token: SeIncBasePriorityPrivilege 112 WMIC.exe Token: SeCreatePagefilePrivilege 112 WMIC.exe Token: SeBackupPrivilege 112 WMIC.exe Token: SeRestorePrivilege 112 WMIC.exe Token: SeShutdownPrivilege 112 WMIC.exe Token: SeDebugPrivilege 112 WMIC.exe Token: SeSystemEnvironmentPrivilege 112 WMIC.exe Token: SeRemoteShutdownPrivilege 112 WMIC.exe Token: SeUndockPrivilege 112 WMIC.exe Token: SeManageVolumePrivilege 112 WMIC.exe Token: 33 112 WMIC.exe Token: 34 112 WMIC.exe Token: 35 112 WMIC.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
HEUR-Trojan-Ransom.Win32.Generic-32f88ed5c23e8215f8443dac1a96e0a1c3be607dfc428d6954854adfe1d7308b.execmd.exedescription pid process target process PID 1060 wrote to memory of 2020 1060 HEUR-Trojan-Ransom.Win32.Generic-32f88ed5c23e8215f8443dac1a96e0a1c3be607dfc428d6954854adfe1d7308b.exe cmd.exe PID 1060 wrote to memory of 2020 1060 HEUR-Trojan-Ransom.Win32.Generic-32f88ed5c23e8215f8443dac1a96e0a1c3be607dfc428d6954854adfe1d7308b.exe cmd.exe PID 1060 wrote to memory of 2020 1060 HEUR-Trojan-Ransom.Win32.Generic-32f88ed5c23e8215f8443dac1a96e0a1c3be607dfc428d6954854adfe1d7308b.exe cmd.exe PID 1060 wrote to memory of 2020 1060 HEUR-Trojan-Ransom.Win32.Generic-32f88ed5c23e8215f8443dac1a96e0a1c3be607dfc428d6954854adfe1d7308b.exe cmd.exe PID 2020 wrote to memory of 112 2020 cmd.exe WMIC.exe PID 2020 wrote to memory of 112 2020 cmd.exe WMIC.exe PID 2020 wrote to memory of 112 2020 cmd.exe WMIC.exe PID 2020 wrote to memory of 112 2020 cmd.exe WMIC.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.Win32.Generic-32f88ed5c23e8215f8443dac1a96e0a1c3be607dfc428d6954854adfe1d7308b.exe"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.Win32.Generic-32f88ed5c23e8215f8443dac1a96e0a1c3be607dfc428d6954854adfe1d7308b.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/112-57-0x0000000000000000-mapping.dmp
-
memory/1060-54-0x0000000000AD0000-0x0000000000AE6000-memory.dmpFilesize
88KB
-
memory/1060-55-0x0000000074DC1000-0x0000000074DC3000-memory.dmpFilesize
8KB
-
memory/1060-58-0x0000000004C65000-0x0000000004C76000-memory.dmpFilesize
68KB
-
memory/2020-56-0x0000000000000000-mapping.dmp