Analysis
-
max time kernel
90s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
25-09-2022 04:33
Static task
static1
Behavioral task
behavioral1
Sample
HEUR-Trojan-Ransom.Win32.Generic-abbac1d240758fe349c6765e118ff6a5e34e080d10542593a154ca32b222b83f.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
HEUR-Trojan-Ransom.Win32.Generic-abbac1d240758fe349c6765e118ff6a5e34e080d10542593a154ca32b222b83f.exe
Resource
win10v2004-20220812-en
General
-
Target
HEUR-Trojan-Ransom.Win32.Generic-abbac1d240758fe349c6765e118ff6a5e34e080d10542593a154ca32b222b83f.exe
-
Size
61KB
-
MD5
f218346ca2a666282ca4987def10313c
-
SHA1
3635c7c7ba1dc1059f685819e5e9bd29037a6ae0
-
SHA256
abbac1d240758fe349c6765e118ff6a5e34e080d10542593a154ca32b222b83f
-
SHA512
6ddb2a524399189bbe26a6df9f53b9ff9398761896ccd65fe40570800b5b5a521b5827079cecd91144228fc9eac6f13c3447334549b9f3364303d17d5d754d56
-
SSDEEP
768:qKsMqCXfVcWl0M9ZQSANIULMkLDwUzc80gmq3oP/oDy:qKsemM9ZQSAPdr/0O8/om
Malware Config
Signatures
-
Nitro
A ransomware that demands Discord nitro gift codes to decrypt files.
-
Modifies extensions of user files 9 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
HEUR-Trojan-Ransom.Win32.Generic-abbac1d240758fe349c6765e118ff6a5e34e080d10542593a154ca32b222b83f.exedescription ioc process File created C:\Users\Admin\Pictures\CopyPush.tif.givemenitro HEUR-Trojan-Ransom.Win32.Generic-abbac1d240758fe349c6765e118ff6a5e34e080d10542593a154ca32b222b83f.exe File created C:\Users\Admin\Pictures\ResumeRead.tiff.givemenitro HEUR-Trojan-Ransom.Win32.Generic-abbac1d240758fe349c6765e118ff6a5e34e080d10542593a154ca32b222b83f.exe File opened for modification C:\Users\Admin\Pictures\SwitchConvertTo.tiff HEUR-Trojan-Ransom.Win32.Generic-abbac1d240758fe349c6765e118ff6a5e34e080d10542593a154ca32b222b83f.exe File created C:\Users\Admin\Pictures\UndoSelect.tiff.givemenitro HEUR-Trojan-Ransom.Win32.Generic-abbac1d240758fe349c6765e118ff6a5e34e080d10542593a154ca32b222b83f.exe File created C:\Users\Admin\Pictures\DenySet.tif.givemenitro HEUR-Trojan-Ransom.Win32.Generic-abbac1d240758fe349c6765e118ff6a5e34e080d10542593a154ca32b222b83f.exe File created C:\Users\Admin\Pictures\ReadSave.crw.givemenitro HEUR-Trojan-Ransom.Win32.Generic-abbac1d240758fe349c6765e118ff6a5e34e080d10542593a154ca32b222b83f.exe File opened for modification C:\Users\Admin\Pictures\ResumeRead.tiff HEUR-Trojan-Ransom.Win32.Generic-abbac1d240758fe349c6765e118ff6a5e34e080d10542593a154ca32b222b83f.exe File created C:\Users\Admin\Pictures\SwitchConvertTo.tiff.givemenitro HEUR-Trojan-Ransom.Win32.Generic-abbac1d240758fe349c6765e118ff6a5e34e080d10542593a154ca32b222b83f.exe File opened for modification C:\Users\Admin\Pictures\UndoSelect.tiff HEUR-Trojan-Ransom.Win32.Generic-abbac1d240758fe349c6765e118ff6a5e34e080d10542593a154ca32b222b83f.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
HEUR-Trojan-Ransom.Win32.Generic-abbac1d240758fe349c6765e118ff6a5e34e080d10542593a154ca32b222b83f.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HEUR-Trojan-Ransom.Win32.Generic-abbac1d240758fe349c6765e118ff6a5e34e080d10542593a154ca32b222b83f.exe\"" HEUR-Trojan-Ransom.Win32.Generic-abbac1d240758fe349c6765e118ff6a5e34e080d10542593a154ca32b222b83f.exe -
Drops desktop.ini file(s) 5 IoCs
Processes:
HEUR-Trojan-Ransom.Win32.Generic-abbac1d240758fe349c6765e118ff6a5e34e080d10542593a154ca32b222b83f.exedescription ioc process File opened for modification C:\Users\Admin\Desktop\desktop.ini HEUR-Trojan-Ransom.Win32.Generic-abbac1d240758fe349c6765e118ff6a5e34e080d10542593a154ca32b222b83f.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini HEUR-Trojan-Ransom.Win32.Generic-abbac1d240758fe349c6765e118ff6a5e34e080d10542593a154ca32b222b83f.exe File opened for modification C:\Users\Admin\Documents\desktop.ini HEUR-Trojan-Ransom.Win32.Generic-abbac1d240758fe349c6765e118ff6a5e34e080d10542593a154ca32b222b83f.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini HEUR-Trojan-Ransom.Win32.Generic-abbac1d240758fe349c6765e118ff6a5e34e080d10542593a154ca32b222b83f.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini HEUR-Trojan-Ransom.Win32.Generic-abbac1d240758fe349c6765e118ff6a5e34e080d10542593a154ca32b222b83f.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 6 api.ipify.org 7 api.ipify.org -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
HEUR-Trojan-Ransom.Win32.Generic-abbac1d240758fe349c6765e118ff6a5e34e080d10542593a154ca32b222b83f.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\wallpaper.png" HEUR-Trojan-Ransom.Win32.Generic-abbac1d240758fe349c6765e118ff6a5e34e080d10542593a154ca32b222b83f.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
HEUR-Trojan-Ransom.Win32.Generic-abbac1d240758fe349c6765e118ff6a5e34e080d10542593a154ca32b222b83f.exepid process 1136 HEUR-Trojan-Ransom.Win32.Generic-abbac1d240758fe349c6765e118ff6a5e34e080d10542593a154ca32b222b83f.exe 1136 HEUR-Trojan-Ransom.Win32.Generic-abbac1d240758fe349c6765e118ff6a5e34e080d10542593a154ca32b222b83f.exe -
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes:
HEUR-Trojan-Ransom.Win32.Generic-abbac1d240758fe349c6765e118ff6a5e34e080d10542593a154ca32b222b83f.exeWMIC.exedescription pid process Token: SeDebugPrivilege 1136 HEUR-Trojan-Ransom.Win32.Generic-abbac1d240758fe349c6765e118ff6a5e34e080d10542593a154ca32b222b83f.exe Token: SeIncreaseQuotaPrivilege 4920 WMIC.exe Token: SeSecurityPrivilege 4920 WMIC.exe Token: SeTakeOwnershipPrivilege 4920 WMIC.exe Token: SeLoadDriverPrivilege 4920 WMIC.exe Token: SeSystemProfilePrivilege 4920 WMIC.exe Token: SeSystemtimePrivilege 4920 WMIC.exe Token: SeProfSingleProcessPrivilege 4920 WMIC.exe Token: SeIncBasePriorityPrivilege 4920 WMIC.exe Token: SeCreatePagefilePrivilege 4920 WMIC.exe Token: SeBackupPrivilege 4920 WMIC.exe Token: SeRestorePrivilege 4920 WMIC.exe Token: SeShutdownPrivilege 4920 WMIC.exe Token: SeDebugPrivilege 4920 WMIC.exe Token: SeSystemEnvironmentPrivilege 4920 WMIC.exe Token: SeRemoteShutdownPrivilege 4920 WMIC.exe Token: SeUndockPrivilege 4920 WMIC.exe Token: SeManageVolumePrivilege 4920 WMIC.exe Token: 33 4920 WMIC.exe Token: 34 4920 WMIC.exe Token: 35 4920 WMIC.exe Token: 36 4920 WMIC.exe Token: SeIncreaseQuotaPrivilege 4920 WMIC.exe Token: SeSecurityPrivilege 4920 WMIC.exe Token: SeTakeOwnershipPrivilege 4920 WMIC.exe Token: SeLoadDriverPrivilege 4920 WMIC.exe Token: SeSystemProfilePrivilege 4920 WMIC.exe Token: SeSystemtimePrivilege 4920 WMIC.exe Token: SeProfSingleProcessPrivilege 4920 WMIC.exe Token: SeIncBasePriorityPrivilege 4920 WMIC.exe Token: SeCreatePagefilePrivilege 4920 WMIC.exe Token: SeBackupPrivilege 4920 WMIC.exe Token: SeRestorePrivilege 4920 WMIC.exe Token: SeShutdownPrivilege 4920 WMIC.exe Token: SeDebugPrivilege 4920 WMIC.exe Token: SeSystemEnvironmentPrivilege 4920 WMIC.exe Token: SeRemoteShutdownPrivilege 4920 WMIC.exe Token: SeUndockPrivilege 4920 WMIC.exe Token: SeManageVolumePrivilege 4920 WMIC.exe Token: 33 4920 WMIC.exe Token: 34 4920 WMIC.exe Token: 35 4920 WMIC.exe Token: 36 4920 WMIC.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
HEUR-Trojan-Ransom.Win32.Generic-abbac1d240758fe349c6765e118ff6a5e34e080d10542593a154ca32b222b83f.execmd.exedescription pid process target process PID 1136 wrote to memory of 4928 1136 HEUR-Trojan-Ransom.Win32.Generic-abbac1d240758fe349c6765e118ff6a5e34e080d10542593a154ca32b222b83f.exe cmd.exe PID 1136 wrote to memory of 4928 1136 HEUR-Trojan-Ransom.Win32.Generic-abbac1d240758fe349c6765e118ff6a5e34e080d10542593a154ca32b222b83f.exe cmd.exe PID 1136 wrote to memory of 4928 1136 HEUR-Trojan-Ransom.Win32.Generic-abbac1d240758fe349c6765e118ff6a5e34e080d10542593a154ca32b222b83f.exe cmd.exe PID 4928 wrote to memory of 4920 4928 cmd.exe WMIC.exe PID 4928 wrote to memory of 4920 4928 cmd.exe WMIC.exe PID 4928 wrote to memory of 4920 4928 cmd.exe WMIC.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.Win32.Generic-abbac1d240758fe349c6765e118ff6a5e34e080d10542593a154ca32b222b83f.exe"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan-Ransom.Win32.Generic-abbac1d240758fe349c6765e118ff6a5e34e080d10542593a154ca32b222b83f.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1136-132-0x00000000009D0000-0x00000000009E6000-memory.dmpFilesize
88KB
-
memory/1136-133-0x0000000005840000-0x0000000005DE4000-memory.dmpFilesize
5.6MB
-
memory/1136-134-0x0000000005390000-0x0000000005422000-memory.dmpFilesize
584KB
-
memory/1136-137-0x00000000012D0000-0x00000000012DA000-memory.dmpFilesize
40KB
-
memory/4920-136-0x0000000000000000-mapping.dmp
-
memory/4928-135-0x0000000000000000-mapping.dmp