nitro | 72198d0c025e9866510cb454e38b5099d345ff627ab04ba3205954142f7decda

Analysis

max time kernel
150s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
15-11-2022 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nitro.zip
Size

160KB
MD5

b81672770e0610b00421c8822ed8b1d2
SHA1

9d4c8a7a309957cd9bbf95a1e750cc60760402cb
SHA256

72198d0c025e9866510cb454e38b5099d345ff627ab04ba3205954142f7decda
SHA512

4ff65c6cf8a2d8bfaef947517eb55f70cb3267f4bf32b5e19cad7bc88a7aaf6bb526e329e28c1605ee7e7ad1c3f7d65a334e3a54ae6270f408c38c27047783f5
SSDEEP

3072:J0O62dUcflC7iHRTEur1hI4HUENiAS/N8x7Y02rzV2P4aD8tnPinAA6:WODYuH2uRhHqAS/Nm75jt/nAA6

Score

10^/10

nitro persistence ransomware

Malware Config

Signatures

Nitro
A ransomware that demands Discord nitro gift codes to decrypt files.
ransomware nitro

Modifies extensions of user files 18 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\ConvertFromReset.crw.lockedup	10f30e000c7500ef9ac1116ca3022f03a50700ce39a3f6f76c2b6202bcf14760.exe
File created	C:\Users\Admin\Pictures\StartSplit.raw.lockedup	10f30e000c7500ef9ac1116ca3022f03a50700ce39a3f6f76c2b6202bcf14760.exe
File created	C:\Users\Admin\Pictures\UnregisterExit.tiff.lockedup	10f30e000c7500ef9ac1116ca3022f03a50700ce39a3f6f76c2b6202bcf14760.exe
File created	C:\Users\Admin\Pictures\UpdateCopy.png.lockedup	10f30e000c7500ef9ac1116ca3022f03a50700ce39a3f6f76c2b6202bcf14760.exe
File opened for modification	C:\Users\Admin\Pictures\ExportSearch.png.lockedup	10f30e000c7500ef9ac1116ca3022f03a50700ce39a3f6f76c2b6202bcf14760.exe
File created	C:\Users\Admin\Pictures\FormatSelect.tif.lockedup	10f30e000c7500ef9ac1116ca3022f03a50700ce39a3f6f76c2b6202bcf14760.exe
File created	C:\Users\Admin\Pictures\GetProtect.crw.lockedup	10f30e000c7500ef9ac1116ca3022f03a50700ce39a3f6f76c2b6202bcf14760.exe
File created	C:\Users\Admin\Pictures\NewResume.raw.lockedup	10f30e000c7500ef9ac1116ca3022f03a50700ce39a3f6f76c2b6202bcf14760.exe
File created	C:\Users\Admin\Pictures\SendConvertFrom.tiff.lockedup	10f30e000c7500ef9ac1116ca3022f03a50700ce39a3f6f76c2b6202bcf14760.exe
File created	C:\Users\Admin\Pictures\StopCompare.png.lockedup	10f30e000c7500ef9ac1116ca3022f03a50700ce39a3f6f76c2b6202bcf14760.exe
File opened for modification	C:\Users\Admin\Pictures\UnregisterExit.tiff	10f30e000c7500ef9ac1116ca3022f03a50700ce39a3f6f76c2b6202bcf14760.exe
File created	C:\Users\Admin\Pictures\GroupCopy.png.lockedup	10f30e000c7500ef9ac1116ca3022f03a50700ce39a3f6f76c2b6202bcf14760.exe
File created	C:\Users\Admin\Pictures\MergeResume.crw.lockedup	10f30e000c7500ef9ac1116ca3022f03a50700ce39a3f6f76c2b6202bcf14760.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertFromReset.crw.lockedup	10f30e000c7500ef9ac1116ca3022f03a50700ce39a3f6f76c2b6202bcf14760.exe
File opened for modification	C:\Users\Admin\Pictures\FormatSelect.tif.lockedup	10f30e000c7500ef9ac1116ca3022f03a50700ce39a3f6f76c2b6202bcf14760.exe
File created	C:\Users\Admin\Pictures\ExportSearch.png.lockedup	10f30e000c7500ef9ac1116ca3022f03a50700ce39a3f6f76c2b6202bcf14760.exe
File opened for modification	C:\Users\Admin\Pictures\SendConvertFrom.tiff	10f30e000c7500ef9ac1116ca3022f03a50700ce39a3f6f76c2b6202bcf14760.exe
File opened for modification	C:\Users\Admin\Pictures\GetProtect.crw.lockedup	10f30e000c7500ef9ac1116ca3022f03a50700ce39a3f6f76c2b6202bcf14760.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\10f30e000c7500ef9ac1116ca3022f03a50700ce39a3f6f76c2b6202bcf14760.exe\""	10f30e000c7500ef9ac1116ca3022f03a50700ce39a3f6f76c2b6202bcf14760.exe

Drops desktop.ini file(s) 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Documents\desktop.ini	10f30e000c7500ef9ac1116ca3022f03a50700ce39a3f6f76c2b6202bcf14760.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	10f30e000c7500ef9ac1116ca3022f03a50700ce39a3f6f76c2b6202bcf14760.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	10f30e000c7500ef9ac1116ca3022f03a50700ce39a3f6f76c2b6202bcf14760.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	10f30e000c7500ef9ac1116ca3022f03a50700ce39a3f6f76c2b6202bcf14760.exe
File created	C:\Users\Admin\Pictures\desktop.ini	10f30e000c7500ef9ac1116ca3022f03a50700ce39a3f6f76c2b6202bcf14760.exe
File created	C:\Users\Admin\Documents\desktop.ini	10f30e000c7500ef9ac1116ca3022f03a50700ce39a3f6f76c2b6202bcf14760.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
33	api.ipify.org
34	api.ipify.org

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\wallpaper.png"	10f30e000c7500ef9ac1116ca3022f03a50700ce39a3f6f76c2b6202bcf14760.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4360	1096	WerFault.exe	34

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2520	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4136	10f30e000c7500ef9ac1116ca3022f03a50700ce39a3f6f76c2b6202bcf14760.exe
4136	10f30e000c7500ef9ac1116ca3022f03a50700ce39a3f6f76c2b6202bcf14760.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	4136	10f30e000c7500ef9ac1116ca3022f03a50700ce39a3f6f76c2b6202bcf14760.exe
Token: SeIncreaseQuotaPrivilege	1828	WMIC.exe
Token: SeSecurityPrivilege	1828	WMIC.exe
Token: SeTakeOwnershipPrivilege	1828	WMIC.exe
Token: SeLoadDriverPrivilege	1828	WMIC.exe
Token: SeSystemProfilePrivilege	1828	WMIC.exe
Token: SeSystemtimePrivilege	1828	WMIC.exe
Token: SeProfSingleProcessPrivilege	1828	WMIC.exe
Token: SeIncBasePriorityPrivilege	1828	WMIC.exe
Token: SeCreatePagefilePrivilege	1828	WMIC.exe
Token: SeBackupPrivilege	1828	WMIC.exe
Token: SeRestorePrivilege	1828	WMIC.exe
Token: SeShutdownPrivilege	1828	WMIC.exe
Token: SeDebugPrivilege	1828	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1828	WMIC.exe
Token: SeRemoteShutdownPrivilege	1828	WMIC.exe
Token: SeUndockPrivilege	1828	WMIC.exe
Token: SeManageVolumePrivilege	1828	WMIC.exe
Token: 33	1828	WMIC.exe
Token: 34	1828	WMIC.exe
Token: 35	1828	WMIC.exe
Token: 36	1828	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1828	WMIC.exe
Token: SeSecurityPrivilege	1828	WMIC.exe
Token: SeTakeOwnershipPrivilege	1828	WMIC.exe
Token: SeLoadDriverPrivilege	1828	WMIC.exe
Token: SeSystemProfilePrivilege	1828	WMIC.exe
Token: SeSystemtimePrivilege	1828	WMIC.exe
Token: SeProfSingleProcessPrivilege	1828	WMIC.exe
Token: SeIncBasePriorityPrivilege	1828	WMIC.exe
Token: SeCreatePagefilePrivilege	1828	WMIC.exe
Token: SeBackupPrivilege	1828	WMIC.exe
Token: SeRestorePrivilege	1828	WMIC.exe
Token: SeShutdownPrivilege	1828	WMIC.exe
Token: SeDebugPrivilege	1828	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1828	WMIC.exe
Token: SeRemoteShutdownPrivilege	1828	WMIC.exe
Token: SeUndockPrivilege	1828	WMIC.exe
Token: SeManageVolumePrivilege	1828	WMIC.exe
Token: 33	1828	WMIC.exe
Token: 34	1828	WMIC.exe
Token: 35	1828	WMIC.exe
Token: 36	1828	WMIC.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 428	4136	10f30e000c7500ef9ac1116ca3022f03a50700ce39a3f6f76c2b6202bcf14760.exe	97
PID 4136 wrote to memory of 428	4136	10f30e000c7500ef9ac1116ca3022f03a50700ce39a3f6f76c2b6202bcf14760.exe	97
PID 4136 wrote to memory of 428	4136	10f30e000c7500ef9ac1116ca3022f03a50700ce39a3f6f76c2b6202bcf14760.exe	97
PID 428 wrote to memory of 1828	428	cmd.exe	99
PID 428 wrote to memory of 1828	428	cmd.exe	99
PID 428 wrote to memory of 1828	428	cmd.exe	99

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\nitro.zip
1⤵
PID:3188

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 1096 -ip 1096
1⤵
PID:2252

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1096 -s 2464
1⤵
- Program crash
PID:4360

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4140

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\decrypt.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2520

C:\Users\Admin\Desktop\10f30e000c7500ef9ac1116ca3022f03a50700ce39a3f6f76c2b6202bcf14760.exe
"C:\Users\Admin\Desktop\10f30e000c7500ef9ac1116ca3022f03a50700ce39a3f6f76c2b6202bcf14760.exe"
1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:428
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4136-132-0x0000000000D20000-0x0000000000D58000-memory.dmp

Filesize
224KB

Download
memory/4136-133-0x0000000005C10000-0x00000000061B4000-memory.dmp

Filesize
5.6MB

Download
memory/4136-134-0x0000000005700000-0x0000000005792000-memory.dmp

Filesize
584KB

Download
memory/4136-137-0x00000000012C0000-0x00000000012CA000-memory.dmp

Filesize
40KB

Download