Analysis
-
max time kernel
90s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
04-01-2023 16:54
Static task
static1
Behavioral task
behavioral1
Sample
NitroRansomware.exe
Resource
win10v2004-20221111-en
windows10-2004-x64
10 signatures
150 seconds
General
-
Target
NitroRansomware.exe
-
Size
61KB
-
MD5
a0c0192c30c048044421d25c23501582
-
SHA1
d6080d25a6439238d0a8e90e6bbfc229680ecf3b
-
SHA256
eeee4913ce5c133dfc97b42d9736ee144686682d98c9a00dc69f3993a3da1db1
-
SHA512
af11e4b7d07c68d06caa9a1da4bb888e4c131f109b2bc1c7835a06be73591e4e66109532c70f4f7d3eddcb43a23ce9c4111fe44b60b73ea6bd07490546db756b
-
SSDEEP
768:K3KsMqCXfVcWlQM9ZkCANIUL5PGLDwUzc80gmq3oP/oDy:KKseSM9ZkCAPor/0O8/oO
Score
10/10
Malware Config
Signatures
-
Nitro
A ransomware that demands Discord nitro gift codes to decrypt files.
-
Modifies extensions of user files 6 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File created C:\Users\Admin\Pictures\OutBlock.tiff.givemenitro NitroRansomware.exe File opened for modification C:\Users\Admin\Pictures\OutBlock.tiff NitroRansomware.exe File created C:\Users\Admin\Pictures\ResetUnprotect.png.givemenitro NitroRansomware.exe File created C:\Users\Admin\Pictures\TestMount.png.givemenitro NitroRansomware.exe File created C:\Users\Admin\Pictures\GetUnprotect.png.givemenitro NitroRansomware.exe File created C:\Users\Admin\Pictures\MoveSave.tif.givemenitro NitroRansomware.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NitroRansomware.exe\"" NitroRansomware.exe -
Drops desktop.ini file(s) 5 IoCs
description ioc Process File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini NitroRansomware.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini NitroRansomware.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini NitroRansomware.exe File opened for modification C:\Users\Admin\Documents\desktop.ini NitroRansomware.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini NitroRansomware.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 api.ipify.org -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\wallpaper.png" NitroRansomware.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4212 NitroRansomware.exe 4212 NitroRansomware.exe -
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process Token: SeDebugPrivilege 4212 NitroRansomware.exe Token: SeIncreaseQuotaPrivilege 1588 WMIC.exe Token: SeSecurityPrivilege 1588 WMIC.exe Token: SeTakeOwnershipPrivilege 1588 WMIC.exe Token: SeLoadDriverPrivilege 1588 WMIC.exe Token: SeSystemProfilePrivilege 1588 WMIC.exe Token: SeSystemtimePrivilege 1588 WMIC.exe Token: SeProfSingleProcessPrivilege 1588 WMIC.exe Token: SeIncBasePriorityPrivilege 1588 WMIC.exe Token: SeCreatePagefilePrivilege 1588 WMIC.exe Token: SeBackupPrivilege 1588 WMIC.exe Token: SeRestorePrivilege 1588 WMIC.exe Token: SeShutdownPrivilege 1588 WMIC.exe Token: SeDebugPrivilege 1588 WMIC.exe Token: SeSystemEnvironmentPrivilege 1588 WMIC.exe Token: SeRemoteShutdownPrivilege 1588 WMIC.exe Token: SeUndockPrivilege 1588 WMIC.exe Token: SeManageVolumePrivilege 1588 WMIC.exe Token: 33 1588 WMIC.exe Token: 34 1588 WMIC.exe Token: 35 1588 WMIC.exe Token: 36 1588 WMIC.exe Token: SeIncreaseQuotaPrivilege 1588 WMIC.exe Token: SeSecurityPrivilege 1588 WMIC.exe Token: SeTakeOwnershipPrivilege 1588 WMIC.exe Token: SeLoadDriverPrivilege 1588 WMIC.exe Token: SeSystemProfilePrivilege 1588 WMIC.exe Token: SeSystemtimePrivilege 1588 WMIC.exe Token: SeProfSingleProcessPrivilege 1588 WMIC.exe Token: SeIncBasePriorityPrivilege 1588 WMIC.exe Token: SeCreatePagefilePrivilege 1588 WMIC.exe Token: SeBackupPrivilege 1588 WMIC.exe Token: SeRestorePrivilege 1588 WMIC.exe Token: SeShutdownPrivilege 1588 WMIC.exe Token: SeDebugPrivilege 1588 WMIC.exe Token: SeSystemEnvironmentPrivilege 1588 WMIC.exe Token: SeRemoteShutdownPrivilege 1588 WMIC.exe Token: SeUndockPrivilege 1588 WMIC.exe Token: SeManageVolumePrivilege 1588 WMIC.exe Token: 33 1588 WMIC.exe Token: 34 1588 WMIC.exe Token: 35 1588 WMIC.exe Token: 36 1588 WMIC.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4212 wrote to memory of 3272 4212 NitroRansomware.exe 78 PID 4212 wrote to memory of 3272 4212 NitroRansomware.exe 78 PID 4212 wrote to memory of 3272 4212 NitroRansomware.exe 78 PID 3272 wrote to memory of 1588 3272 cmd.exe 81 PID 3272 wrote to memory of 1588 3272 cmd.exe 81 PID 3272 wrote to memory of 1588 3272 cmd.exe 81
Processes
-
C:\Users\Admin\AppData\Local\Temp\NitroRansomware.exe"C:\Users\Admin\AppData\Local\Temp\NitroRansomware.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4212 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:3272 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1588
-
-