Resubmissions

30-06-2023 03:23

230630-dxn9hagh4t 10

30-06-2023 03:00

230630-dhqh1sgh3s 10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20230621-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-06-2023 03:00

General

  • Target

    NitroRansomware.exe

  • Size

    61KB

  • MD5

    f34e35e3380bd7b8744a0468c3b6c5f6

  • SHA1

    52cfedab61625567d963a6e5bfa89ff128571796

  • SHA256

    86ade3c887b60e3acb896236eb9cb11508140f9eb2e551e309006b04dd3dc645

  • SHA512

    e0361b40017c7b39fc928d93b1d3e119393a676f61147ebf158c95013bb9f11b769d3416c508ffc894f3ae2f9510f490a303933573137b154685c08da66d37b7

  • SSDEEP

    768:aKsMqCXfVcWlzM9ZkiANIUakYLDwUzc80gmq3oP/oDD:aKse1M9ZkiAPYr/0O8/o/

Malware Config

Signatures

  • Nitro

    A ransomware that demands Discord nitro gift codes to decrypt files.

  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NitroRansomware.exe
    "C:\Users\Admin\AppData\Local\Temp\NitroRansomware.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1044
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:568
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x4d8
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1168

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1312-54-0x0000000001000000-0x0000000001016000-memory.dmp

    Filesize

    88KB

  • memory/1312-55-0x0000000000AF0000-0x0000000000B30000-memory.dmp

    Filesize

    256KB

  • memory/1312-56-0x0000000000AF0000-0x0000000000B30000-memory.dmp

    Filesize

    256KB

  • memory/1312-136-0x0000000000AF0000-0x0000000000B30000-memory.dmp

    Filesize

    256KB

  • memory/1312-137-0x0000000000AF0000-0x0000000000B30000-memory.dmp

    Filesize

    256KB