Resubmissions

30-06-2023 03:23

230630-dxn9hagh4t 10

30-06-2023 03:00

230630-dhqh1sgh3s 10

Analysis

  • max time kernel
    120s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-06-2023 03:00

General

  • Target

    NitroRansomware.exe

  • Size

    61KB

  • MD5

    f34e35e3380bd7b8744a0468c3b6c5f6

  • SHA1

    52cfedab61625567d963a6e5bfa89ff128571796

  • SHA256

    86ade3c887b60e3acb896236eb9cb11508140f9eb2e551e309006b04dd3dc645

  • SHA512

    e0361b40017c7b39fc928d93b1d3e119393a676f61147ebf158c95013bb9f11b769d3416c508ffc894f3ae2f9510f490a303933573137b154685c08da66d37b7

  • SSDEEP

    768:aKsMqCXfVcWlzM9ZkiANIUakYLDwUzc80gmq3oP/oDD:aKse1M9ZkiAPYr/0O8/o/

Malware Config

Signatures

  • Nitro

    Ransomware that demands Discord Nitro gift codes as payment for decrypting files.

  • Modifies extensions of user files 9 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 5 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NitroRansomware.exe
    "C:\Users\Admin\AppData\Local\Temp\NitroRansomware.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1076
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4232
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 2180
      2⤵
      • Program crash
      PID:1540
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 2200
      2⤵
      • Program crash
      PID:408
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3068
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2076 -ip 2076
    1⤵
    PID:3960
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2076 -ip 2076
    1⤵
    PID:4056
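The signature hits above (machine UUID lookup through cmd.exe and WMIC, Run key persistence, wallpaper change, desktop.ini drops, mass extension changes, and the WerFault crashes of PID 2076) can be reproduced from endpoint telemetry. The following is an added example, not sandbox code and not the sample's own code: a small triage routine over Sysmon-style process, registry and file events. The event records are constructed to mirror the process tree above; PIDs, images and command lines are taken from it, while the parent PID 1234 of the top-level entries, the Run value name "Nitro" and the ".locked" extension are assumptions. Every hit is attributed to the outermost ancestor running from %TEMP%, and WerFault instances are tied to the crashed process by their -p argument rather than by parent, because the -pss instances in the tree are not children of PID 2076.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

@dataclass
class Proc:              # Sysmon event 1 (process create), reduced
    pid: int
    ppid: int
    image: str
    cmdline: str

@dataclass
class RegSet:            # Sysmon event 13 (registry value set), reduced
    pid: int
    target: str          # key path including the value name

@dataclass
class FileOp:            # rename when old_path is set, otherwise create
    pid: int
    path: str
    old_path: Optional[str] = None

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
UUID_QUERY = re.compile(r"\bcsproduct\s+get\s+uuid\b", re.I)
RUN_VALUE = re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.I)
WALLPAPER = re.compile(r"\\Control Panel\\Desktop\\Wallpaper$", re.I)
WER_TARGET = re.compile(r"(?:^|\s)-p\s+(\d+)")   # crashed PID on WerFault's command line
USER_FILE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\", re.I)

def ancestry(tree: Dict[int, Proc], pid: int) -> Iterable[Proc]:
    seen: Set[int] = set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        yield tree[pid]
        pid = tree[pid].ppid

def origin_pid(tree: Dict[int, Proc], pid: int) -> Optional[int]:
    """Outermost ancestor of pid (pid included) that runs from %TEMP%."""
    origin = None
    for p in ancestry(tree, pid):
        if TEMP_DIR.search(p.image):
            origin = p.pid
    return origin

def triage(procs: List[Proc], regs: List[RegSet], files: List[FileOp],
           min_renames: int = 5) -> Dict[int, List[str]]:
    tree = {p.pid: p for p in procs}
    hits: Dict[int, Set[str]] = {}
    renames: Dict[int, int] = {}

    def note(pid: int, sig: str) -> None:
        o = origin_pid(tree, pid)
        if o is not None:
            hits.setdefault(o, set()).add(sig)

    for p in procs:
        image = p.image.lower()
        if image.endswith("\\wmic.exe") and UUID_QUERY.search(p.cmdline):
            note(p.pid, "queries machine UUID via WMIC")
        elif image.endswith("\\werfault.exe"):
            m = WER_TARGET.search(p.cmdline)
            if m:   # attribute by -p: the -pss instances are not children of the crashed process
                note(int(m.group(1)), "program crash")
    for r in regs:
        if RUN_VALUE.search(r.target):
            note(r.pid, "adds Run key")
        elif WALLPAPER.search(r.target):
            note(r.pid, "sets wallpaper via registry")
    for f in files:
        if f.path.lower().endswith("\\desktop.ini"):
            note(f.pid, "drops desktop.ini")
        elif (f.old_path and USER_FILE.match(f.old_path)
              and ntpath.splitext(f.path)[1] != ntpath.splitext(f.old_path)[1]):
            o = origin_pid(tree, f.pid)
            if o is not None:
                renames[o] = renames.get(o, 0) + 1
    for o, n in renames.items():
        if n >= min_renames:
            hits.setdefault(o, set()).add("modifies extensions of user files")
    return {o: sorted(s) for o, s in hits.items()}

# Constructed telemetry mirroring the process tree in this report. PIDs, images and
# command lines come from the tree; parent PID 1234 for the top-level entries, the
# Run value name "Nitro" and the ".locked" extension are assumptions.
WER = r"C:\Windows\SysWOW64\WerFault.exe"
PROCS = [
    Proc(2076, 1234, r"C:\Users\Admin\AppData\Local\Temp\NitroRansomware.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\NitroRansomware.exe"'),
    Proc(1076, 2076, r"C:\Windows\SysWOW64\cmd.exe", '"cmd.exe"'),
    Proc(4232, 1076, r"C:\Windows\SysWOW64\Wbem\WMIC.exe", "wmic csproduct get uuid"),
    Proc(1540, 2076, WER, WER + " -u -p 2076 -s 2180"),
    Proc(408, 2076, WER, WER + " -u -p 2076 -s 2200"),
    Proc(3068, 1234, r"C:\Windows\System32\rundll32.exe",
         r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll "
         r"{9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"),
    Proc(3960, 1234, WER, WER + " -pss -s 432 -p 2076 -ip 2076"),
    Proc(4056, 1234, WER, WER + " -pss -s 556 -p 2076 -ip 2076"),
]
REGS = [
    RegSet(2076, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Nitro"),
    RegSet(2076, r"HKCU\Control Panel\Desktop\Wallpaper"),
]
FILES = [FileOp(2076, rf"C:\Users\Admin\Documents\doc{i}.docx.locked",
                rf"C:\Users\Admin\Documents\doc{i}.docx") for i in range(9)]
FILES.append(FileOp(2076, r"C:\Users\Admin\Desktop\desktop.ini"))
FILES.append(FileOp(3068, r"C:\Windows\Temp\x.tmp.bak", r"C:\Windows\Temp\x.tmp"))  # not a user file

if __name__ == "__main__":
    for pid, sigs in triage(PROCS, REGS, FILES).items():
        print(pid, sigs)
```

Running it attributes all six behaviours to PID 2076 and nothing to the rundll32.exe COM server, which is the same picture the signature list gives. The rename threshold is the one knob worth tuning per environment: a single extension change is normal user activity, while a burst of them from one process tree in a user profile is the ransomware indicator the "Modifies extensions of user files" signature is built on.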

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/2076-133-0x00000000009E0000-0x00000000009F6000-memory.dmp

    Filesize

    88KB

  • memory/2076-134-0x0000000005870000-0x0000000005E14000-memory.dmp

    Filesize

    5.6MB

  • memory/2076-135-0x00000000053B0000-0x0000000005442000-memory.dmp

    Filesize

    584KB

  • memory/2076-136-0x00000000056E0000-0x00000000056F0000-memory.dmp

    Filesize

    64KB

  • memory/2076-143-0x00000000056E0000-0x00000000056F0000-memory.dmp

    Filesize

    64KB

  • memory/2076-238-0x0000000001190000-0x000000000119A000-memory.dmp

    Filesize

    40KB