Resubmissions

30-06-2023 03:23

230630-dxn9hagh4t 10

30-06-2023 03:00

230630-dhqh1sgh3s 10

Analysis

  • max time kernel
    107s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-06-2023 03:23

General

  • Target

    NitroRansomware.exe

  • Size

    61KB

  • MD5

    f34e35e3380bd7b8744a0468c3b6c5f6

  • SHA1

    52cfedab61625567d963a6e5bfa89ff128571796

  • SHA256

    86ade3c887b60e3acb896236eb9cb11508140f9eb2e551e309006b04dd3dc645

  • SHA512

    e0361b40017c7b39fc928d93b1d3e119393a676f61147ebf158c95013bb9f11b769d3416c508ffc894f3ae2f9510f490a303933573137b154685c08da66d37b7

  • SSDEEP

    768:aKsMqCXfVcWlzM9ZkiANIUakYLDwUzc80gmq3oP/oDD:aKse1M9ZkiAPYr/0O8/o/

Malware Config

Signatures

  • Nitro

    A ransomware that demands Discord nitro gift codes to decrypt files.

  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 5 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NitroRansomware.exe
    "C:\Users\Admin\AppData\Local\Temp\NitroRansomware.exe"
    1⤵
    • Modifies extensions of user files
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1360
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1840
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3116
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 2200
      2⤵
      • Program crash
      PID:4124
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 2200
      2⤵
      • Program crash
      PID:1164
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1360 -ip 1360
    1⤵
    PID:1296
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1360 -ip 1360
    1⤵
    PID:1220

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1360-133-0x0000000000F70000-0x0000000000F86000-memory.dmp
    Filesize: 88KB
  • memory/1360-134-0x0000000005E80000-0x0000000006424000-memory.dmp
    Filesize: 5.6MB
  • memory/1360-135-0x0000000005970000-0x0000000005A02000-memory.dmp
    Filesize: 584KB
  • memory/1360-136-0x0000000005960000-0x0000000005970000-memory.dmp
    Filesize: 64KB
  • memory/1360-149-0x0000000005960000-0x0000000005970000-memory.dmp
    Filesize: 64KB
  • memory/1360-227-0x00000000066A0000-0x00000000066AA000-memory.dmp
    Filesize: 40KB