Overview

overview

10

Static

static

3

NitroRansomware.exe

windows10-2004-x64

10

Resubmissions

01-07-2023 10:36

230701-mngyhagf75 10

01-07-2023 10:34

230701-ml5lsagf74 10

01-07-2023 10:31

230701-mkjb6ahg8t 10

01-07-2023 10:19

230701-mc171agf63 10

Analysis

  • max time kernel
    66s
  • max time network
    68s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-07-2023 10:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NitroRansomware.exe

  • Size

    1.0MB

  • MD5

    67158b9c2184e40339161fddffa9e850

  • SHA1

    5715c4610d84a077de42b5d031ec70ad77a8433e

  • SHA256

    6d65adceb3723db328eac3601cbb540d40bcad7289e98804e977fe24a22d747f

  • SHA512

    617cecfee0d7ad0002cd1fb6782bbadc0642b4513d0b4b195fa94475d774acf8e7a943128ca448bd451573b1642c665b36035adfa12e5ec02cbbdbe4474777a1

  • SSDEEP

    24576:0rYGGjodngwtlaHxN8KUWVe6tw2wvKhLnTU:0rYG2odngwwHv5VbtHw

Score
10/10
nitroevasionpersistenceransomwaretrojan

Malware Config

Signatures

  • Nitro

    A ransomware that demands Discord nitro gift codes to decrypt files.

    ransomwarenitro
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies extensions of user files 11 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 5 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\NitroRansomware.exe
    "C:\Users\Admin\AppData\Local\Temp\NitroRansomware.exe"
    1⤵
    • UAC bypass
    • Modifies extensions of user files
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:456
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic" csproduct get uuid
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3564
    • C:\Windows\SysWOW64\tasklist.exe
      "tasklist"
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:2328

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/456-133-0x0000000000FF0000-0x00000000010FA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/456-134-0x0000000005FC0000-0x0000000006564000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/456-135-0x0000000005AF0000-0x0000000005B82000-memory.dmp

    Filesize

    584KB

    Download

  • memory/456-136-0x0000000005C90000-0x0000000005CF6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/456-137-0x0000000003510000-0x0000000003520000-memory.dmp

    Filesize

    64KB

    Download

  • memory/456-143-0x0000000003510000-0x0000000003520000-memory.dmp

    Filesize

    64KB

    Download