Overview

overview

10

Static

static

3

NitroRansomware.exe

windows10-1703-x64

10

NitroRansomware.exe

windows7-x64

10

NitroRansomware.exe

windows10-2004-x64

10

Resubmissions

01-07-2023 10:36

230701-mngyhagf75 10

01-07-2023 10:34

230701-ml5lsagf74 10

01-07-2023 10:31

230701-mkjb6ahg8t 10

01-07-2023 10:19

230701-mc171agf63 10

Analysis

  • max time kernel
    136s
  • max time network
    86s
  • platform
    windows10-1703_x64
  • resource
    win10-20230621-en
  • resource tags

    arch:x64arch:x86image:win10-20230621-enlocale:en-usos:windows10-1703-x64system
  • submitted
    01-07-2023 10:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NitroRansomware.exe

  • Size

    1.0MB

  • MD5

    67158b9c2184e40339161fddffa9e850

  • SHA1

    5715c4610d84a077de42b5d031ec70ad77a8433e

  • SHA256

    6d65adceb3723db328eac3601cbb540d40bcad7289e98804e977fe24a22d747f

  • SHA512

    617cecfee0d7ad0002cd1fb6782bbadc0642b4513d0b4b195fa94475d774acf8e7a943128ca448bd451573b1642c665b36035adfa12e5ec02cbbdbe4474777a1

  • SSDEEP

    24576:0rYGGjodngwtlaHxN8KUWVe6tw2wvKhLnTU:0rYG2odngwwHv5VbtHw

Score
10/10
agentteslanitroevasionkeyloggerpersistenceransomwarespywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Nitro

    A ransomware that demands Discord nitro gift codes to decrypt files.

    ransomwarenitro
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • AgentTesla payload 1 IoCs
  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 5 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\NitroRansomware.exe
    "C:\Users\Admin\AppData\Local\Temp\NitroRansomware.exe"
    1⤵
    • UAC bypass
    • Modifies extensions of user files
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2312
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic" csproduct get uuid
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2940
    • C:\Windows\SysWOW64\tasklist.exe
      "tasklist"
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:2124

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2312-121-0x0000000000FE0000-0x00000000010EA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2312-122-0x0000000005EB0000-0x00000000063AE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/2312-123-0x0000000005A60000-0x0000000005AF2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2312-124-0x0000000005C00000-0x0000000005C66000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2312-125-0x00000000059A0000-0x00000000059B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2312-128-0x00000000059A0000-0x00000000059B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2312-215-0x0000000001670000-0x000000000167A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2312-216-0x0000000007780000-0x0000000007976000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2312-217-0x00000000059A0000-0x00000000059B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2312-218-0x00000000059A0000-0x00000000059B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2312-219-0x00000000059A0000-0x00000000059B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2312-220-0x00000000059A0000-0x00000000059B0000-memory.dmp

    Filesize

    64KB

    Download