agenttesla | 6d65adceb3723db328eac3601cbb540d40bcad7289e98804e977fe24a22d747f

Resubmissions

01-07-2023 10:36

230701-mngyhagf75 10

01-07-2023 10:34

230701-ml5lsagf74 10

01-07-2023 10:31

230701-mkjb6ahg8t 10

01-07-2023 10:19

230701-mc171agf63 10

Analysis

max time kernel
403s
max time network
1602s
platform
windows10-1703_x64
resource
win10-20230621-en
resource tags

arch:x64arch:x86image:win10-20230621-enlocale:en-usos:windows10-1703-x64system
submitted
01-07-2023 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NitroRansomware.exe
Size

1.0MB
MD5

67158b9c2184e40339161fddffa9e850
SHA1

5715c4610d84a077de42b5d031ec70ad77a8433e
SHA256

6d65adceb3723db328eac3601cbb540d40bcad7289e98804e977fe24a22d747f
SHA512

617cecfee0d7ad0002cd1fb6782bbadc0642b4513d0b4b195fa94475d774acf8e7a943128ca448bd451573b1642c665b36035adfa12e5ec02cbbdbe4474777a1
SSDEEP

24576:0rYGGjodngwtlaHxN8KUWVe6tw2wvKhLnTU:0rYG2odngwwHv5VbtHw

Score

10^/10

agenttesla nitro evasion keylogger persistence ransomware spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Nitro
A ransomware that demands Discord nitro gift codes to decrypt files.
ransomware nitro

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NitroRansomware.exe

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral1/memory/4320-225-0x0000000008040000-0x0000000008236000-memory.dmp	family_agenttesla

Modifies extensions of user files 12 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\GroupRedo.tiff.lmao	NitroRansomware.exe
File opened for modification	C:\Users\Admin\Pictures\GroupRedo.tiff	NitroRansomware.exe
File created	C:\Users\Admin\Pictures\RedoWatch.tiff.lmao	NitroRansomware.exe
File opened for modification	C:\Users\Admin\Pictures\RedoWatch.tiff	NitroRansomware.exe
File created	C:\Users\Admin\Pictures\TraceComplete.png.lmao	NitroRansomware.exe
File created	C:\Users\Admin\Pictures\FindAdd.tiff.lmao	NitroRansomware.exe
File opened for modification	C:\Users\Admin\Pictures\FindAdd.tiff	NitroRansomware.exe
File created	C:\Users\Admin\Pictures\GrantUnprotect.png.lmao	NitroRansomware.exe
File created	C:\Users\Admin\Pictures\StartStop.tif.lmao	NitroRansomware.exe
File created	C:\Users\Admin\Pictures\MoveHide.crw.lmao	NitroRansomware.exe
File created	C:\Users\Admin\Pictures\ProtectComplete.raw.lmao	NitroRansomware.exe
File created	C:\Users\Admin\Pictures\RestartSplit.tif.lmao	NitroRansomware.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000\Control Panel\International\Geo\Nation	NitroRansomware.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000\Software\Microsoft\Windows\CurrentVersion\Run\NR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NitroRansomware.exe\""	NitroRansomware.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NitroRansomware.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NitroRansomware.exe

Drops desktop.ini file(s) 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	NitroRansomware.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	NitroRansomware.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	NitroRansomware.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	NitroRansomware.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	NitroRansomware.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	api.ipify.org
2	api.ipify.org

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\wallpaper.png"	NitroRansomware.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1052	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	NitroRansomware.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	NitroRansomware.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	NitroRansomware.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "fqg47f3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = d01e52e391aad901	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = b590ee835faad901	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Rating Prompt Shown = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\MrtCache	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 27c627845faad901	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2920667096-3376612704-1562175574-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4320	NitroRansomware.exe
4320	NitroRansomware.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3740	MicrosoftEdgeCP.exe
3740	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

description	pid	Process
Token: SeDebugPrivilege	4320	NitroRansomware.exe
Token: SeIncreaseQuotaPrivilege	2192	wmic.exe
Token: SeSecurityPrivilege	2192	wmic.exe
Token: SeTakeOwnershipPrivilege	2192	wmic.exe
Token: SeLoadDriverPrivilege	2192	wmic.exe
Token: SeSystemProfilePrivilege	2192	wmic.exe
Token: SeSystemtimePrivilege	2192	wmic.exe
Token: SeProfSingleProcessPrivilege	2192	wmic.exe
Token: SeIncBasePriorityPrivilege	2192	wmic.exe
Token: SeCreatePagefilePrivilege	2192	wmic.exe
Token: SeBackupPrivilege	2192	wmic.exe
Token: SeRestorePrivilege	2192	wmic.exe
Token: SeShutdownPrivilege	2192	wmic.exe
Token: SeDebugPrivilege	2192	wmic.exe
Token: SeSystemEnvironmentPrivilege	2192	wmic.exe
Token: SeRemoteShutdownPrivilege	2192	wmic.exe
Token: SeUndockPrivilege	2192	wmic.exe
Token: SeManageVolumePrivilege	2192	wmic.exe
Token: 33	2192	wmic.exe
Token: 34	2192	wmic.exe
Token: 35	2192	wmic.exe
Token: 36	2192	wmic.exe
Token: SeIncreaseQuotaPrivilege	2192	wmic.exe
Token: SeSecurityPrivilege	2192	wmic.exe
Token: SeTakeOwnershipPrivilege	2192	wmic.exe
Token: SeLoadDriverPrivilege	2192	wmic.exe
Token: SeSystemProfilePrivilege	2192	wmic.exe
Token: SeSystemtimePrivilege	2192	wmic.exe
Token: SeProfSingleProcessPrivilege	2192	wmic.exe
Token: SeIncBasePriorityPrivilege	2192	wmic.exe
Token: SeCreatePagefilePrivilege	2192	wmic.exe
Token: SeBackupPrivilege	2192	wmic.exe
Token: SeRestorePrivilege	2192	wmic.exe
Token: SeShutdownPrivilege	2192	wmic.exe
Token: SeDebugPrivilege	2192	wmic.exe
Token: SeSystemEnvironmentPrivilege	2192	wmic.exe
Token: SeRemoteShutdownPrivilege	2192	wmic.exe
Token: SeUndockPrivilege	2192	wmic.exe
Token: SeManageVolumePrivilege	2192	wmic.exe
Token: 33	2192	wmic.exe
Token: 34	2192	wmic.exe
Token: 35	2192	wmic.exe
Token: 36	2192	wmic.exe
Token: SeDebugPrivilege	1052	tasklist.exe
Token: SeDebugPrivilege	1408	MicrosoftEdge.exe
Token: SeDebugPrivilege	1408	MicrosoftEdge.exe
Token: SeDebugPrivilege	1408	MicrosoftEdge.exe
Token: SeDebugPrivilege	1408	MicrosoftEdge.exe
Token: SeDebugPrivilege	3136	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3136	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3136	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3136	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4924	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4924	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1408	MicrosoftEdge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1408	MicrosoftEdge.exe
3740	MicrosoftEdgeCP.exe
3740	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 2192	4320	NitroRansomware.exe	67
PID 4320 wrote to memory of 2192	4320	NitroRansomware.exe	67
PID 4320 wrote to memory of 2192	4320	NitroRansomware.exe	67
PID 4320 wrote to memory of 1052	4320	NitroRansomware.exe	69
PID 4320 wrote to memory of 1052	4320	NitroRansomware.exe	69
PID 4320 wrote to memory of 1052	4320	NitroRansomware.exe	69
PID 3740 wrote to memory of 3136	3740	MicrosoftEdgeCP.exe	78
PID 3740 wrote to memory of 3136	3740	MicrosoftEdgeCP.exe	78
PID 3740 wrote to memory of 3136	3740	MicrosoftEdgeCP.exe	78
PID 3740 wrote to memory of 3136	3740	MicrosoftEdgeCP.exe	78
PID 3740 wrote to memory of 3136	3740	MicrosoftEdgeCP.exe	78
PID 3740 wrote to memory of 3136	3740	MicrosoftEdgeCP.exe	78
PID 3740 wrote to memory of 3136	3740	MicrosoftEdgeCP.exe	78
PID 3740 wrote to memory of 3136	3740	MicrosoftEdgeCP.exe	78
PID 3740 wrote to memory of 3136	3740	MicrosoftEdgeCP.exe	78
PID 3740 wrote to memory of 3136	3740	MicrosoftEdgeCP.exe	78
PID 3740 wrote to memory of 3136	3740	MicrosoftEdgeCP.exe	78
PID 3740 wrote to memory of 3136	3740	MicrosoftEdgeCP.exe	78
PID 3740 wrote to memory of 3136	3740	MicrosoftEdgeCP.exe	78
PID 3740 wrote to memory of 3136	3740	MicrosoftEdgeCP.exe	78
PID 3740 wrote to memory of 3136	3740	MicrosoftEdgeCP.exe	78
PID 3740 wrote to memory of 3136	3740	MicrosoftEdgeCP.exe	78
PID 3740 wrote to memory of 3136	3740	MicrosoftEdgeCP.exe	78
PID 3740 wrote to memory of 3136	3740	MicrosoftEdgeCP.exe	78

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NitroRansomware.exe

C:\Users\Admin\AppData\Local\Temp\NitroRansomware.exe
"C:\Users\Admin\AppData\Local\Temp\NitroRansomware.exe"
1⤵
- UAC bypass
- Modifies extensions of user files
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4320
- C:\Windows\SysWOW64\Wbem\wmic.exe
  "wmic" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2192
- C:\Windows\SysWOW64\tasklist.exe
  "tasklist"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:1052

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1408

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2644

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3740

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3232

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:1772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PAHHKJU0\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\D9J30VWG\favicon[1].png

Filesize
958B

MD5
346e09471362f2907510a31812129cd2

SHA1
323b99430dd424604ae57a19a91f25376e209759

SHA256
74cf90ac2fe6624ab1056cacea11cf7ed4f8bef54bbb0e869638013bba45bc08

SHA512
a62b0fcc02e671d6037725cf67935f8ca1c875f764ce39fed267420935c0b7bad69ab50d3f9f8c628e9b3cff439885ee416989e31ceaa5d32ae596dd7e5fedbd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
4KB

MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Microsoft\Windows\3720402701\2219095117.pri

Filesize
207KB

MD5
e2b88765ee31470114e866d939a8f2c6

SHA1
e0a53b8511186ff308a0507b6304fb16cabd4e1f

SHA256
523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e

SHA512
462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d

Download Submit
memory/1408-553-0x0000022595EF0000-0x0000022595EF2000-memory.dmp

Filesize
8KB

Download
memory/1408-556-0x0000022595C10000-0x0000022595C11000-memory.dmp

Filesize
4KB

Download
memory/1408-560-0x00000225949F0000-0x00000225949F1000-memory.dmp

Filesize
4KB

Download
memory/1408-509-0x000002259BE40000-0x000002259BE41000-memory.dmp

Filesize
4KB

Download
memory/1408-508-0x000002259BE30000-0x000002259BE31000-memory.dmp

Filesize
4KB

Download
memory/1408-271-0x000002259A420000-0x000002259A422000-memory.dmp

Filesize
8KB

Download
memory/1408-272-0x000002259A450000-0x000002259A452000-memory.dmp

Filesize
8KB

Download
memory/1408-246-0x0000022596200000-0x0000022596210000-memory.dmp

Filesize
64KB

Download
memory/1408-267-0x0000022595C10000-0x0000022595C11000-memory.dmp

Filesize
4KB

Download
memory/1408-269-0x0000022595ED0000-0x0000022595ED2000-memory.dmp

Filesize
8KB

Download
memory/3136-494-0x0000026733800000-0x0000026733802000-memory.dmp

Filesize
8KB

Download
memory/3136-488-0x0000026733700000-0x0000026733702000-memory.dmp

Filesize
8KB

Download
memory/3136-465-0x0000026732890000-0x0000026732892000-memory.dmp

Filesize
8KB

Download
memory/3136-468-0x0000026732D00000-0x0000026732D02000-memory.dmp

Filesize
8KB

Download
memory/3136-470-0x0000026733140000-0x0000026733142000-memory.dmp

Filesize
8KB

Download
memory/3136-472-0x0000026733270000-0x0000026733272000-memory.dmp

Filesize
8KB

Download
memory/3136-474-0x0000026733380000-0x0000026733382000-memory.dmp

Filesize
8KB

Download
memory/3136-476-0x00000267334A0000-0x00000267334A2000-memory.dmp

Filesize
8KB

Download
memory/3136-478-0x00000267334C0000-0x00000267334C2000-memory.dmp

Filesize
8KB

Download
memory/3136-480-0x00000267334E0000-0x00000267334E2000-memory.dmp

Filesize
8KB

Download
memory/3136-482-0x00000267336A0000-0x00000267336A2000-memory.dmp

Filesize
8KB

Download
memory/3136-484-0x00000267336C0000-0x00000267336C2000-memory.dmp

Filesize
8KB

Download
memory/3136-486-0x00000267336E0000-0x00000267336E2000-memory.dmp

Filesize
8KB

Download
memory/3136-515-0x0000026732C40000-0x0000026732C42000-memory.dmp

Filesize
8KB

Download
memory/3136-490-0x00000267337C0000-0x00000267337C2000-memory.dmp

Filesize
8KB

Download
memory/3136-492-0x00000267337E0000-0x00000267337E2000-memory.dmp

Filesize
8KB

Download
memory/3136-502-0x00000267339F0000-0x00000267339F2000-memory.dmp

Filesize
8KB

Download
memory/4320-228-0x0000000005640000-0x0000000005650000-memory.dmp

Filesize
64KB

Download
memory/4320-120-0x0000000000C50000-0x0000000000D5A000-memory.dmp

Filesize
1.0MB

Download
memory/4320-227-0x0000000005640000-0x0000000005650000-memory.dmp

Filesize
64KB

Download
memory/4320-226-0x0000000005640000-0x0000000005650000-memory.dmp

Filesize
64KB

Download
memory/4320-225-0x0000000008040000-0x0000000008236000-memory.dmp

Filesize
2.0MB

Download
memory/4320-229-0x0000000005640000-0x0000000005650000-memory.dmp

Filesize
64KB

Download
memory/4320-224-0x0000000001580000-0x000000000158A000-memory.dmp

Filesize
40KB

Download
memory/4320-124-0x0000000005640000-0x0000000005650000-memory.dmp

Filesize
64KB

Download
memory/4320-123-0x0000000005760000-0x00000000057C6000-memory.dmp

Filesize
408KB

Download
memory/4320-122-0x0000000005650000-0x00000000056E2000-memory.dmp

Filesize
584KB

Download
memory/4320-121-0x0000000005B50000-0x000000000604E000-memory.dmp

Filesize
5.0MB

Download