Overview

overview

10

Static

static

3

NitroRansomware.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    109s
  • max time network
    77s
  • platform
    windows10-1703_x64
  • resource
    win10-20230621-en
  • resource tags

    arch:x64arch:x86image:win10-20230621-enlocale:en-usos:windows10-1703-x64system
  • submitted
    02-07-2023 23:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NitroRansomware.exe

  • Size

    1.3MB

  • MD5

    d8bc15d7823c0db0882be71f853ce8f7

  • SHA1

    b17969bbc6826d6d33ab6ca6b9cfad0af46d6ec8

  • SHA256

    c853ee6eb1abf28eab76d035f1b5b5548563f375f0f98335aa0853e8a66181b3

  • SHA512

    222926d57978c16b6ad3b7a487c3c862f932e5dd734e6e889026996fcb37b2168dd205f29201549dad5c7955775e6b3b8bf5f960df06504419ed5369de082c2a

  • SSDEEP

    24576:WNYGGwodngwtlaHxN8KUWVe6tw2wvKhLnekqjVnlqud+/2P+AP3:WNYGjodngwwHv5VbtHw1kqXfd+/9A

Score
10/10
agentteslanitroevasionkeyloggerpersistenceransomwarespywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Nitro

    A ransomware that demands Discord nitro gift codes to decrypt files.

    ransomwarenitro
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • AgentTesla payload 1 IoCs
  • Disables Task Manager via registry modification
    evasion
  • Modifies extensions of user files 12 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 5 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\NitroRansomware.exe
    "C:\Users\Admin\AppData\Local\Temp\NitroRansomware.exe"
    1⤵
    • UAC bypass
    • Modifies extensions of user files
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4240
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic" csproduct get uuid
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:5072
    • C:\Windows\SysWOW64\tasklist.exe
      "tasklist"
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:4080

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4240-120-0x0000000000AA0000-0x0000000000BEE000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4240-121-0x0000000005A90000-0x0000000005F8E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4240-122-0x0000000005590000-0x0000000005622000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4240-123-0x0000000005730000-0x0000000005796000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4240-124-0x0000000005580000-0x0000000005590000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4240-127-0x0000000006F50000-0x0000000007002000-memory.dmp

    Filesize

    712KB

    Download

  • memory/4240-128-0x0000000007090000-0x0000000007106000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4240-129-0x0000000007110000-0x0000000007132000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4240-130-0x0000000007140000-0x000000000715E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4240-140-0x0000000005580000-0x0000000005590000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4240-219-0x0000000001270000-0x000000000127A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4240-220-0x0000000007580000-0x0000000007776000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4240-221-0x0000000005580000-0x0000000005590000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4240-222-0x0000000005580000-0x0000000005590000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4240-223-0x0000000005580000-0x0000000005590000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4240-224-0x0000000005580000-0x0000000005590000-memory.dmp

    Filesize

    64KB

    Download