Analysis
-
max time kernel
81s -
max time network
57s -
platform
windows7_x64 -
resource
win7-20230621-en -
resource tags
arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system -
submitted
02/07/2023, 02:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fb8b40c35ce47a3e9c7106c3a9074812.exe
Resource
win7-20230621-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
fb8b40c35ce47a3e9c7106c3a9074812.exe
Resource
win10v2004-20230621-en
windows10-2004-x64
11 signatures
150 seconds
General
-
Target
fb8b40c35ce47a3e9c7106c3a9074812.exe
-
Size
66KB
-
MD5
fb8b40c35ce47a3e9c7106c3a9074812
-
SHA1
157158936a9ae7c26f9f2194e0e19cf2729362f3
-
SHA256
62bf001525c54efc9715f6562e58bce96a6283aed9acb13f330f0fc487220419
-
SHA512
9bf593e6fbad5c566e6526e7892f750f050cff2e6a255ce611bf51b85e214bba0e1bc2f8d13c6538ac2df16f00a80bebf74f7262ca6b9fd2c1becd211b8d98e6
-
SSDEEP
768:qH3DdNeB5G8tOHsvVXwmIkpLDwUzc80gmq3oP/oDT:a3RQB3tXWx0r/0O8/oP
Score
10/10
Malware Config
Signatures
-
Nitro
A ransomware that demands Discord nitro gift codes to decrypt files.
-
Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File created C:\Users\Admin\Pictures\SkipRead.tiff.givemenitro fb8b40c35ce47a3e9c7106c3a9074812.exe File opened for modification C:\Users\Admin\Pictures\SkipRead.tiff fb8b40c35ce47a3e9c7106c3a9074812.exe File created C:\Users\Admin\Pictures\SuspendSkip.png.givemenitro fb8b40c35ce47a3e9c7106c3a9074812.exe File created C:\Users\Admin\Pictures\SwitchGroup.crw.givemenitro fb8b40c35ce47a3e9c7106c3a9074812.exe File created C:\Users\Admin\Pictures\WaitConvertTo.crw.givemenitro fb8b40c35ce47a3e9c7106c3a9074812.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Windows\CurrentVersion\Run\NR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\fb8b40c35ce47a3e9c7106c3a9074812.exe\"" fb8b40c35ce47a3e9c7106c3a9074812.exe -
Drops desktop.ini file(s) 3 IoCs
description ioc Process File opened for modification C:\Users\Admin\Desktop\desktop.ini fb8b40c35ce47a3e9c7106c3a9074812.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini fb8b40c35ce47a3e9c7106c3a9074812.exe File opened for modification C:\Users\Admin\Documents\desktop.ini fb8b40c35ce47a3e9c7106c3a9074812.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 api.ipify.org 4 api.ipify.org -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\wallpaper.png" fb8b40c35ce47a3e9c7106c3a9074812.exe Set value (str) \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" fb8b40c35ce47a3e9c7106c3a9074812.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2024 fb8b40c35ce47a3e9c7106c3a9074812.exe 2024 fb8b40c35ce47a3e9c7106c3a9074812.exe -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process Token: SeDebugPrivilege 2024 fb8b40c35ce47a3e9c7106c3a9074812.exe Token: SeIncreaseQuotaPrivilege 2020 wmic.exe Token: SeSecurityPrivilege 2020 wmic.exe Token: SeTakeOwnershipPrivilege 2020 wmic.exe Token: SeLoadDriverPrivilege 2020 wmic.exe Token: SeSystemProfilePrivilege 2020 wmic.exe Token: SeSystemtimePrivilege 2020 wmic.exe Token: SeProfSingleProcessPrivilege 2020 wmic.exe Token: SeIncBasePriorityPrivilege 2020 wmic.exe Token: SeCreatePagefilePrivilege 2020 wmic.exe Token: SeBackupPrivilege 2020 wmic.exe Token: SeRestorePrivilege 2020 wmic.exe Token: SeShutdownPrivilege 2020 wmic.exe Token: SeDebugPrivilege 2020 wmic.exe Token: SeSystemEnvironmentPrivilege 2020 wmic.exe Token: SeRemoteShutdownPrivilege 2020 wmic.exe Token: SeUndockPrivilege 2020 wmic.exe Token: SeManageVolumePrivilege 2020 wmic.exe Token: 33 2020 wmic.exe Token: 34 2020 wmic.exe Token: 35 2020 wmic.exe Token: SeIncreaseQuotaPrivilege 2020 wmic.exe Token: SeSecurityPrivilege 2020 wmic.exe Token: SeTakeOwnershipPrivilege 2020 wmic.exe Token: SeLoadDriverPrivilege 2020 wmic.exe Token: SeSystemProfilePrivilege 2020 wmic.exe Token: SeSystemtimePrivilege 2020 wmic.exe Token: SeProfSingleProcessPrivilege 2020 wmic.exe Token: SeIncBasePriorityPrivilege 2020 wmic.exe Token: SeCreatePagefilePrivilege 2020 wmic.exe Token: SeBackupPrivilege 2020 wmic.exe Token: SeRestorePrivilege 2020 wmic.exe Token: SeShutdownPrivilege 2020 wmic.exe Token: SeDebugPrivilege 2020 wmic.exe Token: SeSystemEnvironmentPrivilege 2020 wmic.exe Token: SeRemoteShutdownPrivilege 2020 wmic.exe Token: SeUndockPrivilege 2020 wmic.exe Token: SeManageVolumePrivilege 2020 wmic.exe Token: 33 2020 wmic.exe Token: 34 2020 wmic.exe Token: 35 2020 wmic.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2024 wrote to memory of 2020 2024 fb8b40c35ce47a3e9c7106c3a9074812.exe 28 PID 2024 wrote to memory of 2020 2024 fb8b40c35ce47a3e9c7106c3a9074812.exe 28 PID 2024 wrote to memory of 2020 2024 fb8b40c35ce47a3e9c7106c3a9074812.exe 28 PID 2024 wrote to memory of 2020 2024 fb8b40c35ce47a3e9c7106c3a9074812.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb8b40c35ce47a3e9c7106c3a9074812.exe"C:\Users\Admin\AppData\Local\Temp\fb8b40c35ce47a3e9c7106c3a9074812.exe"1⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2020
-