Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

04/07/2023, 04:31

230704-e5fg1ace91 10

04/07/2023, 04:30

230704-e4z51sba89 10

04/07/2023, 04:28

230704-e34f2sce9t 10

Analysis

  • max time kernel
    215s
  • max time network
    216s
  • platform
    windows10-1703_x64
  • resource
    win10-20230703-en
  • resource tags

    arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
  • submitted
    04/07/2023, 04:31

General

  • Target

    NitroRansomware.exe

  • Size

    1.5MB

  • MD5

    662b89fc83ffec95d0d1fb911e8b3f8e

  • SHA1

    464d3f513e0f05ed342d1d512611fbd17560ba38

  • SHA256

    8225c8ed538083338ff8441c73e6a9faa77c6fb8b58a19355fed6edb7e4805d4

  • SHA512

    b23a6981f424c2165b031daed2159286786767b51b0b2dc5d31b03282c3b97306ae58b078217aef785a806e7f8dd754e8e36cb7bc5a9af507c9b08bea7a7f266

  • SSDEEP

    49152:lpYGwfZPzodngwwHv5VbtHw1kqXfd+/9A:lmDZbIgNhVRw1kqXf0F

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Nitro

    A ransomware that demands Discord nitro gift codes to decrypt files.

  • UAC bypass 3 TTPs 1 IoCs
  • AgentTesla payload 1 IoCs
  • Disables Task Manager via registry modification
  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Drops desktop.ini file(s) 5 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NitroRansomware.exe
    "C:\Users\Admin\AppData\Local\Temp\NitroRansomware.exe"
    1⤵
    • UAC bypass
    • Modifies extensions of user files
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2196
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      "wmic" csproduct get uuid
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:956
    • C:\Windows\SysWOW64\tasklist.exe
      "tasklist"
      2⤵
      • Enumerates processes with tasklist
      • Suspicious use of AdjustPrivilegeToken
      PID:4224
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:5068
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:3300
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4668
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:3968
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:4512
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:2012

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\2RPX2MPE\favicon[2].png

    Filesize

    958B

    MD5

    346e09471362f2907510a31812129cd2

    SHA1

    323b99430dd424604ae57a19a91f25376e209759

    SHA256

    74cf90ac2fe6624ab1056cacea11cf7ed4f8bef54bbb0e869638013bba45bc08

    SHA512

    a62b0fcc02e671d6037725cf67935f8ca1c875f764ce39fed267420935c0b7bad69ab50d3f9f8c628e9b3cff439885ee416989e31ceaa5d32ae596dd7e5fedbd

  • memory/2196-127-0x0000000006110000-0x000000000612E000-memory.dmp

    Filesize

    120KB

  • memory/2196-216-0x00000000010C0000-0x00000000010CA000-memory.dmp

    Filesize

    40KB

  • memory/2196-120-0x00000000052A0000-0x0000000005306000-memory.dmp

    Filesize

    408KB

  • memory/2196-121-0x0000000002BA0000-0x0000000002BB0000-memory.dmp

    Filesize

    64KB

  • memory/2196-124-0x0000000006A70000-0x0000000006B22000-memory.dmp

    Filesize

    712KB

  • memory/2196-125-0x0000000006BB0000-0x0000000006C26000-memory.dmp

    Filesize

    472KB

  • memory/2196-126-0x0000000006C30000-0x0000000006C52000-memory.dmp

    Filesize

    136KB

  • memory/2196-117-0x00000000006D0000-0x000000000085C000-memory.dmp

    Filesize

    1.5MB

  • memory/2196-137-0x0000000002BA0000-0x0000000002BB0000-memory.dmp

    Filesize

    64KB

  • memory/2196-217-0x0000000007DA0000-0x0000000007F96000-memory.dmp

    Filesize

    2.0MB

  • memory/2196-119-0x0000000005100000-0x0000000005192000-memory.dmp

    Filesize

    584KB

  • memory/2196-218-0x0000000002BA0000-0x0000000002BB0000-memory.dmp

    Filesize

    64KB

  • memory/2196-219-0x0000000002BA0000-0x0000000002BB0000-memory.dmp

    Filesize

    64KB

  • memory/2196-220-0x0000000002BA0000-0x0000000002BB0000-memory.dmp

    Filesize

    64KB

  • memory/2196-221-0x0000000002BA0000-0x0000000002BB0000-memory.dmp

    Filesize

    64KB

  • memory/2196-118-0x0000000005560000-0x0000000005A5E000-memory.dmp

    Filesize

    5.0MB

  • memory/3968-270-0x000002007EB30000-0x000002007EB32000-memory.dmp

    Filesize

    8KB

  • memory/3968-276-0x000002007EB60000-0x000002007EB62000-memory.dmp

    Filesize

    8KB

  • memory/3968-272-0x000002007EB50000-0x000002007EB52000-memory.dmp

    Filesize

    8KB

  • memory/4512-472-0x0000024E39190000-0x0000024E39192000-memory.dmp

    Filesize

    8KB

  • memory/4512-480-0x0000024E391F0000-0x0000024E391F2000-memory.dmp

    Filesize

    8KB

  • memory/4512-488-0x0000024E39410000-0x0000024E39412000-memory.dmp

    Filesize

    8KB

  • memory/4512-486-0x0000024E392F0000-0x0000024E392F2000-memory.dmp

    Filesize

    8KB

  • memory/4512-484-0x0000024E392D0000-0x0000024E392D2000-memory.dmp

    Filesize

    8KB

  • memory/4512-466-0x0000024E38DD0000-0x0000024E38DD2000-memory.dmp

    Filesize

    8KB

  • memory/4512-482-0x0000024E392B0000-0x0000024E392B2000-memory.dmp

    Filesize

    8KB

  • memory/4512-474-0x0000024E391A0000-0x0000024E391A2000-memory.dmp

    Filesize

    8KB

  • memory/4512-476-0x0000024E391B0000-0x0000024E391B2000-memory.dmp

    Filesize

    8KB

  • memory/4512-478-0x0000024E391D0000-0x0000024E391D2000-memory.dmp

    Filesize

    8KB

  • memory/5068-257-0x000001A23BFA0000-0x000001A23BFA2000-memory.dmp

    Filesize

    8KB

  • memory/5068-238-0x000001A23C180000-0x000001A23C190000-memory.dmp

    Filesize

    64KB

  • memory/5068-222-0x000001A23B920000-0x000001A23B930000-memory.dmp

    Filesize

    64KB

  • memory/5068-457-0x000001A241F00000-0x000001A241F01000-memory.dmp

    Filesize

    4KB

  • memory/5068-458-0x000001A241F10000-0x000001A241F11000-memory.dmp

    Filesize

    4KB