8225c8ed538083338ff8441c73e6a9faa77c6fb8b58a19355fed6edb7e4805d4

Analysis

max time kernel
28s
max time network
32s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
04-07-2023 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NitroRansomwareexe.exe
Size

1.5MB
MD5

662b89fc83ffec95d0d1fb911e8b3f8e
SHA1

464d3f513e0f05ed342d1d512611fbd17560ba38
SHA256

8225c8ed538083338ff8441c73e6a9faa77c6fb8b58a19355fed6edb7e4805d4
SHA512

b23a6981f424c2165b031daed2159286786767b51b0b2dc5d31b03282c3b97306ae58b078217aef785a806e7f8dd754e8e36cb7bc5a9af507c9b08bea7a7f266
SSDEEP

49152:lpYGwfZPzodngwwHv5VbtHw1kqXfd+/9A:lmDZbIgNhVRw1kqXf0F

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NitroRansomwareexe.exe

Disables Task Manager via registry modification
evasion

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1724861073-2584418204-2594431177-1000\Software\Microsoft\Windows\CurrentVersion\Run\NR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NitroRansomwareexe.exe\""	NitroRansomwareexe.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NitroRansomwareexe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NitroRansomwareexe.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org
4	api.ipify.org

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1512	2420	WerFault.exe	28

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
380	tasklist.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2420	NitroRansomwareexe.exe
2420	NitroRansomwareexe.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	2420	NitroRansomwareexe.exe
Token: SeIncreaseQuotaPrivilege	3036	wmic.exe
Token: SeSecurityPrivilege	3036	wmic.exe
Token: SeTakeOwnershipPrivilege	3036	wmic.exe
Token: SeLoadDriverPrivilege	3036	wmic.exe
Token: SeSystemProfilePrivilege	3036	wmic.exe
Token: SeSystemtimePrivilege	3036	wmic.exe
Token: SeProfSingleProcessPrivilege	3036	wmic.exe
Token: SeIncBasePriorityPrivilege	3036	wmic.exe
Token: SeCreatePagefilePrivilege	3036	wmic.exe
Token: SeBackupPrivilege	3036	wmic.exe
Token: SeRestorePrivilege	3036	wmic.exe
Token: SeShutdownPrivilege	3036	wmic.exe
Token: SeDebugPrivilege	3036	wmic.exe
Token: SeSystemEnvironmentPrivilege	3036	wmic.exe
Token: SeRemoteShutdownPrivilege	3036	wmic.exe
Token: SeUndockPrivilege	3036	wmic.exe
Token: SeManageVolumePrivilege	3036	wmic.exe
Token: 33	3036	wmic.exe
Token: 34	3036	wmic.exe
Token: 35	3036	wmic.exe
Token: SeIncreaseQuotaPrivilege	3036	wmic.exe
Token: SeSecurityPrivilege	3036	wmic.exe
Token: SeTakeOwnershipPrivilege	3036	wmic.exe
Token: SeLoadDriverPrivilege	3036	wmic.exe
Token: SeSystemProfilePrivilege	3036	wmic.exe
Token: SeSystemtimePrivilege	3036	wmic.exe
Token: SeProfSingleProcessPrivilege	3036	wmic.exe
Token: SeIncBasePriorityPrivilege	3036	wmic.exe
Token: SeCreatePagefilePrivilege	3036	wmic.exe
Token: SeBackupPrivilege	3036	wmic.exe
Token: SeRestorePrivilege	3036	wmic.exe
Token: SeShutdownPrivilege	3036	wmic.exe
Token: SeDebugPrivilege	3036	wmic.exe
Token: SeSystemEnvironmentPrivilege	3036	wmic.exe
Token: SeRemoteShutdownPrivilege	3036	wmic.exe
Token: SeUndockPrivilege	3036	wmic.exe
Token: SeManageVolumePrivilege	3036	wmic.exe
Token: 33	3036	wmic.exe
Token: 34	3036	wmic.exe
Token: 35	3036	wmic.exe
Token: SeDebugPrivilege	380	tasklist.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 3036	2420	NitroRansomwareexe.exe	30
PID 2420 wrote to memory of 3036	2420	NitroRansomwareexe.exe	30
PID 2420 wrote to memory of 3036	2420	NitroRansomwareexe.exe	30
PID 2420 wrote to memory of 3036	2420	NitroRansomwareexe.exe	30
PID 2420 wrote to memory of 380	2420	NitroRansomwareexe.exe	32
PID 2420 wrote to memory of 380	2420	NitroRansomwareexe.exe	32
PID 2420 wrote to memory of 380	2420	NitroRansomwareexe.exe	32
PID 2420 wrote to memory of 380	2420	NitroRansomwareexe.exe	32
PID 2420 wrote to memory of 1512	2420	NitroRansomwareexe.exe	34
PID 2420 wrote to memory of 1512	2420	NitroRansomwareexe.exe	34
PID 2420 wrote to memory of 1512	2420	NitroRansomwareexe.exe	34
PID 2420 wrote to memory of 1512	2420	NitroRansomwareexe.exe	34

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NitroRansomwareexe.exe

C:\Users\Admin\AppData\Local\Temp\NitroRansomwareexe.exe
"C:\Users\Admin\AppData\Local\Temp\NitroRansomwareexe.exe"
1⤵
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2420
- C:\Windows\SysWOW64\Wbem\wmic.exe
  "wmic" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\SysWOW64\tasklist.exe
  "tasklist"
  2⤵
  - Enumerates processes with tasklist
  - Suspicious use of AdjustPrivilegeToken
  PID:380
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 1432
  2⤵
  - Program crash
  PID:1512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2420-54-0x0000000000FB0000-0x000000000113C000-memory.dmp

Filesize
1.5MB

Download
memory/2420-55-0x0000000000C70000-0x0000000000CB0000-memory.dmp

Filesize
256KB

Download
memory/2420-58-0x0000000000C70000-0x0000000000CB0000-memory.dmp

Filesize
256KB

Download