nitro | c1d03cea76ebe3fad233250347dc80a0f0661991ebd119ee549d535b24769a79

Analysis

max time kernel
9s
max time network
11s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07/07/2023, 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NitroRansomware.exe
Size

1.7MB
MD5

31ddcf7eaeef8857e2a6f3a1bbf34a09
SHA1

bcfee5374172f50e431c6486d24925cf07d14e3a
SHA256

c1d03cea76ebe3fad233250347dc80a0f0661991ebd119ee549d535b24769a79
SHA512

9b8eae3bc41c6484920eed652057c8f04dcb362dc3de74d4a780e832540521578fafc75d786902c3b05622c2808cf8e240c9f1e894fbaf4abebd353ae87a34c6
SSDEEP

49152:QRYYGwfZPnlXgNuTdngwwHv5VbtHw1kqXfd+/9A:QRNDZdQNuNgNhVRw1kqXf0F

Score

10^/10

nitro ransomware

Malware Config

Extracted

Family

nitro

https://api.telegram.org/botPut your telegram token here/sendMessage?chat_id=Put your telegram chat ID here

Attributes

decrypt_key
e14a1a875002aa43e3b7869ef81c4f675abfcfa3563a2dbd191d0c96a03a7c75/

Signatures

Nitro
A ransomware that demands Discord nitro gift codes to decrypt files.
ransomware nitro

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	NitroRansomware.exe
Token: SeIncreaseQuotaPrivilege	1276	wmic.exe
Token: SeSecurityPrivilege	1276	wmic.exe
Token: SeTakeOwnershipPrivilege	1276	wmic.exe
Token: SeLoadDriverPrivilege	1276	wmic.exe
Token: SeSystemProfilePrivilege	1276	wmic.exe
Token: SeSystemtimePrivilege	1276	wmic.exe
Token: SeProfSingleProcessPrivilege	1276	wmic.exe
Token: SeIncBasePriorityPrivilege	1276	wmic.exe
Token: SeCreatePagefilePrivilege	1276	wmic.exe
Token: SeBackupPrivilege	1276	wmic.exe
Token: SeRestorePrivilege	1276	wmic.exe
Token: SeShutdownPrivilege	1276	wmic.exe
Token: SeDebugPrivilege	1276	wmic.exe
Token: SeSystemEnvironmentPrivilege	1276	wmic.exe
Token: SeRemoteShutdownPrivilege	1276	wmic.exe
Token: SeUndockPrivilege	1276	wmic.exe
Token: SeManageVolumePrivilege	1276	wmic.exe
Token: 33	1276	wmic.exe
Token: 34	1276	wmic.exe
Token: 35	1276	wmic.exe
Token: 36	1276	wmic.exe
Token: SeIncreaseQuotaPrivilege	1276	wmic.exe
Token: SeSecurityPrivilege	1276	wmic.exe
Token: SeTakeOwnershipPrivilege	1276	wmic.exe
Token: SeLoadDriverPrivilege	1276	wmic.exe
Token: SeSystemProfilePrivilege	1276	wmic.exe
Token: SeSystemtimePrivilege	1276	wmic.exe
Token: SeProfSingleProcessPrivilege	1276	wmic.exe
Token: SeIncBasePriorityPrivilege	1276	wmic.exe
Token: SeCreatePagefilePrivilege	1276	wmic.exe
Token: SeBackupPrivilege	1276	wmic.exe
Token: SeRestorePrivilege	1276	wmic.exe
Token: SeShutdownPrivilege	1276	wmic.exe
Token: SeDebugPrivilege	1276	wmic.exe
Token: SeSystemEnvironmentPrivilege	1276	wmic.exe
Token: SeRemoteShutdownPrivilege	1276	wmic.exe
Token: SeUndockPrivilege	1276	wmic.exe
Token: SeManageVolumePrivilege	1276	wmic.exe
Token: 33	1276	wmic.exe
Token: 34	1276	wmic.exe
Token: 35	1276	wmic.exe
Token: 36	1276	wmic.exe
Token: SeShutdownPrivilege	2508	NitroRansomware.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 1276	2508	NitroRansomware.exe	85
PID 2508 wrote to memory of 1276	2508	NitroRansomware.exe	85
PID 2508 wrote to memory of 1276	2508	NitroRansomware.exe	85

C:\Users\Admin\AppData\Local\Temp\NitroRansomware.exe
"C:\Users\Admin\AppData\Local\Temp\NitroRansomware.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\SysWOW64\Wbem\wmic.exe
  "wmic" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1276

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2508-133-0x0000000000760000-0x0000000000918000-memory.dmp

Filesize
1.7MB

Download
memory/2508-134-0x00000000057D0000-0x0000000005D74000-memory.dmp

Filesize
5.6MB

Download
memory/2508-135-0x00000000052D0000-0x0000000005362000-memory.dmp

Filesize
584KB

Download