Overview

overview

10

Static

static

3

NitroRansomware.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    551s
  • max time network
    552s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2023 16:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NitroRansomware.exe

  • Size

    46KB

  • MD5

    af57b5cdafd36c63826b26ad16d78e3d

  • SHA1

    19405d20a07fcc4b5a8c0840db657d137e68b076

  • SHA256

    dd7daac7332b1b74aebe5e3374efc2a4efa10a0629e327a3a0aaf777e400a731

  • SHA512

    41ebea4b37b802c8b78c804bad6482e32cb2b78a75a9b6b848ef0899eb238aca89fb4c7fda4a47e862ee045624d0830e662893a233c766886c356464246ea61a

  • SSDEEP

    768:ZRUiBoXdCiIuiAzYEYySfjYwmlLDwUzc8y:ZRU1kZ5AzYAS8nlr/y

Score
10/10
nitropersistenceransomwarespywarestealer

Malware Config

Signatures

  • Nitro

    A ransomware that demands Discord nitro gift codes to decrypt files.

    ransomwarenitro
  • Renames multiple (63) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 5 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Program crash 2 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\NitroRansomware.exe
    "C:\Users\Admin\AppData\Local\Temp\NitroRansomware.exe"
    1⤵
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Sets desktop wallpaper using registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3416
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4476
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2276
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 2108
      2⤵
      • Program crash
      PID:4728
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 2108
      2⤵
      • Program crash
      PID:2376
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3416 -ip 3416
    1⤵
      PID:1788
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3416 -ip 3416
      1⤵
        PID:2340
      • C:\Windows\system32\OpenWith.exe
        C:\Windows\system32\OpenWith.exe -Embedding
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:632
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RemoveGrant.bmp.givemenitro
          2⤵
          • Opens file in notepad (likely ransom note)
          PID:5112
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:3416
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:1056
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe"
            2⤵
            • Checks processor information in registry
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2696
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2696.0.541007390\1515030047" -parentBuildID 20221007134813 -prefsHandle 1896 -prefMapHandle 1564 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c177abf9-09ec-419b-a2bc-3e3bf6c052a0} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" 1976 22c35edc058 gpu
              3⤵
                PID:4404
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2696.1.201535762\1970794571" -parentBuildID 20221007134813 -prefsHandle 2364 -prefMapHandle 2360 -prefsLen 20974 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6520a93b-a3db-4920-818d-aa178672efa6} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" 2376 22c35a34058 socket
                3⤵
                  PID:2424
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2696.2.1978756420\962170513" -childID 1 -isForBrowser -prefsHandle 3244 -prefMapHandle 3260 -prefsLen 21077 -prefMapSize 232675 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {395e1258-6a4b-4843-8b07-953748ccfe08} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" 3224 22c3a1a6f58 tab
                  3⤵
                    PID:4796
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2696.3.233906292\862580148" -childID 2 -isForBrowser -prefsHandle 3568 -prefMapHandle 3564 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {622614aa-8849-4ffb-9162-b29d6705a14d} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" 3580 22c22362b58 tab
                    3⤵
                      PID:3724
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2696.4.1048855784\1738692986" -childID 3 -isForBrowser -prefsHandle 3596 -prefMapHandle 3700 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {08cb7c2e-217b-477e-a9b0-369c2840c662} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" 3960 22c3b30c258 tab
                      3⤵
                        PID:952
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2696.7.1406008193\1827089362" -childID 6 -isForBrowser -prefsHandle 5212 -prefMapHandle 5216 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {430ffe1f-24fb-40f4-9984-491d5e4608d9} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" 5204 22c3c0ceb58 tab
                        3⤵
                          PID:796
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2696.6.1448511596\1186541455" -childID 5 -isForBrowser -prefsHandle 5068 -prefMapHandle 4996 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {078cb74b-cb6f-44ee-884e-05a4f3309549} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" 4984 22c3c0cf158 tab
                          3⤵
                            PID:2408
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2696.5.2116274644\1880567214" -childID 4 -isForBrowser -prefsHandle 1680 -prefMapHandle 3988 -prefsLen 26496 -prefMapSize 232675 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2713d1e-bfb8-4d1a-95e9-4aebd667aed4} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" 1804 22c35edba58 tab
                            3⤵
                              PID:3056
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2696.8.1470892189\1483461190" -childID 7 -isForBrowser -prefsHandle 2812 -prefMapHandle 5788 -prefsLen 26831 -prefMapSize 232675 -jsInitHandle 1228 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {393aae28-1e33-4448-906b-d32b43b57789} 2696 "\\.\pipe\gecko-crash-server-pipe.2696" 5776 22c3df43858 tab
                              3⤵
                                PID:4652

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\04pqhkp3.default-release\activity-stream.discovery_stream.json.tmp
                            Filesize

                            22KB

                            MD5

                            15614418e91761d0ba4c70cd43dfc577

                            SHA1

                            9e32022c3110dae83e5307966ac9a5fb7cd91aeb

                            SHA256

                            cb51eaf4acea90df96b622723a2374d6a71ff6b3e0f43c2e2c78c5d9ac4db9e8

                            SHA512

                            0c71e3b8ffd64cc2646ac3cb37480c9fc034f64f2babc5b904b2f1e2a5e41a915271cf0947693f882b05c97fe0779e2cb76201dd2ee9307db4e17b7d0fe8b3b3

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\04pqhkp3.default-release\cache2\doomed\24977
                            Filesize

                            15KB

                            MD5

                            6b66111a9795ad6e2327f654dd4c73aa

                            SHA1

                            4109fbf0037c01d3d9a585c38535c52682b965c2

                            SHA256

                            978ebe3144f2edb8cb6610ac6058f725054692c0b74e816d323e7a914f6d8fb4

                            SHA512

                            1041e4c6b58ea5ea9297cf5192d09611aac2c83fc3ff95b54820e4d81e307fe04726bb0d4587c2b6fec48471f209a1d32ffca4f2197392b78925a5599df86aff

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\04pqhkp3.default-release\cache2\doomed\29299
                            Filesize

                            15KB

                            MD5

                            70cd9e9daaf92caf8006c0bf3786bb79

                            SHA1

                            057aafd75eb0b762db541e53a5ecd659ada34c06

                            SHA256

                            15805e8fc031338fde523ef6f2e7b9ddf93717e0288505a99925e289af79cf7a

                            SHA512

                            bbacea11ced1c91d6af2833406ba9ddafe68d397808b328241ec4ae39662136bc5672b20f6a247b52acbcb2082c5383945d7f5a56f07391097b7ef322bba71fc

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\04pqhkp3.default-release\prefs-1.js
                            Filesize

                            6KB

                            MD5

                            1f2e570c66bf8d9bd028553fce819f9f

                            SHA1

                            7b18fb4a3ce8271a8466051963f99f92f11913c8

                            SHA256

                            a07ccc988ccc1e9288d49a342db05e49f7f9ee913eff69c3ea3c25e2e8db7c66

                            SHA512

                            d48d97a846cfc66b7612b386599a60ecba232c4bb5b1bf41f17870ee674a4f430cde2754c7a7260d270cadcc5e7edcb9b81f8d9078d66aac787ee7573e23c4e5

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\04pqhkp3.default-release\sessionstore-backups\recovery.jsonlz4
                            Filesize

                            3KB

                            MD5

                            a7ddafd0b2cc01aa63fd772f7e7f1d86

                            SHA1

                            7d4ac366d5b73e9005776f557c01742ed52f2cde

                            SHA256

                            b89e0fc24af76901b4b3cda9fe2f715ac89e8a6e5abb47ae235c31d9f5e90bef

                            SHA512

                            d1ccf6d85f12ac5b5b8cb97dc1c2c08697f31cddcb5a93e0d9f7ddae74edc17d7c6b5cbb7f1d12653c890c5c254fda50e682b68dc32cc51e46707728ee046e6e

                            Download Submit

                          • C:\Users\Admin\Desktop\RemoveGrant.bmp.givemenitro
                            Filesize

                            1.7MB

                            MD5

                            196b949529c666bfa7637050c2612e65

                            SHA1

                            b492c156880833e50291feb171417fec4da399b0

                            SHA256

                            b68523753684b9164617dfa4091bf60986a3b4d370eb90e36923db1c10a93450

                            SHA512

                            6ac522ee4110556be12d06786aea61e4783d1ad74d3e71b0daab231a15d2117462f543b218928ba12cb2a9785fd88ac9f2438714f1d5335ffcf2890d032d1e3b

                            Download Submit

                          • memory/3416-3-0x0000000005840000-0x00000000058D2000-memory.dmp

                            Filesize

                            584KB

                            Download

                          • memory/3416-72-0x0000000006650000-0x000000000665A000-memory.dmp

                            Filesize

                            40KB

                            Download

                          • memory/3416-73-0x00000000751F0000-0x00000000759A0000-memory.dmp

                            Filesize

                            7.7MB

                            Download

                          • memory/3416-59-0x0000000005B90000-0x0000000005BA0000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/3416-53-0x00000000751F0000-0x00000000759A0000-memory.dmp

                            Filesize

                            7.7MB

                            Download

                          • memory/3416-4-0x0000000005B90000-0x0000000005BA0000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/3416-0-0x0000000000DF0000-0x0000000000E02000-memory.dmp

                            Filesize

                            72KB

                            Download

                          • memory/3416-2-0x0000000005D10000-0x00000000062B4000-memory.dmp

                            Filesize

                            5.6MB

                            Download

                          • memory/3416-1-0x00000000751F0000-0x00000000759A0000-memory.dmp

                            Filesize

                            7.7MB

                            Download