Analysis
- max time kernel: 1787s
- max time network: 1797s
- platform: windows11-21h2_x64
- resource: win11-20231129-en
- resource tags: arch:x64, arch:x86, image:win11-20231129-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 02-12-2023 17:30
Static task: static1
Behavioral task: behavioral1
- Sample: W-DAX-main/D WAX.exe
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: W-DAX-main/D WAX.exe
- Resource: win10-20231023-en
Behavioral task: behavioral3
- Sample: W-DAX-main/D WAX.exe
- Resource: win10v2004-20231130-en
Behavioral task: behavioral4
- Sample: W-DAX-main/D WAX.exe
- Resource: win11-20231129-en
General
- Target: W-DAX-main/D WAX.exe
- Size: 220KB
- MD5: 72b51e28589fbeac9400380dddedb79a
- SHA1: 4d14ab35e4425a8b1b1b655c2178b0ea2522e7f0
- SHA256: 6ca01f81cc92345981212659aa05d5595a45e96a1f4a6f8678d21f1d24c96aa0
- SHA512: 31cdc53b75d92b258ff5c160224e6212228d5ab42d5ed6b7e976439c0bd97cf444687079b95810e88c3ef36aa9670e4089578cf102baa37cc2f91d1dbe658cca
- SSDEEP: 6144:w9/COjX6BAs8WN7wwZV/pt2qFnM/pte63AX:wVvXK8WNzfptHEptpM
Malware Config
Extracted
- Family: xworm
- Version: 3.0
- C2: 16.ip.gl.ply.gg:59539
- Install_directory: %AppData%
- install_file: USB.exe
Extracted
- Path: C:\Users\Admin\AppData\Local\Temp\NitroRansomware.exe
Signatures
- Detect Xworm Payload (4 IoCs)
  resource / yara_rule:
  - behavioral4/files/0x00020000000295e9-7.dat: family_xworm
  - behavioral4/files/0x00020000000295e9-13.dat: family_xworm
  - behavioral4/files/0x00020000000295e9-12.dat: family_xworm
  - behavioral4/memory/3100-26-0x0000000000E20000-0x0000000000E40000-memory.dmp: family_xworm
- Nitro
  A ransomware that demands Discord nitro gift codes to decrypt files.
- Renames multiple (106) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Drops startup file (2 IoCs)
  Processes: SECURITY AVAST.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SECURITY AVAST.lnk (SECURITY AVAST.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SECURITY AVAST.lnk (SECURITY AVAST.exe)
- Executes dropped EXE (2 IoCs)
  Processes: SECURITY AVAST.exe, NitroRansomware.exe
  - PID 3100: SECURITY AVAST.exe
  - PID 5048: NitroRansomware.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: D WAX.exe, NitroRansomware.exe
  - Set value (str) \REGISTRY\USER\S-1-5-21-89531631-1347641568-3714596404-1000\Software\Microsoft\Windows\CurrentVersion\Run\SECURITY AVAST = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SECURITY AVAST.exe" (D WAX.exe)
  - Set value (str) \REGISTRY\USER\S-1-5-21-89531631-1347641568-3714596404-1000\Software\Microsoft\Windows\CurrentVersion\Run\NR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\NitroRansomware.exe\"" (NitroRansomware.exe)
- Drops desktop.ini file(s) (5 IoCs)
  Processes: NitroRansomware.exe
  - File opened for modification: C:\Users\Admin\Desktop\desktop.ini (NitroRansomware.exe)
  - File opened for modification: C:\Users\Admin\Pictures\desktop.ini (NitroRansomware.exe)
  - File opened for modification: C:\Users\Admin\Documents\desktop.ini (NitroRansomware.exe)
  - File opened for modification: C:\Users\Admin\Pictures\Camera Roll\desktop.ini (NitroRansomware.exe)
  - File opened for modification: C:\Users\Admin\Pictures\Saved Pictures\desktop.ini (NitroRansomware.exe)
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  Processes: NitroRansomware.exe
  - Set value (str) \REGISTRY\USER\S-1-5-21-89531631-1347641568-3714596404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\wallpaper.png" (NitroRansomware.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (2 IoCs)
  Processes: WerFault.exe, WerFault.exe
  - PID 3256, pid_target 5048, WerFault.exe, procid_target 80
  - PID 1696, pid_target 5048, WerFault.exe, procid_target 80
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: NitroRansomware.exe
  - PID 5048: NitroRansomware.exe
  - PID 5048: NitroRansomware.exe
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
  Processes: SECURITY AVAST.exe, NitroRansomware.exe, WMIC.exe
  - Token: SeDebugPrivilege, PID 3100, SECURITY AVAST.exe
  - Token: SeDebugPrivilege, PID 5048, NitroRansomware.exe
  - PID 2404, WMIC.exe, the following sequence of tokens recorded twice in a row (21 tokens per pass, 42 IoCs): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - Token: SeDebugPrivilege, PID 3100, SECURITY AVAST.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: D WAX.exe, NitroRansomware.exe, cmd.exe
  - PID 4164 (D WAX.exe) wrote to memory of 3100, procid_target 79 (2 events)
  - PID 4164 (D WAX.exe) wrote to memory of 5048, procid_target 80 (3 events)
  - PID 5048 (NitroRansomware.exe) wrote to memory of 2112, procid_target 81 (3 events)
  - PID 2112 (cmd.exe) wrote to memory of 2404, procid_target 83 (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\W-DAX-main\D WAX.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\W-DAX-main\D WAX.exe"
  PID: 4164
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\SECURITY AVAST.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SECURITY AVAST.exe"
    PID: 3100
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\NitroRansomware.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\NitroRansomware.exe"
    PID: 5048
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "cmd.exe"
      PID: 2112
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        Command line: wmic csproduct get uuid
        PID: 2404
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 1840
      PID: 3256
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 1840
      PID: 1696
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5048 -ip 5048
  PID: 3060
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5048 -ip 5048
  PID: 1680
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 106KB (3 identical entries)
  MD5: 9d45fedb0c67a1c04a89edb3ee707d44
  SHA1: 7773d0e37a0c478191f11e57b338a7a780001a3a
  SHA256: 7019f42701a888986b9dda599f0e8a6d21a762d409f539a05345778e39de7865
  SHA512: 88f99051e5023846d6cb1886031e6f390ac8c04b4f60ba1433edadb3239d23b8a817e20b06d6135a700b85d23ce8885714a8349d2f1c980a93b55a638262c7d6
- Filesize: 104KB (3 identical entries)
  MD5: cceba0ca8ed89f7c181bcfbbd934c591
  SHA1: 2166e325c5a65d751547e0a5b53f66e341e6ba40
  SHA256: 2f8785ef55401b2a906b9bc6a4d995bb58084c12577d39dae5a32d49525ae629
  SHA512: c56d0716db3df6d657f199b3e879cb09ebc7cccef5a722ad651ee4c44e019ca7bd62f5954af6404ec235f53afe9f248300619c99e7bf0e4ba3a8d5f4180f0262