Analysis
-
max time kernel
122s -
max time network
135s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
30-12-2023 10:43
Static task
static1
Behavioral task
behavioral1
Sample
164651e3f142e4aec14ea0716a217064.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
164651e3f142e4aec14ea0716a217064.exe
Resource
win10v2004-20231215-en
General
-
Target
164651e3f142e4aec14ea0716a217064.exe
-
Size
88KB
-
MD5
164651e3f142e4aec14ea0716a217064
-
SHA1
63b608ba0c59407c312a83ee788392c99bc13642
-
SHA256
c00db1eba5ba7fcd234c6a568ff9ae60bb3f343da199d0db8cd9b11308603a4d
-
SHA512
6bef7221251a851b35c12c3f0c50d5d8412601e97f49a273e5da1b62dcf70d0841d864e625ee01b89f0b69866be7ab3b3f65f3ef577a97297de04f4bd035fe20
-
SSDEEP
768:1SKncH7WavCd2ULDwUzc8Ugmq3oP/oD75x1Yte1FmIOfTf9fgflfFf5fjfRfTf0c:1SxNQr/UO8/ofCtHI/DqSVFvTd
Malware Config
Signatures
-
Nitro
A ransomware that demands Discord nitro gift codes to decrypt files.
-
Renames multiple (75) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\NR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\164651e3f142e4aec14ea0716a217064.exe\"" 164651e3f142e4aec14ea0716a217064.exe -
Drops desktop.ini file(s) 3 IoCs
description ioc Process File opened for modification C:\Users\Admin\Documents\desktop.ini 164651e3f142e4aec14ea0716a217064.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini 164651e3f142e4aec14ea0716a217064.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini 164651e3f142e4aec14ea0716a217064.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 api.ipify.org 2 api.ipify.org -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" 164651e3f142e4aec14ea0716a217064.exe Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\wallpaper.png" 164651e3f142e4aec14ea0716a217064.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2120 164651e3f142e4aec14ea0716a217064.exe 2120 164651e3f142e4aec14ea0716a217064.exe -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process Token: SeDebugPrivilege 2120 164651e3f142e4aec14ea0716a217064.exe Token: SeIncreaseQuotaPrivilege 2844 WMIC.exe Token: SeSecurityPrivilege 2844 WMIC.exe Token: SeTakeOwnershipPrivilege 2844 WMIC.exe Token: SeLoadDriverPrivilege 2844 WMIC.exe Token: SeSystemProfilePrivilege 2844 WMIC.exe Token: SeSystemtimePrivilege 2844 WMIC.exe Token: SeProfSingleProcessPrivilege 2844 WMIC.exe Token: SeIncBasePriorityPrivilege 2844 WMIC.exe Token: SeCreatePagefilePrivilege 2844 WMIC.exe Token: SeBackupPrivilege 2844 WMIC.exe Token: SeRestorePrivilege 2844 WMIC.exe Token: SeShutdownPrivilege 2844 WMIC.exe Token: SeDebugPrivilege 2844 WMIC.exe Token: SeSystemEnvironmentPrivilege 2844 WMIC.exe Token: SeRemoteShutdownPrivilege 2844 WMIC.exe Token: SeUndockPrivilege 2844 WMIC.exe Token: SeManageVolumePrivilege 2844 WMIC.exe Token: 33 2844 WMIC.exe Token: 34 2844 WMIC.exe Token: 35 2844 WMIC.exe Token: SeIncreaseQuotaPrivilege 2844 WMIC.exe Token: SeSecurityPrivilege 2844 WMIC.exe Token: SeTakeOwnershipPrivilege 2844 WMIC.exe Token: SeLoadDriverPrivilege 2844 WMIC.exe Token: SeSystemProfilePrivilege 2844 WMIC.exe Token: SeSystemtimePrivilege 2844 WMIC.exe Token: SeProfSingleProcessPrivilege 2844 WMIC.exe Token: SeIncBasePriorityPrivilege 2844 WMIC.exe Token: SeCreatePagefilePrivilege 2844 WMIC.exe Token: SeBackupPrivilege 2844 WMIC.exe Token: SeRestorePrivilege 2844 WMIC.exe Token: SeShutdownPrivilege 2844 WMIC.exe Token: SeDebugPrivilege 2844 WMIC.exe Token: SeSystemEnvironmentPrivilege 2844 WMIC.exe Token: SeRemoteShutdownPrivilege 2844 WMIC.exe Token: SeUndockPrivilege 2844 WMIC.exe Token: SeManageVolumePrivilege 2844 WMIC.exe Token: 33 2844 WMIC.exe Token: 34 2844 WMIC.exe Token: 35 2844 WMIC.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2120 wrote to memory of 2700 2120 164651e3f142e4aec14ea0716a217064.exe 28 PID 2120 wrote to memory of 2700 2120 164651e3f142e4aec14ea0716a217064.exe 28 PID 2120 wrote to memory of 2700 2120 164651e3f142e4aec14ea0716a217064.exe 28 PID 2120 wrote to memory of 2700 2120 164651e3f142e4aec14ea0716a217064.exe 28 PID 2700 wrote to memory of 2844 2700 cmd.exe 30 PID 2700 wrote to memory of 2844 2700 cmd.exe 30 PID 2700 wrote to memory of 2844 2700 cmd.exe 30 PID 2700 wrote to memory of 2844 2700 cmd.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\164651e3f142e4aec14ea0716a217064.exe"C:\Users\Admin\AppData\Local\Temp\164651e3f142e4aec14ea0716a217064.exe"1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2844
-
-