Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
15-03-2024 07:34
Static task
static1
Behavioral task
behavioral1
Sample
cad7af2b2714b813aa083c5e692cd7ba.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
cad7af2b2714b813aa083c5e692cd7ba.exe
Resource
win10v2004-20240226-en
General
-
Target
cad7af2b2714b813aa083c5e692cd7ba.exe
-
Size
9.0MB
-
MD5
cad7af2b2714b813aa083c5e692cd7ba
-
SHA1
24eb7d428398fb6fe79da729e8ff416b0970d6d8
-
SHA256
7eceee2d481d80031eb26f51bd11fbf9671c123107c83b0100b5dbaaf52ec833
-
SHA512
5f8902b38668bbf17001e47cb5045c590f1d733e00e0dddcdc5f95c883f93afdddac97d3a6f37981b9648869fd3247220d92adef8ca42e6a3b7630ac9300c4b8
-
SSDEEP
768:HOucKn7n1JGDNANIUARbvLDwUzc80gmq3oP/oDE:HO2GDNAPA9r/0O8/o4
Malware Config
Signatures
-
Nitro
A ransomware that demands Discord nitro gift codes to decrypt files.
-
Renames multiple (84) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\NR = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\cad7af2b2714b813aa083c5e692cd7ba.exe\"" cad7af2b2714b813aa083c5e692cd7ba.exe -
Drops desktop.ini file(s) 3 IoCs
description ioc Process File opened for modification C:\Users\Admin\Pictures\desktop.ini cad7af2b2714b813aa083c5e692cd7ba.exe File opened for modification C:\Users\Admin\Documents\desktop.ini cad7af2b2714b813aa083c5e692cd7ba.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini cad7af2b2714b813aa083c5e692cd7ba.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
flow ioc 9 discord.com 4 discord.com 5 discord.com 6 discord.com 7 discord.com 8 discord.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 api.ipify.org 3 api.ipify.org -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\wallpaper.png" cad7af2b2714b813aa083c5e692cd7ba.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" cad7af2b2714b813aa083c5e692cd7ba.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2340 cad7af2b2714b813aa083c5e692cd7ba.exe 2340 cad7af2b2714b813aa083c5e692cd7ba.exe -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process Token: SeDebugPrivilege 2340 cad7af2b2714b813aa083c5e692cd7ba.exe Token: SeIncreaseQuotaPrivilege 3052 WMIC.exe Token: SeSecurityPrivilege 3052 WMIC.exe Token: SeTakeOwnershipPrivilege 3052 WMIC.exe Token: SeLoadDriverPrivilege 3052 WMIC.exe Token: SeSystemProfilePrivilege 3052 WMIC.exe Token: SeSystemtimePrivilege 3052 WMIC.exe Token: SeProfSingleProcessPrivilege 3052 WMIC.exe Token: SeIncBasePriorityPrivilege 3052 WMIC.exe Token: SeCreatePagefilePrivilege 3052 WMIC.exe Token: SeBackupPrivilege 3052 WMIC.exe Token: SeRestorePrivilege 3052 WMIC.exe Token: SeShutdownPrivilege 3052 WMIC.exe Token: SeDebugPrivilege 3052 WMIC.exe Token: SeSystemEnvironmentPrivilege 3052 WMIC.exe Token: SeRemoteShutdownPrivilege 3052 WMIC.exe Token: SeUndockPrivilege 3052 WMIC.exe Token: SeManageVolumePrivilege 3052 WMIC.exe Token: 33 3052 WMIC.exe Token: 34 3052 WMIC.exe Token: 35 3052 WMIC.exe Token: SeIncreaseQuotaPrivilege 3052 WMIC.exe Token: SeSecurityPrivilege 3052 WMIC.exe Token: SeTakeOwnershipPrivilege 3052 WMIC.exe Token: SeLoadDriverPrivilege 3052 WMIC.exe Token: SeSystemProfilePrivilege 3052 WMIC.exe Token: SeSystemtimePrivilege 3052 WMIC.exe Token: SeProfSingleProcessPrivilege 3052 WMIC.exe Token: SeIncBasePriorityPrivilege 3052 WMIC.exe Token: SeCreatePagefilePrivilege 3052 WMIC.exe Token: SeBackupPrivilege 3052 WMIC.exe Token: SeRestorePrivilege 3052 WMIC.exe Token: SeShutdownPrivilege 3052 WMIC.exe Token: SeDebugPrivilege 3052 WMIC.exe Token: SeSystemEnvironmentPrivilege 3052 WMIC.exe Token: SeRemoteShutdownPrivilege 3052 WMIC.exe Token: SeUndockPrivilege 3052 WMIC.exe Token: SeManageVolumePrivilege 3052 WMIC.exe Token: 33 3052 WMIC.exe Token: 34 3052 WMIC.exe Token: 35 3052 WMIC.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2340 wrote to memory of 1764 2340 cad7af2b2714b813aa083c5e692cd7ba.exe 28 PID 2340 wrote to memory of 1764 2340 cad7af2b2714b813aa083c5e692cd7ba.exe 28 PID 2340 wrote to memory of 1764 2340 cad7af2b2714b813aa083c5e692cd7ba.exe 28 PID 2340 wrote to memory of 1764 2340 cad7af2b2714b813aa083c5e692cd7ba.exe 28 PID 1764 wrote to memory of 3052 1764 cmd.exe 30 PID 1764 wrote to memory of 3052 1764 cmd.exe 30 PID 1764 wrote to memory of 3052 1764 cmd.exe 30 PID 1764 wrote to memory of 3052 1764 cmd.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\cad7af2b2714b813aa083c5e692cd7ba.exe"C:\Users\Admin\AppData\Local\Temp\cad7af2b2714b813aa083c5e692cd7ba.exe"1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Windows\SysWOW64\Wbem\WMIC.exewmic csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3052
-
-