Overview

overview

10

Static

static

3

b09e0d502b...20.exe

windows7-x64

10

b09e0d502b...20.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    5fcc0d771615c34aae003a2dede09255a7ccf62455d29a06d6b1024ccff05ee8

  • Size

    25KB

  • Sample

    240419-v14l2abd7s

  • MD5

    cc37558aa6a54ac985b76ca64d5477bf

  • SHA1

    b7ce478598ef44474d539b81e8544376ed33a003

  • SHA256

    5fcc0d771615c34aae003a2dede09255a7ccf62455d29a06d6b1024ccff05ee8

  • SHA512

    06d7bfbec67a95f5b3c3bff11a3b09d87d9c08cc5ad8b1c937f0b6e508792a9f5530ccd84c31645a6362afa4a9d74416030a1cee4867cc8b53b3fe6e5fb11192

  • SSDEEP

    768:Ra6YGs76byCCfIU50Ra2DVTUWxPU6p+/RmpP:Ra6Bs76uCSIUCLoWRpu8P

Score
10/10
nitropersistenceransomwarespywarestealer

Malware Config

Targets

    • Target

      b09e0d502b9b512921e230c6f231c332c835134c39211266d3279871d6214420.exe

    • Size

      61KB

    • MD5

      c0d5c092b08dec24d255e0d686da9848

    • SHA1

      c20d4772984d3b3fe570375c74becb5315be14f8

    • SHA256

      b09e0d502b9b512921e230c6f231c332c835134c39211266d3279871d6214420

    • SHA512

      7ebc6ea3f4c9c370ef40d1bbb09409acb1bc67d195520f59801f48f9261c4d560c93c0a4e8d13961e55f7a6274400cb0afb858453b35964352c4f46230dd20f1

    • SSDEEP

      768:FKsMqCXfVcWO/M9ZkiANIUMDYLDwUzc80gmq3oP/oDW:FKseiM9ZkiAP3r/0O8/oq

    Score
    10/10
    nitropersistenceransomwarespywarestealer

    • Nitro

      A ransomware that demands Discord nitro gift codes to decrypt files.

      ransomwarenitro

    • Renames multiple (80) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Defacement

1
T1491

Resource Development

Reconnaissance

Tasks