Malware Analysis Report

2024-08-06 15:54

Sample ID 240511-jp1v8aef61
Target Free Nitro V1 (NICHT ÖFFNEN).exe
SHA256 251502f58eaa174cc8e0644573a8f12e766d662b4c8d88db99080dc73748bd14
Tags
chaos defense_evasion evasion execution impact ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

251502f58eaa174cc8e0644573a8f12e766d662b4c8d88db99080dc73748bd14

Threat Level: Known bad

The file Free Nitro V1 (NICHT ÖFFNEN).exe was found to be: Known bad.

Malicious Activity Summary

chaos defense_evasion evasion execution impact ransomware spyware stealer

Chaos Ransomware

Chaos family

Chaos

Deletes shadow copies

Modifies boot configuration data using bcdedit

Deletes backup catalog

Checks computer location settings

Reads user/profile data of web browsers

Drops startup file

Executes dropped EXE

Drops desktop.ini file(s)

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Opens file in notepad (likely ransom note)

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Windows Management Instrumentation
T1047
Command and Scripting Interpreter
T1059
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Indicator Removal
T1070
File Deletion
T1070.004
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Peripheral Device Discovery
T1120
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Inhibit System Recovery
T1490
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-11 07:51

Signatures

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Chaos family

chaos

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-11 07:51

Reported

2024-05-11 07:54

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Free Nitro V1.url C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2300 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe
PID 2300 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe
PID 2300 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe
PID 2212 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe C:\Windows\System32\cmd.exe
PID 2212 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe C:\Windows\System32\cmd.exe
PID 2212 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe C:\Windows\System32\cmd.exe
PID 2604 wrote to memory of 2472 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2604 wrote to memory of 2472 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2604 wrote to memory of 2472 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2604 wrote to memory of 2772 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2604 wrote to memory of 2772 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2604 wrote to memory of 2772 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2212 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe C:\Windows\System32\cmd.exe
PID 2212 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe C:\Windows\System32\cmd.exe
PID 2212 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe C:\Windows\System32\cmd.exe
PID 2668 wrote to memory of 2760 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2668 wrote to memory of 2760 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2668 wrote to memory of 2760 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2668 wrote to memory of 2768 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2668 wrote to memory of 2768 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2668 wrote to memory of 2768 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2212 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe C:\Windows\System32\cmd.exe
PID 2212 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe C:\Windows\System32\cmd.exe
PID 2212 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe C:\Windows\System32\cmd.exe
PID 2744 wrote to memory of 1228 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2744 wrote to memory of 1228 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2744 wrote to memory of 1228 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2212 wrote to memory of 672 N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe C:\Windows\system32\NOTEPAD.EXE
PID 2212 wrote to memory of 672 N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe C:\Windows\system32\NOTEPAD.EXE
PID 2212 wrote to memory of 672 N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe C:\Windows\system32\NOTEPAD.EXE

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe

"C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe"

C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe

"C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt

Network

N/A

Files

memory/2300-0-0x000007FEF5D73000-0x000007FEF5D74000-memory.dmp

memory/2300-1-0x0000000000DF0000-0x0000000000DFC000-memory.dmp

C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe

MD5 15b098986a7466a4c5262f4d4034aa70
SHA1 85eef8e7bcbd7358ba4eeed6e2813b2eb394f32f
SHA256 251502f58eaa174cc8e0644573a8f12e766d662b4c8d88db99080dc73748bd14
SHA512 e48b29e292c6c89d28ea6b9fce4b7560fed82faa9848fcd9c227edab2f376b670e5a5b7b57a59e525456893858d5dbf7d1acd5a09f42004fea24799b5f736530

memory/2212-7-0x0000000000840000-0x000000000084C000-memory.dmp

memory/2212-25-0x000007FEF5D70000-0x000007FEF675C000-memory.dmp

memory/2212-26-0x000007FEF5D70000-0x000007FEF675C000-memory.dmp

C:\Users\Admin\Documents\read_it.txt

MD5 c3100858c2ef177fbcb0be8a79c5d808
SHA1 f72d55236d91dc5f25ba7449e905b10f93550211
SHA256 3ced8d9de724facb6a6c15d7e83bb7e6da14b6621594044f106f06f392aa8365
SHA512 d5bc0605d51574de1d01d393255ba4fe1698afedd13042f26793fee939ec33b1d5411e401dd14dba9a14e25c4fc8b7d7a1906af0828d30f33fc35dac2f032f0c

memory/2212-436-0x000007FEF5D70000-0x000007FEF675C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-11 07:51

Reported

2024-05-11 07:52

Platform

win10v2004-20240426-en

Max time kernel

37s

Max time network

36s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Free Nitro V1.url C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-540404634-651139247-2967210625-1000\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3192 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe
PID 3192 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe
PID 5076 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe C:\Windows\System32\cmd.exe
PID 5076 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe C:\Windows\System32\cmd.exe
PID 1908 wrote to memory of 5092 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1908 wrote to memory of 5092 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1908 wrote to memory of 5044 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1908 wrote to memory of 5044 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5076 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe C:\Windows\System32\cmd.exe
PID 5076 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe C:\Windows\System32\cmd.exe
PID 4516 wrote to memory of 4420 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4516 wrote to memory of 4420 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4516 wrote to memory of 860 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4516 wrote to memory of 860 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 5076 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe C:\Windows\System32\cmd.exe
PID 5076 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe C:\Windows\System32\cmd.exe
PID 3752 wrote to memory of 3680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3752 wrote to memory of 3680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 5076 wrote to memory of 32 N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe C:\Windows\system32\NOTEPAD.EXE
PID 5076 wrote to memory of 32 N/A C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe C:\Windows\system32\NOTEPAD.EXE

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe

"C:\Users\Admin\AppData\Local\Temp\Free Nitro V1 (NICHT ÖFFNEN).exe"

C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe

"C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp

Files

memory/3192-0-0x00000000008B0000-0x00000000008BC000-memory.dmp

memory/3192-1-0x00007FFB5AE73000-0x00007FFB5AE75000-memory.dmp

C:\Users\Admin\AppData\Roaming\Free Nitro V1.exe

MD5 15b098986a7466a4c5262f4d4034aa70
SHA1 85eef8e7bcbd7358ba4eeed6e2813b2eb394f32f
SHA256 251502f58eaa174cc8e0644573a8f12e766d662b4c8d88db99080dc73748bd14
SHA512 e48b29e292c6c89d28ea6b9fce4b7560fed82faa9848fcd9c227edab2f376b670e5a5b7b57a59e525456893858d5dbf7d1acd5a09f42004fea24799b5f736530

memory/5076-14-0x00007FFB5AE70000-0x00007FFB5B931000-memory.dmp

memory/5076-22-0x00007FFB5AE70000-0x00007FFB5B931000-memory.dmp

C:\Users\Admin\Documents\read_it.txt

MD5 c3100858c2ef177fbcb0be8a79c5d808
SHA1 f72d55236d91dc5f25ba7449e905b10f93550211
SHA256 3ced8d9de724facb6a6c15d7e83bb7e6da14b6621594044f106f06f392aa8365
SHA512 d5bc0605d51574de1d01d393255ba4fe1698afedd13042f26793fee939ec33b1d5411e401dd14dba9a14e25c4fc8b7d7a1906af0828d30f33fc35dac2f032f0c

memory/5076-461-0x00007FFB5AE70000-0x00007FFB5B931000-memory.dmp