Analysis
max time kernel: 1794s
max time network: 1506s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-08-2023 17:58

Behavioral task: behavioral1
Sample: Hazard-Nuker.exe
Resource: win10v2004-20230703-en
8 signatures, 1800 seconds
General
Target: Hazard-Nuker.exe
Size: 261KB
MD5: 2fc3e8ef37c14a67847253cb9438bbef
SHA1: b38fba1194eaa65f59746d635751f107b9c763ae
SHA256: ac9376d351bfde2935460c184dd71e7a4123cdb88c057da27f72386a477d19fe
SHA512: b756682435a8316ebbcd4d65e0b064514c6f6332fee363f600d23650ca06c7647f530d2edcf0e82f1994a6b4b986f12d8a0495f2263cd6f94dd19e3074f92639
SSDEEP: 3072:fiO7Hla/f/gue2f9bw5hZkOeE0jkaL6r:fdHla/fouek9AKki6
Score: 10/10
Malware Config
Signatures

Contains code to disable Windows Defender (1 IoC)
A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first seen, etc.
resource: behavioral1/memory/2228-133-0x0000000000710000-0x0000000000756000-memory.dmp
yara_rule: disable_win_def

StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload (1 IoC)
resource: behavioral1/memory/2228-133-0x0000000000710000-0x0000000000756000-memory.dmp
yara_rule: family_stormkitty

Adds Run key to start application (2 TTPs, 1 IoC)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nvidiaDValueOn = "C:\\Users\\Admin\\AppData\\Local\\NVIDIA Local Drivers\\DriversUpdateProcess_x64.exe"
Process: Hazard-Nuker.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow: 11
ioc: checkip.dyndns.org

Program crash (1 IoC)
pid: 2840
pid_target: 2228
Process: WerFault.exe
procid_target: 80

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid: 2228, Process: Hazard-Nuker.exe
pid: 2228, Process: Hazard-Nuker.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description: Token: SeDebugPrivilege
pid: 2228
Process: Hazard-Nuker.exe
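The Run-key value, the SHA256 of the sample and the checkip.dyndns.org lookup above are the IoCs a responder would hunt for on other hosts. The Python script below is an added example, not part of this sandbox report or of the StormKitty project: it matches those three IoCs against endpoint events written in a simplified pipe-separated key=value format whose field names follow Sysmon (EventID 13 registry value set, EventID 22 DNS query, EventID 1 process create). That layout, and the sample log lines, are constructed for the example and are not from the sandbox run.

```python
"""Hunt for the IoCs from the report above in Sysmon-style endpoint events.

Added example, not part of the sandbox report. Event layout is an assumption:
one event per line, fields separated by '|', each field key=value, with
Sysmon field names (EventID, Image, TargetObject, Details, QueryName, Hashes).
"""
import re
from typing import Dict, Iterable, List, Tuple

# IoCs copied from the report.
RUN_VALUE_NAME = "nvidiaDValueOn"
RUN_VALUE_DATA = r"C:\Users\Admin\AppData\Local\NVIDIA Local Drivers\DriversUpdateProcess_x64.exe"
SAMPLE_SHA256 = "ac9376d351bfde2935460c184dd71e7a4123cdb88c057da27f72386a477d19fe"
IP_LOOKUP_HOST = "checkip.dyndns.org"

# Any value written under a Run key, whatever hive prefix the log source uses
# (\REGISTRY\USER\<SID>\..., HKU\<SID>\..., HKLM\...). Group 1 is the value name.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE
)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one '|'-separated key=value event line into a dict."""
    fields: Dict[str, str] = {}
    for token in line.strip().split("|"):
        if "=" in token:
            key, value = token.split("=", 1)  # values such as Hashes contain '='
            fields[key.strip()] = value.strip()
    return fields


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the report IoCs an event matches (empty if none)."""
    hits: List[str] = []
    event_id = event.get("EventID")
    if event_id == "13":  # registry value set
        match = RUN_KEY_RE.search(event.get("TargetObject", ""))
        if match:
            hits.append("run_key_persistence")  # generic: any Run-key write
            value_name = match.group(1).lower()
            value_data = event.get("Details", "").strip('"').lower()
            if value_name == RUN_VALUE_NAME.lower() or value_data == RUN_VALUE_DATA.lower():
                hits.append("stormkitty_run_key_ioc")  # exact value from the report
    elif event_id == "22":  # DNS query
        if event.get("QueryName", "").lower().rstrip(".") == IP_LOOKUP_HOST:
            hits.append("external_ip_lookup")
    elif event_id == "1":  # process create; Sysmon Hashes field is "SHA256=...,MD5=..."
        if SAMPLE_SHA256 in event.get("Hashes", "").lower():
            hits.append("known_sample_sha256")
    return hits


def hunt(lines: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Classify every event; return (Image, hits) for the events that matched."""
    findings: List[Tuple[str, List[str]]] = []
    for line in lines:
        event = parse_event(line)
        hits = classify(event)
        if hits:
            findings.append((event.get("Image", "?"), hits))
    return findings


# Constructed sample events: three mirror what the report describes, two are
# benign noise (a legitimate Run-key write and an unrelated DNS query).
SAMPLE_LOG = [
    r"EventID=1|Image=C:\Users\Admin\AppData\Local\Temp\Hazard-Nuker.exe|ProcessId=2228"
    r"|Hashes=SHA256=AC9376D351BFDE2935460C184DD71E7A4123CDB88C057DA27F72386A477D19FE",
    r"EventID=13|Image=C:\Users\Admin\AppData\Local\Temp\Hazard-Nuker.exe"
    r"|TargetObject=HKU\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Windows\CurrentVersion\Run\nvidiaDValueOn"
    r"|Details=C:\Users\Admin\AppData\Local\NVIDIA Local Drivers\DriversUpdateProcess_x64.exe",
    r"EventID=22|Image=C:\Users\Admin\AppData\Local\Temp\Hazard-Nuker.exe|QueryName=checkip.dyndns.org",
    r"EventID=13|Image=C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
    r"|TargetObject=HKU\S-1-5-21-4176143399-3250363947-192774652-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"
    r"|Details=C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    r"EventID=22|Image=C:\Windows\System32\svchost.exe|QueryName=www.msftconnecttest.com",
]

if __name__ == "__main__":
    for image, hits in hunt(SAMPLE_LOG):
        print(f"{image}: {', '.join(hits)}")
```

The Run-key regex deliberately fires on every Run-key write, so the OneDrive line in the sample is reported as generic persistence while only the report's value name or path earns the StormKitty-specific hit; the checkip.dyndns.org match is not tied to a process and will also catch benign software that checks its public IP, so triage it with the process image; the SHA256 match is exact to this sample and will miss a repacked build, which is why the behavioural matches are kept alongside it.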
Processes

C:\Users\Admin\AppData\Local\Temp\Hazard-Nuker.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Hazard-Nuker.exe"
  PID: 2228
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\WerFault.exe (child of PID 2228)
    command line: C:\Windows\system32\WerFault.exe -u -p 2228 -s 1528
    PID: 2840
    - Program crash

C:\Windows\system32\WerFault.exe
  command line: C:\Windows\system32\WerFault.exe -pss -s 408 -p 2228 -ip 2228
  PID: 1696