Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

7

Static

static

3

NezurLoader.exe

windows7-x64

3

NezurLoader.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    40s
  • max time network
    52s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/01/2024, 03:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NezurLoader.exe

  • Size

    71KB

  • MD5

    858aec1e5d6c068cbc99167b5f9b7c6f

  • SHA1

    392d9d7218285cfe2d96c01503a60aea0c6535d1

  • SHA256

    cf269203bdad4b5675cc947003542e4f4ec6257223ab86cc7c8abdfc7d89b13f

  • SHA512

    6b052aa4ede7596217e96f57434609b8c069b0c8e7c0da3e7535f3e68ebddd2e4b5225911a18ae64fd23e6e869c9579940f3bade5a9c57a6c089a2923b0b0ec7

  • SSDEEP

    384:ix1BWsK2AVb+Uv3B0lWhESfzKn+nQJS2S68tQzWJq5XXSjwc:iod2SO5XS0c

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NezurLoader.exe
    "C:\Users\Admin\AppData\Local\Temp\NezurLoader.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2488
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\tokyofrance54102.vbs" /f
      2⤵
      • Modifies registry class
      PID:4232
    • C:\Windows\SysWOW64\reg.exe
      "C:\Windows\system32\reg.exe" add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /d "0" /f
      2⤵
      • Modifies registry class
      PID:1472
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C computerdefaults.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:968
      • C:\Windows\SysWOW64\ComputerDefaults.exe
        computerdefaults.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4524
        • C:\Windows\SysWOW64\wscript.exe
          "wscript.exe" C:\Users\Admin\AppData\Local\Temp\tokyofrance54102.vbs
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:3132
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
            5⤵
              PID:2840

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Costura\14AB1F611E6F230882BCE5B215C3F3AB\32\sqlite.interop.dll
      Filesize

      1.4MB

      MD5

      6f2fdecc48e7d72ca1eb7f17a97e59ad

      SHA1

      fcbc8c4403e5c8194ee69158d7e70ee7dbd4c056

      SHA256

      70e48ef5c14766f3601c97451b47859fddcbe7f237e1c5200cea8e7a7609d809

      SHA512

      fea98a3d6fff1497551dc6583dd92798dcac764070a350fd381e856105a6411c94effd4b189b7a32608ff610422b8dbd6d93393c5da99ee66d4569d45191dc8b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tokyofrance54102.vbs
      Filesize

      171B

      MD5

      a34267102c21aff46aecc85598924544

      SHA1

      77268af47c6a4b9c6be7f7487b2c9b233d49d435

      SHA256

      eba7ab5c248e46dbe70470b41ebf25a378b4eff9ce632adff927ac1f95583d44

      SHA512

      5d320312b93b46c9051a20c82d6405a3f2c78b23adb3ab3e71aad854b65b500937de7ca2986cf79967386d689beecccf676d89afde8ecc5d5ad0cb4ae2bf38a3

      Download Submit

    • memory/2488-0-0x0000000000C50000-0x0000000000C5A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2488-1-0x0000000005650000-0x00000000056E2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2488-2-0x0000000074C30000-0x00000000753E0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2488-3-0x0000000005CA0000-0x0000000006244000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2488-4-0x0000000005600000-0x0000000005610000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2488-8-0x000000000E340000-0x000000000F3EE000-memory.dmp

      Filesize

      16.7MB

      Download

    • memory/2488-9-0x0000000074C30000-0x00000000753E0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2488-15-0x0000000005600000-0x0000000005610000-memory.dmp

      Filesize

      64KB

      Download