Overview

overview

6

Static

static

3

Nezur (1).zip

windows7-x64

1

Nezur (1).zip

windows10-2004-x64

1

Nezur.exe

windows7-x64

1

Nezur.exe

windows10-2004-x64

1

README.txt

windows7-x64

1

README.txt

windows10-2004-x64

1

auto_load.txt

windows7-x64

1

auto_load.txt

windows10-2004-x64

1

configs/autosave.cfg

windows7-x64

3

configs/autosave.cfg

windows10-2004-x64

3

lua51.dll

windows7-x64

3

lua51.dll

windows10-2004-x64

3

start.bat

windows7-x64

6

start.bat

windows10-2004-x64

6

Resubmissions

14-02-2024 03:14

240214-drczaafe3s 6

13-02-2024 22:25

240213-2b1bmsbg82 6

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    13-02-2024 22:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    configs/autosave.cfg

  • Size

    916B

  • MD5

    024ab27dfe02dbcd5357528ac4dbe028

  • SHA1

    2f2b7df7b4557e274d4255cebd65d6d7c125cf95

  • SHA256

    c029522bb51f2eea602e3818be4b495282cc2d8da92421f8bf3ced7dc46098bd

  • SHA512

    f87d48447e5663be7e63f7f7934d33c795f2201acc753720bbf77af49cf8ab44b6f9618a2a22dd8f08a5d67424ca0c7c566b15b3f172edc34af4b29a23b5d137

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\configs\autosave.cfg
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2264
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\configs\autosave.cfg
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2036
      • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\configs\autosave.cfg"
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        PID:2800

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
    Filesize

    3KB

    MD5

    d0375c1548d8a6a567b748d8cc4b8123

    SHA1

    0de14aac4669552f99f4e6246fd7862ac87fb334

    SHA256

    fa81a4f296fd1d427a10a9a64f958dd9ca93c1ad4bc574d908125378c37863b9

    SHA512

    bb40c147fb470d1e49811125ebcb1e7a93e4eaaade2fee6495470f3da7a7b2d07e270a118cc1ed3e2f78e72dfbc3e96e0d36a00f1c24337af61b84964966d41b

    Download Submit