Analysis

  • max time kernel
    114s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-it
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-it, locale:it-it, os:windows10-2004-x64, system, windows
  • submitted
    02/03/2024, 22:48

General

  • Target

    Nezur.exe

  • Size

    2.3MB

  • MD5

    490ff45ffb331fe7d1af3e8be7505943

  • SHA1

    3dbaf10c1b701299d1a2e805b6a007f4e22e028d

  • SHA256

    68fc232535a29649d46dc5f9108a2a59b2b4ef7aad09fa675b497c7f1b585d1b

  • SHA512

    79ccefd495dfde1ddcd28ac57aa6033ba6b08255ee4ec6b844d716adf25fc74cc7e77fb68696af617563969eef2c5d5bbd982c124b5c5eed3e79eacf21363bb2

  • SSDEEP

    24576:uR+gKf3Iv02rq6s1Hm3MRWj3D2CotikzCEkXuSMOSByL8X:X/Ue6MG8A3eCISMOSB

Score
8/10

Malware Config

Signatures

  • Sets service image path in registry (2 TTPs, 1 IoC)
  • Checks processor information in registry (2 TTPs, 8 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class (1 IoC)
  • Suspicious behavior: LoadsDriver (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SendNotifyMessage (3 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  In the process tree below, only "Sets service image path in registry", "Suspicious behavior: LoadsDriver" and "Suspicious use of AdjustPrivilegeToken" are attributed to Nezur.exe (PID 2292). The remaining signatures are raised by the Firefox processes that were also running in the sandbox (a browser writing to its own child processes, hooking windows and reading processor information is normal for Firefox), and the Task Scheduler COM API hit is not attributed to any listed process.
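The three signatures attributed to Nezur.exe itself (a service ImagePath written to the registry by a binary running from the user's Temp directory, followed by a driver load) are the ones worth reproducing as a host detection. The following is an added example, not part of this report or of any tool it names: it applies that logic to Sysmon-style records (event IDs 13, RegistryEvent value set, and 6, DriverLoad, are real Sysmon event types), correlating the ImagePath value with the driver that is later loaded. The event records are constructed to mirror this run; the service name ExampleSvc, the driver file example.sys, the vendor installer and the Firefox HKCU key are hypothetical, since the report names none of them.

```python
"""Detection logic for the registry and driver behaviours this report lists
for Nezur.exe (PID 2292), applied to Sysmon-style events.

Added example, not sandbox output: the records in SAMPLE_EVENTS are
constructed to mirror the report. The service name 'ExampleSvc' and the
driver file 'example.sys' are hypothetical; the report names neither.
"""
import re
from dataclasses import dataclass

# Real Sysmon event IDs: 6 = DriverLoad, 13 = RegistryEvent (value set).
EVENT_DRIVER_LOAD = 6
EVENT_REG_VALUE_SET = 13

# "Sets service image path in registry" is a write to
# HKLM\SYSTEM\<control set>\Services\<name>\ImagePath; for a kernel-driver
# service that value is the .sys file the kernel will load.
SERVICE_IMAGEPATH = re.compile(
    r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\([^\\]+)\\ImagePath$",
    re.IGNORECASE,
)
# The sample ran from a user temp directory; a service installer living
# there is the combination worth alerting on.
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def normalize_path(p: str) -> str:
    """Strip quotes and the NT prefixes \\??\\ and \\\\?\\, then lowercase, so an
    ImagePath value can be compared with the path in a DriverLoad event."""
    p = p.strip().strip('"')
    for prefix in ("\\??\\", "\\\\?\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
    return p.lower()


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def check_events(events):
    """Return findings, in event order, for:
      - service_imagepath_from_temp: a process under AppData\\Local\\Temp wrote
        a service ImagePath (what PID 2292 did in this run);
      - driver_loaded_after_imagepath_set: a driver load whose file is one an
        earlier ImagePath write pointed at, attributed to the writing process;
      - unsigned_driver_load: any other unsigned driver load.
    Sysmon DriverLoad (ID 6) carries no ProcessId, so the kernel (System,
    PID 4) is recorded for unsigned_driver_load."""
    findings = []
    imagepaths = {}  # normalized driver path -> (writer pid, service name)
    for ev in events:
        eid = ev["EventID"]
        if eid == EVENT_REG_VALUE_SET:
            m = SERVICE_IMAGEPATH.match(ev["TargetObject"])
            if not m:
                continue  # registry classes, HKCU prefs etc. are out of scope
            service = m.group(1)
            imagepaths[normalize_path(ev["Details"])] = (ev["ProcessId"], service)
            if USER_TEMP.search(ev["Image"]):
                findings.append(Finding("service_imagepath_from_temp", ev["ProcessId"],
                                        f"{service} -> {ev['Details']}"))
        elif eid == EVENT_DRIVER_LOAD:
            loaded = normalize_path(ev["ImageLoaded"])
            signed = str(ev.get("Signed", "")).lower() == "true"
            if loaded in imagepaths:
                pid, service = imagepaths[loaded]
                findings.append(Finding("driver_loaded_after_imagepath_set", pid,
                                        f"{service}: {ev['ImageLoaded']} signed={signed}"))
            elif not signed:
                findings.append(Finding("unsigned_driver_load", 4, ev["ImageLoaded"]))
    return findings


# Constructed to mirror the report's process tree; not records from the sandbox.
SAMPLE_EVENTS = [
    {"EventID": 13, "ProcessId": 2292,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\Nezur.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc\ImagePath",
     "Details": r"\??\C:\Users\Admin\AppData\Local\Temp\example.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Admin\AppData\Local\Temp\example.sys",
     "Signed": "false", "Signature": "-"},
    # Benign: a hypothetical installer in Program Files registering its own service.
    {"EventID": 13, "ProcessId": 4100,
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\VendorSvc\ImagePath",
     "Details": r"C:\Program Files\Vendor\vendorsvc.exe"},
    # Firefox's "Modifies registry class" is an HKCU classes key (hypothetical key), out of scope.
    {"EventID": 13, "ProcessId": 116,
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetObject": r"HKCU\Software\Classes\FirefoxHTML\shell\open\command",
     "Details": r'"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "%1"'},
]

if __name__ == "__main__":
    for f in check_events(SAMPLE_EVENTS):
        print(f"{f.rule:<35} pid={f.pid} {f.detail}")
```

Two caveats when moving this from the sandbox to real telemetry. Sysmon records registry key creation and value writes but not reads, so "Checks processor information in registry" (typically a read of HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor) is visible here only because the sandbox hooks reads; on an endpoint it needs EDR-level registry read telemetry. Likewise the Task Scheduler COM API hit has no registry write behind it; a task actually registered through that API shows up as Security event 4698 ("A scheduled task was created"), which this run did not produce.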

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nezur.exe
    "C:\Users\Admin\AppData\Local\Temp\Nezur.exe"
    1⤵
    • Sets service image path in registry
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    PID:2292

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3676

    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:116

      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="116.0.1137267429\185598148" -parentBuildID 20221007134813 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d853db9-b01f-4ce1-ade8-8076dfe25c0a} 116 "\\.\pipe\gecko-crash-server-pipe.116" 2016 154f4ceec58 gpu
        3⤵
        PID:1040

      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="116.1.1428793565\711344106" -parentBuildID 20221007134813 -prefsHandle 2396 -prefMapHandle 2392 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a78aa0b1-6a5e-47f2-9a11-c46c66661f9e} 116 "\\.\pipe\gecko-crash-server-pipe.116" 2408 154f4bfd858 socket
        3⤵
        • Checks processor information in registry
        PID:748

      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="116.2.783608327\1247372142" -childID 1 -isForBrowser -prefsHandle 3424 -prefMapHandle 3420 -prefsLen 20823 -prefMapSize 233444 -jsInitHandle 1224 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79e1d4f9-085d-46c4-a44e-79e0684c5087} 116 "\\.\pipe\gecko-crash-server-pipe.116" 3436 154f8cac158 tab
        3⤵
        PID:1200

      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="116.3.2142880874\381891291" -childID 2 -isForBrowser -prefsHandle 3128 -prefMapHandle 3040 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1224 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c88a18a7-6a9b-4bc5-85bb-d4d3284facca} 116 "\\.\pipe\gecko-crash-server-pipe.116" 3672 154e8461c58 tab
        3⤵
        PID:1416

      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="116.4.468452932\1682337514" -childID 3 -isForBrowser -prefsHandle 3824 -prefMapHandle 3820 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1224 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62ac4478-c716-4fe0-a360-718bb407e4d8} 116 "\\.\pipe\gecko-crash-server-pipe.116" 2912 154f91fbe58 tab
        3⤵
        PID:3684

      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="116.5.370840418\1348486177" -childID 4 -isForBrowser -prefsHandle 4856 -prefMapHandle 4936 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1224 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4da655e-6867-4778-90b5-8986c5a9dc46} 116 "\\.\pipe\gecko-crash-server-pipe.116" 4976 154f91f9458 tab
        3⤵
        PID:4988

      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="116.6.45025195\216765837" -childID 5 -isForBrowser -prefsHandle 5080 -prefMapHandle 5084 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1224 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62615586-7e93-4009-827c-955eb9ccfd0b} 116 "\\.\pipe\gecko-crash-server-pipe.116" 4920 154fb194c58 tab
        3⤵
        PID:4824

      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="116.7.267100102\1520985145" -childID 6 -isForBrowser -prefsHandle 5280 -prefMapHandle 5284 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1224 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81c62a88-75b5-4f4c-9d96-0b6bbef3d122} 116 "\\.\pipe\gecko-crash-server-pipe.116" 5272 154fb192558 tab
        3⤵
        PID:4312

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=it --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4064 --field-trial-handle=2220,i,17752012012504442513,579370378644961515,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:5904

Network

MITRE ATT&CK Enterprise v15

Downloads

  Every entry below is a file under the Firefox profile directory (Glean telemetry database and pending pings, prefs.js, sessionstore); the report does not attribute any of them to Nezur.exe. prefs-1.js is listed twice with different hashes, i.e. two versions of that file were captured during the run.

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f97d9gc7.default-release\datareporting\glean\db\data.safe.bin
    Filesize  2KB
    MD5       cf34e38ef27bcf375ed4bbdc9fbcf0f3
    SHA1      2e7495b1d5f4d63beabd54330926ebdc9157e1a0
    SHA256    f7690b0f5fe45cdb1427c739614d8a128dd361bb89f70d6499b55e88b20640ca
    SHA512    8ecf991d27b6b704f1c52afcbc336373b80c6137d4b6ccc170038b7e36f6cbe0c90e7ff963e46994b2c895855b29476aad22b2494aea01873c553d647f6c0a51

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f97d9gc7.default-release\datareporting\glean\pending_pings\15706b5c-494f-4a72-9890-d3f737873ab6
    Filesize  746B
    MD5       af2c94bc6484d3cda157d0bef52e7d13
    SHA1      5337aa071e67213542ec29f22369bba7a5990153
    SHA256    d0be23d1f42d93fa19b8d01255336812f86e68962911aa2a4d194d0825408323
    SHA512    721cb86810a88c62631448a0414efc22efad17c87dfafadd4cda23dd4160c1a7c6421b3bf7e11c9c46f6df73e33c36fc385d9c086861195e986265677ec4e786

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f97d9gc7.default-release\datareporting\glean\pending_pings\d007c988-4231-472a-aebb-3dd03d30db53
    Filesize  10KB
    MD5       b73912225f327625487edeec45441718
    SHA1      f88b6aa3dd536f1e577f400cc5823394bfc79e4e
    SHA256    2a225a0de5b7fadccd22841a591a8cbe9d766402130747ee417ecb371e832715
    SHA512    052bba7ad3438cfb40b659ec54f74995f781922b79cd04c17d2ea88e3639641b003cdd7c80d33d169e28f2dca8398e49b302a00ac606b0f504dcad64d2c84586

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f97d9gc7.default-release\prefs-1.js
    Filesize  6KB
    MD5       7e7c356908416e325490aacc338c7820
    SHA1      80cfc5f7c56a3ff0fe0e3f666fc3a465367b5e4a
    SHA256    1a1d1af1bacff5512ae3269c6593a3b49267139290c6654c69aa9a0d943a767b
    SHA512    2b17407f021e6826d25390243cf4c6350ad3631b0b22a5d0c9b68b5decc0b62429517203aacb6cd4dc9ea973d9d2c35d970660a48a424f77c09d62dfda2ad438

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f97d9gc7.default-release\prefs-1.js
    Filesize  6KB
    MD5       1a6fd1e334cccdbf59d453ce44ccc77a
    SHA1      ff0d01d45d12ede8fbe39ec3dd01d7d85a57f018
    SHA256    84b47130311b40fec354a08ce3e6f68285be3591144f7db3b9a75663fcd6ef4e
    SHA512    254959f74c33fd2b4d4f39551fa36c5ae9375ded03c65f08d9f47f7e0d014f7eedc314b810a7fb8461ca363a043e19c6b2794cc672a497db33bc5d6ca85fea93

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f97d9gc7.default-release\prefs.js
    Filesize  6KB
    MD5       a0397d6a9b197196d2bc61559b1aff07
    SHA1      be2ba383e80a39a0e1484335a8ab5b86a8f68c66
    SHA256    ffbfb35ad5ff22f440312a00044cfc4009795696a3703d6ec704526515470df5
    SHA512    88492508a836b79b051641fdacd99690a5cd1529027226b144a17acc88632d7e4e22b839f260c79919e9baaabf81de81730dc85d8ee9954ec83414f96a5ed5f0

  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f97d9gc7.default-release\sessionstore.jsonlz4
    Filesize  886B
    MD5       e816786b75d52e4b5415558231825fde
    SHA1      d9ef56be6ab1a0c07227c4e42d6bf1df9de963eb
    SHA256    8735ec2c7cc4b4c52b204589e049ed5c3ef8b5ef1ce888ff454e319f9803a126
    SHA512    f0c8c0624d0322db1fb2a9c79a6ad0686d90283e1ee8f9c2e9310f5271a33c5c6a3148435c3b405646a523501b548487eb38d5b9b05225cbb5ab9ff50561ac41