Analysis
- max time kernel: 114s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-it
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-it, locale:it-it, os:windows10-2004-x64, system:windows
- submitted: 02/03/2024, 22:48
- Static task: static1
- Behavioral task: behavioral1
- Sample: Nezur.exe
- Resource: win10v2004-20240226-it
General
- Target: Nezur.exe
- Size: 2.3MB
- MD5: 490ff45ffb331fe7d1af3e8be7505943
- SHA1: 3dbaf10c1b701299d1a2e805b6a007f4e22e028d
- SHA256: 68fc232535a29649d46dc5f9108a2a59b2b4ef7aad09fa675b497c7f1b585d1b
- SHA512: 79ccefd495dfde1ddcd28ac57aa6033ba6b08255ee4ec6b844d716adf25fc74cc7e77fb68696af617563969eef2c5d5bbd982c124b5c5eed3e79eacf21363bb2
- SSDEEP: 24576:uR+gKf3Iv02rq6s1Hm3MRWj3D2CotikzCEkXuSMOSByL8X:X/Ue6MG8A3eCISMOSB
Malware Config
Signatures
-
Sets service image path in registry (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\frAQBc8Wsa1xVPfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\frAQBc8Wsa1xVPfv" (process: Nezur.exe)
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature (process: firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (process: firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (process: firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (process: firefox.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz (process: firefox.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (process: firefox.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: firefox.exe)
Modifies registry class (1 IoC)
- Key created: \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings (process: firefox.exe)
Suspicious behavior: LoadsDriver (1 IoC)
- PID 2292 Nezur.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
- Token: SeDebugPrivilege, PID 2292 Nezur.exe
- Token: SeLoadDriverPrivilege, PID 2292 Nezur.exe
- Token: SeDebugPrivilege, PID 116 firefox.exe
- Token: SeDebugPrivilege, PID 116 firefox.exe
Suspicious use of FindShellTrayWindow (4 IoCs)
- PID 116 firefox.exe (4 events)
Suspicious use of SendNotifyMessage (3 IoCs)
- PID 116 firefox.exe (3 events)
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 116 firefox.exe
Suspicious use of WriteProcessMemory (64 IoCs)
The 64 recorded writes are repeats of the following source/target pairs (columns: description, pid, Process, procid_target):
- PID 3676 wrote to memory of 116; 3676 firefox.exe; procid_target 101
- PID 116 wrote to memory of 1040; 116 firefox.exe; procid_target 102
- PID 116 wrote to memory of 748; 116 firefox.exe; procid_target 103
- PID 116 wrote to memory of 1200; 116 firefox.exe; procid_target 104
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\Nezur.exe (PID:2292)
  command line: "C:\Users\Admin\AppData\Local\Temp\Nezur.exe"
  - Sets service image path in registry
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
- C:\Program Files\Mozilla Firefox\firefox.exe (PID:3676)
  command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Mozilla Firefox\firefox.exe (PID:116)
    command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID:1040, gpu)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="116.0.1137267429\185598148" -parentBuildID 20221007134813 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d853db9-b01f-4ce1-ade8-8076dfe25c0a} 116 "\\.\pipe\gecko-crash-server-pipe.116" 2016 154f4ceec58 gpu
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID:748, socket)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="116.1.1428793565\711344106" -parentBuildID 20221007134813 -prefsHandle 2396 -prefMapHandle 2392 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a78aa0b1-6a5e-47f2-9a11-c46c66661f9e} 116 "\\.\pipe\gecko-crash-server-pipe.116" 2408 154f4bfd858 socket
      - Checks processor information in registry
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID:1200, tab)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="116.2.783608327\1247372142" -childID 1 -isForBrowser -prefsHandle 3424 -prefMapHandle 3420 -prefsLen 20823 -prefMapSize 233444 -jsInitHandle 1224 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79e1d4f9-085d-46c4-a44e-79e0684c5087} 116 "\\.\pipe\gecko-crash-server-pipe.116" 3436 154f8cac158 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID:1416, tab)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="116.3.2142880874\381891291" -childID 2 -isForBrowser -prefsHandle 3128 -prefMapHandle 3040 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1224 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c88a18a7-6a9b-4bc5-85bb-d4d3284facca} 116 "\\.\pipe\gecko-crash-server-pipe.116" 3672 154e8461c58 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID:3684, tab)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="116.4.468452932\1682337514" -childID 3 -isForBrowser -prefsHandle 3824 -prefMapHandle 3820 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1224 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62ac4478-c716-4fe0-a360-718bb407e4d8} 116 "\\.\pipe\gecko-crash-server-pipe.116" 2912 154f91fbe58 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID:4988, tab)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="116.5.370840418\1348486177" -childID 4 -isForBrowser -prefsHandle 4856 -prefMapHandle 4936 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1224 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4da655e-6867-4778-90b5-8986c5a9dc46} 116 "\\.\pipe\gecko-crash-server-pipe.116" 4976 154f91f9458 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID:4824, tab)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="116.6.45025195\216765837" -childID 5 -isForBrowser -prefsHandle 5080 -prefMapHandle 5084 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1224 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62615586-7e93-4009-827c-955eb9ccfd0b} 116 "\\.\pipe\gecko-crash-server-pipe.116" 4920 154fb194c58 tab
    - C:\Program Files\Mozilla Firefox\firefox.exe (PID:4312, tab)
      command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="116.7.267100102\1520985145" -childID 6 -isForBrowser -prefsHandle 5280 -prefMapHandle 5284 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1224 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {81c62a88-75b5-4f4c-9d96-0b6bbef3d122} 116 "\\.\pipe\gecko-crash-server-pipe.116" 5272 154fb192558 tab
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID:5904)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=it --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4064 --field-trial-handle=2220,i,17752012012504442513,579370378644961515,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f97d9gc7.default-release\datareporting\glean\db\data.safe.bin
  Filesize: 2KB
  MD5: cf34e38ef27bcf375ed4bbdc9fbcf0f3
  SHA1: 2e7495b1d5f4d63beabd54330926ebdc9157e1a0
  SHA256: f7690b0f5fe45cdb1427c739614d8a128dd361bb89f70d6499b55e88b20640ca
  SHA512: 8ecf991d27b6b704f1c52afcbc336373b80c6137d4b6ccc170038b7e36f6cbe0c90e7ff963e46994b2c895855b29476aad22b2494aea01873c553d647f6c0a51
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f97d9gc7.default-release\datareporting\glean\pending_pings\15706b5c-494f-4a72-9890-d3f737873ab6
  Filesize: 746B
  MD5: af2c94bc6484d3cda157d0bef52e7d13
  SHA1: 5337aa071e67213542ec29f22369bba7a5990153
  SHA256: d0be23d1f42d93fa19b8d01255336812f86e68962911aa2a4d194d0825408323
  SHA512: 721cb86810a88c62631448a0414efc22efad17c87dfafadd4cda23dd4160c1a7c6421b3bf7e11c9c46f6df73e33c36fc385d9c086861195e986265677ec4e786
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f97d9gc7.default-release\datareporting\glean\pending_pings\d007c988-4231-472a-aebb-3dd03d30db53
  Filesize: 10KB
  MD5: b73912225f327625487edeec45441718
  SHA1: f88b6aa3dd536f1e577f400cc5823394bfc79e4e
  SHA256: 2a225a0de5b7fadccd22841a591a8cbe9d766402130747ee417ecb371e832715
  SHA512: 052bba7ad3438cfb40b659ec54f74995f781922b79cd04c17d2ea88e3639641b003cdd7c80d33d169e28f2dca8398e49b302a00ac606b0f504dcad64d2c84586
- (path not recorded)
  Filesize: 6KB
  MD5: 7e7c356908416e325490aacc338c7820
  SHA1: 80cfc5f7c56a3ff0fe0e3f666fc3a465367b5e4a
  SHA256: 1a1d1af1bacff5512ae3269c6593a3b49267139290c6654c69aa9a0d943a767b
  SHA512: 2b17407f021e6826d25390243cf4c6350ad3631b0b22a5d0c9b68b5decc0b62429517203aacb6cd4dc9ea973d9d2c35d970660a48a424f77c09d62dfda2ad438
- (path not recorded)
  Filesize: 6KB
  MD5: 1a6fd1e334cccdbf59d453ce44ccc77a
  SHA1: ff0d01d45d12ede8fbe39ec3dd01d7d85a57f018
  SHA256: 84b47130311b40fec354a08ce3e6f68285be3591144f7db3b9a75663fcd6ef4e
  SHA512: 254959f74c33fd2b4d4f39551fa36c5ae9375ded03c65f08d9f47f7e0d014f7eedc314b810a7fb8461ca363a043e19c6b2794cc672a497db33bc5d6ca85fea93
- (path not recorded)
  Filesize: 6KB
  MD5: a0397d6a9b197196d2bc61559b1aff07
  SHA1: be2ba383e80a39a0e1484335a8ab5b86a8f68c66
  SHA256: ffbfb35ad5ff22f440312a00044cfc4009795696a3703d6ec704526515470df5
  SHA512: 88492508a836b79b051641fdacd99690a5cd1529027226b144a17acc88632d7e4e22b839f260c79919e9baaabf81de81730dc85d8ee9954ec83414f96a5ed5f0
- C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f97d9gc7.default-release\sessionstore.jsonlz4
  Filesize: 886B
  MD5: e816786b75d52e4b5415558231825fde
  SHA1: d9ef56be6ab1a0c07227c4e42d6bf1df9de963eb
  SHA256: 8735ec2c7cc4b4c52b204589e049ed5c3ef8b5ef1ce888ff454e319f9803a126
  SHA512: f0c8c0624d0322db1fb2a9c79a6ad0686d90283e1ee8f9c2e9310f5271a33c5c6a3148435c3b405646a523501b548487eb38d5b9b05225cbb5ab9ff50561ac41