Analysis Overview
SHA256
68fc232535a29649d46dc5f9108a2a59b2b4ef7aad09fa675b497c7f1b585d1b
Threat Level: Likely malicious
The file Nezur.exe was found to be: Likely malicious.
Malicious Activity Summary
Sets service image path in registry
Drops file in System32 directory
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-02 23:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-02 23:21
Reported
2024-03-02 23:24
Platform
win7-20240221-en
Max time kernel
45s
Max time network
125s
Command Line
Signatures
Sets service image path in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\frAQBc8Wsa1xVPfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\frAQBc8Wsa1xVPfv" | C:\Users\Admin\AppData\Local\Temp\Nezur.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Windows\system32\mmc.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Windows\system32\mmc.exe | N/A |
| File opened for modification | C:\Windows\system32\secpol.msc | C:\Windows\system32\mmc.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nezur.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\mmc.exe | N/A |
| N/A | N/A | C:\Windows\system32\mmc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Nezur.exe
"C:\Users\Admin\AppData\Local\Temp\Nezur.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 832 -s 240
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef65c9758,0x7fef65c9768,0x7fef65c9778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=1288,i,15579457462087202270,14039968749966236178,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1288,i,15579457462087202270,14039968749966236178,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1640 --field-trial-handle=1288,i,15579457462087202270,14039968749966236178,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2036 --field-trial-handle=1288,i,15579457462087202270,14039968749966236178,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2164 --field-trial-handle=1288,i,15579457462087202270,14039968749966236178,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1484 --field-trial-handle=1288,i,15579457462087202270,14039968749966236178,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1316 --field-trial-handle=1288,i,15579457462087202270,14039968749966236178,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3676 --field-trial-handle=1288,i,15579457462087202270,14039968749966236178,131072 /prefetch:8
C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\secpol.msc" /s
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3708 --field-trial-handle=1288,i,15579457462087202270,14039968749966236178,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2072 --field-trial-handle=1288,i,15579457462087202270,14039968749966236178,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=1872 --field-trial-handle=1288,i,15579457462087202270,14039968749966236178,131072 /prefetch:1
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 172.217.16.228:443 | www.google.com | udp |
| GB | 172.217.16.228:443 | www.google.com | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| GB | 142.250.187.202:443 | content-autofill.googleapis.com | tcp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
| DE | 172.217.16.131:443 | beacons.gcp.gvt2.com | tcp |
| GB | 142.250.187.202:443 | content-autofill.googleapis.com | udp |
| DE | 172.217.16.131:443 | beacons.gcp.gvt2.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
Files
memory/832-2-0x0000000140000000-0x00000001405E8000-memory.dmp
\??\pipe\crashpad_2288_JJQMBFXOMAXCLSYG
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
memory/2344-69-0x0000000002230000-0x0000000002231000-memory.dmp
memory/2344-72-0x00000000027C0000-0x00000000027DE000-memory.dmp
memory/2344-73-0x000007FEF1A00000-0x000007FEF239D000-memory.dmp
memory/2344-74-0x0000000004A80000-0x0000000004B00000-memory.dmp
memory/2344-75-0x000007FEF1A00000-0x000007FEF239D000-memory.dmp
memory/2344-77-0x00000000031D0000-0x00000000031FB000-memory.dmp
memory/2344-76-0x0000000004A80000-0x0000000004B00000-memory.dmp
memory/2344-78-0x0000000004A80000-0x0000000004B00000-memory.dmp
memory/2344-87-0x000007FFFFF00000-0x000007FFFFF10000-memory.dmp
memory/2344-88-0x0000000004A80000-0x0000000004B00000-memory.dmp
memory/2344-89-0x000007FEF1A00000-0x000007FEF239D000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001
| MD5 | 89d79dbf26a3c2e22ddd95766fe3173d |
| SHA1 | f38fd066eef4cf4e72a934548eafb5f6abb00b53 |
| SHA256 | 367ef9ec8dc07f84fed51cac5c75dc1ac87688bbf8f5da8e17655e7917bd7b69 |
| SHA512 | ab7ce168e6f59e2250b82ec62857c2f2b08e5a548de85ac82177ac550729287ead40382a7c8a92fbce7f53b106d199b1c8adbb770e47287fc70ea0ea858faba6 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | cfdbf76955905c4607fb3c8eb64dcd87 |
| SHA1 | e70d3deefdd697fb299ac0dd270520e8621aad50 |
| SHA256 | 96c780f2282875c2fa3303f2fcb988ba5037255711555c837bc076bd909f72e5 |
| SHA512 | fdde39d8cc36cff18aae59dacba20e4e23aa4898cb19b82eb9cde53194925e4bcd06ab0f4f6e9daa2a987bdfc1619bdebaca2ce05ce30224c69b0fb28ed80838 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 8f49afd8f73a24ee8bb9e60f26f9d15c |
| SHA1 | 153ef8e1c92f3d6228fff77977429f86bff6f033 |
| SHA256 | 42b5119a55cf21e8f9067a0403c72780b58753f56cfb92fdf0c02ab3559d9170 |
| SHA512 | e3b548764aa2c3c0457164111198a41772a44a500ef72f44335f3a170870ba015439d95b694e45b31da63373cac3e95f99adc7dafc769d612b73133fee8604e0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 186d38499d76d068e1161ad7d5abf227 |
| SHA1 | f74a80e00f4436426f18e219c3dbb48f365afee6 |
| SHA256 | 45d5306def5ea601743903ded940eca52d13edbd4287b1ca69e7e2d2524baf61 |
| SHA512 | fa20f1171d5dd4215a85960d0a8b9549c408ce17e41b357fe68231e1755cd9444ad5fbd0e9aa36dfdbf8cbd95a98f283eb337df2ef3dfa5adad2838e69e66798 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 103363e76272893e0e938a59826cfc7d |
| SHA1 | 385f2ac0b0b122ebbaeb160ab56725b594805bab |
| SHA256 | 38e016354dfa46f2ce83e82742a60289b43ad38fa3a083143ebf9fe1d8735b81 |
| SHA512 | 32657d453a3b2e116b263f67c5484aef7220d3927231b05f9b390d5f6f31de5bbef099e9c6ca0f1b214eba1a6520774462f2804ff6fe68db6f5c9cb320a85137 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b
| MD5 | fc2a7d2849daca79b4c1b6146aee0392 |
| SHA1 | aef22b22492edfae8d6377cde0af97d93fbfd2dc |
| SHA256 | 89e6b3d18f1e4872bdbfc2e684d6298452508c66119055a84db3b2e04bca28b6 |
| SHA512 | fad22bca0222e150e9cf1f655630d127853d4083f974d1c7695ce78b7e0ef49591db1c779b551aa81a78b9a8f96d162231682e36322803a1d456ad2ad873dfc5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | f90f951359da96e67978426f27ec6bd0 |
| SHA1 | 1d51b52c7c465f544d2e0782d9c9fad8c6afa355 |
| SHA256 | 9b19c13354612d88e13b4f84198ceee9852f1d65b5290c0445f7ded83a924679 |
| SHA512 | 6241adc4c21cee441ae507e7f82b2a468fef1570c503b781eb3f9d942dd20a338a79dce173b87e26ca6e5b55714e2165c35d98850176261303d12cf5a5196996 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 23c2d940e9805d8a082ccf2c1097ccc1 |
| SHA1 | ae37cf0e8bfa1533374840ff58a208676bd110c2 |
| SHA256 | a282070823225ade47ceebf0621fcac76a5a4525ec222f9a8dffa4b89c59bf67 |
| SHA512 | 8f16b081b0f8c82c0f94d8cf3c3829bb3f746bd48bd07f455e8b1a0c6fca869a5286b64d2b1065806606afaeef59a7fff48b913f70d7f1a80d6c6bd26b2b6397 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 4cab6cbce8edadf22fc55a8956ccc325 |
| SHA1 | 6318a4490adea0594f2d6c71091c947d64f2b962 |
| SHA256 | 536d11a9dc2a5da82046dbe61b5602d159803b1552d3dfbfa3d5c82b84e7ea6d |
| SHA512 | d3e39dec8c88d35657042b1fc5ce8a136cf6d0379fc7b5ae9dc18582f491beefb59c76f2db74d5d029888ac43d0e39b085d83ad910213f20e8c8949a23543b36 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 190df7332edb5114f71c2c73be3390b7 |
| SHA1 | d49b5a7d6430e0d31a0c3fe8d9e1e6835e1fcca3 |
| SHA256 | 8d71586355c85d8cd5157443b61df61cdd389eceddb3299c2f29418669e03c43 |
| SHA512 | 862f0f21e3b712c5b3642d1c8d0776aea30fd366481bb2083533fddb422a116f65f4baefc9e6871a7579c70b23edfc862c23544c0c8fe1a22222ca4f9b91cfd1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 0254894a0374ced96380cfad0fc9c62d |
| SHA1 | d8a3c24bf00ae763b45d1abd9ba10065f9577b73 |
| SHA256 | 5afb33d233e4bb58b225a01c6de745dea4bd62f45c8768fd0bcfa2926b60005e |
| SHA512 | 8b638fa6d30625bf0243c769ceeb222b0622b5ea16e5fb6e620be2b49884115f7672d4117c2372a768717111f0932703f7338ccc17855c57bd8684afcd9d126e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\45f859a5-1369-4901-8865-235d40868fc8.tmp
| MD5 | 8915fc935db5ae595c699a0e083054ba |
| SHA1 | bc65dcf6f47d2637964643861980dde1e659e8e2 |
| SHA256 | 36d979a535665d077163c10f1da581ccea0bcb4501e1d74a3c69dffedd7b9699 |
| SHA512 | 76898c9e643610d9c25fa802bee3aa7656fcccf0a33e90a2e99d2e50f1347419976a77d3e99c790e29d49e65f9ae46a3e04f260cb9aa3705b6ad6bd1e9a87c9c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-02 23:21
Reported
2024-03-02 23:24
Platform
win10v2004-20240226-en
Max time kernel
92s
Max time network
127s
Command Line
Signatures
Sets service image path in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\frAQBc8Wsa1xVPfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\frAQBc8Wsa1xVPfv" | C:\Users\Admin\AppData\Local\Temp\Nezur.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nezur.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Nezur.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Nezur.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Nezur.exe
"C:\Users\Admin\AppData\Local\Temp\Nezur.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |