Analysis
-
max time kernel
16s -
max time network
18s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
09/04/2024, 00:55
Static task
static1
Behavioral task
behavioral1
Sample
Nexus v2.2.0.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Nexus v2.2.0.exe
Resource
win10v2004-20231215-en
General
-
Target
Nexus v2.2.0.exe
-
Size
14.7MB
-
MD5
9d3515d804748c2291c5025d0606c647
-
SHA1
b88473d4d4a3c730d79e6b4200debc7c74251e45
-
SHA256
9d77d8e588704dc8694395478a4bd44727d8bae25a1ec988f593ef20f7da4adb
-
SHA512
5deb96e8da3cb2185df05f638d7ad4a42f4f92aff5efcfd177693a67a316b17678b165d7d3f7aa5b1800554d5dd39ce6f186b26956358ec9b9a7861ae2f50b87
-
SSDEEP
393216:lo9GKTGAdRi7p9nGistTgOmeX3dnCLRhr7hb0oHtE/BBsc:lOdTGAL+bLA+e9nC9hrhRtEPsc
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral2/files/0x0006000000023220-21.dat acprotect -
Executes dropped EXE 1 IoCs
pid Process 4700 Nexus v2.2.0.tmp -
Loads dropped DLL 6 IoCs
pid Process 4700 Nexus v2.2.0.tmp 4700 Nexus v2.2.0.tmp 4700 Nexus v2.2.0.tmp 4700 Nexus v2.2.0.tmp 4700 Nexus v2.2.0.tmp 4700 Nexus v2.2.0.tmp -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\is-BCD8S.tmp Nexus v2.2.0.tmp -
Drops file in Program Files directory 8 IoCs
description ioc Process File created C:\Program Files (x86)\Uninstall Nexus\unins000.dat Nexus v2.2.0.tmp File created C:\Program Files (x86)\Uninstall Nexus\is-EV4D4.tmp Nexus v2.2.0.tmp File created C:\Program Files (x86)\is-F12OS.tmp Nexus v2.2.0.tmp File created C:\Program Files (x86)\Common Files\Digidesign\DAE\Plug-Ins\is-FH432.tmp Nexus v2.2.0.tmp File created C:\Program Files (x86)\Common Files\Digidesign\DAE\Plug-Ins\is-DEVP7.tmp Nexus v2.2.0.tmp File created C:\Program Files (x86)\Manual\is-OJRO9.tmp Nexus v2.2.0.tmp File created C:\Program Files (x86)\Manual\is-1I74T.tmp Nexus v2.2.0.tmp File opened for modification C:\Program Files (x86)\Uninstall Nexus\unins000.dat Nexus v2.2.0.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4700 Nexus v2.2.0.tmp -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 5064 wrote to memory of 4700 5064 Nexus v2.2.0.exe 83 PID 5064 wrote to memory of 4700 5064 Nexus v2.2.0.exe 83 PID 5064 wrote to memory of 4700 5064 Nexus v2.2.0.exe 83
Processes
-
C:\Users\Admin\AppData\Local\Temp\Nexus v2.2.0.exe"C:\Users\Admin\AppData\Local\Temp\Nexus v2.2.0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Users\Admin\AppData\Local\Temp\is-NUGDE.tmp\Nexus v2.2.0.tmp"C:\Users\Admin\AppData\Local\Temp\is-NUGDE.tmp\Nexus v2.2.0.tmp" /SL5="$7016E,15020542,53248,C:\Users\Admin\AppData\Local\Temp\Nexus v2.2.0.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:4700
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
96KB
MD5286d9b79aae13b0b8eec19eff6e112c5
SHA172dabedbf90ea9cb7cdad6bfcf4bb34f0dcce41e
SHA25661813f57a29d7f29467f1dd1c96eebea84e5f51b0b0e74e5f6f905edd6c48aed
SHA5127d223805d9624a4120d141cec112c0b93909b880521e27a9f8a4a351d9866d6b2e655067fb163be1ca3e7d60b29582cd7879b8ad85eb0f6221bccf60da3fb735
-
Filesize
120KB
MD57aaf9f850b21512678623a9206f572a3
SHA11b13e31efa4b32e368010e6a4d02436373220279
SHA256ad46a43f535d647ab6ed9a8badcee1eff3497e45348844be327f505905b66e2b
SHA512af2e2fe324928da0c9d59fa9f20bc5614ffe414b5d460296c81452acd0952ee523b75e6a7163c35a52b5b7e134739736331297da6e466d64edf3785222f7ab9d
-
Filesize
363KB
MD5b31ad1bacfd7c51f35e052b8c7047d44
SHA1ba58ae4a4a28cd2a4c2a7b85d260e105fa6e79de
SHA256117ae53cf3e8bc95e6297a15d8365efd792da04df90744d4e244bbf72075ccc3
SHA5122a4c0d3f7065a9272bd70e8fd121e80d9c4e3d9089285841b245790f4789704c27cb88333ddbf3bbecbc26af926b7ffd7a722352c7f418c84a9087cb1a748368
-
Filesize
2.0MB
MD531e3fe928c4524cbc648205296e600e9
SHA1593e056da172480921dff41adfd08bd224b2baec
SHA256268b637662ddf5ea58ae7a531a075dc71076f1093b6f9e68a0c1db8f79ca4349
SHA51210569aade996407d3b749eb35bc961f827a5c90c158bceea89f4344c6d57aaf33c9831b52e71ba32171c725928b636cfc5a5e86b839185efe7ec97cfa0597b0e
-
Filesize
669KB
MD5df378ec3751fa0b4815a15b0a7bf365b
SHA137bc361f0ed1c94033a49cb8c4a3880c72b3d74e
SHA256c9015443a8680296828834326dcdc982c8ed8f6ec6c69f219cac39c3e94b8798
SHA512515c372ae640d797d66553cd6930ead79466a9176ec338fe7e6f5383d77b92c378ba83092828b81c62885a3895dbc084e1cfb0b1cf949eeacf36a35aa91b3925