Analysis
max time kernel: 171s
max time network: 169s
platform: windows10-2004_x64
resource: win10v2004-20240319-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/04/2024, 02:23
Behavioral task: behavioral1
Sample: Nezur.exe
Resource: win7-20240221-en
13 signatures
150 seconds
General
Target: Nezur.exe
Size: 4.6MB
MD5: 483bc175a855a89d93cb00577bbb7920
SHA1: 55b1ca916684328da9b004083189bf92ccd29138
SHA256: 42317a2bf653554d75fee360889868dca0d1fa4cd8db24dac5e616e4ea6208c3
SHA512: 3b186a5f644711634a331d7bf771cb7247a889fe65c3fc138de20cbb45f2f83bf060e6257444812d681015b8fddf1af03282a941ebd3019c5673a79cc1cc4ea7
SSDEEP: 98304:URkvYI8Xa9jB6TKw/h4z+sLDuOl/+ooXE9jwzb6G:USvUa9jwk+sew/+ooXE4
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)   2 TTPs   1 IoCs
description   ioc   Process
Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   Nezur.exe
Stops running service(s)   3 TTPs
Checks BIOS information in registry   2 TTPs   2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description   ioc   Process
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   Nezur.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   Nezur.exe
resource   yara_rule
behavioral2/memory/2036-N-0x00007FF633F10000-0x00007FF634AC6000-memory.dmp   themida
(22 memory dumps of PID 2036, N = 0, 2-13, 15-23, all covering the same 0x00007FF633F10000-0x00007FF634AC6000 region and all matching the themida rule)
Checks whether UAC is enabled
description   ioc   Process
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   Nezur.exe
Suspicious use of NtSetInformationThreadHideFromDebugger   1 IoCs
pid   Process
2036   Nezur.exe
Launches sc.exe   1 IoCs
Sc.exe is a Windows utility to control services on the system.
pid   Process
1012   sc.exe
Enumerates physical storage devices   1 TTPs
Attempts to interact with connected storage/optical drive(s).
Kills process with taskkill   5 IoCs
pid   Process
4828   taskkill.exe
1592   taskkill.exe
2292   taskkill.exe
5072   taskkill.exe
1488   taskkill.exe
Suspicious behavior: EnumeratesProcesses   64 IoCs
pid   Process
2036   Nezur.exe   (64 identical entries)
Suspicious use of AdjustPrivilegeToken   5 IoCs
description   pid   Process
Token: SeDebugPrivilege   1488   taskkill.exe
Token: SeDebugPrivilege   4828   taskkill.exe
Token: SeDebugPrivilege   1592   taskkill.exe
Token: SeDebugPrivilege   2292   taskkill.exe
Token: SeDebugPrivilege   5072   taskkill.exe
Suspicious use of WriteProcessMemory   36 IoCs
description   pid   Process   procid_target
(each row below appears twice in the report, 36 entries in total)
PID 2036 wrote to memory of 1104   2036   Nezur.exe   100
PID 1104 wrote to memory of 4540   1104   cmd.exe   102
PID 1104 wrote to memory of 1148   1104   cmd.exe   103
PID 1104 wrote to memory of 1576   1104   cmd.exe   104
PID 2036 wrote to memory of 5080   2036   Nezur.exe   105
PID 5080 wrote to memory of 1488   5080   cmd.exe   106
PID 2036 wrote to memory of 4588   2036   Nezur.exe   120
PID 2036 wrote to memory of 3644   2036   Nezur.exe   112
PID 2036 wrote to memory of 532   2036   Nezur.exe   116
PID 532 wrote to memory of 4828   532   cmd.exe   117
PID 2036 wrote to memory of 3112   2036   Nezur.exe   125
PID 3112 wrote to memory of 1012   3112   cmd.exe   119
PID 2036 wrote to memory of 4588   2036   Nezur.exe   120
PID 4588 wrote to memory of 1592   4588   cmd.exe   121
PID 2036 wrote to memory of 4984   2036   Nezur.exe   122
PID 4984 wrote to memory of 2292   4984   cmd.exe   124
PID 2036 wrote to memory of 2916   2036   Nezur.exe   127
PID 2916 wrote to memory of 5072   2916   cmd.exe   128
Processes
C:\Users\Admin\AppData\Local\Temp\Nezur.exe   (level 1, PID 2036)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Nezur.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe   (level 2, PID 1104)
    Command line: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Nezur.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\certutil.exe   (level 3, PID 4540)
      Command line: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Nezur.exe" MD5
    C:\Windows\system32\find.exe   (level 3, PID 1148)
      Command line: find /i /v "md5"
    C:\Windows\system32\find.exe   (level 3, PID 1576)
      Command line: find /i /v "certutil"
  C:\Windows\system32\cmd.exe   (level 2, PID 5080)
    Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\taskkill.exe   (level 3, PID 1488)
      Command line: taskkill /f /im HTTPDebuggerUI.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   (level 2, PID 4588)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://key.nezur.io/
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   (level 2, PID 3644)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://1cheats.com/store/product/41-nezur-key-bypass-lifetime-license/
  C:\Windows\system32\cmd.exe   (level 2, PID 532)
    Command line: C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\taskkill.exe   (level 3, PID 4828)
      Command line: taskkill /f /im HTTPDebuggerSvc.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe   (level 2, PID 3112)
    Command line: C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\sc.exe   (level 3, PID 1012)
      Command line: sc stop HTTPDebuggerPro
      - Launches sc.exe
  C:\Windows\system32\cmd.exe   (level 2, PID 4588)
    Command line: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\taskkill.exe   (level 3, PID 1592)
      Command line: taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe   (level 2, PID 4984)
    Command line: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\taskkill.exe   (level 3, PID 2292)
      Command line: taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe   (level 2, PID 2916)
    Command line: C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\taskkill.exe   (level 3, PID 5072)
      Command line: taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   (level 1, PID 3160)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=5148 --field-trial-handle=2808,i,4621512294509789388,1545966267740426092,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   (level 1, PID 708)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5028 --field-trial-handle=2808,i,4621512294509789388,1545966267740426092,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   (level 1, PID 4656)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5408 --field-trial-handle=2808,i,4621512294509789388,1545966267740426092,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   (level 1, PID 856)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5788 --field-trial-handle=2808,i,4621512294509789388,1545966267740426092,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   (level 1, PID 1180)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5824 --field-trial-handle=2808,i,4621512294509789388,1545966267740426092,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   (level 1, PID 3172)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5996 --field-trial-handle=2808,i,4621512294509789388,1545966267740426092,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   (level 1, PID 3112)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6304 --field-trial-handle=2808,i,4621512294509789388,1545966267740426092,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   (level 1, PID 2232)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=6440 --field-trial-handle=2808,i,4621512294509789388,1545966267740426092,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   (level 1, PID 2060)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=6316 --field-trial-handle=2808,i,4621512294509789388,1545966267740426092,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   (level 1, PID 4596)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6616 --field-trial-handle=2808,i,4621512294509789388,1545966267740426092,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   (level 1, PID 2412)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --mojo-platform-channel-handle=3876 --field-trial-handle=2808,i,4621512294509789388,1545966267740426092,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   (level 1, PID 1600)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --mojo-platform-channel-handle=6940 --field-trial-handle=2808,i,4621512294509789388,1545966267740426092,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe   (level 1, PID 3096)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=7104 --field-trial-handle=2808,i,4621512294509789388,1545966267740426092,262144 --variations-seed-version /prefetch:8