Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-04-2024 03:39
Static task: static1
Behavioral task: behavioral1
- Sample: d1b880b4a5e9107ef5b1717b144043dbed9e506b28ade198a3d068b7f1b03aa2.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: d1b880b4a5e9107ef5b1717b144043dbed9e506b28ade198a3d068b7f1b03aa2.exe
- Resource: win10v2004-20240412-en
General
- Target: d1b880b4a5e9107ef5b1717b144043dbed9e506b28ade198a3d068b7f1b03aa2.exe
- Size: 368KB
- MD5: 6eb87a458d8b7298ee772ce8db45e5ff
- SHA1: 172bc64d221d7730cf3ec930a115622db7307ede
- SHA256: d1b880b4a5e9107ef5b1717b144043dbed9e506b28ade198a3d068b7f1b03aa2
- SHA512: ae335da85517e84433bdfcbd27fc58bcbe314d8e13e46e8375068e3233f0fb5c01133090b51a0b6476a1e6b80d0eaf6d57841b56ab953bba068be23561d01baf
- SSDEEP: 1536:EsPAPMcbmkiw+667MIBf28zPJtC6IoD/QWgxektFAo11iy:jPAPMcbmLf2RxIvy
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  Setting ShowSuperHidden to 0 turns Explorer's "Hide protected operating system files" option back on, so a dropped file with the hidden/system attributes stays out of view.
  Processes: nyvum.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | nyvum.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: d1b880b4a5e9107ef5b1717b144043dbed9e506b28ade198a3d068b7f1b03aa2.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation | d1b880b4a5e9107ef5b1717b144043dbed9e506b28ade198a3d068b7f1b03aa2.exe
- Executes dropped EXE (1 IoC)
  Processes: nyvum.exe
  pid | process
  3676 | nyvum.exe
- Adds Run key to start application (2 TTPs, 52 IoCs)
  Processes: nyvum.exe
  description | ioc | process
  All 52 entries are of the form:
  Set value (str) | \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nyvum = "C:\\Users\\Admin\\nyvum.exe /<switch>" | nyvum.exe
  where <switch> takes, in the order listed, the values K p n r j i D y E P a H T I g w B Y W J C k A f x t Z d L e N m O R s u F X M q o b v G c h z V S Q l U. That is every ASCII letter exactly once in each case: the same value name is rewritten 52 times with a different single-letter switch, so the persisted command line is not a stable string to hunt on; the value name (nyvum) and the executable path directly under the user profile are.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: nyvum.exe
  pid | process
  3676 | nyvum.exe (64 entries shown, all the same process)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: d1b880b4a5e9107ef5b1717b144043dbed9e506b28ade198a3d068b7f1b03aa2.exe, nyvum.exe
  pid | process
  4948 | d1b880b4a5e9107ef5b1717b144043dbed9e506b28ade198a3d068b7f1b03aa2.exe
  3676 | nyvum.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: d1b880b4a5e9107ef5b1717b144043dbed9e506b28ade198a3d068b7f1b03aa2.exe, nyvum.exe
  description | pid | process | target process
  PID 4948 wrote to memory of 3676 | 4948 | d1b880b4a5e9107ef5b1717b144043dbed9e506b28ade198a3d068b7f1b03aa2.exe | nyvum.exe (3 entries)
  PID 3676 wrote to memory of 4948 | 3676 | nyvum.exe | d1b880b4a5e9107ef5b1717b144043dbed9e506b28ade198a3d068b7f1b03aa2.exe (remaining 61 entries)
  The writes go both ways: the submitted sample writes into the nyvum.exe process it has just started, and nyvum.exe then writes repeatedly back into its parent. The report records only the cross-process writes, not what was written.
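The four behaviours above (Geo\Nation lookup, Run key pointing at an EXE in the profile root with a one-letter switch, ShowSuperHidden set to 0, and parent/child writing into each other's memory) expressed as detection rules and run over constructed events that mirror this report. This is an added example, not Triage code: the event fields kind/pid/key/data/target_pid are an assumed schema, and SAMPLE_EVENTS are built from the IoCs listed above rather than captured telemetry.

```python
"""Behavioural rules distilled from the report's signatures, run over
constructed sample events (assumed schema, not real telemetry)."""
import re
from collections import defaultdict

SID = r"\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000"

# Per-user Run key value, e.g. ...\CurrentVersion\Run\nyvum
RUN_VALUE = re.compile(r"\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.I)
# Explorer setting: 0 hides protected operating-system files
SHOW_SUPER_HIDDEN = re.compile(r"\\Explorer\\Advanced\\ShowSuperHidden$", re.I)
# Country code consulted for geofencing
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# An EXE directly in the profile root ("C:\Users\<user>\<name>.exe"),
# optionally followed by exactly one single-letter switch.
PROFILE_ROOT_EXE = re.compile(
    r'^"?[a-z]:\\Users\\[^\\"]+\\[^\\"]+\.exe"?(?:\s+/(?P<switch>[a-z]))?$', re.I)


def detect(events):
    """Return (rule, pid, detail) findings for the behaviours in the report."""
    findings = []
    run_writes = defaultdict(list)   # (pid, value name) -> switches written
    writes = defaultdict(set)        # writer pid -> set of target pids

    for ev in events:
        kind = ev["kind"]
        if kind == "reg_set":
            m = RUN_VALUE.search(ev["key"])
            if m:
                d = PROFILE_ROOT_EXE.match(str(ev["data"]))
                if d:
                    run_writes[(ev["pid"], m["name"])].append(d["switch"] or "")
            elif SHOW_SUPER_HIDDEN.search(ev["key"]) and str(ev["data"]) == "0":
                findings.append(("hide_system_files", ev["pid"], ev["key"]))
        elif kind == "reg_query" and GEO_NATION.search(ev["key"]):
            findings.append(("geo_check", ev["pid"], ev["key"]))
        elif kind == "proc_write":
            writes[ev["pid"]].add(ev["target_pid"])

    # One finding per Run value, however many times it was rewritten.
    for (pid, name), switches in run_writes.items():
        distinct = "".join(sorted(set(switches)))
        findings.append(("run_key_profile_exe", pid,
                         f"{name}: {len(switches)} writes, switches [{distinct}]"))

    # Parent wrote into child and child wrote back into parent; report once.
    for src, targets in writes.items():
        for dst in targets:
            if src < dst and src in writes.get(dst, ()):
                findings.append(("mutual_process_write", src, f"{src} <-> {dst}"))
    return findings


# Constructed to mirror the report: the 52 switches in the order listed above.
SWITCHES = "KpnrjiDyEPaHTIgwBYWJCkAfxtZdLeNmORsuFXMqobvGchzVSQlU"
DROPPER = "d1b880b4a5e9107ef5b1717b144043dbed9e506b28ade198a3d068b7f1b03aa2.exe"
RUN_KEY = SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nyvum"

SAMPLE_EVENTS = (
    [{"kind": "reg_query", "pid": 4948, "process": DROPPER,
      "key": SID + r"\Control Panel\International\Geo\Nation"}]
    + [{"kind": "proc_write", "pid": 4948, "target_pid": 3676}] * 3
    + [{"kind": "reg_set", "pid": 3676, "process": "nyvum.exe", "key": RUN_KEY,
        "data": rf"C:\Users\Admin\nyvum.exe /{c}"} for c in SWITCHES]
    + [{"kind": "reg_set", "pid": 3676, "process": "nyvum.exe", "data": 0,
        "key": SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden"}]
    + [{"kind": "proc_write", "pid": 3676, "target_pid": 4948}] * 61
)

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:22} pid={pid} {detail}")
```

The Run-key rule deliberately keys on the value name and the profile-root path rather than the full command line, since the switch changes on every write; the mutual-write rule fires only when both directions are seen, which separates this dropper/child pair from ordinary one-way injection.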
Processes
1. C:\Users\Admin\AppData\Local\Temp\d1b880b4a5e9107ef5b1717b144043dbed9e506b28ade198a3d068b7f1b03aa2.exe (PID 4948)
   Command line: "C:\Users\Admin\AppData\Local\Temp\d1b880b4a5e9107ef5b1717b144043dbed9e506b28ade198a3d068b7f1b03aa2.exe"
   - Checks computer location settings
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\nyvum.exe (PID 3676, child of 1)
      Command line: "C:\Users\Admin\nyvum.exe"
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\nyvum.exe
  Filesize: 368KB
  MD5: 3d53f78989c7fab189342a8a5d68e681
  SHA1: a12d0c9cac5571a66d1385dc5c4880ce5d6311bd
  SHA256: c8e3056f939710588b91a7d1a88bbd7d92b99553b65b0c7f9b1d7be237968e2a
  SHA512: fb06861b9fb7ce4b51e193f16af5c8ec788c6d1ae45ad7b218f840d06a4ce6139dac31d3a0ce88becb9edd3ba5f38ceb563ab9ae8d519d2827c7eeabd7bdd4d1
  The dropped copy has the same reported size as the submitted sample (368KB) but different hashes, so it is not a byte-for-byte copy of the dropper; hunting by the dropper's hashes alone will not find nyvum.exe on disk.