Analysis
-
max time kernel
173s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
01-06-2024 15:22
General
-
Target
NixiusLoader.exe
-
Size
1.7MB
-
MD5
6912a8233a9f1eadba03ab278aa232c9
-
SHA1
137c0b915a4e1b519bb23a1735e155dcaa2eabd1
-
SHA256
9491ab0aa4778dfaff511cd415d73d968a279ce76aedf68c0aea63352c671245
-
SHA512
45c240dcb2565c4e478e12f5d815f1cdb2e94d85b901f59786e35e265dba6d1355ffae8907660f642bb307d807b940d2e773385f947fd5951bac965f62762330
-
SSDEEP
24576:C2JOqc6x8e9T5dN+pZIELCRbuO/2Y5TR+ucfc+S44xQrMUfc+S4:r3c6x8ET5daZ5LUbuOeY5RzxQrM
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NixiusLoader.exe"C:\Users\Admin\AppData\Local\Temp\NixiusLoader.exe"1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://link-center.net/829313/nixius2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffea6c846f8,0x7ffea6c84708,0x7ffea6c847183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,14294505779330900755,1495368205228482214,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,14294505779330900755,1495368205228482214,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,14294505779330900755,1495368205228482214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14294505779330900755,1495368205228482214,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14294505779330900755,1495368205228482214,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14294505779330900755,1495368205228482214,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14294505779330900755,1495368205228482214,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14294505779330900755,1495368205228482214,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14294505779330900755,1495368205228482214,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,14294505779330900755,1495368205228482214,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6172 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,14294505779330900755,1495368205228482214,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6172 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14294505779330900755,1495368205228482214,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14294505779330900755,1495368205228482214,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14294505779330900755,1495368205228482214,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14294505779330900755,1495368205228482214,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14294505779330900755,1495368205228482214,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:13⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Nixius\smi.exe"C:\Users\Admin\AppData\Roaming\Nixius\smi.exe" inject -p "Content Warning" -a "C:\Users\Admin\AppData\Local\Temp\MgNnxUbrlzrRWurNnz0A6igIg8eVcCMDc7Go7xA9\EXMTGBENqbGBEAzo9EHyzFOinozZnCQzy05jVMCf.dll" -n TestCheat -c Loader -m Load2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\ExitInvoke.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5439b5e04ca18c7fb02cf406e6eb24167
SHA1e0c5bb6216903934726e3570b7d63295b9d28987
SHA256247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
SHA512d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2
-
Filesize
152B
MD5a8e767fd33edd97d306efb6905f93252
SHA1a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
SHA256c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
SHA51207b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241
-
Filesize
720B
MD5f3909554dce64202927f5b6e43b7dfed
SHA13c1599ca443e06f02b728669634b059cb21c9bfe
SHA25635f6b1169ecf0a3cebc70bdb63e36d433ea94b19ac2ec692a4638d34a3133d19
SHA51205d19415cf13e1a32287982290423ea6afb7f302d5a9f65d9707c1212cff20f0da9da8be21a15c2e0077557741924b98f73bf4bf8930db965b052bf2466a2a02
-
Filesize
3KB
MD538cea31290082a2764c40c2f68567508
SHA19f1ea88cbc8b2fcc6aa9f3327711b94c1aae12c9
SHA25656ea35747bb76582d59b945722bc465b4892c149de5277674e303edb6ab2ff1c
SHA51215fd4c2ace1957ee4e5891b90e8b03cdb2b403015b7e73e32f863396031d41ddaeedef6dd9a34561ba518647716d80d652cc16c89f22d7dcc65b847a323f38b0
-
Filesize
5KB
MD574c056dbbba285c7eae1349c8466ddf2
SHA12137bfb26e8b1a311a24a25bf0d375ee6a171901
SHA256d64df06d1fb95e94c85f5fe202186a4cb1407f613e7a15c98a25867576e04262
SHA5129907accbf2bb36fcb7c0c81663d08a121c37c1c386a1a274fcb8138e8b6a685f450e53700c1dd5e67b75472ca36900003dde9ce4e10432ddfd9401bed574eb87
-
Filesize
7KB
MD5437c3ffe7c3882e655cbfa2cd71a3b97
SHA1bdcde6a46c9f35a2f1e7a8f4ef3300d70f42985c
SHA256bfd030b8521a7e17a68b4a5845c8431be3d852f97ccd10b34b7d79531eebb3dd
SHA5129e5480247104ea319a11dfd86f53d77973dad2b62e76fba8e766ea8e64f948a71c7642de9dda25a45aae7914717adb5f4abe3e96e1e5d887b365034afa371bc9
-
Filesize
7KB
MD5870d79e7a95e9b32d1450c612a7612df
SHA14dfc80a88ac72c52ed14c454e007112d09ae6d23
SHA256ddf473e3e28841980b340cf361708e7faf3d7d4ad09bd283ac576af241047dd4
SHA512812d7f8b816043a6ae872a6af54ebf29d2c715094622c3b0fff048bb1012d7b3cef946241d2ded4f45744e41f872984302b38ff3f0c8d5f3041643fb504f98d4
-
Filesize
8KB
MD5500d7d445d8b3705bf45f3bb979e12c2
SHA1bb96b3d383d132e11c75abe42d9a06b89e38ebc9
SHA256af88204863d2e8cdfc9060843771905b649c81d0bbdcba10a97a1f5444626b9a
SHA5121cf7385e2cca746bc1aa734bec94872056dba6190601fd3958dc0f104a756add9b714aa36a0a1221615e307c00edd62dbe30017633ddf58e4a5b18f0cf8f7978
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD58594d2804df986816bb44574d863f0cb
SHA12dd33a57dd96720b1964df785422f4ec61ddd8ab
SHA256f5933018dbeb117278b2c18d76b4d1d94482bc47096710f2130309fcf5363125
SHA51207aaff7e3c714a48b825164936d33fa539c1a79565454a7caba6c6e0fedfb2aad03b2daaf8475ec4f70d86d137a454adbf6b04251117dc285f6e81a504745db2
-
Filesize
11KB
MD51a13a11b4af96b1b3e6525079cd9fd42
SHA1ff5ec11be7d682c4304c49ffc2e340f948d5bdeb
SHA25608dca737363fe043f2c429485ef9deb288943250d7146e50be42a3931f41f762
SHA51277dcdd3985892094e6338843ec53f96fb0830ba74301fc36ec6f85c62baedc549852f47d457402f6264d603e30ebd065691a5bf57d9d0b4cfc694a5df6b04f6a
-
Filesize
11KB
MD53bae1f15bdce521f8ba2124e6ff7b594
SHA1f623fa3051423c5c4fc34a190476e8d2322088cb
SHA25633d7219d7d85983aa26dfa0d75ade266c3cce756550aae2717a4b8ec0200e6c3
SHA512cebc9412b57b13967815e526a582769a0373bf9978b625786c226d099ab70f8ff98e22b0e443bf09ad83581e3d5dc4c0c4bd78c30c4a2a31ef4a425769bba80c
-
Filesize
24KB
MD571d51bc16f1c2e9b04270c98985ba324
SHA10e9b3fa0df44f6ea33f4b49917b0fe57dbccb898
SHA256610e09a5f3b05b568143305bc5061ed316b346fd406539215c03acc8457521b0
SHA512f40c52df8d6d3f17991d5827a7377d5babc08dd5bf748d2131408c9783729fc498c1bb89aab4b9f91974d87eda47e5a7dfb130043d327059a278ade66029e356
-
Filesize
12KB
MD5b47619dfc37f1d54f7bf248a0c25cee6
SHA1a1d73f9c4c42574366ebb11ddc34c1a950e55805
SHA256a4e4fa49c31cbd3ece8f10d8ce39de551d3178b782c91f2a1f2f1da773be6343
SHA5124bb079290237c047070d114dd1878b120d849bcb910611a77d7f910575bb10ecb84d692509f1347d8ba080c7ca11e6d0081e9d21665d91c566b4861a7dacf261
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
624KB
-
Filesize
4KB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
3.8MB
-
Filesize
1.7MB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
48KB