Analysis
- max time kernel: 1794s
- max time network: 1564s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 13-06-2024 13:57
Static task
- static1: 1 signatures

Behavioral task
- behavioral1
  - Sample: Nexus Release.rar
  - Resource: win7-20240508-en (windows7-x64)
  - 8 signatures
  - 1800 seconds

Behavioral task
- behavioral2
  - Sample: Nexus Release.rar
  - Resource: win10v2004-20240508-en (windows10-2004-x64)
  - 3 signatures
  - 1800 seconds
General
- Target: Nexus Release.rar
- Size: 20.1MB
- MD5: ab3c1fd848d5570a40bb17a8d7b2107a
- SHA1: 351090de4d1200f7d53810fd4534ba56372a21f3
- SHA256: b895ad7a2e10bc61670d50322612490e99a66cfd95a7a005a7ce5662617083f5
- SHA512: 03c38e025af6b195e26a78f203e60b6c059c34508af93c545aa06bbc8fe1fbd87afc6d50246d799c9459a322134241d46a7c4915d74e318a2f01cc64069f7b32
- SSDEEP: 393216:nezoWhX6DGw9q7AMeMW5wnfctGqovafOdPG9EZP/0CPa0o7rPKsZ4GsVwD:ezhXFw9q7feMWsfEcmOo9acga0CrPgJs
- Score: 3/10
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings | rundll32.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  pid | Process
  2464 | vlc.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  2464 | vlc.exe
- Suspicious use of FindShellTrayWindow (8 IoCs)
  pid | Process
  2464 | vlc.exe (8 identical entries)
- Suspicious use of SendNotifyMessage (7 IoCs)
  pid | Process
  2464 | vlc.exe (7 identical entries)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  2464 | vlc.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 1700 wrote to memory of 2560 | 1700 | cmd.exe | 30 (3 identical entries)
  PID 2560 wrote to memory of 2548 | 2560 | rundll32.exe | 31 (3 identical entries)
  PID 2548 wrote to memory of 2464 | 2548 | rundll32.exe | 33 (3 identical entries)
Processes
- C:\Windows\system32\cmd.exe (depth 1, PID:1700)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\Nexus Release.rar"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe (depth 2, PID:2560)
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Nexus Release.rar
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\rundll32.exe (depth 3, PID:2548)
      Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Nexus Release.rar
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      - C:\Program Files\VideoLAN\VLC\vlc.exe (depth 4, PID:2464)
        Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Nexus Release.rar"
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx