afd81af01e638ec00a59c3e6fbb0d47efc610f05c0edfc889d9b3d316ecab0d7

Analysis

max time kernel
977s
max time network
848s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 03:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Nexus [PRIVATE].jar
Size

27.5MB
MD5

680388897632eddbaf1b84ab558b4c8f
SHA1

823f4c255fbddfa9cd5e9fbbd6f4160100137f4a
SHA256

afd81af01e638ec00a59c3e6fbb0d47efc610f05c0edfc889d9b3d316ecab0d7
SHA512

605fd8c4c58c83e2f7068db7d1f0cd3e50ed30e3b038301d46d7bb6e796252af4947dbf80c102bd37c7a48b81b37cf1f3f6168042a5ab55e19ecb4e248a3707a
SSDEEP

393216:bG1gC+Vc+iLMiCvQ/HqroOZnfRQ1EpE+O7S9OxHgL436sRR5o8iKs8wfJ:at+ygiCvNoOZW1ClOmagG1sNfJ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
988	chrome.exe
988	chrome.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 988 wrote to memory of 680	988	chrome.exe	36
PID 988 wrote to memory of 680	988	chrome.exe	36
PID 988 wrote to memory of 680	988	chrome.exe	36
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 2016	988	chrome.exe	38
PID 988 wrote to memory of 1632	988	chrome.exe	39
PID 988 wrote to memory of 1632	988	chrome.exe	39
PID 988 wrote to memory of 1632	988	chrome.exe	39
PID 988 wrote to memory of 2180	988	chrome.exe	40
PID 988 wrote to memory of 2180	988	chrome.exe	40
PID 988 wrote to memory of 2180	988	chrome.exe	40
PID 988 wrote to memory of 2180	988	chrome.exe	40
PID 988 wrote to memory of 2180	988	chrome.exe	40
PID 988 wrote to memory of 2180	988	chrome.exe	40
PID 988 wrote to memory of 2180	988	chrome.exe	40
PID 988 wrote to memory of 2180	988	chrome.exe	40
PID 988 wrote to memory of 2180	988	chrome.exe	40
PID 988 wrote to memory of 2180	988	chrome.exe	40
PID 988 wrote to memory of 2180	988	chrome.exe	40
PID 988 wrote to memory of 2180	988	chrome.exe	40
PID 988 wrote to memory of 2180	988	chrome.exe	40
PID 988 wrote to memory of 2180	988	chrome.exe	40
PID 988 wrote to memory of 2180	988	chrome.exe	40
PID 988 wrote to memory of 2180	988	chrome.exe	40
PID 988 wrote to memory of 2180	988	chrome.exe	40
PID 988 wrote to memory of 2180	988	chrome.exe	40
PID 988 wrote to memory of 2180	988	chrome.exe	40

C:\Windows\system32\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\Nexus [PRIVATE].jar"
1⤵
PID:292

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1220

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef62c9758,0x7fef62c9768,0x7fef62c9778
  2⤵
  PID:680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1196 --field-trial-handle=1312,i,7426879448985209676,18301084770468008861,131072 /prefetch:2
  2⤵
  PID:2016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1528 --field-trial-handle=1312,i,7426879448985209676,18301084770468008861,131072 /prefetch:8
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1612 --field-trial-handle=1312,i,7426879448985209676,18301084770468008861,131072 /prefetch:8
  2⤵
  PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2256 --field-trial-handle=1312,i,7426879448985209676,18301084770468008861,131072 /prefetch:1
  2⤵
  PID:1096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2264 --field-trial-handle=1312,i,7426879448985209676,18301084770468008861,131072 /prefetch:1
  2⤵
  PID:936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1020 --field-trial-handle=1312,i,7426879448985209676,18301084770468008861,131072 /prefetch:2
  2⤵
  PID:2988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1464 --field-trial-handle=1312,i,7426879448985209676,18301084770468008861,131072 /prefetch:1
  2⤵
  PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3636 --field-trial-handle=1312,i,7426879448985209676,18301084770468008861,131072 /prefetch:8
  2⤵
  PID:1344

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ce42eef8-af84-4ccb-8c41-0558a15c587b.tmp

Filesize
308KB

MD5
899649f6e8f953112d579f720a81a36d

SHA1
bd0aa7d4819eab272c67db4e31b6eae2c8a571da

SHA256
27b16621f0fd5b16faa6b9265490e4ea4fce2d46fb3ad76387f35669e93896ce

SHA512
9f1fe42461650918bf26158d63168c289aed5544b8039ff3f3b212c355982b174887d9c6aed0149f0f055ed069dd99e3816cbcb1f6b16ff0c5076d96d487f233

Download Submit
memory/292-2-0x00000000025C0000-0x0000000002830000-memory.dmp

Filesize
2.4MB

Download
memory/292-10-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/292-11-0x00000000025C0000-0x0000000002830000-memory.dmp

Filesize
2.4MB

Download