Overview
overview
9Static
static
3Nexus v1.13.exe
windows7-x64
7Nexus v1.13.exe
windows10-2004-x64
9$PLUGINSDI...ls.dll
windows7-x64
3$PLUGINSDI...ls.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDIR/app-64.7z
windows7-x64
3$PLUGINSDIR/app-64.7z
windows10-2004-x64
3locales/pt-BR.pak
windows7-x64
3locales/pt-BR.pak
windows10-2004-x64
3locales/pt-PT.pak
windows7-x64
3locales/pt-PT.pak
windows10-2004-x64
3locales/ro.pak
windows7-x64
3locales/ro.pak
windows10-2004-x64
3locales/ru.pak
windows7-x64
3locales/ru.pak
windows10-2004-x64
3locales/sk.pak
windows7-x64
3locales/sk.pak
windows10-2004-x64
3locales/sl.pak
windows7-x64
3locales/sl.pak
windows10-2004-x64
3locales/sr.pak
windows7-x64
3locales/sr.pak
windows10-2004-x64
3locales/sv.pak
windows7-x64
3locales/sv.pak
windows10-2004-x64
3locales/sw.pak
windows7-x64
3locales/sw.pak
windows10-2004-x64
3locales/ta.pak
windows7-x64
3locales/ta.pak
windows10-2004-x64
3locales/te.pak
windows7-x64
3locales/te.pak
windows10-2004-x64
3locales/th.pak
windows7-x64
3locales/th.pak
windows10-2004-x64
3Analysis
-
max time kernel
132s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
06/08/2024, 16:53
Static task
static1
Behavioral task
behavioral1
Sample
Nexus v1.13.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral2
Sample
Nexus v1.13.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$PLUGINSDIR/app-64.7z
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral8
Sample
$PLUGINSDIR/app-64.7z
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
locales/pt-BR.pak
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral10
Sample
locales/pt-BR.pak
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
locales/pt-PT.pak
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral12
Sample
locales/pt-PT.pak
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
locales/ro.pak
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral14
Sample
locales/ro.pak
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
locales/ru.pak
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral16
Sample
locales/ru.pak
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
locales/sk.pak
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral18
Sample
locales/sk.pak
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
locales/sl.pak
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral20
Sample
locales/sl.pak
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
locales/sr.pak
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral22
Sample
locales/sr.pak
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
locales/sv.pak
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral24
Sample
locales/sv.pak
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
locales/sw.pak
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral26
Sample
locales/sw.pak
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
locales/ta.pak
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral28
Sample
locales/ta.pak
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
locales/te.pak
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral30
Sample
locales/te.pak
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
locales/th.pak
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral32
Sample
locales/th.pak
Resource
win10v2004-20240802-en
windows10-2004-x64
General
-
Target
locales/th.pak
-
Size
964KB
-
MD5
4917873d8118906bdc08f31afb1ea078
-
SHA1
49440a3b156d7703533367f8f13f66ec166db6e9
-
SHA256
d051b400096922089f6daa723fac18c9640ba203b2879aac4ca89b05738dd32d
-
SHA512
30e6446bad54b86be553fa293c7a92ec221adb54b99624ed69702df75347a98697158041a45f77ece4e7ed0fda41306ef21eb27981f24f0a4e42e8306175a88e
-
SSDEEP
12288:OgFN2HN9LyZYA1T6z1L/LLftDjsAnILwgv1V5UBGsL3fBj8BlzEdq3Ro9lGdI9uN:OgFYdK5J5j
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 12 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\pak_auto_file OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\.pak\ = "pak_auto_file" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\pak_auto_file\shell\edit\command OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\pak_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\pak_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\.pak OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\pak_auto_file\shell OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\pak_auto_file\shell\open OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\pak_auto_file\shell\open\command OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\pak_auto_file\shell\edit OpenWith.exe -
Opens file in notepad (likely ransom note) 1 IoCs
pid Process 4708 NOTEPAD.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 5044 OpenWith.exe -
Suspicious use of SetWindowsHookEx 21 IoCs
pid Process 5044 OpenWith.exe 5044 OpenWith.exe 5044 OpenWith.exe 5044 OpenWith.exe 5044 OpenWith.exe 5044 OpenWith.exe 5044 OpenWith.exe 5044 OpenWith.exe 5044 OpenWith.exe 5044 OpenWith.exe 5044 OpenWith.exe 5044 OpenWith.exe 5044 OpenWith.exe 5044 OpenWith.exe 5044 OpenWith.exe 5044 OpenWith.exe 5044 OpenWith.exe 5044 OpenWith.exe 5044 OpenWith.exe 5044 OpenWith.exe 5044 OpenWith.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 5044 wrote to memory of 4708 5044 OpenWith.exe 95 PID 5044 wrote to memory of 4708 5044 OpenWith.exe 95
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\locales\th.pak1⤵
- Modifies registry class
PID:684
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\locales\th.pak2⤵
- Opens file in notepad (likely ransom note)
PID:4708
-