Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    16s
  • max time network
    19s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    07/08/2024, 14:15

General

  • Target

    Nezur.exe

  • Size

    26.4MB

  • MD5

    242715cb665b8410e4bca82aa6c47476

  • SHA1

    eece88ef2f4efbcec39dc9d3a6bed1600f5e7861

  • SHA256

    6ed077d48ce4d849af7b450c3a9dc9dddf7651016609ca52948c442aad1ff948

  • SHA512

    5c81bd6826bc530e1304d5f0a7ad1bfa8b6851e3d0f0e056138ff03c8f8331d4c5a2e3014060b1f61b7b3867853f890b3575443562fada9434da52d98b882648

  • SSDEEP

    196608:zOM8Wb0guheg856w6Vr8utDq+S0KW1Hs3VaTnJ45/9iD54+V11bFv4ztbK+nmtzc:zOM8heg7YB+S0KW1HlTqzQc

Score
3/10

Malware Config

Signatures

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Time Discovery 1 TTPs 1 IoCs

    Adversary may gather the system time and/or time zone settings from a local or remote system.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nezur.exe
    "C:\Users\Admin\AppData\Local\Temp\Nezur.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1536
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x86&rid=win10-x86&apphost_version=7.0.16&gui=true
      2⤵
      • System Time Discovery
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:912
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa6203cb8,0x7ffaa6203cc8,0x7ffaa6203cd8
        3⤵
          PID:3728
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,18159704501436757192,12095158953761429885,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1956 /prefetch:2
          3⤵
            PID:4464
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,18159704501436757192,12095158953761429885,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:2340
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,18159704501436757192,12095158953761429885,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
            3⤵
              PID:3404
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,18159704501436757192,12095158953761429885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
              3⤵
                PID:4352
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,18159704501436757192,12095158953761429885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
                3⤵
                  PID:2224
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,18159704501436757192,12095158953761429885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
                  3⤵
                    PID:4864
              • C:\Windows\System32\CompPkgSrv.exe
                C:\Windows\System32\CompPkgSrv.exe -Embedding
                1⤵
                  PID:1960
                • C:\Windows\System32\CompPkgSrv.exe
                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                  1⤵
                    PID:3276
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
                    1⤵
                      PID:1248

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                      Filesize

                      152B

                      MD5

                      026e0c65239e15ba609a874aeac2dc33

                      SHA1

                      a75e1622bc647ab73ab3bb2809872c2730dcf2df

                      SHA256

                      593f20dfb73d2b81a17bfcc1f246848080dfc96898a1a62c5ddca62105ed1292

                      SHA512

                      9fb7644c87bdd3430700f42137154069badbf2b7a67e5ac6c364382bca8cba95136d460f49279b346703d4b4fd81087e884822a01a2a38901568a3c3e3387569

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                      Filesize

                      152B

                      MD5

                      228fefc98d7fb5b4e27c6abab1de7207

                      SHA1

                      ada493791316e154a906ec2c83c412adf3a7061a

                      SHA256

                      448d09169319374935a249b1fc76bcf2430b4e1436611f3c2f3331b6eafe55a2

                      SHA512

                      fa74f1cc5da8db978a7a5b8c9ebff3cd433660db7e91ce03c44a1d543dd667a51659ba79270d3d783d52b9e45d76d0f9467458df1482ded72ea79c873b2a5e56

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                      Filesize

                      188B

                      MD5

                      4c68fa9da4031e4f6bce89afb698f67a

                      SHA1

                      05253b06c10ab70558beac773286ef6c56292e6c

                      SHA256

                      9556882e8bef920eb50efe55b57afacc70c710e8ab808eb95b04e8d4b88eed2e

                      SHA512

                      e750014f86f1ff47103a585b912659913f4b40c284444747c770d3ca870cbd2ca1f249406b815c518c59d5b6f95ff3761bd56912ec799a22170ca0f7aa9a7ce1

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                      Filesize

                      5KB

                      MD5

                      c2c90400ea86fad4e2c36e9d0312571e

                      SHA1

                      6383b8ca9d72129ae4448135f264d2ca154dda4c

                      SHA256

                      99241727e53595b66871c487c4dbf95d52c95f8f56a3c20f8fd048541a0b915c

                      SHA512

                      82960c729ed297344c710300f3c2b25f7403eb10cec7eaa5fb943bc2e7d1bbef8406d7b1b2887f13f6e4a330cf7039e01b1a0b52da9ec8df4fafd3f317c7aead

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                      Filesize

                      5KB

                      MD5

                      5333fb8e78f0e6bd960b56bbbce12d08

                      SHA1

                      a9c8b831942635b6d6998cc59700044d4a51aaec

                      SHA256

                      592819e6b896088e38ab6d129d1567004750367a1b9e9ccac2487d630a0cd3c6

                      SHA512

                      ee9fd42de924a17e06e760c30947b484b07e7b6bc408815309c3414b61e7f244b9015d079292f463c7e70d7605ad4e919f09ed8ff83c9ea42845258b723a3eea

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                      Filesize

                      5KB

                      MD5

                      07706f532094f9f6875d58a3c9e20e33

                      SHA1

                      1ebfb236928c63ffad9a3e4b3d9be4548763c762

                      SHA256

                      f599a4c7b39bf354d06004a30eb01113f96afc1aa979198008663de9417dbd3c

                      SHA512

                      88f77495b204c994d506f2af1d00c3617a661cd8bb4bf28950dc18fc177fa5fa8a31f28f2afcfd2d7ca05a96d677859d039f355b049463bb263d0805af9bb0fd

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                      Filesize

                      10KB

                      MD5

                      362f8539c693a23ae2c5958a923b03f8

                      SHA1

                      75d9c9ea7afad66a59bf00e15443d2361276ac58

                      SHA256

                      8e48b31497cf10f593b207b4d25958217d4e3955e195fc949670f85e69e0996d

                      SHA512

                      e26ed79b22d23e352e0e6e19c56f87734b0cb4e71d4878e4aa78f56a03b594f9c67f03a8fb9d869b1f2a9183cfee7bc723c8765775f81b47318b3553ba6a6d7d

                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                      Filesize

                      10KB

                      MD5

                      9f3959781a59d725e3474bfcc4ed2c7c

                      SHA1

                      626a3c94947a468c99a9c4731885273538c5c781

                      SHA256

                      4b0992feecb4d03cc910e576331521c907ab0a394f8774fdc8a95bce8cc8b6e6

                      SHA512

                      eec7854350db3228f6acb0d398fbdf4fab0768a7b48670257913594419adc34a3d6b2442e65594261dd951c807e0b368a009facdb195013bb285c98ea9c537bc