Analysis
max time kernel: 16s
max time network: 19s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 07/08/2024, 14:15
Static task: static1
Behavioral task: behavioral1
Sample: Nezur.exe
Resource: win11-20240802-en
General
Target: Nezur.exe
Size: 26.4MB
MD5: 242715cb665b8410e4bca82aa6c47476
SHA1: eece88ef2f4efbcec39dc9d3a6bed1600f5e7861
SHA256: 6ed077d48ce4d849af7b450c3a9dc9dddf7651016609ca52948c442aad1ff948
SHA512: 5c81bd6826bc530e1304d5f0a7ad1bfa8b6851e3d0f0e056138ff03c8f8331d4c5a2e3014060b1f61b7b3867853f890b3575443562fada9434da52d98b882648
SSDEEP: 196608:zOM8Wb0guheg856w6Vr8utDq+S0KW1Hs3VaTnJ45/9iD54+V11bFv4ztbK+nmtzc:zOM8heg7YB+S0KW1HlTqzQc
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Nezur.exe
- System Time Discovery (1 TTP, 1 IoC)
  Adversaries may gather the system time and/or time zone settings from a local or remote system.
  pid   Process
  912   msedge.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description         ioc                                                                   Process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid    Process
  2340   msedge.exe (2 entries)
  912    msedge.exe (2 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
  pid   Process
  912   msedge.exe (3 entries)
- Suspicious use of FindShellTrayWindow (26 IoCs)
  pid   Process
  912   msedge.exe (all 26 entries)
- Suspicious use of SendNotifyMessage (12 IoCs)
  pid   Process
  912   msedge.exe (all 12 entries)
- Suspicious use of WriteProcessMemory (64 IoCs; identical repeated rows collapsed to one line each)
  description                        pid    Process      procid_target
  PID 1536 wrote to memory of 912    1536   Nezur.exe    83
  PID 912 wrote to memory of 3728    912    msedge.exe   84
  PID 912 wrote to memory of 4464    912    msedge.exe   85
  PID 912 wrote to memory of 2340    912    msedge.exe   86
  PID 912 wrote to memory of 3404    912    msedge.exe   87
Processes
- C:\Users\Admin\AppData\Local\Temp\Nezur.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Nezur.exe"
  PID: 1536
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x86&rid=win10-x86&apphost_version=7.0.16&gui=true
    PID: 912
    - System Time Discovery
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaa6203cb8,0x7ffaa6203cc8,0x7ffaa6203cd8
      PID: 3728
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,18159704501436757192,12095158953761429885,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1956 /prefetch:2
      PID: 4464
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,18159704501436757192,12095158953761429885,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 /prefetch:3
      PID: 2340
      - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,18159704501436757192,12095158953761429885,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
      PID: 3404
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,18159704501436757192,12095158953761429885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
      PID: 4352
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,18159704501436757192,12095158953761429885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
      PID: 2224
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,18159704501436757192,12095158953761429885,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
      PID: 4864
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1960
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3276
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
  PID: 1248

Editor's note, inferred from the msedge.exe command line under pid 1536 rather than stated by the report: the aka.ms/dotnet-core-applaunch URL with missing_runtime=true is the page a .NET apphost opens when the runtime it requires (here x86, apphost version 7.0.16) is not installed on the host. The sandbox image therefore never ran the sample's managed code; the signatures attributed to pid 912 and its children are Edge's ordinary startup behaviour, and the report should not be read as evidence of the sample's payload.
Network
MITRE ATT&CK Enterprise v15
Downloads