Analysis
max time kernel: 1766s
max time network: 1159s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/08/2024, 04:44
Static task: static1
Behavioral task: behavioral1
  Sample: Nezur.zip
  Resource: win10v2004-20240802-en
Behavioral task: behavioral2
  Sample: Launcher.bat
  Resource: win10v2004-20240802-en
Behavioral task: behavioral3
  Sample: compiler.exe
  Resource: win10v2004-20240802-en
Behavioral task: behavioral4
  Sample: config
  Resource: win10v2004-20240802-en
Behavioral task: behavioral5
  Sample: lua51.dll
  Resource: win10v2004-20240802-en
General
Target: Launcher.bat
Size: 311B
MD5: 365ac921ece415c40ef7af7e24a3bb59
SHA1: e73502e289f4d9b9acbe344c1ae0149b0f38aa2b
SHA256: dc56d38eeb1eb3c0a03d14aae8ecdf9757421d9ffb56035266d1837c367e1679
SHA512: 60072fb9cce9fb3bc629d9623e94600d81d45ba1c9affc816f29b30d9fff904209ffb68521732fd2866fbe71db3774bf4c39074e63ef13dbefb83dc0812189a3
Malware Config
Signatures

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  6 | ip-api.com

Drops file in Windows directory (1 IoC)
  description | ioc | Process
  File created | C:\Windows\Setup\Scripts\ErrorHandler.cmd | compiler.exe

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | compiler.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | compiler.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  1468 | schtasks.exe
  1156 | schtasks.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | Process | procid_target
  PID 3380 wrote to memory of 1828 | 3380 | cmd.exe | 85
  PID 3380 wrote to memory of 1828 | 3380 | cmd.exe | 85
  PID 3380 wrote to memory of 1828 | 3380 | cmd.exe | 85
  PID 1828 wrote to memory of 3756 | 1828 | compiler.exe | 96
  PID 1828 wrote to memory of 3756 | 1828 | compiler.exe | 96
  PID 1828 wrote to memory of 3756 | 1828 | compiler.exe | 96
  PID 3756 wrote to memory of 1468 | 3756 | compiler.exe | 97
  PID 3756 wrote to memory of 1468 | 3756 | compiler.exe | 97
  PID 3756 wrote to memory of 1468 | 3756 | compiler.exe | 97
  PID 3756 wrote to memory of 1156 | 3756 | compiler.exe | 98
  PID 3756 wrote to memory of 1156 | 3756 | compiler.exe | 98
  PID 3756 wrote to memory of 1156 | 3756 | compiler.exe | 98
  PID 3756 wrote to memory of 4476 | 3756 | compiler.exe | 101
  PID 3756 wrote to memory of 4476 | 3756 | compiler.exe | 101
  PID 3756 wrote to memory of 4476 | 3756 | compiler.exe | 101
Processes (indented by depth in the process tree)

C:\Windows\system32\cmd.exe (PID 3380)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Launcher.bat"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\compiler.exe (PID 1828)
    Command line: compiler.exe config
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\compiler.exe (PID 3756)
      Command line: "C:\Users\Admin\AppData\Local\Temp\compiler.exe" "C:\Users\Admin\AppData\Roaming\tmp\conf.lua"
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\schtasks.exe (PID 1468)
        Command line: schtasks /create /sc daily /st 10:34 /f /tn BrowserMaintenanceTask_ODA0 /tr ""C:\Users\Admin\AppData\Local\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\ODA0.exe" "C:\Users\Admin\AppData\Local\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\conf.lua""
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task

      C:\Windows\SysWOW64\schtasks.exe (PID 1156)
        Command line: schtasks /create /sc daily /st 10:34 /f /tn Setup /tr "C:/Windows/System32/oobe/Setup.exe" /rl highest
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task

      C:\Users\Admin\AppData\Local\Temp\compiler.exe (PID 4476)
        Command line: "C:\Users\Admin\AppData\Local\Temp\compiler.exe" "C:\Users\Admin\AppData\Roaming\tmp\conf.lua"
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 280B
MD5: a66b7796ff6187b51f5747254c94f21d
SHA1: 980d0fba2fa21527709831b7fcf92e0443696c11
SHA256: 661b208091012d429b08254dad6b7312ec5ce369dc3a7d03b0359308ad0793b9
SHA512: 4ffaf245aeb244fed74200585f5a3c197fec954c399e201901ea50a02e9ff012519deeddbf03b195b1d5e6c0120272e7db64b83f882f17d2a206fafd957111ee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25
Filesize: 1KB
MD5: 27b4ac4d33ea87ea34c6bf4463e9f5fe
SHA1: e4dac1f826d4b0acd8e1f247fe95fe5847eb4809
SHA256: 95999c081ad63d5303fce13b5f586f6a82d9c795ea7fcc76d3b3e9f45c34c023
SHA512: f359086dac50291abfb54790d7d3d0486ab90b8dfd31848a44861a79a81ac17474f233aad97c7218301a41957da367a2913dbcf54cb5a298d1a6c35feda22851

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90
Filesize: 980B
MD5: 5d6dae1d7d3c9fc51cfd907674ae2459
SHA1: c027d7158cbe1da2953a70d6790018092a4dd999
SHA256: 5d95365c08dd688efe20765e3f6a3b6b0c4870db4c92edd27d5f89d18ac6c4c3
SHA512: 5406b1f7817544d06d5fd47f630e629c0df7e54d16c23b45ab0916bad823bb3390f20c82643aac59064271fbd349ce219e1348389c4825286731fa5beb53747b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
Filesize: 471B
MD5: ee8e439af57ae234508d59d4e8695b0e
SHA1: 1d052fdaf110d16526226e7f8656d0ae1a2c2b20
SHA256: 2faeecdb2251ce6ee9cb43a4ed7eec02731f18d5711d9f7cbde0146beec4feaa
SHA512: 45c73203f2efba97b5da32f1586e956fb23203c20903c8c0d0655b81593d077620315516e362c07bf6a4bb0196632e0c33fe8af034666d535e21a4e8f776ce04

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A66A8DB907BADC9D16AD67B2FBFFDD5C
Filesize: 480B
MD5: 6d9c4824951b960bb06316a750926545
SHA1: 3615cd061a77c49532d701baf6e0d973df8d37bb
SHA256: d9d0294a429f4d47b205737fe56d60cb8507b9c7de1f2042f74231ea29717fb2
SHA512: 1e59b2f36e04763c48a187765e399b9e4e7258a0e059480572ac2d2b72f492f9c2ec77c421e93a2b9463ada86887bc87c182468f0645dd6812ccd2d339693224

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25
Filesize: 482B
MD5: fe233d80b85436f24abbfb07a48513fe
SHA1: d55f2077a03c1c1877a399f62c303ef1998e1001
SHA256: d229c3d8ac25f90ae349edfef76f7bcf657318e427958eabaa611dda39a947b1
SHA512: 86f415502161e86a620fc615900136880e8b20142a5ac113947e254e8c4f8d3ef5efc467dd0f126c48bde99d0f8d42d52917476fad9f66bdcdf259b74777b5fb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90
Filesize: 480B
MD5: 1388b08282f83487f5db2a2dcd88b168
SHA1: 888cd225b39cbf4424c4030bf4809a2098b26bce
SHA256: c4c6bfa3fdbb9f0f18ddf09bda04c63f7ac3489fd173463244fc271c192ffc34
SHA512: f567ebf194e6c91960be73d4c9bca11705cdc48ebaa140b3fb400963899c7c7e0c17398bf0bffe61455d174855ef1e5fb3ee9620bd3a7ff5f17b3ad04c62cf42

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
Filesize: 412B
MD5: 65e7fd9ec95632bfb03f1e0a0e38d92f
SHA1: 3d350f104d87b77014574b31192ab6e6fe22c541
SHA256: 2a4e147322cc72b7f2bdbb9d65747f56d5e18f8252443217cb0345652bdfb964
SHA512: d7e5b625ae0e0fe7df7c855c622efa28c9e81fe4815cc555ec507e0fe6c821629cddcc977928b5b6ae4a614e6f746c583efe2b5b97e28528c45d7a48ecd20b5c

Filesize: 896KB
MD5: 6621f92e253c53901a45c7eae20938fc
SHA1: 7e3759b02202ffaef0e2e41666edf7af66360b65
SHA256: 1d359835b097d15a97f9f77359939b79e7d63697eb23de72c88d39b5467fc77b
SHA512: 7616351db372c1c391ba5e3cbbada8db17b5d06dc03cb064eaa27083ecf101c3b7d1757ec8dca752200cf5b7118ffdcf818c09dd20f890a0f1dc564db3d1f05e

Filesize: 311B
MD5: 9105750f17d90587cfdb3073e3db4b41
SHA1: 68299e57ccb94050710511c9fba7f144af55038d
SHA256: 325bea9d40295cd711d613b7dcb0958e04a537f751b177573a9c40303a4879f9
SHA512: 07fcd8e2811bc7d8a481694d32a8d220a03ec99dfd8b9f55de99ff8327d392c6afbd821358b5087e29120b5a6d706f258c723585d3c69a26c1b0c385722256de

Filesize: 3.5MB
MD5: 7ea017d6a07abe8d41251e572c06a1d4
SHA1: 1e07d6ca5fe45ef4144db3da6796ddd0c1fa0393
SHA256: 17622ec279605b0a82c8d09230b79d29e443f3cd68481b7a6a79efe90d8eb0e0
SHA512: 5a09ff3bddccf288a5e0ba9f9942f4bbcc6bc2048118f0b1c9f8712537f630d6d8067768dc716d7223d2ce0fc30154707f0173da3c067306d55a6612b6f4c005

Filesize: 298KB
MD5: a6e82e3f005f61929f62c981670138b1
SHA1: 71f15a319a5f8f353068b6463d153e7bcc4ebf23
SHA256: 289b7cd5419091154d2db0c1c70e7580ccde22ebe59b03ada35e95ee6b530bd7
SHA512: 0691bc3995e0bae2048c966a7f3c207cfd708fa691b2f95b85618c136ab3bb65d4201b4d9d690b3a3b7812c52c537175a91af6efcf98959ed5fca84aa7467cce

Filesize: 1KB
MD5: 782b86e62396e45cd6a37682f1e0694a
SHA1: a58545a1e89bbabef68b883dbea3e7d021e9393a
SHA256: a9b00e2c58ccd88f647b7533bacea1d54d520c685de841539e5cef574dbf8480
SHA512: 0792996b0225b1aa0f2c939a53a752788fe3aee493928988d70947a3b66cb0101108c2e35bcb9038fd717e9b7ea2a747423df98f37c7fa7a188750fdf3ce6ea1