Analysis
max time kernel: 1795s
max time network: 1800s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-08-2024 04:44
Static task: static1

Behavioral task: behavioral1
Sample: Nezur.zip
Resource: win10v2004-20240802-en

Behavioral task: behavioral2
Sample: Launcher.bat
Resource: win10v2004-20240802-en

Behavioral task: behavioral3
Sample: compiler.exe
Resource: win10v2004-20240802-en

Behavioral task: behavioral4
Sample: config
Resource: win10v2004-20240802-en

Behavioral task: behavioral5
Sample: lua51.dll
Resource: win10v2004-20240802-en
General
Target: lua51.dll
Size: 389KB
MD5: ae41bf4152700a5ca903d1a0627c7344
SHA1: dcf1825c1a2dcd3507231ed14c24fc84e5edf56e
SHA256: f453ccf48ed30fb6aa34ff4b345d79eae83f561fedb0b2afeae537b241eea185
SHA512: 99c8315dbd6ad1383eb647362649c601600bc158f51cdae5d67f6f7c752f45e3836d352c66ca9bd376a231a7e6cfb67c059bf1fa27c43ff1662da9f678bd8cec
SSDEEP: 12288:2iZ+ox9piQ8G27pC6Yyu5t60O0MJuAghAuNwABK:2e19pm7pCuCt6+w
Malware Config
(none extracted)

Signatures

Program crash (1 IoC)
pid   pid_target   Process        procid_target
32    4996         WerFault.exe   89

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                          Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description                         pid    Process        procid_target
PID 3624 wrote to memory of 4996    3624   rundll32.exe   89
PID 3624 wrote to memory of 4996    3624   rundll32.exe   89
PID 3624 wrote to memory of 4996    3624   rundll32.exe   89
Processes
(process tree; each entry gives the image path, the command line, the PID, and the signatures triggered by that process; indentation shows the parent/child relationship)

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\lua51.dll,#1
  PID: 3624
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\lua51.dll,#1
      PID: 4996
      - System Location Discovery: System Language Discovery

        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 604
          PID: 32
          - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4996 -ip 4996
  PID: 1248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4292,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=1436 /prefetch:8
  PID: 3136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4860,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=3776 /prefetch:8
  PID: 1920