Overview
overview
8Static
static
1Nuker/ThemeCreator.py
windows11-21h2-x64
3Nuker/main.py
windows11-21h2-x64
3Nuker/run.bat
windows11-21h2-x64
1Nuker/util...t__.py
windows11-21h2-x64
3Nuker/util...11.pyc
windows11-21h2-x64
3Nuker/util...11.pyc
windows11-21h2-x64
3Nuker/util...11.pyc
windows11-21h2-x64
3Nuker/util...11.pyc
windows11-21h2-x64
3Nuker/util...11.pyc
windows11-21h2-x64
3Nuker/util...11.pyc
windows11-21h2-x64
3Nuker/util...11.pyc
windows11-21h2-x64
3Nuker/util...11.pyc
windows11-21h2-x64
3Nuker/utils/bot.py
windows11-21h2-x64
3Nuker/utils/ctime.py
windows11-21h2-x64
3Nuker/utils/ids.py
windows11-21h2-x64
3Nuker/utils/logger.py
windows11-21h2-x64
3Nuker/utils/nuker.py
windows11-21h2-x64
3Nuker/util...eme.py
windows11-21h2-x64
3Nuker/utils/themes.py
windows11-21h2-x64
3install python.bat
windows11-21h2-x64
8Analysis
-
max time kernel
31s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
13/09/2024, 16:24
Static task
static1
Behavioral task
behavioral1
Sample
Nuker/ThemeCreator.py
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral2
Sample
Nuker/main.py
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral3
Sample
Nuker/run.bat
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral4
Sample
Nuker/utils/__init__.py
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral5
Sample
Nuker/utils/__pycache__/__init__.cpython-311.pyc
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral6
Sample
Nuker/utils/__pycache__/bot.cpython-311.pyc
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral7
Sample
Nuker/utils/__pycache__/ctime.cpython-311.pyc
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral8
Sample
Nuker/utils/__pycache__/ids.cpython-311.pyc
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral9
Sample
Nuker/utils/__pycache__/logger.cpython-311.pyc
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral10
Sample
Nuker/utils/__pycache__/nuker.cpython-311.pyc
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral11
Sample
Nuker/utils/__pycache__/ogtheme.cpython-311.pyc
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral12
Sample
Nuker/utils/__pycache__/themes.cpython-311.pyc
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral13
Sample
Nuker/utils/bot.py
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral14
Sample
Nuker/utils/ctime.py
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral15
Sample
Nuker/utils/ids.py
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral16
Sample
Nuker/utils/logger.py
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral17
Sample
Nuker/utils/nuker.py
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral18
Sample
Nuker/utils/ogtheme.py
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral19
Sample
Nuker/utils/themes.py
Resource
win11-20240802-en
windows11-21h2-x64
Behavioral task
behavioral20
Sample
install python.bat
Resource
win11-20240802-en
windows11-21h2-x64
General
-
Target
Nuker/ThemeCreator.py
-
Size
11KB
-
MD5
8e0e50b236923364c383652756687266
-
SHA1
711dc03269ba9d1450eab476c375bfc0df13570c
-
SHA256
9ce4400a80115eb7e2322c2673615577fa85bc188ce587f8a46d63b4d499f1c2
-
SHA512
de70a30220800f1784890519e0d1d122a9d848e2feef11277525e087b679e45b812afd93742b5afc3d07a6a2f8e8aa0ea257dca942b8d4fd1ff917667c85dacc
-
SSDEEP
96:fRcAZEgbh6UM16N4Ka8S8jlNG1TPd1qv+AGI4lXLY444d3O6U1:ZvRldM1wQ5GlNG1T11qvV4lXs444s6U1
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 38 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c003100000000000259fc7e110050524f4752417e310000740009000400efbec55259610259fc7e2e0000003f0000000000010000000000000000004a00000000005b9b9400500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000 OpenWith.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots OpenWith.exe Key created \Registry\User\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\NotificationData OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings cmd.exe Set value (data) \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 OpenWith.exe Set value (int) \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1" OpenWith.exe Set value (data) \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags OpenWith.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 5852 OpenWith.exe -
Suspicious use of SetWindowsHookEx 28 IoCs
pid Process 5852 OpenWith.exe 5852 OpenWith.exe 5852 OpenWith.exe 5852 OpenWith.exe 5852 OpenWith.exe 5852 OpenWith.exe 5852 OpenWith.exe 5852 OpenWith.exe 5852 OpenWith.exe 5852 OpenWith.exe 5852 OpenWith.exe 5852 OpenWith.exe 5852 OpenWith.exe 5852 OpenWith.exe 5852 OpenWith.exe 5852 OpenWith.exe 5852 OpenWith.exe 5852 OpenWith.exe 5852 OpenWith.exe 5852 OpenWith.exe 5852 OpenWith.exe 5852 OpenWith.exe 5852 OpenWith.exe 5852 OpenWith.exe 5852 OpenWith.exe 5852 OpenWith.exe 5852 OpenWith.exe 5852 OpenWith.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Nuker\ThemeCreator.py1⤵
- Modifies registry class
PID:5348
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5852