General
- Target: Nexus_protected.exe
- Size: 1.3MB
- Sample: 240914-njy7nasamf
- MD5: ce38980b61fdbcb5c6141b9c0e95a202
- SHA1: 12f08aefa3340205633aa0f0c12082ba048f55db
- SHA256: 923c96f05781c45795868dcaae91c5b68caab6a2be633e7162ef1d46190a1bdd
- SHA512: 4a41fb63c06ab33bfd3ecf4dce6cf5db22bd32909415f209a5d61cfbb46ae0318e080ad78ff8d991fc73bb6f8afb64259aeb523191d21c414711761669bdb65a
- SSDEEP: 24576:/NIJPRcrmRLvv/oBTPyqMCJ54ZmKRmFIbOAE18FSF8P9Nd1MUt+DikJ4H:/CPRcryggQz4ZLRmOKAEOFQ8PcUt4iG
Static task: static1
Behavioral task: behavioral1
- Sample: Nexus_protected.exe
- Resource: win10v2004-20240910-en
Malware Config
Targets
- Modifies security service
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (3)
  - Windows Service (3)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Privilege Escalation
- Create or Modify System Process (3)
  - Windows Service (3)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)