83e0b3e2ce3d11126ab08acedb6dda8b56d60c7633fdf831a059d63fb44d4c6e

Analysis

max time kernel
122s
max time network
135s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nexus_WINDOWS.pck
Size

170.7MB
MD5

3995a88f26e99ecf5e6b07a3b7470d4d
SHA1

926433cacb1856ae6fce8645672fd8d3124dd6c1
SHA256

943fd16f29580285c5e088a04528f1b23a6e6f256d69315315c78af21e5201bc
SHA512

dd2f042ed807586841aaa9262a92e456094240768333da0ddfc6315218bc7b14a325c3ee59c87edbe8752a9db30bad8a301d9eaa3f6a0e1486f6b75ea5f70b39
SSDEEP

3145728:klOj/51SH2AMslbEEMyd+sJ8rB4dCW80hNDX0N6dqW15x8pGFMLGAYmW:klOT50H2NBDv4kW8uN70EdqY5+pcM2m

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2608	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2608	AcroRd32.exe
2608	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 564 wrote to memory of 2804	564	cmd.exe	32
PID 564 wrote to memory of 2804	564	cmd.exe	32
PID 564 wrote to memory of 2804	564	cmd.exe	32
PID 2804 wrote to memory of 2608	2804	rundll32.exe	33
PID 2804 wrote to memory of 2608	2804	rundll32.exe	33
PID 2804 wrote to memory of 2608	2804	rundll32.exe	33
PID 2804 wrote to memory of 2608	2804	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Nexus_WINDOWS.pck
1⤵
- Suspicious use of WriteProcessMemory
PID:564
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Nexus_WINDOWS.pck
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Nexus_WINDOWS.pck"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
8bff2d7314691bb379315f2c78f44f5b

SHA1
097fb7846764c13fa92fd3dda9247082223754d4

SHA256
10bf72f7b4bf262e140c40f2b36d3eab9d2831c0192b724caafe0bf94742c7a8

SHA512
97f1ea683b19b7d812ae2104e8e673454a5b930b9431fad321db03a222bb2f52175ed33019a9ba2a4bfe2a70ae52a1fd83d7300cf084e97c0f42c2a68e790c96

Download Submit