Analysis

  • max time kernel
    144s
  • max time network
    143s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    16-11-2024 03:48

General

  • Target

    nezur.exe

  • Size

    47KB

  • MD5

    60ea224fad8adf65358117a39a4bd365

  • SHA1

    1eb47f8bc6d41ef26915e1f5292a830b4060dd67

  • SHA256

    a4d68abab530b30e8060ef2ded1bc57036ca53be7c3b5fbfdf62f65640ef82d9

  • SHA512

    2ea92e0abaa49537eca5d6f834275679e02c426d68c29298118f2202a11798209a013ab82caaca1670d6192886945137af31b96ed91e6b654f04849dba9c1800

  • SSDEEP

    768:IuGE1THwoPNWUtHT1MHmo2qz79WjIDfWEs7PIILiU0bMusLmNzg5DhcA5Avfc5nK:IuGE1THbF1m2MXfrILwbDsw05DhDa4nK

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:55112

147.185.221.23:6606

147.185.221.23:7707

147.185.221.23:8808

147.185.221.23:55112

Mutex

YdG4sJsjPfA4

Attributes
  • delay

    3

  • install

    true

  • install_file

    nezur.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Asyncrat family
  • Async RAT payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\nezur.exe
    "C:\Users\Admin\AppData\Local\Temp\nezur.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1412
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "nezur" /tr '"C:\Users\Admin\AppData\Roaming\nezur.exe"' & exit
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1632
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "nezur" /tr '"C:\Users\Admin\AppData\Roaming\nezur.exe"'
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:3580
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCCB6.tmp.bat""
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3848
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:1052
      • C:\Users\Admin\AppData\Roaming\nezur.exe
        "C:\Users\Admin\AppData\Roaming\nezur.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1460

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nezur.exe.log

    Filesize

    522B

    MD5

    00da7f1e650af65ee27f2c786561d83b

    SHA1

    071e8622f304964d2350202c1ca9db34d71d29e9

    SHA256

    706d2dc5cd3f617834859782684b201a324ed5e8edc9bdea38e886341c931776

    SHA512

    ae22913cafaf59eee00c2775a9c29d110e11b8f9732c9c2ad69acc30f95d59d983ff269d31a5747aff8971bcde31f83fb40dc6a3656ab3d272f35c194bb90b12

  • C:\Users\Admin\AppData\Local\Temp\tmpCCB6.tmp.bat

    Filesize

    149B

    MD5

    86982d353bc1c9996b9babd4dc5ad4f8

    SHA1

    97291e090120e73182143c673f9f240f2dc854ae

    SHA256

    ed7a6a646ceb7253fc70d66d838abf0fab2e1e4c47cbcefd0314cb11c2b4a459

    SHA512

    07e21f260a570608b6a1341bda173119db39a7aece9f6e1e0b885cfed136cf8bcda7617911b9e745e26ebb49d43bf6dbde9ec89051efa11bff5414ab9d275735

  • C:\Users\Admin\AppData\Roaming\nezur.exe

    Filesize

    47KB

    MD5

    60ea224fad8adf65358117a39a4bd365

    SHA1

    1eb47f8bc6d41ef26915e1f5292a830b4060dd67

    SHA256

    a4d68abab530b30e8060ef2ded1bc57036ca53be7c3b5fbfdf62f65640ef82d9

    SHA512

    2ea92e0abaa49537eca5d6f834275679e02c426d68c29298118f2202a11798209a013ab82caaca1670d6192886945137af31b96ed91e6b654f04849dba9c1800

  • memory/1412-0-0x0000000074D3E000-0x0000000074D3F000-memory.dmp

    Filesize

    4KB

  • memory/1412-1-0x0000000000DC0000-0x0000000000DD2000-memory.dmp

    Filesize

    72KB

  • memory/1412-2-0x0000000074D30000-0x00000000754E1000-memory.dmp

    Filesize

    7.7MB

  • memory/1412-3-0x00000000057E0000-0x000000000587C000-memory.dmp

    Filesize

    624KB

  • memory/1412-8-0x0000000074D30000-0x00000000754E1000-memory.dmp

    Filesize

    7.7MB

  • memory/1460-14-0x0000000074D30000-0x00000000754E1000-memory.dmp

    Filesize

    7.7MB

  • memory/1460-15-0x0000000074D30000-0x00000000754E1000-memory.dmp

    Filesize

    7.7MB