Analysis
max time kernel: 144s
max time network: 143s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 16-11-2024 03:48
General
Target: nezur.exe
Size: 47KB
MD5: 60ea224fad8adf65358117a39a4bd365
SHA1: 1eb47f8bc6d41ef26915e1f5292a830b4060dd67
SHA256: a4d68abab530b30e8060ef2ded1bc57036ca53be7c3b5fbfdf62f65640ef82d9
SHA512: 2ea92e0abaa49537eca5d6f834275679e02c426d68c29298118f2202a11798209a013ab82caaca1670d6192886945137af31b96ed91e6b654f04849dba9c1800
SSDEEP: 768:IuGE1THwoPNWUtHT1MHmo2qz79WjIDfWEs7PIILiU0bMusLmNzg5DhcA5Avfc5nK:IuGE1THbF1m2MXfrILwbDsw05DhDa4nK
Malware Config
Extracted
Family: asyncrat
Version: 0.5.8
Group: Default
C2 endpoints (host:port):
  127.0.0.1:6606
  127.0.0.1:7707
  127.0.0.1:8808
  127.0.0.1:55112
  147.185.221.23:6606
  147.185.221.23:7707
  147.185.221.23:8808
  147.185.221.23:55112
Unlabelled value (carried in the config without a field name; by position it is most likely the client mutex): YdG4sJsjPfA4
delay: 3
install: true
install_file: nezur.exe
install_folder: %AppData%
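The extracted config lists eight host:port pairs, but half of them point at 127.0.0.1. Those loopback entries are placeholders the builder left in the client settings; they never produce a packet on the wire and must not be turned into block rules. The following is an added example (not part of the sandbox report or its vendor's tooling) that turns the config list into usable indicators and matches them against flow records; the endpoint strings are the report's values, the flow records are constructed for the demo.

```python
"""Turn the extracted AsyncRAT C2 list into network indicators and match flows.

Added example (not part of the sandbox report). The endpoint strings are the
values from the extracted config above; the flow records are constructed.
"""
import ipaddress

# Host:port pairs exactly as listed in the extracted config.
CONFIG_ENDPOINTS = [
    "127.0.0.1:6606", "127.0.0.1:7707", "127.0.0.1:8808", "127.0.0.1:55112",
    "147.185.221.23:6606", "147.185.221.23:7707",
    "147.185.221.23:8808", "147.185.221.23:55112",
]

# Constructed flow records (src, dst, dport) for the demo; not from the report.
SAMPLE_FLOWS = [
    ("10.0.0.5", "147.185.221.23", 6606),   # beaconing to a listed C2 port
    ("10.0.0.5", "147.185.221.23", 443),    # same host, port not in config
    ("10.0.0.5", "203.0.113.10", 443),      # unrelated traffic
    ("10.0.0.7", "127.0.0.1", 6606),        # loopback, never leaves the host
]


def parse_endpoints(entries):
    """Split host:port strings into (host, port) tuples.

    Loopback entries are separated out: AsyncRAT builds commonly carry
    127.0.0.1 placeholders next to the real C2, and a flow to 127.0.0.1
    cannot be observed on the network, so they must not become block rules.
    """
    usable, loopback = [], []
    for entry in entries:
        host, _, port = entry.rpartition(":")
        bucket = loopback if ipaddress.ip_address(host).is_loopback else usable
        bucket.append((host, int(port)))
    return usable, loopback


def match_flows(flows, endpoints):
    """Label flows that reach a configured C2 endpoint or C2 host.

    A host+port match is the strong indicator; a match on the host alone
    is weaker (shared hosting, operator changed the port) and is labelled
    separately so an analyst can weigh it differently.
    """
    exact = set(endpoints)
    hosts = {host for host, _ in endpoints}
    hits = []
    for src, dst, dport in flows:
        if (dst, dport) in exact:
            hits.append((src, dst, dport, "c2_endpoint"))
        elif dst in hosts:
            hits.append((src, dst, dport, "c2_host_other_port"))
    return hits


if __name__ == "__main__":
    usable, loopback = parse_endpoints(CONFIG_ENDPOINTS)
    print("usable indicators:", usable)
    print("dropped loopback entries:", loopback)
    for hit in match_flows(SAMPLE_FLOWS, usable):
        print(hit)
```

Running the block prints four usable endpoints on 147.185.221.23, four dropped loopback entries, and two matched flows: the beacon to port 6606 as a definite C2 endpoint hit, and the port 443 connection to the same host as a weaker host-only hit.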
Signatures
-
Asyncrat family
-
Async RAT payload 1 IoCs
resource: behavioral1/files/0x00280000000450c9-11.dat; yara_rule: family_asyncrat
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Process: nezur.exe
Key value queried: \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation
Executes dropped EXE 1 IoCs
PID 1460: nezur.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of:
  schtasks.exe
  nezur.exe
  nezur.exe
  cmd.exe
  timeout.exe
  cmd.exe
Delays execution with timeout.exe 1 IoCs
PID 1052: timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
PID 3580: schtasks.exe
Suspicious behavior: EnumeratesProcesses 21 IoCs
PID 1412: nezur.exe (21 occurrences)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Token: SeDebugPrivilege, PID 1412 nezur.exe
Token: SeDebugPrivilege, PID 1460 nezur.exe
Suspicious use of WriteProcessMemory 15 IoCs
PID 1412 (nezur.exe) wrote to memory of PID 1632, procid_target 87 (3 times)
PID 1412 (nezur.exe) wrote to memory of PID 3848, procid_target 88 (3 times)
PID 3848 (cmd.exe) wrote to memory of PID 1052, procid_target 91 (3 times)
PID 1632 (cmd.exe) wrote to memory of PID 3580, procid_target 92 (3 times)
PID 3848 (cmd.exe) wrote to memory of PID 1460, procid_target 94 (3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\nezur.exe (PID 1412)
  Command line: "C:\Users\Admin\AppData\Local\Temp\nezur.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1632, child of 1412)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "nezur" /tr '"C:\Users\Admin\AppData\Roaming\nezur.exe"' & exit
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 3580, child of 1632)
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "nezur" /tr '"C:\Users\Admin\AppData\Roaming\nezur.exe"'
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
  - C:\Windows\SysWOW64\cmd.exe (PID 3848, child of 1412)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCCB6.tmp.bat""
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe (PID 1052, child of 3848)
      Command line: timeout 3
      - System Location Discovery: System Language Discovery
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\nezur.exe (PID 1460, child of 3848)
      Command line: "C:\Users\Admin\AppData\Roaming\nezur.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

Note: the command lines name System32, but the image paths resolve to SysWOW64, so the sample runs as a 32-bit process and its child processes are redirected by WOW64 file-system redirection. The chain is the standard AsyncRAT install routine: register an onlogon task at the highest run level for the %AppData% copy, then a temporary batch file waits (timeout 3, matching the configured delay of 3) and launches that copy.
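The process tree above is the whole install routine, and each link in it is observable in process-creation telemetry: schtasks /create with an onlogon trigger and /rl highest whose /tr target sits under AppData, cmd.exe launching a .bat from the user's Temp directory, timeout.exe under that cmd.exe, and finally an executable under AppData\Roaming spawned by the same cmd.exe. The following is an added example, not the sandbox vendor's detection logic, that encodes those links as rules and runs them over events transcribed from the command lines in this report plus one benign control (a logon task pointing at Program Files, which must not fire). The field names pid, ppid, image and cmdline are an assumed normalised schema, not any specific product's.

```python
"""Detection rules for the AsyncRAT install chain shown in the process tree.

Added example, not the sandbox vendor's logic. The events are constructed
from the command lines in the report plus one benign control; the field
names (pid, ppid, image, cmdline) are an assumed normalised schema.
"""
import re

DROPPED = r"C:\Users\Admin\AppData\Roaming\nezur.exe"
# The schtasks invocation as it appears in the report (note the '"..."' quoting).
TASK_CMD = ('schtasks /create /f /sc onlogon /rl highest /tn "nezur" /tr '
            + "'\"" + DROPPED + "\"'")

# Constructed process-creation events transcribed from the report's tree.
SAMPLE_EVENTS = [
    {"pid": 1412, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\nezur.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\nezur.exe"'},
    {"pid": 1632, "ppid": 1412, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c ' + TASK_CMD + " & exit"},
    {"pid": 3580, "ppid": 1632, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": TASK_CMD},
    {"pid": 3848, "ppid": 1412, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCCB6.tmp.bat""'},
    {"pid": 1052, "ppid": 3848, "image": r"C:\Windows\SysWOW64\timeout.exe",
     "cmdline": "timeout 3"},
    {"pid": 1460, "ppid": 3848, "image": DROPPED, "cmdline": '"' + DROPPED + '"'},
    # Benign control (constructed): a logon task whose target is under Program Files.
    {"pid": 4000, "ppid": 900, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc onlogon /tn "Backup" /tr "C:\Program Files\Backup\agent.exe"'},
]

APPDATA = re.compile(r"\\AppData\\(?:Roaming|Local)\\", re.IGNORECASE)
TEMP_BAT = re.compile(r'\\AppData\\Local\\Temp\\[^\s"]+\.bat\b', re.IGNORECASE)


def image_name(ev):
    return ev["image"].rsplit("\\", 1)[-1].lower()


def task_persistence(ev):
    """schtasks /create with an onlogon trigger whose target lives under AppData."""
    cmd = ev["cmdline"]
    if not re.search(r"schtasks(?:\.exe)?\s+/create\b", cmd, re.IGNORECASE):
        return None
    # /tr value runs up to the next switch, a '&' chain, or end of line; the
    # sample wraps it in '"..."', so strip both quote styles afterwards.
    m_tr = re.search(r"/tr\s+(.+?)(?:\s+/|\s*&|\s*$)", cmd, re.IGNORECASE)
    m_tn = re.search(r'/tn\s+"?([^"\s]+)', cmd, re.IGNORECASE)
    target = m_tr.group(1).strip("'\" ") if m_tr else ""
    onlogon = re.search(r"/sc\s+onlogon\b", cmd, re.IGNORECASE) is not None
    highest = re.search(r"/rl\s+highest\b", cmd, re.IGNORECASE) is not None
    if onlogon and APPDATA.search(target):
        return {"task": m_tn.group(1) if m_tn else "", "target": target, "highest": highest}
    return None


def batch_from_temp(ev):
    """cmd.exe executing a .bat dropped into the user's Temp directory."""
    if image_name(ev) != "cmd.exe":
        return None
    m = TEMP_BAT.search(ev["cmdline"])
    return {"script": m.group(0)} if m else None


def dropper_chain(ev, by_pid):
    """Children of a Temp-batch cmd.exe: the timeout delay and the dropped copy."""
    parent = by_pid.get(ev["ppid"])
    if parent is None or batch_from_temp(parent) is None:
        return None
    name = image_name(ev)
    if name == "timeout.exe":
        m = re.search(r"timeout\s+(?:/t\s+)?(\d+)", ev["cmdline"], re.IGNORECASE)
        return {"stage": "delay", "seconds": int(m.group(1)) if m else None}
    if name.endswith(".exe") and APPDATA.search(ev["image"]):
        return {"stage": "run_dropped_copy", "path": ev["image"]}
    return None


def detect(events):
    """Run every rule over every event; returns one finding per (rule, pid) hit."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        for rule, fn in (("scheduled_task_persistence", task_persistence),
                         ("batch_from_temp", batch_from_temp)):
            hit = fn(ev)
            if hit:
                findings.append({"rule": rule, "pid": ev["pid"], **hit})
        hit = dropper_chain(ev, by_pid)
        if hit:
            findings.append({"rule": "batch_dropper_chain", "pid": ev["pid"], **hit})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The task rule fires twice, once on the cmd.exe wrapper (PID 1632) and once on schtasks.exe itself (PID 3580); keeping both is deliberate, since the wrapper's command line survives even when the child process event is missed. The benign logon task is not reported because its target is outside AppData. Pinning the rule to the task name "nezur" would be a mistake: the name comes from install_file in the config and changes per build, whereas the onlogon trigger, the highest run level and the user-writable target are structural to the AsyncRAT install routine.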
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 522B
MD5: 00da7f1e650af65ee27f2c786561d83b
SHA1: 071e8622f304964d2350202c1ca9db34d71d29e9
SHA256: 706d2dc5cd3f617834859782684b201a324ed5e8edc9bdea38e886341c931776
SHA512: ae22913cafaf59eee00c2775a9c29d110e11b8f9732c9c2ad69acc30f95d59d983ff269d31a5747aff8971bcde31f83fb40dc6a3656ab3d272f35c194bb90b12
-
Filesize: 149B
MD5: 86982d353bc1c9996b9babd4dc5ad4f8
SHA1: 97291e090120e73182143c673f9f240f2dc854ae
SHA256: ed7a6a646ceb7253fc70d66d838abf0fab2e1e4c47cbcefd0314cb11c2b4a459
SHA512: 07e21f260a570608b6a1341bda173119db39a7aece9f6e1e0b885cfed136cf8bcda7617911b9e745e26ebb49d43bf6dbde9ec89051efa11bff5414ab9d275735
-
Filesize: 47KB (identical hashes to the submitted nezur.exe: the %AppData% copy is a byte-for-byte self-copy, so the original sample's hashes also identify the persisted file)
MD5: 60ea224fad8adf65358117a39a4bd365
SHA1: 1eb47f8bc6d41ef26915e1f5292a830b4060dd67
SHA256: a4d68abab530b30e8060ef2ded1bc57036ca53be7c3b5fbfdf62f65640ef82d9
SHA512: 2ea92e0abaa49537eca5d6f834275679e02c426d68c29298118f2202a11798209a013ab82caaca1670d6192886945137af31b96ed91e6b654f04849dba9c1800