Edit tour

Windows Analysis Report
Nezur.zip

Overview

General Information

Sample name:	Nezur.zip
Analysis ID:	1381905
MD5:	af97dda652b878779309c854dbb05475
SHA1:	ecca25d21b423c7f89c7727533a162e68368cbd3
SHA256:	9b022527c62a75e4646df18d77accea72e30bbe6e35be379f14dff5e2951c922
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Command shell drops VBS files

Found suspicious ZIP file

Potential malicious VBS script found (suspicious strings)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Creates a process in suspended mode (likely to inject code)

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

May check the online IP address of the machine

Queries the volume information (name, serial number etc) of a device

Uses cacls to modify the permissions of files

Classification

Process Tree

System is w10x64_ra

7zG.exe (PID: 1780 cmdline: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Downloads\mGYRbZUhoR\Nezur\" -ad -an -ai#7zMap13722:94:7zEvent29886 MD5: 50F289DF0C19484E970849AAC4E6F977)

cmd.exe (PID: 4336 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Downloads\mGYRbZUhoR\Nezur\start.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cacls.exe (PID: 5712 cmdline: C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system MD5: A353590E06C976809F14906746109758)

wscript.exe (PID: 2212 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\getadmin.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cmd.exe (PID: 6184 cmdline: "C:\Windows\System32\cmd.exe" /c C:\Users\user\DOWNLO~1\MGYRBZ~1\Nezur\start.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cacls.exe (PID: 2392 cmdline: C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system MD5: A353590E06C976809F14906746109758)

Nezur.exe (PID: 2704 cmdline: Nezur.exe auto_load.txt MD5: DD98A43CB27EFD5BCC29EFB23FDD6CA5)

conhost.exe (PID: 980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6236 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\Downloads\mGYRbZUhoR\Nezur\start.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cacls.exe (PID: 1748 cmdline: C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system MD5: A353590E06C976809F14906746109758)

Nezur.exe (PID: 6392 cmdline: Nezur.exe auto_load.txt MD5: DD98A43CB27EFD5BCC29EFB23FDD6CA5)

conhost.exe (PID: 1300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4376 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Downloads\mGYRbZUhoR\Nezur\start.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cacls.exe (PID: 1072 cmdline: C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system MD5: A353590E06C976809F14906746109758)

wscript.exe (PID: 4948 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\getadmin.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cmd.exe (PID: 1440 cmdline: "C:\Windows\System32\cmd.exe" /c C:\Users\user\DOWNLO~1\MGYRBZ~1\Nezur\start.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cacls.exe (PID: 6260 cmdline: C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system MD5: A353590E06C976809F14906746109758)

Nezur.exe (PID: 2780 cmdline: Nezur.exe auto_load.txt MD5: DD98A43CB27EFD5BCC29EFB23FDD6CA5)

conhost.exe (PID: 6004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7072 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\Downloads\mGYRbZUhoR\Nezur\start.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cacls.exe (PID: 6104 cmdline: C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system MD5: A353590E06C976809F14906746109758)

Nezur.exe (PID: 5248 cmdline: Nezur.exe auto_load.txt MD5: DD98A43CB27EFD5BCC29EFB23FDD6CA5)

conhost.exe (PID: 5548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Nezur.exe (PID: 7152 cmdline: "C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe" C:\Users\user\Downloads\mGYRbZUhoR\Nezur\auto_load.txt MD5: DD98A43CB27EFD5BCC29EFB23FDD6CA5)

conhost.exe (PID: 3776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4836 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\Downloads\mGYRbZUhoR\Nezur\start.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 6056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cacls.exe (PID: 5008 cmdline: C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system MD5: A353590E06C976809F14906746109758)

Nezur.exe (PID: 4984 cmdline: Nezur.exe auto_load.txt MD5: DD98A43CB27EFD5BCC29EFB23FDD6CA5)

conhost.exe (PID: 5956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 996 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Downloads\mGYRbZUhoR\Nezur\start.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 60 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cacls.exe (PID: 4676 cmdline: C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system MD5: A353590E06C976809F14906746109758)

wscript.exe (PID: 5328 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\getadmin.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cmd.exe (PID: 4476 cmdline: "C:\Windows\System32\cmd.exe" /c C:\Users\user\DOWNLO~1\MGYRBZ~1\Nezur\start.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cacls.exe (PID: 6152 cmdline: C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system MD5: A353590E06C976809F14906746109758)

Nezur.exe (PID: 908 cmdline: Nezur.exe auto_load.txt MD5: DD98A43CB27EFD5BCC29EFB23FDD6CA5)

conhost.exe (PID: 4412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• Compliance
• Networking
• System Summary
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

Source: C:\Program Files\7-Zip\7zG.exe

File created: C:\Users\user\Downloads\mGYRbZUhoR\Nezur\README.txt

Source: unknown

DNS query: name: ip-api.com

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /json/?fields=query,status,countryCode,city,timezone HTTP/1.1Content-Type: application/json; charset=utf-16User-Agent: WinterHost: ip-api.comCache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: ip-api.com

System Summary

Found suspicious ZIP file

Source: Nezur.zip

Zip Entry: start.bat

Potential malicious VBS script found (suspicious strings)

Source: C:\Windows\System32\cmd.exe

Dropped file: UAC.ShellExecute "cmd.exe", "/c C:\Users\user\DOWNLO~1\MGYRBZ~1\Nezur\start.bat ", "", "runas", 1

Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}

Source: classification engine

Classification label: mal56.winZIP@66/10@1/21

Source: C:\Program Files\7-Zip\7zG.exe

File created: C:\Users\user\Downloads\mGYRbZUhoR\Nezur

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4356:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2832:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1300:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2920:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6108:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4412:120:WilError_03
Source: C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe	Mutant created: \Sessions\1\BaseNamedObjects\Winter747
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6056:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2464:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4260:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5956:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5548:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3776:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6004:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5952:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:60:120:WilError_03

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\getadmin.vbs

Source: unknown

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Downloads\mGYRbZUhoR\Nezur\start.bat" "

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\getadmin.vbs"

Source: C:\Windows\System32\cmd.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Program Files\7-Zip\7zG.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Downloads\mGYRbZUhoR\Nezur\" -ad -an -ai#7zMap13722:94:7zEvent29886
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Downloads\mGYRbZUhoR\Nezur\start.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cacls.exe C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\getadmin.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\DOWNLO~1\MGYRBZ~1\Nezur\start.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cacls.exe C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe Nezur.exe auto_load.txt
Source: C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cacls.exe C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\getadmin.vbs"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cacls.exe C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe Nezur.exe auto_load.txt
Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\Downloads\mGYRbZUhoR\Nezur\start.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cacls.exe C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe Nezur.exe auto_load.txt
Source: C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cacls.exe C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe Nezur.exe auto_load.txt
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Downloads\mGYRbZUhoR\Nezur\start.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cacls.exe C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\getadmin.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\DOWNLO~1\MGYRBZ~1\Nezur\start.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cacls.exe C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe Nezur.exe auto_load.txt
Source: C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\Downloads\mGYRbZUhoR\Nezur\start.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cacls.exe C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe Nezur.exe auto_load.txt
Source: C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cacls.exe C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\getadmin.vbs"
Source: unknown	Process created: C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe "C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe" C:\Users\user\Downloads\mGYRbZUhoR\Nezur\auto_load.txt
Source: C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cacls.exe C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe Nezur.exe auto_load.txt
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cacls.exe C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe Nezur.exe auto_load.txt
Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\Downloads\mGYRbZUhoR\Nezur\start.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cacls.exe C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe Nezur.exe auto_load.txt
Source: C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Downloads\mGYRbZUhoR\Nezur\start.bat" "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cacls.exe C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\getadmin.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\DOWNLO~1\MGYRBZ~1\Nezur\start.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cacls.exe C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe Nezur.exe auto_load.txt
Source: C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cacls.exe C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe Nezur.exe auto_load.txt
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cacls.exe C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\getadmin.vbs"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cacls.exe C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe Nezur.exe auto_load.txt

Source: C:\Program Files\7-Zip\7zG.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\7-Zip\7zG.exe

Window detected: Number of UI elements: 15

Persistence and Installation Behavior

Command shell drops VBS files

Source: C:\Windows\System32\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\getadmin.vbs
Source: C:\Windows\System32\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\getadmin.vbs
Source: C:\Windows\System32\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\getadmin.vbs

Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Downloads\mGYRbZUhoR\Nezur\lua51.dll			Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe			Jump to dropped file

Source: C:\Program Files\7-Zip\7zG.exe

File created: C:\Users\user\Downloads\mGYRbZUhoR\Nezur\README.txt

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\cacls.exe C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cacls.exe C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\getadmin.vbs"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cacls.exe C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe Nezur.exe auto_load.txt
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cacls.exe C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe Nezur.exe auto_load.txt
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cacls.exe C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\getadmin.vbs"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cacls.exe C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe Nezur.exe auto_load.txt
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cacls.exe C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe Nezur.exe auto_load.txt
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cacls.exe C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe Nezur.exe auto_load.txt
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cacls.exe C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\getadmin.vbs"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cacls.exe C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe Nezur.exe auto_load.txt

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	212 Scripting	Valid Accounts	Windows Management Instrumentation	1 Services File Permissions Weakness	1 Services File Permissions Weakness	1 Masquerading	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	212 Scripting	11 Process Injection	1 Services File Permissions Weakness	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	2 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 System Network Configuration Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact

Source	Detection	Scanner	Label	Link
C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe	3%	ReversingLabs
C:\Users\user\Downloads\mGYRbZUhoR\Nezur\lua51.dll	3%	ReversingLabs

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/json/?fields=query,status,countryCode,city,timezone	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
23.54.201.219	unknown	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	39.0.0 Ruby
Analysis ID:	1381905
Start date and time:	2024-01-26 20:44:49 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	54
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	Nezur.zip
Detection:	MAL
Classification:	mal56.winZIP@66/10@1/21
Cookbook Comments:	Found application associated with file extension: .zip

Warnings

Exclude process from analysis (whitelisted): SIHClient.exe
Excluded IPs from analysis (whitelisted): 23.54.201.219
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Nezur.zip

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HAYXG4SY\json[1].json

Download File

Process:	C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	109
Entropy (8bit):	4.636579831743151
Encrypted:	false
SSDEEP:
MD5:	32C10AB47E31A6FC74F2A012C67D5011
SHA1:	BC419BE2869B284532464E276D56BABFEB687661
SHA-256:	7CFE53ED655A99E8CDD0BF258A2C1EAA2D5B23C92FFB966BE93763EB00259B0F
SHA-512:	31053DD59C73727C31EE0D72D75B09C05D2E666811AFB92938142738DAA418B9FE937A10C251D8C45EA0BA07319672C140BF5D9982EA84BD5E35C3898EDEE168
Malicious:	false
Reputation:	low
Preview:	{"status":"success","countryCode":"US","city":"Atlanta","timezone":"America/New_York","query":"81.181.57.74"}

C:\Users\user\AppData\Local\Temp\getadmin.vbs

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	147
Entropy (8bit):	5.164665865819676
Encrypted:	false
SSDEEP:
MD5:	91B5187A287D7FA25B27DE459B13EE5E
SHA1:	F11FF1D448686CFA85FB234E23FFA573680E2847
SHA-256:	70302F46C9F9F7F7CD4B46C5A9A42DF6D3E8EA291EF7B0C874C3473E43541E49
SHA-512:	82E50DBEBB27F77857CAC46F4BD1E93E9AF9D0068E1304EE1A11F3A834F928B4C77988E2EDC7D188416EB47BB663866A9E9065EC63DFE5F69BD37D9B88301153
Malicious:	true
Reputation:	low
Preview:	Set UAC = CreateObject("Shell.Application") ..UAC.ShellExecute "cmd.exe", "/c C:\Users\user\DOWNLO~1\MGYRBZ~1\Nezur\start.bat ", "", "runas", 1 ..

C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe

Download File

Process:	C:\Program Files\7-Zip\7zG.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	91136
Entropy (8bit):	6.34670024833589
Encrypted:	false
SSDEEP:
MD5:	DD98A43CB27EFD5BCC29EFB23FDD6CA5
SHA1:	38F621F3F0DF5764938015B56ECFA54948DDE8F5
SHA-256:	1CF20B8449EA84C684822A5E8AB3672213072DB8267061537D1CE4EC2C30C42A
SHA-512:	871A2079892B1EB54CB761AEBD500AC8DA96489C3071C32A3DAB00200F74F4E12B9AB6C62623C53AEA5B8BE3FC031FB1B3E628FFE15D73323D917083240742B0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................................:...................c.......c.......c.......[..............[.......[.......Rich....................PE..L.....gZ.............................'............@.......................................@.................................$V..<...............................T... N..............................@N..@............................................text............................... ..`.rdata..^_.......`..................@..@.data........`.......H..............@....reloc..T............R..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Downloads\mGYRbZUhoR\Nezur\README.txt

Download File

Process:	C:\Program Files\7-Zip\7zG.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1280
Entropy (8bit):	5.1879148053347794
Encrypted:	false
SSDEEP:
MD5:	4D61D6CF953627733AC13DD5E6CC8E69
SHA1:	B930E8C44BB9AD460936AEC495D53341954AEE07
SHA-256:	667BCF026DCD5BCE1D13F834B0E369F3EA97DE875A46E11C0B3D5399113E7556
SHA-512:	A5110FA0240B8A9F77B18F134FF4ECF76D6EEDF3ECABCE932C8F97F3E2EDF355E925734A2FDB170723B6BAA9C26500C955536520874FFE0E6F98F440FB9B2C15
Malicious:	false
Reputation:	low
Preview:	Thank you for downloading from the official website: https://www.nezur.pro....Procedure of installation:..1. First extract the zip, run "start" file or drag "auto_load" on "Nezur"..2. Second finish the key system..3. Paste the key..4. Join and game it auto injects so no need to inject..5. Enable anything you need..6. For triggerbot to work make it look like this: https://cdn.discordapp.com/attachments/1127231700028629082/1158075515681382504/image.png?ex=651aed5e&is=65199bde&hm=f9556f78904bf1dcdf9a127d8103973838f530ff43006062ed2cd877069ad708&..7. For aimbot/aimlock to work make it look like this: https://cdn.discordapp.com/attachments/1127231700028629082/1158075747525730324/image.png?ex=651aed96&is=65199c16&hm=5f4885b9fc30ecc1731fdbc09b5568ca424d581ac680d892a6a9989d171c2824&..8. Change your settings to this: https://cdn.discordapp.com/attachments/1127231700028629082/1158075855625527407/image.png?ex=651aedaf&is=65199c2f&hm=aad2c3676f8edc56871d57c424f9d23eca492f62ded9f6394b14d4ba6820d863&

C:\Users\user\Downloads\mGYRbZUhoR\Nezur\auto_load.txt

Download File

Process:	C:\Program Files\7-Zip\7zG.exe
File Type:	data
Category:	dropped
Size (bytes):	192435
Entropy (8bit):	6.196471432315464
Encrypted:	false
SSDEEP:
MD5:	1E6B9406FD84312CB2BBD29293F1A344
SHA1:	543A81B1E1934C1CF0232A20869C428727A25454
SHA-256:	CF63912C3B3CCFACD48E8C35FC5FDD401135E6D56978FC0012CE86B0A4A81E0F
SHA-512:	A977E8E98734DA9624C92CE2BD2AE3B2F3D3B910A961339AA223A00828536E979B8B6B603DDF7952E2625B1AE26D1E2931AA4C6DFA47DE9908B536780D06767F
Malicious:	false
Reputation:	low
Preview:	.LJ..........<-...........X.4.-...................U...-...............-.......X...-.......-...-...-...!...........)...%...#...B.......)...%...#...-...........B...-.......B... .......!...........!...........!.......4...>...>...>...>.......6...9...-...D............remove.table.......................@....................)-...8.......X...X.#.4.......-.......................6...9.......B...'...<...)...).......)...M...6...9...........B...-...B... ... .......8.......8...&...<...O...L................byte..len.string....................-.......8...L.......0.......-...........-...-...)...<...-...L........I.......-...-...8.......<...-...8.......X...-...-...,...<...<...K....................L..................L...............;).......)...M...-...8...-...8...8.......<...O...-.......X...-...+...B...-.......B...-...)..+B...-...)..B...-...)..,B.......-...3...<...<...<...2...L...X...-...4...4...-...)..B...-...<...-...)..+B...<...-...)..,B...3...<...2...D...K..................+.......-...-...4...

C:\Users\user\Downloads\mGYRbZUhoR\Nezur\configs\autosave.cfg

Download File

Process:	C:\Program Files\7-Zip\7zG.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	916
Entropy (8bit):	4.938578928527749
Encrypted:	false
SSDEEP:
MD5:	024AB27DFE02DBCD5357528AC4DBE028
SHA1:	2F2B7DF7B4557E274D4255CEBD65D6D7C125CF95
SHA-256:	C029522BB51F2EEA602E3818BE4B495282CC2D8DA92421F8BF3CED7DC46098BD
SHA-512:	F87D48447E5663BE7E63F7F7934D33C795F2201ACC753720BBF77AF49CF8AB44B6F9618A2A22DD8F08A5D67424CA0C7C566B15B3F172EDC34AF4B29A23B5D137
Malicious:	false
Reputation:	low
Preview:	{"AIMBOT_AUTO_PREDICTION":false,"AIMBOT_BODYPART":0,"AIMBOT_DISTANCE_CHECK":false,"AIMBOT_DISTANCE_STUDS":2664,"AIMBOT_ENABLED":true,"AIMBOT_FOV":103,"AIMBOT_HEALTH_CHECK":false,"AIMBOT_KEYBIND":2,"AIMBOT_PREDICTION":false,"AIMBOT_PREDICTION_X":1.0,"AIMBOT_PREDICTION_Y":1.0,"AIMBOT_SENSITIVITY":0.34700000286102295,"AIMBOT_SHAKE":false,"AIMBOT_SHAKE_INTENSITY":1,"AIMBOT_SMOOTHING":2,"AIMBOT_TEAMCHECK":true,"AIMBOT_USE_FOV":true,"AIMBOT_X_OFFSET":0,"AIMBOT_Y_OFFSET":0,"SETTING_FPS":500,"SETTING_FPS_COUNTER":true,"SETTING_STREAMSPOOF":false,"SETTING_VSYNC":true,"VISUALS_BOX":true,"VISUALS_BOX_TYPE":1,"VISUALS_DISTANCE_CHECK":false,"VISUALS_DISTANCE_LABEL":true,"VISUALS_DISTANCE_STUDS":10000,"VISUALS_DRAW_FOV":true,"VISUALS_ENABLED":true,"VISUALS_HEALTH":false,"VISUALS_LOOK_AT":false,"VISUALS_NAME_LABEL":false,"VISUALS_TARGET_INFO":false,"VISUALS_TEAMCHECK":true,"VISUALS_TRACER":true,"VISUALS_TRACER_POS":1}

C:\Users\user\Downloads\mGYRbZUhoR\Nezur\lua51.dll

Download File

Process:	C:\Program Files\7-Zip\7zG.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	606208
Entropy (8bit):	6.7850772365784655
Encrypted:	false
SSDEEP:
MD5:	3DFF7448B43FCFB4DC65E0040B0FFB88
SHA1:	583CDAB08519D99F49234965FFD07688CCF52C56
SHA-256:	FF976F6E965E3793E278FA9BF5E80B9B226A0B3932B9DA764BFFC8E41E6CDB60
SHA-512:	CDCBE0EC9DDD6B605161E3C30CE3DE721F1333FCE85985E88928086B1578435DC67373C3DC3492ED8EAE0D63987CAC633AA4099B205989DCBB91CBBFC8F6A394
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........O..\|...\|...\|.......\|...y.?.\|...x..\|...}...\|...}...\|......\|...y..\|...x..\|...\|...\|...x...\|...\|...\|...~...\|.Rich..\|.........................PE..L.....gZ...........!.....\|...........<....................................................@.....................................(............................@..l0..@...............................`...@............................................text....{.......\|.................. ..`.rdata..............................@..@.data........ ......................@....reloc..l0...@...2..................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Downloads\mGYRbZUhoR\Nezur\start.bat

Download File

Process:	C:\Program Files\7-Zip\7zG.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	548
Entropy (8bit):	5.175168398554481
Encrypted:	false
SSDEEP:
MD5:	12C37BF6537BFDF93B80C31F6D1391B2
SHA1:	43DF564E4988008F3E97167837F58F1452CF3D13
SHA-256:	CAB7B8973DD5F7252AF6A1A080DEEC442ACD1E6BDD6C7476BD73E39553751222
SHA-512:	C59645DA2377EC2EB8C4CA75174379134DC657741EE324FC6FD38170B9704852BF136A919FE0363EA85BEFE61E8838EF74DAD07E365392D8F8F6462BB1BA75F9
Malicious:	false
Reputation:	low
Preview:	@echo off....>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"....if '%errorlevel%' NEQ '0' (.. goto UACPrompt..) else ( goto gotAdmin )....:UACPrompt.. echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs".. set params = %*:"=".. echo UAC.ShellExecute "cmd.exe", "/c %~s0 %params%", "", "runas", 1 >> "%temp%\getadmin.vbs".... "%temp%\getadmin.vbs".. del "%temp%\getadmin.vbs".. exit /B....:gotAdmin.. pushd "%CD%".. CD /D "%~dp0"......start Nezur.exe auto_load.txt..

\Device\Null

Download File

Process:	C:\Windows\System32\cacls.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	121
Entropy (8bit):	4.323081947925383
Encrypted:	false
SSDEEP:
MD5:	43B1EC1407EA9C0219A563FFFEEAE780
SHA1:	C42041802E99A95E6CBAE13E3E20EBFBA3237BB2
SHA-256:	7E5146BF6F0B6AA61AFD4E3A6031D6DEF0F37523A22D75086B8E0E21D22E4B16
SHA-512:	5307D7E089BEA4DAC250D0B606C80DF13CCA0A7ECB622BF61B37AD736FFC44EA68F9B993E4743F2AB220FF950E9D9B423524D4E10C0B2D1CE280A7D9B5095DE0
Malicious:	false
Reputation:	low
Preview:	C:\Windows\system32\config\SYSTEM NT AUTHORITY\SYSTEM:F .. BUILTIN\Administrators:F ....

Static File Info

General

File type:	Zip archive data, at least v1.0 to extract, compression method=store
Entropy (8bit):	7.996725517887312
TrID:	ZIP compressed archive (8000/1) 99.91% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.09%
File name:	Nezur.zip
File size:	489'483 bytes
MD5:	af97dda652b878779309c854dbb05475
SHA1:	ecca25d21b423c7f89c7727533a162e68368cbd3
SHA256:	9b022527c62a75e4646df18d77accea72e30bbe6e35be379f14dff5e2951c922
SHA512:	50f0d9ccf9ef3b7a5fceb326ce5cd25b71ff6bcb5e0b15d5c70f925e1d03781f3c34433bd83bd804419e23ba1d212ff56b2cd30d8d398e5eed4ad4af46694b5c
SSDEEP:	12288:5iN+kU0Yz3jBL75xwc4XscIFl4zA6fzvBLzkwRM:cKjRdxwr81FlQxfDxzk3
TLSH:	EAA423110DAD2D94C18838521D6509F211A16CCAEE3DECACF4E1D8A1BFE3C92EF76597
File Content Preview:	PK.........-7X................configs/PK........n.5X.E..F...........configs/autosave.cfgu.;o.0....s....-.a.`.>...&.C;u.c...k............@V........R.$..o/...wN'..54...g...J..9.by.[.m..8:.v^....4..>..+.uA...=..J.../.O..!".n.?.s.Ol.k....JK..d+....!........i?

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Process: Process Creation, Service: Service Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Nezur.zip

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

General Information

Warnings

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\HAYXG4SY\json[1].json

C:\Users\user\AppData\Local\Temp\getadmin.vbs

C:\Users\user\Downloads\mGYRbZUhoR\Nezur\Nezur.exe

C:\Users\user\Downloads\mGYRbZUhoR\Nezur\README.txt

C:\Users\user\Downloads\mGYRbZUhoR\Nezur\auto_load.txt

C:\Users\user\Downloads\mGYRbZUhoR\Nezur\configs\autosave.cfg

C:\Users\user\Downloads\mGYRbZUhoR\Nezur\lua51.dll

C:\Users\user\Downloads\mGYRbZUhoR\Nezur\start.bat

\Device\Null

Static File Info

General

Windows Analysis Report
Nezur.zip