df4da6874570d3e753519898684bbad60378725d24f9557f5d5294fcfd795a29

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nyx.exe
Size

3.5MB
MD5

00ec60cd1add4a2f61e48c7b0a6c810f
SHA1

174af7f09725d67d522e65066d3e3662da50a4e2
SHA256

df4da6874570d3e753519898684bbad60378725d24f9557f5d5294fcfd795a29
SHA512

244afaa72bea7b46633dbaf79bdac388dfaf190e88d3a7675d16b36cfaeb39e9b47f1dc6ac1ddc059c64e091dfff562460ac83f9e669e42c3f90ac9fc44c1003
SSDEEP

98304:zcwncs4fUCBRTna03MfhwbIZosECIMRvl:Ywnc3HdahZ4IgCr

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Nyx.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Nyx.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Nyx.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Nyx.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Nyx.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Nyx.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Nyx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Nyx.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1096-29-0x0000000001330000-0x0000000001C70000-memory.dmp	themida
behavioral1/memory/1096-30-0x0000000001330000-0x0000000001C70000-memory.dmp	themida
behavioral1/memory/1096-33-0x0000000001330000-0x0000000001C70000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Nyx.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Nyx.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Nyx.exe

pid process

1096 Nyx.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2836 1096 WerFault.exe Nyx.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Nyx.exe

pid process

1096 Nyx.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Nyx.exe

pid	process
1096	Nyx.exe

pid	pid_target	process	target process
2836	1096	WerFault.exe	Nyx.exe

pid	process
1096	Nyx.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Nyx.exe

description	pid	process	target process
PID 1096 wrote to memory of 2836	1096	Nyx.exe	WerFault.exe
PID 1096 wrote to memory of 2836	1096	Nyx.exe	WerFault.exe
PID 1096 wrote to memory of 2836	1096	Nyx.exe	WerFault.exe
PID 1096 wrote to memory of 2836	1096	Nyx.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Nyx.exe
"C:\Users\Admin\AppData\Local\Temp\Nyx.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 856
2⤵
- Program crash
PID:2836

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1096-0-0x0000000001330000-0x0000000001C70000-memory.dmp

Filesize
9.2MB

Download
memory/1096-1-0x00000000757A1000-0x00000000757A2000-memory.dmp

Filesize
4KB

Download
memory/1096-2-0x0000000075790000-0x00000000758A0000-memory.dmp

Filesize
1.1MB

Download
memory/1096-5-0x0000000075790000-0x00000000758A0000-memory.dmp

Filesize
1.1MB

Download
memory/1096-4-0x0000000075790000-0x00000000758A0000-memory.dmp

Filesize
1.1MB

Download
memory/1096-3-0x0000000075790000-0x00000000758A0000-memory.dmp

Filesize
1.1MB

Download
memory/1096-15-0x0000000075790000-0x00000000758A0000-memory.dmp

Filesize
1.1MB

Download
memory/1096-14-0x0000000075790000-0x00000000758A0000-memory.dmp

Filesize
1.1MB

Download
memory/1096-13-0x0000000075790000-0x00000000758A0000-memory.dmp

Filesize
1.1MB

Download
memory/1096-12-0x0000000075790000-0x00000000758A0000-memory.dmp

Filesize
1.1MB

Download
memory/1096-11-0x0000000075790000-0x00000000758A0000-memory.dmp

Filesize
1.1MB

Download
memory/1096-10-0x0000000075790000-0x00000000758A0000-memory.dmp

Filesize
1.1MB

Download
memory/1096-9-0x0000000075790000-0x00000000758A0000-memory.dmp

Filesize
1.1MB

Download
memory/1096-8-0x0000000075790000-0x00000000758A0000-memory.dmp

Filesize
1.1MB

Download
memory/1096-7-0x0000000075790000-0x00000000758A0000-memory.dmp

Filesize
1.1MB

Download
memory/1096-6-0x0000000075790000-0x00000000758A0000-memory.dmp

Filesize
1.1MB

Download
memory/1096-21-0x0000000075790000-0x00000000758A0000-memory.dmp

Filesize
1.1MB

Download
memory/1096-28-0x0000000075790000-0x00000000758A0000-memory.dmp

Filesize
1.1MB

Download
memory/1096-27-0x0000000075790000-0x00000000758A0000-memory.dmp

Filesize
1.1MB

Download
memory/1096-26-0x0000000075790000-0x00000000758A0000-memory.dmp

Filesize
1.1MB

Download
memory/1096-25-0x0000000075790000-0x00000000758A0000-memory.dmp

Filesize
1.1MB

Download
memory/1096-24-0x0000000075790000-0x00000000758A0000-memory.dmp

Filesize
1.1MB

Download
memory/1096-23-0x0000000075790000-0x00000000758A0000-memory.dmp

Filesize
1.1MB

Download
memory/1096-22-0x0000000075790000-0x00000000758A0000-memory.dmp

Filesize
1.1MB

Download
memory/1096-20-0x0000000075790000-0x00000000758A0000-memory.dmp

Filesize
1.1MB

Download
memory/1096-19-0x0000000075790000-0x00000000758A0000-memory.dmp

Filesize
1.1MB

Download
memory/1096-29-0x0000000001330000-0x0000000001C70000-memory.dmp

Filesize
9.2MB

Download
memory/1096-30-0x0000000001330000-0x0000000001C70000-memory.dmp

Filesize
9.2MB

Download
memory/1096-33-0x0000000001330000-0x0000000001C70000-memory.dmp

Filesize
9.2MB

Download
memory/1096-34-0x0000000075790000-0x00000000758A0000-memory.dmp

Filesize
1.1MB

Download