Analysis
- max time kernel: 93s
- max time network: 101s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-06-2024 16:44
Behavioral task
- behavioral1
- Sample: Nyx.exe
- Resource: win7-20240221-en (windows7-x64)
- 8 signatures
- 150 seconds
General
- Target: Nyx.exe
- Size: 3.5MB
- MD5: 00ec60cd1add4a2f61e48c7b0a6c810f
- SHA1: 174af7f09725d67d522e65066d3e3662da50a4e2
- SHA256: df4da6874570d3e753519898684bbad60378725d24f9557f5d5294fcfd795a29
- SHA512: 244afaa72bea7b46633dbaf79bdac388dfaf190e88d3a7675d16b36cfaeb39e9b47f1dc6ac1ddc059c64e091dfff562460ac83f9e669e42c3f90ac9fc44c1003
- SSDEEP: 98304:zcwncs4fUCBRTna03MfhwbIZosECIMRvl:Ywnc3HdahZ4IgCr
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Nyx.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Nyx.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Nyx.exe
- Processes:
  resource | yara_rule
  behavioral2/memory/2944-10-0x0000000000330000-0x0000000000C70000-memory.dmp | themida
  behavioral2/memory/2944-11-0x0000000000330000-0x0000000000C70000-memory.dmp | themida
  behavioral2/memory/2944-17-0x0000000000330000-0x0000000000C70000-memory.dmp | themida
- Checks whether UAC is enabled
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Nyx.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  Processes:
  pid | process
  2944 | Nyx.exe
- Program crash (1 IoCs)
  Processes:
  pid | pid_target | process | target process
  2700 | 2944 | WerFault.exe | Nyx.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  2944 | Nyx.exe
  2944 | Nyx.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Nyx.exe
  "C:\Users\Admin\AppData\Local\Temp\Nyx.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 1476
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 2944 -ip 2944
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- memory/2944-0-0x0000000000330000-0x0000000000C70000-memory.dmp (Filesize 9.2MB)
- memory/2944-5-0x00000000759B0000-0x0000000075AA0000-memory.dmp (Filesize 960KB)
- memory/2944-4-0x00000000759B0000-0x0000000075AA0000-memory.dmp (Filesize 960KB)
- memory/2944-3-0x00000000759B0000-0x0000000075AA0000-memory.dmp (Filesize 960KB)
- memory/2944-2-0x00000000759B0000-0x0000000075AA0000-memory.dmp (Filesize 960KB)
- memory/2944-1-0x00000000759D0000-0x00000000759D1000-memory.dmp (Filesize 4KB)
- memory/2944-6-0x00000000759B0000-0x0000000075AA0000-memory.dmp (Filesize 960KB)
- memory/2944-7-0x00000000759B0000-0x0000000075AA0000-memory.dmp (Filesize 960KB)
- memory/2944-10-0x0000000000330000-0x0000000000C70000-memory.dmp (Filesize 9.2MB)
- memory/2944-11-0x0000000000330000-0x0000000000C70000-memory.dmp (Filesize 9.2MB)
- memory/2944-12-0x0000000006AB0000-0x0000000007054000-memory.dmp (Filesize 5.6MB)
- memory/2944-13-0x00000000037A0000-0x0000000003832000-memory.dmp (Filesize 584KB)
- memory/2944-14-0x0000000003770000-0x000000000377A000-memory.dmp (Filesize 40KB)
- memory/2944-16-0x00000000759B0000-0x0000000075AA0000-memory.dmp (Filesize 960KB)
- memory/2944-17-0x0000000000330000-0x0000000000C70000-memory.dmp (Filesize 9.2MB)