Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/02/2024, 19:10

General

  • Target
    8fedbd9e477e16a12f812c2b77f18d20.exe
  • Size
    1.4MB
  • MD5
    8fedbd9e477e16a12f812c2b77f18d20
  • SHA1
    d7326469524fa8b5322ab945f23304f66ac77906
  • SHA256
    497d46eecb32775155b8b1ea64c705bfc67f63b970c38d5f27fc62ac4a53403d
  • SHA512
    4855631ab304aa0347e45f2b4c11451d62268eda1e883bf5b898ae9e983a48c9768b8c97f45a2465fe62c52fe891f3cebae3a0968e39aa261195664c1dc99591
  • SSDEEP
    24576:QvbkfOB2nhhUYTLcBZZSikgBDlHDPE4wauYv4FKbdPSXqfWZ7wFVbFYakUHa:gbuo6hhUYTIHBjuU4FKbYXqfcEVbGn

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 3 IoCs

    Detects file using ACProtect software.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 9 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Program Files directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 40 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8fedbd9e477e16a12f812c2b77f18d20.exe
    "C:\Users\Admin\AppData\Local\Temp\8fedbd9e477e16a12f812c2b77f18d20.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe
      "C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe" /VERYSILENT
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp" /SL4 $2009A "C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe" 1209921 57344 /VERYSILENT
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:2932
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\nuri-web\del_bat.cmd""
          4⤵
          PID:2856
          • C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp
            _RegDLL.tmp 544 536
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Installs/modifies Browser Helper Object
            • Modifies registry class
            PID:2592
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\del_nsis_bat.cmd" "
        2⤵
        • Deletes itself
        PID:2788

Network

Downloads

  • C:\Program Files (x86)\nuri-web\del_bat.cmd
    Filesize: 202B
    MD5: 1facd5b5a62fc3c72c6b0157d2a2697f
    SHA1: 5c89dbbee5598a435b2be32a0fa77ed1ebe306b0
    SHA256: c4c9323a9995f02dd3ad14c1771ae3cce77b873f79ece5b48866349827d09114
    SHA512: 6ec3e6ee6608e652e54a849dc090805cca34bda9ccfdaf34723290e110b29eb7b2e517b82eb463ad1c527299d5a929a974f2cc384784562b6270f3e977398a7a
  • C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe
    Filesize: 825KB
    MD5: 1b266d2a395c88a1f7e12dcb8f5c401c
    SHA1: b23937b7311e1a30c1b5c17d7857bb814f32982d
    SHA256: a78701f9ad83756b9149a940b044846059fa1685d73035b5c0631da304776239
    SHA512: d8ee48f7aa3d83336a984efe8879df477b93cc3d1a7d34ead0bb51a953d6f35db571aa54b7b030afb2db15f14d26ded8020e9e991e46fb8d2228d8b6025e83eb
  • C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe
    Filesize: 758KB
    MD5: 6873a202f9b1988a080a04e4c98f1baa
    SHA1: 28263054dc0d51763c85f63258333946647b217b
    SHA256: 6b66258b031e26ab2ba62f6c4f06f29f454508abbf499c313d593029dd2dfa56
    SHA512: 7a68b3fa91890c0d648a0bee50d11bda6ec79759f47d435a5c23abb9bbd49fdc044c77e0d839c064e4ba47955249320fdf65a0b72a4320b18586d4e3855cca91
  • C:\Program Files\nuri-web\nuriweb.dll
    Filesize: 410KB
    MD5: 4179e5d67eda72d0544709db908f5b1f
    SHA1: b7d5405d8bce6ea370a793f787b7076fab2bca0c
    SHA256: 73573f821d99f3b6b24e3ef8ec1c261ec0067302411b4815801a9080420f205b
    SHA512: 42228729b3db13a879d29b3ea52e0985cab984c4016a936e482fa4e75343603a728272508cf1ef8e175779c8317cd27954a9ef17997879f220f3cc6e4cc15c73
  • C:\Users\Admin\AppData\Local\Temp\del_nsis_bat.cmd
    Filesize: 257B
    MD5: 37e82a46f543bd6b3d04623280098fe6
    SHA1: d21fa52fe1d7662d3fa342c8e7ce87a8d3fab2c5
    SHA256: b4006c5fdc77f4bbf0658668edebe6ba8818a0935bd4f29c13b1ff9ddf0707a7
    SHA512: 1e236767976c569045167489d4701fa4286a844568cf532b6080d1007c366a11321b802c58b17b135b16eaff898f445c5b270bc3ecdb8c1d7523413fa3b2b1fb
  • C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp
    Filesize: 514KB
    MD5: 1b83c7e901be158e04f61259a9fb9347
    SHA1: 1dc3bdae6a3ae82e141b8ee14eca3b296adde141
    SHA256: f5222a3b76432e3fc1da1b2fe9a05dee51549e5630c9556fd3303645993f0bfa
    SHA512: 676240bf52dfe226da9fa8581c06eb24cf377a70d92d053d8e9f506c8f3d33f878ab1bdc35f24d8a1fce35177291f283e17ae05f36ddf9c4d3def689a8058142
  • C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp
    Filesize: 656KB
    MD5: 7b67ee14334e715ded8820ab11514651
    SHA1: 81315d90dc4ed6c6ed25a694610b7f73be26d7d5
    SHA256: 73d08ebd6fd1e512f08349bc47b483861333947e5faa5d55b01446c59b9073cf
    SHA512: 2e44237a26135101049b0df80a884623a4a89001e8950ed7b8bb05d6482c4eaf8899ae1a23de2af5a10a6b73ac60f9dbf4fe058639ec375a842347f1bb133eff
  • C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp
    Filesize: 3KB
    MD5: c594b792b9c556ea62a30de541d2fb03
    SHA1: 69e0207515e913243b94c2d3a116d232ff79af5f
    SHA256: 5dcc1e0a197922907bca2c4369f778bd07ee4b1bbbdf633e987a028a314d548e
    SHA512: 387bd07857b0de67c04e0abf89b754691683f30515726045ff382da9b6b7f36570e38fae9eca5c4f0110ce9bb421d8045a5ec273c4c47b5831948564763ed144
  • \Program Files (x86)\nuri-web\nuriweb_setup_09.exe
    Filesize: 1.4MB
    MD5: 3dff19046a4f35845470fdbb70ef7269
    SHA1: c8d0f6142aa0af7b7fdde19b756aea76be4db2b6
    SHA256: 2a6df78a47c76d1b1fa2bcb4f1dc6cdeaa3d8605c09db01b34664242c1c58eb2
    SHA512: 3ef61f557303d57eb5b8d791b2c599b50f050ce7be8bea11ed395db8f07e797d44d1c915bb572d3f0d4d131edcff99681bd5978a92f9d2e48f0fa1935702e291
  • \Program Files (x86)\nuri-web\nuriweb_setup_09.exe
    Filesize: 628KB
    MD5: 135d473302849b192e812aefd2cbd38d
    SHA1: d8d4de5cf6660471b4f2be6a48b4ce4273b15969
    SHA256: e7455d6d8c129e35db6f5c11dba425d66c1aaf936a3ab31c2d8518042883d874
    SHA512: e4fd475b7a78650b36f876475dcc1992752d7bec96aca8a7b3b9bc644b29a0cf1e9e77cf847bdf67be560d0e029a3f8cf969dd72bb2812a1c303d623b80133fe
  • \Program Files (x86)\nuri-web\nuriweb_setup_09.exe
    Filesize: 574KB
    MD5: d059252814454cdd2cfe7065d042fb50
    SHA1: f3f345c0daed12c49d1050d155b4f57941f9dac8
    SHA256: 59413a5fb3e9afa731966b0b2ecdf4178835d0f4340a5ac123c9b324e253dffa
    SHA512: 795f2fbe78b9bb4c9c4be0e778af8ef366495fd053840e16e9bf0af9fcfa42e2a27f6e88a863753a791aa1d4fbf5dcf3ccc5fe7c91b5aaf7bfa730ddca408d9d
  • \Program Files\nuri-web\nuriweb.dll
    Filesize: 429KB
    MD5: ea3577ff84ed57d4bc86278bacb00b1b
    SHA1: 54f28342f3f3cce8b98a3c170d63247f4af19fe7
    SHA256: 379861ccd5a88e71f911581bea92f275bdea8f674e8c761e4d701afb5d586ee4
    SHA512: 73c226fc6f45424d5e5dad42b8cdd48c69ef4f3e6cef9ab0e2d4f62e1649f9dbba2c91b176491df54e0e3cffa3720bc4d1bcda51f4b9467d587809f4f0f87021
  • \Program Files\nuri-web\sqlite3.dll
    Filesize: 275KB
    MD5: ca32bd7555d692fae488ec5864ce0ebc
    SHA1: 7cb21ae715ab154ac4658bb9d04348865577c25a
    SHA256: f2aec7bf629d289ebd69abfa6f7296c8e349ae7384d261b3462db99dd86435fa
    SHA512: d848ab9f2c552b0bb320df3981a1ee6c7ce3befb2fd37d4659a564cea95d2bdf41702fa6e465070aa0f7272ba21ab26ca1bec96702345cc7a0d7e8bc1ed42b44
  • \Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp
    Filesize: 478KB
    MD5: 2f5bd2847bc6ef3b58ebc59c747191f2
    SHA1: f27d08e0ebd4817eb7b17eee89c82a11de91db48
    SHA256: f57f4a38e304f7c4d640ea68f2191e0d08b44f6bbcc8d15a0d72c3d7abb87791
    SHA512: 234857ccbb265c5f39c6f5815cee70c5219a5fb613b97635e0d2cb25675e3f2a5126082ef336ffdffda4e2219733273e01c0bfd7062829ffc06c150607b5d562
  • \Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_shfoldr.dll
    Filesize: 22KB
    MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
    SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
    SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
    SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
  • memory/2592-58-0x0000000002350000-0x000000000248A000-memory.dmp
    Filesize: 1.2MB
  • memory/2776-16-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize: 80KB
  • memory/2776-18-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize: 80KB
  • memory/2776-64-0x0000000000400000-0x0000000000414000-memory.dmp
    Filesize: 80KB
  • memory/2932-63-0x0000000000400000-0x00000000004B5000-memory.dmp
    Filesize: 724KB