Analysis

  • max time kernel
    90s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20231222-en locale:en-us os:windows10-2004-x64 system
  • submitted
    04/02/2024, 19:10

General

  • Target

    8fedbd9e477e16a12f812c2b77f18d20.exe

  • Size

    1.4MB

  • MD5

    8fedbd9e477e16a12f812c2b77f18d20

  • SHA1

    d7326469524fa8b5322ab945f23304f66ac77906

  • SHA256

    497d46eecb32775155b8b1ea64c705bfc67f63b970c38d5f27fc62ac4a53403d

  • SHA512

    4855631ab304aa0347e45f2b4c11451d62268eda1e883bf5b898ae9e983a48c9768b8c97f45a2465fe62c52fe891f3cebae3a0968e39aa261195664c1dc99591

  • SSDEEP

    24576:QvbkfOB2nhhUYTLcBZZSikgBDlHDPE4wauYv4FKbdPSXqfWZ7wFVbFYakUHa:gbuo6hhUYTIHBjuU4FKbYXqfcEVbGn

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Program Files directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 40 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8fedbd9e477e16a12f812c2b77f18d20.exe
    "C:\Users\Admin\AppData\Local\Temp\8fedbd9e477e16a12f812c2b77f18d20.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe
      "C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe" /VERYSILENT
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2284
      • C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp" /SL4 $6011C "C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe" 1209921 57344 /VERYSILENT
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:1628
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\nuri-web\del_bat.cmd""
          4⤵
          PID:4948
        • C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp
          _RegDLL.tmp 1216 1156
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Installs/modifies Browser Helper Object
          • Modifies registry class
          PID:1368
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\del_nsis_bat.cmd" "
        2⤵
        PID:5040

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\nuri-web\del_bat.cmd

    Filesize

    202B

    MD5

    1facd5b5a62fc3c72c6b0157d2a2697f

    SHA1

    5c89dbbee5598a435b2be32a0fa77ed1ebe306b0

    SHA256

    c4c9323a9995f02dd3ad14c1771ae3cce77b873f79ece5b48866349827d09114

    SHA512

    6ec3e6ee6608e652e54a849dc090805cca34bda9ccfdaf34723290e110b29eb7b2e517b82eb463ad1c527299d5a929a974f2cc384784562b6270f3e977398a7a

  • C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe

    Filesize

    746KB

    MD5

    c93e460a70541233bfeb50b31e5d5fef

    SHA1

    a7fcdcd6fbfdd2dd0278c50e7712664f5f1e594b

    SHA256

    738191ea3025141d155436f4c00b45cff8064b4c53ec6b184ef77e71433c6c09

    SHA512

    936675509518ce9778120630469cb76bada2f57119042433bdcb27d18c86626d2757eba65262fc5e8dae77db9bc06813cd779f9931e556db1da2318cbe6d757b

  • C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe

    Filesize

    756KB

    MD5

    87f16156e85e783f801fbe1b4f386596

    SHA1

    d3eff0bb89a840b2cae9d4a35377260058712cbf

    SHA256

    a40352dee10e8657abc20674cbaa8728479dfa48483f68febcfdd51cafef384c

    SHA512

    a25cbf3a87ee1138a3d75ef0123f8eb3e7e044f847b916784c8a0eb4028d4d9d78175ef29d8e8d6b7781f022630423a265d5e01096d67283f160ea2fcdc4c7a8

  • C:\Program Files\nuri-web\nuriweb.dll

    Filesize

    429KB

    MD5

    ea3577ff84ed57d4bc86278bacb00b1b

    SHA1

    54f28342f3f3cce8b98a3c170d63247f4af19fe7

    SHA256

    379861ccd5a88e71f911581bea92f275bdea8f674e8c761e4d701afb5d586ee4

    SHA512

    73c226fc6f45424d5e5dad42b8cdd48c69ef4f3e6cef9ab0e2d4f62e1649f9dbba2c91b176491df54e0e3cffa3720bc4d1bcda51f4b9467d587809f4f0f87021

  • C:\Program Files\nuri-web\sqlite3.dll

    Filesize

    275KB

    MD5

    ca32bd7555d692fae488ec5864ce0ebc

    SHA1

    7cb21ae715ab154ac4658bb9d04348865577c25a

    SHA256

    f2aec7bf629d289ebd69abfa6f7296c8e349ae7384d261b3462db99dd86435fa

    SHA512

    d848ab9f2c552b0bb320df3981a1ee6c7ce3befb2fd37d4659a564cea95d2bdf41702fa6e465070aa0f7272ba21ab26ca1bec96702345cc7a0d7e8bc1ed42b44

  • C:\Users\Admin\AppData\Local\Temp\del_nsis_bat.cmd

    Filesize

    257B

    MD5

    37e82a46f543bd6b3d04623280098fe6

    SHA1

    d21fa52fe1d7662d3fa342c8e7ce87a8d3fab2c5

    SHA256

    b4006c5fdc77f4bbf0658668edebe6ba8818a0935bd4f29c13b1ff9ddf0707a7

    SHA512

    1e236767976c569045167489d4701fa4286a844568cf532b6080d1007c366a11321b802c58b17b135b16eaff898f445c5b270bc3ecdb8c1d7523413fa3b2b1fb

  • C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp

    Filesize

    3KB

    MD5

    c594b792b9c556ea62a30de541d2fb03

    SHA1

    69e0207515e913243b94c2d3a116d232ff79af5f

    SHA256

    5dcc1e0a197922907bca2c4369f778bd07ee4b1bbbdf633e987a028a314d548e

    SHA512

    387bd07857b0de67c04e0abf89b754691683f30515726045ff382da9b6b7f36570e38fae9eca5c4f0110ce9bb421d8045a5ec273c4c47b5831948564763ed144

  • C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp

    Filesize

    604KB

    MD5

    b27fcbe50d1dfcfb06c867fb39be2aac

    SHA1

    7793946bfb2bf902c1ce5b8a23537d458708aa05

    SHA256

    39e9eb81d99508be615becb0a4e5f2059638ab95c45712a598983dfe77abd51c

    SHA512

    2c2049044a6cdc9fed7c8534a66ac2dbeccac58ba29808647e69e036dfa65adadd1d61fa42e432dbaf41e514df67a6d0f498cd79484abe85b31c92f6582cf34d

  • C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp

    Filesize

    592KB

    MD5

    2c79756045f159e06de9e75b33d0c4bf

    SHA1

    c05f3693d5b1b09c544e5845137c82f24278873e

    SHA256

    0d9bb29b273f866f1fc85b9f0b19483ecd57b20b53befd87cd1bc8d810cd2b10

    SHA512

    996eea70169e72611f7d2c283e8d25cadcdf024e7121001859c2d561e4facff187e7d698568d3ec1bcbad9bb72fdcba5097852bdeebc1e80e5ceed46bd7fdee1

  • memory/1368-46-0x0000000060900000-0x000000006096F000-memory.dmp

    Filesize

    444KB

  • memory/1368-44-0x0000000002250000-0x000000000238A000-memory.dmp

    Filesize

    1.2MB

  • memory/1368-42-0x0000000002250000-0x000000000238A000-memory.dmp

    Filesize

    1.2MB

  • memory/1628-15-0x0000000000510000-0x0000000000511000-memory.dmp

    Filesize

    4KB

  • memory/1628-51-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

  • memory/2284-5-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/2284-52-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB