Analysis

max time kernel   90s
max time network  149s
platform          windows10-2004_x64
resource          win10v2004-20231222-en
resource tags     arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted         04/02/2024, 19:10
Static task
  static1

Behavioral tasks
  task         sample                                resource
  behavioral1  8fedbd9e477e16a12f812c2b77f18d20.exe  win7-20231215-en
  behavioral2  8fedbd9e477e16a12f812c2b77f18d20.exe  win10v2004-20231222-en
  behavioral3  $PLUGINSDIR/InstallOptions.dll        win7-20231215-en
  behavioral4  $PLUGINSDIR/InstallOptions.dll        win10v2004-20231215-en
  behavioral5  nuriweb_setup_09.exe                  win7-20231215-en
  behavioral6  nuriweb_setup_09.exe                  win10v2004-20231215-en

The signatures and process tree below come from behavioral2 (win10v2004-20231222-en, the resource named under Analysis); the yara matches are keyed to that run.
General

Target  8fedbd9e477e16a12f812c2b77f18d20.exe
Size    1.4MB
MD5     8fedbd9e477e16a12f812c2b77f18d20
SHA1    d7326469524fa8b5322ab945f23304f66ac77906
SHA256  497d46eecb32775155b8b1ea64c705bfc67f63b970c38d5f27fc62ac4a53403d
SHA512  4855631ab304aa0347e45f2b4c11451d62268eda1e883bf5b898ae9e983a48c9768b8c97f45a2465fe62c52fe891f3cebae3a0968e39aa261195664c1dc99591
SSDEEP  24576:QvbkfOB2nhhUYTLcBZZSikgBDlHDPE4wauYv4FKbdPSXqfWZ7wFVbFYakUHa:gbuo6hhUYTIHBjuU4FKbYXqfcEVbGn
Malware Config
Signatures

ACProtect 1.3x - 1.4x DLL software  (2 IoCs)
Detects file using ACProtect software.
  resource                                     yara_rule
  behavioral2/files/0x0007000000023168-41.dat  acprotect
  behavioral2/files/0x0007000000023166-45.dat  acprotect

Checks computer location settings  (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation  (process: 8fedbd9e477e16a12f812c2b77f18d20.exe)

Executes dropped EXE  (3 IoCs)
  pid   process
  2284  nuriweb_setup_09.exe
  1628  is-CVQJF.tmp
  1368  _RegDLL.tmp

Loads dropped DLL  (3 IoCs)
  pid   process
  1368  _RegDLL.tmp
  1368  _RegDLL.tmp
  1368  _RegDLL.tmp

UPX yara matches  (5 IoCs)
  resource                                                                     yara_rule
  behavioral2/files/0x0007000000023168-41.dat                                  upx
  behavioral2/files/0x0007000000023166-45.dat                                  upx
  behavioral2/memory/1368-46-0x0000000060900000-0x000000006096F000-memory.dmp  upx
  behavioral2/memory/1368-44-0x0000000002250000-0x000000000238A000-memory.dmp  upx
  behavioral2/memory/1368-42-0x0000000002250000-0x000000000238A000-memory.dmp  upx

Adds Run key to start application  (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nuriweb = "c:\\program files\\nuri-web\\nuriweb.exe"  (process: is-CVQJF.tmp)

Checks installed software on the system  (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Installs/modifies Browser Helper Object  (2 TTPs, 2 IoCs)
BHOs are DLLs that Internet Explorer loads in-process as plugins; registering a CLSID under the Browser Helper Objects key is enough to get the DLL loaded into every IE session. The CLSID registered here is the same one whose COM registration appears under "Modifies registry class" below, where its InprocServer32 default value points at C:\PROGRA~1\nuri-web\nuriweb.dll. NoExplorer = 1 keeps the object out of Windows Explorer, so it is loaded by Internet Explorer only.
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\NoExplorer = "1"  (process: _RegDLL.tmp)
  Key created      \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}  (process: _RegDLL.tmp)

Drops file in Program Files directory  (11 IoCs)
  File created                   C:\Program Files\nuri-web\is-IUSJV.tmp  (process: is-CVQJF.tmp)
  File created                   C:\Program Files\nuri-web\is-IEJDJ.tmp  (process: is-CVQJF.tmp)
  File created                   C:\Program Files\nuri-web\is-LL7JM.tmp  (process: is-CVQJF.tmp)
  File created                   C:\Program Files\nuri-web\is-NR1Q8.tmp  (process: is-CVQJF.tmp)
  File opened for modification   C:\Program Files\nuri-web\unins000.dat  (process: is-CVQJF.tmp)
  File created                   C:\Program Files (x86)\nuri-web\del_bat.cmd  (process: is-CVQJF.tmp)
  File created                   C:\Program Files\nuri-web\is-QMCQD.tmp  (process: is-CVQJF.tmp)
  File created                   C:\Program Files\nuri-web\is-FL1S1.tmp  (process: is-CVQJF.tmp)
  File created                   C:\Program Files\nuri-web\is-UF2PD.tmp  (process: is-CVQJF.tmp)
  File created                   C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe  (process: 8fedbd9e477e16a12f812c2b77f18d20.exe)
  File created                   C:\Program Files\nuri-web\unins000.dat  (process: is-CVQJF.tmp)

Enumerates physical storage devices  (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class  (40 IoCs, all by _RegDLL.tmp)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\TypeLib\ = "{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\nuriweb.nuriweb\Clsid
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\TypeLib\ = "{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\TypeLib
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\nuriweb.nuriweb\ = "nuriweb Object"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\ = "nuriweb Library"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\ = "nuriweb Class"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\FLAGS\ = "0"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\HELPDIR\ = "C:\\Program Files\\nuri-web\\"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\Version
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\TypeLib
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\TypeLib\Version = "1.0"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\ProgID
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\ProgID\ = "nuriweb.nuriweb"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\InprocServer32
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\InprocServer32\ThreadingModel = "Apartment"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\0
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\0\win32
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\ = "Inuriweb"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\ = "nuriweb Object"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\ = "Inuriweb"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\0\win32\ = "C:\\Program Files\\nuri-web\\nuriweb.dll"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\HELPDIR
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\TypeLib
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\FLAGS
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\ProxyStubClsid32
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\TypeLib\Version = "1.0"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\nuriweb.nuriweb\Clsid\ = "{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\Version\ = "1.0"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\TypeLib\ = "{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\ProxyStubClsid32
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\InprocServer32\ = "C:\\PROGRA~1\\nuri-web\\nuriweb.dll"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\nuriweb.nuriweb

Suspicious use of WriteProcessMemory  (15 IoCs)
  description                       pid   process                               procid_target
  PID 1684 wrote to memory of 2284  1684  8fedbd9e477e16a12f812c2b77f18d20.exe  83
  PID 1684 wrote to memory of 2284  1684  8fedbd9e477e16a12f812c2b77f18d20.exe  83
  PID 1684 wrote to memory of 2284  1684  8fedbd9e477e16a12f812c2b77f18d20.exe  83
  PID 2284 wrote to memory of 1628  2284  nuriweb_setup_09.exe                  89
  PID 2284 wrote to memory of 1628  2284  nuriweb_setup_09.exe                  89
  PID 2284 wrote to memory of 1628  2284  nuriweb_setup_09.exe                  89
  PID 1628 wrote to memory of 4948  1628  is-CVQJF.tmp                          93
  PID 1628 wrote to memory of 4948  1628  is-CVQJF.tmp                          93
  PID 1628 wrote to memory of 4948  1628  is-CVQJF.tmp                          93
  PID 1684 wrote to memory of 5040  1684  8fedbd9e477e16a12f812c2b77f18d20.exe  90
  PID 1684 wrote to memory of 5040  1684  8fedbd9e477e16a12f812c2b77f18d20.exe  90
  PID 1684 wrote to memory of 5040  1684  8fedbd9e477e16a12f812c2b77f18d20.exe  90
  PID 1628 wrote to memory of 1368  1628  is-CVQJF.tmp                          94
  PID 1628 wrote to memory of 1368  1628  is-CVQJF.tmp                          94
  PID 1628 wrote to memory of 1368  1628  is-CVQJF.tmp                          94
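The registry rows above are what an analyst actually wants to pivot on: the Run value gives the persistence command, the Browser Helper Objects key gives the CLSID, and the CLSID's InprocServer32 default value gives the DLL that Internet Explorer will load. The following Python is an added example, not part of the sandbox report: it parses rows in the shape the page prints them ("<action> <key>[ = "<data>"] <process>", with backslashes doubled inside quoted data), links the BHO CLSID to its DLL, and emits reg.exe queries to confirm the IoCs on a suspect host. The rows in REPORT_ROWS are copied from this page; the row grammar and the "(Default)" convention for a trailing backslash are assumptions made for the parser.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Rows copied from this report's signature tables (constructed list for the example).
REPORT_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nuriweb = "c:\\program files\\nuri-web\\nuriweb.exe" is-CVQJF.tmp',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\NoExplorer = "1" _RegDLL.tmp',
    r'Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E} _RegDLL.tmp',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\InprocServer32 _RegDLL.tmp',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\InprocServer32\ThreadingModel = "Apartment" _RegDLL.tmp',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\InprocServer32\ = "C:\\PROGRA~1\\nuri-web\\nuriweb.dll" _RegDLL.tmp',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\ProgID\ = "nuriweb.nuriweb" _RegDLL.tmp',
    r'Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation 8fedbd9e477e16a12f812c2b77f18d20.exe',
]

# Row grammar as printed by the sandbox (assumed from the page): the process name is the last token.
SET_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.*?) = "(.*)" (\S+)$')
KEY_RE = re.compile(r'^(Key created|Key value queried) (\\REGISTRY\\.*) (\S+)$')
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')


@dataclass(frozen=True)
class RegIoc:
    action: str            # "set", "create" or "query"
    key: str               # NT-native key path (for "set": the key holding the value)
    value_name: str        # "" for create/query, "(Default)" for a key's default value
    data: Optional[str]    # unescaped data for "set" rows, else None
    process: str           # process the sandbox attributed the operation to


def parse_row(row: str) -> RegIoc:
    m = SET_RE.match(row)
    if m:
        _kind, path, data, proc = m.groups()
        key, _, name = path.rpartition("\\")       # trailing "\" in the page means the default value
        return RegIoc("set", key, name or "(Default)", data.replace("\\\\", "\\"), proc)
    m = KEY_RE.match(row)
    if m:
        what, key, proc = m.groups()
        return RegIoc("create" if what == "Key created" else "query", key, "", None, proc)
    raise ValueError(f"unrecognised row: {row!r}")


def run_keys(iocs):
    r"""(value name, command, writer) for every value written under ...\CurrentVersion\Run."""
    return [(i.value_name, i.data, i.process) for i in iocs
            if i.action == "set" and i.key.lower().endswith("\\currentversion\\run")]


def bho_clsids(iocs):
    r"""CLSIDs registered under ...\Explorer\Browser Helper Objects\{CLSID}."""
    found = set()
    for i in iocs:
        m = CLSID_RE.search(i.key)
        if m and "\\browser helper objects\\" in i.key.lower():
            found.add(m.group(0).upper())
    return found


def inproc_server(iocs, clsid):
    r"""The DLL COM will load for clsid: the default value of CLSID\{clsid}\InprocServer32."""
    suffix = f"\\CLSID\\{clsid}\\INPROCSERVER32"
    for i in iocs:
        if i.action == "set" and i.value_name == "(Default)" and i.key.upper().endswith(suffix):
            return i.data
    return None


def to_reg_path(nt_key):
    """Translate the NT-native path the sandbox logs into the HKLM/HKU form reg.exe expects."""
    for prefix, hive in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")):
        if nt_key.upper().startswith(prefix):
            return hive + nt_key[len(prefix):]
    raise ValueError(nt_key)


def summarize(rows):
    """Persistence-relevant IoCs as structured data, plus reg.exe queries that confirm them."""
    iocs = [parse_row(r) for r in rows]
    bho = {c: inproc_server(iocs, c) for c in bho_clsids(iocs)}
    queries = [f'reg query "{to_reg_path(i.key)}" /v {i.value_name}'
               for i in iocs if i.action == "set" and i.key.lower().endswith("\\currentversion\\run")]
    queries += [f'reg query "{to_reg_path(i.key)}"'
                for i in iocs if i.action == "create" and "\\browser helper objects\\" in i.key.lower()]
    return {"run_keys": run_keys(iocs), "bho": bho, "queries": queries}


if __name__ == "__main__":
    for name, value in summarize(REPORT_ROWS).items():
        print(f"{name}: {value}")
```

Run it and the bho entry resolves {AAED77EA-6F21-4539-B8D9-9276A2E1B96E} to C:\PROGRA~1\nuri-web\nuriweb.dll, which is the file to pull and hash on an affected host; the two reg query lines can be pasted into an elevated prompt as they stand (the HKU query needs the SID of the user that ran the installer, which the sandbox row carries).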
Processes

C:\Users\Admin\AppData\Local\Temp\8fedbd9e477e16a12f812c2b77f18d20.exe  (PID 1684)
    command line: "C:\Users\Admin\AppData\Local\Temp\8fedbd9e477e16a12f812c2b77f18d20.exe"
    - Checks computer location settings
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe  (PID 2284, child of 1684)
      command line: "C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe" /VERYSILENT
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp  (PID 1628, child of 2284)
        command line: "C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp" /SL4 $6011C "C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe" 1209921 57344 /VERYSILENT
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe  (PID 4948, child of 1628)
          command line: "C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\nuri-web\del_bat.cmd""

      C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp  (PID 1368, child of 1628)
          command line: _RegDLL.tmp 1216 1156
          - Executes dropped EXE
          - Loads dropped DLL
          - Installs/modifies Browser Helper Object
          - Modifies registry class

  C:\Windows\SysWOW64\cmd.exe  (PID 5040, child of 1684)
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\del_nsis_bat.cmd" "
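The nesting above can be rebuilt mechanically from the "Suspicious use of WriteProcessMemory" rows in the Signatures section: every CreateProcess shows up as three writes by the parent into the new child, so deduplicating the rows yields the parent/child edges. The following Python is an added example, not part of the sandbox report: it deduplicates those rows, reconstructs the tree, cross-checks the description against the pid column, and flags installer stages from the command lines. The rows and command lines are copied from this page; reading `/SL4` as the Inno Setup loader relaunching its unpacked setup stub is my interpretation, not something the page states.

```python
import re
from collections import defaultdict

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")

# The 15 WriteProcessMemory rows in the report's order (constructed list, copied from the page;
# each CreateProcess appears three times because the sandbox records three writes into the child).
WPM_ROWS = (
    ["PID 1684 wrote to memory of 2284 1684 8fedbd9e477e16a12f812c2b77f18d20.exe 83"] * 3
    + ["PID 2284 wrote to memory of 1628 2284 nuriweb_setup_09.exe 89"] * 3
    + ["PID 1628 wrote to memory of 4948 1628 is-CVQJF.tmp 93"] * 3
    + ["PID 1684 wrote to memory of 5040 1684 8fedbd9e477e16a12f812c2b77f18d20.exe 90"] * 3
    + ["PID 1628 wrote to memory of 1368 1628 is-CVQJF.tmp 94"] * 3
)

# Command lines from the Processes section, keyed by PID (copied from the page).
COMMAND_LINES = {
    1684: r'"C:\Users\Admin\AppData\Local\Temp\8fedbd9e477e16a12f812c2b77f18d20.exe"',
    2284: r'"C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe" /VERYSILENT',
    1628: r'"C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp" /SL4 $6011C '
          r'"C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe" 1209921 57344 /VERYSILENT',
    4948: r'"C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\nuri-web\del_bat.cmd""',
    1368: r"_RegDLL.tmp 1216 1156",
    5040: r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\del_nsis_bat.cmd" "',
}


def parse_edges(rows):
    """Deduplicated (parent_pid, child_pid, parent_image, target_id) edges in first-seen order."""
    seen, edges = set(), []
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        writer, target, pid, image, target_id = m.groups()
        if writer != pid:                      # the description and the pid column must agree
            raise ValueError(f"inconsistent row: {row!r}")
        edge = (int(writer), int(target), image, int(target_id))
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_tree(edges):
    children, parents = defaultdict(list), {}
    for parent, child, _, _ in edges:
        children[parent].append(child)
        parents[child] = parent
    roots = [p for p in children if p not in parents]
    return children, parents, roots


def chains(edges):
    """One 'root > ... > leaf' PID chain per leaf process, sorted."""
    children, parents, _ = build_tree(edges)
    result = []
    for leaf in (c for c in parents if c not in children):
        path = [leaf]
        while path[-1] in parents:
            path.append(parents[path[-1]])
        result.append(" > ".join(str(p) for p in reversed(path)))
    return sorted(result)


def image_name(cmdline):
    """Base name of the executable in a command line (quoted or bare first token)."""
    exe = cmdline[1:].split('"', 1)[0] if cmdline.startswith('"') else cmdline.split(" ", 1)[0]
    return exe.rsplit("\\", 1)[-1]


def render(edges, cmdlines):
    """Indented process tree; leaf names come from the command lines, inner names from the rows."""
    names = {parent: image for parent, _, image, _ in edges}
    names.update({pid: image_name(cl) for pid, cl in cmdlines.items() if pid not in names})
    children, _, roots = build_tree(edges)
    lines = []

    def walk(pid, depth):
        cl = cmdlines.get(pid, "")
        flags = []
        if "/VERYSILENT" in cl:
            flags.append("silent install")
        if " /SL4 " in cl:                     # assumption: Inno Setup loader relaunching the setup stub
            flags.append("Inno Setup second stage")
        suffix = f"  [{', '.join(flags)}]" if flags else ""
        lines.append(f"{'  ' * depth}{names.get(pid, '?')} (PID {pid}){suffix}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(parse_edges(WPM_ROWS), COMMAND_LINES)))
```

The reconstructed tree has one root (1684) and three leaves (4948, 1368, 5040), matching the Processes section; a mismatch between this output and the sandbox's own tree would point at a CreateProcess the WriteProcessMemory signature missed, which is worth knowing before relying on that signature for triage elsewhere.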
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize 202B
  MD5     1facd5b5a62fc3c72c6b0157d2a2697f
  SHA1    5c89dbbee5598a435b2be32a0fa77ed1ebe306b0
  SHA256  c4c9323a9995f02dd3ad14c1771ae3cce77b873f79ece5b48866349827d09114
  SHA512  6ec3e6ee6608e652e54a849dc090805cca34bda9ccfdaf34723290e110b29eb7b2e517b82eb463ad1c527299d5a929a974f2cc384784562b6270f3e977398a7a

Filesize 746KB
  MD5     c93e460a70541233bfeb50b31e5d5fef
  SHA1    a7fcdcd6fbfdd2dd0278c50e7712664f5f1e594b
  SHA256  738191ea3025141d155436f4c00b45cff8064b4c53ec6b184ef77e71433c6c09
  SHA512  936675509518ce9778120630469cb76bada2f57119042433bdcb27d18c86626d2757eba65262fc5e8dae77db9bc06813cd779f9931e556db1da2318cbe6d757b

Filesize 756KB
  MD5     87f16156e85e783f801fbe1b4f386596
  SHA1    d3eff0bb89a840b2cae9d4a35377260058712cbf
  SHA256  a40352dee10e8657abc20674cbaa8728479dfa48483f68febcfdd51cafef384c
  SHA512  a25cbf3a87ee1138a3d75ef0123f8eb3e7e044f847b916784c8a0eb4028d4d9d78175ef29d8e8d6b7781f022630423a265d5e01096d67283f160ea2fcdc4c7a8

Filesize 429KB
  MD5     ea3577ff84ed57d4bc86278bacb00b1b
  SHA1    54f28342f3f3cce8b98a3c170d63247f4af19fe7
  SHA256  379861ccd5a88e71f911581bea92f275bdea8f674e8c761e4d701afb5d586ee4
  SHA512  73c226fc6f45424d5e5dad42b8cdd48c69ef4f3e6cef9ab0e2d4f62e1649f9dbba2c91b176491df54e0e3cffa3720bc4d1bcda51f4b9467d587809f4f0f87021

Filesize 275KB
  MD5     ca32bd7555d692fae488ec5864ce0ebc
  SHA1    7cb21ae715ab154ac4658bb9d04348865577c25a
  SHA256  f2aec7bf629d289ebd69abfa6f7296c8e349ae7384d261b3462db99dd86435fa
  SHA512  d848ab9f2c552b0bb320df3981a1ee6c7ce3befb2fd37d4659a564cea95d2bdf41702fa6e465070aa0f7272ba21ab26ca1bec96702345cc7a0d7e8bc1ed42b44

Filesize 257B
  MD5     37e82a46f543bd6b3d04623280098fe6
  SHA1    d21fa52fe1d7662d3fa342c8e7ce87a8d3fab2c5
  SHA256  b4006c5fdc77f4bbf0658668edebe6ba8818a0935bd4f29c13b1ff9ddf0707a7
  SHA512  1e236767976c569045167489d4701fa4286a844568cf532b6080d1007c366a11321b802c58b17b135b16eaff898f445c5b270bc3ecdb8c1d7523413fa3b2b1fb

Filesize 3KB
  MD5     c594b792b9c556ea62a30de541d2fb03
  SHA1    69e0207515e913243b94c2d3a116d232ff79af5f
  SHA256  5dcc1e0a197922907bca2c4369f778bd07ee4b1bbbdf633e987a028a314d548e
  SHA512  387bd07857b0de67c04e0abf89b754691683f30515726045ff382da9b6b7f36570e38fae9eca5c4f0110ce9bb421d8045a5ec273c4c47b5831948564763ed144

Filesize 604KB
  MD5     b27fcbe50d1dfcfb06c867fb39be2aac
  SHA1    7793946bfb2bf902c1ce5b8a23537d458708aa05
  SHA256  39e9eb81d99508be615becb0a4e5f2059638ab95c45712a598983dfe77abd51c
  SHA512  2c2049044a6cdc9fed7c8534a66ac2dbeccac58ba29808647e69e036dfa65adadd1d61fa42e432dbaf41e514df67a6d0f498cd79484abe85b31c92f6582cf34d

Filesize 592KB
  MD5     2c79756045f159e06de9e75b33d0c4bf
  SHA1    c05f3693d5b1b09c544e5845137c82f24278873e
  SHA256  0d9bb29b273f866f1fc85b9f0b19483ecd57b20b53befd87cd1bc8d810cd2b10
  SHA512  996eea70169e72611f7d2c283e8d25cadcdf024e7121001859c2d561e4facff187e7d698568d3ec1bcbad9bb72fdcba5097852bdeebc1e80e5ceed46bd7fdee1