Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
04/02/2024, 19:10
Static task
static1
Behavioral task
behavioral1
Sample
8fedbd9e477e16a12f812c2b77f18d20.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
8fedbd9e477e16a12f812c2b77f18d20.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
nuriweb_setup_09.exe
Resource
win7-20231215-en
Behavioral task
behavioral6
Sample
nuriweb_setup_09.exe
Resource
win10v2004-20231215-en
General
-
Target
nuriweb_setup_09.exe
-
Size
1.4MB
-
MD5
3dff19046a4f35845470fdbb70ef7269
-
SHA1
c8d0f6142aa0af7b7fdde19b756aea76be4db2b6
-
SHA256
2a6df78a47c76d1b1fa2bcb4f1dc6cdeaa3d8605c09db01b34664242c1c58eb2
-
SHA512
3ef61f557303d57eb5b8d791b2c599b50f050ce7be8bea11ed395db8f07e797d44d1c915bb572d3f0d4d131edcff99681bd5978a92f9d2e48f0fa1935702e291
-
SSDEEP
24576:BfOyq/gnp9nn1Mp01xYTLcBZ9S3kABDjHDgE1watY040gbQPSCqADZQwBJ6eiajg:BGMp51Mp07YTIHCjf140gbPCqAmCJ6Ug
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 3044 is-0VBRK.tmp -
Loads dropped DLL 3 IoCs
pid Process 2932 nuriweb_setup_09.exe 3044 is-0VBRK.tmp 3044 is-0VBRK.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3044 is-0VBRK.tmp -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2932 wrote to memory of 3044 2932 nuriweb_setup_09.exe 28 PID 2932 wrote to memory of 3044 2932 nuriweb_setup_09.exe 28 PID 2932 wrote to memory of 3044 2932 nuriweb_setup_09.exe 28 PID 2932 wrote to memory of 3044 2932 nuriweb_setup_09.exe 28 PID 2932 wrote to memory of 3044 2932 nuriweb_setup_09.exe 28 PID 2932 wrote to memory of 3044 2932 nuriweb_setup_09.exe 28 PID 2932 wrote to memory of 3044 2932 nuriweb_setup_09.exe 28 PID 3044 wrote to memory of 1980 3044 is-0VBRK.tmp 29 PID 3044 wrote to memory of 1980 3044 is-0VBRK.tmp 29 PID 3044 wrote to memory of 1980 3044 is-0VBRK.tmp 29 PID 3044 wrote to memory of 1980 3044 is-0VBRK.tmp 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\nuriweb_setup_09.exe"C:\Users\Admin\AppData\Local\Temp\nuriweb_setup_09.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Users\Admin\AppData\Local\Temp\is-E86UJ.tmp\is-0VBRK.tmp"C:\Users\Admin\AppData\Local\Temp\is-E86UJ.tmp\is-0VBRK.tmp" /SL4 $3014E "C:\Users\Admin\AppData\Local\Temp\nuriweb_setup_09.exe" 1209921 573442⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\del_bat.cmd""3⤵PID:1980
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
208B
MD5303d340adc5eda8d6b56339554162a90
SHA1a4f9810ff2b24cf7134155469f687e79b40b9c9d
SHA2567aa8102e5cf816a3d1a39f01c94455567517a68e16722ec91314f64c213101fe
SHA512bdf4a4496c47e639f3ee6a35c8bc1a1cd7458781c66c3505b771da1f3b889354f909b0d2bddb21ef2b1873d44c2728e0d304077aa59865ac4f958f4b8758b18e
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
661KB
MD5f745b25cab277f7f9adef431504cd2f7
SHA10e879e4b8e8900c5b7c1300f61bb6059d88da267
SHA2563aa09fb7d514ee7ad7e98e009bf9fc4891150772b280b975410da9be37dd634d
SHA512ae072e23f7fa34f9752e756ef470f0d6df39286c920822c4404ace0b6723aff4b2f7cea7208a5a7c8efa16e3a03a36e04eda7459c09bb0342b8f15e5ae3cc59d