Analysis
-
max time kernel
151s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
04/02/2024, 19:10
Static task
static1
Behavioral task
behavioral1
Sample
8fedbd9e477e16a12f812c2b77f18d20.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
8fedbd9e477e16a12f812c2b77f18d20.exe
Resource
win10v2004-20231222-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20231215-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral5
Sample
nuriweb_setup_09.exe
Resource
win7-20231215-en
Behavioral task
behavioral6
Sample
nuriweb_setup_09.exe
Resource
win10v2004-20231215-en
General
-
Target
nuriweb_setup_09.exe
-
Size
1.4MB
-
MD5
3dff19046a4f35845470fdbb70ef7269
-
SHA1
c8d0f6142aa0af7b7fdde19b756aea76be4db2b6
-
SHA256
2a6df78a47c76d1b1fa2bcb4f1dc6cdeaa3d8605c09db01b34664242c1c58eb2
-
SHA512
3ef61f557303d57eb5b8d791b2c599b50f050ce7be8bea11ed395db8f07e797d44d1c915bb572d3f0d4d131edcff99681bd5978a92f9d2e48f0fa1935702e291
-
SSDEEP
24576:BfOyq/gnp9nn1Mp01xYTLcBZ9S3kABDjHDgE1watY040gbQPSCqADZQwBJ6eiajg:BGMp51Mp07YTIHCjf140gbPCqAmCJ6Ug
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 4856 is-8SDSL.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4776 wrote to memory of 4856 4776 nuriweb_setup_09.exe 84 PID 4776 wrote to memory of 4856 4776 nuriweb_setup_09.exe 84 PID 4776 wrote to memory of 4856 4776 nuriweb_setup_09.exe 84 PID 4856 wrote to memory of 1784 4856 is-8SDSL.tmp 85 PID 4856 wrote to memory of 1784 4856 is-8SDSL.tmp 85 PID 4856 wrote to memory of 1784 4856 is-8SDSL.tmp 85
Processes
-
C:\Users\Admin\AppData\Local\Temp\nuriweb_setup_09.exe"C:\Users\Admin\AppData\Local\Temp\nuriweb_setup_09.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Users\Admin\AppData\Local\Temp\is-76QDD.tmp\is-8SDSL.tmp"C:\Users\Admin\AppData\Local\Temp\is-76QDD.tmp\is-8SDSL.tmp" /SL4 $4021A "C:\Users\Admin\AppData\Local\Temp\nuriweb_setup_09.exe" 1209921 573442⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\del_bat.cmd""3⤵PID:1784
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
208B
MD5303d340adc5eda8d6b56339554162a90
SHA1a4f9810ff2b24cf7134155469f687e79b40b9c9d
SHA2567aa8102e5cf816a3d1a39f01c94455567517a68e16722ec91314f64c213101fe
SHA512bdf4a4496c47e639f3ee6a35c8bc1a1cd7458781c66c3505b771da1f3b889354f909b0d2bddb21ef2b1873d44c2728e0d304077aa59865ac4f958f4b8758b18e
-
Filesize
661KB
MD5f745b25cab277f7f9adef431504cd2f7
SHA10e879e4b8e8900c5b7c1300f61bb6059d88da267
SHA2563aa09fb7d514ee7ad7e98e009bf9fc4891150772b280b975410da9be37dd634d
SHA512ae072e23f7fa34f9752e756ef470f0d6df39286c920822c4404ace0b6723aff4b2f7cea7208a5a7c8efa16e3a03a36e04eda7459c09bb0342b8f15e5ae3cc59d