Analysis Overview
SHA256
497d46eecb32775155b8b1ea64c705bfc67f63b970c38d5f27fc62ac4a53403d
Threat Level: Shows suspicious behavior
Verdict for 8fedbd9e477e16a12f812c2b77f18d20: shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
UPX packed file
Deletes itself
ACProtect 1.3x - 1.4x DLL software
Checks installed software on the system
Installs/modifies Browser Helper Object
Adds Run key to start application
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Program crash
NSIS installer
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-04 19:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-04 19:10
Reported
2024-02-04 19:12
Platform
win7-20231215-en
Max time kernel
117s
Max time network
118s
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fedbd9e477e16a12f812c2b77f18d20.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\nuriweb = "c:\\program files\\nuri-web\\nuriweb.exe" | C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E} | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\nuri-web\del_bat.cmd | C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp | N/A |
| File created | C:\Program Files\nuri-web\is-Q1SOP.tmp | C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp | N/A |
| File created | C:\Program Files\nuri-web\is-M0SOA.tmp | C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp | N/A |
| File created | C:\Program Files\nuri-web\is-HLQBI.tmp | C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp | N/A |
| File opened for modification | C:\Program Files\nuri-web\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp | N/A |
| File created | C:\Program Files\nuri-web\is-6H2T7.tmp | C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp | N/A |
| File created | C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe | C:\Users\Admin\AppData\Local\Temp\8fedbd9e477e16a12f812c2b77f18d20.exe | N/A |
| File created | C:\Program Files\nuri-web\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp | N/A |
| File created | C:\Program Files\nuri-web\is-364GA.tmp | C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp | N/A |
| File created | C:\Program Files\nuri-web\is-VQR3U.tmp | C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp | N/A |
| File created | C:\Program Files\nuri-web\is-AT8F3.tmp | C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F} | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F} | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\ProgID\ = "nuriweb.nuriweb" | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\Version\ = "1.0" | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0 | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\Version | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\ = "nuriweb Class" | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\ = "nuriweb Library" | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\ = "nuriweb Object" | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\nuriweb.nuriweb\ = "nuriweb Object" | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\nuriweb.nuriweb\Clsid | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\nuriweb.nuriweb\Clsid\ = "{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}" | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\TypeLib | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\TypeLib\ = "{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}" | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\TypeLib\ = "{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}" | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\ = "Inuriweb" | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\TypeLib\ = "{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}" | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\nuriweb.nuriweb | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\InprocServer32\ = "C:\\PROGRA~1\\nuri-web\\nuriweb.dll" | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\0\win32\ = "C:\\Program Files\\nuri-web\\nuriweb.dll" | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\ = "Inuriweb" | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E} | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F} | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\HELPDIR\ = "C:\\Program Files\\nuri-web\\" | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\ProgID | C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp | N/A |
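Taken together, the `_RegDLL.tmp` rows are an ordinary COM in-process server registration (CLSID, ProgID, TypeLib, InprocServer32) plus the one key that matters for persistence: the CLSID listed under `Explorer\Browser Helper Objects`, which makes Internet Explorer load the DLL at startup. Every Classes write lands under `Wow6432Node`, the 32-bit registry view, so the DLL is a 32-bit in-proc server. The Python below is an added example, not part of the sandbox report, that rebuilds that chain from the event rows: it finds the BHO CLSID, follows it to `InprocServer32` to learn which DLL will be loaded, pulls the TypeLib's win32 path, and lists the Run-key entry. The sample rows are copied from the tables above; `NoExplorer = 1` is the documented switch that stops Windows Explorer (but not Internet Explorer) from loading a BHO, and the `PROGRA~1` to `Program Files` mapping is an assumption about a default install.

```python
import re

# Constructed sample: eight rows copied from the behavioral1 "Adds Run key",
# "Installs/modifies Browser Helper Object" and "Modifies registry class" tables,
# kept in the report's own '<op> | <path> = "<value>"' form (backslashes doubled).
SAMPLE_EVENTS = r'''
Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\nuriweb = "c:\\program files\\nuri-web\\nuriweb.exe"
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\NoExplorer = "1"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\ProgID\ = "nuriweb.nuriweb"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\InprocServer32\ = "C:\\PROGRA~1\\nuri-web\\nuriweb.dll"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\InprocServer32\ThreadingModel = "Apartment"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\TypeLib\ = "{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\0\win32\ = "C:\\Program Files\\nuri-web\\nuriweb.dll"
'''

EVENT_RE = re.compile(r"^(?P<op>Key created|Set value \((?:str|int)\)) \| (?P<rest>.+)$")
BHO_RE = re.compile(r"\\browser helper objects\\(\{[0-9a-f-]{36}\})$")
CLASSES = r"\registry\machine\software\classes"

def parse_events(text):
    """Rebuild a case-insensitive registry view: {key path: {value name: data}}."""
    reg = {}
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        if m.group("op") == "Key created":
            reg.setdefault(rest.lower(), {})
            continue
        path, _, raw = rest.partition(' = "')
        data = raw.rstrip('"').replace("\\\\", "\\")   # undo the report's doubled backslashes
        key, _, name = path.rpartition("\\")           # a trailing "\" means the (Default) value
        reg.setdefault(key.lower(), {})[name.lower()] = data
    return reg

def find_bhos(reg):
    """(CLSID, ie_only) for every key under Explorer\\Browser Helper Objects, either view.
    NoExplorer=1 tells Windows Explorer not to load the BHO; Internet Explorer still does."""
    out = []
    for key in sorted(reg):
        m = BHO_RE.search(key)
        if m:
            out.append((m.group(1).upper(), reg[key].get("noexplorer") == "1"))
    return out

def resolve_clsid(reg, clsid):
    """Follow CLSID -> InprocServer32 to learn which DLL is loaded in-process."""
    for view in (CLASSES + r"\wow6432node\clsid", CLASSES + r"\clsid"):
        base = view + "\\" + clsid.lower()
        inproc = reg.get(base + r"\inprocserver32")
        if inproc is None:
            continue
        return {
            "clsid": clsid.upper(),
            "dll": inproc.get(""),
            "threading_model": inproc.get("threadingmodel"),
            "prog_id": reg.get(base + r"\progid", {}).get(""),
            "type_lib": reg.get(base + r"\typelib", {}).get(""),
        }
    return None

def typelib_win32_path(reg, type_lib):
    key = CLASSES + r"\typelib" + "\\" + type_lib.lower() + r"\1.0\0\win32"
    return reg.get(key, {}).get("")

def normalize_path(path):
    # Assumption for this example: PROGRA~1 is the 8.3 alias of "Program Files" on a
    # default install. The InprocServer32 value above uses it, so a plain
    # "Program Files" string match would miss the DLL.
    return path.lower().replace("progra~1", "program files")

def find_run_entries(reg):
    return sorted((name, cmd) for key, vals in reg.items()
                  if key.endswith(r"\currentversion\run") for name, cmd in vals.items())

def triage(text):
    reg = parse_events(text)
    bhos = []
    for clsid, ie_only in find_bhos(reg):
        srv = resolve_clsid(reg, clsid)
        paths = {normalize_path(srv["dll"])} if srv and srv["dll"] else set()
        tl = typelib_win32_path(reg, srv["type_lib"]) if srv and srv["type_lib"] else None
        if tl:
            paths.add(normalize_path(tl))
        bhos.append({"clsid": clsid, "ie_only": ie_only, "server": srv,
                     "dll_paths": sorted(paths)})
    return {"bhos": bhos, "run_entries": find_run_entries(reg)}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

On the sample rows the CLSID resolves to a single DLL that the report spells two ways (`C:\PROGRA~1\nuri-web\nuriweb.dll` in InprocServer32, `C:\Program Files\nuri-web\nuriweb.dll` in the TypeLib), which is why the paths are normalized before being listed as artifacts to collect or remove. Note that the Run key points at `nuriweb.exe`, a file the report never shows being dropped, so that entry should be checked on a live host rather than assumed to work.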
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8fedbd9e477e16a12f812c2b77f18d20.exe
"C:\Users\Admin\AppData\Local\Temp\8fedbd9e477e16a12f812c2b77f18d20.exe"
C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe
"C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe" /VERYSILENT
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\del_nsis_bat.cmd" "
C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp" /SL4 $2009A "C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe" 1209921 57344 /VERYSILENT
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\nuri-web\del_bat.cmd""
C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp
_RegDLL.tmp 544 536
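The process list is flat, with no parent/child links, but the command lines still tell the story: the submitted sample drops `nuriweb_setup_09.exe` into Program Files (x86) and runs it with `/VERYSILENT`; that Inno Setup installer extracts its second-stage loader (`is-1RE34.tmp\is-36JLA.tmp`) into Temp and re-launches it with the internal `/SL4` switch, whose quoted argument names the installer that spawned it; `_RegDLL.tmp` is Inno Setup's helper for registering DLLs; and two `cmd.exe` instances run `del_nsis_bat.cmd` and `del_bat.cmd` for cleanup. The Python below is an added example, not part of the report, that tags each process from its image path and command line and recovers the parent installer from the `/SL4` argument. The tag names and the "del in the script name" heuristic are mine, not anything the report defines.

```python
import re
from dataclasses import dataclass

# Constructed sample: the six image / command-line pairs from the behavioral1
# "Processes" list above, in the order the report prints them.
SAMPLE_PROCESSES = r'''
C:\Users\Admin\AppData\Local\Temp\8fedbd9e477e16a12f812c2b77f18d20.exe
"C:\Users\Admin\AppData\Local\Temp\8fedbd9e477e16a12f812c2b77f18d20.exe"
C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe
"C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe" /VERYSILENT
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\del_nsis_bat.cmd" "
C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp" /SL4 $2009A "C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe" 1209921 57344 /VERYSILENT
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\nuri-web\del_bat.cmd""
C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp
_RegDLL.tmp 544 536
'''

# Any drive-letter path ending in .cmd/.bat inside a command line.
SCRIPT_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:cmd|bat))\b', re.IGNORECASE)
# Inno Setup's internal second-stage switch: /SL4 (or /SL5) <handle> "<original setup exe>" ...
INNO_STAGE2_RE = re.compile(r'/SL[45]\s+\S+\s+"([^"]+)"', re.IGNORECASE)

@dataclass
class Proc:
    image: str
    cmdline: str
    tags: set

def classify(image, cmdline):
    """Tag one process from its image path and command line (tag names are mine)."""
    tags = set()
    img, cmd = image.lower(), cmdline.lower()
    if "\\appdata\\local\\temp\\" in img:
        tags.add("runs_from_temp")
    # Inno Setup's /SILENT and /VERYSILENT are case-insensitive; NSIS's /S is case-sensitive.
    if re.search(r"(?:^|\s)/(?:verysilent|silent)(?:\s|$)", cmd) or re.search(r"(?:^|\s)/S(?:\s|$)", cmdline):
        tags.add("silent_install")
    # Inno Setup extracts is-XXXXX.tmp\is-XXXXX.tmp into %TEMP% and re-launches it with /SL4.
    if re.search(r"\\is-[a-z0-9]+\.tmp\\is-[a-z0-9]+\.tmp$", img) and INNO_STAGE2_RE.search(cmdline):
        tags.add("inno_stage2")
    if img.endswith(r"\_isetup\_regdll.tmp"):      # Inno Setup's DLL-registration helper
        tags.add("inno_regdll_helper")
    if img.endswith(r"\cmd.exe"):
        scripts = SCRIPT_RE.findall(cmdline)
        if scripts:
            tags.add("batch_cleanup")
            # Heuristic (mine): a dropped script with "del" in its name is a self-delete candidate.
            if any("del" in s.rsplit("\\", 1)[-1].lower() for s in scripts):
                tags.add("self_delete_candidate")
    return tags

def parse_process_list(text):
    """The report prints each process as two lines: image path, then command line."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    return [Proc(img, cmd, classify(img, cmd)) for img, cmd in zip(lines[0::2], lines[1::2])]

def parent_installer(cmdline):
    """The quoted path after /SL4 is the setup.exe that spawned this stage-2 loader,
    which recovers a parent link the flat list does not give."""
    m = INNO_STAGE2_RE.search(cmdline)
    return m.group(1) if m else None

def cleanup_scripts(procs):
    return [s for p in procs if "batch_cleanup" in p.tags for s in SCRIPT_RE.findall(p.cmdline)]

def chain(procs):
    """Ordered (image basename, sorted tags) view of the whole detonation."""
    return [(p.image.rsplit("\\", 1)[-1], sorted(p.tags)) for p in procs]

if __name__ == "__main__":
    procs = parse_process_list(SAMPLE_PROCESSES)
    for name, tags in chain(procs):
        print(f"{name:45} {', '.join(tags)}")
    print("cleanup scripts:", cleanup_scripts(procs))
```

Two of the hits are worth keeping in mind when turning this into a detection: a silent Inno Setup run launched from another installer, and `cmd.exe /c` on a `del_*.cmd` dropped in Temp or the install directory, are both common in legitimate bundled installers, so the value here is the combination (silent nested installer, then a BHO registration, then cleanup), not any single tag.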
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | counter.nuri-web.com | udp |
| KR | 210.114.6.168:80 | counter.nuri-web.com | tcp |
Files
\Program Files (x86)\nuri-web\nuriweb_setup_09.exe
| MD5 | 3dff19046a4f35845470fdbb70ef7269 |
| SHA1 | c8d0f6142aa0af7b7fdde19b756aea76be4db2b6 |
| SHA256 | 2a6df78a47c76d1b1fa2bcb4f1dc6cdeaa3d8605c09db01b34664242c1c58eb2 |
| SHA512 | 3ef61f557303d57eb5b8d791b2c599b50f050ce7be8bea11ed395db8f07e797d44d1c915bb572d3f0d4d131edcff99681bd5978a92f9d2e48f0fa1935702e291 |
C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe
| MD5 | 6873a202f9b1988a080a04e4c98f1baa |
| SHA1 | 28263054dc0d51763c85f63258333946647b217b |
| SHA256 | 6b66258b031e26ab2ba62f6c4f06f29f454508abbf499c313d593029dd2dfa56 |
| SHA512 | 7a68b3fa91890c0d648a0bee50d11bda6ec79759f47d435a5c23abb9bbd49fdc044c77e0d839c064e4ba47955249320fdf65a0b72a4320b18586d4e3855cca91 |
\Program Files (x86)\nuri-web\nuriweb_setup_09.exe
| MD5 | d059252814454cdd2cfe7065d042fb50 |
| SHA1 | f3f345c0daed12c49d1050d155b4f57941f9dac8 |
| SHA256 | 59413a5fb3e9afa731966b0b2ecdf4178835d0f4340a5ac123c9b324e253dffa |
| SHA512 | 795f2fbe78b9bb4c9c4be0e778af8ef366495fd053840e16e9bf0af9fcfa42e2a27f6e88a863753a791aa1d4fbf5dcf3ccc5fe7c91b5aaf7bfa730ddca408d9d |
\Program Files (x86)\nuri-web\nuriweb_setup_09.exe
| MD5 | 135d473302849b192e812aefd2cbd38d |
| SHA1 | d8d4de5cf6660471b4f2be6a48b4ce4273b15969 |
| SHA256 | e7455d6d8c129e35db6f5c11dba425d66c1aaf936a3ab31c2d8518042883d874 |
| SHA512 | e4fd475b7a78650b36f876475dcc1992752d7bec96aca8a7b3b9bc644b29a0cf1e9e77cf847bdf67be560d0e029a3f8cf969dd72bb2812a1c303d623b80133fe |
memory/2776-16-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe
| MD5 | 1b266d2a395c88a1f7e12dcb8f5c401c |
| SHA1 | b23937b7311e1a30c1b5c17d7857bb814f32982d |
| SHA256 | a78701f9ad83756b9149a940b044846059fa1685d73035b5c0631da304776239 |
| SHA512 | d8ee48f7aa3d83336a984efe8879df477b93cc3d1a7d34ead0bb51a953d6f35db571aa54b7b030afb2db15f14d26ded8020e9e991e46fb8d2228d8b6025e83eb |
\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp
| MD5 | 2f5bd2847bc6ef3b58ebc59c747191f2 |
| SHA1 | f27d08e0ebd4817eb7b17eee89c82a11de91db48 |
| SHA256 | f57f4a38e304f7c4d640ea68f2191e0d08b44f6bbcc8d15a0d72c3d7abb87791 |
| SHA512 | 234857ccbb265c5f39c6f5815cee70c5219a5fb613b97635e0d2cb25675e3f2a5126082ef336ffdffda4e2219733273e01c0bfd7062829ffc06c150607b5d562 |
memory/2776-18-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\del_nsis_bat.cmd
| MD5 | 37e82a46f543bd6b3d04623280098fe6 |
| SHA1 | d21fa52fe1d7662d3fa342c8e7ce87a8d3fab2c5 |
| SHA256 | b4006c5fdc77f4bbf0658668edebe6ba8818a0935bd4f29c13b1ff9ddf0707a7 |
| SHA512 | 1e236767976c569045167489d4701fa4286a844568cf532b6080d1007c366a11321b802c58b17b135b16eaff898f445c5b270bc3ecdb8c1d7523413fa3b2b1fb |
C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp
| MD5 | 7b67ee14334e715ded8820ab11514651 |
| SHA1 | 81315d90dc4ed6c6ed25a694610b7f73be26d7d5 |
| SHA256 | 73d08ebd6fd1e512f08349bc47b483861333947e5faa5d55b01446c59b9073cf |
| SHA512 | 2e44237a26135101049b0df80a884623a4a89001e8950ed7b8bb05d6482c4eaf8899ae1a23de2af5a10a6b73ac60f9dbf4fe058639ec375a842347f1bb133eff |
C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp
| MD5 | 1b83c7e901be158e04f61259a9fb9347 |
| SHA1 | 1dc3bdae6a3ae82e141b8ee14eca3b296adde141 |
| SHA256 | f5222a3b76432e3fc1da1b2fe9a05dee51549e5630c9556fd3303645993f0bfa |
| SHA512 | 676240bf52dfe226da9fa8581c06eb24cf377a70d92d053d8e9f506c8f3d33f878ab1bdc35f24d8a1fce35177291f283e17ae05f36ddf9c4d3def689a8058142 |
C:\Program Files (x86)\nuri-web\del_bat.cmd
| MD5 | 1facd5b5a62fc3c72c6b0157d2a2697f |
| SHA1 | 5c89dbbee5598a435b2be32a0fa77ed1ebe306b0 |
| SHA256 | c4c9323a9995f02dd3ad14c1771ae3cce77b873f79ece5b48866349827d09114 |
| SHA512 | 6ec3e6ee6608e652e54a849dc090805cca34bda9ccfdaf34723290e110b29eb7b2e517b82eb463ad1c527299d5a929a974f2cc384784562b6270f3e977398a7a |
\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\Program Files\nuri-web\sqlite3.dll
| MD5 | ca32bd7555d692fae488ec5864ce0ebc |
| SHA1 | 7cb21ae715ab154ac4658bb9d04348865577c25a |
| SHA256 | f2aec7bf629d289ebd69abfa6f7296c8e349ae7384d261b3462db99dd86435fa |
| SHA512 | d848ab9f2c552b0bb320df3981a1ee6c7ce3befb2fd37d4659a564cea95d2bdf41702fa6e465070aa0f7272ba21ab26ca1bec96702345cc7a0d7e8bc1ed42b44 |
memory/2592-58-0x0000000002350000-0x000000000248A000-memory.dmp
\Program Files\nuri-web\nuriweb.dll
| MD5 | ea3577ff84ed57d4bc86278bacb00b1b |
| SHA1 | 54f28342f3f3cce8b98a3c170d63247f4af19fe7 |
| SHA256 | 379861ccd5a88e71f911581bea92f275bdea8f674e8c761e4d701afb5d586ee4 |
| SHA512 | 73c226fc6f45424d5e5dad42b8cdd48c69ef4f3e6cef9ab0e2d4f62e1649f9dbba2c91b176491df54e0e3cffa3720bc4d1bcda51f4b9467d587809f4f0f87021 |
C:\Program Files\nuri-web\nuriweb.dll
| MD5 | 4179e5d67eda72d0544709db908f5b1f |
| SHA1 | b7d5405d8bce6ea370a793f787b7076fab2bca0c |
| SHA256 | 73573f821d99f3b6b24e3ef8ec1c261ec0067302411b4815801a9080420f205b |
| SHA512 | 42228729b3db13a879d29b3ea52e0985cab984c4016a936e482fa4e75343603a728272508cf1ef8e175779c8317cd27954a9ef17997879f220f3cc6e4cc15c73 |
C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp
| MD5 | c594b792b9c556ea62a30de541d2fb03 |
| SHA1 | 69e0207515e913243b94c2d3a116d232ff79af5f |
| SHA256 | 5dcc1e0a197922907bca2c4369f778bd07ee4b1bbbdf633e987a028a314d548e |
| SHA512 | 387bd07857b0de67c04e0abf89b754691683f30515726045ff382da9b6b7f36570e38fae9eca5c4f0110ce9bb421d8045a5ec273c4c47b5831948564763ed144 |
memory/2932-63-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/2776-64-0x0000000000400000-0x0000000000414000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-04 19:10
Reported
2024-02-04 19:12
Platform
win10v2004-20231222-en
Max time kernel
90s
Max time network
149s
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8fedbd9e477e16a12f812c2b77f18d20.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nuriweb = "c:\\program files\\nuri-web\\nuriweb.exe" | C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E} | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\nuri-web\is-IUSJV.tmp | C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp | N/A |
| File created | C:\Program Files\nuri-web\is-IEJDJ.tmp | C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp | N/A |
| File created | C:\Program Files\nuri-web\is-LL7JM.tmp | C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp | N/A |
| File created | C:\Program Files\nuri-web\is-NR1Q8.tmp | C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp | N/A |
| File opened for modification | C:\Program Files\nuri-web\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp | N/A |
| File created | C:\Program Files (x86)\nuri-web\del_bat.cmd | C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp | N/A |
| File created | C:\Program Files\nuri-web\is-QMCQD.tmp | C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp | N/A |
| File created | C:\Program Files\nuri-web\is-FL1S1.tmp | C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp | N/A |
| File created | C:\Program Files\nuri-web\is-UF2PD.tmp | C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp | N/A |
| File created | C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe | C:\Users\Admin\AppData\Local\Temp\8fedbd9e477e16a12f812c2b77f18d20.exe | N/A |
| File created | C:\Program Files\nuri-web\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\TypeLib\ = "{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}" | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\nuriweb.nuriweb\Clsid | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\TypeLib\ = "{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}" | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\nuriweb.nuriweb\ = "nuriweb Object" | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F} | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\ = "nuriweb Library" | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F} | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\ = "nuriweb Class" | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\HELPDIR\ = "C:\\Program Files\\nuri-web\\" | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\Version | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\TypeLib | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F} | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\ProgID | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\ProgID\ = "nuriweb.nuriweb" | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\ = "Inuriweb" | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\ = "nuriweb Object" | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\ = "Inuriweb" | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E} | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0 | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\0\win32\ = "C:\\Program Files\\nuri-web\\nuriweb.dll" | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\nuriweb.nuriweb\Clsid\ = "{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}" | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\Version\ = "1.0" | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\TypeLib\ = "{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}" | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\InprocServer32\ = "C:\\PROGRA~1\\nuri-web\\nuriweb.dll" | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\nuriweb.nuriweb | C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8fedbd9e477e16a12f812c2b77f18d20.exe
"C:\Users\Admin\AppData\Local\Temp\8fedbd9e477e16a12f812c2b77f18d20.exe"
C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe
"C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe" /VERYSILENT
C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp
"C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp" /SL4 $6011C "C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe" 1209921 57344 /VERYSILENT
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\del_nsis_bat.cmd" "
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\nuri-web\del_bat.cmd""
C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp
_RegDLL.tmp 1216 1156
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | counter.nuri-web.com | udp |
| KR | 210.114.6.168:80 | counter.nuri-web.com | tcp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.6.114.210.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe
| MD5 | c93e460a70541233bfeb50b31e5d5fef |
| SHA1 | a7fcdcd6fbfdd2dd0278c50e7712664f5f1e594b |
| SHA256 | 738191ea3025141d155436f4c00b45cff8064b4c53ec6b184ef77e71433c6c09 |
| SHA512 | 936675509518ce9778120630469cb76bada2f57119042433bdcb27d18c86626d2757eba65262fc5e8dae77db9bc06813cd779f9931e556db1da2318cbe6d757b |
memory/2284-5-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe
| MD5 | 87f16156e85e783f801fbe1b4f386596 |
| SHA1 | d3eff0bb89a840b2cae9d4a35377260058712cbf |
| SHA256 | a40352dee10e8657abc20674cbaa8728479dfa48483f68febcfdd51cafef384c |
| SHA512 | a25cbf3a87ee1138a3d75ef0123f8eb3e7e044f847b916784c8a0eb4028d4d9d78175ef29d8e8d6b7781f022630423a265d5e01096d67283f160ea2fcdc4c7a8 |
C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp
| MD5 | 2c79756045f159e06de9e75b33d0c4bf |
| SHA1 | c05f3693d5b1b09c544e5845137c82f24278873e |
| SHA256 | 0d9bb29b273f866f1fc85b9f0b19483ecd57b20b53befd87cd1bc8d810cd2b10 |
| SHA512 | 996eea70169e72611f7d2c283e8d25cadcdf024e7121001859c2d561e4facff187e7d698568d3ec1bcbad9bb72fdcba5097852bdeebc1e80e5ceed46bd7fdee1 |
C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp
| MD5 | b27fcbe50d1dfcfb06c867fb39be2aac |
| SHA1 | 7793946bfb2bf902c1ce5b8a23537d458708aa05 |
| SHA256 | 39e9eb81d99508be615becb0a4e5f2059638ab95c45712a598983dfe77abd51c |
| SHA512 | 2c2049044a6cdc9fed7c8534a66ac2dbeccac58ba29808647e69e036dfa65adadd1d61fa42e432dbaf41e514df67a6d0f498cd79484abe85b31c92f6582cf34d |
C:\Program Files (x86)\nuri-web\del_bat.cmd
| MD5 | 1facd5b5a62fc3c72c6b0157d2a2697f |
| SHA1 | 5c89dbbee5598a435b2be32a0fa77ed1ebe306b0 |
| SHA256 | c4c9323a9995f02dd3ad14c1771ae3cce77b873f79ece5b48866349827d09114 |
| SHA512 | 6ec3e6ee6608e652e54a849dc090805cca34bda9ccfdaf34723290e110b29eb7b2e517b82eb463ad1c527299d5a929a974f2cc384784562b6270f3e977398a7a |
C:\Users\Admin\AppData\Local\Temp\del_nsis_bat.cmd
| MD5 | 37e82a46f543bd6b3d04623280098fe6 |
| SHA1 | d21fa52fe1d7662d3fa342c8e7ce87a8d3fab2c5 |
| SHA256 | b4006c5fdc77f4bbf0658668edebe6ba8818a0935bd4f29c13b1ff9ddf0707a7 |
| SHA512 | 1e236767976c569045167489d4701fa4286a844568cf532b6080d1007c366a11321b802c58b17b135b16eaff898f445c5b270bc3ecdb8c1d7523413fa3b2b1fb |
memory/1628-15-0x0000000000510000-0x0000000000511000-memory.dmp
C:\Program Files\nuri-web\nuriweb.dll
| MD5 | ea3577ff84ed57d4bc86278bacb00b1b |
| SHA1 | 54f28342f3f3cce8b98a3c170d63247f4af19fe7 |
| SHA256 | 379861ccd5a88e71f911581bea92f275bdea8f674e8c761e4d701afb5d586ee4 |
| SHA512 | 73c226fc6f45424d5e5dad42b8cdd48c69ef4f3e6cef9ab0e2d4f62e1649f9dbba2c91b176491df54e0e3cffa3720bc4d1bcda51f4b9467d587809f4f0f87021 |
C:\Program Files\nuri-web\sqlite3.dll
| MD5 | ca32bd7555d692fae488ec5864ce0ebc |
| SHA1 | 7cb21ae715ab154ac4658bb9d04348865577c25a |
| SHA256 | f2aec7bf629d289ebd69abfa6f7296c8e349ae7384d261b3462db99dd86435fa |
| SHA512 | d848ab9f2c552b0bb320df3981a1ee6c7ce3befb2fd37d4659a564cea95d2bdf41702fa6e465070aa0f7272ba21ab26ca1bec96702345cc7a0d7e8bc1ed42b44 |
memory/1368-46-0x0000000060900000-0x000000006096F000-memory.dmp
memory/1368-44-0x0000000002250000-0x000000000238A000-memory.dmp
memory/1368-42-0x0000000002250000-0x000000000238A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp
| MD5 | c594b792b9c556ea62a30de541d2fb03 |
| SHA1 | 69e0207515e913243b94c2d3a116d232ff79af5f |
| SHA256 | 5dcc1e0a197922907bca2c4369f778bd07ee4b1bbbdf633e987a028a314d548e |
| SHA512 | 387bd07857b0de67c04e0abf89b754691683f30515726045ff382da9b6b7f36570e38fae9eca5c4f0110ce9bb421d8045a5ec273c4c47b5831948564763ed144 |
memory/1628-51-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/2284-52-0x0000000000400000-0x0000000000414000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-02-04 19:10
Reported
2024-02-04 19:12
Platform
win7-20231215-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 248
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-02-04 19:10
Reported
2024-02-04 19:13
Platform
win10v2004-20231215-en
Max time kernel
92s
Max time network
150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4200 wrote to memory of 960 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4200 wrote to memory of 960 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4200 wrote to memory of 960 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 960 -ip 960
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 644
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-02-04 19:10
Reported
2024-02-04 19:12
Platform
win7-20231215-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-E86UJ.tmp\is-0VBRK.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nuriweb_setup_09.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-E86UJ.tmp\is-0VBRK.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-E86UJ.tmp\is-0VBRK.tmp | N/A |
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-E86UJ.tmp\is-0VBRK.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\nuriweb_setup_09.exe
"C:\Users\Admin\AppData\Local\Temp\nuriweb_setup_09.exe"
C:\Users\Admin\AppData\Local\Temp\is-E86UJ.tmp\is-0VBRK.tmp
"C:\Users\Admin\AppData\Local\Temp\is-E86UJ.tmp\is-0VBRK.tmp" /SL4 $3014E "C:\Users\Admin\AppData\Local\Temp\nuriweb_setup_09.exe" 1209921 57344
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\del_bat.cmd""
Network
Files
memory/2932-1-0x0000000000400000-0x0000000000414000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-E86UJ.tmp\is-0VBRK.tmp
| MD5 | f745b25cab277f7f9adef431504cd2f7 |
| SHA1 | 0e879e4b8e8900c5b7c1300f61bb6059d88da267 |
| SHA256 | 3aa09fb7d514ee7ad7e98e009bf9fc4891150772b280b975410da9be37dd634d |
| SHA512 | ae072e23f7fa34f9752e756ef470f0d6df39286c920822c4404ace0b6723aff4b2f7cea7208a5a7c8efa16e3a03a36e04eda7459c09bb0342b8f15e5ae3cc59d |
memory/3044-9-0x00000000003D0000-0x00000000003D1000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-34DJR.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
C:\Users\Admin\AppData\Local\Temp\del_bat.cmd
| MD5 | 303d340adc5eda8d6b56339554162a90 |
| SHA1 | a4f9810ff2b24cf7134155469f687e79b40b9c9d |
| SHA256 | 7aa8102e5cf816a3d1a39f01c94455567517a68e16722ec91314f64c213101fe |
| SHA512 | bdf4a4496c47e639f3ee6a35c8bc1a1cd7458781c66c3505b771da1f3b889354f909b0d2bddb21ef2b1873d44c2728e0d304077aa59865ac4f958f4b8758b18e |
memory/2932-19-0x0000000000400000-0x0000000000414000-memory.dmp
memory/3044-20-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/3044-23-0x00000000003D0000-0x00000000003D1000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-02-04 19:10
Reported
2024-02-04 19:13
Platform
win10v2004-20231215-en
Max time kernel
151s
Max time network
151s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-76QDD.tmp\is-8SDSL.tmp | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4776 wrote to memory of 4856 | N/A | C:\Users\Admin\AppData\Local\Temp\nuriweb_setup_09.exe | C:\Users\Admin\AppData\Local\Temp\is-76QDD.tmp\is-8SDSL.tmp |
| PID 4776 wrote to memory of 4856 | N/A | C:\Users\Admin\AppData\Local\Temp\nuriweb_setup_09.exe | C:\Users\Admin\AppData\Local\Temp\is-76QDD.tmp\is-8SDSL.tmp |
| PID 4776 wrote to memory of 4856 | N/A | C:\Users\Admin\AppData\Local\Temp\nuriweb_setup_09.exe | C:\Users\Admin\AppData\Local\Temp\is-76QDD.tmp\is-8SDSL.tmp |
| PID 4856 wrote to memory of 1784 | N/A | C:\Users\Admin\AppData\Local\Temp\is-76QDD.tmp\is-8SDSL.tmp | C:\Windows\SysWOW64\cmd.exe |
| PID 4856 wrote to memory of 1784 | N/A | C:\Users\Admin\AppData\Local\Temp\is-76QDD.tmp\is-8SDSL.tmp | C:\Windows\SysWOW64\cmd.exe |
| PID 4856 wrote to memory of 1784 | N/A | C:\Users\Admin\AppData\Local\Temp\is-76QDD.tmp\is-8SDSL.tmp | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\nuriweb_setup_09.exe
"C:\Users\Admin\AppData\Local\Temp\nuriweb_setup_09.exe"
C:\Users\Admin\AppData\Local\Temp\is-76QDD.tmp\is-8SDSL.tmp
"C:\Users\Admin\AppData\Local\Temp\is-76QDD.tmp\is-8SDSL.tmp" /SL4 $4021A "C:\Users\Admin\AppData\Local\Temp\nuriweb_setup_09.exe" 1209921 57344
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\del_bat.cmd""
Network
Files
memory/4776-1-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-76QDD.tmp\is-8SDSL.tmp
| MD5 | f745b25cab277f7f9adef431504cd2f7 |
| SHA1 | 0e879e4b8e8900c5b7c1300f61bb6059d88da267 |
| SHA256 | 3aa09fb7d514ee7ad7e98e009bf9fc4891150772b280b975410da9be37dd634d |
| SHA512 | ae072e23f7fa34f9752e756ef470f0d6df39286c920822c4404ace0b6723aff4b2f7cea7208a5a7c8efa16e3a03a36e04eda7459c09bb0342b8f15e5ae3cc59d |
memory/4856-7-0x0000000000660000-0x0000000000661000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\del_bat.cmd
| MD5 | 303d340adc5eda8d6b56339554162a90 |
| SHA1 | a4f9810ff2b24cf7134155469f687e79b40b9c9d |
| SHA256 | 7aa8102e5cf816a3d1a39f01c94455567517a68e16722ec91314f64c213101fe |
| SHA512 | bdf4a4496c47e639f3ee6a35c8bc1a1cd7458781c66c3505b771da1f3b889354f909b0d2bddb21ef2b1873d44c2728e0d304077aa59865ac4f958f4b8758b18e |
memory/4776-15-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4856-16-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/4856-18-0x0000000000660000-0x0000000000661000-memory.dmp