Malware Analysis Report

2025-08-05 16:44

Sample ID: 240204-xvg7ysggc9
Target: 8fedbd9e477e16a12f812c2b77f18d20
SHA256: 497d46eecb32775155b8b1ea64c705bfc67f63b970c38d5f27fc62ac4a53403d
Tags: adware discovery persistence stealer upx
Score: 7/10

Analysis Overview

Score: 7/10
SHA256: 497d46eecb32775155b8b1ea64c705bfc67f63b970c38d5f27fc62ac4a53403d
Threat Level: Shows suspicious behavior

The file 8fedbd9e477e16a12f812c2b77f18d20 was found to be: Shows suspicious behavior.

Malicious Activity Summary

Tags: adware discovery persistence stealer upx

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

UPX packed file

Deletes itself

ACProtect 1.3x - 1.4x DLL software

Checks installed software on the system

Installs/modifies Browser Helper Object

Adds Run key to start application

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Program crash

NSIS installer

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-04 19:10

Signatures

Unsigned PE

NSIS installer

installer
Analysis: behavioral1

Detonation Overview

Submitted

2024-02-04 19:10

Reported

2024-02-04 19:12

Platform

win7-20231215-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8fedbd9e477e16a12f812c2b77f18d20.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

UPX packed file

upx
Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\nuriweb = "c:\\program files\\nuri-web\\nuriweb.exe" C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E} C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\nuri-web\del_bat.cmd C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp N/A
File created C:\Program Files\nuri-web\is-Q1SOP.tmp C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp N/A
File created C:\Program Files\nuri-web\is-M0SOA.tmp C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp N/A
File created C:\Program Files\nuri-web\is-HLQBI.tmp C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp N/A
File opened for modification C:\Program Files\nuri-web\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp N/A
File created C:\Program Files\nuri-web\is-6H2T7.tmp C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp N/A
File created C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe C:\Users\Admin\AppData\Local\Temp\8fedbd9e477e16a12f812c2b77f18d20.exe N/A
File created C:\Program Files\nuri-web\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp N/A
File created C:\Program Files\nuri-web\is-364GA.tmp C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp N/A
File created C:\Program Files\nuri-web\is-VQR3U.tmp C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp N/A
File created C:\Program Files\nuri-web\is-AT8F3.tmp C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\0 C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F} C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F} C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\ProgID\ = "nuriweb.nuriweb" C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\Version\ = "1.0" C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0 C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\Version C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\ = "nuriweb Class" C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\ = "nuriweb Library" C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\TypeLib C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\ = "nuriweb Object" C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\nuriweb.nuriweb\ = "nuriweb Object" C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\nuriweb.nuriweb\Clsid C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\nuriweb.nuriweb\Clsid\ = "{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}" C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\TypeLib C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\TypeLib\ = "{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}" C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\TypeLib\ = "{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}" C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\ = "Inuriweb" C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\TypeLib\ = "{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}" C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\nuriweb.nuriweb C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\InprocServer32\ = "C:\\PROGRA~1\\nuri-web\\nuriweb.dll" C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\0\win32\ = "C:\\Program Files\\nuri-web\\nuriweb.dll" C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\ = "Inuriweb" C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E} C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F} C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\HELPDIR\ = "C:\\Program Files\\nuri-web\\" C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\TypeLib C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\ProgID C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2356 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\8fedbd9e477e16a12f812c2b77f18d20.exe C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe
PID 2356 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\8fedbd9e477e16a12f812c2b77f18d20.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2932 N/A C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp
PID 2932 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp C:\Windows\SysWOW64\cmd.exe
PID 2932 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\8fedbd9e477e16a12f812c2b77f18d20.exe

"C:\Users\Admin\AppData\Local\Temp\8fedbd9e477e16a12f812c2b77f18d20.exe"

C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe

"C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe" /VERYSILENT

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\del_nsis_bat.cmd" "

C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp

"C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp" /SL4 $2009A "C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe" 1209921 57344 /VERYSILENT

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\nuri-web\del_bat.cmd""

C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp

_RegDLL.tmp 544 536

Network

Country Destination Domain Proto
US 8.8.8.8:53 counter.nuri-web.com udp
KR 210.114.6.168:80 counter.nuri-web.com tcp

Files

\Program Files (x86)\nuri-web\nuriweb_setup_09.exe
C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe
\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp
C:\Users\Admin\AppData\Local\Temp\del_nsis_bat.cmd
C:\Users\Admin\AppData\Local\Temp\is-1RE34.tmp\is-36JLA.tmp
C:\Program Files (x86)\nuri-web\del_bat.cmd
\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_shfoldr.dll
\Program Files\nuri-web\sqlite3.dll
\Program Files\nuri-web\nuriweb.dll
C:\Program Files\nuri-web\nuriweb.dll
C:\Users\Admin\AppData\Local\Temp\is-G5Q6N.tmp\_isetup\_RegDLL.tmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-04 19:10

Reported

2024-02-04 19:12

Platform

win10v2004-20231222-en

Max time kernel

90s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8fedbd9e477e16a12f812c2b77f18d20.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8fedbd9e477e16a12f812c2b77f18d20.exe N/A

UPX packed file

upx
Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nuriweb = "c:\\program files\\nuri-web\\nuriweb.exe" C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E} C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\nuri-web\is-IUSJV.tmp C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp N/A
File created C:\Program Files\nuri-web\is-IEJDJ.tmp C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp N/A
File created C:\Program Files\nuri-web\is-LL7JM.tmp C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp N/A
File created C:\Program Files\nuri-web\is-NR1Q8.tmp C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp N/A
File opened for modification C:\Program Files\nuri-web\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp N/A
File created C:\Program Files (x86)\nuri-web\del_bat.cmd C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp N/A
File created C:\Program Files\nuri-web\is-QMCQD.tmp C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp N/A
File created C:\Program Files\nuri-web\is-FL1S1.tmp C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp N/A
File created C:\Program Files\nuri-web\is-UF2PD.tmp C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp N/A
File created C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe C:\Users\Admin\AppData\Local\Temp\8fedbd9e477e16a12f812c2b77f18d20.exe N/A
File created C:\Program Files\nuri-web\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\TypeLib\ = "{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}" C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\nuriweb.nuriweb\Clsid C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\TypeLib\ = "{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}" C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\TypeLib C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\nuriweb.nuriweb\ = "nuriweb Object" C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F} C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\ = "nuriweb Library" C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F} C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\ = "nuriweb Class" C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\HELPDIR\ = "C:\\Program Files\\nuri-web\\" C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\Version C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\TypeLib C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F} C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\ProgID C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\ProgID\ = "nuriweb.nuriweb" C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\0 C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\ = "Inuriweb" C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\ = "nuriweb Object" C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\ = "Inuriweb" C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E} C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0 C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\0\win32\ = "C:\\Program Files\\nuri-web\\nuriweb.dll" C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\TypeLib C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\nuriweb.nuriweb\Clsid\ = "{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}" C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\Version\ = "1.0" C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\TypeLib\ = "{AA0E4D5E-942E-45E8-8893-749E0AFEEA4F}" C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA63B696-1B5D-4C18-93BC-F18D570EA36F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AAED77EA-6F21-4539-B8D9-9276A2E1B96E}\InprocServer32\ = "C:\\PROGRA~1\\nuri-web\\nuriweb.dll" C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\nuriweb.nuriweb C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1684 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\8fedbd9e477e16a12f812c2b77f18d20.exe C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe
PID 1684 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\8fedbd9e477e16a12f812c2b77f18d20.exe C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe
PID 1684 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\8fedbd9e477e16a12f812c2b77f18d20.exe C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe
PID 2284 wrote to memory of 1628 N/A C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp
PID 2284 wrote to memory of 1628 N/A C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp
PID 2284 wrote to memory of 1628 N/A C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp
PID 1628 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp C:\Windows\SysWOW64\cmd.exe
PID 1628 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp C:\Windows\SysWOW64\cmd.exe
PID 1628 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp C:\Windows\SysWOW64\cmd.exe
PID 1684 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\8fedbd9e477e16a12f812c2b77f18d20.exe C:\Windows\SysWOW64\cmd.exe
PID 1684 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\8fedbd9e477e16a12f812c2b77f18d20.exe C:\Windows\SysWOW64\cmd.exe
PID 1684 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\8fedbd9e477e16a12f812c2b77f18d20.exe C:\Windows\SysWOW64\cmd.exe
PID 1628 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp
PID 1628 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp
PID 1628 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\8fedbd9e477e16a12f812c2b77f18d20.exe

"C:\Users\Admin\AppData\Local\Temp\8fedbd9e477e16a12f812c2b77f18d20.exe"

C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe

"C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp

"C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp" /SL4 $6011C "C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe" 1209921 57344 /VERYSILENT

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\del_nsis_bat.cmd" "

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\nuri-web\del_bat.cmd""

C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp

_RegDLL.tmp 1216 1156

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 counter.nuri-web.com udp
KR 210.114.6.168:80 counter.nuri-web.com tcp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 168.6.114.210.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 45.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe

MD5 c93e460a70541233bfeb50b31e5d5fef
SHA1 a7fcdcd6fbfdd2dd0278c50e7712664f5f1e594b
SHA256 738191ea3025141d155436f4c00b45cff8064b4c53ec6b184ef77e71433c6c09
SHA512 936675509518ce9778120630469cb76bada2f57119042433bdcb27d18c86626d2757eba65262fc5e8dae77db9bc06813cd779f9931e556db1da2318cbe6d757b

memory/2284-5-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Program Files (x86)\nuri-web\nuriweb_setup_09.exe

MD5 87f16156e85e783f801fbe1b4f386596
SHA1 d3eff0bb89a840b2cae9d4a35377260058712cbf
SHA256 a40352dee10e8657abc20674cbaa8728479dfa48483f68febcfdd51cafef384c
SHA512 a25cbf3a87ee1138a3d75ef0123f8eb3e7e044f847b916784c8a0eb4028d4d9d78175ef29d8e8d6b7781f022630423a265d5e01096d67283f160ea2fcdc4c7a8

C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp

MD5 2c79756045f159e06de9e75b33d0c4bf
SHA1 c05f3693d5b1b09c544e5845137c82f24278873e
SHA256 0d9bb29b273f866f1fc85b9f0b19483ecd57b20b53befd87cd1bc8d810cd2b10
SHA512 996eea70169e72611f7d2c283e8d25cadcdf024e7121001859c2d561e4facff187e7d698568d3ec1bcbad9bb72fdcba5097852bdeebc1e80e5ceed46bd7fdee1

C:\Users\Admin\AppData\Local\Temp\is-M1I0B.tmp\is-CVQJF.tmp

MD5 b27fcbe50d1dfcfb06c867fb39be2aac
SHA1 7793946bfb2bf902c1ce5b8a23537d458708aa05
SHA256 39e9eb81d99508be615becb0a4e5f2059638ab95c45712a598983dfe77abd51c
SHA512 2c2049044a6cdc9fed7c8534a66ac2dbeccac58ba29808647e69e036dfa65adadd1d61fa42e432dbaf41e514df67a6d0f498cd79484abe85b31c92f6582cf34d

C:\Program Files (x86)\nuri-web\del_bat.cmd

MD5 1facd5b5a62fc3c72c6b0157d2a2697f
SHA1 5c89dbbee5598a435b2be32a0fa77ed1ebe306b0
SHA256 c4c9323a9995f02dd3ad14c1771ae3cce77b873f79ece5b48866349827d09114
SHA512 6ec3e6ee6608e652e54a849dc090805cca34bda9ccfdaf34723290e110b29eb7b2e517b82eb463ad1c527299d5a929a974f2cc384784562b6270f3e977398a7a

C:\Users\Admin\AppData\Local\Temp\del_nsis_bat.cmd

MD5 37e82a46f543bd6b3d04623280098fe6
SHA1 d21fa52fe1d7662d3fa342c8e7ce87a8d3fab2c5
SHA256 b4006c5fdc77f4bbf0658668edebe6ba8818a0935bd4f29c13b1ff9ddf0707a7
SHA512 1e236767976c569045167489d4701fa4286a844568cf532b6080d1007c366a11321b802c58b17b135b16eaff898f445c5b270bc3ecdb8c1d7523413fa3b2b1fb

memory/1628-15-0x0000000000510000-0x0000000000511000-memory.dmp

C:\Program Files\nuri-web\nuriweb.dll

MD5 ea3577ff84ed57d4bc86278bacb00b1b
SHA1 54f28342f3f3cce8b98a3c170d63247f4af19fe7
SHA256 379861ccd5a88e71f911581bea92f275bdea8f674e8c761e4d701afb5d586ee4
SHA512 73c226fc6f45424d5e5dad42b8cdd48c69ef4f3e6cef9ab0e2d4f62e1649f9dbba2c91b176491df54e0e3cffa3720bc4d1bcda51f4b9467d587809f4f0f87021

C:\Program Files\nuri-web\sqlite3.dll

MD5 ca32bd7555d692fae488ec5864ce0ebc
SHA1 7cb21ae715ab154ac4658bb9d04348865577c25a
SHA256 f2aec7bf629d289ebd69abfa6f7296c8e349ae7384d261b3462db99dd86435fa
SHA512 d848ab9f2c552b0bb320df3981a1ee6c7ce3befb2fd37d4659a564cea95d2bdf41702fa6e465070aa0f7272ba21ab26ca1bec96702345cc7a0d7e8bc1ed42b44

memory/1368-46-0x0000000060900000-0x000000006096F000-memory.dmp

memory/1368-44-0x0000000002250000-0x000000000238A000-memory.dmp

memory/1368-42-0x0000000002250000-0x000000000238A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-IMA7H.tmp\_isetup\_RegDLL.tmp

MD5 c594b792b9c556ea62a30de541d2fb03
SHA1 69e0207515e913243b94c2d3a116d232ff79af5f
SHA256 5dcc1e0a197922907bca2c4369f778bd07ee4b1bbbdf633e987a028a314d548e
SHA512 387bd07857b0de67c04e0abf89b754691683f30515726045ff382da9b6b7f36570e38fae9eca5c4f0110ce9bb421d8045a5ec273c4c47b5831948564763ed144

memory/1628-51-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2284-52-0x0000000000400000-0x0000000000414000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-04 19:10

Reported

2024-02-04 19:12

Platform

win7-20231215-en

Max time kernel

122s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 248

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-04 19:10

Reported

2024-02-04 19:13

Platform

win10v2004-20231215-en

Max time kernel

92s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4200 wrote to memory of 960 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4200 wrote to memory of 960 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4200 wrote to memory of 960 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 960 -ip 960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 644

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 45.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 68.179.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-02-04 19:10

Reported

2024-02-04 19:12

Platform

win7-20231215-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\nuriweb_setup_09.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-E86UJ.tmp\is-0VBRK.tmp N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-E86UJ.tmp\is-0VBRK.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2932 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\nuriweb_setup_09.exe C:\Users\Admin\AppData\Local\Temp\is-E86UJ.tmp\is-0VBRK.tmp
PID 2932 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\nuriweb_setup_09.exe C:\Users\Admin\AppData\Local\Temp\is-E86UJ.tmp\is-0VBRK.tmp
PID 2932 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\nuriweb_setup_09.exe C:\Users\Admin\AppData\Local\Temp\is-E86UJ.tmp\is-0VBRK.tmp
PID 2932 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\nuriweb_setup_09.exe C:\Users\Admin\AppData\Local\Temp\is-E86UJ.tmp\is-0VBRK.tmp
PID 2932 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\nuriweb_setup_09.exe C:\Users\Admin\AppData\Local\Temp\is-E86UJ.tmp\is-0VBRK.tmp
PID 2932 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\nuriweb_setup_09.exe C:\Users\Admin\AppData\Local\Temp\is-E86UJ.tmp\is-0VBRK.tmp
PID 2932 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\nuriweb_setup_09.exe C:\Users\Admin\AppData\Local\Temp\is-E86UJ.tmp\is-0VBRK.tmp
PID 3044 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\is-E86UJ.tmp\is-0VBRK.tmp C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\is-E86UJ.tmp\is-0VBRK.tmp C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\is-E86UJ.tmp\is-0VBRK.tmp C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\is-E86UJ.tmp\is-0VBRK.tmp C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\nuriweb_setup_09.exe

"C:\Users\Admin\AppData\Local\Temp\nuriweb_setup_09.exe"

C:\Users\Admin\AppData\Local\Temp\is-E86UJ.tmp\is-0VBRK.tmp

"C:\Users\Admin\AppData\Local\Temp\is-E86UJ.tmp\is-0VBRK.tmp" /SL4 $3014E "C:\Users\Admin\AppData\Local\Temp\nuriweb_setup_09.exe" 1209921 57344

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\del_bat.cmd""

Network

N/A

Files

memory/2932-1-0x0000000000400000-0x0000000000414000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-E86UJ.tmp\is-0VBRK.tmp

MD5 f745b25cab277f7f9adef431504cd2f7
SHA1 0e879e4b8e8900c5b7c1300f61bb6059d88da267
SHA256 3aa09fb7d514ee7ad7e98e009bf9fc4891150772b280b975410da9be37dd634d
SHA512 ae072e23f7fa34f9752e756ef470f0d6df39286c920822c4404ace0b6723aff4b2f7cea7208a5a7c8efa16e3a03a36e04eda7459c09bb0342b8f15e5ae3cc59d

memory/3044-9-0x00000000003D0000-0x00000000003D1000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-34DJR.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\del_bat.cmd

MD5 303d340adc5eda8d6b56339554162a90
SHA1 a4f9810ff2b24cf7134155469f687e79b40b9c9d
SHA256 7aa8102e5cf816a3d1a39f01c94455567517a68e16722ec91314f64c213101fe
SHA512 bdf4a4496c47e639f3ee6a35c8bc1a1cd7458781c66c3505b771da1f3b889354f909b0d2bddb21ef2b1873d44c2728e0d304077aa59865ac4f958f4b8758b18e

memory/2932-19-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3044-20-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/3044-23-0x00000000003D0000-0x00000000003D1000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-02-04 19:10

Reported

2024-02-04 19:13

Platform

win10v2004-20231215-en

Max time kernel

151s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\nuriweb_setup_09.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\nuriweb_setup_09.exe

"C:\Users\Admin\AppData\Local\Temp\nuriweb_setup_09.exe"

C:\Users\Admin\AppData\Local\Temp\is-76QDD.tmp\is-8SDSL.tmp

"C:\Users\Admin\AppData\Local\Temp\is-76QDD.tmp\is-8SDSL.tmp" /SL4 $4021A "C:\Users\Admin\AppData\Local\Temp\nuriweb_setup_09.exe" 1209921 57344

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\del_bat.cmd""

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 16.234.44.23.in-addr.arpa udp
US 8.8.8.8:53 61.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 45.179.17.96.in-addr.arpa udp

Files

memory/4776-1-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-76QDD.tmp\is-8SDSL.tmp

MD5 f745b25cab277f7f9adef431504cd2f7
SHA1 0e879e4b8e8900c5b7c1300f61bb6059d88da267
SHA256 3aa09fb7d514ee7ad7e98e009bf9fc4891150772b280b975410da9be37dd634d
SHA512 ae072e23f7fa34f9752e756ef470f0d6df39286c920822c4404ace0b6723aff4b2f7cea7208a5a7c8efa16e3a03a36e04eda7459c09bb0342b8f15e5ae3cc59d

memory/4856-7-0x0000000000660000-0x0000000000661000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\del_bat.cmd

MD5 303d340adc5eda8d6b56339554162a90
SHA1 a4f9810ff2b24cf7134155469f687e79b40b9c9d
SHA256 7aa8102e5cf816a3d1a39f01c94455567517a68e16722ec91314f64c213101fe
SHA512 bdf4a4496c47e639f3ee6a35c8bc1a1cd7458781c66c3505b771da1f3b889354f909b0d2bddb21ef2b1873d44c2728e0d304077aa59865ac4f958f4b8758b18e

memory/4776-15-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4856-16-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/4856-18-0x0000000000660000-0x0000000000661000-memory.dmp