Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

nurik.exe

windows10-ltsc 2021-x64

10

nurik.exe

windows11-21h2-x64

Analysis

  • max time kernel
    88s
  • max time network
    115s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    13/11/2024, 12:55 UTC

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    nurik.exe

  • Size

    333KB

  • MD5

    f6e15a4eba5f1bcfd4c60ad8c4b2f9b7

  • SHA1

    e929b611283987c4dc213b7ce786bb5762fbcaaf

  • SHA256

    bcd7b068992fb848fc3ba76021b3e095d0a0682c17146b4d836fa2a7846a2e0f

  • SHA512

    474c63a3dc03ddc3baf0463723ac991bd0cec08ebeaa64b867c91ae8624bbe37e1b1011e05f55ed7f1135f96931d654b243e8634d6dc367bd5ced05a6c1d7070

  • SSDEEP

    6144:ChCaXLv7nv96n5wmrHtU0wd9vKPoYYqUOiD:gbnFLUNeYYq7

Score
10/10
bootkitdiscoveryevasionexecutionpersistencetrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 12 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Kills process with taskkill 5 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\nurik.exe
    "C:\Users\Admin\AppData\Local\Temp\nurik.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4520
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /F /IM wscript.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2020
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /F /IM cmd.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3460
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Wireshark.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      PID:3968
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1996
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Local\Temp\nurik.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:784
    • C:\Users\Admin\AppData\Local\Temp\1891a9f000924ff9afea8af30362cd90.exe
      "C:\Users\Admin\AppData\Local\Temp\1891a9f000924ff9afea8af30362cd90.exe"
      2⤵
      • UAC bypass
      • Windows security bypass
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Windows security modification
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4576
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /tn "GoogleUpdateTaskMachineUK" /sc MINUTE /mo 1 /tr "C:\Users\Admin\AppData\Local\Temp\1891a9f000924ff9afea8af30362cd90.exe" /rl HIGHEST /f
        3⤵
          PID:4704
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1891a9f000924ff9afea8af30362cd90.exe'"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:848
    • C:\Users\Admin\AppData\Local\Temp\nurik.exe
      C:\Users\Admin\AppData\Local\Temp\nurik.exe
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4664
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /F /IM wscript.exe
        2⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2940
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /F /IM cmd.exe
        2⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3312
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
        PID:3508

      Network

      • flag-us
        DNS
        2.tcp.eu.ngrok.io
        nurik.exe
        Remote address:
        8.8.8.8:53
        Request
        2.tcp.eu.ngrok.io
        IN A
        Response
        2.tcp.eu.ngrok.io
        IN A
        18.157.68.73
      • flag-us
        DNS
        8.8.8.8.in-addr.arpa
        nurik.exe
        Remote address:
        8.8.8.8:53
        Request
        8.8.8.8.in-addr.arpa
        IN PTR
        Response
        8.8.8.8.in-addr.arpa
        IN PTR
        dnsgoogle
      • flag-us
        DNS
        73.68.157.18.in-addr.arpa
        nurik.exe
        Remote address:
        8.8.8.8:53
        Request
        73.68.157.18.in-addr.arpa
        IN PTR
        Response
        73.68.157.18.in-addr.arpa
        IN PTR
        ec2-18-157-68-73 eu-central-1compute amazonawscom
      • flag-us
        DNS
        nexusrules.officeapps.live.com
        nurik.exe
        Remote address:
        8.8.8.8:53
        Request
        nexusrules.officeapps.live.com
        IN A
        Response
        nexusrules.officeapps.live.com
        IN CNAME
        prod.nexusrules.live.com.akadns.net
        prod.nexusrules.live.com.akadns.net
        IN A
        52.111.229.48
      • flag-us
        DNS
        48.229.111.52.in-addr.arpa
        nurik.exe
        Remote address:
        8.8.8.8:53
        Request
        48.229.111.52.in-addr.arpa
        IN PTR
        Response
      • 18.157.68.73:18445
        2.tcp.eu.ngrok.io
        nurik.exe
        23.7kB
         742.4kB
         426
        787
      • 18.157.68.73:18445
        2.tcp.eu.ngrok.io
        nurik.exe
        195.8kB
         5.2kB
         171
        126
      • 8.8.8.8:53
        2.tcp.eu.ngrok.io
        dns
        nurik.exe
        348 B
         604 B
         5
        5

        DNS Request

        2.tcp.eu.ngrok.io

        DNS Response

        18.157.68.73

        DNS Request

        8.8.8.8.in-addr.arpa

        DNS Request

        73.68.157.18.in-addr.arpa

        DNS Request

        nexusrules.officeapps.live.com

        DNS Response

        52.111.229.48

        DNS Request

        48.229.111.52.in-addr.arpa

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Event Triggered Execution

      1
      T1546

      Image File Execution Options Injection

      1
      T1546.012

      Pre-OS Boot

      1
      T1542

      Bootkit

      1
      T1542.003

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Event Triggered Execution

      1
      T1546

      Image File Execution Options Injection

      1
      T1546.012

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Impair Defenses

      3
      T1562

      Disable or Modify Tools

      3
      T1562.001

      Modify Registry

      5
      T1112

      Pre-OS Boot

      1
      T1542

      Bootkit

      1
      T1542.003

      Credential Access

      Discovery

      System Information Discovery

      2
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      Lateral Movement

      Collection

      Command and Control

      Web Service

      1
      T1102

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\1891a9f000924ff9afea8af30362cd90.exe
        Filesize

        529KB

        MD5

        d4a2e9c2470e0a8d6da5bf55a55af4c7

        SHA1

        c2d2b46c1647f9ee47c57e0e689e969a558ff38a

        SHA256

        0308f3e960c42d9cea793b31dd9b60c2a01c4892370575336d98ea42d2e91098

        SHA512

        51b3866504427dfcd57b1c27057585fd4a5c830bad92cefc23ff9d7dd20bb801bf66de1aa41b69c41e4e8699de6ef85955e1a712d1ffbaa7cab9161de87d8460

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mzepzpmo.eme.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • memory/848-28-0x0000022BDC6D0000-0x0000022BDC6F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4520-3-0x0000000074760000-0x0000000074D11000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/4520-4-0x0000000074760000-0x0000000074D11000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/4520-7-0x0000000074760000-0x0000000074D11000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/4520-8-0x0000000074760000-0x0000000074D11000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/4520-9-0x0000000074760000-0x0000000074D11000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/4520-10-0x0000000074760000-0x0000000074D11000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/4520-0-0x0000000074761000-0x0000000074762000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4520-2-0x0000000074760000-0x0000000074D11000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/4520-1-0x0000000074760000-0x0000000074D11000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/4576-19-0x0000000000400000-0x00000000005C3000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/4576-42-0x0000000000400000-0x00000000005C3000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/4576-41-0x0000000000400000-0x00000000005C3000-memory.dmp

        Filesize

        1.8MB

        Download

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.