Analysis

  • max time kernel
    88s
  • max time network
    115s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    13/11/2024, 12:55 UTC

Errors

Reason
Machine shutdown

General

  • Target

    nurik.exe

  • Size

    333KB

  • MD5

    f6e15a4eba5f1bcfd4c60ad8c4b2f9b7

  • SHA1

    e929b611283987c4dc213b7ce786bb5762fbcaaf

  • SHA256

    bcd7b068992fb848fc3ba76021b3e095d0a0682c17146b4d836fa2a7846a2e0f

  • SHA512

    474c63a3dc03ddc3baf0463723ac991bd0cec08ebeaa64b867c91ae8624bbe37e1b1011e05f55ed7f1135f96931d654b243e8634d6dc367bd5ced05a6c1d7070

  • SSDEEP

    6144:ChCaXLv7nv96n5wmrHtU0wd9vKPoYYqUOiD:gbnFLUNeYYq7

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 12 IoCs
  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 5 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\nurik.exe
    "C:\Users\Admin\AppData\Local\Temp\nurik.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4520
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /F /IM wscript.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2020
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /F /IM cmd.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3460
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Wireshark.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      PID:3968
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1996
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Local\Temp\nurik.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:784
    • C:\Users\Admin\AppData\Local\Temp\1891a9f000924ff9afea8af30362cd90.exe
      "C:\Users\Admin\AppData\Local\Temp\1891a9f000924ff9afea8af30362cd90.exe"
      2⤵
      • UAC bypass
      • Windows security bypass
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Windows security modification
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4576
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /tn "GoogleUpdateTaskMachineUK" /sc MINUTE /mo 1 /tr "C:\Users\Admin\AppData\Local\Temp\1891a9f000924ff9afea8af30362cd90.exe" /rl HIGHEST /f
        3⤵
        PID:4704
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1891a9f000924ff9afea8af30362cd90.exe'"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:848
    • C:\Users\Admin\AppData\Local\Temp\nurik.exe
      C:\Users\Admin\AppData\Local\Temp\nurik.exe
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4664
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /F /IM wscript.exe
        2⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2940
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /F /IM cmd.exe
        2⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3312
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      PID:3508

      Network

      • flag-us
        DNS
        2.tcp.eu.ngrok.io
        nurik.exe
        Remote address:
        8.8.8.8:53
        Request
        2.tcp.eu.ngrok.io
        IN A
        Response
        2.tcp.eu.ngrok.io
        IN A
        18.157.68.73
      • flag-us
        DNS
        8.8.8.8.in-addr.arpa
        nurik.exe
        Remote address:
        8.8.8.8:53
        Request
        8.8.8.8.in-addr.arpa
        IN PTR
        Response
        8.8.8.8.in-addr.arpa
        IN PTR
        dns.google
      • flag-us
        DNS
        73.68.157.18.in-addr.arpa
        nurik.exe
        Remote address:
        8.8.8.8:53
        Request
        73.68.157.18.in-addr.arpa
        IN PTR
        Response
        73.68.157.18.in-addr.arpa
        IN PTR
        ec2-18-157-68-73.eu-central-1.compute.amazonaws.com
      • flag-us
        DNS
        nexusrules.officeapps.live.com
        nurik.exe
        Remote address:
        8.8.8.8:53
        Request
        nexusrules.officeapps.live.com
        IN A
        Response
        nexusrules.officeapps.live.com
        IN CNAME
        prod.nexusrules.live.com.akadns.net
        prod.nexusrules.live.com.akadns.net
        IN A
        52.111.229.48
      • flag-us
        DNS
        48.229.111.52.in-addr.arpa
        nurik.exe
        Remote address:
        8.8.8.8:53
        Request
        48.229.111.52.in-addr.arpa
        IN PTR
        Response
      • 18.157.68.73:18445
        2.tcp.eu.ngrok.io
        nurik.exe
        23.7kB
        742.4kB
        426
        787
      • 18.157.68.73:18445
        2.tcp.eu.ngrok.io
        nurik.exe
        195.8kB
        5.2kB
        171
        126
      • 8.8.8.8:53
        2.tcp.eu.ngrok.io
        dns
        nurik.exe
        348 B
        604 B
        5
        5

        DNS Request

        2.tcp.eu.ngrok.io

        DNS Response

        18.157.68.73

        DNS Request

        8.8.8.8.in-addr.arpa

        DNS Request

        73.68.157.18.in-addr.arpa

        DNS Request

        nexusrules.officeapps.live.com

        DNS Response

        52.111.229.48

        DNS Request

        48.229.111.52.in-addr.arpa

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\1891a9f000924ff9afea8af30362cd90.exe

        Filesize

        529KB

        MD5

        d4a2e9c2470e0a8d6da5bf55a55af4c7

        SHA1

        c2d2b46c1647f9ee47c57e0e689e969a558ff38a

        SHA256

        0308f3e960c42d9cea793b31dd9b60c2a01c4892370575336d98ea42d2e91098

        SHA512

        51b3866504427dfcd57b1c27057585fd4a5c830bad92cefc23ff9d7dd20bb801bf66de1aa41b69c41e4e8699de6ef85955e1a712d1ffbaa7cab9161de87d8460

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mzepzpmo.eme.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • memory/848-28-0x0000022BDC6D0000-0x0000022BDC6F2000-memory.dmp

        Filesize

        136KB

      • memory/4520-3-0x0000000074760000-0x0000000074D11000-memory.dmp

        Filesize

        5.7MB

      • memory/4520-4-0x0000000074760000-0x0000000074D11000-memory.dmp

        Filesize

        5.7MB

      • memory/4520-7-0x0000000074760000-0x0000000074D11000-memory.dmp

        Filesize

        5.7MB

      • memory/4520-8-0x0000000074760000-0x0000000074D11000-memory.dmp

        Filesize

        5.7MB

      • memory/4520-9-0x0000000074760000-0x0000000074D11000-memory.dmp

        Filesize

        5.7MB

      • memory/4520-10-0x0000000074760000-0x0000000074D11000-memory.dmp

        Filesize

        5.7MB

      • memory/4520-0-0x0000000074761000-0x0000000074762000-memory.dmp

        Filesize

        4KB

      • memory/4520-2-0x0000000074760000-0x0000000074D11000-memory.dmp

        Filesize

        5.7MB

      • memory/4520-1-0x0000000074760000-0x0000000074D11000-memory.dmp

        Filesize

        5.7MB

      • memory/4576-19-0x0000000000400000-0x00000000005C3000-memory.dmp

        Filesize

        1.8MB

      • memory/4576-42-0x0000000000400000-0x00000000005C3000-memory.dmp

        Filesize

        1.8MB

      • memory/4576-41-0x0000000000400000-0x00000000005C3000-memory.dmp

        Filesize

        1.8MB
