Overview

overview

10

Static

static

3

nurik.exe

windows10-ltsc 2021-x64

10

nurik.exe

windows11-21h2-x64

Analysis

  • max time kernel
    88s
  • max time network
    115s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    13-11-2024 12:55

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    nurik.exe

  • Size

    333KB

  • MD5

    f6e15a4eba5f1bcfd4c60ad8c4b2f9b7

  • SHA1

    e929b611283987c4dc213b7ce786bb5762fbcaaf

  • SHA256

    bcd7b068992fb848fc3ba76021b3e095d0a0682c17146b4d836fa2a7846a2e0f

  • SHA512

    474c63a3dc03ddc3baf0463723ac991bd0cec08ebeaa64b867c91ae8624bbe37e1b1011e05f55ed7f1135f96931d654b243e8634d6dc367bd5ced05a6c1d7070

  • SSDEEP

    6144:ChCaXLv7nv96n5wmrHtU0wd9vKPoYYqUOiD:gbnFLUNeYYq7

Score
10/10
bootkitdiscoveryevasionexecutionpersistencetrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 12 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Kills process with taskkill 5 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\nurik.exe
    "C:\Users\Admin\AppData\Local\Temp\nurik.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4520
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /F /IM wscript.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2020
    • C:\Windows\SysWOW64\TASKKILL.exe
      TASKKILL /F /IM cmd.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3460
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f im Wireshark.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      PID:3968
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1996
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Local\Temp\nurik.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:784
    • C:\Users\Admin\AppData\Local\Temp\1891a9f000924ff9afea8af30362cd90.exe
      "C:\Users\Admin\AppData\Local\Temp\1891a9f000924ff9afea8af30362cd90.exe"
      2⤵
      • UAC bypass
      • Windows security bypass
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Windows security modification
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4576
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks /create /tn "GoogleUpdateTaskMachineUK" /sc MINUTE /mo 1 /tr "C:\Users\Admin\AppData\Local\Temp\1891a9f000924ff9afea8af30362cd90.exe" /rl HIGHEST /f
        3⤵
          PID:4704
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1891a9f000924ff9afea8af30362cd90.exe'"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:848
    • C:\Users\Admin\AppData\Local\Temp\nurik.exe
      C:\Users\Admin\AppData\Local\Temp\nurik.exe
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4664
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /F /IM wscript.exe
        2⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2940
      • C:\Windows\SysWOW64\TASKKILL.exe
        TASKKILL /F /IM cmd.exe
        2⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3312
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
        PID:3508

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Event Triggered Execution

      1
      T1546

      Image File Execution Options Injection

      1
      T1546.012

      Pre-OS Boot

      1
      T1542

      Bootkit

      1
      T1542.003

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Event Triggered Execution

      1
      T1546

      Image File Execution Options Injection

      1
      T1546.012

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Impair Defenses

      3
      T1562

      Disable or Modify Tools

      3
      T1562.001

      Modify Registry

      5
      T1112

      Pre-OS Boot

      1
      T1542

      Bootkit

      1
      T1542.003

      Credential Access

      Discovery

      System Information Discovery

      2
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      Lateral Movement

      Collection

      Command and Control

      Web Service

      1
      T1102

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\1891a9f000924ff9afea8af30362cd90.exe
        Filesize

        529KB

        MD5

        d4a2e9c2470e0a8d6da5bf55a55af4c7

        SHA1

        c2d2b46c1647f9ee47c57e0e689e969a558ff38a

        SHA256

        0308f3e960c42d9cea793b31dd9b60c2a01c4892370575336d98ea42d2e91098

        SHA512

        51b3866504427dfcd57b1c27057585fd4a5c830bad92cefc23ff9d7dd20bb801bf66de1aa41b69c41e4e8699de6ef85955e1a712d1ffbaa7cab9161de87d8460

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mzepzpmo.eme.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • memory/848-28-0x0000022BDC6D0000-0x0000022BDC6F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4520-3-0x0000000074760000-0x0000000074D11000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/4520-4-0x0000000074760000-0x0000000074D11000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/4520-7-0x0000000074760000-0x0000000074D11000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/4520-8-0x0000000074760000-0x0000000074D11000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/4520-9-0x0000000074760000-0x0000000074D11000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/4520-10-0x0000000074760000-0x0000000074D11000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/4520-0-0x0000000074761000-0x0000000074762000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4520-2-0x0000000074760000-0x0000000074D11000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/4520-1-0x0000000074760000-0x0000000074D11000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/4576-19-0x0000000000400000-0x00000000005C3000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/4576-42-0x0000000000400000-0x00000000005C3000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/4576-41-0x0000000000400000-0x00000000005C3000-memory.dmp

        Filesize

        1.8MB

        Download