f644bef519fc0243633d13f18c97c96d76b95b6f2cbad2a2507fb8177b7e4d1d

General

Target

notice.exe
Size

350.0MB
MD5

e74116c5efc7492fa74334a39e22afe8
SHA1

393e81a3d525e8b582355d855d2c367047e4e0b0
SHA256

f644bef519fc0243633d13f18c97c96d76b95b6f2cbad2a2507fb8177b7e4d1d
SHA512

64999f89597bed1857252b98ffd03fba27c9514af0fb430de3913a58e035d619823bcb45a4aa5ec89abdf807f89f9db57d3856e97885144992d03804d79a2352

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

notice.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\qwveqwveqw.exe\","	notice.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

notice.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation notice.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

notice.exe

description pid process target process

PID 1216 set thread context of 4536 1216 notice.exe notice.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2932 4536 WerFault.exe notice.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	notice.exe

description	pid	process	target process
PID 1216 set thread context of 4536	1216	notice.exe	notice.exe

pid	pid_target	process	target process
2932	4536	WerFault.exe	notice.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\0018400647F126EC = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e000000000200000000001066000000010000200000007deebc300aa7909f324d3c40ece1879b5545ec8eccbde300c9c87d6291425e54000000000e800000000200002000000083e4f0cbd3d2349e1f2ccf01cb523a274a5c26b46d3b9b25cc50c1beba940195800000007e4b5b1aca48cf26a2aebf2f5bc4cd8440adc0153e03b000bcb1e1680373fbd101cefc62f8933af6d0ec890844d3f4c4bfe05749683e1066b637373d67aa562376f72c6c3596e9fc4cdf6b112275ac5c999176dc67f39fbfe9559198e5832dcbf1f4a0d16adc571b110391196593d8f91d6375d391138020211a6c3c0bee44d24000000053e9d54225474cb20f088d767080cadd30e76df42393adb85578f1c85c399c67744f8f3abeca0b221edb79f6e89dffed1b774a4581f682ce1b4a689de5989a5c	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e00000000020000000000106600000001000020000000c6662c2ecc75e238fad5b6d2e7beb940d794cb7bfa797083a1adefbc9b468986000000000e8000000002000020000000ec699308768792ad57205cc019fcd8057e1a8f0246fcd4f98022de8230f5116e100d00000f2d1ec5146d48aaccacb1ed3b939908af765c98469d31738f0a30f8433e8c9cbd9c2ffb259217b6a1749af415aafedb68d5cb28f1d81922f88d7a6be0f3c6f87c154b879d3d195655a87d359b4236444b4425017588d39f5839a34e728e347acea6c0c921d394cbe5f06c7b2548ed3753a13e8441e7c1882ebf769d37c51099929b06993d20d69ecffc90f5c45c22744ebffee793b3b0fc31fa57dd06a5978f02d4abeaa71057fc5edf19395c246f5982fe6d2f6310917a775dfe9318fafd60f92a3d019767586cb3948d8b688abbbe84de0d9537f0df5ec3f245f043dcd74cf3e119493fd2d00143771ca489a145d1e10599bf95f83a4404b53ba42c0c09637d1f5e93bbcc8d0e172fcc54c297089e27ab007a2d663b03cb2afb96bd9a9d85d18669eb8b1ed2d5dc81942c4c18f28ed05e46010282402422a1228d402b53767edab36c70f2446cb8c94a42aa9cf9d8d37085d3f06ccc304f9ae36087fa2dc8ab55bb190b568d495fbcb20ab6c9ac7902dd97d21a9af272fb067366b42b9592ff4d0995dfaf753b57ed1839fd280ed6af502e35287fa39496da449e11210a2de7897fa747fa2bcd9a45aff1ec7992ec8800510b5828051f86786fe709d9a20291fadf44177ea69250826e6fde1085d3ebd94d0ab835b3f0ff46ef68c5a68c8b6a4c10472bfc1b858d17213882ff526cf2d348b22022089b9901d549a1da6b3a90736ac1611a43863cc589ef0df4f0c96f9e43ac60b809dfdd1fc0b798cc993507bd4f9a6e714f5d07ee15ab44a56632af79349de5064a0eeca95d52ac1ff09e126dec2d0439f3f32f57ae91476b7a3f779b3ed37635ca7507d6997eb5d06f33fefbb5749dd6229a0ba901bcdee45c8af3376654cc14ca121e7c0f7fd775db8542c91a03daffc8955477d3ff44890fc663a7e6c3c895b641de124370ad55d66b1c851e26503e89b27c9660cc5e1686de19c28c18463ccbfab51b33230eae4539999214cc116239881260afabf5a5816f0d860f73211020f58727c97651da431a4c812960018d8ce65c26edd4b3bb1a04fa25812854358c210e61e6546c5c1e8425b83e2f3fd355bd5f81a685cadf7814b5a9021412ec1b1de76d3bfaae71f3f7651151033a247a1f4bd5007ada3b944979c77c047b11a7cf9db5fb949a2ca4ff7741a4a509c866bbccd9c6e6b5da38a1af9358954c30139b0d8fb004693bc55e49b4538f2cd6cb2bd5270251dc7483f8ce77a207d4c8fada9f6039d8e26ad6b9a725b7a0474c7ca05f286979deac204aa32d97dcd471c34137360c9df36cf7ba86d3cb9b886a297985ea6f2a52b1448d1192909441993bbb7cfd57c13c46132c1c5837218015724321def11a722d75737eafcf9380fb33fcb348087a6a6be33e18b1c45eeb6dcd23931f197320547991648343e1e192b5b5cdf35c24b35159b40864ca1e70895e92fb5f102348685626a4a2e6200047488988cff113e138f17732ae560f6d77995710c6a5a77b513696b8d2c68eea750e28be22b84845b4b7ad799b6eadf7e194f82b983fec61cb4e7ee9e2e7d5d49de873140952ef95844ef28b6fc694d9e4de61eb75177a5dd35d2cc754202e824b09a0863056d73ce6cd263f423d6cc575b5b0fd75ad88279976a0ace8cebc768e315f6e5f05779fbb8096be4a2d6984516eb9babe65a793d48162fe8c68c705d333784270856d6c2c394afc548e2c312ae9a6c50c7765bbc2d535171eb39e8b8884e6308f961583ffc68390c059237d2a8329e3141e4db82af1b5269066e964fe756dd850ac3967b23bce82795177dcd4636ae0ad83d5c38d2a7e661580a8ba8e8bfc8616fb27151e4d316931e945702dc958ea00f73d62f6bb2e364000e15ed920e97a4d5935d5dad1e630436b9c8e4965feb3cbd3c9ae927c3820d26b94fded61bf55046fec9e675552dfc2a39ca032c5839be9698dca8889029acd63f9fcdb394aa44a7fe58a49ad90c2cfb758ccccbd1e1a085507c3dc59255bb65c4fc83b3a90b9e18fb7d33af65e9b8d0103979fb9185ccda0039ea12429c31d6afe0b51d1f876ec5fe69e77a9553cead7cedead6773eb4545144a9595ce2a0e2b7c94dcbd1731f93e9355161107e39bbc6646e698ef28118bfbe9fa65bc67eb7f344ecbd2576c325b21e300b4f732842fc622af142f75bc2843fc8cb8d549cf7e7d0a507b28db50c00e7dc3141f16eecf46df25856d1a747acfe371a5a563920b44103c33861709e94fa88a07c4becbc86ed300b8d6f0ee3f0b9c7dfd8c152b2c490605d00a77ed3a6ced73026a55b65da85b9a82fc1322b9f1b91006a661df5a5e133b0628b8a16dc1c064ba5593a579dc5332d80b130fcd87290c001e25212c965b2f84bc0515ce1535f1365c55f293fde13d3437f1c6c8ff861c2ca9eb471aea6f21b6c3ab0c98501f97d339722ad958c7db7dfbe801753c1851720bb75ba0fbea9cdde044d2be2051769f04ce1ba1a6c758386504f1e71aa94dd3aebdab4d1e8649e87046708fc218dd6b02fb6318932783e80f47a795eba35e238d5d31dd8f062091e5bd18cd89fc7b7451bd369b2cb1dc0935ca5d8ccab002f5d48c546964d62dab9a84927078b9bc1651e8e2403b200f946cd2c0e40890ba077dce1212a0079c0dfefb7ac4d84028959592d610cc3a680cdfd1b470ae5e6a2d49e1de2d53b5084ecd4f9cc97aa1a54653cc6bc3fa5274b273f897b59ba64f683df3ea857a77fdb68b5b45bdf4ec507dc3d78db7a4e2169cf8a1dc6f1fbe3303677f598c071aba50f9f08a79ccfaaa19499855a7564886f8c2e4e886d00245dba93bec132e989c44eb060f30ff00c77d3a452bdaefd3726c52f4632a64be70625685b8ece32e0a59ece31e3ff7bd234ccd8cf92f1f73aacc437855c47ad73d43636924295788a937a338b54984d8db83176e06be18a62d3384c674f2940d470334e8073aee6d2f5b9b34c2109fdcf80302a2818ae84abd05f858e331b37febf0343c8377f3a319c3687213bea1e0421dd6520a4922ceea56072ad0fd0b79c2e72b2f3696d89e27c62aadaeb7bbae680c97a3d5de3e58f3119b061fe61c7793b65cacff545c0aa68af52acbcd812df89728003c44fcf7d0c445b8f623f9f37b018b4097703dc9e0618adba7521cbfa823e4c3437c6de3a72e89b984f65e23acf41e9cecc963a0169b66a87de28f86825bc6575305bbd922a68090cf701c0deb5c69e8a13532d461fabde7db6f667e690d36eb97a8c45de7fc69b48eec05a706d64608fe18ffcee91bdfc6559985e6f7e1619174b421902a65707f60d6ea37fdbd713466ddfec4f7aff71e3d5f8ff588261690e26fee37fd35fb428113d311837639fd103ad16861657616dff6497eecc0e74ff1e044595652186ab3182c4762fae3ee2b06de64efe7f56256ae5f407b6f93e85668752aae296aa80442c2617c325baefacf8d4ba4c7bf7745119209328b90b3c89a902984d686075652447f8e448f4e52fc1b1607af504c1a124957d253f6544474995a2139e4fb3448062f7b16c1d4f40198217164a2feb259553f383f16eac7408a7f35f093d05a4542b3491b554e7d2fff2269bf4ed7e24df894766d8ef4fc599c0b3fd083281553b0a12a3de31580568cc031cc2976d9907620a282f380a17431bde899bfd6e2c0227107713caf0f57bd609f770ceb2494b17339a64f1b3f49b6a43b0d356cf7c800b97af871e924022586989e90c1056e257b0c2a929d40188c2a68677900a8efdf2ee35579fe662cdb0a60b034da96209668dc3a3dd658cb671fb144f2b481c1d1238ac0cfceb228cf6320e02080bd12258e9c978be7dc8cba673e474dc72a7b411212c6bf05edbda9244d439ae7a4ebca5b8fe96c019478dee0bfe83a93614cd5ccb3641b85570bafcc81498ba9c440e5114a69c9b07689b2b43b0ed475079b94d1a56386f68b3fd4524484dd1a9c2f508a9060d6596e05962f218b2f2970dc1f9a08bfa103d7122bfbaed1a9f8555d6f08ad096629fc5abd9fc32a71d3787a2d372b6eb7cd2065e44c99760205baf00ef1a8cf8c261b6ab6c1a7a696a880850d0a0e601d1dd4839b5029ae04322c829f12a5c411b8cbeaa9df7b01028845aeb1638432e657c42e6a9c132b4eba0e3b9e272cb813622f6271f95eda6dd58ea4a12ff2a8f33138f82aa956111450efc02de3c82c431dc03c5815c366b829bbc409a29faf03655e19fcba13ec4fee27481c0450edc4f3a93e7d5278ce0e7e77153e543053b7fd04dffb14ec26309fba110857167a408e99b58f08c0d72b5fd87af5164b784094bfd1a18730c690e8473f229c99b1d42c679e9acd7c10fe5468626a30a5776e540fa60d10848ef2dad1f736c20fb979b2c1690c7bd5762c1bd3bc120ca8bcd869047a2a3ed30110e8cea2b7e6e6962d97c25b6cdcd83aae338bc4f92339e7aa7be62c071bad12a0b32e82585da3c699905885956cc802bcbf0618d0af94fac65339db3983207a537693061c55c487f32b57e9baddf1c4b124c511924413f75cb91d1f514b362e2bb7408ea59d026125cc9808bba6aa590a967b04500358b3c7821c58feb17da1ad275e87f7628d63634c99236a09dd650eda158b87960a7ac641fc02d6788968409cb58560a42731739dd157280930cf1666764a975bd6f714527b5867d2f7a02bd11ea9c27dadb91d211c6d110cf837a54b9f57020cf8a69d4000000078a3d7054d8950282cd065dda8bbaf109c5e12cd76fdb5305b1c5953ee4608103d3d25c293d1080af01988f54878e3919434028b3888d5a4e66364526a28b59e	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceId = "0018400647F126EC"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\ApplicationFlags = "1"	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exenotice.exe

pid process

2200 powershell.exe
2200 powershell.exe
1216 notice.exe
1216 notice.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exenotice.exe

description pid process

Token: SeDebugPrivilege 2200 powershell.exe
Token: SeDebugPrivilege 1216 notice.exe

pid	process
2200	powershell.exe
2200	powershell.exe
1216	notice.exe
1216	notice.exe

description	pid	process
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	1216	notice.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

notice.exe

description	pid	process	target process
PID 1216 wrote to memory of 2200	1216	notice.exe	powershell.exe
PID 1216 wrote to memory of 2200	1216	notice.exe	powershell.exe
PID 1216 wrote to memory of 2200	1216	notice.exe	powershell.exe
PID 1216 wrote to memory of 4536	1216	notice.exe	notice.exe
PID 1216 wrote to memory of 4536	1216	notice.exe	notice.exe
PID 1216 wrote to memory of 4536	1216	notice.exe	notice.exe
PID 1216 wrote to memory of 4536	1216	notice.exe	notice.exe
PID 1216 wrote to memory of 4536	1216	notice.exe	notice.exe
PID 1216 wrote to memory of 4536	1216	notice.exe	notice.exe
PID 1216 wrote to memory of 4536	1216	notice.exe	notice.exe
PID 1216 wrote to memory of 4536	1216	notice.exe	notice.exe
PID 1216 wrote to memory of 4536	1216	notice.exe	notice.exe
PID 1216 wrote to memory of 4536	1216	notice.exe	notice.exe

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
- Modifies data under HKEY_USERS
PID:836

C:\Users\Admin\AppData\Local\Temp\notice.exe
"C:\Users\Admin\AppData\Local\Temp\notice.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Users\Admin\AppData\Local\Temp\notice.exe
  C:\Users\Admin\AppData\Local\Temp\notice.exe
  2⤵
  PID:4536
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 240
    3⤵
    - Program crash
    PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4536 -ip 4536
1⤵
PID:2328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1216-134-0x0000000000690000-0x00000000006B8000-memory.dmp

Filesize
160KB

Download
memory/1216-146-0x0000000005DF0000-0x0000000005EA2000-memory.dmp

Filesize
712KB

Download
memory/1216-145-0x0000000005CE0000-0x0000000005D30000-memory.dmp

Filesize
320KB

Download
memory/2200-138-0x0000000004E70000-0x0000000004E92000-memory.dmp

Filesize
136KB

Download
memory/2200-144-0x0000000006CE0000-0x0000000006CFA000-memory.dmp

Filesize
104KB

Download
memory/2200-139-0x0000000004F10000-0x0000000004F76000-memory.dmp

Filesize
408KB

Download
memory/2200-140-0x00000000055C0000-0x0000000005626000-memory.dmp

Filesize
408KB

Download
memory/2200-141-0x0000000005CF0000-0x0000000005D0E000-memory.dmp

Filesize
120KB

Download
memory/2200-142-0x0000000002905000-0x0000000002907000-memory.dmp

Filesize
8KB

Download
memory/2200-143-0x0000000007330000-0x00000000079AA000-memory.dmp

Filesize
6.5MB

Download
memory/2200-137-0x0000000004F90000-0x00000000055B8000-memory.dmp

Filesize
6.2MB

Download
memory/2200-136-0x0000000002880000-0x00000000028B6000-memory.dmp

Filesize
216KB

Download
memory/2200-135-0x0000000000000000-mapping.dmp

Download
memory/4536-147-0x0000000000000000-mapping.dmp

Download
memory/4536-148-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4536-149-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4536-150-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads