c1b41466187d6cc5e42a7657ca8ef7f6ba653e6ab89cfc26f771dffcdce92d79

Analysis

max time kernel
151s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 19:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c1b41466187d6cc5e42a7657ca8ef7f6ba653e6ab89cfc26f771dffcdce92d79.exe
Size

60KB
MD5

a0c8dbe972246a2966bd5fa36a15d525
SHA1

2db552e64357aa4c2a95c1b574bf6b6e5df21a9f
SHA256

c1b41466187d6cc5e42a7657ca8ef7f6ba653e6ab89cfc26f771dffcdce92d79
SHA512

4c10508f4879d116c1c8c45a5dcfbe49909a46c85515433785ff7bc9e449f8c16b5409b592ab3da5c9b366e9c5e54c68a1e30be1218489b8508b855a7332d3c5
SSDEEP

768:VmCFzLK9EMxnCtX2pwTw6a0PZfbFVbMznoK2NY1IxLOEIXxRDOeu:Vf4xnu2sw6a0PZfZVwbnaElXxRDO/

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	noeule.exe

Executes dropped EXE 1 IoCs

pid	Process
4608	noeule.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	c1b41466187d6cc5e42a7657ca8ef7f6ba653e6ab89cfc26f771dffcdce92d79.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	noeule.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noeule = "C:\\Users\\Admin\\noeule.exe"	noeule.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe
4608	noeule.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4752	c1b41466187d6cc5e42a7657ca8ef7f6ba653e6ab89cfc26f771dffcdce92d79.exe
4608	noeule.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 4608	4752	c1b41466187d6cc5e42a7657ca8ef7f6ba653e6ab89cfc26f771dffcdce92d79.exe	88
PID 4752 wrote to memory of 4608	4752	c1b41466187d6cc5e42a7657ca8ef7f6ba653e6ab89cfc26f771dffcdce92d79.exe	88
PID 4752 wrote to memory of 4608	4752	c1b41466187d6cc5e42a7657ca8ef7f6ba653e6ab89cfc26f771dffcdce92d79.exe	88
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81
PID 4608 wrote to memory of 4752	4608	noeule.exe	81

C:\Users\Admin\AppData\Local\Temp\c1b41466187d6cc5e42a7657ca8ef7f6ba653e6ab89cfc26f771dffcdce92d79.exe
"C:\Users\Admin\AppData\Local\Temp\c1b41466187d6cc5e42a7657ca8ef7f6ba653e6ab89cfc26f771dffcdce92d79.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Users\Admin\noeule.exe
  "C:\Users\Admin\noeule.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\noeule.exe

Filesize
60KB

MD5
d8c068243f4326afb8408960993c1542

SHA1
b76b08d2bb2158e85d28e2f2a752d39c5ce05358

SHA256
281d3d2e2bc2b4c772a4c710defdbb83298468825804484045e51cd214aba225

SHA512
47e4f904f051dfe15f84d80cc2a689721ca622e603b795a36907323756674bd0d3d8a7cb9e893ccb076aaa43dbe0892ed7d37912506bb9f802cd42a70f3e9e91

Download Submit
C:\Users\Admin\noeule.exe

Filesize
60KB

MD5
d8c068243f4326afb8408960993c1542

SHA1
b76b08d2bb2158e85d28e2f2a752d39c5ce05358

SHA256
281d3d2e2bc2b4c772a4c710defdbb83298468825804484045e51cd214aba225

SHA512
47e4f904f051dfe15f84d80cc2a689721ca622e603b795a36907323756674bd0d3d8a7cb9e893ccb076aaa43dbe0892ed7d37912506bb9f802cd42a70f3e9e91

Download Submit