Analysis
-
max time kernel
179s -
max time network
191s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
24-11-2022 00:18
Static task
static1
Behavioral task
behavioral1
Sample
f8655c88b1cc2696a0acfc97a44264420a81e12a68f0cc145852f8337311680a.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
f8655c88b1cc2696a0acfc97a44264420a81e12a68f0cc145852f8337311680a.exe
Resource
win10v2004-20221111-en
General
-
Target
f8655c88b1cc2696a0acfc97a44264420a81e12a68f0cc145852f8337311680a.exe
-
Size
228KB
-
MD5
35845c3135b9f72abee1edb811aa8f42
-
SHA1
4d7e9432351ecba1f84aff1a70fcc9550b1bb0af
-
SHA256
f8655c88b1cc2696a0acfc97a44264420a81e12a68f0cc145852f8337311680a
-
SHA512
0740bfecaf5183743393c9180f2ee99128af15c956247cb57ed0605e8c31f28fdbfcfb4d24c6c472120835e6e48a8636bbe317880f664ce895b02abdfc5bdff9
-
SSDEEP
6144:dm2J3PFKs7aFwKWwalhrEqxF6snji81RUinKZHg/7SR:dm2FPhAmZIH+7E
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
Processes:
f8655c88b1cc2696a0acfc97a44264420a81e12a68f0cc145852f8337311680a.exenouluo.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" f8655c88b1cc2696a0acfc97a44264420a81e12a68f0cc145852f8337311680a.exe Set value (int) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" nouluo.exe -
Executes dropped EXE 1 IoCs
Processes:
nouluo.exepid process 4280 nouluo.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
f8655c88b1cc2696a0acfc97a44264420a81e12a68f0cc145852f8337311680a.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation f8655c88b1cc2696a0acfc97a44264420a81e12a68f0cc145852f8337311680a.exe -
Adds Run key to start application 2 TTPs 29 IoCs
Processes:
nouluo.exef8655c88b1cc2696a0acfc97a44264420a81e12a68f0cc145852f8337311680a.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nouluo = "C:\\Users\\Admin\\nouluo.exe /d" nouluo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nouluo = "C:\\Users\\Admin\\nouluo.exe /n" nouluo.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run\ f8655c88b1cc2696a0acfc97a44264420a81e12a68f0cc145852f8337311680a.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nouluo = "C:\\Users\\Admin\\nouluo.exe /f" nouluo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nouluo = "C:\\Users\\Admin\\nouluo.exe /h" nouluo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nouluo = "C:\\Users\\Admin\\nouluo.exe /x" nouluo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nouluo = "C:\\Users\\Admin\\nouluo.exe /w" nouluo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nouluo = "C:\\Users\\Admin\\nouluo.exe /b" nouluo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nouluo = "C:\\Users\\Admin\\nouluo.exe /o" nouluo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nouluo = "C:\\Users\\Admin\\nouluo.exe /m" f8655c88b1cc2696a0acfc97a44264420a81e12a68f0cc145852f8337311680a.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nouluo = "C:\\Users\\Admin\\nouluo.exe /c" nouluo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nouluo = "C:\\Users\\Admin\\nouluo.exe /i" nouluo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nouluo = "C:\\Users\\Admin\\nouluo.exe /e" nouluo.exe Key created \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run\ nouluo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nouluo = "C:\\Users\\Admin\\nouluo.exe /m" nouluo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nouluo = "C:\\Users\\Admin\\nouluo.exe /y" nouluo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nouluo = "C:\\Users\\Admin\\nouluo.exe /q" nouluo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nouluo = "C:\\Users\\Admin\\nouluo.exe /a" nouluo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nouluo = "C:\\Users\\Admin\\nouluo.exe /r" nouluo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nouluo = "C:\\Users\\Admin\\nouluo.exe /k" nouluo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nouluo = "C:\\Users\\Admin\\nouluo.exe /v" nouluo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nouluo = "C:\\Users\\Admin\\nouluo.exe /s" nouluo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nouluo = "C:\\Users\\Admin\\nouluo.exe /p" nouluo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nouluo = "C:\\Users\\Admin\\nouluo.exe /t" nouluo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nouluo = "C:\\Users\\Admin\\nouluo.exe /g" nouluo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nouluo = "C:\\Users\\Admin\\nouluo.exe /u" nouluo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nouluo = "C:\\Users\\Admin\\nouluo.exe /z" nouluo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nouluo = "C:\\Users\\Admin\\nouluo.exe /j" nouluo.exe Set value (str) \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nouluo = "C:\\Users\\Admin\\nouluo.exe /l" nouluo.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
f8655c88b1cc2696a0acfc97a44264420a81e12a68f0cc145852f8337311680a.exenouluo.exepid process 4532 f8655c88b1cc2696a0acfc97a44264420a81e12a68f0cc145852f8337311680a.exe 4532 f8655c88b1cc2696a0acfc97a44264420a81e12a68f0cc145852f8337311680a.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe 4280 nouluo.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
f8655c88b1cc2696a0acfc97a44264420a81e12a68f0cc145852f8337311680a.exenouluo.exepid process 4532 f8655c88b1cc2696a0acfc97a44264420a81e12a68f0cc145852f8337311680a.exe 4280 nouluo.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
f8655c88b1cc2696a0acfc97a44264420a81e12a68f0cc145852f8337311680a.exedescription pid process target process PID 4532 wrote to memory of 4280 4532 f8655c88b1cc2696a0acfc97a44264420a81e12a68f0cc145852f8337311680a.exe nouluo.exe PID 4532 wrote to memory of 4280 4532 f8655c88b1cc2696a0acfc97a44264420a81e12a68f0cc145852f8337311680a.exe nouluo.exe PID 4532 wrote to memory of 4280 4532 f8655c88b1cc2696a0acfc97a44264420a81e12a68f0cc145852f8337311680a.exe nouluo.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f8655c88b1cc2696a0acfc97a44264420a81e12a68f0cc145852f8337311680a.exe"C:\Users\Admin\AppData\Local\Temp\f8655c88b1cc2696a0acfc97a44264420a81e12a68f0cc145852f8337311680a.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\nouluo.exe"C:\Users\Admin\nouluo.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\nouluo.exeFilesize
228KB
MD56ba44066cf67bdb56cb03d409ab5899c
SHA187e5c49bf935c13ee09148f00591f5d8196ff663
SHA2563991291788fe763963b1b32ad5e32ffe34d357604e84ec5bf0fc178d5c422417
SHA512fd9f296d017c19e2a1822f1721e905560e58451a3bb26410e3de5e37a10d9408b65a247dd6b2c7414ba04b2a93e7e097a474f2732dc115ab5b38c9c3452df972
-
C:\Users\Admin\nouluo.exeFilesize
228KB
MD56ba44066cf67bdb56cb03d409ab5899c
SHA187e5c49bf935c13ee09148f00591f5d8196ff663
SHA2563991291788fe763963b1b32ad5e32ffe34d357604e84ec5bf0fc178d5c422417
SHA512fd9f296d017c19e2a1822f1721e905560e58451a3bb26410e3de5e37a10d9408b65a247dd6b2c7414ba04b2a93e7e097a474f2732dc115ab5b38c9c3452df972
-
memory/4280-134-0x0000000000000000-mapping.dmp