b8628cd175e73fe1d8d51f0b15b4389b78dd12a2eb9ae8fdd286c11ca7cf43e9

General

Target

b8628cd175e73fe1d8d51f0b15b4389b78dd12a2eb9ae8fdd286c11ca7cf43e9.exe
Size

252KB
MD5

0539065b43e4e75d5e100593dd034f36
SHA1

bb173ebb6ebd0c1d47215c78647a539a70526632
SHA256

b8628cd175e73fe1d8d51f0b15b4389b78dd12a2eb9ae8fdd286c11ca7cf43e9
SHA512

d7d293c47862adf0f2789cd22304340cb7ca6db495883bac99e515941825b76abb04ca7cb637cc062d4c869594b778d81266eaab7d51bee5c55e80b437f38d21
SSDEEP

6144:Orh0e5rhVz84rjL1/gq0n74Gp+QFbLVBvOP+c+EdMUutF:+h0KrhK4rjL1/gq0n74Gp+QFbLV0+RUa

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

b8628cd175e73fe1d8d51f0b15b4389b78dd12a2eb9ae8fdd286c11ca7cf43e9.exenoikio.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	b8628cd175e73fe1d8d51f0b15b4389b78dd12a2eb9ae8fdd286c11ca7cf43e9.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	noikio.exe

Executes dropped EXE 1 IoCs

Processes:

noikio.exe

pid process

1712 noikio.exe

pid	process
1712	noikio.exe

Loads dropped DLL 2 IoCs

Processes:

b8628cd175e73fe1d8d51f0b15b4389b78dd12a2eb9ae8fdd286c11ca7cf43e9.exe

pid	process
1120	b8628cd175e73fe1d8d51f0b15b4389b78dd12a2eb9ae8fdd286c11ca7cf43e9.exe
1120	b8628cd175e73fe1d8d51f0b15b4389b78dd12a2eb9ae8fdd286c11ca7cf43e9.exe

Adds Run key to start application 2 TTPs 49 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

noikio.exeb8628cd175e73fe1d8d51f0b15b4389b78dd12a2eb9ae8fdd286c11ca7cf43e9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /k"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /L"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /e"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /C"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /g"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /X"	noikio.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\	b8628cd175e73fe1d8d51f0b15b4389b78dd12a2eb9ae8fdd286c11ca7cf43e9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /Q"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /T"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /A"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /i"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /m"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /n"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /c"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /S"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /w"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /P"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /B"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /K"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /y"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /E"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /o"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /O"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /z"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /a"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /j"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /b"	b8628cd175e73fe1d8d51f0b15b4389b78dd12a2eb9ae8fdd286c11ca7cf43e9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /J"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /I"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /U"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /f"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /h"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /Z"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /V"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /u"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /F"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /t"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /N"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /H"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /v"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /M"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /W"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /q"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /R"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /l"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /p"	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /x"	noikio.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\	noikio.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\noikio = "C:\\Users\\Admin\\noikio.exe /s"	noikio.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

b8628cd175e73fe1d8d51f0b15b4389b78dd12a2eb9ae8fdd286c11ca7cf43e9.exenoikio.exe

pid	process
1120	b8628cd175e73fe1d8d51f0b15b4389b78dd12a2eb9ae8fdd286c11ca7cf43e9.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe
1712	noikio.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

b8628cd175e73fe1d8d51f0b15b4389b78dd12a2eb9ae8fdd286c11ca7cf43e9.exenoikio.exe

pid process

1120 b8628cd175e73fe1d8d51f0b15b4389b78dd12a2eb9ae8fdd286c11ca7cf43e9.exe
1712 noikio.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

b8628cd175e73fe1d8d51f0b15b4389b78dd12a2eb9ae8fdd286c11ca7cf43e9.exe

description	pid	process	target process
PID 1120 wrote to memory of 1712	1120	b8628cd175e73fe1d8d51f0b15b4389b78dd12a2eb9ae8fdd286c11ca7cf43e9.exe	noikio.exe
PID 1120 wrote to memory of 1712	1120	b8628cd175e73fe1d8d51f0b15b4389b78dd12a2eb9ae8fdd286c11ca7cf43e9.exe	noikio.exe
PID 1120 wrote to memory of 1712	1120	b8628cd175e73fe1d8d51f0b15b4389b78dd12a2eb9ae8fdd286c11ca7cf43e9.exe	noikio.exe
PID 1120 wrote to memory of 1712	1120	b8628cd175e73fe1d8d51f0b15b4389b78dd12a2eb9ae8fdd286c11ca7cf43e9.exe	noikio.exe

C:\Users\Admin\AppData\Local\Temp\b8628cd175e73fe1d8d51f0b15b4389b78dd12a2eb9ae8fdd286c11ca7cf43e9.exe
"C:\Users\Admin\AppData\Local\Temp\b8628cd175e73fe1d8d51f0b15b4389b78dd12a2eb9ae8fdd286c11ca7cf43e9.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1120

C:\Users\Admin\noikio.exe
"C:\Users\Admin\noikio.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\noikio.exe

Filesize
252KB

MD5
8c07019dfbb143f103ad108eef93103b

SHA1
394c2b21738ca739e8d3c00f36938171cd4b17a1

SHA256
b9168016add6c87dfd36fe04449b87866d7444320271f5dcf1b4d7ee77a076ce

SHA512
b275c18378218e09b84228abcf4885aad5b7a96e7f833f0bb9cd32ddd73450fd65395a9dc22da039b3f6c27d792d70642ffdf68ec1b3964dd9fc9a7fe1bef52e

Download Submit
C:\Users\Admin\noikio.exe

Filesize
252KB

MD5
8c07019dfbb143f103ad108eef93103b

SHA1
394c2b21738ca739e8d3c00f36938171cd4b17a1

SHA256
b9168016add6c87dfd36fe04449b87866d7444320271f5dcf1b4d7ee77a076ce

SHA512
b275c18378218e09b84228abcf4885aad5b7a96e7f833f0bb9cd32ddd73450fd65395a9dc22da039b3f6c27d792d70642ffdf68ec1b3964dd9fc9a7fe1bef52e

Download Submit
\Users\Admin\noikio.exe

Filesize
252KB

MD5
8c07019dfbb143f103ad108eef93103b

SHA1
394c2b21738ca739e8d3c00f36938171cd4b17a1

SHA256
b9168016add6c87dfd36fe04449b87866d7444320271f5dcf1b4d7ee77a076ce

SHA512
b275c18378218e09b84228abcf4885aad5b7a96e7f833f0bb9cd32ddd73450fd65395a9dc22da039b3f6c27d792d70642ffdf68ec1b3964dd9fc9a7fe1bef52e

Download Submit
\Users\Admin\noikio.exe

Filesize
252KB

MD5
8c07019dfbb143f103ad108eef93103b

SHA1
394c2b21738ca739e8d3c00f36938171cd4b17a1

SHA256
b9168016add6c87dfd36fe04449b87866d7444320271f5dcf1b4d7ee77a076ce

SHA512
b275c18378218e09b84228abcf4885aad5b7a96e7f833f0bb9cd32ddd73450fd65395a9dc22da039b3f6c27d792d70642ffdf68ec1b3964dd9fc9a7fe1bef52e

Download Submit
memory/1120-56-0x0000000075291000-0x0000000075293000-memory.dmp

Filesize
8KB

Download
memory/1712-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads