8f63e5104e3370a9076890ccfdf42770a44dac3d6a21e9dcc63876ba8df1ec4f

Analysis

max time kernel
150s
max time network
81s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 10:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8f63e5104e3370a9076890ccfdf42770a44dac3d6a21e9dcc63876ba8df1ec4f.exe
Size

268KB
MD5

5a58f8e02b74e10bec3c5c08e4d799d1
SHA1

7718b32f36ff2e6206046436b4711cd2e3aa5d04
SHA256

8f63e5104e3370a9076890ccfdf42770a44dac3d6a21e9dcc63876ba8df1ec4f
SHA512

412d2ca32dc94b6dd7d9f806cc1c6403d1d5e50ab8bbfd08fb86ab656d27623a6df2c9b63f71c332911f0820ac58fa3122552fb8cdbac065bc6c22001264062c
SSDEEP

6144:Sawz2Eu+yV2PL9JhCNjKV6MG31luID8NLJTPxhMbmNPjiiSI5:SLMs0Nz8tJTZhMiiQ

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	8f63e5104e3370a9076890ccfdf42770a44dac3d6a21e9dcc63876ba8df1ec4f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	noexeo.exe

Executes dropped EXE 1 IoCs

pid	Process
1520	noexeo.exe

Loads dropped DLL 2 IoCs

pid	Process
1672	8f63e5104e3370a9076890ccfdf42770a44dac3d6a21e9dcc63876ba8df1ec4f.exe
1672	8f63e5104e3370a9076890ccfdf42770a44dac3d6a21e9dcc63876ba8df1ec4f.exe

Adds Run key to start application 2 TTPs 29 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\noexeo = "C:\\Users\\Admin\\noexeo.exe /e"	noexeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\noexeo = "C:\\Users\\Admin\\noexeo.exe /h"	noexeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\noexeo = "C:\\Users\\Admin\\noexeo.exe /c"	noexeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\noexeo = "C:\\Users\\Admin\\noexeo.exe /u"	noexeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\noexeo = "C:\\Users\\Admin\\noexeo.exe /j"	noexeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\noexeo = "C:\\Users\\Admin\\noexeo.exe /n"	noexeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\noexeo = "C:\\Users\\Admin\\noexeo.exe /w"	noexeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\noexeo = "C:\\Users\\Admin\\noexeo.exe /o"	noexeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\noexeo = "C:\\Users\\Admin\\noexeo.exe /r"	noexeo.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	8f63e5104e3370a9076890ccfdf42770a44dac3d6a21e9dcc63876ba8df1ec4f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\noexeo = "C:\\Users\\Admin\\noexeo.exe /n"	8f63e5104e3370a9076890ccfdf42770a44dac3d6a21e9dcc63876ba8df1ec4f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\noexeo = "C:\\Users\\Admin\\noexeo.exe /a"	noexeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\noexeo = "C:\\Users\\Admin\\noexeo.exe /p"	noexeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\noexeo = "C:\\Users\\Admin\\noexeo.exe /g"	noexeo.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	noexeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\noexeo = "C:\\Users\\Admin\\noexeo.exe /v"	noexeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\noexeo = "C:\\Users\\Admin\\noexeo.exe /s"	noexeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\noexeo = "C:\\Users\\Admin\\noexeo.exe /d"	noexeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\noexeo = "C:\\Users\\Admin\\noexeo.exe /i"	noexeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\noexeo = "C:\\Users\\Admin\\noexeo.exe /l"	noexeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\noexeo = "C:\\Users\\Admin\\noexeo.exe /z"	noexeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\noexeo = "C:\\Users\\Admin\\noexeo.exe /x"	noexeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\noexeo = "C:\\Users\\Admin\\noexeo.exe /b"	noexeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\noexeo = "C:\\Users\\Admin\\noexeo.exe /y"	noexeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\noexeo = "C:\\Users\\Admin\\noexeo.exe /q"	noexeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\noexeo = "C:\\Users\\Admin\\noexeo.exe /m"	noexeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\noexeo = "C:\\Users\\Admin\\noexeo.exe /k"	noexeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\noexeo = "C:\\Users\\Admin\\noexeo.exe /t"	noexeo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\noexeo = "C:\\Users\\Admin\\noexeo.exe /f"	noexeo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1672	8f63e5104e3370a9076890ccfdf42770a44dac3d6a21e9dcc63876ba8df1ec4f.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe
1520	noexeo.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1672	8f63e5104e3370a9076890ccfdf42770a44dac3d6a21e9dcc63876ba8df1ec4f.exe
1520	noexeo.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1520	1672	8f63e5104e3370a9076890ccfdf42770a44dac3d6a21e9dcc63876ba8df1ec4f.exe	27
PID 1672 wrote to memory of 1520	1672	8f63e5104e3370a9076890ccfdf42770a44dac3d6a21e9dcc63876ba8df1ec4f.exe	27
PID 1672 wrote to memory of 1520	1672	8f63e5104e3370a9076890ccfdf42770a44dac3d6a21e9dcc63876ba8df1ec4f.exe	27
PID 1672 wrote to memory of 1520	1672	8f63e5104e3370a9076890ccfdf42770a44dac3d6a21e9dcc63876ba8df1ec4f.exe	27

C:\Users\Admin\AppData\Local\Temp\8f63e5104e3370a9076890ccfdf42770a44dac3d6a21e9dcc63876ba8df1ec4f.exe
"C:\Users\Admin\AppData\Local\Temp\8f63e5104e3370a9076890ccfdf42770a44dac3d6a21e9dcc63876ba8df1ec4f.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\noexeo.exe
  "C:\Users\Admin\noexeo.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\noexeo.exe

Filesize
268KB

MD5
19028ba619eb4f7d347a8bd37e76df88

SHA1
e8dce6cc9d1bc20c948912f8106aafcc7482b915

SHA256
83e58bfb58963b96dc52535b0f6294cc373bf0d0b2c85ceebf15809268d5db1d

SHA512
a4f13d43b15d952cd306bbac054bdcc6eb052b6c838891771179b7175c4413be4eed641355beb2a966383f6b0b4327271744dfd5387d5683a467a22008846488

Download Submit
C:\Users\Admin\noexeo.exe

Filesize
268KB

MD5
19028ba619eb4f7d347a8bd37e76df88

SHA1
e8dce6cc9d1bc20c948912f8106aafcc7482b915

SHA256
83e58bfb58963b96dc52535b0f6294cc373bf0d0b2c85ceebf15809268d5db1d

SHA512
a4f13d43b15d952cd306bbac054bdcc6eb052b6c838891771179b7175c4413be4eed641355beb2a966383f6b0b4327271744dfd5387d5683a467a22008846488

Download Submit
\Users\Admin\noexeo.exe

Filesize
268KB

MD5
19028ba619eb4f7d347a8bd37e76df88

SHA1
e8dce6cc9d1bc20c948912f8106aafcc7482b915

SHA256
83e58bfb58963b96dc52535b0f6294cc373bf0d0b2c85ceebf15809268d5db1d

SHA512
a4f13d43b15d952cd306bbac054bdcc6eb052b6c838891771179b7175c4413be4eed641355beb2a966383f6b0b4327271744dfd5387d5683a467a22008846488

Download Submit
\Users\Admin\noexeo.exe

Filesize
268KB

MD5
19028ba619eb4f7d347a8bd37e76df88

SHA1
e8dce6cc9d1bc20c948912f8106aafcc7482b915

SHA256
83e58bfb58963b96dc52535b0f6294cc373bf0d0b2c85ceebf15809268d5db1d

SHA512
a4f13d43b15d952cd306bbac054bdcc6eb052b6c838891771179b7175c4413be4eed641355beb2a966383f6b0b4327271744dfd5387d5683a467a22008846488

Download Submit
memory/1672-56-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download