Overview
overview
3Static
static
1nekonoelle...an.zip
windows7-x64
1nekonoelle...an.zip
windows10-2004-x64
1NekoNoelle...le.ini
windows7-x64
1NekoNoelle...le.ini
windows10-2004-x64
1NekoNoelle...nd.buf
windows7-x64
3NekoNoelle...nd.buf
windows10-2004-x64
3NekoNoelle...ody.ib
windows7-x64
3NekoNoelle...ody.ib
windows10-2004-x64
3NekoNoelle...se.dds
windows7-x64
3NekoNoelle...se.dds
windows10-2004-x64
3NekoNoelle...ap.dds
windows7-x64
3NekoNoelle...ap.dds
windows10-2004-x64
3NekoNoelle...ess.ib
windows7-x64
3NekoNoelle...ess.ib
windows10-2004-x64
3NekoNoelle...se.dds
windows7-x64
3NekoNoelle...se.dds
windows10-2004-x64
3NekoNoelle...ap.dds
windows7-x64
3NekoNoelle...ap.dds
windows10-2004-x64
3NekoNoelle...se.dds
windows7-x64
3NekoNoelle...se.dds
windows10-2004-x64
3NekoNoelle...ead.ib
windows7-x64
3NekoNoelle...ead.ib
windows10-2004-x64
3NekoNoelle...se.dds
windows7-x64
3NekoNoelle...se.dds
windows10-2004-x64
3NekoNoelle...ap.dds
windows7-x64
3NekoNoelle...ap.dds
windows10-2004-x64
3NekoNoelle...on.buf
windows7-x64
3NekoNoelle...on.buf
windows10-2004-x64
3NekoNoelle...rd.buf
windows7-x64
3NekoNoelle...rd.buf
windows10-2004-x64
3NekoNoelle...le.ini
windows7-x64
1NekoNoelle...le.ini
windows10-2004-x64
1Analysis
-
max time kernel
151s -
max time network
29s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
24/05/2023, 20:02
Static task
static1
Behavioral task
behavioral1
Sample
nekonoelle_103_by_nerujikan.zip
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral2
Sample
nekonoelle_103_by_nerujikan.zip
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
NekoNoelle[1.0.3] by Nerujikan/NekoNoelle/DISABLEDNoelle.ini
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral4
Sample
NekoNoelle[1.0.3] by Nerujikan/NekoNoelle/DISABLEDNoelle.ini
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
NekoNoelle[1.0.3] by Nerujikan/NekoNoelle/NoelleBlend.buf
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral6
Sample
NekoNoelle[1.0.3] by Nerujikan/NekoNoelle/NoelleBlend.buf
Resource
win10v2004-20230221-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
NekoNoelle[1.0.3] by Nerujikan/NekoNoelle/NoelleBody.ib
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral8
Sample
NekoNoelle[1.0.3] by Nerujikan/NekoNoelle/NoelleBody.ib
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
NekoNoelle[1.0.3] by Nerujikan/NekoNoelle/NoelleBodyDiffuse.dds
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral10
Sample
NekoNoelle[1.0.3] by Nerujikan/NekoNoelle/NoelleBodyDiffuse.dds
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
NekoNoelle[1.0.3] by Nerujikan/NekoNoelle/NoelleBodyLightMap.dds
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral12
Sample
NekoNoelle[1.0.3] by Nerujikan/NekoNoelle/NoelleBodyLightMap.dds
Resource
win10v2004-20230221-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
NekoNoelle[1.0.3] by Nerujikan/NekoNoelle/NoelleDress.ib
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral14
Sample
NekoNoelle[1.0.3] by Nerujikan/NekoNoelle/NoelleDress.ib
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
NekoNoelle[1.0.3] by Nerujikan/NekoNoelle/NoelleDressDiffuse.dds
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral16
Sample
NekoNoelle[1.0.3] by Nerujikan/NekoNoelle/NoelleDressDiffuse.dds
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
NekoNoelle[1.0.3] by Nerujikan/NekoNoelle/NoelleDressLightMap.dds
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral18
Sample
NekoNoelle[1.0.3] by Nerujikan/NekoNoelle/NoelleDressLightMap.dds
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
NekoNoelle[1.0.3] by Nerujikan/NekoNoelle/NoelleFaceHeadDiffuse.dds
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral20
Sample
NekoNoelle[1.0.3] by Nerujikan/NekoNoelle/NoelleFaceHeadDiffuse.dds
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
NekoNoelle[1.0.3] by Nerujikan/NekoNoelle/NoelleHead.ib
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral22
Sample
NekoNoelle[1.0.3] by Nerujikan/NekoNoelle/NoelleHead.ib
Resource
win10v2004-20230221-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
NekoNoelle[1.0.3] by Nerujikan/NekoNoelle/NoelleHeadDiffuse.dds
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral24
Sample
NekoNoelle[1.0.3] by Nerujikan/NekoNoelle/NoelleHeadDiffuse.dds
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
NekoNoelle[1.0.3] by Nerujikan/NekoNoelle/NoelleHeadLightMap.dds
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral26
Sample
NekoNoelle[1.0.3] by Nerujikan/NekoNoelle/NoelleHeadLightMap.dds
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
NekoNoelle[1.0.3] by Nerujikan/NekoNoelle/NoellePosition.buf
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral28
Sample
NekoNoelle[1.0.3] by Nerujikan/NekoNoelle/NoellePosition.buf
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
NekoNoelle[1.0.3] by Nerujikan/NekoNoelle/NoelleTexcoord.buf
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral30
Sample
NekoNoelle[1.0.3] by Nerujikan/NekoNoelle/NoelleTexcoord.buf
Resource
win10v2004-20230220-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
NekoNoelle[1.0.3] by Nerujikan/NekoNoelle2/DISABLEDNoelle.ini
Resource
win7-20230220-en
windows7-x64
Behavioral task
behavioral32
Sample
NekoNoelle[1.0.3] by Nerujikan/NekoNoelle2/DISABLEDNoelle.ini
Resource
win10v2004-20230220-en
windows10-2004-x64
General
-
Target
NekoNoelle[1.0.3] by Nerujikan/NekoNoelle/NoelleFaceHeadDiffuse.dds
-
Size
1.0MB
-
MD5
c960f0818ba2dac6c0b89e41f50399dd
-
SHA1
6784c241ff9906e5a32a8bbf4abf3c0cd78a50af
-
SHA256
f02c2326256fc4a2c521ff3afd4f852b549927ccbc8371d93b6a43fe9418cde2
-
SHA512
90b3fb62c8559acba0ce9dd9e00ba649e37895f4478cf1dbf092fe14f50bc5db6092710e67b3a1e19ed5be61283f78fe4753dfa104530f58f332d5922ace0535
-
SSDEEP
6144:B3AtMmpiLmYhFmTpKL54K3tLSlK7S0OSFImNnZ7qAkQQOvi7o5kCgkluuIgPAqxs:+Mxp0MVR9Mh4AQpgWYDAK
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_Classes\Local Settings rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\dds_auto_file\ rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\.dds\ = "dds_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\dds_auto_file\shell\Read rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\dds_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\dds_auto_file rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\.dds rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\dds_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000_CLASSES\dds_auto_file\shell\Read\command rundll32.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 528 AcroRd32.exe 528 AcroRd32.exe 528 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1336 wrote to memory of 1732 1336 cmd.exe 28 PID 1336 wrote to memory of 1732 1336 cmd.exe 28 PID 1336 wrote to memory of 1732 1336 cmd.exe 28 PID 1732 wrote to memory of 528 1732 rundll32.exe 29 PID 1732 wrote to memory of 528 1732 rundll32.exe 29 PID 1732 wrote to memory of 528 1732 rundll32.exe 29 PID 1732 wrote to memory of 528 1732 rundll32.exe 29
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\NekoNoelle[1.0.3] by Nerujikan\NekoNoelle\NoelleFaceHeadDiffuse.dds"1⤵
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\NekoNoelle[1.0.3] by Nerujikan\NekoNoelle\NoelleFaceHeadDiffuse.dds2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\NekoNoelle[1.0.3] by Nerujikan\NekoNoelle\NoelleFaceHeadDiffuse.dds"3⤵
- Suspicious use of SetWindowsHookEx
PID:528
-
-