aa934fadb092f1c9963d69b5b20e847cadf456a85d60622725b93eba0359ede9

General

Target

Notiom_Setup.exe
Size

366.2MB
MD5

830e85cc28b3f34f7d60452a62cb68e4
SHA1

447dcdf35f842399e7fb8774fded2d132fcf1c37
SHA256

aa934fadb092f1c9963d69b5b20e847cadf456a85d60622725b93eba0359ede9
SHA512

456ae63dd482a224550b4cf8640dbccf8a1e650f12ea648aff67436cf70da6714c4e3d7cf4600ff8f355ab3ab0807bc643827d30fe4dcebcd89b870df4093b84
SSDEEP

6291456:3Ba9L+p9JzwTd+gFrvvOaa8R9vnNA9V7DuFI9ZpMCeJ1duhTFSUbvM0l9NZjOTPN:3l9VwQ83Xxr/NA916cZmCeJ+Fvgq97Ox

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1696	Notiom_Setup.tmp
1968	7z.exe

Loads dropped DLL 1 IoCs

pid	Process
1968	7z.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	71	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4884	vlc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1696	Notiom_Setup.tmp
1696	Notiom_Setup.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4884	vlc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	1968	7z.exe
Token: 35	1968	7z.exe
Token: SeSecurityPrivilege	1968	7z.exe
Token: SeSecurityPrivilege	1968	7z.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1696	Notiom_Setup.tmp
4884	vlc.exe
4884	vlc.exe
4884	vlc.exe
4884	vlc.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4884	vlc.exe
4884	vlc.exe
4884	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4884	vlc.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 1696	5112	Notiom_Setup.exe	96
PID 5112 wrote to memory of 1696	5112	Notiom_Setup.exe	96
PID 5112 wrote to memory of 1696	5112	Notiom_Setup.exe	96
PID 1696 wrote to memory of 3428	1696	Notiom_Setup.tmp	110
PID 1696 wrote to memory of 3428	1696	Notiom_Setup.tmp	110
PID 1696 wrote to memory of 3428	1696	Notiom_Setup.tmp	110
PID 3428 wrote to memory of 1968	3428	CMD.exe	112
PID 3428 wrote to memory of 1968	3428	CMD.exe	112
PID 1696 wrote to memory of 4272	1696	Notiom_Setup.tmp	113
PID 1696 wrote to memory of 4272	1696	Notiom_Setup.tmp	113
PID 1696 wrote to memory of 4272	1696	Notiom_Setup.tmp	113
PID 1696 wrote to memory of 360	1696	Notiom_Setup.tmp	115
PID 1696 wrote to memory of 360	1696	Notiom_Setup.tmp	115
PID 1696 wrote to memory of 360	1696	Notiom_Setup.tmp	115
PID 1696 wrote to memory of 1416	1696	Notiom_Setup.tmp	118
PID 1696 wrote to memory of 1416	1696	Notiom_Setup.tmp	118
PID 1696 wrote to memory of 1416	1696	Notiom_Setup.tmp	118

C:\Users\Admin\AppData\Local\Temp\Notiom_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Notiom_Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Users\Admin\AppData\Local\Temp\is-GISAH.tmp\Notiom_Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-GISAH.tmp\Notiom_Setup.tmp" /SL5="$90050,383069178,1146880,C:\Users\Admin\AppData\Local\Temp\Notiom_Setup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Windows\SysWOW64\CMD.exe
    "CMD" /C "C:\Users\Admin\AppData\Roaming\NotiomApp\ValueSince.7z.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3428
  - - C:\Users\Admin\AppData\Roaming\NotiomApp\7z.exe
      "C:\Users\Admin\AppData\Roaming\NotiomApp\7z.exe" x -aoa "C:\Users\Admin\AppData\Roaming\NotiomApp\ValueSince.7z" -p"4da54277862cc1a4" -o"C:\Users\Admin\AppData\Roaming\NotiomApp\"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1968
- - C:\Windows\SysWOW64\CMD.exe
    "CMD" /C del "C:\Users\Admin\AppData\Roaming\NotiomApp\ValueSince.7z.bat"
    3⤵
    PID:4272
- - C:\Windows\SysWOW64\CMD.exe
    "CMD" /C del "ValueSince.7z"
    3⤵
    PID:360
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /C "C:\Users\Admin\AppData\Roaming\NotiomApp\Notiom Setup 2.0.53.exe"
    3⤵
    PID:1416

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\RestoreWrite.mp3"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-GISAH.tmp\Notiom_Setup.tmp

Filesize
3.3MB

MD5
d3b766e0579fe9e02e2f5ceaabb88932

SHA1
1fb2bb8c42e6a5aa1748810314e18e5de80ae70c

SHA256
cdc5e2a09f1121ea7c801ba636112934b7b9b17b9c9aae2ce71f5fef2e91ae86

SHA512
a3f976aa8e1e3b4b7c93ed7cb5f921e760780a8017b6663a0152124c7f7f9b2d41f491fbed331a68f0c096671a96e98505cc075d3cc10bdf80590d6b3343afa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GISAH.tmp\Notiom_Setup.tmp

Filesize
3.3MB

MD5
d3b766e0579fe9e02e2f5ceaabb88932

SHA1
1fb2bb8c42e6a5aa1748810314e18e5de80ae70c

SHA256
cdc5e2a09f1121ea7c801ba636112934b7b9b17b9c9aae2ce71f5fef2e91ae86

SHA512
a3f976aa8e1e3b4b7c93ed7cb5f921e760780a8017b6663a0152124c7f7f9b2d41f491fbed331a68f0c096671a96e98505cc075d3cc10bdf80590d6b3343afa4

Download Submit
C:\Users\Admin\AppData\Roaming\NotiomApp\7z.dll

Filesize
1.7MB

MD5
bbf51226a8670475f283a2d57460d46c

SHA1
6388883ced0ce14ede20c7798338673ff8d6204a

SHA256
73578f14d50f747efa82527a503f1ad542f9db170e2901eddb54d6bce93fc00e

SHA512
f68eb9c4ba0d923082107cff2f0e7f78e80be243b9d92cfab7298f59461fcca2c5c944d4577f161f11a2011c0958a3c32896eba4f0e89cd9f8aed97ab5bc74f9

Download Submit
C:\Users\Admin\AppData\Roaming\NotiomApp\7z.dll

Filesize
1.7MB

MD5
bbf51226a8670475f283a2d57460d46c

SHA1
6388883ced0ce14ede20c7798338673ff8d6204a

SHA256
73578f14d50f747efa82527a503f1ad542f9db170e2901eddb54d6bce93fc00e

SHA512
f68eb9c4ba0d923082107cff2f0e7f78e80be243b9d92cfab7298f59461fcca2c5c944d4577f161f11a2011c0958a3c32896eba4f0e89cd9f8aed97ab5bc74f9

Download Submit
C:\Users\Admin\AppData\Roaming\NotiomApp\7z.exe

Filesize
532KB

MD5
fe522d8659618e3a50aafd8ac1518638

SHA1
7d1b392121da91393f69d124928f9fe50d62f785

SHA256
254cf6411d38903b2440819f7e0a847f0cfee7f8096cfad9e90fea62f42b0c23

SHA512
fbbcb853b77ac038e4b7f7668e9fefdc7ba3592c6899cddfd72125d68d0b2d6b858baa3987907d58a5333ea9a4d5eb0ab8b7535a6263738f96212a6146c49b81

Download Submit
C:\Users\Admin\AppData\Roaming\NotiomApp\ValueSince.7z

Filesize
186B

MD5
0555a4d4918a77e2184c19e83331c340

SHA1
8288528c6055e223e83a10ad08cb923d9aa9ac4d

SHA256
74e5d32065383fa0c05d399d0d445851b0b278965d127b9c1763e8bf043f984a

SHA512
f3624a883cb32b0bf8eaad28c060e092ec1152c25c188788e6b00f9112c4687c8c616fbbc2190565e71754dcbb0480289d95073faa400fcb04778328cc8d112e

Download Submit
C:\Users\Admin\AppData\Roaming\NotiomApp\ValueSince.7z.bat

Filesize
180B

MD5
b9e26b6c24b6e2be22de4ffedd2f657a

SHA1
65599a65d680cc39801f4ef79520e704498a5c6e

SHA256
33314da53e528dc2449b5afad80c4666078d5dc2a5d6fb6719295b7b937f0add

SHA512
087cbce2bd4eebd64b4cdd8200a16857b60971c262c41063f488af3290aa68380091b5e93c2d7d2f9e862ec2d323ffcefa3bf484e2d2a5c36b3548e225cfdebf

Download Submit
C:\Users\Admin\AppData\Roaming\NotiomApp\ValueSince.7z.txt

Filesize
25B

MD5
3df47a3809ad575bd7d6e8ebf0338fda

SHA1
d28042b5968f955c5cf8297a029d5951d1c9d7fe

SHA256
6a8320064bfdc9530636dacc1474e98437ba3291fca337aa91d35d90204e9bea

SHA512
7d60d92841c3d0dc86af5c97edf2b53c47f942df31534513220bf2aaffe4ff93c8a06ea74d99228aad74304d945e1df85d11743174efd103c6c34df0eeff7579

Download Submit
memory/1696-6-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/1696-39-0x0000000000400000-0x0000000000761000-memory.dmp

Filesize
3.4MB

Download
memory/1696-37-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/1696-36-0x0000000000400000-0x0000000000761000-memory.dmp

Filesize
3.4MB

Download
memory/1696-43-0x0000000000400000-0x0000000000761000-memory.dmp

Filesize
3.4MB

Download
memory/1696-70-0x0000000000400000-0x0000000000761000-memory.dmp

Filesize
3.4MB

Download
memory/1696-41-0x0000000000400000-0x0000000000761000-memory.dmp

Filesize
3.4MB

Download
memory/1696-72-0x0000000000400000-0x0000000000761000-memory.dmp

Filesize
3.4MB

Download
memory/4884-82-0x00007FFBAB520000-0x00007FFBAB554000-memory.dmp

Filesize
208KB

Download
memory/4884-84-0x00007FFB99010000-0x00007FFB9A0BB000-memory.dmp

Filesize
16.7MB

Download
memory/4884-83-0x00007FFB9AB10000-0x00007FFB9ADC4000-memory.dmp

Filesize
2.7MB

Download
memory/4884-81-0x00007FF72CBD0000-0x00007FF72CCC8000-memory.dmp

Filesize
992KB

Download
memory/5112-73-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/5112-1-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download
memory/5112-27-0x0000000000400000-0x0000000000525000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing