Analysis
max time kernel: 150s
max time network: 145s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25/12/2023, 04:45

Static task: static1
Behavioral task: behavioral1
Sample: 05e7034160522201de6324078818b562.exe
Resource: win7-20231215-en

General
Target: 05e7034160522201de6324078818b562.exe
Size: 512KB
MD5: 05e7034160522201de6324078818b562
SHA1: 29d72e130ce958186446839139d25e0415cdc587
SHA256: 8679615f3852762d7dd71fcd657b86cdf0c4f56dcf3e6e991b65770752c57bfe
SHA512: 5d566113f3ed3df1a4baebc8ce80a300901a5ab8e20dafaabf33e824c26191f4281c64a783901743ebd71e69602b239f4158819a536e3d147d7e629c5efe4e9a
SSDEEP: 12288:WNge6O1X/GkpN4hpCHvmc+5zR2JqaAwUKPF2mqhScG:Q96SPGm4b06aqpwl2mqIc

Malware Config
Signatures

Modifies security service 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" | 3nob.exe

Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | naoquo.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | vrSlJ6C3.exe

Disables taskbar notifications via registry modification

Modifies Installed Components in the registry 2 TTPs 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe

Deletes itself 1 IoCs
pid | Process
2804 | cmd.exe

Executes dropped EXE 12 IoCs
pid | Process
2988 | vrSlJ6C3.exe
2544 | naoquo.exe
2844 | 2nob.exe
2432 | 2nob.exe
3024 | 2nob.exe
1448 | 2nob.exe
2700 | 2nob.exe
1976 | 2nob.exe
1460 | 3nob.exe
1376 | 3nob.exe
1160 | FEF8.tmp
2272 | 3nob.exe

Loads dropped DLL 17 IoCs
pid | Process
2232 | 05e7034160522201de6324078818b562.exe (×2)
2988 | vrSlJ6C3.exe (×2)
2232 | 05e7034160522201de6324078818b562.exe (×2)
1644 | WerFault.exe (×7)
2232 | 05e7034160522201de6324078818b562.exe (×2)
1460 | 3nob.exe (×2)

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

resource | yara_rule
behavioral1/memory/3024-43-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/3024-45-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/3024-48-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/1448-59-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/3024-61-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/1448-57-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/1448-69-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2700-70-0x0000000000400000-0x0000000000407000-memory.dmp | upx
behavioral1/memory/1448-64-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2700-72-0x0000000000400000-0x0000000000407000-memory.dmp | upx
behavioral1/memory/1448-74-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/1448-76-0x0000000000400000-0x0000000000455000-memory.dmp | upx
behavioral1/memory/2700-79-0x0000000000400000-0x0000000000407000-memory.dmp | upx
behavioral1/memory/2700-84-0x0000000000400000-0x0000000000407000-memory.dmp | upx
behavioral1/memory/2700-87-0x0000000000400000-0x0000000000407000-memory.dmp | upx
behavioral1/memory/1976-88-0x0000000000400000-0x000000000040A000-memory.dmp | upx
behavioral1/memory/1976-98-0x0000000000400000-0x000000000040A000-memory.dmp | upx
behavioral1/memory/1976-102-0x0000000000400000-0x000000000040A000-memory.dmp | upx
behavioral1/memory/1976-107-0x0000000000400000-0x000000000040A000-memory.dmp | upx
behavioral1/memory/1976-106-0x0000000000400000-0x000000000040A000-memory.dmp | upx
behavioral1/memory/2700-86-0x0000000000400000-0x0000000000407000-memory.dmp | upx
behavioral1/memory/1976-112-0x0000000000400000-0x000000000040A000-memory.dmp | upx
behavioral1/memory/1976-113-0x0000000000400000-0x000000000040A000-memory.dmp | upx
behavioral1/memory/1976-109-0x0000000000400000-0x000000000040A000-memory.dmp | upx
behavioral1/memory/1976-108-0x0000000000400000-0x000000000040A000-memory.dmp | upx
behavioral1/memory/3024-56-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/3024-55-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/3024-52-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/3024-51-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/3024-123-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral1/memory/2700-126-0x0000000000400000-0x0000000000407000-memory.dmp | upx
behavioral1/memory/1460-128-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral1/memory/1460-130-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral1/memory/1460-134-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral1/memory/1460-141-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral1/memory/1376-217-0x0000000000400000-0x000000000046A000-memory.dmp | upx
behavioral1/memory/2272-361-0x0000000000400000-0x000000000046A000-memory.dmp | upx

Adds Run key to start application 2 TTPs 54 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /m" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /B" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /G" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /g" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /i" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /T" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /b" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /N" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /j" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /y" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /D" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /o" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /l" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /q" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /Y" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /F" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /O" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /C" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /H" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /K" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /A" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /P" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /R" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /u" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /L" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /R" | vrSlJ6C3.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /I" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /n" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /X" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /p" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /r" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /Q" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /V" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /J" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /x" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /v" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /k" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /S" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /f" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /z" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /w" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /c" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /a" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /h" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /M" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /t" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /Z" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /U" | naoquo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\88C.exe = "C:\\Program Files (x86)\\LP\\F37A\\88C.exe" | 3nob.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /s" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /d" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /E" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /W" | naoquo.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\naoquo = "C:\\Users\\Admin\\naoquo.exe /e" | naoquo.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 2nob.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 2nob.exe

Suspicious use of SetThreadContext 5 IoCs
description | pid | Process | procid_target
PID 2844 set thread context of 2432 | 2844 | 2nob.exe | 35
PID 2844 set thread context of 3024 | 2844 | 2nob.exe | 36
PID 2844 set thread context of 1448 | 2844 | 2nob.exe | 37
PID 2844 set thread context of 2700 | 2844 | 2nob.exe | 38
PID 2844 set thread context of 1976 | 2844 | 2nob.exe | 40

Drops file in Program Files directory 3 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\LP\F37A\88C.exe | 3nob.exe
File opened for modification | C:\Program Files (x86)\LP\F37A\FEF8.tmp | 3nob.exe
File opened for modification | C:\Program Files (x86)\LP\F37A\88C.exe | 3nob.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 1 IoCs
pid | pid_target | Process | procid_target
1644 | 1448 | WerFault.exe | 37

Enumerates processes with tasklist 1 TTPs 2 IoCs
pid | Process
2324 | tasklist.exe
1172 | tasklist.exe

Modifies registry class 5 IoCs
description | ioc | Process
Set value (data) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (distinct pid/process pairs; 64 events in total)
2988 | vrSlJ6C3.exe
3024 | 2nob.exe
2544 | naoquo.exe
1460 | 3nob.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1172 | tasklist.exe
Token: SeRestorePrivilege | 1632 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1632 | msiexec.exe
Token: SeSecurityPrivilege | 1632 | msiexec.exe
Token: SeDebugPrivilege | 2324 | tasklist.exe
Token: SeShutdownPrivilege | 2460 | explorer.exe (×12)

Suspicious use of FindShellTrayWindow 28 IoCs
pid | Process
2460 | explorer.exe (×28)

Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
2460 | explorer.exe (×18)

Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
2232 | 05e7034160522201de6324078818b562.exe
2988 | vrSlJ6C3.exe
2544 | naoquo.exe
2844 | 2nob.exe
2700 | 2nob.exe
1976 | 2nob.exe

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2232 wrote to memory of 2988 | 2232 | 05e7034160522201de6324078818b562.exe | 28 (×4)
PID 2988 wrote to memory of 2544 | 2988 | vrSlJ6C3.exe | 29 (×4)
PID 2988 wrote to memory of 1736 | 2988 | vrSlJ6C3.exe | 30 (×4)
PID 1736 wrote to memory of 1172 | 1736 | cmd.exe | 32 (×4)
PID 2232 wrote to memory of 2844 | 2232 | 05e7034160522201de6324078818b562.exe | 33 (×4)
PID 2844 wrote to memory of 2432 | 2844 | 2nob.exe | 35 (×5)
PID 2844 wrote to memory of 3024 | 2844 | 2nob.exe | 36 (×8)
PID 2844 wrote to memory of 1448 | 2844 | 2nob.exe | 37 (×8)
PID 2844 wrote to memory of 2700 | 2844 | 2nob.exe | 38 (×8)
PID 2844 wrote to memory of 1976 | 2844 | 2nob.exe | 40 (×4)
PID 1448 wrote to memory of 1644 | 1448 | 2nob.exe | 39 (×4)
PID 2844 wrote to memory of 1976 | 2844 | 2nob.exe | 40 (×4)
PID 2232 wrote to memory of 1460 | 2232 | 05e7034160522201de6324078818b562.exe | 41 (×3)

System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | 3nob.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | 3nob.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes
(indentation and the bracketed number give the depth of each process in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\05e7034160522201de6324078818b562.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\05e7034160522201de6324078818b562.exe"
    PID: 2232
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\vrSlJ6C3.exe
        Command line: C:\Users\Admin\vrSlJ6C3.exe
        PID: 2988
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\naoquo.exe
            Command line: "C:\Users\Admin\naoquo.exe"
            PID: 2544
            - Modifies visibility of hidden/system files in Explorer
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of SetWindowsHookEx

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del vrSlJ6C3.exe
            PID: 1736
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\tasklist.exe
                Command line: tasklist
                PID: 1172
                - Enumerates processes with tasklist
                - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\2nob.exe
        Command line: C:\Users\Admin\2nob.exe
        PID: 2844
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\2nob.exe
            Command line: "C:\Users\Admin\2nob.exe"
            PID: 2432
            - Executes dropped EXE

        [3] C:\Users\Admin\2nob.exe
            Command line: "C:\Users\Admin\2nob.exe"
            PID: 3024
            - Executes dropped EXE
            - Maps connected drives based on registry
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Users\Admin\2nob.exe
            Command line: "C:\Users\Admin\2nob.exe"
            PID: 1448
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 100
                PID: 1644
                - Loads dropped DLL
                - Program crash

        [3] C:\Users\Admin\2nob.exe
            Command line: "C:\Users\Admin\2nob.exe"
            PID: 2700
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx

        [3] C:\Users\Admin\2nob.exe
            Command line: "C:\Users\Admin\2nob.exe"
            PID: 1976
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx

    [2] C:\Users\Admin\3nob.exe
        Command line: C:\Users\Admin\3nob.exe
        PID: 1460
        - Modifies security service
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - System policy modification

        [3] C:\Users\Admin\3nob.exe
            Command line: C:\Users\Admin\3nob.exe startC:\Users\Admin\AppData\Roaming\A6A96\03EF3.exe%C:\Users\Admin\AppData\Roaming\A6A96
            PID: 1376
            - Executes dropped EXE

        [3] C:\Program Files (x86)\LP\F37A\FEF8.tmp
            Command line: "C:\Program Files (x86)\LP\F37A\FEF8.tmp"
            PID: 1160
            - Executes dropped EXE

        [3] C:\Users\Admin\3nob.exe
            Command line: C:\Users\Admin\3nob.exe startC:\Program Files (x86)\96F92\lvvm.exe%C:\Program Files (x86)\96F92
            PID: 2272
            - Executes dropped EXE

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del 05e7034160522201de6324078818b562.exe
        PID: 2804
        - Deletes itself

        [3] C:\Windows\SysWOW64\tasklist.exe
            Command line: tasklist
            PID: 2324
            - Enumerates processes with tasklist
            - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /V
    PID: 1632
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\explorer.exe
    Command line: explorer.exe
    PID: 2460
    - Modifies Installed Components in the registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

Network

MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (2)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (5)

Downloads

Filesize: 125KB
MD5: 4e63eb49570bccc05858aa1b45dac020
SHA1: 6e8c96b8a2607e4b54117355725e6c87d524cb56
SHA256: 1f70aadf0951afa756d8f1f974a7c929d2bcee1d5b98fb449e707467146baeb4
SHA512: 5323e5be565759592e84521af89807b1b52174b77363b7d2f8ca3f1348a4ab00df80e07fc82e71a185c0c6d9e7d318d91b9e3838055736ee691e8a6e271019d4

Filesize: 1KB
MD5: 3d570c210fb024b7cbf4b09e9633caa0
SHA1: 25faced7d56d8eddbe7828c42f4dc5f585994f7a
SHA256: aad966dfa2ae28f8931dcf5391e83c07d54b68a4b0bd736d2ee14bf9c3cf3740
SHA512: a9a4622bd5a7a7ec275c9ad7e97772f4365f8cfac6b5e7e1f9e761b7d418d7ac1a52e1e6ab90c085babab9e143b974fcf44fba203e630d8d28bfcb1dd11f1935

Filesize: 272KB
MD5: 7ddee7ec4bd22ba0b43bc4105e5b7901
SHA1: 9fb11a97faff55730d5f838db2bfd5dbcce9f0b6
SHA256: e765624ac2a2e40e95befcf847804345e74d3a35872f279c5d86f6a0dc51071f
SHA512: c1307d2851949d8809a71f3255cabfb18c2b9e5a41633bf09192ccf778026f894e0b6564502763bac440b1442e2b6fcff90e8b0090b9503290bd140875ea62fc

Filesize: 600B
MD5: 06271584bb50ffba5efbaeb14a25252c
SHA1: cb7806d89b23562e9ecac2456c8838de6f1c9a7d
SHA256: 9a3407de338956cc51426d1322ef3081c8f64f386a300ad6f9351de3bb0b8717
SHA512: 581517e0ad4f56532ce27fb51421c20a7a88be801bf24d51d2bdf8802f6b6351a6fa215033eb80b181b4b8cad5f47552a7bcad46a331b7c2819af55c3ef8c5fb

Filesize: 897B
MD5: 0536693024e452c275bd239e1ac52085
SHA1: 0628804cd88e0896bd781443ca3d779f9205412a
SHA256: e4c80362fa69c0611e79f76ad19c923a1db1b8a82d5f842f440b7fe6a67dc4c4
SHA512: 5cbacca89d0ac9ec329a180be9ebacd2178287afaf9b05b5d9f11a0d69797b584e6f0b97b7152288fe5b569058927e2261798294a36c3c46001337aa53cfa159

Filesize: 1KB
MD5: b6f6788bd284e192dd1882d14333f3b7
SHA1: 36c380087613f808c604b93e406ad67a45ad163c
SHA256: 13d0fbb28de36e98bded8c9f4df5b791a7bdc4253647beff1ba09340df579dac
SHA512: a6d175b46ea9e100706730ffd13ce1b3b5380ed383b31a479c56489968c5e2bb72b2c9b6d0314cc5cd3be918e27b90534c83c5dcd6c65ad455335da2095da8e5

Filesize: 96KB
MD5: 74a1e9547eb8c42e9ca482c5c8bdd261
SHA1: c56c60e84b4ef45065289636cfdfab21654acdb3
SHA256: f4ac8ead1ff2f95c2b50405531d433d7af912b8f848095d3cb00401576ee90fb
SHA512: ae90627a5f1485383b6de178aea4b36f9e44891d78fe5a274d1632727dd71906061323725a7c3c106b039cb65e10ea7e9c7d277ce35fb0ac6458fdc3e346ecb9

Filesize: 148KB
MD5: b7146cf0b0ce852ffb2edc1b43499d36
SHA1: 7a65b2d9a243f0a9d5e1d22e19619c9b057cfdf7
SHA256: 3c553adafe4adc74c390d9190aca168b822a902bbab695988de7efe30b2c3f4d
SHA512: d182fb2afe61832da56b7446de87ca8f65965b7a0cc284dd4d51df0453d304c157e2dea302239f038e71f73f7dd662d138903366367601b42aa3c4b03416a711

Filesize: 180KB
MD5: 790652deb064b56f35df2755aa75d836
SHA1: 43c010ef7aab7696383888d394ac85bfda57866d
SHA256: c658fe61eff83aa4fba88ab5925b3b4488ef4350163e638d65e5deba84cc7ff9
SHA512: 359657ac9a740a7bf4e14c5ca0f7c15436860db7548ddbdf8c602e2d95a6cf1d4bc3e1203ab2128c61f913aeb8fd5cc031d7b0ad3e9b7a61609b65fd6d87d7d5

Filesize: 180KB
MD5: 7401ba7763fe55ddc93dd8bac9ec9879
SHA1: 0dcdcf981aa98b878e311626478bf71545051ecd
SHA256: 4cba3615f537b6273a7fa8be2f96942b27dc858fa1cd217f8db1ab1a5ffb21ab
SHA512: 57b744717249d6e97b90a09c2a5e5636df6ebc0f6c1a48fac27ce536391b3bc31b1554e1ac252aa26d40f15b7f039d6c9b25df782db0ab55155284fc9d601d8c