Analysis
-
max time kernel
161s -
max time network
168s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system -
submitted
13/02/2024, 05:57
Static task
static1
Behavioral task
behavioral1
Sample
98a5c8ef85c3e1a1db2162e0da2fb7ee.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
98a5c8ef85c3e1a1db2162e0da2fb7ee.exe
Resource
win10v2004-20231215-en
General
-
Target
98a5c8ef85c3e1a1db2162e0da2fb7ee.exe
-
Size
156KB
-
MD5
98a5c8ef85c3e1a1db2162e0da2fb7ee
-
SHA1
10bf7efcf63d37dcc9fcb1457560f1804f16974a
-
SHA256
3e6e580b858b29c962266a76471aae36c2df80e0d799842e07344c733d31e368
-
SHA512
87ddf5cc2dbfa52c9bf4b4e5b7d4927d35cf1b45b17ae954458a4ff9b267400a477b3921eebd84996941f25c3b84ed732f1e5211596ee6ae1f67e6eb7d101118
-
SSDEEP
3072:bAEcTATe0pBI1xkaGU0vBpT8k/QvbawuxtUYqBd5hAmamQAMHfhRvuWxx0g4oQZq:bXc4e0pBI1xkaH0vBpT8kltDr8L5DMHZ
Malware Config
Signatures
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 98a5c8ef85c3e1a1db2162e0da2fb7ee.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | nokul.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | 98a5c8ef85c3e1a1db2162e0da2fb7ee.exe -
Executes dropped EXE 1 IoCs
pid | Process
4032 | nokul.exe -
Adds Run key to start application 2 TTPs 51 IoCs
description | ioc | Process
All 51 entries write the same value, \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nokul, and the same command, "C:\\Users\\Admin\\nokul.exe", followed by a single-letter switch. Only the switch and the writing process vary; the entries are listed in the order logged.
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /h" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /V" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /K" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /p" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /w" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /o" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /R" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /H" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /P" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /Q" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /l" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /g" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /C" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /N" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /m" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /E" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /i" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /I" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /a" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /Z" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /U" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /U" | 98a5c8ef85c3e1a1db2162e0da2fb7ee.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /D" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /X" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /B" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /z" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /W" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /q" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /b" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /e" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /k" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /r" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /c" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /L" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /S" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /T" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /Y" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /G" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /u" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /t" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /f" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /n" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /F" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /A" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /y" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /J" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /M" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /v" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /s" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /O" | nokul.exe
Set value (str) | Run\nokul = "C:\\Users\\Admin\\nokul.exe /x" | nokul.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | occurrences
2488 | 98a5c8ef85c3e1a1db2162e0da2fb7ee.exe | 2
4032 | nokul.exe | 62 -
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2488 | 98a5c8ef85c3e1a1db2162e0da2fb7ee.exe
4032 | nokul.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 2488 wrote to memory of 4032 | 2488 | 98a5c8ef85c3e1a1db2162e0da2fb7ee.exe | 87
PID 2488 wrote to memory of 4032 | 2488 | 98a5c8ef85c3e1a1db2162e0da2fb7ee.exe | 87
PID 2488 wrote to memory of 4032 | 2488 | 98a5c8ef85c3e1a1db2162e0da2fb7ee.exe | 87
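The registry signatures above (a Run value pointing at an executable in the user profile, rewritten dozens of times with single-letter switches, and ShowSuperHidden forced to 0) are the part of this report that transfers directly to host telemetry. The script below is an added example, not part of the sandbox report: it runs three checks over constructed Sysmon-style EventID 13 (RegistryEvent, value set) records modelled on the IoCs listed here. The record layout (Image, TargetObject, Details) and the "DWORD (0x00000000)" detail format follow Sysmon's output; the benign Program Files entry and the churn threshold of 5 are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed Sysmon EventID 13 records modelled on the report's IoCs.
# These are illustrative, not captured telemetry.
SID = "S-1-5-21-3073191680-435865314-2862784915-1000"
RUN_KEY = r"HKU\%s\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nokul" % SID
ADV_KEY = (r"HKU\%s\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Advanced\ShowSuperHidden" % SID)
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\98a5c8ef85c3e1a1db2162e0da2fb7ee.exe"
DROPPED = r"C:\Users\Admin\nokul.exe"

SAMPLE_EVENTS = [
    {"Image": SAMPLE, "TargetObject": ADV_KEY, "Details": "DWORD (0x00000000)"},
    {"Image": SAMPLE, "TargetObject": RUN_KEY, "Details": DROPPED + " /U"},
    # The first eleven switch variants from the report, written by nokul.exe.
    *[{"Image": DROPPED, "TargetObject": RUN_KEY, "Details": DROPPED + " /" + sw}
      for sw in "hVKpwoRHPQl"],
    # Assumed benign control: a vendor installer registering its updater.
    {"Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKU\%s\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdate" % SID,
     "Details": r"C:\Program Files\Vendor\update.exe /silent"},
]

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE_RE = re.compile(r'^"?[A-Z]:\\(Users|ProgramData)\\', re.I)
SUPERHIDDEN_RE = re.compile(r"\\Explorer\\Advanced\\ShowSuperHidden$", re.I)


def run_key_to_user_path(ev):
    """Run/RunOnce value whose command starts in a user-writable directory."""
    return bool(RUN_KEY_RE.search(ev["TargetObject"])
                and USER_WRITABLE_RE.match(ev["Details"]))


def hides_super_hidden(ev):
    """ShowSuperHidden set to 0: protected OS files are hidden again in Explorer."""
    return bool(SUPERHIDDEN_RE.search(ev["TargetObject"])
                and ev["Details"].strip().lower() == "dword (0x00000000)")


def run_key_churn(events, threshold=5):
    """Same image rewriting the same Run value with >= threshold distinct
    command lines, the single-letter-switch pattern seen in the report.
    Returns {(image, target): distinct_value_count}."""
    seen = defaultdict(set)
    for ev in events:
        if RUN_KEY_RE.search(ev["TargetObject"]):
            seen[(ev["Image"], ev["TargetObject"])].add(ev["Details"])
    return {k: len(v) for k, v in seen.items() if len(v) >= threshold}


def triage(events):
    """Apply all three checks; returns a list of (rule, image, detail) hits."""
    hits = []
    for ev in events:
        if run_key_to_user_path(ev):
            hits.append(("run_key_user_path", ev["Image"], ev["Details"]))
        if hides_super_hidden(ev):
            hits.append(("showsuperhidden_disabled", ev["Image"], ev["TargetObject"]))
    for (image, target), n in run_key_churn(events).items():
        hits.append(("run_key_churn", image, "%d distinct values for %s" % (n, target)))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(" | ".join(hit))
```

The per-event rules catch the original sample's single Run write and the ShowSuperHidden change; the churn rule is what separates this sample's behaviour from a normal installer, since a legitimate product writes its Run value once. On a real estate, feed the same functions Sysmon EventID 13 records parsed from the event log and raise the threshold if your software inventory shows frequent benign rewrites.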
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\98a5c8ef85c3e1a1db2162e0da2fb7ee.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\98a5c8ef85c3e1a1db2162e0da2fb7ee.exe"
- Modifies visibility of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2488 -
  Level 2 (child of PID 2488): C:\Users\Admin\nokul.exe
  Command line: "C:\Users\Admin\nokul.exe"
  - Modifies visibility of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4032
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
156KB
MD5 00c32b21eab4d1d6952c48724a80fddd
SHA1 3388e97fce44b2532be6f025fe5ee4896e3e86da
SHA256 bc21b0fef7079f5efb4ad9f1b697de68b0c41830e56361ea77f450124709cc20
SHA512 bd50a0cf70462e85730f4f2e53effc748819b4f13e78c6b39e20dcfcd0f73860987dd68149d8f4df2c397da50079248a955c4284a922fc6cfe20f31515d259af