Analysis
- max time kernel: 100s
- max time network: 81s
- platform: windows10-1703_x64
- resource: win10-20240404-en
- resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 02-06-2024 14:40

Static task: static1 (1 signature)

Behavioral task: behavioral1
- Sample: Noctuary.exe
- Resource: win10-20240404-en (windows10-1703-x64)
- 6 signatures
- 150 seconds
General
- Target: Noctuary.exe
- Size: 638KB
- MD5: 855cc6f11e92a2cd9ed0e2a48981bb0d
- SHA1: a42ea901f89a74fd696cfcf476522c3dbf0ba78a
- SHA256: 015d9cfc6f7d52a68f9adc9008fed2a17da25ff20a8b03fa0216ff13a2f929e2
- SHA512: efc72ca510c90d29159a331149d2d97c2e578a7396f0e7b0adb10c0b6a19216357677191ea2ee8d3570c51bad238e11e23ae571916c6d3cb0798344ab12d9a31
- SSDEEP: 12288:D4eClj7abE2zx4yhn+pbsoS+fmgRyK/estrbGmfL:EB7abE2zx4yhnWbsoS+fmgRyK/estXGc
- Score: 4/10
Malware Config
Signatures
- Drops file in Windows directory (2 IoCs)
  description / ioc / Process:
  - File created: C:\Windows\rescache\_merged\4183903823\2290032291.pri (taskmgr.exe)
  - File created: C:\Windows\rescache\_merged\1601268389\715946058.pri (taskmgr.exe)
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description / ioc / Process:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
- Suspicious behavior: EnumeratesProcesses (57 IoCs)
  pid / Process: 4140 taskmgr.exe (the same entry is repeated for all 57 IoCs)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description / pid / Process:
  - Token: SeDebugPrivilege, 4140 taskmgr.exe
  - Token: SeSystemProfilePrivilege, 4140 taskmgr.exe
  - Token: SeCreateGlobalPrivilege, 4140 taskmgr.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
  pid / Process: 4140 taskmgr.exe (the same entry is repeated for all 64 IoCs)
- Suspicious use of SendNotifyMessage (64 IoCs)
  pid / Process: 4140 taskmgr.exe (the same entry is repeated for all 64 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\Noctuary.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Noctuary.exe"
  PID: 4804
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2500
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 4140
  Signatures:
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage