Analysis

  • max time kernel
    45s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-06-2024 06:17

General

  • Target

    NocturneEXT.exe

  • Size

    49.5MB

  • MD5

    6666944b24c3c23a26a7f6fe666a03cc

  • SHA1

    da3a5af7d5b84df7515bf69b4164324846790f4c

  • SHA256

    ae8b2f5026ddc2467c6697ed32a777918ea744227e363ad5dc558623e98b5212

  • SHA512

    da86f8ba7f909bf51a24cff98efd6eda226de145349fb068dc56ba31fd0d098bcb1a6d6f53b426cc04b48c7a78d95b5813ec3ba8b8abe5af2fc661379721175e

  • SSDEEP

    786432:vhHxLVm81KmkRcFnievnuelra7jpaBynVKc6mIvmGpn+Pk4YXjJarteo94Ny8xMn:vNxLV16eGeUOcV2FmMSYzW94ARfKu

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NocturneEXT.exe
    "C:\Users\Admin\AppData\Local\Temp\NocturneEXT.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\Users\Admin\AppData\Local\Temp\onefile_1920_133627331197806000\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\Temp\NocturneEXT.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2328
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:2216

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\onefile_1920_133627331197806000\python311.dll

    Filesize

    5.5MB

    MD5

    58e01abc9c9b5c885635180ed104fe95

    SHA1

    1c2f7216b125539d63bd111a7aba615c69deb8ba

    SHA256

    de1b95d2e951fc048c84684bc7df4346138910544ee335b61fc8e65f360c3837

    SHA512

    cd32c77191309d99aeed47699501b357b35669123f0dd70ed97c3791a009d1855ab27162db24a4bd9e719b68ee3b0539ee6db88e71abb9a2d4d629f87bc2c081

  • \Users\Admin\AppData\Local\Temp\onefile_1920_133627331197806000\RuntimeBroker.exe

    Filesize

    41.6MB

    MD5

    9cc2f30445f37afa73f8630d26028e34

    SHA1

    ed6353a00d28051912f4df855a042e9278376ad3

    SHA256

    abbbc82c6c8230219e91d06e55926fefd551469a5c1105816508bedb05b5c28b

    SHA512

    bdd8b2321da7227f7a062b19d8a273822d3022266d842bccfb7a8c5aeeecc3ccee5ffeddc87a65070d901077971f5bd35a0b2ccb2166d035ec36de1bb97968ec

  • memory/1920-181-0x000000013F5D0000-0x0000000142765000-memory.dmp

    Filesize

    49.6MB

  • memory/2328-93-0x000000013FEB0000-0x00000001428EC000-memory.dmp

    Filesize

    42.2MB