Analysis
max time kernel: 45s
max time network: 33s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 13-06-2024 06:17
Static task
static1
Behavioral task
behavioral1
Sample
NocturneEXT.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
NocturneEXT.exe
Resource
win10v2004-20240226-en
General
Target: NocturneEXT.exe
Size: 49.5MB
MD5: 6666944b24c3c23a26a7f6fe666a03cc
SHA1: da3a5af7d5b84df7515bf69b4164324846790f4c
SHA256: ae8b2f5026ddc2467c6697ed32a777918ea744227e363ad5dc558623e98b5212
SHA512: da86f8ba7f909bf51a24cff98efd6eda226de145349fb068dc56ba31fd0d098bcb1a6d6f53b426cc04b48c7a78d95b5813ec3ba8b8abe5af2fc661379721175e
SSDEEP: 786432:vhHxLVm81KmkRcFnievnuelra7jpaBynVKc6mIvmGpn+Pk4YXjJarteo94Ny8xMn:vNxLV16eGeUOcV2FmMSYzW94ARfKu
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid 2328  RuntimeBroker.exe
- Loads dropped DLL (2 IoCs)
  pid 1920  NocturneEXT.exe
  pid 2328  RuntimeBroker.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   process          procid_target
  PID 1920 wrote to memory of 2328   1920  NocturneEXT.exe  28
  PID 1920 wrote to memory of 2328   1920  NocturneEXT.exe  28
  PID 1920 wrote to memory of 2328   1920  NocturneEXT.exe  28
Processes
- C:\Users\Admin\AppData\Local\Temp\NocturneEXT.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NocturneEXT.exe"
  PID: 1920
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\onefile_1920_133627331197806000\RuntimeBroker.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\NocturneEXT.exe"
    PID: 2328 (child of 1920)
    - Executes dropped EXE
    - Loads dropped DLL
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
  PID: 2216
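The process tree above shows the sample (PID 1920) writing into PID 2328 and running a dropped RuntimeBroker.exe out of a %TEMP%\onefile_1920_<timestamp>\ directory, with the child launched on the parent's own command line rather than its own. The following is an added example, not part of the sandbox report or of the sample, showing how a detection rule could flag that combination over process-creation events. It assumes a small event model of its own (`ProcEvent`, `flag_dropped_exe`), that the `onefile_<pid>_<n>` directory name follows the default layout of Nuitka's onefile bootstrap (%TEMP%\onefile_%PID%_%TIME%), and a constructed benign RuntimeBroker.exe under svchost.exe as a control; the parent of PID 1920 is not in the report, so it is modelled as unknown.

```python
"""Flag a process tree for the drop-and-run pattern seen in this report.

Three checks per process-creation event:
  1. a Windows system binary name (RuntimeBroker.exe here) executing from
     outside C:\\Windows;
  2. an image path under an extraction directory onefile_<pid>_<n> whose
     embedded pid equals the event's parent pid (assumed Nuitka onefile
     layout: %TEMP%\\onefile_%PID%_%TIME%);
  3. a child whose command line is the parent's command line, i.e. the
     dropped stage is re-launched "as" the original sample.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: a short list is enough to show the check; a real rule would
# carry a fuller inventory of names that belong under C:\Windows.
WINDOWS_BINARY_NAMES = {"runtimebroker.exe", "explorer.exe", "svchost.exe"}

ONEFILE_DIR = re.compile(r"\\onefile_(\d+)_\d+\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int          # 0 = parent unknown / not in the capture
    image: str
    cmdline: str


def norm(path: str) -> str:
    """Lower-case, backslash-only form so comparisons are case-insensitive."""
    return path.replace("/", "\\").lower()


def first_token(cmdline: str) -> str:
    """Return the program part of a Windows command line (quoted or bare)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return norm(s[1:end if end != -1 else len(s)])
    return norm(s.split(" ", 1)[0])


def check_event(ev: ProcEvent, by_pid: dict[int, ProcEvent]) -> list[str]:
    reasons: list[str] = []
    image = norm(ev.image)
    name = image.rsplit("\\", 1)[-1]

    # 1. masquerading: system-binary name, non-system directory
    if name in WINDOWS_BINARY_NAMES and not image.startswith("c:\\windows\\"):
        reasons.append(f"{name} executing outside C:\\Windows")

    # 2. onefile_<ppid>_<timestamp> extraction dir keyed to the parent pid
    m = ONEFILE_DIR.search(image)
    if m and int(m.group(1)) == ev.ppid:
        reasons.append(f"onefile extraction dir keyed to parent pid {ev.ppid}")

    # 3. child launched with the parent's command line instead of its own
    parent = by_pid.get(ev.ppid)
    if parent is not None:
        launched_as = first_token(ev.cmdline)
        if launched_as == norm(parent.image) and launched_as != image:
            reasons.append("command line names the parent's image, not its own")
    return reasons


def flag_dropped_exe(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map pid -> reasons for every event that trips at least one check."""
    by_pid = {ev.pid: ev for ev in events}
    hits = {ev.pid: check_event(ev, by_pid) for ev in events}
    return {pid: r for pid, r in hits.items() if r}


# Constructed from the Processes section above; the parent of 1920 is not in
# the report (ppid=0). PIDs 800/900 are an invented benign control.
SAMPLE_EVENTS = [
    ProcEvent(1920, 0, r"C:\Users\Admin\AppData\Local\Temp\NocturneEXT.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\NocturneEXT.exe"'),
    ProcEvent(2328, 1920,
              r"C:\Users\Admin\AppData\Local\Temp\onefile_1920_133627331197806000\RuntimeBroker.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\NocturneEXT.exe"'),
    ProcEvent(2216, 0, r"C:\Windows\explorer.exe", r'"C:\Windows\explorer.exe"'),
    ProcEvent(800, 0, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k DcomLaunch"),
    ProcEvent(900, 800, r"C:\Windows\System32\RuntimeBroker.exe",
              r"C:\Windows\System32\RuntimeBroker.exe -Embedding"),
]

if __name__ == "__main__":
    for pid, reasons in flag_dropped_exe(SAMPLE_EVENTS).items():
        print(pid, *reasons, sep="\n  ")
```

On the report's events only PID 2328 is flagged, on all three checks; the legitimate RuntimeBroker.exe from System32 and explorer.exe pass. Each check alone is weak (check 1 alone fires on any renamed copy, check 3 alone fires on some legitimate launcher stubs), which is why the rule reports the reasons together and leaves the severity decision to the analyst.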
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 5.5MB
  MD5: 58e01abc9c9b5c885635180ed104fe95
  SHA1: 1c2f7216b125539d63bd111a7aba615c69deb8ba
  SHA256: de1b95d2e951fc048c84684bc7df4346138910544ee335b61fc8e65f360c3837
  SHA512: cd32c77191309d99aeed47699501b357b35669123f0dd70ed97c3791a009d1855ab27162db24a4bd9e719b68ee3b0539ee6db88e71abb9a2d4d629f87bc2c081
- Filesize: 41.6MB
  MD5: 9cc2f30445f37afa73f8630d26028e34
  SHA1: ed6353a00d28051912f4df855a042e9278376ad3
  SHA256: abbbc82c6c8230219e91d06e55926fefd551469a5c1105816508bedb05b5c28b
  SHA512: bdd8b2321da7227f7a062b19d8a273822d3022266d842bccfb7a8c5aeeecc3ccee5ffeddc87a65070d901077971f5bd35a0b2ccb2166d035ec36de1bb97968ec