Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
13-06-2024 18:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
noclick.exe
Resource
win7-20240221-en
2 signatures
150 seconds
Behavioral task
behavioral2
Sample
noclick.exe
Resource
win10v2004-20240611-en
4 signatures
150 seconds
General
-
Target
noclick.exe
-
Size
137KB
-
MD5
66a6b7cbea8224b95d218f2a350a672d
-
SHA1
ac827fc12a64b6728c2a68bee125439904dc9d5e
-
SHA256
4c33cafb4c0fb2d93417bfadd870f7b12d2bcf0a1cc2454aeba8a26e69af7649
-
SHA512
61deeb7b08c7e9a1d0405043106ec8ce19119719147f8d55bc990f10cddd0aa3d87ef9744fefc19ab16b5e0234f5f708f21f3a6e8fa550f6f71dbc27003e18ac
-
SSDEEP
1536:68mAkOs/WhP1f4/VgzgWHNPJ0BvWhvqM5zmQd3vyL3+rMPAruINeTbLLRAst3lYq:67lD+x1f4/YgBWs5iu7bLxX
Score
1/10
Malware Config
Signatures
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
dwm.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 dwm.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags dwm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 dwm.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags dwm.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID dwm.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID dwm.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
dwm.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS dwm.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU dwm.exe -
Modifies data under HKEY_USERS 18 IoCs
Processes:
dwm.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed dwm.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust dwm.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
dwm.exedescription pid process Token: SeCreateGlobalPrivilege 5932 dwm.exe Token: SeChangeNotifyPrivilege 5932 dwm.exe Token: 33 5932 dwm.exe Token: SeIncBasePriorityPrivilege 5932 dwm.exe Token: SeShutdownPrivilege 5932 dwm.exe Token: SeCreatePagefilePrivilege 5932 dwm.exe Token: SeShutdownPrivilege 5932 dwm.exe Token: SeCreatePagefilePrivilege 5932 dwm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\noclick.exe"C:\Users\Admin\AppData\Local\Temp\noclick.exe"1⤵PID:4124
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5932