Analysis
max time kernel: 61s
max time network: 74s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 01-11-2024 17:48
Static task: static1
Behavioral task: behavioral1
  Sample: Noxic.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: Noxic.exe
  Resource: win10v2004-20241007-en
Errors
General
Target: Noxic.exe
Size: 97.1MB
MD5: 3a74f44c697eab7f7d4be6f8f45f2fa3
SHA1: 9911e33b3db1ffe049f56ee1d5af12c189a02c3a
SHA256: d317c6c038ca4e934f981c1c37d3d47b891249b10c7ce3e24d6ad3306a9a36dc
SHA512: 1e047418c6249363674612892389919971e722e8ac5c29bf365c4d41404aba9c2dbf9c76bb7c486da95f09883550d7d7fa24e631a9c91a9d02752e2133fb708a
SSDEEP: 3145728:Ch2VRVK8iQnLWFQM3K7f7+O5cjdsJIHxabE1:Ch2vVBf6R3Wf7+6ikS3
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  2248  Noxic App.exe
  1248  Noxic App.exe
- Loads dropped DLL (9 IoCs)
  pid   Process
  2804  Noxic.exe
  2804  Noxic.exe
  1280  Process not Found
  1280  Process not Found
  1280  Process not Found
  1280  Process not Found
  2248  Noxic App.exe
  1280  Process not Found
  1248  Noxic App.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Noxic = "C:\\Users\\Admin\\AppData\\Roaming\\Noxic\\Noxic App.exe"
  Process: Noxic.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process: Noxic.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                          pid  Process
  Token: 33                            812  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege    812  AUDIODG.EXE
  Token: 33                            812  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege    812  AUDIODG.EXE
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   Process
  2804  Noxic.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process    procid_target
  PID 2804 wrote to memory of 2248   2804  Noxic.exe  31
  PID 2804 wrote to memory of 2248   2804  Noxic.exe  31
  PID 2804 wrote to memory of 2248   2804  Noxic.exe  31
  PID 2804 wrote to memory of 2248   2804  Noxic.exe  31
Processes
- C:\Users\Admin\AppData\Local\Temp\Noxic.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Noxic.exe"
  PID: 2804
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Noxic\Noxic App.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Noxic\Noxic App.exe"
    PID: 2248
    - Executes dropped EXE
    - Loads dropped DLL
- C:\Users\Admin\AppData\Roaming\Noxic\Noxic App.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Noxic\Noxic App.exe"
  PID: 1248
  - Executes dropped EXE
  - Loads dropped DLL
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
  PID: 776
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x560
  PID: 812
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
  PID: 2188
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.7MB
  MD5: d57dd69a4d084427ea5eef777de66f68
  SHA1: cacb8e06a475b2125708ae70153aa1ca525177b0
  SHA256: 858612d51120907bede6782a6f13a5f0b391d11ed9a35af0647126831d9843b4
  SHA512: 517637325aff7416e16e25f33b491025e8791e71ae3df76effc6b2910e9e651604f856d2ad6058ceee13e87a7e0e33c0c572388e76a64f902be88f175a51973a