Analysis

  • max time kernel
    1800s
  • max time network
    1803s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-11-2024 17:48

General

  • Target

    Noxic.exe

  • Size

    97.1MB

  • MD5

    3a74f44c697eab7f7d4be6f8f45f2fa3

  • SHA1

    9911e33b3db1ffe049f56ee1d5af12c189a02c3a

  • SHA256

    d317c6c038ca4e934f981c1c37d3d47b891249b10c7ce3e24d6ad3306a9a36dc

  • SHA512

    1e047418c6249363674612892389919971e722e8ac5c29bf365c4d41404aba9c2dbf9c76bb7c486da95f09883550d7d7fa24e631a9c91a9d02752e2133fb708a

  • SSDEEP

    3145728:Ch2VRVK8iQnLWFQM3K7f7+O5cjdsJIHxabE1:Ch2vVBf6R3Wf7+6ikS3

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 11 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Noxic.exe
    "C:\Users\Admin\AppData\Local\Temp\Noxic.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2072
    • C:\Users\Admin\AppData\Roaming\Noxic\Noxic App.exe
      "C:\Users\Admin\AppData\Roaming\Noxic\Noxic App.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1372
      • C:\Users\Admin\AppData\Roaming\Noxic\Noxic App.exe
        "C:\Users\Admin\AppData\Roaming\Noxic\Noxic App.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\noxic-app-nativefier-00f9eb" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1720 --field-trial-handle=1724,i,17879730654309423032,17647884270193813831,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:5064
      • C:\Users\Admin\AppData\Roaming\Noxic\Noxic App.exe
        "C:\Users\Admin\AppData\Roaming\Noxic\Noxic App.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\noxic-app-nativefier-00f9eb" --mojo-platform-channel-handle=1984 --field-trial-handle=1724,i,17879730654309423032,17647884270193813831,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2104
      • C:\Users\Admin\AppData\Roaming\Noxic\Noxic App.exe
        "C:\Users\Admin\AppData\Roaming\Noxic\Noxic App.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\noxic-app-nativefier-00f9eb" --app-user-model-id=noxic-app-nativefier-00f9eb --app-path="C:\Users\Admin\AppData\Roaming\Noxic\resources\app" --no-sandbox --no-zygote --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2256 --field-trial-handle=1724,i,17879730654309423032,17647884270193813831,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1064
      • C:\Users\Admin\AppData\Roaming\Noxic\Noxic App.exe
        "C:\Users\Admin\AppData\Roaming\Noxic\Noxic App.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\noxic-app-nativefier-00f9eb" --app-user-model-id=noxic-app-nativefier-00f9eb --app-path="C:\Users\Admin\AppData\Roaming\Noxic\resources\app" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1724,i,17879730654309423032,17647884270193813831,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2032
      • C:\Users\Admin\AppData\Roaming\Noxic\Noxic App.exe
        "C:\Users\Admin\AppData\Roaming\Noxic\Noxic App.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\noxic-app-nativefier-00f9eb" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3232 --field-trial-handle=1724,i,17879730654309423032,17647884270193813831,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:5036

Network

MITRE ATT&CK Enterprise v15

Downloads
