Analysis
-
max time kernel
117s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
08/11/2024, 23:34
Static task
static1
Behavioral task
behavioral1
Sample
Noxic.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Noxic.exe
Resource
win10v2004-20241007-en
General
-
Target
Noxic.exe
-
Size
97.1MB
-
MD5
3a74f44c697eab7f7d4be6f8f45f2fa3
-
SHA1
9911e33b3db1ffe049f56ee1d5af12c189a02c3a
-
SHA256
d317c6c038ca4e934f981c1c37d3d47b891249b10c7ce3e24d6ad3306a9a36dc
-
SHA512
1e047418c6249363674612892389919971e722e8ac5c29bf365c4d41404aba9c2dbf9c76bb7c486da95f09883550d7d7fa24e631a9c91a9d02752e2133fb708a
-
SSDEEP
3145728:Ch2VRVK8iQnLWFQM3K7f7+O5cjdsJIHxabE1:Ch2vVBf6R3Wf7+6ikS3
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid | Process
2464 | Noxic App.exe
-
Loads dropped DLL 7 IoCs
pid | Process
2892 | Noxic.exe
2892 | Noxic.exe
1196 | Process not Found
1196 | Process not Found
1196 | Process not Found
1196 | Process not Found
2464 | Noxic App.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Noxic = "C:\\Users\\Admin\\AppData\\Roaming\\Noxic\\Noxic App.exe" | Noxic.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Noxic.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 2892 wrote to memory of 2464 | 2892 | Noxic.exe | 32
PID 2892 wrote to memory of 2464 | 2892 | Noxic.exe | 32
PID 2892 wrote to memory of 2464 | 2892 | Noxic.exe | 32
PID 2892 wrote to memory of 2464 | 2892 | Noxic.exe | 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\Noxic.exe
"C:\Users\Admin\AppData\Local\Temp\Noxic.exe"
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Users\Admin\AppData\Roaming\Noxic\Noxic App.exe
"C:\Users\Admin\AppData\Roaming\Noxic\Noxic App.exe"
- Executes dropped EXE
- Loads dropped DLL
PID:2464
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
2.7MB
MD5
d57dd69a4d084427ea5eef777de66f68
SHA1
cacb8e06a475b2125708ae70153aa1ca525177b0
SHA256
858612d51120907bede6782a6f13a5f0b391d11ed9a35af0647126831d9843b4
SHA512
517637325aff7416e16e25f33b491025e8791e71ae3df76effc6b2910e9e651604f856d2ad6058ceee13e87a7e0e33c0c572388e76a64f902be88f175a51973a