hxxps://github[.]com/novihacks/novihacks-advanced/blob/main/novihacks-advanced[.]zip

General

Target

https://github.com/novihacks/novihacks-advanced/blob/main/novihacks-advanced.zip

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 40ff6fbf34ffd801	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0b1859134ffd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9866F431-6B27-11ED-91E9-EEBA1A0FFCD1} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da00000000020000000000106600000001000020000000d20ae9952a72543f91ad5048af87bcc3cd0fe15236e831bf44f5de05360c3bb3000000000e8000000002000020000000fd60ac69b9bcc0ad81a797e8a09d1760c713ac8c5dde4af57c548292bcef63db90000000aafdb402719606d86fb1665082dcb9f304a76622ec9166bc5e5def310d81f8dc1ef17c36dc25b11ef4fb1b93a27db9148c53e5e5f916e74351d9ce57b1b8bae8be0c2520b2cc924d5fc1069da8d89dfdd48bf272ae5f62b4338eeeb38567fa0172403dcadabbedad18e8104306b880bdea07b60959f82d9ab737a2271acb4bc5aa86dcafa8119b3193a316877c83cc3e400000008a304d1d85d026781f4aef1ff4b9c2ee9bacd39096c219a9ffa9b638dbe3d51117462a28444b7347d362124dbc742baa164c9f62d14ebcc00281dbb4cc3a5102	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375970341"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da00000000020000000000106600000001000020000000a4c45c87308d36da4f49d6164a802a99aa8da8196af2b4ecdfb906e70be4862c000000000e80000000020000200000001d1b4f21dc592513b3b391126a6a7734754ae8bfe33821e11d396fdfe4291779200000009aa102049f4c879e1157dd9413903c9ea6e539628c4ed44badfc910c652ab4ef40000000f20b39984e762dc815ba8d6d62c18a57599b7f3d9a647b7c2d5a095296513520676941eeb9a109bd241fa64d6fb2aa75e1e335aa3fe8a0697ac73ac1e3ab86af	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	1372	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1372	AUDIODG.EXE
Token: 33	1372	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1372	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

1220 iexplore.exe
1220 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1220 iexplore.exe
1220 iexplore.exe
580 IEXPLORE.EXE
580 IEXPLORE.EXE
580 IEXPLORE.EXE
580 IEXPLORE.EXE

pid	process
1220	iexplore.exe
1220	iexplore.exe

pid	process
1220	iexplore.exe
1220	iexplore.exe
580	IEXPLORE.EXE
580	IEXPLORE.EXE
580	IEXPLORE.EXE
580	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1220 wrote to memory of 580	1220	iexplore.exe	IEXPLORE.EXE
PID 1220 wrote to memory of 580	1220	iexplore.exe	IEXPLORE.EXE
PID 1220 wrote to memory of 580	1220	iexplore.exe	IEXPLORE.EXE
PID 1220 wrote to memory of 580	1220	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/novihacks/novihacks-advanced/blob/main/novihacks-advanced.zip
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1220

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1220 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:580

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c646bfb7f80ae3b0f25e817461ce848

SHA1
abebcacea724fc7a23b0af8dc5e083f59b96a2fd

SHA256
520ccfc7dac8e8ed67192406485bd2da365a7c7d410d9e824e41022323dd03d1

SHA512
ed2cf75bc85c571f004fa36d4cf2530e4049ee938f2d250f41547d41082f89b0bcec879c2962583291620084d6eb0e79aa1ea6de1fb71795344dcc203b7f4e82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\t9o3c8r\imagestore.dat

Filesize
1KB

MD5
2188c4ff26ee91831f352464f1eaa230

SHA1
cd69e713ee56b7703651ace59f9e8271b1c7311b

SHA256
df7276ebcf65822d227a2992061921b6db7b654ce46ad8d60836740da9356ca1

SHA512
7d4b91089f8c29db9453df7b69028b88e805a1ff97406cd2604a35397b2c9d313801e185a75f21a84be76c454fe1553e47df853db112a6131066d1b1e9ab4d16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6OB1Q09Y\novihacks-advanced.zip.se9eu1l.partial

Filesize
17.5MB

MD5
cf779a02aa4479a0fe9c93374b8184b5

SHA1
7b43795b03017cd57fe11a896161851202139962

SHA256
1d9049dda6d9dce99f914fbbfb4b283b08e16d093f19edc5ac113e901e725d2d

SHA512
5323fd4874a1944093ec63db075fd56d36c570777fdac84de4d89c788a09c2ab9da2ccc8628afb31fb86d2529925e489f1b8b8b0cc2c2aeda920a66ca5fc5b18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LXW0ZV7T.txt

Filesize
608B

MD5
36965604349d28008a2163ecdd8c58b6

SHA1
0dfc8cc24489d1e0f79bc4326802d8428235182e

SHA256
578d75edb64063ba34ce8609c7cf3e232e873d55e77ea0cbf15d58a65ec45841

SHA512
948e551d19b2b12fc8f85680fadecbb4c10da5af388901e1f2c40d4d83ffbc7b2b1f8497944f4fb4f58342a8b72ef176cb2aca2c0e8fbc49157e57c56979a754

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads