efecb17d9d73082bf28a6e7c6bb87a81c65a59b2d4d14251678da3cffa6a12a1

Analysis

max time kernel
3s
max time network
65s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2024 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NVCleanstall_1.16.0.exe
Size

3.8MB
MD5

41421866b825dbdcc5f29a0bbd484362
SHA1

f7637ef22c82a108ab4668baca40e4f03eb49a5c
SHA256

efecb17d9d73082bf28a6e7c6bb87a81c65a59b2d4d14251678da3cffa6a12a1
SHA512

72ba988029e87661ad2adf68f79d054febe499d2fb3220518df7372b953d761acf88470f1620f7660eba963c42bc9327ad070b0c386282f6654f80b0ed50599d
SSDEEP

49152:5FEVBwhGaOQ52kLkEfg3fBDW4mJVUEtc3W4TDyJw7so4c7ckyRKPk9gZPeR0XjBO:5aPJaOQ5UB6Bxu9TDyJw4cXyIuaWR0rs

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5068	NVCleanstall_1.16.0.exe
Token: SeCreatePagefilePrivilege	5068	NVCleanstall_1.16.0.exe
Token: SeDebugPrivilege	5068	NVCleanstall_1.16.0.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0.exe
"C:\Users\Admin\AppData\Local\Temp\NVCleanstall_1.16.0.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5068
- C:\Users\Admin\AppData\Local\Temp\NVCleanstall_Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\NVCleanstall_Installer.exe" /ver=1.16.0
  2⤵
  PID:3692
- - C:\Users\Admin\AppData\Local\Temp\is-HIL5U.tmp\NVCleanstall_Installer.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-HIL5U.tmp\NVCleanstall_Installer.tmp" /SL5="$C004E,721408,721408,C:\Users\Admin\AppData\Local\Temp\NVCleanstall_Installer.exe" /ver=1.16.0
    3⤵
    PID:4124
  - - C:\Program Files\NVCleanstall\NVCleanstall.exe
      "C:\Program Files\NVCleanstall\NVCleanstall.exe"
      4⤵
      PID:1340
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\SelfDelete.bat""
      4⤵
      PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\NVCleanstall\NVCleanstall.exe

Filesize
269KB

MD5
926feb7067c053fd4b7f5e3853d75353

SHA1
7f32c6be6b646b7299654ad8e3996cbad9917e43

SHA256
91fbfc74d91f24d24257e5357d1bc34d685b89c6590a35481299fc5f899d2528

SHA512
0e5c4f603674e29d638a371628352c05ba4a0f747d2e10bc98396ba6e753ba3167a64636bcda1787d8e304a9b957cc53b82de0b2a926e5a22d5489188b0c81d9

Download Submit
C:\Program Files\NVCleanstall\NVCleanstall.exe

Filesize
208KB

MD5
75a8c58a6f8c02e0d85c69a351beead5

SHA1
14e075aaf24ac604a190ab538a9cd580bd932f6c

SHA256
df65d5de15efe95f3fe785c2b61baf1f33ecd0c4262a8211f05e2487dcf8580c

SHA512
b50d139c224d3742f54c4958c6eed1d9374a1a4a7eb02a34ff94d63bf93b3212e0127c2b9b48bde3182b986da423ea420f3957735eb4baf664cea09e5f483f86

Download Submit
C:\Program Files\NVCleanstall\NVCleanstall.exe

Filesize
251KB

MD5
91b266d63c6253d240f3fb73f0975d26

SHA1
8579e15691c8812e29af470325ac7b545d02a2d2

SHA256
e4e8f4ecdcf0d5d3427a49a7a4d2da662e4fbef1e15d9d19a4cc28a4b5db6c82

SHA512
d7d70ebf207c5edacc198908618dc156a9812bf7443edade17f824139b41711dc1c0589fc70f208a5cb8f757a00ad8c6fc2a6b07c9a6cfeef976d3ff83b27064

Download Submit
C:\Users\Admin\AppData\Local\Temp\NVCleanstall_Installer.exe

Filesize
432KB

MD5
5a668c2aa39634c9f37bbeec0969c3b4

SHA1
24a41cbc57b717cf4ad20e18f344fc6f0d1223f4

SHA256
402ff76fb84f34fa22f91c686c3fe8117b5e3555972d9ea98495a620c49e52bf

SHA512
f2fd254bd74cd660a4641a1f23ea2e17ad239919821e309d2778151b4631ae4ead32e6e804bee3bf57307aa9b6993fd7482ce82bfd7883a5bd8f93c88efd9cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\NVCleanstall_Installer.exe

Filesize
517KB

MD5
137202bada4751243c13d58ccd58c96c

SHA1
444bfe6b55efa9fbb414728b3d6f44dca54e71c6

SHA256
3d9f37100d6bae0541d8234d978aa5a59cd11c2b21b7743a2a66a457aefa70b7

SHA512
910bc418efb3cc7dbca3a62b292330ea56a53021929fb72487fd325b4134c77c05f17a626a82a1322b687abbe1898322078d15f9da807834356e7eb7f18f8e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NVCleanstall_Installer.exe

Filesize
262KB

MD5
2f75442c818c452d61a2da7c01ed04ce

SHA1
4e285cbc782c00a44d841da851ad9ab2cadc8434

SHA256
d58fef0824cc9a108f68b3b4105c311daac95d89028cc2af8bd91dfa0efbf35f

SHA512
768c83950b16e09929b00606f3e46d0f65b0eb585e7f374e04033306ffe6cb65a45b70a5cb7414785b446d6446b66b60d1051cce22d2f1714daa4c718753f047

Download Submit
C:\Users\Admin\AppData\Local\Temp\NVCleanstall_Installer_Data.exe

Filesize
437KB

MD5
5f9b42863b46b19142904f60a84cad41

SHA1
aca3e0c686ede84d7c6ef67a320bb94efb42352d

SHA256
c9d7a832b7fb6d9406acfc7c2aec973cc410d4eed98cc8ebcafbc07905aaa750

SHA512
2b3a1d8c6d827f8b62c80cdfeef702c81c44a1a53859ea0eb52baa3cdeea51d0abfc3790f058ff283bd4862a28befd43a46a04d8b5a9333b42d967ddc8de157f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SelfDelete.bat

Filesize
360B

MD5
03e3138dc0696cc89dbf163eec666500

SHA1
5169a5b8fcefbbcc2cd2dae938a22548a595fe12

SHA256
f1cfbb839a0994effe9be5375dff9c4e22e41cc8f844c10dc2550f08c010d113

SHA512
b1040e6991b57a272e1f4fac89425b9182343ed09dfbb03063aefb8658db2e3254518bc584c6a00f114cf7af3e1c0668f68693249a8d1fad1f800c0e44cf9b11

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HIL5U.tmp\NVCleanstall_Installer.tmp

Filesize
329KB

MD5
f4a7d9598e392b3c170474a8f2a3cde2

SHA1
0d61dc4fb9e2fd15557511c15b3bad583d213f3f

SHA256
5d59a08e06307d86376afd10b40c477a44e69659f2bcf2f48ddf710f6568ed3d

SHA512
a456ce38b6ecbe438370c178657dd2a81a9d1e889bcf2cd4d5c0d3d31ff929a2418631b8fef9b6f649addd9c71f2a13ed2556537e07a79a4a82c33039fde8c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HIL5U.tmp\NVCleanstall_Installer.tmp

Filesize
483KB

MD5
2739cd3407391a51ba928eee853b1696

SHA1
249cf00866b4c7aa93aabe7abc43b2f0cc8a5cff

SHA256
db96344929404d1fbabc02b0325bb2205cab4ab6f50e92bba22daebbdbc684de

SHA512
6c53c33bdd2702b982a5fc0ca17b88f63799c77fe4ab01f903215dc394a906702b6d1ba60440d766a5cac2599e5b245b3f64549d5d86a73f8dc678325f0f1a7c

Download Submit
memory/1340-66-0x000001D0F9BB0000-0x000001D0F9BC0000-memory.dmp

Filesize
64KB

Download
memory/1340-68-0x000001D0F9BB0000-0x000001D0F9BC0000-memory.dmp

Filesize
64KB

Download
memory/1340-72-0x000001D0F9BB0000-0x000001D0F9BC0000-memory.dmp

Filesize
64KB

Download
memory/1340-70-0x000001D0F9BB0000-0x000001D0F9BC0000-memory.dmp

Filesize
64KB

Download
memory/1340-67-0x000001D0F9BB0000-0x000001D0F9BC0000-memory.dmp

Filesize
64KB

Download
memory/1340-71-0x000001D0F9BB0000-0x000001D0F9BC0000-memory.dmp

Filesize
64KB

Download
memory/1340-61-0x00007FFB14240000-0x00007FFB14D01000-memory.dmp

Filesize
10.8MB

Download
memory/1340-69-0x00007FFB14240000-0x00007FFB14D01000-memory.dmp

Filesize
10.8MB

Download
memory/3692-27-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/3692-36-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/3692-62-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/3692-30-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/4124-60-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download
memory/4124-34-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/4124-37-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download
memory/5068-0-0x000001C990500000-0x000001C9908C4000-memory.dmp

Filesize
3.8MB

Download
memory/5068-8-0x000001C9AAE40000-0x000001C9AAE50000-memory.dmp

Filesize
64KB

Download
memory/5068-12-0x000001C9AAE40000-0x000001C9AAE50000-memory.dmp

Filesize
64KB

Download
memory/5068-11-0x00007FFB14240000-0x00007FFB14D01000-memory.dmp

Filesize
10.8MB

Download
memory/5068-15-0x000001C9AAE40000-0x000001C9AAE50000-memory.dmp

Filesize
64KB

Download
memory/5068-10-0x000001C9ACEF0000-0x000001C9ACEFE000-memory.dmp

Filesize
56KB

Download
memory/5068-14-0x000001C9ACF80000-0x000001C9ACF88000-memory.dmp

Filesize
32KB

Download
memory/5068-9-0x000001C9ACF40000-0x000001C9ACF78000-memory.dmp

Filesize
224KB

Download
memory/5068-65-0x00007FFB14240000-0x00007FFB14D01000-memory.dmp

Filesize
10.8MB

Download
memory/5068-13-0x000001C9AAE40000-0x000001C9AAE50000-memory.dmp

Filesize
64KB

Download
memory/5068-7-0x000001C9ACEA0000-0x000001C9ACEA8000-memory.dmp

Filesize
32KB

Download
memory/5068-6-0x000001C9AAE40000-0x000001C9AAE50000-memory.dmp

Filesize
64KB

Download
memory/5068-5-0x000001C992430000-0x000001C992436000-memory.dmp

Filesize
24KB

Download
memory/5068-4-0x000001C9ACFF0000-0x000001C9AD4BC000-memory.dmp

Filesize
4.8MB

Download
memory/5068-3-0x000001C992460000-0x000001C992482000-memory.dmp

Filesize
136KB

Download
memory/5068-2-0x000001C9AAE50000-0x000001C9AB410000-memory.dmp

Filesize
5.8MB

Download
memory/5068-1-0x00007FFB14240000-0x00007FFB14D01000-memory.dmp

Filesize
10.8MB

Download