Analysis

  • max time kernel
    148s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/02/2024, 18:08

General

  • Target

    NovaInstaller.exe

  • Size

    152.1MB

  • MD5

    01586514c91b035342b92789601710b7

  • SHA1

    7497f2ab937b123dafbd8769b9f62207e32063c1

  • SHA256

    b8b96d300bf7ac2d39d20bfcfe77ad3dde7214323b503850b8d131266ba68573

  • SHA512

    d2fedfa7451ff5a14287ba95ff1718949f1dc71226538cf1978009920f9384cf7c0dc0f5c2ad79cf5abaf6faa12ec95f0f987c223c8b735cf1097323ababb819

  • SSDEEP

    786432:85FEeqL+07t0WN3KPqiVUTyqjg+NnRUTEKsKgqTtLwSTRpf4P1wT1ixZrs36cHSl:8I7LJ2TVUiKStTAxZrsqc4z

Malware Config

Signatures

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4220
    • C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe
      "vc_redist.x64.exe" /install /quiet /norestart
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Windows\Temp\{64BC4BF4-1274-4A7A-B025-78C3F1911308}\.cr\vc_redist.x64.exe
        "C:\Windows\Temp\{64BC4BF4-1274-4A7A-B025-78C3F1911308}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe" -burn.filehandle.attached=520 -burn.filehandle.self=540 /install /quiet /norestart
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:3860
        • C:\Windows\Temp\{75020117-100F-4BE7-A9D5-E471861604E2}\.be\VC_redist.x64.exe
          "C:\Windows\Temp\{75020117-100F-4BE7-A9D5-E471861604E2}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{472BD820-B034-4B98-8F6C-C966D0298679} {57C6BF00-3285-4967-BF72-F091D99D4408} 3860
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Modifies registry class
          PID:3304
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 1236
          4⤵
          • Program crash
          PID:1632
    • C:\Users\Admin\AppData\Local\Temp\dotnet-sdk-6.0.405-win-x64.exe
      "dotnet-sdk-6.0.405-win-x64.exe" /install /quiet
      2⤵
      • Executes dropped EXE
      PID:3012
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:4928
  • C:\Windows\system32\srtasks.exe
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3660
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3860 -ip 3860
    1⤵
    PID:1760

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uztLljCegqSJbgApdKxz7vVm_L3UFNo=\D3DCompiler_47_cor3.dll

            Filesize

            4.7MB

            MD5

            03a60a6652caf4f49ea5912ce4e1b33c

            SHA1

            a0d949d4af7b1048dc55e39d1d1260a1e0660c4f

            SHA256

            b23e7b820ed5c6ea7dcd77817e2cd79f1cec9561d457172287ee634a8bd658c3

            SHA512

            6711d40d171ea200c92d062226a69f33eb41e9232d74291ef6f0202de73cf4dc54fbdd769104d2bb3e89dc2d81f2f2f3479e4258a5d6a54c545e56b07746b4c4

          • C:\Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uztLljCegqSJbgApdKxz7vVm_L3UFNo=\PresentationNative_cor3.dll

            Filesize

            1.2MB

            MD5

            607039b9e741f29a5996d255ae7ea39f

            SHA1

            9ea6ef007bee59e05dd9dd994da2a56a8675a021

            SHA256

            be81804da3077e93880b506e3f3061403ce6bf9ce50b9c0fcc63bb50b4352369

            SHA512

            0766c98228f6ccc907674e3b9cebe64eee234138b8d3f00848433388ad609fa38d17a961227e683e92241b163aa30cf06708a458f2bc4d3704d5aa7a7182ca50

          • C:\Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uztLljCegqSJbgApdKxz7vVm_L3UFNo=\wpfgfx_cor3.dll

            Filesize

            1.9MB

            MD5

            9c828f9cca7da40407bfe9521bae6402

            SHA1

            da09914b5a96c3ddf038e3cb176a8b5f31d71ae8

            SHA256

            7f9d0cd50f10c55848027e1fb9d7d780ebbf1eadbb5edd899f2af359aa9681e8

            SHA512

            01db920eb96999cb83d0e42c20ceb19b7aaed3d3c4ed71e26528cf05f8751f53885faab5255025c26ea4d1d479a460fc797d102dd22aebb550bd85f0748b6c0b

          • C:\Users\Admin\AppData\Local\Temp\dotnet-sdk-6.0.405-win-x64.exe

            Filesize

            11.6MB

            MD5

            a0771e2cb6ba8b02851a079de72dd5a9

            SHA1

            8f57f6aa30cf12c89d5778fe304b9e572e21ba32

            SHA256

            0b56c725d8ed505390fdf69c9ee71fa86487e12dd4ba78f371a5a2b4cc7bf4be

            SHA512

            53d2a52698919e92468fdade279d809f04bbcd7c47333437a0faaad137986ba96172c922af5cb31dada0d71ce682639c080834ce67a305ec57348df3ee642106

          • C:\Users\Admin\AppData\Local\Temp\dotnet-sdk-6.0.405-win-x64.exe

            Filesize

            11.9MB

            MD5

            9206f265d5494890973e3595d4f36be1

            SHA1

            3eab95b3ca683711be99f7c4d21d1f851adf3c63

            SHA256

            12bddfb456ab20be1040a82fa8a39251826e720093dcb08c92796f8a4ac93471

            SHA512

            fd1a75c22cfa758ca5abc8de689dd9554a695851b715b8200ed9978a15518d3fe2513ee76427a2b33ee39b7b91037c3e8e2562a966814000b8af3c71caea5996

          • C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe

            Filesize

            6.2MB

            MD5

            9869746a0f9ad13ba9cd9e4a942896de

            SHA1

            d114255b271ebdbb6d29c1898bf78ccecd92ed22

            SHA256

            3bb6fb8a9ec7dfb576316dad2057f6015a1bd3362c5bf8ca6d76fb8304aaf2bb

            SHA512

            87cb6aa67a164f7acbf40f84bbe221cbf8a5861d6b9b8511dc94588643664448c8b1d34b95acf9014eb43d9e24b5bd93440d073e8b28201676e61168344e5c2f

          • C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe

            Filesize

            3.0MB

            MD5

            6d7b8a872106bc27873d6b612f5f39a3

            SHA1

            24c85bd8887dc078eed4411fa5b83ffb19ff92c0

            SHA256

            7c0928de9ba2c9dfb3f2d573d8126b048e422f01c1549dfb39816a528f7cae48

            SHA512

            b77bc1f339db44c30a976127f59412989b53b045e399c08428557058159f2030fbc901e2843ed904d3e716971611a2283023004855d99b2ced9e6a7c7b2086dc

          • C:\Windows\Temp\{64BC4BF4-1274-4A7A-B025-78C3F1911308}\.cr\vc_redist.x64.exe

            Filesize

            635KB

            MD5

            b73be38096eddc4d427fbbfdd8cf15bd

            SHA1

            534f605fd43cc7089e448e5fa1b1a2d56de14779

            SHA256

            ab1164dcaf6c7d7d4905881f332a7b6f854be46e36b860c44d9eedc96ab6607a

            SHA512

            5af779926d344bc7c4140725f90cddad5eb778f5ca4856d5a31a6084424964d205638815eab4454e0ea34ea56fafca19fadd1eb2779dc6b7f277e4e4ce4b1603

          • C:\Windows\Temp\{75020117-100F-4BE7-A9D5-E471861604E2}\.ba\logo.png

            Filesize

            1KB

            MD5

            d6bd210f227442b3362493d046cea233

            SHA1

            ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

            SHA256

            335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

            SHA512

            464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

          • C:\Windows\Temp\{75020117-100F-4BE7-A9D5-E471861604E2}\.ba\wixstdba.dll

            Filesize

            191KB

            MD5

            eab9caf4277829abdf6223ec1efa0edd

            SHA1

            74862ecf349a9bedd32699f2a7a4e00b4727543d

            SHA256

            a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

            SHA512

            45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2
