Analysis
  max time kernel: 148s
  max time network: 156s
  platform: windows10-2004_x64
  resource: win10v2004-20240221-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 22/02/2024, 18:08
Static task: static1
Behavioral task behavioral1: sample NovaInstaller.exe, resource win7-20240221-en
Behavioral task behavioral2: sample NovaInstaller.exe, resource win10v2004-20240221-en (the run reported on this page, per the Analysis block above)
General
  Target: NovaInstaller.exe
  Size: 152.1MB
  MD5: 01586514c91b035342b92789601710b7
  SHA1: 7497f2ab937b123dafbd8769b9f62207e32063c1
  SHA256: b8b96d300bf7ac2d39d20bfcfe77ad3dde7214323b503850b8d131266ba68573
  SHA512: d2fedfa7451ff5a14287ba95ff1718949f1dc71226538cf1978009920f9384cf7c0dc0f5c2ad79cf5abaf6faa12ec95f0f987c223c8b735cf1097323ababb819
  SSDEEP: 786432:85FEeqL+07t0WN3KPqiVUTyqjg+NnRUTEKsKgqTtLwSTRpf4P1wT1ixZrs36cHSl:8I7LJ2TVUiKStTAxZrsqc4z
Malware Config
Signatures
Downloads MZ/PE file

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation (process: vc_redist.x64.exe)
  Note the process: the lookup is made by the dropped vc_redist.x64.exe (PID 3860 in the process list), not by NovaInstaller.exe itself. A Burn-based redistributable installer reading the user's region setting is expected behaviour, so confirm the dropped file's Authenticode signature before treating this hit as something the sample does.
Executes dropped EXE (4 IoCs)
  PID 1708  vc_redist.x64.exe
  PID 3860  vc_redist.x64.exe
  PID 3304  VC_redist.x64.exe
  PID 3012  dotnet-sdk-6.0.405-win-x64.exe

Loads dropped DLL (4 IoCs)
  PID 4220  NovaInstaller.exe (three loads; consistent with the three *_cor3.dll files under %TEMP%\.net\NovaInstaller\... listed in Downloads, which is where a self-contained single-file .NET application unpacks its native WPF libraries)
  PID 3860  vc_redist.x64.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{c649ede4-f16a-4486-a117-dcc2f2a35165} = "\"C:\\ProgramData\\Package Cache\\{c649ede4-f16a-4486-a117-dcc2f2a35165}\\VC_redist.x64.exe\" /burn.runonce" (process: VC_redist.x64.exe, PID 3304)
  This is the WiX Burn engine's own resume mechanism: the elevated bundle registers a RunOnce entry pointing at its Package Cache copy with /burn.runonce so that an interrupted install resumes after a reboot, and Burn normally clears it when the bundle finishes. It is written by the redistributable, not by NovaInstaller.exe, and is not persistence for the sample; the WOW6432Node path reflects the 32-bit Burn engine. If the entry survives a completed run, that is the point at which it deserves a second look.
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
  PID 1632 WerFault.exe, target PID 3860 (vc_redist.x64.exe, procid_target 90)
  The process that crashed is the clean-room copy of the VC++ redistributable (PID 3860), matching the two WerFault.exe invocations with -p 3860 in the process list; no crash is recorded for NovaInstaller.exe itself.
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  All five IoCs below are by vssvc.exe (PID 4928), the Volume Shadow Copy service, creating and writing Partmgr\PartitionTableCache and SnapshotDataCache under the disk's Enum\SCSI key. Together with srtasks.exe ExecuteScopeRestorePoint in the process list, this is consistent with a system restore point being taken while the VC++ redistributable and .NET SDK installers run, not with the sample probing the disk for sandbox artefacts. The unusual vendor string Ven_DADY in the device path identifies the analysis VM's disk. The raw table rows follow:
description ioc Process Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000086aa1aaef4cad2bf0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000086aa1aae0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090086aa1aae000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d86aa1aae000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000086aa1aae00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe -
Modifies registry class (6 IoCs)
  All by VC_redist.x64.exe (PID 3304); these are Burn's dependency-provider registrations for the 14.38.33135 redistributable bundle:
  Key created: \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle\ = "{c649ede4-f16a-4486-a117-dcc2f2a35165}"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle\Version = "14.38.33135.0"
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.38.33135"
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle\Dependents
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle\Dependents\{c649ede4-f16a-4486-a117-dcc2f2a35165}
Suspicious use of AdjustPrivilegeToken (12 IoCs)
  PID 4220 NovaInstaller.exe: SeDebugPrivilege
  PID 4928 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  PID 3660 srtasks.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege (each enabled twice)
  The only entry attributable to the sample is NovaInstaller.exe enabling SeDebugPrivilege, which an installer does not normally need and which is worth locating in the binary. The vssvc.exe and srtasks.exe entries are the backup/restore privileges those Windows services routinely enable while a restore point is created.
Suspicious use of WriteProcessMemory (12 IoCs)
  Each parent-to-child write is recorded three times; the four distinct edges are:
  PID 4220 NovaInstaller.exe wrote to memory of 1708 (procid_target 89)
  PID 1708 vc_redist.x64.exe wrote to memory of 3860 (procid_target 90)
  PID 3860 vc_redist.x64.exe wrote to memory of 3304 (procid_target 91)
  PID 4220 NovaInstaller.exe wrote to memory of 3012 (procid_target 103)
  Every write targets a process the writer had just created (compare the process list), the pattern ordinary process creation produces in this sandbox; there is no write into a pre-existing or unrelated process that would suggest injection.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

1⤵ C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe
   "C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe"
   PID 4220
   - Loads dropped DLL
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2⤵ C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe
      "vc_redist.x64.exe" /install /quiet /norestart
      PID 1708
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3⤵ C:\Windows\Temp\{64BC4BF4-1274-4A7A-B025-78C3F1911308}\.cr\vc_redist.x64.exe
         "C:\Windows\Temp\{64BC4BF4-1274-4A7A-B025-78C3F1911308}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe" -burn.filehandle.attached=520 -burn.filehandle.self=540 /install /quiet /norestart
         PID 3860
         - Checks computer location settings
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4⤵ C:\Windows\Temp\{75020117-100F-4BE7-A9D5-E471861604E2}\.be\VC_redist.x64.exe
            "C:\Windows\Temp\{75020117-100F-4BE7-A9D5-E471861604E2}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{472BD820-B034-4B98-8F6C-C966D0298679} {57C6BF00-3285-4967-BF72-F091D99D4408} 3860
            PID 3304
            - Executes dropped EXE
            - Adds Run key to start application
            - Modifies registry class
         4⤵ C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 1236
            PID 1632
            - Program crash
   2⤵ C:\Users\Admin\AppData\Local\Temp\dotnet-sdk-6.0.405-win-x64.exe
      "dotnet-sdk-6.0.405-win-x64.exe" /install /quiet
      PID 3012
      - Executes dropped EXE

1⤵ C:\Windows\system32\vssvc.exe
   C:\Windows\system32\vssvc.exe
   PID 4928
   - Checks SCSI registry key(s)
   - Suspicious use of AdjustPrivilegeToken

1⤵ C:\Windows\system32\srtasks.exe
   C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
   PID 3660
   - Suspicious use of AdjustPrivilegeToken

1⤵ C:\Windows\SysWOW64\WerFault.exe
   C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3860 -ip 3860
   PID 1760

Reading the tree: the vc_redist chain (bundle in %TEMP%, clean-room copy under C:\Windows\Temp\{GUID}\.cr\, elevated engine under \.be\ talking to it over the BurnPipe named pipe) is the standard three-process layout of a WiX Burn bundle, and the elevated engine (PID 3304) is the process that writes the RunOnce and Installer\Dependencies keys flagged above. The sample's own direct actions are limited to launching the two installers, loading its unpacked .NET native DLLs and enabling SeDebugPrivilege; vssvc.exe and srtasks.exe are separate roots because Windows started them for the restore point, not because the sample did.
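A practitioner reading a report like this usually wants the process tree rebuilt from the raw write edges so that signature hits can be attributed to the sample's lineage rather than to services that merely reacted to it. The script below is an added example and is not code from the sandbox report or its vendor. The IoC rows and the PID-to-image table are copied from the report's 'Suspicious use of WriteProcessMemory' section and process list; the row format the regex assumes and every function name are this example's own.

```python
"""Rebuild a sandbox run's process tree from its 'wrote to memory of' IoC
rows and use it to separate signature hits raised by the sample's own
lineage from hits raised by Windows services that merely reacted to it.

Added example, not code from the sandbox report or its vendor. The rows
and the PID table are copied from the report (every write appears three
times there, as the sandbox logs each call); the assumed row format and
the function names are this example's own.
"""
import re
from collections import defaultdict

WPM_ROWS = """\
PID 4220 wrote to memory of 1708 4220 NovaInstaller.exe 89
PID 4220 wrote to memory of 1708 4220 NovaInstaller.exe 89
PID 4220 wrote to memory of 1708 4220 NovaInstaller.exe 89
PID 1708 wrote to memory of 3860 1708 vc_redist.x64.exe 90
PID 1708 wrote to memory of 3860 1708 vc_redist.x64.exe 90
PID 1708 wrote to memory of 3860 1708 vc_redist.x64.exe 90
PID 3860 wrote to memory of 3304 3860 vc_redist.x64.exe 91
PID 3860 wrote to memory of 3304 3860 vc_redist.x64.exe 91
PID 3860 wrote to memory of 3304 3860 vc_redist.x64.exe 91
PID 4220 wrote to memory of 3012 4220 NovaInstaller.exe 103
PID 4220 wrote to memory of 3012 4220 NovaInstaller.exe 103
PID 4220 wrote to memory of 3012 4220 NovaInstaller.exe 103
"""

# PID -> image name for every process the report lists with a signature hit.
PROCESS_NAMES = {
    4220: "NovaInstaller.exe",
    1708: "vc_redist.x64.exe",
    3860: "vc_redist.x64.exe",
    3304: "VC_redist.x64.exe",
    3012: "dotnet-sdk-6.0.405-win-x64.exe",
    4928: "vssvc.exe",
    3660: "srtasks.exe",
    1632: "WerFault.exe",
    1760: "WerFault.exe",
}

# "PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>"
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")


def parse_writes(rows: str) -> dict[int, tuple[int, str, int]]:
    """Return {target_pid: (writer_pid, writer_image, procid_target)}, collapsing
    the triplicated rows. A write into a process the writer has just created is
    how ordinary CreateProcess shows up here, so the writer is taken as parent."""
    edges: dict[int, tuple[int, str, int]] = {}
    for m in ROW_RE.finditer(rows):
        writer, target, image, procid = int(m[1]), int(m[2]), m[3], int(m[4])
        edges.setdefault(target, (writer, image, procid))
    return edges


def lineage_of(root: int, edges: dict[int, tuple[int, str, int]]) -> set[int]:
    """All PIDs reachable from `root` by following parent -> child edges."""
    children: dict[int, list[int]] = defaultdict(list)
    for child, (parent, _, _) in edges.items():
        children[parent].append(child)
    seen: set[int] = set()
    stack = [root]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        stack.extend(children[pid])
    return seen


def render_tree(root: int, edges, names, depth: int = 0) -> list[str]:
    """Indented one-line-per-process view of the subtree under `root`."""
    lines = [f"{'  ' * depth}{names.get(root, '?')} (PID {root})"]
    for child, (parent, _, _) in sorted(edges.items()):
        if parent == root:
            lines.extend(render_tree(child, edges, names, depth + 1))
    return lines


def attribute(edges, names, sample_pid: int) -> dict[int, str]:
    """Tag each named process as part of the sample's lineage or as 'other'
    (services such as vssvc.exe that the sandbox lists as separate roots)."""
    lineage = lineage_of(sample_pid, edges)
    return {pid: "sample lineage" if pid in lineage else "other" for pid in names}


if __name__ == "__main__":
    edges = parse_writes(WPM_ROWS)
    print("\n".join(render_tree(4220, edges, PROCESS_NAMES)))
    for pid, tag in sorted(attribute(edges, PROCESS_NAMES, 4220).items()):
        print(f"{pid:>5}  {PROCESS_NAMES[pid]:<32} {tag}")
```

The rebuilt tree reproduces the NovaInstaller.exe branch of the process list exactly. WerFault.exe (PIDs 1632 and 1760) has no write edge, because Windows Error Reporting launches it on the crashing process's behalf rather than the sample chain writing into it, so it lands in "other" even though the report nests the -u -p 3860 instance under the crashed vc_redist.x64.exe; that gap is the reason to read the write edges alongside the process list rather than instead of it.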
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uztLljCegqSJbgApdKxz7vVm_L3UFNo=\D3DCompiler_47_cor3.dll
  Filesize: 4.7MB
  MD5: 03a60a6652caf4f49ea5912ce4e1b33c
  SHA1: a0d949d4af7b1048dc55e39d1d1260a1e0660c4f
  SHA256: b23e7b820ed5c6ea7dcd77817e2cd79f1cec9561d457172287ee634a8bd658c3
  SHA512: 6711d40d171ea200c92d062226a69f33eb41e9232d74291ef6f0202de73cf4dc54fbdd769104d2bb3e89dc2d81f2f2f3479e4258a5d6a54c545e56b07746b4c4

C:\Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uztLljCegqSJbgApdKxz7vVm_L3UFNo=\PresentationNative_cor3.dll
  Filesize: 1.2MB
  MD5: 607039b9e741f29a5996d255ae7ea39f
  SHA1: 9ea6ef007bee59e05dd9dd994da2a56a8675a021
  SHA256: be81804da3077e93880b506e3f3061403ce6bf9ce50b9c0fcc63bb50b4352369
  SHA512: 0766c98228f6ccc907674e3b9cebe64eee234138b8d3f00848433388ad609fa38d17a961227e683e92241b163aa30cf06708a458f2bc4d3704d5aa7a7182ca50

C:\Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uztLljCegqSJbgApdKxz7vVm_L3UFNo=\wpfgfx_cor3.dll
  Filesize: 1.9MB
  MD5: 9c828f9cca7da40407bfe9521bae6402
  SHA1: da09914b5a96c3ddf038e3cb176a8b5f31d71ae8
  SHA256: 7f9d0cd50f10c55848027e1fb9d7d780ebbf1eadbb5edd899f2af359aa9681e8
  SHA512: 01db920eb96999cb83d0e42c20ceb19b7aaed3d3c4ed71e26528cf05f8751f53885faab5255025c26ea4d1d479a460fc797d102dd22aebb550bd85f0748b6c0b

The three DLLs above are the native WPF components a self-contained single-file .NET application extracts at start-up; compare their hashes with the copies shipped in an official .NET desktop runtime package before treating them as benign. The remaining entries are listed in the report without a file path.

(no path)
  Filesize: 11.6MB
  MD5: a0771e2cb6ba8b02851a079de72dd5a9
  SHA1: 8f57f6aa30cf12c89d5778fe304b9e572e21ba32
  SHA256: 0b56c725d8ed505390fdf69c9ee71fa86487e12dd4ba78f371a5a2b4cc7bf4be
  SHA512: 53d2a52698919e92468fdade279d809f04bbcd7c47333437a0faaad137986ba96172c922af5cb31dada0d71ce682639c080834ce67a305ec57348df3ee642106

(no path)
  Filesize: 11.9MB
  MD5: 9206f265d5494890973e3595d4f36be1
  SHA1: 3eab95b3ca683711be99f7c4d21d1f851adf3c63
  SHA256: 12bddfb456ab20be1040a82fa8a39251826e720093dcb08c92796f8a4ac93471
  SHA512: fd1a75c22cfa758ca5abc8de689dd9554a695851b715b8200ed9978a15518d3fe2513ee76427a2b33ee39b7b91037c3e8e2562a966814000b8af3c71caea5996

(no path)
  Filesize: 6.2MB
  MD5: 9869746a0f9ad13ba9cd9e4a942896de
  SHA1: d114255b271ebdbb6d29c1898bf78ccecd92ed22
  SHA256: 3bb6fb8a9ec7dfb576316dad2057f6015a1bd3362c5bf8ca6d76fb8304aaf2bb
  SHA512: 87cb6aa67a164f7acbf40f84bbe221cbf8a5861d6b9b8511dc94588643664448c8b1d34b95acf9014eb43d9e24b5bd93440d073e8b28201676e61168344e5c2f

(no path)
  Filesize: 3.0MB
  MD5: 6d7b8a872106bc27873d6b612f5f39a3
  SHA1: 24c85bd8887dc078eed4411fa5b83ffb19ff92c0
  SHA256: 7c0928de9ba2c9dfb3f2d573d8126b048e422f01c1549dfb39816a528f7cae48
  SHA512: b77bc1f339db44c30a976127f59412989b53b045e399c08428557058159f2030fbc901e2843ed904d3e716971611a2283023004855d99b2ced9e6a7c7b2086dc

(no path)
  Filesize: 635KB
  MD5: b73be38096eddc4d427fbbfdd8cf15bd
  SHA1: 534f605fd43cc7089e448e5fa1b1a2d56de14779
  SHA256: ab1164dcaf6c7d7d4905881f332a7b6f854be46e36b860c44d9eedc96ab6607a
  SHA512: 5af779926d344bc7c4140725f90cddad5eb778f5ca4856d5a31a6084424964d205638815eab4454e0ea34ea56fafca19fadd1eb2779dc6b7f277e4e4ce4b1603

(no path)
  Filesize: 1KB
  MD5: d6bd210f227442b3362493d046cea233
  SHA1: ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
  SHA256: 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
  SHA512: 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

(no path)
  Filesize: 191KB
  MD5: eab9caf4277829abdf6223ec1efa0edd
  SHA1: 74862ecf349a9bedd32699f2a7a4e00b4727543d
  SHA256: a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
  SHA512: 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2