b8b96d300bf7ac2d39d20bfcfe77ad3dde7214323b503850b8d131266ba68573

General

Target

NovaInstaller.exe
Size

152.1MB
MD5

01586514c91b035342b92789601710b7
SHA1

7497f2ab937b123dafbd8769b9f62207e32063c1
SHA256

b8b96d300bf7ac2d39d20bfcfe77ad3dde7214323b503850b8d131266ba68573
SHA512

d2fedfa7451ff5a14287ba95ff1718949f1dc71226538cf1978009920f9384cf7c0dc0f5c2ad79cf5abaf6faa12ec95f0f987c223c8b735cf1097323ababb819
SSDEEP

786432:85FEeqL+07t0WN3KPqiVUTyqjg+NnRUTEKsKgqTtLwSTRpf4P1wT1ixZrs36cHSl:8I7LJ2TVUiKStTAxZrsqc4z

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Loads dropped DLL 3 IoCs

pid	Process
3012	NovaInstaller.exe
3012	NovaInstaller.exe
3012	NovaInstaller.exe

Modifies system certificate store 2 TTPs 2 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	NovaInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	NovaInstaller.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3012	NovaInstaller.exe

C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5C3B.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
\Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uztLljCegqSJbgApdKxz7vVm_L3UFNo=\D3DCompiler_47_cor3.dll

Filesize
4.7MB

MD5
03a60a6652caf4f49ea5912ce4e1b33c

SHA1
a0d949d4af7b1048dc55e39d1d1260a1e0660c4f

SHA256
b23e7b820ed5c6ea7dcd77817e2cd79f1cec9561d457172287ee634a8bd658c3

SHA512
6711d40d171ea200c92d062226a69f33eb41e9232d74291ef6f0202de73cf4dc54fbdd769104d2bb3e89dc2d81f2f2f3479e4258a5d6a54c545e56b07746b4c4

Download Submit
\Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uztLljCegqSJbgApdKxz7vVm_L3UFNo=\PresentationNative_cor3.dll

Filesize
1.2MB

MD5
607039b9e741f29a5996d255ae7ea39f

SHA1
9ea6ef007bee59e05dd9dd994da2a56a8675a021

SHA256
be81804da3077e93880b506e3f3061403ce6bf9ce50b9c0fcc63bb50b4352369

SHA512
0766c98228f6ccc907674e3b9cebe64eee234138b8d3f00848433388ad609fa38d17a961227e683e92241b163aa30cf06708a458f2bc4d3704d5aa7a7182ca50

Download Submit
\Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uztLljCegqSJbgApdKxz7vVm_L3UFNo=\wpfgfx_cor3.dll

Filesize
1.9MB

MD5
9c828f9cca7da40407bfe9521bae6402

SHA1
da09914b5a96c3ddf038e3cb176a8b5f31d71ae8

SHA256
7f9d0cd50f10c55848027e1fb9d7d780ebbf1eadbb5edd899f2af359aa9681e8

SHA512
01db920eb96999cb83d0e42c20ceb19b7aaed3d3c4ed71e26528cf05f8751f53885faab5255025c26ea4d1d479a460fc797d102dd22aebb550bd85f0748b6c0b

Download Submit
memory/3012-27-0x0000000022E80000-0x0000000022F00000-memory.dmp

Filesize
512KB

Download
memory/3012-21-0x0000000001D50000-0x0000000001D8E000-memory.dmp

Filesize
248KB

Download
memory/3012-24-0x0000000024E40000-0x0000000025682000-memory.dmp

Filesize
8.3MB

Download
memory/3012-5-0x0000000180000000-0x0000000180A25000-memory.dmp

Filesize
10.1MB

Download
memory/3012-30-0x0000000000480000-0x000000000048D000-memory.dmp

Filesize
52KB

Download
memory/3012-33-0x0000000000490000-0x0000000000495000-memory.dmp

Filesize
20KB

Download
memory/3012-36-0x0000000001D90000-0x0000000001DA3000-memory.dmp

Filesize
76KB

Download
memory/3012-42-0x00000000004A0000-0x00000000004B9000-memory.dmp

Filesize
100KB

Download
memory/3012-45-0x0000000001E50000-0x0000000001E66000-memory.dmp

Filesize
88KB

Download
memory/3012-39-0x0000000000470000-0x0000000000477000-memory.dmp

Filesize
28KB

Download
memory/3012-48-0x0000000002270000-0x00000000022B0000-memory.dmp

Filesize
256KB

Download
memory/3012-54-0x0000000001DB0000-0x0000000001DC2000-memory.dmp

Filesize
72KB

Download
memory/3012-51-0x0000000001E70000-0x0000000001E88000-memory.dmp

Filesize
96KB

Download
memory/3012-18-0x0000000000750000-0x0000000000794000-memory.dmp

Filesize
272KB

Download
memory/3012-60-0x0000000023590000-0x0000000023684000-memory.dmp

Filesize
976KB

Download
memory/3012-63-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/3012-66-0x0000000022FF0000-0x0000000023037000-memory.dmp

Filesize
284KB

Download
memory/3012-69-0x0000000022F00000-0x0000000022F2A000-memory.dmp

Filesize
168KB

Download
memory/3012-72-0x0000000025EB0000-0x00000000266CC000-memory.dmp

Filesize
8.1MB

Download
memory/3012-15-0x0000000022AC0000-0x0000000022C1E000-memory.dmp

Filesize
1.4MB

Download
memory/3012-12-0x0000000023160000-0x0000000023388000-memory.dmp

Filesize
2.2MB

Download
memory/3012-125-0x00000000230C0000-0x00000000230CA000-memory.dmp

Filesize
40KB

Download
memory/3012-126-0x00000000230C0000-0x00000000230CA000-memory.dmp

Filesize
40KB

Download
memory/3012-187-0x000000013FC40000-0x000000014056D000-memory.dmp

Filesize
9.2MB

Download
memory/3012-188-0x00000000230C0000-0x00000000230CA000-memory.dmp

Filesize
40KB

Download
memory/3012-8-0x0000000023EB0000-0x0000000024E38000-memory.dmp

Filesize
15.5MB

Download
memory/3012-9-0x000000013FC40000-0x000000014056D000-memory.dmp

Filesize
9.2MB

Download

Analysis

Sharing