Analysis
-
max time kernel
121s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
09/05/2024, 10:40
General
-
Target
NovaInstaller.exe
-
Size
152.1MB
-
MD5
73e8d276bd6ae53017d14a478b2bb98c
-
SHA1
9f88bbbda8f27b31a806fc4fa8894e85f0fcf38e
-
SHA256
39975e5d11fcbb449a216986235f6c3ffd39448f9984d63c8b58a9878a90f5e6
-
SHA512
b3dbf65def9796807b315f7b8a453d8759a402653bd2768fdb291ebe80e44e429fe194ebdd11e503524e7e07c4da4ba6c7bb40451584ab241e6be8ca864b0aeb
-
SSDEEP
786432:85FEiqL+07t0WN3KPqiVUTyqjg+NnRUTEKsKgqTtLwSTRpf4P1wT1ixZrs36cHSv:8IPLJ2TVUiKStTAxZrsqc4Z
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 13 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Modifies registry class 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe"C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe"1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.15-win-x64.exe"windowsdesktop-runtime-6.0.15-win-x64.exe" /S2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\{1F32F2DB-8FB2-4632-8F2A-26A170E075F8}\.cr\windowsdesktop-runtime-6.0.15-win-x64.exe"C:\Windows\Temp\{1F32F2DB-8FB2-4632-8F2A-26A170E075F8}\.cr\windowsdesktop-runtime-6.0.15-win-x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.15-win-x64.exe" -burn.filehandle.attached=184 -burn.filehandle.self=192 /S3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\{CDB18C54-5360-45CF-BCB4-8851B1B021E0}\.be\windowsdesktop-runtime-6.0.21-win-x64.exe"C:\Windows\Temp\{CDB18C54-5360-45CF-BCB4-8851B1B021E0}\.be\windowsdesktop-runtime-6.0.21-win-x64.exe" -q -burn.elevated BurnPipe.{6A390B40-01F4-465F-A859-62E9F9B5ACFD} {A964DB98-7458-4E77-8BAA-185C4ADFAA5A} 8324⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 3284⤵
- Loads dropped DLL
- Program crash
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
Filesize
4KB
MD59eb0320dfbf2bd541e6a55c01ddc9f20
SHA1eb282a66d29594346531b1ff886d455e1dcd6d99
SHA2569095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79
SHA5129ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d
-
Filesize
4.7MB
MD503a60a6652caf4f49ea5912ce4e1b33c
SHA1a0d949d4af7b1048dc55e39d1d1260a1e0660c4f
SHA256b23e7b820ed5c6ea7dcd77817e2cd79f1cec9561d457172287ee634a8bd658c3
SHA5126711d40d171ea200c92d062226a69f33eb41e9232d74291ef6f0202de73cf4dc54fbdd769104d2bb3e89dc2d81f2f2f3479e4258a5d6a54c545e56b07746b4c4
-
Filesize
1.2MB
MD5607039b9e741f29a5996d255ae7ea39f
SHA19ea6ef007bee59e05dd9dd994da2a56a8675a021
SHA256be81804da3077e93880b506e3f3061403ce6bf9ce50b9c0fcc63bb50b4352369
SHA5120766c98228f6ccc907674e3b9cebe64eee234138b8d3f00848433388ad609fa38d17a961227e683e92241b163aa30cf06708a458f2bc4d3704d5aa7a7182ca50
-
Filesize
1.9MB
MD59c828f9cca7da40407bfe9521bae6402
SHA1da09914b5a96c3ddf038e3cb176a8b5f31d71ae8
SHA2567f9d0cd50f10c55848027e1fb9d7d780ebbf1eadbb5edd899f2af359aa9681e8
SHA51201db920eb96999cb83d0e42c20ceb19b7aaed3d3c4ed71e26528cf05f8751f53885faab5255025c26ea4d1d479a460fc797d102dd22aebb550bd85f0748b6c0b
-
Filesize
610KB
MD5ff67a2a55ed6998ab527273d547fc00f
SHA1852712b95ca05de8f336f07ff9ac672281b91215
SHA25671dc12e39274b7a94f1a44b1ebe1a1507adf9884db5fdcd4cd9346b4c9fbe0c9
SHA51248eb6bcb087d23ffb4e85501d23e55a4a15e8e0d2b4ca402a46df5946640f7e33c47deb785142af0fbc8cb10b6f9731500a370168cb43fd02642b29a880151d9
-
Filesize
197KB
MD54356ee50f0b1a878e270614780ddf095
SHA1b5c0915f023b2e4ed3e122322abc40c4437909af
SHA25641a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104
SHA512b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691
-
Filesize
512KB
-
Filesize
976KB
-
Filesize
96KB
-
Filesize
256KB
-
Filesize
88KB
-
Filesize
10.1MB
-
Filesize
100KB
-
Filesize
28KB
-
Filesize
76KB
-
Filesize
20KB
-
Filesize
52KB
-
Filesize
32KB
-
Filesize
284KB
-
Filesize
72KB
-
Filesize
168KB
-
Filesize
8.1MB
-
Filesize
272KB
-
Filesize
8.3MB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
248KB
-
Filesize
1.4MB
-
Filesize
40KB
-
Filesize
15.5MB
-
Filesize
2.2MB
-
Filesize
4KB
