d4edaa6438dadc7c0b82655a5fe3054ddcf2932f55a177a0f08919484f930796

General

Target

Nova Launcher V2.exe
Size

121KB
MD5

11f6b755147b4ca6b441620c0ac39268
SHA1

c93ca611430e685572cbdd7b762633a91b0671ad
SHA256

d4edaa6438dadc7c0b82655a5fe3054ddcf2932f55a177a0f08919484f930796
SHA512

5465d1e5df7a0e34bab7c997a777b86ea447a3519ab993e65216b9dae54e6285ae50b953979736a87b748520ef502a3c6e513b0f4bcdf864addb9247caa1562b
SSDEEP

3072:paPSy6sZ7z/N7kvRS6s5nTsz4IwqJOSIHbBFiMa:tyXrNcNs5nTsyHHb6M

Score

8^/10

execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1572	powershell.exe
4824	powershell.exe
560	powershell.exe
1308	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Users\\Admin\\System32.exe"	Nova Launcher V2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4264	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1572	powershell.exe
1572	powershell.exe
4824	powershell.exe
4824	powershell.exe
560	powershell.exe
560	powershell.exe
1308	powershell.exe
1308	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1496	Nova Launcher V2.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 1572	1496	Nova Launcher V2.exe	82
PID 1496 wrote to memory of 1572	1496	Nova Launcher V2.exe	82
PID 1496 wrote to memory of 4824	1496	Nova Launcher V2.exe	84
PID 1496 wrote to memory of 4824	1496	Nova Launcher V2.exe	84
PID 1496 wrote to memory of 560	1496	Nova Launcher V2.exe	86
PID 1496 wrote to memory of 560	1496	Nova Launcher V2.exe	86
PID 1496 wrote to memory of 1308	1496	Nova Launcher V2.exe	88
PID 1496 wrote to memory of 1308	1496	Nova Launcher V2.exe	88
PID 1496 wrote to memory of 4264	1496	Nova Launcher V2.exe	90
PID 1496 wrote to memory of 4264	1496	Nova Launcher V2.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Nova Launcher V2.exe
"C:\Users\Admin\AppData\Local\Temp\Nova Launcher V2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nova Launcher V2.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nova Launcher V2.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\System32.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System32.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1308
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System32" /tr "C:\Users\Admin\System32.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
991c786c3c03a8d69ce838fc3a4bd0d2

SHA1
f936279c34ed27835dd5bf7b2f737e801bd2b7e0

SHA256
308025496dc5620144270d6f6acd81d9c2b25244fc73bb95226470b1ce1cefb0

SHA512
4f0cc6cd5a78609f3cc1a4892e9cf415f2a9e6bb8b61983ca899109738bbafa395cf85cdf704021c7b78a83091d661a90a1f16cf2ac24a5d2c8f49ce532e213b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
94381cc2318d4c7b5fd158d0475bc4c5

SHA1
5fa16cfe97a935ca6e65399d58616adf71509f9e

SHA256
170b0901caffd7cea527a09465cdd07d151e37212ae3b6d842a7acd92cfcf7c0

SHA512
e868b496f381867aff2dc2fea21d65a9232f43c21bae7d0ca396d209482dff05e71fe3e401f41d4734f509cee38dbf68c24bbd239c326ac54ba5bc272f3ba2ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fb9fada5651a2593ce0268bd1ee523a6

SHA1
870a5771f5033c5a7cc418701790bf1dc139383d

SHA256
292dffc35560c53f5e8c2c5fc5345ecef3bcda441ac4226dc953d16ed1d1955b

SHA512
310746aec847ec95c5ce9b2ef05ef95b9a93ac7b00839becd742f8a5191172d248cd6ef06a96c32f3dea005263c0d81b01b126fdd47c033930f5ed1af0192a97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e0391d00f5bfbc34be70790f14d5edf

SHA1
fcb04d8599c23967de4f154a101be480933ab0d0

SHA256
1c0c0c86d7c736fc9fb148ac7cd6e67565dc5b76fa116ae3b000a79e91855136

SHA512
231b9cc6efb928f0748cef04f287d9204c4f7d2eb4bc27f345e9a1afc6d0675057978ca44d1a95334ee2380709aa6dbe74015fedff8f17611a64efcfb9f64d2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1onulcgk.xzt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1496-1-0x00000000000E0000-0x0000000000108000-memory.dmp

Filesize
160KB

Download
memory/1496-54-0x00007FFA1FC60000-0x00007FFA20722000-memory.dmp

Filesize
10.8MB

Download
memory/1496-0-0x00007FFA1FC63000-0x00007FFA1FC65000-memory.dmp

Filesize
8KB

Download
memory/1572-13-0x00007FFA1FC60000-0x00007FFA20722000-memory.dmp

Filesize
10.8MB

Download
memory/1572-17-0x00007FFA1FC60000-0x00007FFA20722000-memory.dmp

Filesize
10.8MB

Download
memory/1572-18-0x00007FFA1FC60000-0x00007FFA20722000-memory.dmp

Filesize
10.8MB

Download
memory/1572-14-0x00007FFA1FC60000-0x00007FFA20722000-memory.dmp

Filesize
10.8MB

Download
memory/1572-12-0x00007FFA1FC60000-0x00007FFA20722000-memory.dmp

Filesize
10.8MB

Download
memory/1572-11-0x00007FFA1FC60000-0x00007FFA20722000-memory.dmp

Filesize
10.8MB

Download
memory/1572-10-0x000001EF2B6B0000-0x000001EF2B6D2000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads