Overview

overview

6

Static

static

1

NovaLaunch...ae.msi

windows11-21h2-x64

6

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240709-en
  • resource tags

    arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    21/07/2024, 18:19

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    NovaLauncher_11b0e9c62e0dfc7e3ce1251f38dad5ae.msi

  • Size

    7.1MB

  • MD5

    11b0e9c62e0dfc7e3ce1251f38dad5ae

  • SHA1

    fecde9f0459ab0fe90e6897aebf3c0c0a5bcb00f

  • SHA256

    191f014b1168a7e1a6440467f72d810028aa42507a26b45e653413ed3531c3cb

  • SHA512

    8d143b65207ffe58935450114d99d44cc2f0ee364377880f350beb565006f0ec0ed59a02e0b7e542779897c8caac640f97f909e9ed46525def02bd233236b645

  • SSDEEP

    196608:oEWqqlBJKK09BYzW+ZUl4sK8bF/9NH5iPbPOt:o3Fls9BYzw4sK8bF/aTOt

Score
6/10
persistenceprivilege_escalation

Malware Config

Signatures

  • Blocklisted process makes network request 4 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 13 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
    persistenceprivilege_escalation
  • Checks SCSI registry key(s) 3 TTPs 8 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\NovaLauncher_11b0e9c62e0dfc7e3ce1251f38dad5ae.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3492
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3648
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding C732DE00F72F16C251A5FA82B9D4B905 C
      2⤵
      • Loads dropped DLL
      PID:1168
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:1520
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 01EE8B06172FA1BD3C9F462FB586BFC3
        2⤵
        • Loads dropped DLL
        PID:960
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:3712
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
      1⤵
        PID:952
      • C:\Windows\system32\osk.exe
        "C:\Windows\system32\osk.exe"
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:1748
      • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
        "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:720
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004E0
        1⤵
          PID:1700
        • C:\Windows\System32\Taskmgr.exe
          "C:\Windows\System32\Taskmgr.exe"
          1⤵
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:4060
        • C:\Program Files\Project Nova\Nova Launcher\NovaLauncher.Web.exe
          "C:\Program Files\Project Nova\Nova Launcher\NovaLauncher.Web.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:3360
        • C:\Program Files\Project Nova\Nova Launcher\NovaLauncher.Web.exe
          "C:\Program Files\Project Nova\Nova Launcher\NovaLauncher.Web.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:4272

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Config.Msi\e57f137.rbs
                Filesize

                9KB

                MD5

                afa610dfb5efc01e84ad13b2bfe34020

                SHA1

                959d0adf0b607d3aad401c95d26c4d43fa6ccc1e

                SHA256

                b7009aa034b70c90754eea012a0e36a56ecad23e519e4f89f51e06058d228e28

                SHA512

                4168599a56d113db647b245314a2ca4ea9c3ecf07ce5f418816c22887b123c411d694d507e8b4ed67de251987494544f1102313da82b6597b289e6c36412cc48

                Download Submit

              • C:\Program Files\Project Nova\Nova Launcher\NovaLauncher.Web.exe
                Filesize

                23.2MB

                MD5

                59bb0fd848be9f14836cebd201b58fb4

                SHA1

                21afc232f8e8140d44bd71ab512b9752cbb8787f

                SHA256

                3666776536098176ef1c89afcefc74eca42c4c07f05503c0a781e1a6a7ce06ea

                SHA512

                54dfa1e1e8ffd252bbc04aaccdf263d5ed480064c5514172acbd1362b4b6dc706df74aa94a547f8be98fc010a8e899cd46093172870a7a8c3abf26fdc668de4d

                Download Submit

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\248DDD9FCF61002E219645695E3FFC98_8161B15032C07B64978FB2EBA40D052B
                Filesize

                727B

                MD5

                3a06eca4086a985dc381f07d01384431

                SHA1

                0a609e27429a474129efbd04670883c54dcf9e1d

                SHA256

                bb894a1c3a43da0c2c940293f0859eb0325803d8618456069c368390d317c436

                SHA512

                0f3740396bd56e01edfa30794dbfb0545ce4810cae6151495bf318e735ba97b3291c4206f2644f7bb89875465a1270692c7241df704e2e15e257e081938fc7b2

                Download Submit

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
                Filesize

                727B

                MD5

                7a3b8457313a521e0d44f91765a4e041

                SHA1

                4ea8ecb5e7b4c11f4c491caf6cee7ced5ec4c267

                SHA256

                2b08ecf53bb8b6c430659926148f896102dc80b5f38b0ec5efe122199659651c

                SHA512

                7349fd1b8c490d540a8bb25f40587f9874ff5d9b1f9bdb2ea69db9218ebdbdccea5e4d6645fbd1098d051b008b1ebfd12a619c3a4d6fb54940705ab14933e159

                Download Submit

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\248DDD9FCF61002E219645695E3FFC98_8161B15032C07B64978FB2EBA40D052B
                Filesize

                478B

                MD5

                0a471d4d772734547bc8dcd9b1c51446

                SHA1

                519267a09d8b4a4697cedd6101ee7ff9967e9f35

                SHA256

                fcf7602cfbb1167dffe37ac5d2aa3e1f81c382b96649f39c38c5c835aae4249e

                SHA512

                66b3da5a8c02c8d5d17a81d401f956a23c10d8c154dbe3d6c9b88112d9072d16f7e820fb818e08d53683d28826363bcc9d3511838e80f307782b1d69f12dddd9

                Download Submit

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1
                Filesize

                478B

                MD5

                dded6ac8b3c59a92fe5c0569b6ceef61

                SHA1

                04a1e55b799499b834a1bbc64b2064a1fc2ecf60

                SHA256

                957e4baaf98358212a8dbe865d28593f6217346ef037e720668fa8813cc9b672

                SHA512

                1816de85abde7cc9af833867c71c9ad4e9797a51a2b646f2255d4c178ad61cef00c75916fbe5ad6beaaa77c412ca6d94af88c172b106d3b642ff163507ea9495

                Download Submit

              • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
                Filesize

                10KB

                MD5

                5f7a48eb6f3614131075b16c51ce1f3b

                SHA1

                974cf14d16f9b73df7a9a4682a7f3996421471ce

                SHA256

                300af9817d180f7a8114e6e83c21e7d75c82eec63b59c3e2e3e72da9f7047c10

                SHA512

                025c707f68e44a2d747a8678c3d2d718b5b1c5a6135ddbb7f12df6e40b399a8dc73d927b779214e66e5104bf7edd10fa729d8832c712c86868fea6faf3a3cf38

                Download Submit

              • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
                Filesize

                10KB

                MD5

                1338c0b23ef09d90485503f3754d6173

                SHA1

                d042d03d04d312e14ce19c9f153d74a5291b0221

                SHA256

                693f67bb605db323373461eb90b579da2f590150a3dab99072d2af90460a8da9

                SHA512

                85b9a176e871d07137c303253991ac6460fdba4a182dcf17cdce97d252736641907f2b87950f982d579f6a9adf233080862686228cd9c69aedb67394f6b8eef9

                Download Submit

              • C:\Users\Admin\AppData\Local\Sentry\1B5A6FBA371851648D43F30C84A8B5E3AEA6BD63\.installation
                Filesize

                36B

                MD5

                7ae48f63228d7e282ab07fa066e72d02

                SHA1

                de74eaa96890ceaad7218325a5f713ab04ed54d0

                SHA256

                279a91a56471f46accc0c6e79c01bef24445a05709159508f48a9af98649400c

                SHA512

                f8a5bb1fd3aa5dd66ce927a5a26628a2c3de7c9d5390c5c65275e1c84090c25b4e3f393899b415f26b066684db5e1db8f43052c5c597d91704d23292b7a1043f

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\MSIA18F.tmp
                Filesize

                285KB

                MD5

                b77a2a2768b9cc78a71bbffb9812b978

                SHA1

                b70e27eb446fe1c3bc8ea03dabbee2739a782e04

                SHA256

                f74c97b1a53541b059d3bfafe41a79005ce5065f8210d7de9f1b600dc4e28aa0

                SHA512

                a8b16bc60f8559c78c64ca9e85cd7fd704bba1f55b362465b7accef1bb853d1c9616995a35f972256c57fbe877ce880398ba1fbceaa658604883aa12dcbc4f57

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Microsoft\Installer\{7DB911F8-3389-425C-88DE-4689E209F6E8}\_3712A3D946B4A1C3E58903.exe
                Filesize

                4KB

                MD5

                3772bc572222ee4b4536e308d41b00a0

                SHA1

                278ed102dc1ca22ab912f95a5be5c801ae475e10

                SHA256

                a93caaaab2d4d9560a8acf5c9622f55ae31500bd1c173c658bb8f88c52b56834

                SHA512

                f88b488a8312f2e2452ddacdbac8b0e509d182163506b282607c6869cd2545111c8d53b480443d1081e39dc742b38539fbb124a6e32cad15380f17f7b72fdca6

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Nova.lnk
                Filesize

                2KB

                MD5

                eb3b6f2ea8b83b9d9b61486ae9da3dd4

                SHA1

                38649efebe9671cde61e5b0547aff5025d3e89e5

                SHA256

                1dff44ba83f27137124958f51234b01fb2a0d2a8cef8fb961dba496fbf35de53

                SHA512

                572daa6350d2d4e96f0de5c1e2f4d83e4f46a0539f2cecc82accf41f6fb180cd00a2fdd016a1cef5516175f89bc1f762584275f7e4cc70954c2adcc33035f174

                Download Submit

              • C:\Windows\Installer\e57f136.msi
                Filesize

                7.1MB

                MD5

                11b0e9c62e0dfc7e3ce1251f38dad5ae

                SHA1

                fecde9f0459ab0fe90e6897aebf3c0c0a5bcb00f

                SHA256

                191f014b1168a7e1a6440467f72d810028aa42507a26b45e653413ed3531c3cb

                SHA512

                8d143b65207ffe58935450114d99d44cc2f0ee364377880f350beb565006f0ec0ed59a02e0b7e542779897c8caac640f97f909e9ed46525def02bd233236b645

                Download Submit

              • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
                Filesize

                12.8MB

                MD5

                5f2392df8fbc81bd66b972df866c63aa

                SHA1

                324731358d5367cfbee6e44743f5aec7ce70803c

                SHA256

                e3f8b8c3cc7a637332dc9b0cbb800fd8bcf80940fff508fd74164635c5d02adf

                SHA512

                110fe8aa21e9dda1c9c7deb4771c042d26ac947ffd696217c37e3ae292e2a90eb7162edb3cc228e64a6e4f73a7602e6a741db74dcd92586a0fcf7975329bf48a

                Download Submit

              • \??\Volume{e0cbb267-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{639b8edc-0b1c-4e31-9c50-1581e771530d}_OnDiskSnapshotProp
                Filesize

                6KB

                MD5

                88b707ab2e34a1c2b54cd56869324c5a

                SHA1

                ad878b799a0620e8766f0dcdd900222b32e99d41

                SHA256

                05228e5cdae16eba6c00e090df79b4915b4911d0dde000b7ed2296fb4d3ce840

                SHA512

                bff854fcaab05a23c6c3b8802281d10766a8f5ed738a352ab96fa1f72fcf4d04c8d946be21bd27701a53e661d0ec25a424f9adb4ee1d1159208783a14cc86c69

                Download Submit

              • memory/4060-78-0x000001776AB50000-0x000001776AB51000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4060-89-0x000001776AB50000-0x000001776AB51000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4060-88-0x000001776AB50000-0x000001776AB51000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4060-87-0x000001776AB50000-0x000001776AB51000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4060-86-0x000001776AB50000-0x000001776AB51000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4060-85-0x000001776AB50000-0x000001776AB51000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4060-84-0x000001776AB50000-0x000001776AB51000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4060-90-0x000001776AB50000-0x000001776AB51000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4060-80-0x000001776AB50000-0x000001776AB51000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4060-79-0x000001776AB50000-0x000001776AB51000-memory.dmp

                Filesize

                4KB

                Download