Analysis
-
max time kernel
50s -
max time network
51s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
03/08/2024, 04:54
General
-
Target
https://github.com/Pojoiis/NovaCheat
Malware Config
Signatures
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of FindShellTrayWindow 33 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 18 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Pojoiis/NovaCheat1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffabcee46f8,0x7ffabcee4708,0x7ffabcee47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,4332946557177412973,5610406621516781262,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,4332946557177412973,5610406621516781262,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,4332946557177412973,5610406621516781262,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4332946557177412973,5610406621516781262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4332946557177412973,5610406621516781262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,4332946557177412973,5610406621516781262,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,4332946557177412973,5610406621516781262,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4332946557177412973,5610406621516781262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4332946557177412973,5610406621516781262,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4332946557177412973,5610406621516781262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4332946557177412973,5610406621516781262,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,4332946557177412973,5610406621516781262,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5372 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4332946557177412973,5610406621516781262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,4332946557177412973,5610406621516781262,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5916 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\NovaCheat-main\NovaCheat-main\README.md2⤵
-
-
C:\Users\Admin\Downloads\NovaCheat-main\NovaCheat-main\Cat.WTF by encorscheets\Cat.WTF_Nova.exe"C:\Users\Admin\Downloads\NovaCheat-main\NovaCheat-main\Cat.WTF by encorscheets\Cat.WTF_Nova.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Downloads\NovaCheat-main\NovaCheat-main\Cat.WTF by encorscheets\Cat.WTF_Nova.exe" MD5 | find /i /v "md5" | find /i /v "certutil"2⤵
-
C:\Windows\system32\certutil.execertutil -hashfile "C:\Users\Admin\Downloads\NovaCheat-main\NovaCheat-main\Cat.WTF by encorscheets\Cat.WTF_Nova.exe" MD53⤵
-
-
C:\Windows\system32\find.exefind /i /v "md5"3⤵
-
-
C:\Windows\system32\find.exefind /i /v "certutil"3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5d7114a6cd851f9bf56cf771c37d664a2
SHA1769c5d04fd83e583f15ab1ef659de8f883ecab8a
SHA256d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e
SHA51233bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8
-
Filesize
152B
MD5719923124ee00fb57378e0ebcbe894f7
SHA1cc356a7d27b8b27dc33f21bd4990f286ee13a9f9
SHA256aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808
SHA512a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc
-
Filesize
2KB
MD59c0e149d81f80f6c8bc35e2d1d5ebfb6
SHA1ca1661cc22e8b0b49f441b0fb7a8741c36ca3052
SHA2563d2b2d530cb4a02afac9d21d265f54b6e7029626df5950f64de4c053f55b905f
SHA512f755143679b19e22adccb57c3be1a21bd7daa5a2390a23c19c6bf4b730bcbfd717a3c343916dfe0e3f0e922b856672abcdc9c3b81a4690e3afd2a2e2a9fb8f68
-
Filesize
6KB
MD5750e5b7c6f9da948b3e7bca1986e8289
SHA13caedd19328102ce6186993b5be4966757a1aeba
SHA2567fdd07d7ab6afbf5a300c18dc7fddceaac0f75897be860fa3fd94356f6532bed
SHA51256c2a233d62f6b49643e8d536441e710bae54a0daee0c971dfef52231b957a7aa2b8dbbc6dd600b5cdbecf895ee192ffb35ff270f47d62d948d957a03a5a175e
-
Filesize
6KB
MD5e711a644394aeaa7436c40b4271ad13c
SHA13c09b3709ad2b76b8a9078b9f8606d5a9dd5e183
SHA25634036f723ac49127ce86a835612cba75627bfeb334e63cf77241b29cdeb65590
SHA512c8329fd48ba70f388dd8e56adc0a984624509092b49fd75613f1f9d7b6fdc00d56f88d197af7b459ae38da77cbb550c570421150d6949f44507f903478ad5ac5
-
Filesize
1KB
MD55de5ccd06ee7e55a1a3abb1e2a9ad087
SHA1dd0a9420ff0e74a41ad1d21971a58edae6d6fd78
SHA256ffa0f512dd0f0a8b15b19c344908145bda49837dcf8344bd618e6ac17de5ea56
SHA512aef4904fcbfc1efdd73cca1df3ef8476c98fea5a7b6488daf3adef23793551528b5fff63ec1e8c27f96040030bf842e20f72c2b85fee08bb3f4ba91ca6e5842a
-
Filesize
874B
MD548e896e7f455d3392883030cb3b14cb0
SHA117816013b94835c1d9c7bb2fcda349dd54048cb5
SHA2569bb586817fb7c5c5de187e1e6be38a4efa84d875873d72aa4b1ad82009c79546
SHA5120fa4ed826fc8b5b877dc2596e41e1faa07a9aebad2975c77e2a97cb9676d0cd18a910615f432b0928692b2113c1548e9ef6264076f772b3c2b9da53ab590c034
-
Filesize
6KB
MD5a0a9deec15a653d6bea9dc364908fbf3
SHA17069cb4b7d2725ac4099119252c5b55f33b49162
SHA256b77c4aee5fc6b31002b191bf8047d19c66b7e0d1ccedeb2d1c4f18455ac77fac
SHA512fdac7af6b2600e583a9477268a0c55009480abc43c9b6cd92aeea0c193d60ff61059b0d1298b8b3382bd1dcf2ca9605612aae52b690790b2adfb458edee9ef00
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD56e1a9e18952c16542f228654198d4d1a
SHA194649a3605c8af86e6e1d2fb25172bbfa9dd8bea
SHA256fbe8b5e0962e88d67a4c8abd1cebca270948bfb446e251e9eda88c22afafe524
SHA512a0b740238738ee0c7bb15cd3ec5e38f44bf8a97539f68273e82963523a446edb954378e014c3be7ad4ad7c5f3219c39bd8c76482102b20a16add28a3435da5e3
-
Filesize
10KB
MD574ce2d7acc9ac552fc9d404d3eba63b0
SHA16ccae6dff099ef1b6b7229bd77816a0b2ff46f7d
SHA2566806fb2683432eeed4a600b27e649f1fa430850dfeee08eb6ac3d31c7f4bf9bf
SHA51292264f2f32158fc4e7ae5b75b1ab37653031c1d5394e1639ecf0ee709701b5af934711a5b71db327105cbdccf42a6be374a9ca6e518802c2925459ae932f3994
-
Filesize
276KB
MD57406ebbe6d0cbe26eaa457a51db1f33e
SHA1673bedf85e6535eef8691259eb581510e52d7934
SHA256da346df1aa500a8df516891c32a9fc5578d596e34fa412cec3eaad8eab89a149
SHA512e729d46a3de7ffe2b88855cae5451bd3795f92600e6301ddf8173ca42953d0c50bae7cb3dab049d304cf6bec0da7faa2c1584f3d87e1d34786dc0e142df1ff56