Overview

overview

4

Static

static

1

NovaCleaner (2).bat

windows10-1703-x64

4

Resubmissions

16-09-2024 21:36

240916-1gdjds1cpm 4

16-09-2024 16:35

240916-t3mkvsyakq 10

Analysis

  • max time kernel
    88s
  • max time network
    90s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    16-09-2024 21:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NovaCleaner (2).bat

  • Size

    255KB

  • MD5

    8bca51ba24f374227fa533dd8a8601b0

  • SHA1

    3dc731c21b55da7a382050ee0cb84a042dfb734f

  • SHA256

    9d1eef45a93d66894f60a7f3614e2274e300c734db2ce31315783f1b4da36bb4

  • SHA512

    deff501edafede1765725fa95a286ff71602ba10507e49171a2fe184f1ea872d10e911aabd8690363d3f99bc3385bebc9dfbefbf8a889bdcb505bc37e50b1138

  • SSDEEP

    1536:ANoZxBOz2oQfgCWfr3bwUWgn8q01L5LvLpLjL5sff4oH9sffzs:NfgCW4UWgnh4oH9qzs

Score
4/10
execution

Malware Config

Signatures

  • Drops file in Windows directory 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Suspicious behavior: AddClipboardFormatListener 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NovaCleaner (2).bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3620
    • C:\Windows\system32\chcp.com
      chcp 65001
      2⤵
        PID:2840
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -NoProfile -Command "& {
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2268
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4536
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Are.docx" /o ""
      1⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:3616
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Are.docx" /o ""
      1⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2980

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
      Filesize

      471B

      MD5

      c5ae9f54c69f9746498f9a30aadf6d0f

      SHA1

      fd076d7133bce1925d86039f32abf2ff8dac3d94

      SHA256

      19a14eb8d7c9b00e80577a7199763fcea0e2feddcdb0b19def90bf631c7cba9d

      SHA512

      3904209e4cae0f35795f076daaaeec12ce46200f99e9216340b7f6b636b809e0dd451101263f0a534bd3e42ec79fc1ee85f2fcd7562d05cbd1df9ea6c5300af8

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
      Filesize

      420B

      MD5

      7fc5fc98f1dcea56c7b4955337dbbde6

      SHA1

      6137e0661112e00cb48ed4d6636ffd5c0ccb1ba6

      SHA256

      2171586828cbefbae9baebbd9e4e1741a487f47a2a7cc638a17c89f8c36a4f45

      SHA512

      2e5ce16f75fe1d7c42b05d584c67893d6b7ae14e3e0719bfb2cbf0ae5cbb742059cadec7f758d65d3511a9cd59826a40eef186aa4cfbe442caf993528a11068b

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json
      Filesize

      21B

      MD5

      f1b59332b953b3c99b3c95a44249c0d2

      SHA1

      1b16a2ca32bf8481e18ff8b7365229b598908991

      SHA256

      138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

      SHA512

      3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json
      Filesize

      417B

      MD5

      c56ff60fbd601e84edd5a0ff1010d584

      SHA1

      342abb130dabeacde1d8ced806d67a3aef00a749

      SHA256

      200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

      SHA512

      acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json
      Filesize

      87B

      MD5

      e4e83f8123e9740b8aa3c3dfa77c1c04

      SHA1

      5281eae96efde7b0e16a1d977f005f0d3bd7aad0

      SHA256

      6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

      SHA512

      bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json
      Filesize

      14B

      MD5

      6ca4960355e4951c72aa5f6364e459d5

      SHA1

      2fd90b4ec32804dff7a41b6e63c8b0a40b592113

      SHA256

      88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

      SHA512

      8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\DC3929CF-D067-4CB0-A58E-9B69EA594DF8
      Filesize

      171KB

      MD5

      a01563efb3d881c62fa29f6b9b488c75

      SHA1

      8dfb64190702099710fb759e8818171326d4fcb0

      SHA256

      899771c716889c04d41f8ad8921f6777df1e3276d7acb8a3ec473c0d01e44f27

      SHA512

      4f2e904c66e69effe70c4dcae8b85fe1aede49d50712672354837f3e52072ca62430ef8dd746bf33dc5200ffcd23a2811c0b8573b26ae90293293a48ac6815aa

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog
      Filesize

      21KB

      MD5

      36edb2d4841f813d71b4d7674b26e5c3

      SHA1

      127602e52ff9af29d7c654f23687beb58cde166d

      SHA256

      51f3b1869ddd6b95394ea88de8fcc4bda56d463755a0a745d858b3b64c9e8e76

      SHA512

      b7398db681ce974b22a302406b8d8b76a3c7a118f7bb2674c523e621d1b39dd61804049649050a177c13b44fd10b6911178cd25a47823a02e1c7b093578680ce

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db
      Filesize

      24KB

      MD5

      b00f3f56c104c94e03cd2ad8452c14e7

      SHA1

      51b78e45015e0d9d62fbdf31b75a22535a107204

      SHA256

      ba2b669020334ff01a85bfc900ea4371ea557bd315f154875d9bdfdc16ae8b50

      SHA512

      93e1609be5bbb414c285f37432ce93294c3d1583ef46c7c6c570c122f0b166c34b0ad87de708005c8af97dee27923ba53395a34c2563cdadf3c0a708848b3525

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\74a0ad00a184813f0b8867eb2f8dfef7227a18a4.tbres
      Filesize

      2KB

      MD5

      a5e6bd2736c05daaa6da8bf273c4c074

      SHA1

      3704df4f0be213d0e18f559b370abe20d7ff9d43

      SHA256

      1c0bced5ab2e3dd8939840d7b5258f7e4f0b73974a0c89eced9bfdadf1a4a859

      SHA512

      62394a6442aa87747d79b4f8d921970bdad8900bf4b55b0832b66c27b5e0b76921aaf7a630088f64a2861973f52b3ae865f21e4bcbf126015c6a8af7a9f85dcb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cti1y1i0.xot.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\Are.docx (2).LNK
      Filesize

      1KB

      MD5

      c041878515864e319c73367c4c89206d

      SHA1

      6c1b633776fe2d8ddf7a9663723895cf0b4cf1f6

      SHA256

      e96c3fe2aa6701f61f5912742845d48b1ee1c00ca5311eacc0710b95b472b5a5

      SHA512

      874c2e16c988bbd7458a38ff8d9aab741ecfe9c8cdadba34f8c4a30fafe7a612dd1ab6f1639daaf204a89ebe0dd01b722ae88b4a2c19542fcd7667e9f91ae270

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
      Filesize

      242B

      MD5

      70f05cbb6526ced53019a618b457ec18

      SHA1

      6bfd533a311046bf2377bb9a58152a74dde51ffc

      SHA256

      b6d401e0802177a17c880c4aad4068fefdc90b140e1f10b94d0ca7961c851773

      SHA512

      8c0300e5b18465a40ddfd18a7a959056905970c0614a9f3c5d6c66932ed16947a5843c331e0a8fc64b0e58cc6bf18cf3d92444645197d5c543315eaf746d0017

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
      Filesize

      222B

      MD5

      d7b64993f7dedb792ef00f99ab4fb3d5

      SHA1

      2ad6efb43fe5e6de69b6e4313833ad8b799b3bd4

      SHA256

      e71bb4c4d5d9969a3a958ff9dbd3f878830e1984706637a0a51d63f2e208667c

      SHA512

      28c666bf91f8caad1f63ea997e608c053f1bc223683953a1240fe417e04e5304e3d1768d83d0ecf873034c87f881d87a2d87272ba5324a9613523e1dda86151e

      Download Submit

    • memory/2268-35-0x00007FF872340000-0x00007FF872D2C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2268-5-0x000002236B2E0000-0x000002236B302000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2268-8-0x00007FF872340000-0x00007FF872D2C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2268-9-0x000002236B490000-0x000002236B506000-memory.dmp

      Filesize

      472KB

      Download

    • memory/2268-0-0x00007FF872343000-0x00007FF872344000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2268-10-0x00007FF872340000-0x00007FF872D2C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2268-31-0x00007FF872340000-0x00007FF872D2C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/3616-299-0x00007FF83E930000-0x00007FF83E940000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3616-43-0x00007FF83E930000-0x00007FF83E940000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3616-42-0x00007FF83E930000-0x00007FF83E940000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3616-41-0x00007FF83E930000-0x00007FF83E940000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3616-44-0x00007FF83E930000-0x00007FF83E940000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3616-47-0x00007FF83AE90000-0x00007FF83AEA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3616-48-0x00007FF83AE90000-0x00007FF83AEA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3616-296-0x00007FF83E930000-0x00007FF83E940000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3616-297-0x00007FF83E930000-0x00007FF83E940000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3616-298-0x00007FF83E930000-0x00007FF83E940000-memory.dmp

      Filesize

      64KB

      Download