9c8f9348a7104a6477335a4115c0a1fcb881540c3b66b3cc13991f38bd73a70c

Analysis

max time kernel
64s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01/03/2025, 22:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NovalUPDATED/Noval/NovalClient.exe
Size

89KB
MD5

193cf6ebb53410e9d283c7fa249cbc27
SHA1

de4ce04aaf927f35df0c049c0c7c759aa89de8ea
SHA256

efa4393fd460946721a1cfe9e6d65b29248836af9e1eeabef2d3a90fd02f3368
SHA512

4a775b43e7a8ba5c6642ccbcf34f68ce1456e8f50e2c8a8e812f825bc6822e70735b4de895f6bdd4ab06bd6b78c797560521f0e7b4551337e1042e8d402bc7ea
SSDEEP

1536:n7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfpwYOU:77DhdC6kzWypvaQ0FxyNTBfpF

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NovalClient.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2936	2792	NovalClient.exe	31
PID 2792 wrote to memory of 2936	2792	NovalClient.exe	31
PID 2792 wrote to memory of 2936	2792	NovalClient.exe	31
PID 2792 wrote to memory of 2936	2792	NovalClient.exe	31

C:\Users\Admin\AppData\Local\Temp\NovalUPDATED\Noval\NovalClient.exe
"C:\Users\Admin\AppData\Local\Temp\NovalUPDATED\Noval\NovalClient.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\645E.tmp\645F.tmp\6460.bat C:\Users\Admin\AppData\Local\Temp\NovalUPDATED\Noval\NovalClient.exe"
  2⤵
  PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\645E.tmp\645F.tmp\6460.bat

Filesize
22B

MD5
deafc0c01bad3e97f1edbd3d1e1b1872

SHA1
3fd54162bc00f745dfbd033d5830dd1a8a8ab662

SHA256
2a7024692b56de7f7b1b3b6588704e033e1b9eefc79d75730ebc87142fc67e63

SHA512
8c14349e6a18fa6b59a0aedc96f8008f89c3ec93552af196ed78db2d9e66e18108a15704777fdb32cdcad33f4194b65c297d6988014b8aad0b3775a49182c782

Download Submit