Analysis

  • max time kernel
    203s
  • max time network
    203s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240419-en
  • resource tags

    arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    07-05-2024 00:25

General

  • Target

    http://temp.sh/VxgsU/test.exe

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://temp.sh/VxgsU/test.exe
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:952
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff95eb93cb8,0x7ff95eb93cc8,0x7ff95eb93cd8
      2⤵
        PID:3508
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,13578484731922196149,13546208939635937492,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
        2⤵
          PID:4588
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,13578484731922196149,13546208939635937492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2096
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,13578484731922196149,13546208939635937492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2524 /prefetch:8
          2⤵
            PID:4928
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,13578484731922196149,13546208939635937492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
            2⤵
              PID:1756
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,13578484731922196149,13546208939635937492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
              2⤵
                PID:544
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,13578484731922196149,13546208939635937492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
                2⤵
                  PID:2460
                • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,13578484731922196149,13546208939635937492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3208 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:444
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,13578484731922196149,13546208939635937492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:944
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,13578484731922196149,13546208939635937492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
                  2⤵
                    PID:4020
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,13578484731922196149,13546208939635937492,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
                    2⤵
                      PID:2556
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,13578484731922196149,13546208939635937492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
                      2⤵
                        PID:2520
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,13578484731922196149,13546208939635937492,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
                        2⤵
                          PID:4476
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,13578484731922196149,13546208939635937492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
                          2⤵
                            PID:1836
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,13578484731922196149,13546208939635937492,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6008 /prefetch:8
                            2⤵
                              PID:1824
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,13578484731922196149,13546208939635937492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5788 /prefetch:8
                              2⤵
                              • NTFS ADS
                              • Suspicious behavior: EnumeratesProcesses
                              PID:3340
                            • C:\Users\Admin\Downloads\test.exe
                              "C:\Users\Admin\Downloads\test.exe"
                              2⤵
                              • Executes dropped EXE
                              • Adds Run key to start application
                              • Checks whether UAC is enabled
                              • Drops file in Program Files directory
                              • NTFS ADS
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious behavior: GetForegroundWindowSpam
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1992
                              • C:\Windows\SysWOW64\schtasks.exe
                                "schtasks.exe" /create /f /tn "DPI Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC4B7.tmp"
                                3⤵
                                • Creates scheduled task(s)
                                PID:1544
                              • C:\Windows\SysWOW64\schtasks.exe
                                "schtasks.exe" /create /f /tn "DPI Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC506.tmp"
                                3⤵
                                • Creates scheduled task(s)
                                PID:3748
                            • C:\Users\Admin\Downloads\test.exe
                              "C:\Users\Admin\Downloads\test.exe"
                              2⤵
                              • Executes dropped EXE
                              PID:2100
                            • C:\Users\Admin\Downloads\test.exe
                              "C:\Users\Admin\Downloads\test.exe"
                              2⤵
                              • Executes dropped EXE
                              PID:5076
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,13578484731922196149,13546208939635937492,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2512 /prefetch:2
                              2⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:2964
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:4000
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:3896

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\test.exe.log

                                Filesize

                                496B

                                MD5

                                6ed125591a35af626ab11db7798153cd

                                SHA1

                                a05f6586e3cab6ce2499897e4b8ae27254c4ceed

                                SHA256

                                a4e29c5cbf8acd8b9bca612e3f6f99de4fe126286ee3d765e1192999460eb8a8

                                SHA512

                                0ab5b48ed65b15c0004189bc7232ab76d7a2a5950f71303caba7282e4896ae11a7e0257a01d31ad1a7c256e12ef04ce1ceb3ca92227e2520a10d0d7865d2d10c

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                Filesize

                                152B

                                MD5

                                ade01a8cdbbf61f66497f88012a684d1

                                SHA1

                                9ff2e8985d9a101a77c85b37c4ac9d4df2525a1f

                                SHA256

                                f49e20af78caf0d737f6dbcfc5cc32701a35eb092b3f0ab24cf339604cb049b5

                                SHA512

                                fa024bd58e63402b06503679a396b8b4b1bc67dc041d473785957f56f7d972317ec8560827c8008989d2754b90e23fc984a85ed7496f05cb4edc2d8000ae622b

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                Filesize

                                152B

                                MD5

                                d0f84c55517d34a91f12cccf1d3af583

                                SHA1

                                52bd01e6ab1037d31106f8bf6e2552617c201cea

                                SHA256

                                9a24c67c3ec89f5cf8810eba1fdefc7775044c71ed78a8eb51c8d2225ad1bc4c

                                SHA512

                                94764fe7f6d8c182beec398fa8c3a1948d706ab63121b8c9f933eef50172c506a1fd015172b7b6bac898ecbfd33e00a4a0758b1c8f2f4534794c39f076cd6171

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                Filesize

                                5KB

                                MD5

                                80220f025810276136e8524d3863ab24

                                SHA1

                                53aba0c869beb0e272aa6998704ba1148f24f6c2

                                SHA256

                                d8087275b674a478487a0052fa1f6a1f84f590bd99868495926007930f5a7ccc

                                SHA512

                                2ea60d03d439f29cf6e56a761c8b2f3ae085f811ffb488045e5e44908b14f3436ecfbb15d111d10201264cf7ca4e6936eb8429ad98ca88a4645fa2841218c2f6

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                Filesize

                                6KB

                                MD5

                                9dbe50bbd92f77fc31ba25dfb2f16160

                                SHA1

                                ec1cde27fa803c2c882175565e28970e0ec81c78

                                SHA256

                                a305b624c26ef8e1893430a5b7e339c64b72d5b23abc792cf4de01b188d26a7e

                                SHA512

                                f2bf23db2ccd59e705f3b925d380232d57a06bda7817f90226218ab68dfbd8ef9d547a58033d85a8f006137b017d61ae9985eee01766706fd18cc9b1b6922300

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                Filesize

                                16B

                                MD5

                                46295cac801e5d4857d09837238a6394

                                SHA1

                                44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                SHA256

                                0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                SHA512

                                8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                Filesize

                                16B

                                MD5

                                206702161f94c5cd39fadd03f4014d98

                                SHA1

                                bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                SHA256

                                1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                SHA512

                                0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                Filesize

                                11KB

                                MD5

                                4e1f2a172dcb87d504685c9fce67fefa

                                SHA1

                                f24a8b98986573172260b45003074c491e622e0f

                                SHA256

                                dd5d30e370db12871d113aef2c2d3ad700cc1e4c2fc0a10bc5aa3f20e2c0c362

                                SHA512

                                814bdbd0b81c5651cae3a4675b3ff13b7fa564251efb57d0f28af1452311b5bf7ef45ed26db377962be62abc342e8a571c3bf101292518634ea31d957640c31c

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                Filesize

                                11KB

                                MD5

                                37a728344910a5dc56d03070ec02483b

                                SHA1

                                e7d3ec5481bd7ef93570fbf26c295affb5310e2d

                                SHA256

                                6cea95dcfa6b6bb396dc53ee58f4d69b71dba8367a48dafe24ef88e76f2d4ef9

                                SHA512

                                6d4a370cd1a602762a1e3031583520d7a69d16c3f0ba874db3be361fe9e58e052fa137b3a694ee861586b9399aa75e2c67ec76e2507f02f505c2b9e518d4f1ab

                              • C:\Users\Admin\AppData\Local\Temp\tmpC4B7.tmp

                                Filesize

                                1KB

                                MD5

                                f21646e4dabfac1ce7f0f28c38337efd

                                SHA1

                                684cec400948cbb8894e89e2a87eb8c1de4bc5ae

                                SHA256

                                989fb9c40eddeeceba07516afd449164dec5b10e88de29670a9feab7217f502c

                                SHA512

                                a7f9649412c6583e3ef40793a7d0a2fa41e95a9a492e9998a0f61941e80ed1a22b513b57e92840252443615492036adb29ea05da0e7005dfe309faacc738fd8a

                              • C:\Users\Admin\AppData\Local\Temp\tmpC506.tmp

                                Filesize

                                1KB

                                MD5

                                acd483df2f8ed28b2ad2bbcfe774f43f

                                SHA1

                                e89d74ed4ba3824e652e1f4267bb8b60e3b50581

                                SHA256

                                3ee6ae0dca5c4564f13e70f2a70ecbe979c9d9d575cd9762f15039aaa3823a86

                                SHA512

                                59a9003c18f714c1ab14238bf2891b602ae3d8de49785a72e629648240176b29aabc741d7bdd244f06d5fe1a52c905b6288a0fe401f49df342200749a7de2092

                              • C:\Users\Admin\Downloads\Unconfirmed 787649.crdownload

                                Filesize

                                203KB

                                MD5

                                d81c787b59f17d1dc750513b108dde09

                                SHA1

                                79b952d43937588095f19b9e009516c324afd4d4

                                SHA256

                                3f73cfff83369f8696a451ce2c03a2eed2696a3cdca321dd03c34c70d21fec49

                                SHA512

                                3c317bb71700903e851c6b4d0b944a5d945cb3dfec45fe03b6e7cc2cb6cce87f61fe44df1c89f0b3c97e5b39d9a15138c2c969ca64bab042d58b3d396d2dbd65

                              • C:\Users\Admin\Downloads\test.exe:Zone.Identifier

                                Filesize

                                110B

                                MD5

                                7bd87cce71afb9bb0029ead150e4ff48

                                SHA1

                                dc36f04b6b04aab714a7db48c8512a988676018a

                                SHA256

                                f6d7a30ec64ce32a921acf7b8ee55935553f43f11edc520dbb63a8c3a57f93c7

                                SHA512

                                f701ef9daee4a7617204c5c28fa36d4dd3fbc6e304c7fdd0d4189ad62088eb3fb88a513390e68a5e91a276f8dfe1a47a32b3a00aded494205528a9701ff14e54

                              • \??\pipe\LOCAL\crashpad_952_CCCOHVGPTMBXGURY

                                MD5

                                d41d8cd98f00b204e9800998ecf8427e

                                SHA1

                                da39a3ee5e6b4b0d3255bfef95601890afd80709

                                SHA256

                                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                SHA512

                                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e