Analysis

  • max time kernel
    240s
  • max time network
    242s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240419-en
  • resource tags

    arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    07-05-2024 00:29

General

  • Target

    http://temp.sh/mqiqs/test3.exe

Malware Config

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://temp.sh/mqiqs/test3.exe
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0x48,0x10c,0x7ffade9a3cb8,0x7ffade9a3cc8,0x7ffade9a3cd8
      2⤵
        PID:3100
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1748,7944531645963541448,673540388816981265,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1880 /prefetch:2
        2⤵
          PID:4052
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1748,7944531645963541448,673540388816981265,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4792
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1748,7944531645963541448,673540388816981265,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
          2⤵
            PID:3336
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,7944531645963541448,673540388816981265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
            2⤵
              PID:1220
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,7944531645963541448,673540388816981265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
              2⤵
                PID:3804
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,7944531645963541448,673540388816981265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
                2⤵
                  PID:2072
                • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1748,7944531645963541448,673540388816981265,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:5056
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,7944531645963541448,673540388816981265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
                  2⤵
                    PID:2140
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,7944531645963541448,673540388816981265,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
                    2⤵
                      PID:1728
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,7944531645963541448,673540388816981265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
                      2⤵
                        PID:3976
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,7944531645963541448,673540388816981265,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
                        2⤵
                          PID:3580
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1748,7944531645963541448,673540388816981265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
                          2⤵
                            PID:2444
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1748,7944531645963541448,673540388816981265,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4812 /prefetch:8
                            2⤵
                              PID:4084
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1748,7944531645963541448,673540388816981265,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8
                              2⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:1824
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1748,7944531645963541448,673540388816981265,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
                              2⤵
                              • NTFS ADS
                              • Suspicious behavior: EnumeratesProcesses
                              PID:3140
                            • C:\Users\Admin\Downloads\test3.exe
                              "C:\Users\Admin\Downloads\test3.exe"
                              2⤵
                              • Executes dropped EXE
                              • Adds Run key to start application
                              • Checks whether UAC is enabled
                              • Drops file in Program Files directory
                              • NTFS ADS
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious behavior: GetForegroundWindowSpam
                              • Suspicious use of AdjustPrivilegeToken
                              PID:72
                              • C:\Windows\SysWOW64\schtasks.exe
                                "schtasks.exe" /create /f /tn "DOS Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7762.tmp"
                                3⤵
                                • Creates scheduled task(s)
                                PID:4968
                              • C:\Windows\SysWOW64\schtasks.exe
                                "schtasks.exe" /create /f /tn "DOS Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp77C1.tmp"
                                3⤵
                                • Creates scheduled task(s)
                                PID:3000
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1748,7944531645963541448,673540388816981265,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5248 /prefetch:2
                              2⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:1728
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:3488
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:3124

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\665a6637-20ac-421b-aef8-9e06e2d2124c.tmp

                                Filesize

                                11KB

                                MD5

                                06109a15a869fb8bfebcea0d26e3a9e9

                                SHA1

                                4bd6c02356b8f9689c042818493f60b118185aea

                                SHA256

                                ae07a130db7b3aacaffa1ec563e07bb28ddbcee3efaf33aadfe4df8506f32a11

                                SHA512

                                80f56b8446be4d704cdf27b68f3853647eb7caa478e0f5722cd7793632fbfffe70bf48251b321fa9d4ec91b9e97ce7672d9ff63efc6fe2da20dcb5c810a9339f

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                Filesize

                                152B

                                MD5

                                5a85ad170d758e61ae5648c9402be224

                                SHA1

                                e6dfce354b5e9719bc4b28a24bb8241fc433e16f

                                SHA256

                                af0da8b5ad8127ae0ef7773bc9c4b145ed3fe7fbef4c48278649e1e3aa5ce617

                                SHA512

                                641414d91c993f74b6b71654522359d606c7f94ac0fcca6478d1bc33c30f4a9fdb9ce6f8e281c79a2f9b9670fda8a4ccdd80e7d64347c1f66d8c9ef024bcb09b

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                Filesize

                                152B

                                MD5

                                22cececc69be16a1c696b62b4e66f90e

                                SHA1

                                b20b7f87f8bc64c1008b06a6528fc9c9da449c2f

                                SHA256

                                d940b85bc83f69e8370a801951eb6b8bb97efbb3aa427664105db76e44707258

                                SHA512

                                2b2e548f2c8f84d321ef2afdf31128065c3593b884ca8111b05800960b5378b99c7efa6165d02fba4c11e6e4b49b14e419d89f76d55ef574f4ac2b7d6ecb3d48

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                Filesize

                                5KB

                                MD5

                                9c50ee9b0ef283a8966267606b9dcf77

                                SHA1

                                b8bdba5da2385e33296fdbb7c102c06f7ac2e08b

                                SHA256

                                3df23c0249af7b7420a33e97a479d5e54738350465686530f16bc078a23a6066

                                SHA512

                                d8f9348c66677d4152a8f0020d0b384df8d83684c7064c40a29d60444770a72c38f00b2f0e8742ddb1cbef7eb3aefa4cc642ba6eeb5b97c5a8c7fa697417f80a

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                Filesize

                                6KB

                                MD5

                                ef009217adc09b4659c969215742b46d

                                SHA1

                                fc8793c67ed6afd129e247f16de39258d17661b1

                                SHA256

                                3ea91091946ba3aba1b70552e6e6ed392f6dd6d35e56e89bbff69cc65d64eed9

                                SHA512

                                143f7f0d8b8ed1384eb3b8a7b7c14cb3638b0a1844221e00c809904eac0cbc8d88ed2daa1beeed36207f03a27d5af8bd4ef663bb69df8417ee430abff3f0ac78

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                Filesize

                                16B

                                MD5

                                6752a1d65b201c13b62ea44016eb221f

                                SHA1

                                58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                SHA256

                                0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                SHA512

                                9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                Filesize

                                11KB

                                MD5

                                823955581324a9f082bdfc5c52955d15

                                SHA1

                                b7e8775f16a5b05fbbea823532eb60191716bce4

                                SHA256

                                eb975586a73431bcd3f2966562dfdd3a87257ebcd0805a0379e8311c9a67955c

                                SHA512

                                786a8ed6b33d4366139bbd40c59c6d945df11e177a9ecbdba5482bffda37eb6b8b095d24e378ea388ad134e4b5f054447bfdde7cb19ea3511d7a9a4183d827b2

                              • C:\Users\Admin\AppData\Local\Temp\tmp7762.tmp

                                Filesize

                                1KB

                                MD5

                                7cb364043b7733ba69840f3b1217059e

                                SHA1

                                df908edd0728ffe503b7cd1102e713722c94c44e

                                SHA256

                                c2826f5cd344010894be45638f135584028f1c57962063c41734bc98712b3ceb

                                SHA512

                                e80062330c48c1637fa414fc8bd1ff47de5bae62f399e981772e5c790209db7a1f6a1abb13cf7969cc741f95cf721857ed37330dd0033ecc23e4cbcf7cc36bbd

                              • C:\Users\Admin\AppData\Local\Temp\tmp77C1.tmp

                                Filesize

                                1KB

                                MD5

                                e380299eb53398115b7125b2b75c4798

                                SHA1

                                ee59b86ea0abf4097ff94bd940521c583803b036

                                SHA256

                                edb658b6577a80126eaacdf2a566755b63d7b2438fe0bcf3aea83930036811f3

                                SHA512

                                d9e3f3b1370fe4fce4a631a5d0669cef34bfe83dec146b606eff562c7cc450639304a732104f425a7ccfdded58064f28a98434a59ed8d93b595d64d1e1a2dde1

                              • C:\Users\Admin\Downloads\Unconfirmed 549371.crdownload

                                Filesize

                                203KB

                                MD5

                                af5fdd17a785437f713bb19a25fd5f9f

                                SHA1

                                86981c75a2328cddd4eb54f0b385bc1871289129

                                SHA256

                                b7ea6c1b09b2259cd3573c393109c27419f9f364c10ac884ff3fdc0f4e8482f2

                                SHA512

                                31cf9b9c4abd6c105768c5543665f1e5e0626d62f0bfda1572fb4a4138e7a5dcf5988c66fa071bf7b82a945e007a281cbda39c7aa19a15419e9065ddabd23c11

                              • C:\Users\Admin\Downloads\test3.exe:Zone.Identifier

                                Filesize

                                26B

                                MD5

                                fbccf14d504b7b2dbcb5a5bda75bd93b

                                SHA1

                                d59fc84cdd5217c6cf74785703655f78da6b582b

                                SHA256

                                eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

                                SHA512

                                aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

                              • \??\pipe\LOCAL\crashpad_3044_KVLZSVHCVMSQQNAF

                                MD5

                                d41d8cd98f00b204e9800998ecf8427e

                                SHA1

                                da39a3ee5e6b4b0d3255bfef95601890afd80709

                                SHA256

                                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                SHA512

                                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e