Analysis

  • max time kernel
    152s
  • max time network
    167s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240419-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    07-05-2024 00:34

General

  • Target

    http://temp.sh/kjfco/test5.exe

Signatures

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Executes dropped EXE (1 IoC)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • Drops file in Program Files directory (4 IoCs)
  • Creates scheduled task(s) (1 TTP, 2 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • NTFS ADS (4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (22 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of FindShellTrayWindow (35 IoCs)
  • Suspicious use of SendNotifyMessage (12 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://temp.sh/kjfco/test5.exe
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2988
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe6e853cb8,0x7ffe6e853cc8,0x7ffe6e853cd8
      2⤵
        PID:692
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1820,2426221369896500895,9180446409506669679,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
        2⤵
          PID:2444
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1820,2426221369896500895,9180446409506669679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2004
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1820,2426221369896500895,9180446409506669679,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
          2⤵
            PID:1932
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,2426221369896500895,9180446409506669679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
            2⤵
              PID:5080
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,2426221369896500895,9180446409506669679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
              2⤵
                PID:572
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,2426221369896500895,9180446409506669679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
                2⤵
                  PID:960
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,2426221369896500895,9180446409506669679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
                  2⤵
                    PID:4032
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,2426221369896500895,9180446409506669679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:1
                    2⤵
                      PID:3832
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,2426221369896500895,9180446409506669679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
                      2⤵
                        PID:2932
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1820,2426221369896500895,9180446409506669679,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5704 /prefetch:8
                        2⤵
                          PID:4932
                        • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1820,2426221369896500895,9180446409506669679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:1312
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,2426221369896500895,9180446409506669679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4416 /prefetch:1
                          2⤵
                            PID:3028
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,2426221369896500895,9180446409506669679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
                            2⤵
                              PID:3536
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1820,2426221369896500895,9180446409506669679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
                              2⤵
                              • NTFS ADS
                              • Suspicious behavior: EnumeratesProcesses
                              PID:4112
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1820,2426221369896500895,9180446409506669679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 /prefetch:8
                              2⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:1540
                            • C:\Users\Admin\Downloads\test5.exe
                              "C:\Users\Admin\Downloads\test5.exe"
                              2⤵
                              • Executes dropped EXE
                              • Adds Run key to start application
                              • Checks whether UAC is enabled
                              • Drops file in Program Files directory
                              • NTFS ADS
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious behavior: GetForegroundWindowSpam
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3900
                              • C:\Windows\SysWOW64\schtasks.exe
                                "schtasks.exe" /create /f /tn "WAN Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7E67.tmp"
                                3⤵
                                • Creates scheduled task(s)
                                PID:3548
                              • C:\Windows\SysWOW64\schtasks.exe
                                "schtasks.exe" /create /f /tn "WAN Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7ED6.tmp"
                                3⤵
                                • Creates scheduled task(s)
                                PID:960
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1820,2426221369896500895,9180446409506669679,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6560 /prefetch:2
                              2⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:2852
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:3236
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:4108
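The persistence chain visible in the process tree above (test5.exe, running from the user's Downloads folder, calling schtasks.exe /create /f with task definitions "WAN Monitor" and "WAN Monitor Task" supplied as .tmp files in %TEMP%) is the pattern the "Creates scheduled task(s)" signature describes. The following is an added detection example, not code from the sandbox or from this report: it runs over constructed process-creation events modelled on the command lines shown here. The ProcEvent field names, the benign control event, and the parent lookup by PID are assumptions of the example, not a vendor's event schema.

```python
"""Flag schtasks-based persistence in process-creation telemetry.

Added example, not part of the sandbox report. The events below are
CONSTRUCTED to mirror the process tree in this report: test5.exe (PID 3900),
running from the user's Downloads folder, spawns schtasks.exe twice with
/create /f and an /xml task definition written to %TEMP% as a .tmp file.
The ProcEvent schema (pid, ppid, image, cmdline) is an assumed normalised
form, not any vendor's native event format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # raw command line as logged


# Constructed sample based on the command lines in the report above.
# ppid 0 marks a process whose parent is not part of the sample.
EVENTS = [
    ProcEvent(2988, 0, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://temp.sh/kjfco/test5.exe'),
    ProcEvent(3900, 2988, r"C:\Users\Admin\Downloads\test5.exe",
              r'"C:\Users\Admin\Downloads\test5.exe"'),
    ProcEvent(3548, 3900, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"schtasks.exe" /create /f /tn "WAN Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7E67.tmp"'),
    ProcEvent(960, 3900, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"schtasks.exe" /create /f /tn "WAN Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7ED6.tmp"'),
    # Constructed benign control: a task registered by an administrator, with
    # its XML kept under ProgramData rather than the user's temp directory.
    ProcEvent(4400, 0, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn "Backup Nightly" /xml "C:\ProgramData\Backup\nightly.xml"'),
]

# Task XML supplied from the user's temp directory (any file name, not only .tmp).
TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+$", re.IGNORECASE)
# Parent binary running from a location a standard user can write to.
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\(Downloads|Desktop|AppData)\\", re.IGNORECASE)

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line, honouring double quotes and keeping backslashes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_schtasks(cmdline: str) -> dict[str, str | bool]:
    """Map schtasks switches (lower-cased, without the slash) to their value, or True for bare flags."""
    tokens = tokenize(cmdline)
    switches: dict[str, str | bool] = {}
    i = 1  # tokens[0] is the executable itself
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is not None and not nxt.startswith("/"):
                switches[key] = nxt   # switch takes the following token as its value
                i += 1
            else:
                switches[key] = True  # bare flag such as /create or /f
        i += 1
    return switches


def detect_schtasks_persistence(events: list[ProcEvent]) -> list[dict]:
    """Return one finding per schtasks /create whose task XML or parent process is suspicious."""
    by_pid = {e.pid: e for e in events}
    findings: list[dict] = []
    for ev in events:
        if ev.image.rsplit("\\", 1)[-1].lower() != "schtasks.exe":
            continue
        sw = parse_schtasks(ev.cmdline)
        if "create" not in sw:
            continue
        reasons: list[str] = []
        xml = sw.get("xml")
        if isinstance(xml, str) and TEMP_PATH.search(xml):
            reasons.append("xml_in_temp")
        parent = by_pid.get(ev.ppid)
        if parent is not None and USER_WRITABLE.match(parent.image):
            reasons.append("parent_in_user_writable_path")
        if not reasons:
            continue  # an ordinary task registration, nothing to report
        if sw.get("f") is True:
            reasons.append("force_overwrite")  # /f silently replaces an existing task of the same name
        findings.append({
            "pid": ev.pid,
            "task_name": sw.get("tn"),
            "xml_path": xml,
            "parent_image": parent.image if parent else None,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_schtasks_persistence(EVENTS):
        print(finding)
```

Run against the constructed sample, both schtasks invocations from PID 3900 are reported with all three reasons, while the control registration from ProgramData is not. In a real deployment the same logic would be fed from Sysmon event 1 or Windows Security event 4688 (which carries the parent process name); the XML file itself is worth collecting before the dropper deletes it, since it names the binary the task launches.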

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize 152B
    MD5    b5710c39b3d1cd6dd0e5d30fbe1146d6
    SHA1   bf018f8a3e87605bfeca89d5a71776bfc8de0b47
    SHA256 770d04df1484883a18accb258ecfa407d328c32c0ccbd8866c1203c5dfb4981f
    SHA512 0f868e4ce284984662d8f0ff6e76f1a53e074a7223122a75efa7bb90d0204bc59bee4b36c215d219a03707c642e13f5efce0c3c57f46659a0cb1e7fd2f4d3cf1

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize 152B
    MD5    8d5e555f6429eb64461265a024abf016
    SHA1   05a5dca6408d473d82fe45ebc8e4843653ad55af
    SHA256 0344fd65882ba51695a10e1312e65f08d58afca83771c9d545e181829d6b5ed1
    SHA512 be5edfdcda1ba0db9fbab48ee1b643f1b03821e24048892d18033094fec14171035179e987a08dd91a1c25d91d9256837a4105f6765afd225a868f3e95050b8f

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize 5KB
    MD5    da3f2094d96c0974d4d6df9afb7a57e9
    SHA1   639b3f8ddb0d4f0eab95983678873bac3b1fc5b0
    SHA256 e210c6da3f14d6af8fe244d60aaca915559c3c1d6a637ad615a3f473bf254ce3
    SHA512 0311460cd38f833b74c5746c36de42f7d595489feac4abf49c1b235b308b63a4387bb793885624b3d25996799dbce4428ea32fa7ff83fc1dea0a7cb8a044f69e

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize 6KB
    MD5    8338b698f996e222141ccb5c00d5dbdd
    SHA1   b2c1c33f6ac37e725071738684c545d2a9d82d58
    SHA256 d4c2637f192ed572805cfceb0cd7426a6e52320d8cf4e741b1afa713c37a06ca
    SHA512 bd73049014659f0183f88425a9efce6649571d3beeafcc52d2211a93425e4d29a396ef6ba53ec49bbf9bafcc5bd3d64b22324100f23427a3e8a9fd840ab282a9

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize 16B
    MD5    6752a1d65b201c13b62ea44016eb221f
    SHA1   58ecf154d01a62233ed7fb494ace3c3d4ffce08b
    SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
    SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize 11KB
    MD5    03a76c1cb78a628b8fa7d5309564ef99
    SHA1   1a539b32665a09172e13d001112d2ef380c0fd0c
    SHA256 ac5836193048c1016070bf99e83e60cffca6d79fa31ea8ce86def5d2c1240d1e
    SHA512 891a17d700556098d3f5c94cb7f3cdbb29a1d21f69117322504ed46b911d8dbcbb8f4fd7ce8ae0f4c3b3fa57bee937d6b936ab4ae92ee3ccaee9720d1c3c3c05

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize 11KB
    MD5    719104bfd224a17047d844735b1baa56
    SHA1   b6bca9460ed326a4952d48acc1fb9a470418c52e
    SHA256 8d09ecdc94da079ad95797165fad514890b2b07ae7c0a9b593a2b4217ed17d3c
    SHA512 b8d51efba6ef0c2826c59e5707339dff1ac23dce05835dff575703ed8cab8b023cdb72d63644cae17fd8625bf3a48e0fce1ea1c8c591834a6f3b62ae887645d7

  • C:\Users\Admin\AppData\Local\Temp\tmp7E67.tmp
    Filesize 1KB
    MD5    9ff878a081307963766a325090bff284
    SHA1   a25ae86bdb373ee3a5cfd220e8c02601b732f206
    SHA256 399ab32ba61cc33418e8a39110c036255ec9fdc21c005c82c6c588c6bf2e4be3
    SHA512 6f6ca43adc524494d278744959361c55c3163bb3107f11d30a773fe519d20729cac1b1f4acd45356cbc598cef79b2bf2e33f1d06bcdfb4450c771ac6c76f7885

  • C:\Users\Admin\AppData\Local\Temp\tmp7ED6.tmp
    Filesize 1KB
    MD5    3461ac1fc77ae695ae7352b82fd675f6
    SHA1   20e3be402700f1a8f2d3a6b5044fb0c06f5cbce8
    SHA256 7bc3d3da76fda38b23fb2c0db8fda613c8cd1bfbbab32793a91c7c1487d75245
    SHA512 9adbba245769bab387642ce7de86c4e1500a4d995a09999deeb9296451c238b5fdca9860dbab92961f10dc11e99df3345919b1ee42c36bf9d07813e2ccc72027

  • C:\Users\Admin\Downloads\Unconfirmed 372337.crdownload
    Filesize 210KB
    MD5    e7191e9871a050831068e4605ecfcce6
    SHA1   7ce43eec1646f28c4c5bd32c9d261378f8447e34
    SHA256 72be7e72f7143af9e0f61d9830ab38116f24f29effdac706e77a8e49605aba61
    SHA512 a8717395d750d51ad46c180137a7ed0d1968f8e42db86b40921cc95e8ba463235d0aed1cac5c50b4bd8ebadbc3719be4eced84660b6e5eb4f9842291aae9ba34

  • C:\Users\Admin\Downloads\test5.exe:Zone.Identifier
    Filesize 112B
    MD5    d5ce88cdf5444e256ee794cb27b64e21
    SHA1   a5434c67d6a26b248df20fef8fec7dc622b18934
    SHA256 1d4e176c23a4486789e0174c155067ff25c165966e4650a24d383a8c6b209a9c
    SHA512 b7a42970dc8cda16c59dc62c2904e6776b199e55d647ea5adc7ade533ea68a1c2f3c2c31bcc39a2dae85eeb41bcd6956df68fd656cd02a571b46077b4e11031a

  • \??\pipe\LOCAL\crashpad_2988_SFRQXEPUHMGNTEYK
    MD5    d41d8cd98f00b204e9800998ecf8427e
    SHA1   da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e