Analysis
-
max time kernel
131s -
max time network
134s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241211-en -
resource tags
-
submitted
17-12-2024 17:15
General
-
Target
Redtiger.exe
-
Size
392KB
-
MD5
038a96760c75c7d244b0da2bf6505f41
-
SHA1
e152655cedb9cc5a1128f47c005ed657e45d61f6
-
SHA256
87f1f59eb643561a0cce0b6e5be3851281cf680cbc5468c46e30efee15ef7e2d
-
SHA512
2fe291ab8f9c805192624ec4d7ed1a1b28398628795ab6395e3977cf224b1cdca2309b455aac13d3181038550bca9a52f6e864a3cd2c25ae016df18120acfaf4
-
SSDEEP
6144:rLV6Bta6dtJmakIM5KN+Qw1iry+ZaRJngF/5/S5rZsv31jaCXs9ht7eYr0j4NS:rLV6BtpmkFmgSJnQSqvFWRht7eq0X
Malware Config
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Nanocore family
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Redtiger.exe"C:\Users\Admin\AppData\Local\Temp\Redtiger.exe"1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UnprotectMerge.rmi"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\UnprotectHide.htm1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ffcd46946f8,0x7ffcd4694708,0x7ffcd46947182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,13666872780464181273,3504321804403780694,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,13666872780464181273,3504321804403780694,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,13666872780464181273,3504321804403780694,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,13666872780464181273,3504321804403780694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,13666872780464181273,3504321804403780694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings2⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x26c,0x270,0x274,0x240,0x278,0x7ff7de8b5460,0x7ff7de8b5470,0x7ff7de8b54803⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,13666872780464181273,3504321804403780694,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,13666872780464181273,3504321804403780694,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,13666872780464181273,3504321804403780694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,13666872780464181273,3504321804403780694,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,13666872780464181273,3504321804403780694,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,13666872780464181273,3504321804403780694,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD577fe0ce7e1f9c9ec2f198ad2536bf753
SHA12a366472f227a24f3c0fba0af544676ea58438d7
SHA256c69ca7653724e1e9e52518de8f4f030813e1431223d5b6ad3270531d8df89f00
SHA512e8d4e17b93fb19364eeeffc5b1016fdbe566a8b8d702005291ff263367840b8ccc76290d8a3ad457d40fb5d1c2204bdaa5acba9374236c77935ebb0fe597a095
-
Filesize
152B
MD50d57a449c855203411a38d5ae80bc24c
SHA1b361032efa556fc4557bbad595ce89c4b0c13dba
SHA256bb59bab10e406cd91bdfe4fc0e8ce2817a6ca32fc731ccb3f90b6b79c1a46c21
SHA5128d4244dc9c0e9518cd71aacaa54d43c1e2d74519e3e692160b2b040d00aac25c4ba7a5705391e50957d46c8c711dc07604effea3bc06c8956ecf717f61008da3
-
Filesize
264KB
MD5d0736c016b148e3ff676b39c7a629324
SHA18cc91fc18737377f12b8b640be5268685e1c6540
SHA256c575b5eb2576df248a8667717106e24e3939a6ce1cae09c674e49c3944178688
SHA5123e95d6bb8f2fccbebb2fed0f4f28099be7a01b424b53210afb111cedf11019f00f049e1db4806ab7015e71705ed555c6a7e18e275698ea811ab537d08b3cd81f
-
Filesize
8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
Filesize
8KB
MD541876349cb12d6db992f1309f22df3f0
SHA15cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
8KB
MD5cf89d16bb9107c631daabf0c0ee58efb
SHA13ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA5128cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
59B
MD52800881c775077e1c4b6e06bf4676de4
SHA12873631068c8b3b9495638c865915be822442c8b
SHA256226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b
-
Filesize
5KB
MD503e1a79fa0056e4cefbfa89cbe6b1b87
SHA1031b76ef74fb5fcc2bca05f8808dad41b01c23cf
SHA25673b3ae7d7bafb20334283a13fd8f0c3ed72e664c22e16600e38cf0d65e5c0d5b
SHA512372d40576fed0333a29cb6ccfb375ac3dfa6124c77f4346d642f2d817b8624edfb28a62b6f1cdff8c243c07a3a40ae897e055b7fcd875819ec83ad54de18a7ee
-
Filesize
6KB
MD5bc76e5ae45a94e6fba0dd0f1386c4d70
SHA15846166a73681fb1a5f27ee0d2d1f228572fa551
SHA256dd0f25e6f8b1d72af820e347e1d3720fab7de5b82c3b79fbbb94c3fa50a16d42
SHA5124e86d34c72b03fbc8a8e4be4d1763a1e45c39dda1263cb93faef99da983651789d85e1350dc3e1f17fb1247d436b07e6b7540f94793ea2046bf4f914c63447fd
-
Filesize
5KB
MD58385dbdb5c6f40bd64cfbcc22636314c
SHA1135daed4924bdea5b7a97e179ccd48dc09451966
SHA256b2b44a60a551de1e1c3603865a086ece12b442eaa45a8e35c925aebdb927aadc
SHA512ebc9432c5b4bcd35c9f98dd5318f0e43c3ced5243b93ccedb0ff1b0716060e233561861bd38950f7d79b06f7a6abd6c45631ae01810505eef72291b7993841b2
-
Filesize
5KB
MD539f9fd1bb08a56f44745dd811a0bab84
SHA1adc83fe6b9a3b1f30b17c6123d0cf47008faa9c1
SHA256833f6f1bff4108acc29843c0a01927a0191d457dba404cf41a8c74476c6b9afe
SHA512bf655f2dd129cd7ab8d9a27608d88a5ce8e4e2a3935143c89528cb97e5c37b5ec164107bca872c34db0eca16e68d7240a5f48baf41f4f21b5c130ce02a2ddea8
-
Filesize
24KB
MD59b2345e425acf05ffaa1dee20d4fdbe7
SHA1aecf86c5a5d24b77aea68f6bc99e7f42c9048bc3
SHA2561eb6cc0eab0b222c1111dba69db74281366b9f5dc9f8707ff215b09155c58d14
SHA512647fc97d693b709ef3b0877b6de1d4f9f4e1085d35b809d27360ede1be52b37f9a967fb80ce43be35d60b52409c7e4036376d7d931c96f0660a2eeffa58a8208
-
Filesize
24KB
MD577006dacd174a80aa9b867f95d5df337
SHA17078db638c72ee5cf4ede7911e4421cc4ae103c7
SHA2565e22af33da2ed3f3197d9c899a8fec5e2716b54be019c484cd59960da8f143d9
SHA512e8268ed24af38eaebda4cd864e5580ed1bb63e3e4b72a27fe3404baeb7c8c944a7e79282712ac9d0b33f0123654dedb1984633d6ae2a5b412d6536e2b0389bb2
-
Filesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
9KB
MD529542986295572336329c65d6fb6b68e
SHA18cd34c101e065f15120798f51556a73243c3c045
SHA25644e8b63f5bfb3caa4ef13f59bb6de3ff3c401b987b0872dd3641a06c4b22daaf
SHA51233ea79f52a5a4686592f97cbace20ef8910a8c97422d7f180dd9076b808567bf1928fc19bf4f394f426756449f7293099f35bcec6d2787935cc25b73e3252f0d
-
Filesize
11KB
MD529bc938426506f2c01315f09cc3204fa
SHA1630ae6c079a5d8f0caaadbae5d2fbae09363d587
SHA256b5779eecffde05eda50c782d032bc367b15a79742949688394e73f0f8d997541
SHA512f64ea320ed9979de22e290375a1ce52a435c877ff01c4875dd1589616a679863aa04956f0f4e82e08c42df24cddf89c106ca54bfcc2433d06537902e3b5a9323
-
Filesize
3KB
MD59ea8bb18cd280bb40a98865b26a16423
SHA164c85c5d289d58b21460f664a4307ae0374f7996
SHA2560c43afa7c9327bbb77993fa48b997794518566c1d170f18be0b3b873eec69fc8
SHA5126ea865e9dfabadfc05a478c773a533091337224af5fdde58c82191cee6e011b437a3cd1ae1469daecf8c4fe5e29fcfdea748635419a33d8646344e4085710d45
-
Filesize
3KB
MD5d5896104bd31f30d1aba6d43f459a834
SHA1cd8653d6b7b151163ef472f687efb2b7f3bf6743
SHA25613f521537ca4ccf9c2f4ec17c29d4c69a9fb15ddff46b636dee47c8e691219ad
SHA512697313d1b56fcdb672480f37ca1ce4dab17de304ceb3324428af1ca7d4dc5985b5526536b1c64df85146b266b981de792b9a50cbc2d4a0af0d10d7780edafa7b
-
Filesize
68KB
-
Filesize
260KB
-
Filesize
2.0MB
-
Filesize
208KB
-
Filesize
92KB
-
Filesize
2.7MB
-
Filesize
92KB
-
Filesize
96KB
-
Filesize
68KB
-
Filesize
212KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
96KB
-
Filesize
132KB
-
Filesize
116KB
-
Filesize
16.7MB
-
Filesize
68KB
-
Filesize
992KB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB