Analysis
-
max time kernel
25s -
max time network
27s -
platform
windows10-1703_x64 -
resource
win10-20240221-en -
resource tags
arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system -
submitted
01/03/2024, 11:05
Static task
static1
General
-
Target
NanoCore 1.2.2.0_Cracked By Alcatraz3222.rar
-
Size
6.0MB
-
MD5
018e7d97045c5887468501f83aeaabc8
-
SHA1
08164ff3d19c55db15e031d66176ef897f248b1d
-
SHA256
7946e7eb4c07a11f19e8bcbf7356c0140f48d110c26306c7461812daf5d7a1d9
-
SHA512
d49fceac389b27c0f4be3496d074344ccf81dc9d96716100aab3d9b8a81fff82f6a7e6ee93da27231955a9a7ea0816ac962804dd53915a47a6c0f8a9d87a93fe
-
SSDEEP
98304:XsGP8lyIaK3xPgsVDlMinK4xYIVCKWSkpPXq0A5CPEgYgRif0fj6QlNb6YFxeLLb:c48ZlbllF/xJCNSKPa0AMP5RRL6QflF2
Malware Config
Extracted
asyncrat
0.5.7B
nano
dool.ddns.net:1606
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
svchost.exe
-
install_folder
%Temp%
Signatures
-
Async RAT payload 1 IoCs
resource | yara_rule
behavioral1/files/0x000600000001ad67-767.dat | family_asyncrat
-
Executes dropped EXE 3 IoCs
pid | Process
3236 | NanoCore.exe
1112 | NanoCore.exe
2240 | svchost.exe
-
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | dw20.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\Local Settings | cmd.exe
-
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
3268 | PING.EXE
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
2788 | dw20.exe
2788 | dw20.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
976 | 7zFM.exe
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
description | pid | Process
Token: SeRestorePrivilege | 976 | 7zFM.exe
Token: 35 | 976 | 7zFM.exe
Token: SeSecurityPrivilege | 976 | 7zFM.exe
Token: SeDebugPrivilege | 1112 | NanoCore.exe
Token: SeRestorePrivilege | 2788 | dw20.exe
Token: SeBackupPrivilege | 2788 | dw20.exe
Token: SeBackupPrivilege | 2788 | dw20.exe
Token: SeDebugPrivilege | 2240 | svchost.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
976 | 7zFM.exe
976 | 7zFM.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
description | pid | Process | procid_target
PID 1020 wrote to memory of 976 | 1020 | cmd.exe | 74
PID 1020 wrote to memory of 976 | 1020 | cmd.exe | 74
PID 3236 wrote to memory of 1112 | 3236 | NanoCore.exe | 79
PID 3236 wrote to memory of 1112 | 3236 | NanoCore.exe | 79
PID 3236 wrote to memory of 1112 | 3236 | NanoCore.exe | 79
PID 3236 wrote to memory of 2240 | 3236 | NanoCore.exe | 80
PID 3236 wrote to memory of 2240 | 3236 | NanoCore.exe | 80
PID 3236 wrote to memory of 2240 | 3236 | NanoCore.exe | 80
PID 3236 wrote to memory of 4688 | 3236 | NanoCore.exe | 81
PID 3236 wrote to memory of 4688 | 3236 | NanoCore.exe | 81
PID 3236 wrote to memory of 4688 | 3236 | NanoCore.exe | 81
PID 4688 wrote to memory of 3268 | 4688 | cmd.exe | 83
PID 4688 wrote to memory of 3268 | 4688 | cmd.exe | 83
PID 4688 wrote to memory of 3268 | 4688 | cmd.exe | 83
PID 1112 wrote to memory of 2788 | 1112 | NanoCore.exe | 84
PID 1112 wrote to memory of 2788 | 1112 | NanoCore.exe | 84
PID 1112 wrote to memory of 2788 | 1112 | NanoCore.exe | 84
Processes
-
C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222.rar"
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1020
    C:\Program Files\7-Zip\7zFM.exe
      Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222.rar"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      PID:976
C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID:3744
C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\NanoCore.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\NanoCore.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3236
    C:\Users\Admin\AppData\Local\Temp\NanoCore.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\NanoCore.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:1112
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
          Command line: dw20.exe -x -s 1108
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:2788
    C:\Users\Admin\AppData\Local\Temp\svchost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:2240
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c ping -n 3 127.0.0.1 & copy /Y "C:\Users\Admin\AppData\Local\Temp\NanoCore.exe" "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\NanoCore.exe" >> NUL
      - Suspicious use of WriteProcessMemory
      PID:4688
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping -n 3 127.0.0.1
          - Runs ping.exe
          PID:3268
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.2MB
MD5
582c1464562374ef36e266c3c881ac77
SHA1
5bac94ad083b0467cae59cd3f9649a7de0f43723
SHA256
5ebeaf3ed77ac8dbbc14e05cada6059e39dd2a1b3fcfcb5cb49db2e68752dcc9
SHA512
f7e7f742f3901f1e8b8cba9245ad90b886fcbade1347b3f3d00fec07d15d8883368a56e647c766dbffcadc6da7cb6285a5454732a447bebfe96c033701e644b3
-
C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\Resources\ListIcons\flag_aq.png
Filesize
351B
MD5
b841c2ebdca6bb23c15c98da4aa671d7
SHA1
42f562132fe6e9a5029247a2b9666395dd5ad9b0
SHA256
b668f1a313e57c97a5abd0212631ea6211aace15b10f1ca82484f23f7d6924b5
SHA512
e093c2c454e8ceb318df0629f5f7e8494213e69caef640dd4554f3c250029e8a06b4c5add9c13e457f901c3d328738b66db524a8404617e486fd8c564dd04c90
-
C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\Resources\ListIcons\flag_cx.png
Filesize
626B
MD5
fbf02dad6f60392ce777d006d5762248
SHA1
f9d95e6e5e25b83953e4f898bf99636d85511709
SHA256
45203a04468ff78fb3434f46799ca630172e04f97c566f8e143539a80c48bfc5
SHA512
9f5b7b5399cb7c8b41cda202eac5a344524f135fd2e32a5f312917c7684ee13a94976984154355297bb31fd06435efe91456e189bb5f1c9d6010dfad01415b4f
-
C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\Resources\ListIcons\flag_gp.png
Filesize
546B
MD5
5ac0d15234533136bf6ec230686a4aa5
SHA1
2f208a8baf30d13aa23382d3821cc73c4aa466f0
SHA256
5cceb033c0262b5905f88d5905777471e9f1b0b0d9cb857f2361e88ada73610d
SHA512
d6215183f13e36a268b849056fe1479ebd36eab4b6f175cbdd3a4ecd4ba4df7734189a2f9e9d69ee344ca63baf2c9ef10f62663cc721e9c9c59775d5e84e2268
-
C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\Resources\ListIcons\flag_sj.png
Filesize
562B
MD5
4f82c2e83eab05d2bd9baaeff6c81a96
SHA1
e1cd3981d14653bf5df976ece649120134e88546
SHA256
15493361692068154ac1b1baf8878c179b353996dcda4d63e0322ea37f998f9b
SHA512
b69030fffb689094952eb472b272e1d18b40d0f11e3bba647c9b01226ccf072d276cc31ce3a1ffcbc84c5de82bedfe7fc2466fb060ff50e528f7c258179e626d
-
Filesize
1.4MB
MD5
1728acc244115cbafd3b810277d2e321
SHA1
be64732f46c8a26a5bbf9d7f69c7f031b2c5180b
SHA256
ec359f50ca15395f273899c0ff7c0cd87ab5c2e23fdcfc6c72fedc0097161d4b
SHA512
8c59fdd29181f28e5698de78adf63934632e644a87088400f1b7ab1653622e4bc3a4145094601211a2db4bcbd04ea5f1ac44129907fbb727fe24a1f3652c7034
-
Filesize
45KB
MD5
49dda59f0c4cdd8edceb12c8a656be01
SHA1
fd07e12453e858cc7f9f36fcd580a770fdf61f09
SHA256
e55d1db22d0aeb018ed7fc2a5cf6d0c72941cb0ea0af08ffd370aa89b38fea37
SHA512
56dec368a6a44dcd9c2f8ff583d10f14a4e6701bb76186a011e3e98657fc92338a012d66284f6b21b4a5ee7f1a2739232672c65d5273bc9ca31e16f43bc52ec4