Analysis

  • max time kernel
    25s
  • max time network
    27s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    01/03/2024, 11:05

General

  • Target

    NanoCore 1.2.2.0_Cracked By Alcatraz3222.rar

  • Size

    6.0MB

  • MD5

    018e7d97045c5887468501f83aeaabc8

  • SHA1

    08164ff3d19c55db15e031d66176ef897f248b1d

  • SHA256

    7946e7eb4c07a11f19e8bcbf7356c0140f48d110c26306c7461812daf5d7a1d9

  • SHA512

    d49fceac389b27c0f4be3496d074344ccf81dc9d96716100aab3d9b8a81fff82f6a7e6ee93da27231955a9a7ea0816ac962804dd53915a47a6c0f8a9d87a93fe

  • SSDEEP

    98304:XsGP8lyIaK3xPgsVDlMinK4xYIVCKWSkpPXq0A5CPEgYgRif0fj6QlNb6YFxeLLb:c48ZlbllF/xJCNSKPa0AMP5RRL6QflF2

Score
10/10

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

nano

C2

dool.ddns.net:1606

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %Temp%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Async RAT payload 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222.rar"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1020
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222.rar"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:976
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3744
    • C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\NanoCore.exe
      "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\NanoCore.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3236
      • C:\Users\Admin\AppData\Local\Temp\NanoCore.exe
        "C:\Users\Admin\AppData\Local\Temp\NanoCore.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1112
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
          dw20.exe -x -s 1108
          3⤵
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2788
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2240
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c ping -n 3 127.0.0.1 & copy /Y "C:\Users\Admin\AppData\Local\Temp\NanoCore.exe" "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\NanoCore.exe" >> NUL
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4688
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 3 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:3268
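The process tree above shows three behaviours worth alerting on: a dropper running from %Temp% launching a second executable from %Temp%; the 45KB AsyncRAT payload installed under the name svchost.exe outside System32 (matching the install_file and install_folder values in the extracted config); and cmd.exe using `ping -n 3 127.0.0.1` as a sleep before copying the original binary back over the launcher. The following Python is an added example, not part of the sandbox report or of any vendor tooling. The event records are constructed from the PIDs and command lines listed above, with parent relationships taken from the tree nesting, in a simplified Sysmon Event ID 1 shape whose field names are an assumption; one benign svchost.exe record is added as a control.

```python
"""Flag the AsyncRAT install chain from this report in process-creation events.

Added example, not from the sandbox report. Event shape and field names are an
assumption (simplified Sysmon Event ID 1); PIDs/command lines come from the tree.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
BUILDER = TEMP + r"\NanoCore 1.2.2.0_Cracked By Alcatraz3222\NanoCore.exe"

# Constructed from the report's process tree (rundll32 PID 3744 is the parent of 3236).
EVENTS = [
    ProcEvent(3236, 3744, BUILDER, f'"{BUILDER}"'),
    ProcEvent(1112, 3236, TEMP + r"\NanoCore.exe", f'"{TEMP}\\NanoCore.exe"'),
    ProcEvent(2240, 3236, TEMP + r"\svchost.exe", f'"{TEMP}\\svchost.exe"'),
    ProcEvent(4688, 3236, r"C:\Windows\SysWOW64\cmd.exe",
              f'"C:\\Windows\\system32\\cmd.exe" /c ping -n 3 127.0.0.1 & '
              f'copy /Y "{TEMP}\\NanoCore.exe" "{BUILDER}" >> NUL'),
    ProcEvent(3268, 4688, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 3 127.0.0.1"),
    # Constructed benign control: the real svchost.exe, started by services.exe.
    ProcEvent(900, 700, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs"),
]

# Names that legitimately live only under System32/SysWOW64.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "dllhost.exe", "conhost.exe"}
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# "ping -n N 127.0.0.1 & <file op>": ping-to-loopback used as a sleep, then a drop/overwrite.
PING_SLEEP_THEN_FILEOP = re.compile(
    r"ping\s+-n\s+\d+\s+127\.0\.0\.1\s*&\s*(copy|move|del|start)\b", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_masquerading(events):
    """PIDs of processes whose image name is a system binary but whose path is not."""
    return [e.pid for e in events
            if basename(e.image) in SYSTEM_BINARIES and not SYSTEM_DIR.match(e.image)]


def find_ping_delay_chain(events):
    """PIDs of cmd.exe instances using ping as a delay before a file operation."""
    return [e.pid for e in events
            if basename(e.image) == "cmd.exe" and PING_SLEEP_THEN_FILEOP.search(e.cmdline)]


def find_temp_drop_chain(events):
    """(parent_pid, child_pid) pairs where an executable in the user's Temp spawns
    another executable from the user's Temp (dropper -> payload)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and USER_TEMP.match(e.image) and USER_TEMP.match(parent.image):
            hits.append((parent.pid, e.pid))
    return hits


if __name__ == "__main__":
    print("masquerading system binary:", find_masquerading(EVENTS))
    print("ping-delay then file op:   ", find_ping_delay_chain(EVENTS))
    print("Temp -> Temp spawn chain:  ", find_temp_drop_chain(EVENTS))
```

The three checks are independent so each can be wired to its own alert; in practice the masquerading check is the cheapest and least noisy, while the Temp-to-Temp spawn check should be tuned against installers that legitimately stage in %Temp%.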

    Network

          MITRE ATT&CK Enterprise v15


          Downloads

          • C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\NanoCore.exe

            Filesize

            1.2MB

            MD5

            582c1464562374ef36e266c3c881ac77

            SHA1

            5bac94ad083b0467cae59cd3f9649a7de0f43723

            SHA256

            5ebeaf3ed77ac8dbbc14e05cada6059e39dd2a1b3fcfcb5cb49db2e68752dcc9

            SHA512

            f7e7f742f3901f1e8b8cba9245ad90b886fcbade1347b3f3d00fec07d15d8883368a56e647c766dbffcadc6da7cb6285a5454732a447bebfe96c033701e644b3

          • C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\Resources\ListIcons\flag_aq.png

            Filesize

            351B

            MD5

            b841c2ebdca6bb23c15c98da4aa671d7

            SHA1

            42f562132fe6e9a5029247a2b9666395dd5ad9b0

            SHA256

            b668f1a313e57c97a5abd0212631ea6211aace15b10f1ca82484f23f7d6924b5

            SHA512

            e093c2c454e8ceb318df0629f5f7e8494213e69caef640dd4554f3c250029e8a06b4c5add9c13e457f901c3d328738b66db524a8404617e486fd8c564dd04c90

          • C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\Resources\ListIcons\flag_cx.png

            Filesize

            626B

            MD5

            fbf02dad6f60392ce777d006d5762248

            SHA1

            f9d95e6e5e25b83953e4f898bf99636d85511709

            SHA256

            45203a04468ff78fb3434f46799ca630172e04f97c566f8e143539a80c48bfc5

            SHA512

            9f5b7b5399cb7c8b41cda202eac5a344524f135fd2e32a5f312917c7684ee13a94976984154355297bb31fd06435efe91456e189bb5f1c9d6010dfad01415b4f

          • C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\Resources\ListIcons\flag_gp.png

            Filesize

            546B

            MD5

            5ac0d15234533136bf6ec230686a4aa5

            SHA1

            2f208a8baf30d13aa23382d3821cc73c4aa466f0

            SHA256

            5cceb033c0262b5905f88d5905777471e9f1b0b0d9cb857f2361e88ada73610d

            SHA512

            d6215183f13e36a268b849056fe1479ebd36eab4b6f175cbdd3a4ecd4ba4df7734189a2f9e9d69ee344ca63baf2c9ef10f62663cc721e9c9c59775d5e84e2268

          • C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\Resources\ListIcons\flag_sj.png

            Filesize

            562B

            MD5

            4f82c2e83eab05d2bd9baaeff6c81a96

            SHA1

            e1cd3981d14653bf5df976ece649120134e88546

            SHA256

            15493361692068154ac1b1baf8878c179b353996dcda4d63e0322ea37f998f9b

            SHA512

            b69030fffb689094952eb472b272e1d18b40d0f11e3bba647c9b01226ccf072d276cc31ce3a1ffcbc84c5de82bedfe7fc2466fb060ff50e528f7c258179e626d

          • C:\Users\Admin\AppData\Local\Temp\NanoCore.exe

            Filesize

            1.4MB

            MD5

            1728acc244115cbafd3b810277d2e321

            SHA1

            be64732f46c8a26a5bbf9d7f69c7f031b2c5180b

            SHA256

            ec359f50ca15395f273899c0ff7c0cd87ab5c2e23fdcfc6c72fedc0097161d4b

            SHA512

            8c59fdd29181f28e5698de78adf63934632e644a87088400f1b7ab1653622e4bc3a4145094601211a2db4bcbd04ea5f1ac44129907fbb727fe24a1f3652c7034

          • C:\Users\Admin\AppData\Local\Temp\svchost.exe

            Filesize

            45KB

            MD5

            49dda59f0c4cdd8edceb12c8a656be01

            SHA1

            fd07e12453e858cc7f9f36fcd580a770fdf61f09

            SHA256

            e55d1db22d0aeb018ed7fc2a5cf6d0c72941cb0ea0af08ffd370aa89b38fea37

            SHA512

            56dec368a6a44dcd9c2f8ff583d10f14a4e6701bb76186a011e3e98657fc92338a012d66284f6b21b4a5ee7f1a2739232672c65d5273bc9ca31e16f43bc52ec4

          • memory/1112-775-0x0000000002D30000-0x0000000002D31000-memory.dmp

            Filesize

            4KB

          • memory/1112-773-0x0000000002D60000-0x0000000002D70000-memory.dmp

            Filesize

            64KB

          • memory/1112-774-0x0000000072C60000-0x0000000073210000-memory.dmp

            Filesize

            5.7MB

          • memory/1112-771-0x0000000072C60000-0x0000000073210000-memory.dmp

            Filesize

            5.7MB

          • memory/1112-780-0x0000000002D60000-0x0000000002D70000-memory.dmp

            Filesize

            64KB

          • memory/1112-781-0x0000000002D60000-0x0000000002D70000-memory.dmp

            Filesize

            64KB

          • memory/1112-788-0x0000000072C60000-0x0000000073210000-memory.dmp

            Filesize

            5.7MB

          • memory/2240-770-0x0000000000030000-0x0000000000042000-memory.dmp

            Filesize

            72KB

          • memory/2240-772-0x0000000072570000-0x0000000072C5E000-memory.dmp

            Filesize

            6.9MB

          • memory/2240-784-0x0000000004D00000-0x0000000004E00000-memory.dmp

            Filesize

            1024KB

          • memory/2240-785-0x0000000004E00000-0x0000000004E9C000-memory.dmp

            Filesize

            624KB
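The Downloads list above gives hashes for the submitted archive, both NanoCore.exe copies and the 45KB svchost.exe payload, alongside four small flag_*.png files from the builder's Resources\ListIcons folder. Only the first four are useful as indicators; the PNGs are generic GUI assets and would match any copy of the builder. The following Python is an added example, not part of the sandbox report or of any vendor tooling: it sweeps a directory by SHA256 against those four hashes, comparing content rather than file names because the payload masquerades as svchost.exe. The sample file used in the usage note is constructed.

```python
"""Sweep a directory for the files dropped in this report, matching by SHA256.

Added example, not from the sandbox report. REPORT_IOCS is copied from the
report's Downloads section; the flag_*.png resources are deliberately left out.
"""
import hashlib
import os

# SHA256 -> label, from the report above.
REPORT_IOCS = {
    "7946e7eb4c07a11f19e8bcbf7356c0140f48d110c26306c7461812daf5d7a1d9":
        "NanoCore 1.2.2.0_Cracked By Alcatraz3222.rar (6.0MB, submitted archive)",
    "5ebeaf3ed77ac8dbbc14e05cada6059e39dd2a1b3fcfcb5cb49db2e68752dcc9":
        "NanoCore.exe (1.2MB, extracted from the archive)",
    "ec359f50ca15395f273899c0ff7c0cd87ab5c2e23fdcfc6c72fedc0097161d4b":
        "NanoCore.exe (1.4MB, dropped to %Temp%)",
    "e55d1db22d0aeb018ed7fc2a5cf6d0c72941cb0ea0af08ffd370aa89b38fea37":
        "svchost.exe (45KB AsyncRAT payload in %Temp%)",
}


def sha256_file(path, chunk=1 << 20):
    """Hash a file in 1MB chunks so large archives do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs=REPORT_IOCS):
    """Return [(path, sha256, label)] for every file under root whose SHA256 is in iocs.

    Unreadable files (locked by a running process, permission denied) are skipped
    here; real tooling should report them, since a locked svchost.exe in %Temp%
    is itself a finding.
    """
    matches = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in iocs:
                matches.append((path, digest, iocs[digest]))
    return matches


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("TEMP", "/tmp")
    for path, digest, label in sweep(root):
        print(f"{digest}  {path}  <- {label}")
```

Run it against the user's %Temp% on a suspected host (`python sweep.py %TEMP%`); a hit on the 45KB svchost.exe hash is the AsyncRAT install itself, whereas a hit on the archive or the 1.2MB NanoCore.exe only shows the cracked builder was downloaded or extracted. Note that a rebuilt or repacked payload will not match these hashes; the process-tree behaviours and the C2 dool.ddns.net:1606 are the more durable indicators.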