Malware Analysis Report

2025-06-16 05:44

Sample ID 240301-m68tyafg96
Target NanoCore 1.2.2.0_Cracked By Alcatraz3222.rar
SHA256 7946e7eb4c07a11f19e8bcbf7356c0140f48d110c26306c7461812daf5d7a1d9
Tags
asyncrat nano rat
score
10/10

Analysis Overview

score
10/10

SHA256

7946e7eb4c07a11f19e8bcbf7356c0140f48d110c26306c7461812daf5d7a1d9

Threat Level: Known bad

The file NanoCore 1.2.2.0_Cracked By Alcatraz3222.rar was found to be: Known bad.

Malicious Activity Summary

asyncrat nano rat

AsyncRat

Async RAT payload

Executes dropped EXE

Drops file in Windows directory

Enumerates physical storage devices

Modifies registry class

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-01 11:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-01 11:05

Reported

2024-03-01 11:06

Platform

win10-20240221-en

Max time kernel

25s

Max time network

27s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222.rar"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NanoCore.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1020 wrote to memory of 976 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe
PID 1020 wrote to memory of 976 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe
PID 3236 wrote to memory of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\NanoCore.exe | C:\Users\Admin\AppData\Local\Temp\NanoCore.exe
PID 3236 wrote to memory of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\NanoCore.exe | C:\Users\Admin\AppData\Local\Temp\NanoCore.exe
PID 3236 wrote to memory of 1112 | N/A | C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\NanoCore.exe | C:\Users\Admin\AppData\Local\Temp\NanoCore.exe
PID 3236 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\NanoCore.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 3236 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\NanoCore.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 3236 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\NanoCore.exe | C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 3236 wrote to memory of 4688 | N/A | C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\NanoCore.exe | C:\Windows\SysWOW64\cmd.exe
PID 3236 wrote to memory of 4688 | N/A | C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\NanoCore.exe | C:\Windows\SysWOW64\cmd.exe
PID 3236 wrote to memory of 4688 | N/A | C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\NanoCore.exe | C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 3268 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 4688 wrote to memory of 3268 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 4688 wrote to memory of 3268 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 1112 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\NanoCore.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 1112 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\NanoCore.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
PID 1112 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\NanoCore.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222.rar"

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222.rar"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\NanoCore.exe

"C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\NanoCore.exe"

C:\Users\Admin\AppData\Local\Temp\NanoCore.exe

"C:\Users\Admin\AppData\Local\Temp\NanoCore.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c ping -n 3 127.0.0.1 & copy /Y "C:\Users\Admin\AppData\Local\Temp\NanoCore.exe" "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\NanoCore.exe" >> NUL

C:\Windows\SysWOW64\PING.EXE

ping -n 3 127.0.0.1

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 1108

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 129.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | dool.ddns.net | udp
DE | 94.131.109.101:1606 | dool.ddns.net | tcp

Files

C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\Resources\ListIcons\flag_aq.png

MD5 b841c2ebdca6bb23c15c98da4aa671d7
SHA1 42f562132fe6e9a5029247a2b9666395dd5ad9b0
SHA256 b668f1a313e57c97a5abd0212631ea6211aace15b10f1ca82484f23f7d6924b5
SHA512 e093c2c454e8ceb318df0629f5f7e8494213e69caef640dd4554f3c250029e8a06b4c5add9c13e457f901c3d328738b66db524a8404617e486fd8c564dd04c90

C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\Resources\ListIcons\flag_cx.png

MD5 fbf02dad6f60392ce777d006d5762248
SHA1 f9d95e6e5e25b83953e4f898bf99636d85511709
SHA256 45203a04468ff78fb3434f46799ca630172e04f97c566f8e143539a80c48bfc5
SHA512 9f5b7b5399cb7c8b41cda202eac5a344524f135fd2e32a5f312917c7684ee13a94976984154355297bb31fd06435efe91456e189bb5f1c9d6010dfad01415b4f

C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\Resources\ListIcons\flag_gp.png

MD5 5ac0d15234533136bf6ec230686a4aa5
SHA1 2f208a8baf30d13aa23382d3821cc73c4aa466f0
SHA256 5cceb033c0262b5905f88d5905777471e9f1b0b0d9cb857f2361e88ada73610d
SHA512 d6215183f13e36a268b849056fe1479ebd36eab4b6f175cbdd3a4ecd4ba4df7734189a2f9e9d69ee344ca63baf2c9ef10f62663cc721e9c9c59775d5e84e2268

C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\Resources\ListIcons\flag_sj.png

MD5 4f82c2e83eab05d2bd9baaeff6c81a96
SHA1 e1cd3981d14653bf5df976ece649120134e88546
SHA256 15493361692068154ac1b1baf8878c179b353996dcda4d63e0322ea37f998f9b
SHA512 b69030fffb689094952eb472b272e1d18b40d0f11e3bba647c9b01226ccf072d276cc31ce3a1ffcbc84c5de82bedfe7fc2466fb060ff50e528f7c258179e626d

C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\NanoCore.exe

MD5 582c1464562374ef36e266c3c881ac77
SHA1 5bac94ad083b0467cae59cd3f9649a7de0f43723
SHA256 5ebeaf3ed77ac8dbbc14e05cada6059e39dd2a1b3fcfcb5cb49db2e68752dcc9
SHA512 f7e7f742f3901f1e8b8cba9245ad90b886fcbade1347b3f3d00fec07d15d8883368a56e647c766dbffcadc6da7cb6285a5454732a447bebfe96c033701e644b3

C:\Users\Admin\AppData\Local\Temp\NanoCore.exe

MD5 1728acc244115cbafd3b810277d2e321
SHA1 be64732f46c8a26a5bbf9d7f69c7f031b2c5180b
SHA256 ec359f50ca15395f273899c0ff7c0cd87ab5c2e23fdcfc6c72fedc0097161d4b
SHA512 8c59fdd29181f28e5698de78adf63934632e644a87088400f1b7ab1653622e4bc3a4145094601211a2db4bcbd04ea5f1ac44129907fbb727fe24a1f3652c7034

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 49dda59f0c4cdd8edceb12c8a656be01
SHA1 fd07e12453e858cc7f9f36fcd580a770fdf61f09
SHA256 e55d1db22d0aeb018ed7fc2a5cf6d0c72941cb0ea0af08ffd370aa89b38fea37
SHA512 56dec368a6a44dcd9c2f8ff583d10f14a4e6701bb76186a011e3e98657fc92338a012d66284f6b21b4a5ee7f1a2739232672c65d5273bc9ca31e16f43bc52ec4

memory/1112-771-0x0000000072C60000-0x0000000073210000-memory.dmp

memory/2240-770-0x0000000000030000-0x0000000000042000-memory.dmp

memory/2240-772-0x0000000072570000-0x0000000072C5E000-memory.dmp

memory/1112-773-0x0000000002D60000-0x0000000002D70000-memory.dmp

memory/1112-774-0x0000000072C60000-0x0000000073210000-memory.dmp

memory/1112-775-0x0000000002D30000-0x0000000002D31000-memory.dmp

memory/1112-780-0x0000000002D60000-0x0000000002D70000-memory.dmp

memory/1112-781-0x0000000002D60000-0x0000000002D70000-memory.dmp

memory/2240-784-0x0000000004D00000-0x0000000004E00000-memory.dmp

memory/2240-785-0x0000000004E00000-0x0000000004E9C000-memory.dmp

memory/1112-788-0x0000000072C60000-0x0000000073210000-memory.dmp