Analysis Overview
SHA256
7946e7eb4c07a11f19e8bcbf7356c0140f48d110c26306c7461812daf5d7a1d9
Threat Level: Known bad
The file NanoCore 1.2.2.0_Cracked By Alcatraz3222.rar was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Async RAT payload
Executes dropped EXE
Drops file in Windows directory
Enumerates physical storage devices
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-01 11:05
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-01 11:05
Reported
2024-03-01 11:06
Platform
win10-20240221-en
Max time kernel
25s
Max time network
27s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\NanoCore.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NanoCore.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-682446400-748730298-2471801445-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NanoCore.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222.rar"
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222.rar"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\NanoCore.exe
"C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\NanoCore.exe"
C:\Users\Admin\AppData\Local\Temp\NanoCore.exe
"C:\Users\Admin\AppData\Local\Temp\NanoCore.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping -n 3 127.0.0.1 & copy /Y "C:\Users\Admin\AppData\Local\Temp\NanoCore.exe" "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\NanoCore.exe" >> NUL
C:\Windows\SysWOW64\PING.EXE
ping -n 3 127.0.0.1
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 1108
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 129.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dool.ddns.net | udp |
| DE | 94.131.109.101:1606 | dool.ddns.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\Resources\ListIcons\flag_aq.png
C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\Resources\ListIcons\flag_cx.png
C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\Resources\ListIcons\flag_gp.png
C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\Resources\ListIcons\flag_sj.png
C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\NanoCore.exe
C:\Users\Admin\AppData\Local\Temp\NanoCore.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe