ceb348dfa61b34bebce021fa783b0afdb874ea7205f75e7fb42b01898439be75

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NanoCore 1.2.2.0_Cracked By Alcatraz3222/Plugins/MiscTools.ncp
Size

66KB
MD5

78e3006fc6468eb7dfc7761072b84ac6
SHA1

e46cae768d2754f48a29b7e424a9bddf0d67bcd8
SHA256

3a3a3b105eefb45e3b70cc1592e484df02df7020d5154e8c2e5d7d439e295e46
SHA512

0daa1cc9ddae70f442ee5eed784523dc1378b9d095edfaec1df95e02f00d09b461d60ee180f716f7ba755543ef7b0c87d791a454cf254dde0033b8615b2841e8
SSDEEP

1536:XQqCFuF5vS0ZDQkDxpFVQs7fablxN1MY+I4U1UdpYao6wCh6K5:X3C3yXLOs7abl5rKC6EY

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\ncp_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\ncp_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\.ncp	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\.ncp\ = "ncp_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\ncp_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\ncp_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\ncp_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\ncp_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2708	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2708	AcroRd32.exe
2708	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2516	2380	cmd.exe	31
PID 2380 wrote to memory of 2516	2380	cmd.exe	31
PID 2380 wrote to memory of 2516	2380	cmd.exe	31
PID 2516 wrote to memory of 2708	2516	rundll32.exe	32
PID 2516 wrote to memory of 2708	2516	rundll32.exe	32
PID 2516 wrote to memory of 2708	2516	rundll32.exe	32
PID 2516 wrote to memory of 2708	2516	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\Plugins\MiscTools.ncp"
1⤵
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\Plugins\MiscTools.ncp
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\Plugins\MiscTools.ncp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
bdbbfcd6b4f7e8c65ce2962efd461e4f

SHA1
26a88e6f2af38ebaa42dd68c3c23cf702d4ef21a

SHA256
0450081070d50ec6ef67134f86c9941d35e9fda7818dae486fc1067da80a1788

SHA512
f7b568dc7c2aeb43d10a52c48ca46a6edd447ac9204af15356c4f3d3139bf8ca933f72a557ec3f8726f13ae7c1356616ab7efec76682e9e7583b0bf8baa5dda0

Download Submit