Resubmissions
13-12-2024 17:44
241213-wbgxeaxphq 1013-12-2024 17:15
241213-vsrmhavpgs 1013-12-2024 17:14
241213-vshdtsxjhl 1013-12-2024 17:13
241213-vrge5svpc1 10Analysis
-
max time kernel
715s -
max time network
660s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241211-en -
resource tags
-
submitted
13-12-2024 17:13
General
-
Target
NanoCore 1.2.2.0_Cracked By Alcatraz3222/PluginCompiler.exe
-
Size
75KB
-
MD5
e2d1c5df11f9573f6c5d0a7ad1a79fbf
-
SHA1
b32bf571aca1b51af48f7f2f955aaf1bbdc5aa2f
-
SHA256
0b41b2fcd0f1a4e913d3efe293f713849d59efebb27bac060ab31bed51ac2f6b
-
SHA512
9c9ae7baa504dd34311f5730280f6a49e10eefdb145d2d29849e385a7da47c8f2c182cd6f39949f5904ef8462fc5c3dfaf1bc4cc8bff50c6750c9edc886192e0
-
SSDEEP
1536:iyVzgm8NqToL6n975lw8FDx39EhPKu4iV1Y:iyVMLUTos5SAx3ChPKpiVe
Malware Config
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Nanocore family
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 33 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of FindShellTrayWindow 40 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\PluginCompiler.exe"C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\PluginCompiler.exe"1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x204,0x22c,0x7ff86f51cc40,0x7ff86f51cc4c,0x7ff86f51cc582⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2024,i,2599745817360237970,12977543706434053948,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2004 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1876,i,2599745817360237970,12977543706434053948,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2116 /prefetch:32⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2144,i,2599745817360237970,12977543706434053948,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2472 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,2599745817360237970,12977543706434053948,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3160 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,2599745817360237970,12977543706434053948,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3208 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3656,i,2599745817360237970,12977543706434053948,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3624 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4140,i,2599745817360237970,12977543706434053948,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4604 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5020,i,2599745817360237970,12977543706434053948,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5060 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5200,i,2599745817360237970,12977543706434053948,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5396 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5380,i,2599745817360237970,12977543706434053948,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5528 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\Alcatraz3222.exe"C:\Users\Admin\Desktop\Alcatraz3222.exe"1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "WAN Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC9B8.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "WAN Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpCAF1.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5245c60631f7bfa5590e9a6a373649f9e
SHA15b0f98ab72815f4b47d66150a4cec0f75a79d178
SHA256eb07a063a09c80efd2fc74c925791c01452d01f3dc560ad31b8577b3dfa6e8ee
SHA51251180885399bf13f57dff2252503eeaea1cab31eb97cf8c4d741b98776423e9992abeaec279d27d0c3da0fa56a1b8a48c333faff2fe78c62b86bb4dd7cff54ec
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD567049a9624054c3c2d8b5003b41e35a4
SHA1bf5f309e219791dcee0d00c3757b3cea42b0bb7d
SHA256edd1064cfa2e0f1c628a05c9d1140862f8b052ae4bf6f4468a8074da45b9ce10
SHA512c58c23616283f61eb378eb6984ab290d8d689a61514bb52061783c582c0f3e0b13ca01b0e5d40d7f7afa5ba3c3dc35dd1c65b0d3daff469dd5a0dbd548bf434a
-
Filesize
8KB
MD588255d0315facaa70603871a446b9ee6
SHA135d05212ae1adc34423f4e7af726f6025cb47d91
SHA25663f47d37967b381f18edbdb6efb36f0c3067af77f11c5283ddea7a2e7d536ba0
SHA51218d9c9129e98e56f67daaa06071b7c51fc8fcc434d381abeafd8d8495e7c822424d0e967aa970355a1eb01b2245f15ab68e2a7bdf556eb3dd86cdfef5405b4d3
-
Filesize
15KB
MD5eec9ad4fb3c0693cf8e5fcfae3ebbb67
SHA178f1036c069ffc1b3b0070604c90f69a018518ad
SHA2567f26438384ced0e94875bd5f0b52fb3e84667e0001e63de870cee66198e97565
SHA5126637872d0a814e8ab3abfa82f378dd3d95ef17b8aef5240a90febfe62a80f3c7b948a99d23aa87b7a566a4c4d794dc01b46292c26d1e219fac1837946ec15858
-
Filesize
234KB
MD547d5a6a4ea78348f0c0237ff800bf4b7
SHA11239dca424585dbf4b9a663b075b4c334037c0a4
SHA2560a0b1bd4252f1b6bf364253a6a9def80a3ebd82f51b168521ff72733bc736951
SHA5121e795b54829c280a1a939d114d284cd7a532793fbc72f2604b9d929f8f0fbc8387de4f17c6ae605acfa5d02d8fcf8d5487da5b3a8a63b98fc52a97489249cb6b
-
Filesize
234KB
MD567054f5ad75502a2763c4e921f86e74e
SHA15095f14d6ccd09f073c02104cc56410562929279
SHA2565efc4cd92f5380509c8d6368c646cba6495c810a592085b0ac0bb305a2bcf90c
SHA512c0bb4543fc7ac1f1535e9fd80478afc85a848502f81470d86cf41d5cf96c3523a6b143d20926eeba5c320a6514540ddd4f532be68a5a663ae49e3140cdaafc6b
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
1KB
MD58f3588ab2432d9ba18d378cdc45d5784
SHA11f7c236195b594d50cd46c6866baf19146080d9d
SHA2563fe5dbfeb226d73efe3501d5090b6e1959967236dba89039afeca4b50483c3c0
SHA51267e6466ed3302eb38d18a922ce5795fd9845bfe39adf319b92643047ac7f834cf7407c6b3307a89d3fe12f2358856887b041acc7cc8c71d262a0a201f1227135
-
Filesize
1KB
MD59f0deb7cf87b4ae4efde9cc98ff481db
SHA1760265641ce176e555c64bedb494f6f75fd0bd27
SHA256a57110ccf892c8ca9c9b28b2608f4d37a8b5df1bfcf1411e7c62b500e82fabda
SHA5126517829d9a09df437a340485bb87183c7a80135a76296308120e0ab385f5ffa7369a2ace9655ffaf1c594869cc6a20015520b6b0c681217b641b3c58127a29de
-
Filesize
156KB
MD58f4d07c6b62acf696fe4aef50c563d4c
SHA11e8084c0f5efe4ef30fe8c29cdc70fbe150b6aa7
SHA25685170c50e8284a2edb8cbeae0bbe3b953c4ac4b83ff3795c232db1bef018f7da
SHA5126e4376a6dfa5c9aa2aa8d1612a751ebd26299e886bb3a37f4e16ed102b1884729427faed423a740e33a7ece18698000204f130702b200fb8e6ae219dbba47474
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
304KB
-
Filesize
32KB
-
Filesize
624KB
-
Filesize
9.6MB
-
Filesize
4.8MB
-
Filesize
664KB