Resubmissions
13-12-2024 17:44
241213-wbgxeaxphq 1013-12-2024 17:15
241213-vsrmhavpgs 1013-12-2024 17:14
241213-vshdtsxjhl 1013-12-2024 17:13
241213-vrge5svpc1 10Analysis
-
max time kernel
716s -
max time network
562s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
13-12-2024 17:13
General
-
Target
NanoCore 1.2.2.0_Cracked By Alcatraz3222/PluginCompiler.exe
-
Size
75KB
-
MD5
e2d1c5df11f9573f6c5d0a7ad1a79fbf
-
SHA1
b32bf571aca1b51af48f7f2f955aaf1bbdc5aa2f
-
SHA256
0b41b2fcd0f1a4e913d3efe293f713849d59efebb27bac060ab31bed51ac2f6b
-
SHA512
9c9ae7baa504dd34311f5730280f6a49e10eefdb145d2d29849e385a7da47c8f2c182cd6f39949f5904ef8462fc5c3dfaf1bc4cc8bff50c6750c9edc886192e0
-
SSDEEP
1536:iyVzgm8NqToL6n975lw8FDx39EhPKu4iV1Y:iyVMLUTos5SAx3ChPKpiVe
Malware Config
Signatures
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Nanocore family
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 35 IoCs
-
NTFS ADS 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of FindShellTrayWindow 34 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\PluginCompiler.exe"C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\PluginCompiler.exe"1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d391cc40,0x7ff8d391cc4c,0x7ff8d391cc582⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2012,i,3907243389941327840,18442353490007029411,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2008 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1772,i,3907243389941327840,18442353490007029411,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2152 /prefetch:32⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,3907243389941327840,18442353490007029411,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1944 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3092,i,3907243389941327840,18442353490007029411,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3240 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,3907243389941327840,18442353490007029411,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3268 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4292,i,3907243389941327840,18442353490007029411,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4324 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4272,i,3907243389941327840,18442353490007029411,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3064 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4928,i,3907243389941327840,18442353490007029411,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5072 /prefetch:82⤵
- NTFS ADS
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5168,i,3907243389941327840,18442353490007029411,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3744 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5240,i,3907243389941327840,18442353490007029411,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5316 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\Alcatraz3222.exe"C:\Users\Admin\Desktop\Alcatraz3222.exe"1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "AGP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpEBA.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "AGP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpEE9.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\Desktop\Alcatraz3222.exe"C:\Users\Admin\Desktop\Alcatraz3222.exe"1⤵
- System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9KB
MD5fe25af823d73903b48036c93db78a48a
SHA1c1c7af79f648e82670bfa62bc43d4759d8ec067f
SHA256e61ccccd796f9b8d7b00d20a4f745ff5f434ba3d4038ec52158f7d1693b6870f
SHA512e912c298cd6edc87e8e6d7f81852a9ce6fb865f5a11ef9b817f44463ee0bdbed4f71fcab2305213da845f7af29a5c4e89a5d74253d3c72e0695623e65b4c3eb8
-
Filesize
649B
MD52c2b29da9aa5844997863219b707dbfb
SHA1099eb1e6dd955dbfd6a5fc084ef3ca915d1658d3
SHA25608d5df9e930d3933d1920d56ff4b6a7a090a55c362ceeb8bcf84372a7a3a71de
SHA5129ff040cc1783696bbc2cabf6194d3dc0d2523c23f2de235d5abf9738326c07b265060ee88d44411b58fbfbe26604f42ae118a79f4e561c7d2d2c363be27c2e7f
-
Filesize
1KB
MD5db0a3dbd7eac21dcf92e176512170c76
SHA1a82845fbadbf6be23306dbc6ec171ecf59509d0e
SHA25665fbe5a873c7ed4bc8f78509f73700bdfdd515641810298d4c0eb62c731c3dd9
SHA512365a8088b63e40e006cdb630af1a513c9ce5db86eff9426436ece4c4611264bcf4805016a49e706269ae766d2d482211df28654f7e87d3e7c865e4155c5a9b1b
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD519570223daa467fd17dd21b953d8ad76
SHA1abf607a36ead591b1507b6830d6d87cecf27e07d
SHA2561d36b1d2a6330920804f46593e00d0444f1de75fbf092d16ce445fce0394e1f5
SHA5123632755b1e1587c1ba357881b5e410ab4c4ca39ef3249784ce24b090fa78848594ac3a48fcd71182adf87b0b56c94434716d8b5ee6fbb863e078906469edb6a4
-
Filesize
15KB
MD56d95fbfa3f578ebb1e0709f9f0d0e983
SHA1370e63ded5272a4cf8bdee1bce659df2fdaa092e
SHA25616b0b1db63f953dee9b2f3b8a427eee0a879fab1c8dbf0568745df35a4501e06
SHA5122a98854442d29b91a9d41ed9a77275e8514c567526c0d28ee686104697e7c32ab7a12346a7f8c6576639806088399c21a1d4ff75a23ed28526cdd6b26d29986a
-
Filesize
231KB
MD5eeeb0eab022d39f7cfe20c9457774b10
SHA1f0813e95c8514f79b0a237c9ccaae403b0323123
SHA2564e42b949a73fabca57c03354b9e9d5a39509d8bbd588d8430f4ed2e24a360937
SHA51239cec1088b9981a7115cc99174b1cef71c25b1cf1fe0b11c2e213d7e187a9a612e047442501a793cc95fec6d736291814faad6203740c55275ff639f2caab6c2
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
14KB
MD52e7c86609c067de1d9bbbdd835da39b9
SHA130b24f5c9b71397501318eab292517044ae539d0
SHA256120275aff52e2d6d327112d07260e1660111c0b84a3019a57e6e0ce9a59569ea
SHA512bfdf4939a1635a638a1445132a27483e3fa5413e5a5dd87e8ecf6306774e8e20afb44f0b0b3a6a16fbf52aeb44e4ff91e0433e3ad1be7c997c67bf5e036a7d85
-
Filesize
1KB
MD58f3588ab2432d9ba18d378cdc45d5784
SHA11f7c236195b594d50cd46c6866baf19146080d9d
SHA2563fe5dbfeb226d73efe3501d5090b6e1959967236dba89039afeca4b50483c3c0
SHA51267e6466ed3302eb38d18a922ce5795fd9845bfe39adf319b92643047ac7f834cf7407c6b3307a89d3fe12f2358856887b041acc7cc8c71d262a0a201f1227135
-
Filesize
1KB
MD5885d6dd30570594e167fadb59d9ca0ea
SHA19981e583644c4eb9cf5056615a0e1c2913c8983b
SHA2567155bc082d1713d77c2797575ee0ade8467fb7012f5376c1d6f4aa618141a7d2
SHA5121623218143c2c25a7c85fa9da8e0f251f04a5eb848c4d0aa10bfb78688518b82393a2b3c7f287a9dc06a366ef9f46d0d4e2d246ad4cef4554a74c0bb6ff9dd2a
-
Filesize
156KB
MD58f4d07c6b62acf696fe4aef50c563d4c
SHA11e8084c0f5efe4ef30fe8c29cdc70fbe150b6aa7
SHA25685170c50e8284a2edb8cbeae0bbe3b953c4ac4b83ff3795c232db1bef018f7da
SHA5126e4376a6dfa5c9aa2aa8d1612a751ebd26299e886bb3a37f4e16ed102b1884729427faed423a740e33a7ece18698000204f130702b200fb8e6ae219dbba47474
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
304KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
624KB
-
Filesize
4.8MB
-
Filesize
9.6MB
-
Filesize
664KB