nanocore | ceb348dfa61b34bebce021fa783b0afdb874ea7205f75e7fb42b01898439be75

Resubmissions

13-12-2024 17:44

241213-wbgxeaxphq 10

13-12-2024 17:15

241213-vsrmhavpgs 10

13-12-2024 17:14

241213-vshdtsxjhl 10

13-12-2024 17:13

241213-vrge5svpc1 10

Analysis

max time kernel
725s
max time network
616s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-12-2024 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NanoCore 1.2.2.0_Cracked By Alcatraz3222/ServerPlugin.dll
Size

28KB
MD5

952c62ec830c63380beb72ad923d35dc
SHA1

6700baa1fb1877129e79402dfe237f0b84221b69
SHA256

2e5fbfb7932b117a2f6093dc346cdee4a5702e39739d9c40d27bfd1580f6f0d7
SHA512

5dc19d7d6ab7670ded766f357e481328c8df4a96ac3c2a00194a5ccea8c34bca0e34cfea3d9d17934db384d302446be2fec9853438371561d70580665bffe121
SSDEEP

384:7LmAEURVWGSCyo6/NLoqwXEsZmLTdFuoKy:vm1izOlg0ZKy

Score

10^/10

nanocore discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

10.127.0.101:54984

Mutex

18fe6997-f24c-4ede-8562-23db3cd75697

Attributes

activate_away_mode
true
backup_connection_host
10.127.0.101
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-09-24T19:11:11.405145136Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
54984
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
18fe6997-f24c-4ede-8562-23db3cd75697
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
primary_dns_server
8.8.8.8
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Executes dropped EXE 3 IoCs

pid	Process
2880	Alcatraz3222.exe
2400	Alcatraz3222.exe
2308	Alcatraz3222.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Manager = "C:\\Program Files (x86)\\DHCP Manager\\dhcpmgr.exe"	Alcatraz3222.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Alcatraz3222.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\DHCP Manager\dhcpmgr.exe	Alcatraz3222.exe
File created	C:\Program Files (x86)\DHCP Manager\dhcpmgr.exe	Alcatraz3222.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alcatraz3222.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alcatraz3222.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alcatraz3222.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1776	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
980	ipconfig.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1776	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3056	schtasks.exe
2384	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2828	chrome.exe
2828	chrome.exe
2880	Alcatraz3222.exe
2880	Alcatraz3222.exe
2880	Alcatraz3222.exe
2880	Alcatraz3222.exe
2880	Alcatraz3222.exe
2880	Alcatraz3222.exe
2880	Alcatraz3222.exe
2880	Alcatraz3222.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2880	Alcatraz3222.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe
Token: SeShutdownPrivilege	2828	chrome.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2068	7zG.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe
2828	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 2868	2828	chrome.exe	32
PID 2828 wrote to memory of 2868	2828	chrome.exe	32
PID 2828 wrote to memory of 2868	2828	chrome.exe	32
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 992	2828	chrome.exe	34
PID 2828 wrote to memory of 2108	2828	chrome.exe	35
PID 2828 wrote to memory of 2108	2828	chrome.exe	35
PID 2828 wrote to memory of 2108	2828	chrome.exe	35
PID 2828 wrote to memory of 2680	2828	chrome.exe	36
PID 2828 wrote to memory of 2680	2828	chrome.exe	36
PID 2828 wrote to memory of 2680	2828	chrome.exe	36
PID 2828 wrote to memory of 2680	2828	chrome.exe	36
PID 2828 wrote to memory of 2680	2828	chrome.exe	36
PID 2828 wrote to memory of 2680	2828	chrome.exe	36
PID 2828 wrote to memory of 2680	2828	chrome.exe	36
PID 2828 wrote to memory of 2680	2828	chrome.exe	36
PID 2828 wrote to memory of 2680	2828	chrome.exe	36
PID 2828 wrote to memory of 2680	2828	chrome.exe	36
PID 2828 wrote to memory of 2680	2828	chrome.exe	36
PID 2828 wrote to memory of 2680	2828	chrome.exe	36
PID 2828 wrote to memory of 2680	2828	chrome.exe	36
PID 2828 wrote to memory of 2680	2828	chrome.exe	36
PID 2828 wrote to memory of 2680	2828	chrome.exe	36
PID 2828 wrote to memory of 2680	2828	chrome.exe	36
PID 2828 wrote to memory of 2680	2828	chrome.exe	36
PID 2828 wrote to memory of 2680	2828	chrome.exe	36
PID 2828 wrote to memory of 2680	2828	chrome.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\NanoCore 1.2.2.0_Cracked By Alcatraz3222\ServerPlugin.dll",#1
1⤵
PID:2352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6969758,0x7fef6969768,0x7fef6969778
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1176 --field-trial-handle=1240,i,4287629427571719180,6014470783616569566,131072 /prefetch:2
  2⤵
  PID:992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1240,i,4287629427571719180,6014470783616569566,131072 /prefetch:8
  2⤵
  PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 --field-trial-handle=1240,i,4287629427571719180,6014470783616569566,131072 /prefetch:8
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2156 --field-trial-handle=1240,i,4287629427571719180,6014470783616569566,131072 /prefetch:1
  2⤵
  PID:968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2164 --field-trial-handle=1240,i,4287629427571719180,6014470783616569566,131072 /prefetch:1
  2⤵
  PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1560 --field-trial-handle=1240,i,4287629427571719180,6014470783616569566,131072 /prefetch:2
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2992 --field-trial-handle=1240,i,4287629427571719180,6014470783616569566,131072 /prefetch:1
  2⤵
  PID:2604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3696 --field-trial-handle=1240,i,4287629427571719180,6014470783616569566,131072 /prefetch:8
  2⤵
  PID:900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3732 --field-trial-handle=1240,i,4287629427571719180,6014470783616569566,131072 /prefetch:1
  2⤵
  PID:2148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 --field-trial-handle=1240,i,4287629427571719180,6014470783616569566,131072 /prefetch:8
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2484 --field-trial-handle=1240,i,4287629427571719180,6014470783616569566,131072 /prefetch:8
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3828 --field-trial-handle=1240,i,4287629427571719180,6014470783616569566,131072 /prefetch:8
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3980 --field-trial-handle=1240,i,4287629427571719180,6014470783616569566,131072 /prefetch:8
  2⤵
  PID:2608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=1120 --field-trial-handle=1240,i,4287629427571719180,6014470783616569566,131072 /prefetch:1
  2⤵
  PID:2860

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3060

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap23157:86:7zEvent20105
1⤵
- Suspicious use of FindShellTrayWindow
PID:2068

C:\Users\Admin\Desktop\Alcatraz3222.exe
"C:\Users\Admin\Desktop\Alcatraz3222.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
PID:2880
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "DHCP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9982.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3056
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /create /f /tn "DHCP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9A0F.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2384

C:\Users\Admin\Desktop\Alcatraz3222.exe
"C:\Users\Admin\Desktop\Alcatraz3222.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2400

C:\Users\Admin\Desktop\Alcatraz3222.exe
"C:\Users\Admin\Desktop\Alcatraz3222.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2308

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:2856
- C:\Windows\system32\ipconfig.exe
  ipconfig
  2⤵
  - Gathers network information
  PID:980
- C:\Windows\system32\PING.EXE
  ping 10.127.0.101
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\70739482-ef67-4ec6-bcc8-67b63e44b0db.tmp

Filesize
346KB

MD5
087b04a510c9bd7a6315dc28a6ec7eb4

SHA1
cec47b82a41f31a7afaa9c066e726af6bf516960

SHA256
5ae0b9ac95a178aa16145a7cd3a8b90cd882546e2c7a648abaf89fedcc92ceff

SHA512
ff5bc7eccaa86e7a859ed8b880949d8a9cdb5dd85a1b2311684f59523ff1c87289feb7c1d7d6c55e6a176d616e1f336c74da41644b346261ca7026a8883a3a5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
36b8c10f99f044840d0739dd1879ef47

SHA1
fe4696f813f3768e6fe7951dd7f1cbbd99e25090

SHA256
f6acf58c2747f35291b08bf0784e88c08b9653008db565d0a814f2b24f528212

SHA512
013f284d20b0f6854f0e2672ee795f762aa2c867efd031a51d2cfa31ce4d0cf01e3fcb11c12ba22c71dfa2ee0362f54055baae7777e47a3cff6734d3ca78dd1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
c70ed8bd87ed0fa04b071cf28a861b73

SHA1
99e1d1c6cbc38d447d786a0f47bca8ca673eecbb

SHA256
d430d99c5d0a1d4bfb1f72943d33212b647a86994199280c0ff22bb71adf9183

SHA512
2193d91906d525b52913d7602c03a551c6a1e82db14ac11393d2cc0d216bc055ab4b8f8ae60a206f0caa3691d83e96d165776280f8eba9bb920c7d6abb520bba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
45822ba3931168e4aa51e527228a37cc

SHA1
728a07abe8bb27176950abab8667201ed0fe4d1c

SHA256
95abb5f7850e091540d1b6506e9c878e11073729ee87c24a4dbf9395cad706ba

SHA512
dacba78af45c463d49d6ce6eb406b74fa320680b48f6fb141c87b36746c72aa59b94b2269cb16940dd32e02f3ee1b5d965fac797b28f548ae0fcc6f0aaf309e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
170KB

MD5
5e19e62a6d6c94511bde570dac617d92

SHA1
4ce2ff37c7ef6237385834024435445ab5eaa582

SHA256
45a3525ed4c14dd24894f9bd141c193b1576a89267f7713fada65f963c2ef5bb

SHA512
4fb8f807b44f54229adcc93999c912a4708d1734acdd293f1f7430d33049c91b00e2c85298fc3de154e7ede4857412d74107b7425a0160de051619c08ac82c78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
346KB

MD5
608b18aac6f092868db317646785afc9

SHA1
ed1db1c9d4dc9185a2c45e51a8aaab261dc3dda0

SHA256
88be1fc44dac415e863ec97ae5efd5e14e4f596357c13a2c2f9dee8e2f641b43

SHA512
7678aabc44557685dfa762a675a3d61a79d39c5dcd3f6d46f9a50feaa42697bc189f83f1dde9f026d37aebc2adee84e52ec7be906adc4757050e0556555263e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9982.tmp

Filesize
1KB

MD5
8f3588ab2432d9ba18d378cdc45d5784

SHA1
1f7c236195b594d50cd46c6866baf19146080d9d

SHA256
3fe5dbfeb226d73efe3501d5090b6e1959967236dba89039afeca4b50483c3c0

SHA512
67e6466ed3302eb38d18a922ce5795fd9845bfe39adf319b92643047ac7f834cf7407c6b3307a89d3fe12f2358856887b041acc7cc8c71d262a0a201f1227135

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9A0F.tmp

Filesize
1KB

MD5
cdf5683344404764a0f3592e9db8a5a1

SHA1
6705943b404de237cdd7080c05af25e2b1b6410c

SHA256
1ea0af7c86be3e61c281ada0470c6dcf178834380def1903b5bb78b49440ffff

SHA512
23c56873ca8520784cc1d6b0b4211b373fff6fb429872932e5274801d3b9d786566877cd16d1ffa0adca8c7aebb0b935701a0c071073edfbdb319002f99a182b

Download Submit
C:\Users\Admin\Desktop\Alcatraz3222.exe

Filesize
203KB

MD5
af544346474589b80974bfe6d13f8002

SHA1
854fe87f8f778ba7b68e85deb90638ef11ec7e17

SHA256
1a426d8e4ed9e1a16a8eba3c3154aec0dc4f8ff8dca07767a4be7088a477c8ac

SHA512
9fe119583d33f0e99b8d05a19e5d37c7a16c6463efec32cc434ea3cc41e3a750d74a7c6876cf945eab7589305311008c849184107851995a98d2fcdb26a1f21b

Download Submit
C:\Users\Admin\Downloads\alcatraz3222.zip

Filesize
156KB

MD5
8f4d07c6b62acf696fe4aef50c563d4c

SHA1
1e8084c0f5efe4ef30fe8c29cdc70fbe150b6aa7

SHA256
85170c50e8284a2edb8cbeae0bbe3b953c4ac4b83ff3795c232db1bef018f7da

SHA512
6e4376a6dfa5c9aa2aa8d1612a751ebd26299e886bb3a37f4e16ed102b1884729427faed423a740e33a7ece18698000204f130702b200fb8e6ae219dbba47474

Download Submit
memory/2880-221-0x00000000744A1000-0x00000000744A2000-memory.dmp

Filesize
4KB

Download
memory/2880-222-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download
memory/2880-223-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download
memory/2880-231-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download
memory/2880-232-0x00000000744A0000-0x0000000074A4B000-memory.dmp

Filesize
5.7MB

Download