Analysis
max time kernel: 148s
max time network: 133s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 25-10-2024 00:22
Static task: static1
Behavioral task: behavioral1
Sample: 2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe
Resource: win7-20240708-en
General
Target: 2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe
Size: 2.1MB
MD5: 5f6b7ad587ec1fe9c1afdfb1bc12463a
SHA1: b53bc71f7e1bb23378c18856cc038c6522cd1441
SHA256: 80518576d0012cbaafa633be79c472de9fb46c0484cd238c8d8cb0d7f2dac02d
SHA512: bf11b1199950cc9d3f7444e22050ab424add02b663cf7c034fb9c27ba0428ee4f4866d89081eea9103ffc9eec6ce0bb7c6a5cd926f2b9d6ed4a51288ff902b24
SSDEEP: 24576:dYDqXSb84KRDMNR9r0hLxAnLGzOnqNDD+tJjEYGpUU3e4q+CjL71FL38D1PKMeY8:dYJr0G2xYGpUMqv38D1rUdFmH4
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
C2: pkaraven.ddns.net:8282, 127.0.0.1:8282
Mutex: 5d3aa83f-9e45-499f-aac7-e76ef2b005e8
Attributes:
activate_away_mode: true
backup_connection_host: 127.0.0.1
backup_dns_server: 37.235.1.177
buffer_size: 65535
build_time: 2024-07-30T21:10:14.350969836Z
bypass_user_account_control: true
bypass_user_account_control_data:
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 8282
default_group: ANNEX1
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 5d3aa83f-9e45-499f-aac7-e76ef2b005e8
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: pkaraven.ddns.net
primary_dns_server: 37.235.1.174
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Command and Scripting Interpreter: PowerShell (1 TTPs, 5 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
1592 | powershell.exe
1908 | powershell.exe
2680 | powershell.exe
2600 | powershell.exe
2680 | powershell.exe

Drops startup file (1 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6a4b671bb78e5c6f.exe | 2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe

Executes dropped EXE (2 IoCs)
pid | Process
2768 | 6a4b671bb78e5c6f.exe
2352 | 6a4b671bb78e5c6f.exe

Loads dropped DLL (2 IoCs)
pid | Process
2280 | 2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe
2280 | 2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe

Unexpected DNS network traffic destination (6 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description | ioc
Destination IP | 37.235.1.174
Destination IP | 37.235.1.174
Destination IP | 37.235.1.174
Destination IP | 37.235.1.177
Destination IP | 37.235.1.177
Destination IP | 37.235.1.177

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PCI Manager = "C:\\Program Files (x86)\\PCI Manager\\pcimgr.exe" | 6a4b671bb78e5c6f.exe

Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 6a4b671bb78e5c6f.exe

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 2768 set thread context of 2352 | 2768 | 6a4b671bb78e5c6f.exe | 41

Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\PCI Manager\pcimgr.exe | 6a4b671bb78e5c6f.exe
File opened for modification | C:\Program Files (x86)\PCI Manager\pcimgr.exe | 6a4b671bb78e5c6f.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6a4b671bb78e5c6f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6a4b671bb78e5c6f.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1004 | schtasks.exe

Suspicious behavior: EnumeratesProcesses (11 IoCs)
pid | Process
2680 | powershell.exe
2680 | powershell.exe
2680 | powershell.exe
2600 | powershell.exe
2768 | 6a4b671bb78e5c6f.exe
1592 | powershell.exe
1908 | powershell.exe
2768 | 6a4b671bb78e5c6f.exe
2352 | 6a4b671bb78e5c6f.exe
2352 | 6a4b671bb78e5c6f.exe
2352 | 6a4b671bb78e5c6f.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
2352 | 6a4b671bb78e5c6f.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2680 | powershell.exe
Token: SeDebugPrivilege | 2600 | powershell.exe
Token: SeDebugPrivilege | 2768 | 6a4b671bb78e5c6f.exe
Token: SeDebugPrivilege | 1592 | powershell.exe
Token: SeDebugPrivilege | 1908 | powershell.exe
Token: SeDebugPrivilege | 2352 | 6a4b671bb78e5c6f.exe

Suspicious use of WriteProcessMemory (33 IoCs)
description | pid | Process | procid_target
PID 2280 wrote to memory of 2680 | 2280 | 2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe | 30
PID 2280 wrote to memory of 2680 | 2280 | 2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe | 30
PID 2280 wrote to memory of 2680 | 2280 | 2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe | 30
PID 2280 wrote to memory of 2680 | 2280 | 2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe | 30
PID 2280 wrote to memory of 2768 | 2280 | 2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe | 32
PID 2280 wrote to memory of 2768 | 2280 | 2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe | 32
PID 2280 wrote to memory of 2768 | 2280 | 2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe | 32
PID 2280 wrote to memory of 2768 | 2280 | 2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe | 32
PID 2680 wrote to memory of 2600 | 2680 | powershell.exe | 33
PID 2680 wrote to memory of 2600 | 2680 | powershell.exe | 33
PID 2680 wrote to memory of 2600 | 2680 | powershell.exe | 33
PID 2680 wrote to memory of 2600 | 2680 | powershell.exe | 33
PID 2768 wrote to memory of 1592 | 2768 | 6a4b671bb78e5c6f.exe | 35
PID 2768 wrote to memory of 1592 | 2768 | 6a4b671bb78e5c6f.exe | 35
PID 2768 wrote to memory of 1592 | 2768 | 6a4b671bb78e5c6f.exe | 35
PID 2768 wrote to memory of 1592 | 2768 | 6a4b671bb78e5c6f.exe | 35
PID 2768 wrote to memory of 1908 | 2768 | 6a4b671bb78e5c6f.exe | 37
PID 2768 wrote to memory of 1908 | 2768 | 6a4b671bb78e5c6f.exe | 37
PID 2768 wrote to memory of 1908 | 2768 | 6a4b671bb78e5c6f.exe | 37
PID 2768 wrote to memory of 1908 | 2768 | 6a4b671bb78e5c6f.exe | 37
PID 2768 wrote to memory of 1004 | 2768 | 6a4b671bb78e5c6f.exe | 38
PID 2768 wrote to memory of 1004 | 2768 | 6a4b671bb78e5c6f.exe | 38
PID 2768 wrote to memory of 1004 | 2768 | 6a4b671bb78e5c6f.exe | 38
PID 2768 wrote to memory of 1004 | 2768 | 6a4b671bb78e5c6f.exe | 38
PID 2768 wrote to memory of 2352 | 2768 | 6a4b671bb78e5c6f.exe | 41
PID 2768 wrote to memory of 2352 | 2768 | 6a4b671bb78e5c6f.exe | 41
PID 2768 wrote to memory of 2352 | 2768 | 6a4b671bb78e5c6f.exe | 41
PID 2768 wrote to memory of 2352 | 2768 | 6a4b671bb78e5c6f.exe | 41
PID 2768 wrote to memory of 2352 | 2768 | 6a4b671bb78e5c6f.exe | 41
PID 2768 wrote to memory of 2352 | 2768 | 6a4b671bb78e5c6f.exe | 41
PID 2768 wrote to memory of 2352 | 2768 | 6a4b671bb78e5c6f.exe | 41
PID 2768 wrote to memory of 2352 | 2768 | 6a4b671bb78e5c6f.exe | 41
PID 2768 wrote to memory of 2352 | 2768 | 6a4b671bb78e5c6f.exe | 41
Processes

[1] C:\Users\Admin\AppData\Local\Temp\2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe"
    PID: 2280
    - Drops startup file
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -Command " do { $process = Start-Process powershell -ArgumentList '-Command Add-MpPreference -ExclusionPath \"C:\Users\"' -Verb runas -PassThru -WindowStyle Hidden -Wait -ErrorAction SilentlyContinue } while ($null -eq $process) "
        PID: 2680
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\Users"
            PID: 2600
            - Command and Scripting Interpreter: PowerShell
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6a4b671bb78e5c6f.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6a4b671bb78e5c6f.exe"
        PID: 2768
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6a4b671bb78e5c6f.exe"
            PID: 1592
            - Command and Scripting Interpreter: PowerShell
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FhRoTtY.exe"
            PID: 1908
            - Command and Scripting Interpreter: PowerShell
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FhRoTtY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9685.tmp"
            PID: 1004
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task

        [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6a4b671bb78e5c6f.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6a4b671bb78e5c6f.exe"
            PID: 2352
            - Executes dropped EXE
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops file in Program Files directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v15

Execution
  Command and Scripting Interpreter (1): PowerShell (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Downloads

Filesize: 1KB
MD5: 9e56e5eae8b3b8ba05822ea1c7de8b1b
SHA1: 89e344ab0f8835ca84771b86f163b29d27d59f48
SHA256: f6d4cff1e9bda290ef84ca16b70846975b4605b5fbcf29859e6ac7b171ad0ba4
SHA512: 5640d6613e767ddd8e3b797dedf8fd994022ae293daa939e0266b6a5a6596d74a7c809fe86f452fb0764b3eb3174278dd182f98c947bb5a75eb6ef1a905ae888

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HOAFH7AZ1HD2B30RSJ84.temp
Filesize: 7KB
MD5: e4107ae6e06e63757c370646653d7f30
SHA1: fcda48b76e5c01fd5d7b4ff0b81c3fb045678595
SHA256: 27798648ae5fc6caa834fd964215a969b645308a701c0819523ab564f8c7735e
SHA512: e89c4e8cbd045ec069c6015f7fd9c09ed22e9bbc00f2d68f45b3f8d0f40155bf22bf840b3eaa33c2753bfb78bb00d6a6c3fdd9bd8fc862b3994d5c50068f20ad

Filesize: 626KB
MD5: 24c2f611285e2c29daeffd1181ff3953
SHA1: ba06d339dde1450b93767d414c325a69bee89155
SHA256: dd5a5fb1f821117c4d9c324fabb8454614a44b78f8ece89ff22ae90b8c9f3c8a
SHA512: 6ed857ae392d1a33c69906b4d62750d9bbd1349de231a666afbc4ea74ba25c8955517a8e0a2e6e2d9f95bb3f06d5adbf3b1db3df0b0fdc44ccae094a8bde21c1