nanocore | 80518576d0012cbaafa633be79c472de9fb46c0484cd238c8d8cb0d7f2dac02d

Analysis

max time kernel
148s
max time network
133s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25-10-2024 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe
Size

2.1MB
MD5

5f6b7ad587ec1fe9c1afdfb1bc12463a
SHA1

b53bc71f7e1bb23378c18856cc038c6522cd1441
SHA256

80518576d0012cbaafa633be79c472de9fb46c0484cd238c8d8cb0d7f2dac02d
SHA512

bf11b1199950cc9d3f7444e22050ab424add02b663cf7c034fb9c27ba0428ee4f4866d89081eea9103ffc9eec6ce0bb7c6a5cd926f2b9d6ed4a51288ff902b24
SSDEEP

24576:dYDqXSb84KRDMNR9r0hLxAnLGzOnqNDD+tJjEYGpUU3e4q+CjL71FL38D1PKMeY8:dYJr0G2xYGpUMqv38D1rUdFmH4

Score

10^/10

nanocore discovery evasion execution keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

pkaraven.ddns.net:8282

127.0.0.1:8282

Mutex

5d3aa83f-9e45-499f-aac7-e76ef2b005e8

Attributes

activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
37.235.1.177
buffer_size
65535
build_time
2024-07-30T21:10:14.350969836Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
8282
default_group
ANNEX1
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
5d3aa83f-9e45-499f-aac7-e76ef2b005e8
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
pkaraven.ddns.net
primary_dns_server
37.235.1.174
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1592	powershell.exe
1908	powershell.exe
2680	powershell.exe
2600	powershell.exe
2680	powershell.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6a4b671bb78e5c6f.exe	2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe

Executes dropped EXE 2 IoCs

pid	Process
2768	6a4b671bb78e5c6f.exe
2352	6a4b671bb78e5c6f.exe

Loads dropped DLL 2 IoCs

pid	Process
2280	2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe
2280	2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe

Unexpected DNS network traffic destination 6 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	37.235.1.174
Destination IP	37.235.1.174
Destination IP	37.235.1.174
Destination IP	37.235.1.177
Destination IP	37.235.1.177
Destination IP	37.235.1.177

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PCI Manager = "C:\\Program Files (x86)\\PCI Manager\\pcimgr.exe"	6a4b671bb78e5c6f.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6a4b671bb78e5c6f.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2768 set thread context of 2352	2768	6a4b671bb78e5c6f.exe	41

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PCI Manager\pcimgr.exe	6a4b671bb78e5c6f.exe
File opened for modification	C:\Program Files (x86)\PCI Manager\pcimgr.exe	6a4b671bb78e5c6f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a4b671bb78e5c6f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a4b671bb78e5c6f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1004	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2680	powershell.exe
2680	powershell.exe
2680	powershell.exe
2600	powershell.exe
2768	6a4b671bb78e5c6f.exe
1592	powershell.exe
1908	powershell.exe
2768	6a4b671bb78e5c6f.exe
2352	6a4b671bb78e5c6f.exe
2352	6a4b671bb78e5c6f.exe
2352	6a4b671bb78e5c6f.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2352	6a4b671bb78e5c6f.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	2768	6a4b671bb78e5c6f.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	2352	6a4b671bb78e5c6f.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2680	2280	2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe	30
PID 2280 wrote to memory of 2680	2280	2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe	30
PID 2280 wrote to memory of 2680	2280	2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe	30
PID 2280 wrote to memory of 2680	2280	2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe	30
PID 2280 wrote to memory of 2768	2280	2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe	32
PID 2280 wrote to memory of 2768	2280	2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe	32
PID 2280 wrote to memory of 2768	2280	2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe	32
PID 2280 wrote to memory of 2768	2280	2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe	32
PID 2680 wrote to memory of 2600	2680	powershell.exe	33
PID 2680 wrote to memory of 2600	2680	powershell.exe	33
PID 2680 wrote to memory of 2600	2680	powershell.exe	33
PID 2680 wrote to memory of 2600	2680	powershell.exe	33
PID 2768 wrote to memory of 1592	2768	6a4b671bb78e5c6f.exe	35
PID 2768 wrote to memory of 1592	2768	6a4b671bb78e5c6f.exe	35
PID 2768 wrote to memory of 1592	2768	6a4b671bb78e5c6f.exe	35
PID 2768 wrote to memory of 1592	2768	6a4b671bb78e5c6f.exe	35
PID 2768 wrote to memory of 1908	2768	6a4b671bb78e5c6f.exe	37
PID 2768 wrote to memory of 1908	2768	6a4b671bb78e5c6f.exe	37
PID 2768 wrote to memory of 1908	2768	6a4b671bb78e5c6f.exe	37
PID 2768 wrote to memory of 1908	2768	6a4b671bb78e5c6f.exe	37
PID 2768 wrote to memory of 1004	2768	6a4b671bb78e5c6f.exe	38
PID 2768 wrote to memory of 1004	2768	6a4b671bb78e5c6f.exe	38
PID 2768 wrote to memory of 1004	2768	6a4b671bb78e5c6f.exe	38
PID 2768 wrote to memory of 1004	2768	6a4b671bb78e5c6f.exe	38
PID 2768 wrote to memory of 2352	2768	6a4b671bb78e5c6f.exe	41
PID 2768 wrote to memory of 2352	2768	6a4b671bb78e5c6f.exe	41
PID 2768 wrote to memory of 2352	2768	6a4b671bb78e5c6f.exe	41
PID 2768 wrote to memory of 2352	2768	6a4b671bb78e5c6f.exe	41
PID 2768 wrote to memory of 2352	2768	6a4b671bb78e5c6f.exe	41
PID 2768 wrote to memory of 2352	2768	6a4b671bb78e5c6f.exe	41
PID 2768 wrote to memory of 2352	2768	6a4b671bb78e5c6f.exe	41
PID 2768 wrote to memory of 2352	2768	6a4b671bb78e5c6f.exe	41
PID 2768 wrote to memory of 2352	2768	6a4b671bb78e5c6f.exe	41

C:\Users\Admin\AppData\Local\Temp\2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-25_5f6b7ad587ec1fe9c1afdfb1bc12463a_snatch.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command " do { $process = Start-Process powershell -ArgumentList '-Command Add-MpPreference -ExclusionPath \"C:\Users\"' -Verb runas -PassThru -WindowStyle Hidden -Wait -ErrorAction SilentlyContinue } while ($null -eq $process) "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\Users"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2600
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6a4b671bb78e5c6f.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6a4b671bb78e5c6f.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6a4b671bb78e5c6f.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1592
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FhRoTtY.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1908
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FhRoTtY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9685.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1004
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6a4b671bb78e5c6f.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6a4b671bb78e5c6f.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9685.tmp

Filesize
1KB

MD5
9e56e5eae8b3b8ba05822ea1c7de8b1b

SHA1
89e344ab0f8835ca84771b86f163b29d27d59f48

SHA256
f6d4cff1e9bda290ef84ca16b70846975b4605b5fbcf29859e6ac7b171ad0ba4

SHA512
5640d6613e767ddd8e3b797dedf8fd994022ae293daa939e0266b6a5a6596d74a7c809fe86f452fb0764b3eb3174278dd182f98c947bb5a75eb6ef1a905ae888

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HOAFH7AZ1HD2B30RSJ84.temp

Filesize
7KB

MD5
e4107ae6e06e63757c370646653d7f30

SHA1
fcda48b76e5c01fd5d7b4ff0b81c3fb045678595

SHA256
27798648ae5fc6caa834fd964215a969b645308a701c0819523ab564f8c7735e

SHA512
e89c4e8cbd045ec069c6015f7fd9c09ed22e9bbc00f2d68f45b3f8d0f40155bf22bf840b3eaa33c2753bfb78bb00d6a6c3fdd9bd8fc862b3994d5c50068f20ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6a4b671bb78e5c6f.exe

Filesize
626KB

MD5
24c2f611285e2c29daeffd1181ff3953

SHA1
ba06d339dde1450b93767d414c325a69bee89155

SHA256
dd5a5fb1f821117c4d9c324fabb8454614a44b78f8ece89ff22ae90b8c9f3c8a

SHA512
6ed857ae392d1a33c69906b4d62750d9bbd1349de231a666afbc4ea74ba25c8955517a8e0a2e6e2d9f95bb3f06d5adbf3b1db3df0b0fdc44ccae094a8bde21c1

Download Submit
memory/2352-59-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/2352-46-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2352-48-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2352-60-0x0000000000A60000-0x0000000000A7E000-memory.dmp

Filesize
120KB

Download
memory/2352-50-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2352-52-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2352-53-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2352-61-0x00000000005D0000-0x00000000005DA000-memory.dmp

Filesize
40KB

Download
memory/2352-55-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2352-56-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2352-44-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2680-15-0x0000000071600000-0x0000000071BAB000-memory.dmp

Filesize
5.7MB

Download
memory/2680-25-0x0000000071600000-0x0000000071BAB000-memory.dmp

Filesize
5.7MB

Download
memory/2680-17-0x0000000071600000-0x0000000071BAB000-memory.dmp

Filesize
5.7MB

Download
memory/2680-16-0x0000000071600000-0x0000000071BAB000-memory.dmp

Filesize
5.7MB

Download
memory/2680-14-0x0000000071600000-0x0000000071BAB000-memory.dmp

Filesize
5.7MB

Download
memory/2680-13-0x0000000071601000-0x0000000071602000-memory.dmp

Filesize
4KB

Download
memory/2768-28-0x0000000005CB0000-0x0000000005D2A000-memory.dmp

Filesize
488KB

Download
memory/2768-27-0x0000000004DC0000-0x0000000004E00000-memory.dmp

Filesize
256KB

Download
memory/2768-26-0x000000007468E000-0x000000007468F000-memory.dmp

Filesize
4KB

Download
memory/2768-19-0x00000000003F0000-0x0000000000402000-memory.dmp

Filesize
72KB

Download
memory/2768-18-0x0000000004DC0000-0x0000000004E00000-memory.dmp

Filesize
256KB

Download
memory/2768-10-0x0000000001310000-0x00000000013B0000-memory.dmp

Filesize
640KB

Download
memory/2768-9-0x000000007468E000-0x000000007468F000-memory.dmp

Filesize
4KB

Download