nanocore | 219d74704d5161e7885512a94bf8c8d01561e1314619147be5daecc6c12f0f3c

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-06-2024 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kittys.exe
Size

671KB
MD5

941eca130a778ffce73956131c874bd1
SHA1

3ef17bcccab78161a0a0b6232e95fa26230c384a
SHA256

219d74704d5161e7885512a94bf8c8d01561e1314619147be5daecc6c12f0f3c
SHA512

1ee8722506771b03accc17da06593b2524ceb883409a5a70c0d1d9728727ac5a74f0819e0f2e3ff45e7c449edbbd1a20006e3d8e76d5be638bca45c77ad9f652
SSDEEP

12288:HLV6BtpmkESwAJ8VAMj6Uf5DwfzcEu54gIdlsI14/uMhrj6zTP3yF2BdY:rApfESwy8V665DwfzcEu54Vn1S3VsL3U

Score

10^/10

nanocore evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

kittys.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NAS Host = "C:\\Program Files (x86)\\NAS Host\\nashost.exe" kittys.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

kittys.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA kittys.exe
Drops file in Program Files directory 2 IoCs

Processes:

kittys.exe

description ioc process

File created C:\Program Files (x86)\NAS Host\nashost.exe kittys.exe
File opened for modification C:\Program Files (x86)\NAS Host\nashost.exe kittys.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2212 schtasks.exe
3048 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

kittys.exe

pid process

2820 kittys.exe
2820 kittys.exe
2820 kittys.exe
2820 kittys.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

kittys.exe

pid process

2820 kittys.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

kittys.exe

description pid process

Token: SeDebugPrivilege 2820 kittys.exe
Token: SeDebugPrivilege 2820 kittys.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NAS Host = "C:\\Program Files (x86)\\NAS Host\\nashost.exe"	kittys.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	kittys.exe

description	ioc	process
File created	C:\Program Files (x86)\NAS Host\nashost.exe	kittys.exe
File opened for modification	C:\Program Files (x86)\NAS Host\nashost.exe	kittys.exe

pid	process
2212	schtasks.exe
3048	schtasks.exe

pid	process
2820	kittys.exe
2820	kittys.exe
2820	kittys.exe
2820	kittys.exe

pid	process
2820	kittys.exe

description	pid	process
Token: SeDebugPrivilege	2820	kittys.exe
Token: SeDebugPrivilege	2820	kittys.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

kittys.exe

description	pid	process	target process
PID 2820 wrote to memory of 2212	2820	kittys.exe	schtasks.exe
PID 2820 wrote to memory of 2212	2820	kittys.exe	schtasks.exe
PID 2820 wrote to memory of 2212	2820	kittys.exe	schtasks.exe
PID 2820 wrote to memory of 2212	2820	kittys.exe	schtasks.exe
PID 2820 wrote to memory of 3048	2820	kittys.exe	schtasks.exe
PID 2820 wrote to memory of 3048	2820	kittys.exe	schtasks.exe
PID 2820 wrote to memory of 3048	2820	kittys.exe	schtasks.exe
PID 2820 wrote to memory of 3048	2820	kittys.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\kittys.exe
"C:\Users\Admin\AppData\Local\Temp\kittys.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NAS Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp256B.tmp"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NAS Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2618.tmp"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:3048

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp256B.tmp
Filesize
1KB

MD5
2ca7f7b3b2a84ff70a4c8e0db6ef6662

SHA1
2e7c298ee0ba72b119b691fc071beab10925b3e5

SHA256
83f3136dce0c0baa7a52658944206cc4ba7d5efa84038452bff64bbd46023598

SHA512
c9f7910f2c720abf833888097982f5834dbb8524039dbaa3145b4fa36db0d11fe1f1dbfbf20def88536523349e94d47dc2c6e5ccf2ed906930a3f8294f983f50

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2618.tmp
Filesize
1KB

MD5
9f554f602c22cfc20079e966d177fadb

SHA1
789baa3425849bf239e47c6bcf352e6693a8c337

SHA256
4c760d5fe0c06cf4bf554170870f41181c61a217c37eb826903094dda86dd1f1

SHA512
b83e3e97dbe38ec4c64d9bef65e2521416f2d7434d78d05e66f729a2e0fbfea3f9bc6f6c4abaf76555af89a9565dfc0853d99067be9042dd66ed6246696eecbb

Download Submit
memory/2820-0-0x0000000074C51000-0x0000000074C52000-memory.dmp

Filesize
4KB

Download
memory/2820-1-0x0000000074C50000-0x00000000751FB000-memory.dmp

Filesize
5.7MB

Download
memory/2820-2-0x0000000074C50000-0x00000000751FB000-memory.dmp

Filesize
5.7MB

Download
memory/2820-10-0x0000000074C50000-0x00000000751FB000-memory.dmp

Filesize
5.7MB

Download