Malware Analysis Report

2025-08-10 19:46

Sample ID 221114-mq39hsgg62
Target P.O. DARLLY-029-11-2022,pdf.exe
SHA256 c0cc05dd4b5399522304d246e3cd7cdd017f36699678e62a83fb30cf44979dbb
Tags
nanocore evasion keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c0cc05dd4b5399522304d246e3cd7cdd017f36699678e62a83fb30cf44979dbb

Threat Level: Known bad

The file P.O. DARLLY-029-11-2022,pdf.exe was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

NanoCore

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Program Files directory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-14 10:41

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-14 10:41

Reported

2022-11-14 10:43

Platform

win10v2004-20220812-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Host = "C:\\Program Files (x86)\\DDP Host\\ddphost.exe" | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3144 set thread context of 3636 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\DDP Host\ddphost.exe | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A
File opened for modification | C:\Program Files (x86)\DDP Host\ddphost.exe | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3144 wrote to memory of 3636 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe
PID 3144 wrote to memory of 3636 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe
PID 3144 wrote to memory of 3636 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe
PID 3144 wrote to memory of 3636 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe
PID 3144 wrote to memory of 3636 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe
PID 3144 wrote to memory of 3636 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe
PID 3144 wrote to memory of 3636 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe
PID 3144 wrote to memory of 3636 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe
PID 3636 wrote to memory of 3432 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3636 wrote to memory of 3432 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3636 wrote to memory of 3432 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3636 wrote to memory of 2260 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3636 wrote to memory of 2260 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3636 wrote to memory of 2260 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe

"C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe"

C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe

"C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DDP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4C7A.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DDP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp54B8.tmp"

Network

Country | Destination | Domain | Proto
N/A | 95.101.78.106:80 | | tcp
N/A | 93.184.220.29:80 | | tcp
N/A | 20.44.10.122:443 | | tcp
N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp
N/A | 8.8.4.4:53 | albertsamco76.ddns.net | udp
N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp
N/A | 104.110.191.133:80 | | tcp
N/A | 104.110.191.133:80 | | tcp
N/A | 104.110.191.133:80 | | tcp
N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp
N/A | 8.8.4.4:53 | albertsamco76.ddns.net | udp
N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp
N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp
N/A | 8.8.4.4:53 | albertsamco76.ddns.net | udp
N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp
N/A | 79.134.225.71:7480 | | tcp
N/A | 79.134.225.71:7480 | | tcp
N/A | 79.134.225.71:7480 | | tcp
N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp
N/A | 8.8.4.4:53 | albertsamco76.ddns.net | udp
N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp
N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp
N/A | 8.8.4.4:53 | albertsamco76.ddns.net | udp
N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp
N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp
N/A | 8.8.4.4:53 | albertsamco76.ddns.net | udp
N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp
N/A | 79.134.225.71:7480 | | tcp
N/A | 79.134.225.71:7480 | | tcp
N/A | 79.134.225.71:7480 | | tcp
N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp
N/A | 8.8.4.4:53 | albertsamco76.ddns.net | udp
N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp
N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp
N/A | 8.8.4.4:53 | albertsamco76.ddns.net | udp
N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp

Files

memory/3144-132-0x0000000000FF0000-0x0000000001098000-memory.dmp

memory/3144-133-0x0000000005FD0000-0x0000000006574000-memory.dmp

memory/3144-134-0x0000000005AC0000-0x0000000005B52000-memory.dmp

memory/3144-135-0x0000000005A50000-0x0000000005A5A000-memory.dmp

memory/3144-136-0x00000000096E0000-0x000000000977C000-memory.dmp

memory/3636-137-0x0000000000000000-mapping.dmp

memory/3636-138-0x0000000000400000-0x000000000043A000-memory.dmp

memory/3432-139-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp4C7A.tmp

MD5 ddba6df11ce0826c227768ada6246301
SHA1 460842f994327b94ba2f9ba8393c23440e785609
SHA256 1a5cf1a672396a05694b122b4c4be02e61b5409ab1e8af41c63182ecae0204d4
SHA512 9c3ac8562b9c4772692ca474c677bef70543929b346e653544d5a7bb94e093d5a60494fad3a1712ef8c7da4b488852321227583e135544696f655c19b11d3d79

memory/2260-141-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp54B8.tmp

MD5 2271642ca970891700e3f48439739ed8
SHA1 cd472df2349f7db9e1e460d0ee28acd97b8a8793
SHA256 7aba66abbcb0b13455609174db23aed495a9adbef0e0acd28baa9c92445eda68
SHA512 4669a4ef8ec28cdb852ffc1401576b1bf9a9d837797d7d92bc88c18b3097404f36854e50167b309706fef400cabc43c876569ce2797ba85eb169a2783b8fe807

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-14 10:41

Reported

2022-11-14 10:43

Platform

win7-20220812-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Monitor = "C:\\Program Files (x86)\\NTFS Monitor\\ntfsmon.exe" | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1756 set thread context of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A
File opened for modification | C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1756 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe
PID 1756 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe
PID 1756 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe
PID 1756 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe
PID 1756 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe
PID 1756 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe
PID 1756 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe
PID 1756 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe
PID 1756 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe
PID 2012 wrote to memory of 276 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2012 wrote to memory of 276 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2012 wrote to memory of 276 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2012 wrote to memory of 276 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2012 wrote to memory of 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2012 wrote to memory of 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2012 wrote to memory of 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2012 wrote to memory of 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe

"C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe"

C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe

"C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "NTFS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDEEB.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "NTFS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE024.tmp"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp
N/A | 8.8.4.4:53 | albertsamco76.ddns.net | udp
N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp
N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp
N/A | 8.8.4.4:53 | albertsamco76.ddns.net | udp
N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp
N/A | 8.8.4.4:53 | albertsamco76.ddns.net | udp
N/A | 79.134.225.71:7480 | | tcp
N/A | 79.134.225.71:7480 | | tcp
N/A | 79.134.225.71:7480 | | tcp
N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp
N/A | 8.8.4.4:53 | albertsamco76.ddns.net | udp
N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp
N/A | 8.8.4.4:53 | albertsamco76.ddns.net | udp
N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp
N/A | 8.8.4.4:53 | albertsamco76.ddns.net | udp
N/A | 79.134.225.71:7480 | | tcp
N/A | 79.134.225.71:7480 | | tcp
N/A | 79.134.225.71:7480 | | tcp
N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp
N/A | 8.8.4.4:53 | albertsamco76.ddns.net | udp

Files

memory/1756-54-0x0000000000E10000-0x0000000000EB8000-memory.dmp

memory/1756-55-0x0000000076871000-0x0000000076873000-memory.dmp

memory/1756-56-0x00000000004F0000-0x0000000000508000-memory.dmp

memory/1756-57-0x0000000000480000-0x000000000048C000-memory.dmp

memory/1756-58-0x0000000007EE0000-0x0000000007F6A000-memory.dmp

memory/1756-59-0x0000000000DB0000-0x0000000000DFE000-memory.dmp

memory/2012-60-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2012-61-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2012-63-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2012-64-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2012-66-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2012-67-0x000000000041E792-mapping.dmp

memory/2012-69-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2012-71-0x0000000000400000-0x000000000043A000-memory.dmp

memory/276-73-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpDEEB.tmp

MD5 ddba6df11ce0826c227768ada6246301
SHA1 460842f994327b94ba2f9ba8393c23440e785609
SHA256 1a5cf1a672396a05694b122b4c4be02e61b5409ab1e8af41c63182ecae0204d4
SHA512 9c3ac8562b9c4772692ca474c677bef70543929b346e653544d5a7bb94e093d5a60494fad3a1712ef8c7da4b488852321227583e135544696f655c19b11d3d79

memory/1312-75-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE024.tmp

MD5 981e126601526eaa5b0ad45c496c4465
SHA1 d610d6a21a8420cc73fcd3e54ddae75a5897b28b
SHA256 11ae277dfa39e7038b782ca6557339e7fe88533fe83705c356a1500a1402d527
SHA512 a59fb704d931ccb7e1ec1a7b98e24ccd8708be529066c6de4b673098cdebef539f7f50d9e051c43954b5a8e7f810862b3a4ede170f131e080dadc3e763ed4bdb

memory/2012-77-0x00000000003D0000-0x00000000003DA000-memory.dmp

memory/2012-78-0x00000000003E0000-0x00000000003FE000-memory.dmp

memory/2012-79-0x00000000004C0000-0x00000000004CA000-memory.dmp