Malware Analysis Report

2025-08-10 19:47

Sample ID 221114-xem39sch79
Target 85605a584d908e5a32d91767940f7aab.exe
SHA256 3f0a89e3647d4ff575fc0c8db1ea5e9f7dbf2c0041f90ec2ef26c7eab69b34f8
Tags
nanocore keylogger persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

3f0a89e3647d4ff575fc0c8db1ea5e9f7dbf2c0041f90ec2ef26c7eab69b34f8

Threat Level: Known bad

The file 85605a584d908e5a32d91767940f7aab.exe was found to be: Known bad.

Malicious Activity Summary

nanocore keylogger persistence spyware stealer trojan

NanoCore

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-14 18:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-14 18:46

Reported

2022-11-14 18:48

Platform

win7-20220812-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\85605a584d908e5a32d91767940f7aab.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Service = "C:\\Program Files (x86)\\SCSI Service\\scsisvc.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1100 set thread context of 2044 N/A C:\Users\Admin\AppData\Local\Temp\85605a584d908e5a32d91767940f7aab.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\SCSI Service\scsisvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File opened for modification C:\Program Files (x86)\SCSI Service\scsisvc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\85605a584d908e5a32d91767940f7aab.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1100 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\85605a584d908e5a32d91767940f7aab.exe C:\Windows\SysWOW64\schtasks.exe
PID 1100 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\85605a584d908e5a32d91767940f7aab.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\85605a584d908e5a32d91767940f7aab.exe

"C:\Users\Admin\AppData\Local\Temp\85605a584d908e5a32d91767940f7aab.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TztnPxRQQq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6817.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"{path}"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 maxlogs.webhop.me udp
N/A 79.134.225.69:1620 maxlogs.webhop.me tcp

Files

memory/1100-54-0x00000000012A0000-0x000000000138A000-memory.dmp

memory/1100-55-0x00000000763F1000-0x00000000763F3000-memory.dmp

memory/1100-56-0x00000000005D0000-0x00000000005E2000-memory.dmp

memory/1100-57-0x0000000005700000-0x000000000578C000-memory.dmp

memory/1100-58-0x0000000004CA0000-0x0000000004CDA000-memory.dmp

memory/1348-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp6817.tmp

MD5 dbad560061053f3ac9fdac7a020fd242
SHA1 fb1e829d9140aea21ac30bf6f29e8ce6f02a01db
SHA256 5b36c4b645ffada7f7f8e53cbbd2f64b22d997d4c4fe0632171c87e8e985724d
SHA512 dd65fe52bdd78f57528127dcee2eba0e484472188d824af606817e92733e2d31e8dc38f327953596bba0b1c7b8e8cfb0f8a1caf77e2a28cc8c076d068c3b59da

memory/2044-61-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2044-62-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2044-64-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2044-65-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2044-67-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2044-68-0x000000000041E792-mapping.dmp

memory/2044-70-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2044-72-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2044-74-0x00000000003E0000-0x00000000003EA000-memory.dmp

memory/2044-75-0x0000000000440000-0x000000000045E000-memory.dmp

memory/2044-76-0x00000000003F0000-0x00000000003FA000-memory.dmp

memory/2044-77-0x0000000004805000-0x0000000004816000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-14 18:46

Reported

2022-11-14 18:48

Platform

win10v2004-20220901-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\85605a584d908e5a32d91767940f7aab.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\85605a584d908e5a32d91767940f7aab.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Subsystem = "C:\\Program Files (x86)\\DHCP Subsystem\\dhcpss.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2696 set thread context of 4624 N/A C:\Users\Admin\AppData\Local\Temp\85605a584d908e5a32d91767940f7aab.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File opened for modification C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\85605a584d908e5a32d91767940f7aab.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2696 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\85605a584d908e5a32d91767940f7aab.exe C:\Windows\SysWOW64\schtasks.exe
PID 2696 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\85605a584d908e5a32d91767940f7aab.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\85605a584d908e5a32d91767940f7aab.exe

"C:\Users\Admin\AppData\Local\Temp\85605a584d908e5a32d91767940f7aab.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TztnPxRQQq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp271F.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"{path}"

Network

Country Destination Domain Proto
N/A 20.189.173.5:443 tcp
N/A 8.8.8.8:53 maxlogs.webhop.me udp
N/A 79.134.225.69:1620 maxlogs.webhop.me tcp
N/A 8.253.208.120:80 tcp

Files

memory/2696-132-0x0000000000440000-0x000000000052A000-memory.dmp

memory/2696-133-0x0000000005450000-0x00000000059F4000-memory.dmp

memory/2696-134-0x0000000004F40000-0x0000000004FD2000-memory.dmp

memory/2696-135-0x0000000004FE0000-0x000000000507C000-memory.dmp

memory/2696-136-0x0000000004ED0000-0x0000000004EDA000-memory.dmp

memory/1920-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp271F.tmp

MD5 ae2fa56e63450ec6f0ec73354ed5107c
SHA1 334f269e184f8d76f8b4fdba70e7c4c853af5943
SHA256 abc08be05a8132aa8e151a04d53621bd3e4a0bfe395f8bd97c4598d0bb28bf60
SHA512 a5d2df15877f1d5c92c5090d46931814e169b0f9e47e22aaf86b70c48972f5ac85fffafc83448b4ed7664cd9a41c177a8f110aa01fd159bdb705b357c8b3715b

memory/4624-139-0x0000000000000000-mapping.dmp

memory/4624-140-0x0000000000400000-0x0000000000438000-memory.dmp