Malware Analysis Report

2025-08-10 19:46

Sample ID 221116-hpw2lahe76
Target 984-66-0x0000000000370000-0x00000000003A8000-memory.dmp
SHA256 5f47f87da3c5f4ce232551ed141709430fb667041ecf474d0da4f360927d54d2
Tags
nanocore evasion keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5f47f87da3c5f4ce232551ed141709430fb667041ecf474d0da4f360927d54d2

Threat Level: Known bad

The file 984-66-0x0000000000370000-0x00000000003A8000-memory.dmp was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

Nanocore family

NanoCore

Adds Run key to start application

Checks whether UAC is enabled

Drops file in Program Files directory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-16 06:55

Signatures

Nanocore family

nanocore

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-16 06:55

Reported

2022-11-16 06:57

Platform

win10v2004-20220812-en

Max time kernel

62s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\984-66-0x0000000000370000-0x00000000003A8000-memory.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Monitor = "C:\\Program Files (x86)\\AGP Monitor\\agpmon.exe" | C:\Users\Admin\AppData\Local\Temp\984-66-0x0000000000370000-0x00000000003A8000-memory.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\984-66-0x0000000000370000-0x00000000003A8000-memory.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\AGP Monitor\agpmon.exe | C:\Users\Admin\AppData\Local\Temp\984-66-0x0000000000370000-0x00000000003A8000-memory.exe | N/A
File opened for modification | C:\Program Files (x86)\AGP Monitor\agpmon.exe | C:\Users\Admin\AppData\Local\Temp\984-66-0x0000000000370000-0x00000000003A8000-memory.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\984-66-0x0000000000370000-0x00000000003A8000-memory.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\984-66-0x0000000000370000-0x00000000003A8000-memory.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\984-66-0x0000000000370000-0x00000000003A8000-memory.exe

"C:\Users\Admin\AppData\Local\Temp\984-66-0x0000000000370000-0x00000000003A8000-memory.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "AGP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp67C7.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "AGP Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp68A3.tmp"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | nanomalay23.hopto.org | udp
N/A | 85.208.136.69:6932 | nanomalay23.hopto.org | tcp
N/A | 93.184.221.240:80 | | tcp
N/A | 93.184.221.240:80 | | tcp
N/A | 13.69.109.130:443 | | tcp

Files

memory/644-132-0x0000000074C70000-0x0000000075221000-memory.dmp

memory/2272-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp67C7.tmp

MD5 ea52dc2a5be4a37fee4000aa4216a1b3
SHA1 24cb4a529163e3a7d61c0f15263c4e07dd4d1571
SHA256 1513de352c6926ed3969eabbc46a1a88be16ef562f27c337eed2258f00fbe5fa
SHA512 e22a41240adb898384a50136c967dd8566056ac8c8478dbf25dd670d90645b756de2cc387ac72e00dc4e7bd48537f82ad5b076cc2c58110a3b031af89cf412b5

memory/3208-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp68A3.tmp

MD5 157cd55403665c49c9fd3ca1196c4397
SHA1 4feed6e606b41bb617274471349582963182756b
SHA256 49d903f84313feb16bd189c58b6c206f98b05da00ea0da881e2ff0c893b6ba5e
SHA512 bea7e3caa9c37cadd772a6d3ee0d9ed47de6b3e880cd58649be2939cacd00f70d4edc1ad177e432539267bb520094d9cda3f781cdfc69122f3775242321c11b8

memory/644-137-0x0000000074C70000-0x0000000075221000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-16 06:55

Reported

2022-11-16 06:57

Platform

win7-20220901-en

Max time kernel

46s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\984-66-0x0000000000370000-0x00000000003A8000-memory.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Manager = "C:\\Program Files (x86)\\AGP Manager\\agpmgr.exe" | C:\Users\Admin\AppData\Local\Temp\984-66-0x0000000000370000-0x00000000003A8000-memory.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\984-66-0x0000000000370000-0x00000000003A8000-memory.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\AGP Manager\agpmgr.exe | C:\Users\Admin\AppData\Local\Temp\984-66-0x0000000000370000-0x00000000003A8000-memory.exe | N/A
File opened for modification | C:\Program Files (x86)\AGP Manager\agpmgr.exe | C:\Users\Admin\AppData\Local\Temp\984-66-0x0000000000370000-0x00000000003A8000-memory.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\984-66-0x0000000000370000-0x00000000003A8000-memory.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\984-66-0x0000000000370000-0x00000000003A8000-memory.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\984-66-0x0000000000370000-0x00000000003A8000-memory.exe

"C:\Users\Admin\AppData\Local\Temp\984-66-0x0000000000370000-0x00000000003A8000-memory.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "AGP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1AB3.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "AGP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1C68.tmp"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | nanomalay23.hopto.org | udp
N/A | 85.208.136.69:6932 | nanomalay23.hopto.org | tcp

Files

memory/1200-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

memory/832-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1AB3.tmp

MD5 ea52dc2a5be4a37fee4000aa4216a1b3
SHA1 24cb4a529163e3a7d61c0f15263c4e07dd4d1571
SHA256 1513de352c6926ed3969eabbc46a1a88be16ef562f27c337eed2258f00fbe5fa
SHA512 e22a41240adb898384a50136c967dd8566056ac8c8478dbf25dd670d90645b756de2cc387ac72e00dc4e7bd48537f82ad5b076cc2c58110a3b031af89cf412b5

memory/796-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp1C68.tmp

MD5 885d6dd30570594e167fadb59d9ca0ea
SHA1 9981e583644c4eb9cf5056615a0e1c2913c8983b
SHA256 7155bc082d1713d77c2797575ee0ade8467fb7012f5376c1d6f4aa618141a7d2
SHA512 1623218143c2c25a7c85fa9da8e0f251f04a5eb848c4d0aa10bfb78688518b82393a2b3c7f287a9dc06a366ef9f46d0d4e2d246ad4cef4554a74c0bb6ff9dd2a

memory/1200-59-0x00000000748F0000-0x0000000074E9B000-memory.dmp

memory/1200-60-0x00000000748F0000-0x0000000074E9B000-memory.dmp
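The two behavioral runs above record the same chain with different names: a Run key written by the sample from %TEMP% pointing at a file it dropped under Program Files (x86), two schtasks /create /xml registrations fed from tmpXXXX.tmp files in %TEMP%, an EnableLUA query, and a TCP session to nanomalay23.hopto.org on port 6932. Only the task, folder and file names change between the win10 (AGP Monitor / agpmon.exe) and win7 (AGP Manager / agpmgr.exe) detonations, so a detection should key on the behaviour rather than those strings. The following Python is an added example, not part of the sandbox report or of any NanoCore tooling: it runs that logic over Sysmon-style event dicts constructed from the behavioral2 run (the pids 644, 2272 and 3208 are assumed from the memory-dump names), with a benign schtasks call as a control. The event field names and the dynamic-DNS suffix list are the example's own assumptions.

```python
"""Detection rules for the NanoCore persistence chain in this report.

Added example (not from the sandbox report). Event dicts mimic Sysmon
process/registry/file/network records; field names are this example's own.
"""
import re
from collections import defaultdict

# Assumption: common dynamic-DNS suffixes; the report's C2 is nanomalay23.hopto.org
DYNDNS_SUFFIXES = (".hopto.org", ".no-ip.org", ".ddns.net", ".duckdns.org")
COMMON_PORTS = {80, 443}

SCHTASKS_XML_RE = re.compile(
    r'schtasks(?:\.exe)?"?\s.*?/create\b.*?/tn\s+"(?P<task>[^"]+)".*?/xml\s+"(?P<xml>[^"]+)"',
    re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
ENABLELUA_RE = re.compile(r"\\Policies\\System\\EnableLUA$", re.IGNORECASE)


def _in_temp(path):
    return bool(TEMP_DIR_RE.search(path or ""))


def detect(events):
    """Return (rule, pid, evidence) tuples for one host's event stream."""
    findings = []
    image_of = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    created = defaultdict(set)  # pid -> lower-cased paths of files it created
    for e in events:
        if e["type"] == "file" and e["op"] == "create":
            created[e["pid"]].add(e["path"].lower())

    for e in events:
        if e["type"] == "process":
            # Task registered from an XML the dropper wrote to %TEMP% (tmpXXXX.tmp above)
            m = SCHTASKS_XML_RE.search(e["cmdline"])
            if m and _in_temp(m.group("xml")):
                findings.append(("schtasks_xml_from_temp", e["pid"],
                                 f'task "{m.group("task")}" from {m.group("xml")}'))
        elif e["type"] == "registry":
            writer = image_of.get(e["pid"], "")
            if e["op"] == "SetValue" and RUN_KEY_RE.search(e["key"]) and _in_temp(writer):
                # Run value written by a %TEMP%-resident process; note if it points at a
                # file the same process created (agpmon.exe / agpmgr.exe in the report)
                target = e["value"].strip('"').lower()
                name = e["key"].rsplit("\\", 1)[-1]
                note = " (file dropped by same process)" if target in created[e["pid"]] else ""
                findings.append(("run_key_from_temp_process", e["pid"], f"{name} -> {target}{note}"))
            elif e["op"] == "QueryValue" and ENABLELUA_RE.search(e["key"]) and _in_temp(writer):
                findings.append(("uac_state_check", e["pid"], e["key"]))
        elif e["type"] == "network":
            dom = (e.get("domain") or "").lower()
            if e["proto"] == "tcp" and dom.endswith(DYNDNS_SUFFIXES) and e["dst_port"] not in COMMON_PORTS:
                findings.append(("dyndns_c2_nonstd_port", e["pid"], f'{dom} ({e["dst_ip"]}:{e["dst_port"]})'))
    return findings


def verdict(findings):
    """Both persistence mechanisms plus a dyn-DNS beacon reproduce this report's chain."""
    rules = {r for r, _, _ in findings}
    chain = {"schtasks_xml_from_temp", "run_key_from_temp_process", "dyndns_c2_nonstd_port"}
    if chain <= rules:
        return "nanocore-like persistence chain"
    return "suspicious" if rules else "clean"


MAIN = r"C:\Users\Admin\AppData\Local\Temp\984-66-0x0000000000370000-0x00000000003A8000-memory.exe"
DROPPED = r"C:\Program Files (x86)\AGP Monitor\agpmon.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
# Constructed from the behavioral2 run; pids 644/2272/3208 assumed from the dump names
SAMPLE_EVENTS = [
    {"type": "process", "pid": 644, "image": MAIN, "cmdline": f'"{MAIN}"'},
    {"type": "file", "pid": 644, "op": "create", "path": DROPPED},
    {"type": "registry", "pid": 644, "op": "SetValue", "value": DROPPED,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Monitor"},
    {"type": "registry", "pid": 644, "op": "QueryValue",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"type": "process", "pid": 2272, "image": SCHTASKS, "cmdline":
     r'"schtasks.exe" /create /f /tn "AGP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp67C7.tmp"'},
    {"type": "process", "pid": 3208, "image": SCHTASKS, "cmdline":
     r'"schtasks.exe" /create /f /tn "AGP Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp68A3.tmp"'},
    {"type": "network", "pid": 644, "proto": "tcp", "domain": "nanomalay23.hopto.org",
     "dst_ip": "85.208.136.69", "dst_port": 6932},
    {"type": "network", "pid": 644, "proto": "tcp", "domain": None,
     "dst_ip": "93.184.221.240", "dst_port": 80},
]
# Constructed control: an admin-registered task whose XML lives outside %TEMP%
BENIGN_EVENTS = [
    {"type": "process", "pid": 900, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"schtasks.exe" /create /tn "Nightly Backup" /xml "C:\ProgramData\Backup\task.xml"'},
]

if __name__ == "__main__":
    for events in (SAMPLE_EVENTS, BENIGN_EVENTS):
        hits = detect(events)
        for rule, pid, evidence in hits:
            print(f"[{rule}] pid={pid} {evidence}")
        print("verdict:", verdict(hits))
```

The Run-key rule keys on the writer living in %TEMP%, which also matches some legitimate installers, and the dynamic-DNS rule will fire on hobbyist services; both are therefore single signals that only reach a verdict in combination with the temp-XML schtasks registration. Baseline the rules against signed installer images on your estate before alerting, and feed in the task names from both runs (AGP Monitor, AGP Monitor Task, AGP Manager, AGP Manager Task) as a separate retro-hunt rather than as the primary detection.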