Malware Analysis Report

2025-08-10 19:46

Sample ID: 221116-hv57fsde2s
Target: nanocore.payload-disk
SHA256: 16cac6ab6a3818548a35543c5ec18b5802e9e768cdb89c8f0459a2992d30deac
Tags: nanocore evasion keylogger persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 16cac6ab6a3818548a35543c5ec18b5802e9e768cdb89c8f0459a2992d30deac

Threat Level: Known bad

The file nanocore.payload-disk was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

Nanocore family

NanoCore

Adds Run key to start application

Checks whether UAC is enabled

Drops file in Program Files directory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-11-16 07:04

Signatures

Nanocore family

nanocore

Analysis: behavioral1

Detonation Overview

Submitted: 2022-11-16 07:04
Reported: 2022-11-16 07:07
Platform: win7-20221111-en
Max time kernel: 35s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\nanocore.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Manager = "C:\\Program Files (x86)\\ISS Manager\\issmgr.exe" | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\ISS Manager\issmgr.exe | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | N/A
File opened for modification | C:\Program Files (x86)\ISS Manager\issmgr.exe | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\nanocore.exe

"C:\Users\Admin\AppData\Local\Temp\nanocore.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "ISS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDF6.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "ISS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpFFA.tmp"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | nanomalay23.hopto.org | udp
N/A | 85.208.136.69:6932 | nanomalay23.hopto.org | tcp
N/A | 176.113.115.157:419 |  | tcp
N/A | 176.113.115.155:419 |  | tcp
N/A | 176.113.115.156:419 |  | tcp
N/A | 80.66.75.4:419 |  | tcp
N/A | 176.113.115.154:419 |  | tcp
N/A | 213.91.128.133:10060 |  | tcp
N/A | 176.113.115.153:419 |  | tcp

Files

memory/2020-54-0x00000000767B1000-0x00000000767B3000-memory.dmp

memory/1212-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpDF6.tmp

MD5 c1537facbed38a07cf8821a32f017448
SHA1 4c5f1d0254eb77121a18368e4d4ee285c79788cd
SHA256 9901fdbb36b1748082ee1eb8d151d904f37ba2887d4373f41864851a9cb40d2a
SHA512 fdd2c85d8ee3888fb21ed20dbcf2147c53195d2c12e2f4c883c379999b5c40ed19987e5e2220ffa2c7b52f3e20f1f71d03a23b86f931fdb56e109314ef36e93a

memory/1512-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpFFA.tmp

MD5 ea7095fa975a5ac043c9de2899ce61d0
SHA1 ba4e21d0728fb1b4b87006c2e8ceb6109c9046a3
SHA256 5a1ba7b1b91e0bb7aedcfa82dc687972abb31f72ae1613ac586938ef0843f30f
SHA512 b52c8f1b58f263a3d1ad1ef9939167853a5f55033d9ad8976130174c7118407711a0703266c7d2d542bc2ca8119f875e35cc791b9dd70ef83b5310ac1e7cd1cb

memory/2020-59-0x0000000074F70000-0x000000007551B000-memory.dmp

memory/2020-60-0x0000000074F70000-0x000000007551B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-11-16 07:04
Reported: 2022-11-16 07:07
Platform: win10v2004-20221111-en
Max time kernel: 108s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\nanocore.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PCI Manager = "C:\\Program Files (x86)\\PCI Manager\\pcimgr.exe" | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\PCI Manager\pcimgr.exe | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | N/A
File opened for modification | C:\Program Files (x86)\PCI Manager\pcimgr.exe | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nanocore.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\nanocore.exe

"C:\Users\Admin\AppData\Local\Temp\nanocore.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "PCI Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7B4F.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "PCI Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7C3A.tmp"
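The two detonations install under different names (ISS Manager / issmgr.exe on Windows 7, PCI Manager / pcimgr.exe on Windows 10), but the mechanics are identical in both: the sample, running from the user's Temp directory, writes a Run key pointing at a freshly created Program Files (x86) folder and registers two scheduled tasks with schtasks.exe from XML files in the same Temp directory. Host detection should therefore key on that structure rather than on the names. The following Python is an added example, not part of this report or of any sandbox's rule set: it encodes the two behaviours as rules and runs them over constructed Sysmon-style events. The first two entries of each event list are transcribed from the process and registry rows above; the remaining entries are hypothetical benign controls, and the ATT&CK technique IDs on the hits are the standard ones for scheduled tasks and Run keys.

```python
import re

# Process-creation and registry-write events, constructed for this example in a
# reduced Sysmon-like shape. The first two entries of each list are transcribed
# from the report's behavioral1/behavioral2 runs; the remaining entries are
# hypothetical benign controls that the rules must not flag.
PROCESS_EVENTS = [
    {"image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent": r"C:\Users\Admin\AppData\Local\Temp\nanocore.exe",
     "cmdline": r'"schtasks.exe" /create /f /tn "ISS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDF6.tmp"'},
    {"image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent": r"C:\Users\Admin\AppData\Local\Temp\nanocore.exe",
     "cmdline": r'"schtasks.exe" /create /f /tn "PCI Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7C3A.tmp"'},
    # hypothetical: a vendor installer registering its own updater (no /xml from Temp)
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": r'schtasks.exe /create /tn "Vendor Update" /tr "C:\Program Files\Vendor\upd.exe" /sc daily'},
    # hypothetical: an analyst querying the task by name
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'schtasks.exe /query /tn "ISS Manager"'},
]

REGISTRY_EVENTS = [
    {"process": r"C:\Users\Admin\AppData\Local\Temp\nanocore.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Manager",
     "value": r"C:\Program Files (x86)\ISS Manager\issmgr.exe"},
    {"process": r"C:\Users\Admin\AppData\Local\Temp\nanocore.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PCI Manager",
     "value": r"C:\Program Files (x86)\PCI Manager\pcimgr.exe"},
    # hypothetical: an MSI installer adding a tray application to Run
    {"process": r"C:\Windows\System32\msiexec.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "value": r"C:\Program Files\Vendor\tray.exe"},
]

USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
TASK_XML = re.compile(r'/create\b.*/xml\s+"?([^"]+\.tmp)"?', re.IGNORECASE)
TASK_NAME = re.compile(r'/tn\s+"([^"]+)"', re.IGNORECASE)


def match_task_from_temp_xml(ev):
    """schtasks /create whose task definition is an XML file in the user's
    Temp directory, launched by a parent that itself runs from Temp."""
    if not ev["image"].lower().endswith("\\schtasks.exe"):
        return None
    xml = TASK_XML.search(ev["cmdline"])
    if not xml or not USER_TEMP.search(xml.group(1)):
        return None
    if not USER_TEMP.search(ev["parent"]):
        return None
    name = TASK_NAME.search(ev["cmdline"])
    return {"task": name.group(1) if name else None,
            "xml": xml.group(1), "parent": ev["parent"]}


def match_run_key_from_temp(ev):
    """A Run-key value written by a process executing from the user's Temp
    directory. The value is reported with the hit but not used for matching,
    because the directory and binary names vary per infection."""
    if not RUN_KEY.search(ev["key"]) or not USER_TEMP.search(ev["process"]):
        return None
    return {"name": ev["key"].rsplit("\\", 1)[1],
            "target": ev["value"], "process": ev["process"]}


def scan(process_events, registry_events):
    """Run both rules and tag each hit with its ATT&CK technique ID."""
    hits = []
    for ev in process_events:
        hit = match_task_from_temp_xml(ev)
        if hit:
            hits.append(("T1053.005", hit))
    for ev in registry_events:
        hit = match_run_key_from_temp(ev)
        if hit:
            hits.append(("T1547.001", hit))
    return hits


if __name__ == "__main__":
    for technique, hit in scan(PROCESS_EVENTS, REGISTRY_EVENTS):
        print(technique, hit)
```

Both rules deliberately ignore the task and key names; a benign installer that registers a task from an XML file in its own install directory, or writes a Run value from outside Temp, does not fire either rule, while both of the report's runs do.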

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | nanomalay23.hopto.org | udp
N/A | 85.208.136.69:6932 | nanomalay23.hopto.org | tcp
N/A | 20.189.173.14:443 |  | tcp
N/A | 20.123.104.105:443 |  | tcp
N/A | 84.53.175.11:80 |  | tcp
N/A | 84.53.175.11:80 |  | tcp
N/A | 67.26.105.254:80 |  | tcp
N/A | 104.80.225.205:443 |  | tcp

Files

memory/4620-132-0x0000000000000000-mapping.dmp

memory/4256-133-0x00000000753C0000-0x0000000075971000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7B4F.tmp

MD5 c1537facbed38a07cf8821a32f017448
SHA1 4c5f1d0254eb77121a18368e4d4ee285c79788cd
SHA256 9901fdbb36b1748082ee1eb8d151d904f37ba2887d4373f41864851a9cb40d2a
SHA512 fdd2c85d8ee3888fb21ed20dbcf2147c53195d2c12e2f4c883c379999b5c40ed19987e5e2220ffa2c7b52f3e20f1f71d03a23b86f931fdb56e109314ef36e93a

memory/2904-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7C3A.tmp

MD5 da7aec92f4b1e721f6eeccec52db4901
SHA1 e1bc32c2277c42aec2356f6242ee427af53c2a52
SHA256 7bcfd205f07bffa61c788644c1d6639d03126c46fdbd6550f7e21795dc78b3c0
SHA512 340e234cdfb1b327369378131629f0ff5538c6a1c578c59bfc1b66442ff3f5793f119db13b8d3f158969071eb0fc0c7fbe5c79094572fac0cea528489bf11720

memory/4256-137-0x00000000753C0000-0x0000000075971000-memory.dmp
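Two things are worth pulling out of the network and file tables before any of it becomes an indicator. First, only one destination in either run is tied to the sample by name: nanomalay23.hopto.org, looked up via 8.8.8.8 and reached at 85.208.136.69:6932 on both platforms (hopto.org is a dynamic-DNS domain, so the hostname is the more durable indicator than the address). Every other destination has no domain attributed by the sandbox and the sets differ completely between the Windows 7 and Windows 10 runs, so they should be checked against the sandbox's baseline traffic before being blocklisted. Second, the first scheduled-task XML (tmpDF6.tmp on Windows 7, tmp7B4F.tmp on Windows 10) has the same SHA256 in both runs, while the second (tmpFFA.tmp, tmp7C3A.tmp) differs, so only the first is a stable file-hash indicator. The following Python is an added example, not part of this report: it transcribes both runs' network and file tables and applies those two cross-run checks. The run labels and the /24 grouping of unattributed destinations are the example's own choices.

```python
import ipaddress
from collections import defaultdict

# Network rows (destination, domain, proto) and dropped-file SHA256s, transcribed
# from the report's two detonations. The "win7"/"win10" labels are this example's own.
NETWORK = {
    "win7": [
        ("8.8.8.8:53", "nanomalay23.hopto.org", "udp"),
        ("85.208.136.69:6932", "nanomalay23.hopto.org", "tcp"),
        ("176.113.115.157:419", None, "tcp"),
        ("176.113.115.155:419", None, "tcp"),
        ("176.113.115.156:419", None, "tcp"),
        ("80.66.75.4:419", None, "tcp"),
        ("176.113.115.154:419", None, "tcp"),
        ("213.91.128.133:10060", None, "tcp"),
        ("176.113.115.153:419", None, "tcp"),
    ],
    "win10": [
        ("8.8.8.8:53", "nanomalay23.hopto.org", "udp"),
        ("85.208.136.69:6932", "nanomalay23.hopto.org", "tcp"),
        ("20.189.173.14:443", None, "tcp"),
        ("20.123.104.105:443", None, "tcp"),
        ("84.53.175.11:80", None, "tcp"),
        ("84.53.175.11:80", None, "tcp"),
        ("67.26.105.254:80", None, "tcp"),
        ("104.80.225.205:443", None, "tcp"),
    ],
}

FILES = {
    "win7": {
        r"C:\Users\Admin\AppData\Local\Temp\tmpDF6.tmp": "9901fdbb36b1748082ee1eb8d151d904f37ba2887d4373f41864851a9cb40d2a",
        r"C:\Users\Admin\AppData\Local\Temp\tmpFFA.tmp": "5a1ba7b1b91e0bb7aedcfa82dc687972abb31f72ae1613ac586938ef0843f30f",
    },
    "win10": {
        r"C:\Users\Admin\AppData\Local\Temp\tmp7B4F.tmp": "9901fdbb36b1748082ee1eb8d151d904f37ba2887d4373f41864851a9cb40d2a",
        r"C:\Users\Admin\AppData\Local\Temp\tmp7C3A.tmp": "7bcfd205f07bffa61c788644c1d6639d03126c46fdbd6550f7e21795dc78b3c0",
    },
}


def triage_network(runs):
    """Separate destinations the sandbox tied to a domain (the DNS lookup and
    the resolved C2 socket) from unattributed ones, which are grouped by /24,
    port and protocol and annotated with the runs they occurred in."""
    dns, c2 = set(), set()
    groups = defaultdict(lambda: {"hosts": set(), "runs": set()})
    for run, rows in runs.items():
        for dest, domain, proto in rows:
            ip, port = dest.rsplit(":", 1)
            if domain and proto == "udp" and port == "53":
                dns.add(domain)                    # resolver query, not C2 itself
            elif domain:
                c2.add((domain, dest, proto))      # domain-attributed socket
            else:
                net = ipaddress.ip_network(f"{ip}/24", strict=False)
                g = groups[(str(net), int(port), proto)]
                g["hosts"].add(ip)
                g["runs"].add(run)
    return {"dns": dns, "c2": c2, "unattributed": dict(groups)}


def shared_unattributed(triage, run_names):
    """Unattributed groups seen in every run: the only ones worth treating as
    sample-driven before the sandbox's baseline traffic has been subtracted."""
    return sorted(k for k, g in triage["unattributed"].items()
                  if g["runs"] == set(run_names))


def stable_hashes(files_by_run):
    """SHA256s that recur across runs under different file names: static
    payload components, so the hash is a durable indicator."""
    seen = defaultdict(list)
    for run, files in files_by_run.items():
        for path, sha in files.items():
            seen[sha].append((run, path))
    return {sha: locs for sha, locs in seen.items()
            if len({r for r, _ in locs}) > 1}


if __name__ == "__main__":
    t = triage_network(NETWORK)
    print("C2:", t["c2"])
    print("unattributed groups common to all runs:", shared_unattributed(t, NETWORK))
    for (net, port, proto), g in t["unattributed"].items():
        print(f"{net} {proto}/{port}: {len(g['hosts'])} host(s) in {sorted(g['runs'])}")
    print("stable hashes:", stable_hashes(FILES))
```

The /24 grouping is only there to make a spread such as five consecutive hosts in 176.113.115.0/24 on tcp/419 visible as one line; it says nothing about what that traffic was. With this report's data the only sample-attributed socket is 85.208.136.69:6932, no unattributed group recurs across both runs, and the one recurring file hash is the first task XML.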