Malware Analysis Report

2025-08-10 19:46

Sample ID 221116-vxzhxacb73
Target 0x00070000000133dd-55.dat
SHA256 b4869c17fe516e2f8fe649349710de4b7e8667a30714fe66746fe6248025a36b
Tags
nanocore evasion keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b4869c17fe516e2f8fe649349710de4b7e8667a30714fe66746fe6248025a36b

Threat Level: Known bad

The file 0x00070000000133dd-55.dat was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger spyware stealer trojan

NanoCore

Nanocore family

Checks whether UAC is enabled

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-16 17:22

Signatures

Nanocore family

nanocore

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-16 17:22

Reported

2022-11-16 17:25

Platform

win7-20221111-en

Max time kernel

130s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x00070000000133dd-55.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\0x00070000000133dd-55.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x00070000000133dd-55.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x00070000000133dd-55.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x00070000000133dd-55.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0x00070000000133dd-55.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0x00070000000133dd-55.exe

"C:\Users\Admin\AppData\Local\Temp\0x00070000000133dd-55.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "PCI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpFBA.tmp"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 concideritdone.duckdns.org udp
N/A 156.96.44.168:6969 concideritdone.duckdns.org tcp
N/A 8.8.8.8:53 concideritdone.duckdns.org udp
N/A 156.96.44.168:6969 concideritdone.duckdns.org tcp
N/A 8.8.8.8:53 concideritdone.duckdns.org udp
N/A 156.96.44.168:6969 concideritdone.duckdns.org tcp
N/A 127.0.0.1:6969 tcp
N/A 127.0.0.1:6969 tcp
N/A 127.0.0.1:6969 tcp
N/A 8.8.8.8:53 concideritdone.duckdns.org udp
N/A 156.96.44.168:6969 concideritdone.duckdns.org tcp
N/A 8.8.8.8:53 concideritdone.duckdns.org udp
N/A 156.96.44.168:6969 concideritdone.duckdns.org tcp

Files

memory/1304-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

memory/956-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpFBA.tmp

MD5 072ceb82811717faf72e59a39f27e9a2
SHA1 d70d266cd6448ede16c77da0358a158f2e785e49
SHA256 3f4e7b4932f31d0af570b83f4cf98112f168736f2a97bab88c69b2f1a56edfef
SHA512 caf754391f13b9e668ca385642c0212fae1f8ef2cfb9a03c2f3a3fb8f87eac55a9f4a91f7b41d85769338be48d1e511f0b354ed0a41fdab573b1094faab1b80f

memory/1304-57-0x0000000074190000-0x000000007473B000-memory.dmp

memory/1304-58-0x0000000074190000-0x000000007473B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-16 17:22

Reported

2022-11-16 17:25

Platform

win10v2004-20220812-en

Max time kernel

139s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x00070000000133dd-55.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\0x00070000000133dd-55.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x00070000000133dd-55.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0x00070000000133dd-55.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0x00070000000133dd-55.exe

"C:\Users\Admin\AppData\Local\Temp\0x00070000000133dd-55.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "AGP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp71BA.tmp"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 concideritdone.duckdns.org udp
N/A 156.96.44.168:6969 concideritdone.duckdns.org tcp
N/A 8.8.8.8:53 concideritdone.duckdns.org udp
N/A 156.96.44.168:6969 concideritdone.duckdns.org tcp
N/A 8.8.8.8:53 concideritdone.duckdns.org udp
N/A 156.96.44.168:6969 concideritdone.duckdns.org tcp
N/A 20.189.173.10:443 tcp
N/A 127.0.0.1:6969 tcp
N/A 127.0.0.1:6969 tcp
N/A 8.238.110.126:80 tcp
N/A 127.0.0.1:6969 tcp
N/A 8.8.8.8:53 concideritdone.duckdns.org udp
N/A 156.96.44.168:6969 concideritdone.duckdns.org tcp
N/A 8.8.8.8:53 concideritdone.duckdns.org udp
N/A 156.96.44.168:6969 concideritdone.duckdns.org tcp
N/A 8.8.8.8:53 concideritdone.duckdns.org udp
N/A 156.96.44.168:6969 concideritdone.duckdns.org tcp
N/A 127.0.0.1:6969 tcp
N/A 127.0.0.1:6969 tcp
N/A 127.0.0.1:6969 tcp
N/A 8.8.8.8:53 concideritdone.duckdns.org udp
N/A 156.96.44.168:6969 concideritdone.duckdns.org tcp

Files

memory/1088-132-0x0000000074E10000-0x00000000753C1000-memory.dmp

memory/4292-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp71BA.tmp

MD5 072ceb82811717faf72e59a39f27e9a2
SHA1 d70d266cd6448ede16c77da0358a158f2e785e49
SHA256 3f4e7b4932f31d0af570b83f4cf98112f168736f2a97bab88c69b2f1a56edfef
SHA512 caf754391f13b9e668ca385642c0212fae1f8ef2cfb9a03c2f3a3fb8f87eac55a9f4a91f7b41d85769338be48d1e511f0b354ed0a41fdab573b1094faab1b80f

memory/1088-135-0x0000000074E10000-0x00000000753C1000-memory.dmp