Malware Analysis Report

2025-08-10 19:47

Sample ID 221117-2p154agb54
Target tmp
SHA256 ac353acd9090c3683dcf6b122ea09a38bcb8aad4f274f2ecbde5ecb3a06036d2
Tags
nanocore evasion keylogger persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

ac353acd9090c3683dcf6b122ea09a38bcb8aad4f274f2ecbde5ecb3a06036d2

Threat Level: Known bad

The file tmp was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

NanoCore

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Program Files directory

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-17 22:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-17 22:46

Reported

2022-11-17 22:48

Platform

win7-20220812-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Service = "C:\\Program Files (x86)\\UDP Service\\udpsv.exe" C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1300 set thread context of 1904 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\UDP Service\udpsv.exe C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
File opened for modification C:\Program Files (x86)\UDP Service\udpsv.exe C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1300 wrote to memory of 1904 (9 events) N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp.exe
PID 1904 wrote to memory of 972 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\SysWOW64\schtasks.exe
PID 1904 wrote to memory of 268 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "UDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3E2A.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "UDP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp401E.tmp"

Network

Country Destination Domain Proto Count
N/A 8.8.8.8:53 tzitziklishop.ddns.net udp 9
N/A 41.216.183.170:1665 tzitziklishop.ddns.net tcp 9
N/A 127.0.0.1:1665 N/A tcp 6

Files

C:\Users\Admin\AppData\Local\Temp\tmp3E2A.tmp

MD5 3f4dcafa44c36f23e4db2b2315fd09da
SHA1 8c83089d6f6c887a77af9b42ca09969f3b2f83f6
SHA256 b8475eb97200b8a15eaf07e0a2cddc5c95e5bc3e7a98685364c9796480de57dc
SHA512 e0624dd6cf0d5e014e96a323d2f7ebe13b683af71bd6ddafa3005cdc2f3c764cfca509262d442fc844b4b390d241ccf3eb36d30043d3d6f6e955a2ee9f792678

C:\Users\Admin\AppData\Local\Temp\tmp401E.tmp

MD5 0a24db62cb5b84309c4803346caaa25d
SHA1 67660778f61bb44168c33ed3fe56ed86cf9583e8
SHA256 38d38647af394a04ee6add9f05c43244f04e64a6b96257f4b241a5038efa82df
SHA512 d25d9df063f44595d5e0bf890755bd387655131ff369eeedf3d11ffcc6202ca4455bbb33a8a926dd06839cbd1ddec3d06809b3c66a82c6518aa14beaa469a548

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-17 22:46

Reported

2022-11-17 22:48

Platform

win10v2004-20221111-en

Max time kernel

144s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Manager = "C:\\Program Files (x86)\\DSL Manager\\dslmgr.exe" C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1448 set thread context of 60 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DSL Manager\dslmgr.exe C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
File opened for modification C:\Program Files (x86)\DSL Manager\dslmgr.exe C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1448 wrote to memory of 60 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Users\Admin\AppData\Local\Temp\tmp.exe
PID 60 wrote to memory of 1356 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\SysWOW64\schtasks.exe
PID 60 wrote to memory of 2592 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DSL Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2FBB.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DSL Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3058.tmp"

Network

Country Destination Domain Proto Count
N/A 93.184.221.240:80 N/A tcp 2
N/A 104.80.225.205:443 N/A tcp 1
N/A 8.8.8.8:53 tzitziklishop.ddns.net udp 9
N/A 41.216.183.170:1665 tzitziklishop.ddns.net tcp 9
N/A 8.253.208.121:80 N/A tcp 2
N/A 127.0.0.1:1665 N/A tcp 8

Files

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tmp.exe.log

MD5 fdc4633e85bab26f0cab03369eb0e7fd
SHA1 0f83c3ee3641d61a1dae8d0228e661996af6516f
SHA256 47bfdefe51ac7302d4e3eed870e0a51e4d0058f19f36f124469011609a7ec508
SHA512 43b78af443ab94294b8879097abe797d12388f55bcbc27147a270ca89fc55b45096d8c12a2e81f4e99d8288c791f4e76942193cd50be58733c145dc0c8fd29e7

C:\Users\Admin\AppData\Local\Temp\tmp2FBB.tmp

MD5 3f4dcafa44c36f23e4db2b2315fd09da
SHA1 8c83089d6f6c887a77af9b42ca09969f3b2f83f6
SHA256 b8475eb97200b8a15eaf07e0a2cddc5c95e5bc3e7a98685364c9796480de57dc
SHA512 e0624dd6cf0d5e014e96a323d2f7ebe13b683af71bd6ddafa3005cdc2f3c764cfca509262d442fc844b4b390d241ccf3eb36d30043d3d6f6e955a2ee9f792678

C:\Users\Admin\AppData\Local\Temp\tmp3058.tmp

MD5 a0bcaf1694d4fcae2c44258530850f35
SHA1 99e9ccea3a9dca8d94808f6488fdc37c0b3bfe73
SHA256 099c4a82d8e8ddf5ff801a8f08fb5a143834506e936ce846b380a42eb24e888e
SHA512 ad3f2fbc09f7d57c24a35a62f00251c93d480e065f3b7fbc7133736cb144a3031fdc9f3e8be8a1c6dcdb8b3def654618faab416f66a28628ab71e55de4df0da3