Malware Analysis Report

2025-08-10 19:47

Sample ID 221118-czd1wacc5w
Target 9d9f2c64c077d3240f88906f3e73559c5bf554809a1e8974f8c8f28704c576ea
SHA256 9d9f2c64c077d3240f88906f3e73559c5bf554809a1e8974f8c8f28704c576ea
Tags
nanocore keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9d9f2c64c077d3240f88906f3e73559c5bf554809a1e8974f8c8f28704c576ea

Threat Level: Known bad

The file 9d9f2c64c077d3240f88906f3e73559c5bf554809a1e8974f8c8f28704c576ea was found to be: Known bad.

Malicious Activity Summary

nanocore keylogger persistence spyware stealer trojan

NanoCore

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-18 02:30

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-18 02:30

Reported

2022-11-18 02:33

Platform

win10v2004-20220812-en

Max time kernel

64s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9d9f2c64c077d3240f88906f3e73559c5bf554809a1e8974f8c8f28704c576ea.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Manager = "C:\\Program Files (x86)\\DDP Manager\\ddpmgr.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 956 set thread context of 1240 | N/A | C:\Users\Admin\AppData\Local\Temp\9d9f2c64c077d3240f88906f3e73559c5bf554809a1e8974f8c8f28704c576ea.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\DDP Manager\ddpmgr.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A
File opened for modification | C:\Program Files (x86)\DDP Manager\ddpmgr.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9d9f2c64c077d3240f88906f3e73559c5bf554809a1e8974f8c8f28704c576ea.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 956 wrote to memory of 1240 (8 events) | N/A | C:\Users\Admin\AppData\Local\Temp\9d9f2c64c077d3240f88906f3e73559c5bf554809a1e8974f8c8f28704c576ea.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
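The SetThreadContext row and the eight WriteProcessMemory rows above share one source (PID 956, the sample) and one target (PID 1240, MSBuild.exe); together they are the process-hollowing pattern, and it is MSBuild.exe, not the dropper, that then writes the Run key, drops ddpmgr.exe and polls the foreground window. The detector below is an added example, not part of the sandbox report: it reads a trace of API events constructed from those rows and flags every (source, target) pair where the source both wrote the target's memory and replaced a thread context. The event layout, the list of commonly hollowed Microsoft binaries and the extra benign event are assumptions for illustration.

```python
"""Flag the cross-process WriteProcessMemory + SetThreadContext chain that the
report records from PID 956 (the sample) into PID 1240 (MSBuild.exe).

Added example, not part of the sandbox report. The trace is constructed from
the report's signature rows; the record layout and HOLLOWING_HOSTS are assumptions."""

from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\9d9f2c64c077d3240f88906f3e73559c5bf554809a1e8974f8c8f28704c576ea.exe")
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

# Signed .NET Framework / Windows binaries that loaders routinely start and
# overwrite (assumed list, not taken from the report).
HOLLOWING_HOSTS = {
    "msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
    "aspnet_compiler.exe", "applaunch.exe", "vbc.exe", "csc.exe",
}


@dataclass(frozen=True)
class ApiEvent:
    api: str          # Win32 API name as the sandbox hook reports it
    src_pid: int
    src_image: str
    dst_pid: int
    dst_image: str


# Constructed trace: eight writes and one thread-context change into the same
# child (as in the report), plus one unrelated single write that must not fire.
TRACE = [ApiEvent("WriteProcessMemory", 956, SAMPLE, 1240, MSBUILD) for _ in range(8)]
TRACE.append(ApiEvent("SetThreadContext", 956, SAMPLE, 1240, MSBUILD))
TRACE.append(ApiEvent("WriteProcessMemory", 4000, r"C:\Tools\inspector.exe",
                      4001, r"C:\Windows\notepad.exe"))


@dataclass
class Finding:
    src_pid: int
    dst_pid: int
    dst_image: str
    writes: int
    context_sets: int
    severity: str


def detect_hollowing(events: Iterable[ApiEvent]) -> List[Finding]:
    """Group events by (source, target) and report pairs where the source both
    wrote the target's memory and replaced a thread context. Order-agnostic on
    purpose: the report lists signatures, not the call sequence, and loaders
    write the payload in many chunks."""
    counts = defaultdict(lambda: {"WriteProcessMemory": 0, "SetThreadContext": 0})
    images = {}
    for ev in events:
        if ev.src_pid == ev.dst_pid:
            continue                      # self-modification is not injection
        pair = (ev.src_pid, ev.dst_pid)
        if ev.api in counts[pair]:
            counts[pair][ev.api] += 1
        images[pair] = ev.dst_image
    findings = []
    for pair, c in counts.items():
        if c["WriteProcessMemory"] and c["SetThreadContext"]:
            name = PureWindowsPath(images[pair]).name.lower()
            severity = "high" if name in HOLLOWING_HOSTS else "medium"
            findings.append(Finding(pair[0], pair[1], images[pair],
                                    c["WriteProcessMemory"], c["SetThreadContext"], severity))
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(TRACE):
        print(f"{f.severity}: PID {f.src_pid} -> PID {f.dst_pid} ({f.dst_image}) "
              f"writes={f.writes} context_sets={f.context_sets}")
```

The same pairing logic applies to Sysmon Event ID 10 (ProcessAccess) or any EDR API trace once the source and target PIDs are extracted; a single cross-process write on its own is common in legitimate tooling, which is why the rule requires both calls on the same pair.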

Processes

C:\Users\Admin\AppData\Local\Temp\9d9f2c64c077d3240f88906f3e73559c5bf554809a1e8974f8c8f28704c576ea.exe

"C:\Users\Admin\AppData\Local\Temp\9d9f2c64c077d3240f88906f3e73559c5bf554809a1e8974f8c8f28704c576ea.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | lndcin.com | udp
N/A | 162.213.255.22:80 | lndcin.com | tcp
N/A | 8.8.8.8:53 | maxlogs.webhop.me | udp
N/A | 79.134.225.6:1620 | maxlogs.webhop.me | tcp
N/A | 209.197.3.8:80 | N/A | tcp
N/A | 209.197.3.8:80 | N/A | tcp
N/A | 20.189.173.4:443 | N/A | tcp
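The Run key, the dropped ddpmgr.exe and the network rows above are what a responder needs to sweep other hosts for this infection. The script below is an added example, not part of the sandbox report: it parses the Run-key indicator as written (NT object path, escaped backslashes) into the HKLM form that reg.exe and PowerShell use, deduplicates the network rows, and separates the resolver lookups and the unattributed connections from the one endpoint that looks like the NanoCore server (a dynamic-DNS name on a non-standard port). The resolver list, the dynamic-DNS suffix list and the role names are assumptions; the rows themselves are copied from this report.

```python
"""Turn the persistence, file-drop and network rows of this report into a hunt
list. Added example; PUBLIC_RESOLVERS, DYNDNS_SUFFIXES and the role labels are
assumptions, the indicator rows are copied from the report."""

from dataclasses import dataclass, field
from typing import List, Optional

RUN_KEY_ROW = (r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Manager'
               r' = "C:\\Program Files (x86)\\DDP Manager\\ddpmgr.exe"')
DROPPED_FILES = [r"C:\Program Files (x86)\DDP Manager\ddpmgr.exe"]
NETWORK_ROWS = [  # (destination, domain or None, proto) as in the Network table
    ("8.8.8.8:53", "lndcin.com", "udp"),
    ("162.213.255.22:80", "lndcin.com", "tcp"),
    ("8.8.8.8:53", "maxlogs.webhop.me", "udp"),
    ("79.134.225.6:1620", "maxlogs.webhop.me", "tcp"),
    ("209.197.3.8:80", None, "tcp"),
    ("209.197.3.8:80", None, "tcp"),
    ("20.189.173.4:443", None, "tcp"),
]

HIVE_ALIASES = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU"}
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1"}                   # assumed
DYNDNS_SUFFIXES = {"webhop.me", "ddns.net", "hopto.org", "no-ip.org"}  # assumed
WEB_PORTS = {80, 443}


def parse_run_key(row: str):
    """Split 'key\\value = "data"' into (key, value name, data). The sandbox
    records the NT path; WOW6432Node is the 32-bit view of HKLM\\SOFTWARE, so
    query this exact path on a 64-bit host rather than the redirected one."""
    path, _, data = row.partition(" = ")
    key, _, value_name = path.rpartition("\\")
    for nt_prefix, alias in HIVE_ALIASES.items():
        if key.upper().startswith(nt_prefix.upper()):
            key = alias + key[len(nt_prefix):]
            break
    data = data.strip().strip('"').replace("\\\\", "\\")   # undo the report's escaping
    return key, value_name, data


@dataclass
class Endpoint:
    ip: str
    port: int
    proto: str
    host: Optional[str]
    role: str
    reasons: List[str] = field(default_factory=list)


def classify_network(rows) -> List[Endpoint]:
    """Deduplicate rows and assign a role: the resolver hit is noise (the name
    is the indicator), rows without a name are low confidence, and a named
    host on a non-web port or a dynamic-DNS suffix is the C2 candidate."""
    seen = {}
    for dest, host, proto in rows:
        ip, _, port = dest.rpartition(":")
        port = int(port)
        key = (ip, port, proto, host)
        if key in seen:
            continue
        reasons = []
        if port == 53 and ip in PUBLIC_RESOLVERS:
            role = "dns-resolver"
        elif host is None:
            role = "unattributed"
        else:
            suffix = ".".join(host.split(".")[-2:])
            if port not in WEB_PORTS:
                reasons.append(f"non-standard port {port}")
            if suffix in DYNDNS_SUFFIXES:
                reasons.append(f"dynamic-DNS suffix {suffix}")
            role = "c2-candidate" if reasons else "http"
        seen[key] = Endpoint(ip, port, proto, host, role, reasons)
    return list(seen.values())


def build_hunt_list() -> dict:
    key, name, data = parse_run_key(RUN_KEY_ROW)
    eps = classify_network(NETWORK_ROWS)
    return {
        "registry": [f"{key} : {name} = {data}"],
        "files": sorted(set(DROPPED_FILES + [data])),
        "domains": sorted({e.host for e in eps if e.host}),
        "c2": [f"{e.host} -> {e.ip}:{e.port}/{e.proto} ({'; '.join(e.reasons)})"
               for e in eps if e.role == "c2-candidate"],
        "unattributed": sorted({f"{e.ip}:{e.port}" for e in eps if e.role == "unattributed"}),
    }


if __name__ == "__main__":
    for section, items in build_hunt_list().items():
        print(section)
        for item in items:
            print("  ", item)
```

Because the Run key value is a string under WOW6432Node, a 64-bit PowerShell session must query `HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run` explicitly; the value name `DDP Manager` and the path in Program Files (x86) are the host-side artefacts, and the unattributed 80/443 connections should not be blocked on this evidence alone.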

Files

memory/956-132-0x0000000000CC0000-0x0000000000CC8000-memory.dmp

memory/956-133-0x0000000005D90000-0x0000000006334000-memory.dmp

memory/956-134-0x0000000005680000-0x0000000005712000-memory.dmp

memory/956-135-0x0000000005670000-0x000000000567A000-memory.dmp

memory/956-136-0x000000000AFF0000-0x000000000B012000-memory.dmp

memory/1240-137-0x0000000000000000-mapping.dmp

memory/1240-138-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1240-139-0x0000000005620000-0x00000000056BC000-memory.dmp

memory/1240-140-0x0000000006E00000-0x0000000006E66000-memory.dmp