Malware Analysis Report

2025-08-10 19:47

Sample ID: 221118-hjl97scf9w
Target: 9c8b27cd0131c5451b869eebce9518bf.exe
SHA256: 9d9f2c64c077d3240f88906f3e73559c5bf554809a1e8974f8c8f28704c576ea
Tags: nanocore keylogger persistence spyware stealer trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 9d9f2c64c077d3240f88906f3e73559c5bf554809a1e8974f8c8f28704c576ea

Threat Level: Known bad

The file 9c8b27cd0131c5451b869eebce9518bf.exe was found to be: Known bad.

Malicious Activity Summary

nanocore keylogger persistence spyware stealer trojan

NanoCore

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported: 2022-11-18 06:46

Signatures: N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2022-11-18 06:46
Reported: 2022-11-18 06:48
Platform: win10v2004-20220812-en
Max time kernel: 69s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c8b27cd0131c5451b869eebce9518bf.exe"

Signatures

NanoCore (keylogger trojan stealer spyware nanocore)

Adds Run key to start application (persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Monitor = "C:\\Program Files (x86)\\AGP Monitor\\agpmon.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2112 set thread context of 540 | N/A | C:\Users\Admin\AppData\Local\Temp\9c8b27cd0131c5451b869eebce9518bf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\AGP Monitor\agpmon.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A
File opened for modification | C:\Program Files (x86)\AGP Monitor\agpmon.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9c8b27cd0131c5451b869eebce9518bf.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9c8b27cd0131c5451b869eebce9518bf.exe
  "C:\Users\Admin\AppData\Local\Temp\9c8b27cd0131c5451b869eebce9518bf.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | lndcin.com | udp
N/A | 162.213.255.22:80 | lndcin.com | tcp
N/A | 8.8.8.8:53 | maxlogs.webhop.me | udp
N/A | 79.134.225.6:1620 | maxlogs.webhop.me | tcp
N/A | 8.238.23.254:80 | | tcp
N/A | 8.238.23.254:80 | | tcp
N/A | 51.116.253.170:443 | | tcp
N/A | 93.184.221.240:80 | | tcp
N/A | 93.184.221.240:80 | | tcp
N/A | 93.184.221.240:80 | | tcp
N/A | 93.184.220.29:80 | | tcp

Files


Analysis: behavioral1

Detonation Overview

Submitted: 2022-11-18 06:46
Reported: 2022-11-18 06:48
Platform: win7-20221111-en
Max time kernel: 55s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c8b27cd0131c5451b869eebce9518bf.exe"

Signatures

NanoCore (keylogger trojan stealer spyware nanocore)

Adds Run key to start application (persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Monitor = "C:\\Program Files (x86)\\NTFS Monitor\\ntfsmon.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1272 set thread context of 1176 | N/A | C:\Users\Admin\AppData\Local\Temp\9c8b27cd0131c5451b869eebce9518bf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A
File opened for modification | C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9c8b27cd0131c5451b869eebce9518bf.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1272 wrote to memory of 1176 | N/A | C:\Users\Admin\AppData\Local\Temp\9c8b27cd0131c5451b869eebce9518bf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1272 wrote to memory of 1176 | N/A | C:\Users\Admin\AppData\Local\Temp\9c8b27cd0131c5451b869eebce9518bf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1272 wrote to memory of 1176 | N/A | C:\Users\Admin\AppData\Local\Temp\9c8b27cd0131c5451b869eebce9518bf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1272 wrote to memory of 1176 | N/A | C:\Users\Admin\AppData\Local\Temp\9c8b27cd0131c5451b869eebce9518bf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1272 wrote to memory of 1176 | N/A | C:\Users\Admin\AppData\Local\Temp\9c8b27cd0131c5451b869eebce9518bf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1272 wrote to memory of 1176 | N/A | C:\Users\Admin\AppData\Local\Temp\9c8b27cd0131c5451b869eebce9518bf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1272 wrote to memory of 1176 | N/A | C:\Users\Admin\AppData\Local\Temp\9c8b27cd0131c5451b869eebce9518bf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1272 wrote to memory of 1176 | N/A | C:\Users\Admin\AppData\Local\Temp\9c8b27cd0131c5451b869eebce9518bf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1272 wrote to memory of 1176 | N/A | C:\Users\Admin\AppData\Local\Temp\9c8b27cd0131c5451b869eebce9518bf.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9c8b27cd0131c5451b869eebce9518bf.exe
  "C:\Users\Admin\AppData\Local\Temp\9c8b27cd0131c5451b869eebce9518bf.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | lndcin.com | udp
N/A | 162.213.255.22:80 | lndcin.com | tcp
N/A | 8.8.8.8:53 | maxlogs.webhop.me | udp
N/A | 79.134.225.6:1620 | maxlogs.webhop.me | tcp

Files
