Malware Analysis Report

2025-08-05 14:33

Sample ID 221126-2zpvtafa7v
Target 3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b
SHA256 3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b
Tags
nanocore evasion keylogger persistence spyware stealer trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b was found to be: Known bad.

Malicious Activity Summary

NanoCore

Nanocore family

Checks whether UAC is enabled

Adds Run key to start application

Drops file in Program Files directory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-26 23:01

Signatures

Nanocore family

nanocore

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-26 23:01

Reported

2022-11-27 16:40

Platform

win7-20221111-en

Max time kernel

161s

Max time network

179s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Manager = "C:\\Program Files (x86)\\ISS Manager\\issmgr.exe" C:\Users\Admin\AppData\Local\Temp\3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\ISS Manager\issmgr.exe C:\Users\Admin\AppData\Local\Temp\3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b.exe N/A
File opened for modification C:\Program Files (x86)\ISS Manager\issmgr.exe C:\Users\Admin\AppData\Local\Temp\3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b.exe

"C:\Users\Admin\AppData\Local\Temp\3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "ISS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDA8.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "ISS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp20AC.tmp"

Network


Files

memory/1628-54-0x0000000075BE1000-0x0000000075BE3000-memory.dmp

memory/1628-55-0x0000000074620000-0x0000000074BCB000-memory.dmp

memory/1428-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpDA8.tmp

MD5 37e353043872dd9871820b5a1b667a3c
SHA1 d957a0d83dad1fd90156b80260ed980c2215c2b3
SHA256 a8b0fcd21f2cd626bd19bca8900f6fa993ce554378cb48e670e90a6388e368a2
SHA512 b76d8e64de10c2df82248896adba3b01439f0fb71b3b890d4fcf0eef46a7cb60be7375b633a9daf2130696a4280131a82e34514c0e0cf7a6573227dd2e013fb2

memory/1480-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp20AC.tmp

MD5 ea7095fa975a5ac043c9de2899ce61d0
SHA1 ba4e21d0728fb1b4b87006c2e8ceb6109c9046a3
SHA256 5a1ba7b1b91e0bb7aedcfa82dc687972abb31f72ae1613ac586938ef0843f30f
SHA512 b52c8f1b58f263a3d1ad1ef9939167853a5f55033d9ad8976130174c7118407711a0703266c7d2d542bc2ca8119f875e35cc791b9dd70ef83b5310ac1e7cd1cb

memory/1628-60-0x0000000074620000-0x0000000074BCB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-26 23:01

Reported

2022-11-27 16:39

Platform

win10v2004-20220901-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Subsystem = "C:\\Program Files (x86)\\DHCP Subsystem\\dhcpss.exe" C:\Users\Admin\AppData\Local\Temp\3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe C:\Users\Admin\AppData\Local\Temp\3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b.exe N/A
File opened for modification C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe C:\Users\Admin\AppData\Local\Temp\3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b.exe

"C:\Users\Admin\AppData\Local\Temp\3dcdd7d9f93d651bfe8cac02938594a8de76cc11c07dbbce369432ab06e9084b.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DHCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAD7B.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DHCP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAED4.tmp"

Network


Files

memory/372-135-0x0000000000000000-mapping.dmp

memory/1508-136-0x00000000750E0000-0x0000000075691000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpAD7B.tmp

MD5 37e353043872dd9871820b5a1b667a3c
SHA1 d957a0d83dad1fd90156b80260ed980c2215c2b3
SHA256 a8b0fcd21f2cd626bd19bca8900f6fa993ce554378cb48e670e90a6388e368a2
SHA512 b76d8e64de10c2df82248896adba3b01439f0fb71b3b890d4fcf0eef46a7cb60be7375b633a9daf2130696a4280131a82e34514c0e0cf7a6573227dd2e013fb2

memory/4660-138-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpAED4.tmp

MD5 2f26d92c1eeead3896820e56ec46f6f1
SHA1 d95533b61eed7d89e4ada56bc566d60e42ac1f61
SHA256 99a158463ce40c750bad6991ae1fceece305a0dbf8e209dd7147b5d539756bfa
SHA512 6c1ed12d5e1afcd9e7f327e0153786fd8594f75a995f341c408ef014e69917452a9fe99c511f0249aceb57b3045b707f1fd3f404e4086cfbf0aadcb3318db892

memory/1508-140-0x00000000750E0000-0x0000000075691000-memory.dmp