Malware Analysis Report

2025-08-05 14:34

Sample ID 221126-3kmbtadb58
Target a91a05b74b2d81e3c08103ae753a2d5c85b49388af5e65016254a650971d4627
SHA256 a91a05b74b2d81e3c08103ae753a2d5c85b49388af5e65016254a650971d4627
Tags
nanocore keylogger persistence spyware stealer trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

a91a05b74b2d81e3c08103ae753a2d5c85b49388af5e65016254a650971d4627

Threat Level: Known bad

The file a91a05b74b2d81e3c08103ae753a2d5c85b49388af5e65016254a650971d4627 was found to be: Known bad.

Malicious Activity Summary

nanocore keylogger persistence spyware stealer trojan

NanoCore

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-26 23:34

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-26 23:34

Reported

2022-11-27 17:01

Platform

win7-20221111-en

Max time kernel

207s

Max time network

217s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a91a05b74b2d81e3c08103ae753a2d5c85b49388af5e65016254a650971d4627.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\67txe32ttuv2bg\oxglqmghppn.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PCI Subsystem = "C:\\Program Files (x86)\\PCI Subsystem\\pciss.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1092 set thread context of 340 N/A C:\Users\Admin\67txe32ttuv2bg\oxglqmghppn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\PCI Subsystem\pciss.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
File opened for modification C:\Program Files (x86)\PCI Subsystem\pciss.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count (identical consecutive events)
N/A N/A C:\Users\Admin\67txe32ttuv2bg\oxglqmghppn.exe N/A 33
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A 2
N/A N/A C:\Users\Admin\67txe32ttuv2bg\oxglqmghppn.exe N/A 1
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A 2
N/A N/A C:\Users\Admin\67txe32ttuv2bg\oxglqmghppn.exe N/A 26

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count (identical consecutive events)
PID 1224 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\a91a05b74b2d81e3c08103ae753a2d5c85b49388af5e65016254a650971d4627.exe C:\Users\Admin\67txe32ttuv2bg\oxglqmghppn.exe 7
PID 1092 wrote to memory of 340 N/A C:\Users\Admin\67txe32ttuv2bg\oxglqmghppn.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe 9

Processes

C:\Users\Admin\AppData\Local\Temp\a91a05b74b2d81e3c08103ae753a2d5c85b49388af5e65016254a650971d4627.exe

"C:\Users\Admin\AppData\Local\Temp\a91a05b74b2d81e3c08103ae753a2d5c85b49388af5e65016254a650971d4627.exe"

C:\Users\Admin\67txe32ttuv2bg\oxglqmghppn.exe

"C:\Users\Admin\67txe32ttuv2bg\oxglqmghppn.exe" scmwrrzoij

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 bravebizzle.no-ip.biz udp
N/A 8.8.4.4:53 bravebizzle.no-ip.biz udp
N/A 8.8.8.8:53 bravebizzle.no-ip.biz udp
N/A 8.8.8.8:53 bravebizzle.no-ip.biz udp
N/A 8.8.4.4:53 bravebizzle.no-ip.biz udp
N/A 8.8.8.8:53 bravebizzle.no-ip.biz udp
N/A 8.8.4.4:53 bravebizzle.no-ip.biz udp
N/A 23.105.131.183:1177 tcp

Files

memory/1224-54-0x0000000075291000-0x0000000075293000-memory.dmp

\Users\Admin\67txe32ttuv2bg\oxglqmghppn.exe (listed 4 times with identical hashes)

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

memory/1092-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\67txe32ttuv2bg\oxglqmghppn.exe

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

C:\Users\Admin\67txe32ttuv2bg\scmwrrzoij

MD5 3eb4279899ba49dbc6244b644bb0a156
SHA1 42062100d29ebb74a5c50d3dc2150789db06cc58
SHA256 80003ff0e0ef09ba55b497f3e157e887a4c998e323cbcd83d276573f2beccfcf
SHA512 3c705600d7f9bf7c0f9baccc587793d051f601c7d8588a0ea33c185eaa8d93f04e52b7b33b5b44fdb27633c0af33ed802c5fc66e9d56c17032d424eb74407974

C:\Users\Admin\67TXE3~1\WBPGOQ~1.UFR

MD5 6a5abf9b5dc57110ea8ef9bd64ab4851
SHA1 a50e297ebea757da559938cfa0f677acb1bd2c20
SHA256 0c689d6e066060550a35297e6f18cb5c01b0d3bad976bd0be5fbc271234fe4f5
SHA512 9c4286019f56203e4a37530ba4a2defd77789132250739230f4cf46286f7ec7d269e3ef98ea89714bf5b417ae0e217324f3720ac3c7ecaedb0ef2f0e171cea92

C:\Users\Admin\67TXE3~1\eucf.TCK

MD5 00fcb14d3ec891ef487d8f4618b7b45c
SHA1 9f4f046a8aa1fdd374e252f9eadd51a4ce682ce4
SHA256 f9102f75119180dd0f1b28d5336849fdce20df1265ce68bead27191d9f794fce
SHA512 364c63b1b974f3aecbbd073fa01ed6032f734713cd14ec11ac86f6eebe401ecefce13b18e96f0e98ab200b17186706dad04c5a6dccefd8df736c3b8f3650b90f

memory/340-65-0x0000000000270000-0x00000000002EC000-memory.dmp

memory/340-68-0x000000000028E792-mapping.dmp

memory/340-67-0x0000000000270000-0x00000000002EC000-memory.dmp

memory/340-70-0x0000000000270000-0x00000000002EC000-memory.dmp

memory/340-72-0x0000000000270000-0x00000000002EC000-memory.dmp

memory/340-74-0x0000000000670000-0x000000000067A000-memory.dmp

memory/340-75-0x0000000000680000-0x0000000000692000-memory.dmp

memory/340-76-0x0000000000690000-0x00000000006AA000-memory.dmp

memory/340-77-0x0000000000780000-0x0000000000794000-memory.dmp

memory/340-78-0x0000000000790000-0x00000000007AE000-memory.dmp

memory/340-79-0x0000000000810000-0x000000000081A000-memory.dmp

memory/340-80-0x0000000000860000-0x000000000086E000-memory.dmp

memory/340-81-0x0000000000910000-0x000000000093E000-memory.dmp

memory/340-82-0x00000000008C0000-0x00000000008D4000-memory.dmp

memory/340-83-0x0000000004DA5000-0x0000000004DB6000-memory.dmp

memory/340-84-0x0000000004DA5000-0x0000000004DB6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-26 23:34

Reported

2022-11-27 17:01

Platform

win10v2004-20221111-en

Max time kernel

176s

Max time network

209s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a91a05b74b2d81e3c08103ae753a2d5c85b49388af5e65016254a650971d4627.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a91a05b74b2d81e3c08103ae753a2d5c85b49388af5e65016254a650971d4627.exe

"C:\Users\Admin\AppData\Local\Temp\a91a05b74b2d81e3c08103ae753a2d5c85b49388af5e65016254a650971d4627.exe"

Network

Country Destination Domain Proto
N/A 209.197.3.8:80 tcp
N/A 209.197.3.8:80 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 104.80.225.205:443 tcp
N/A 104.208.16.89:443 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp

Files

N/A