Malware Analysis Report

2025-08-05 14:34

Sample ID 221126-3l949sdc63
Target a028f14dde5e1cf076c6d180edc994cf385a91a7b0e858156bec56bc00877256
SHA256 a028f14dde5e1cf076c6d180edc994cf385a91a7b0e858156bec56bc00877256
Tags
nanocore evasion keylogger persistence spyware stealer trojan
score
10/10


Analysis Overview

score
10/10

SHA256

a028f14dde5e1cf076c6d180edc994cf385a91a7b0e858156bec56bc00877256

Threat Level: Known bad

The file a028f14dde5e1cf076c6d180edc994cf385a91a7b0e858156bec56bc00877256 was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

NanoCore

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-26 23:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-26 23:37

Reported

2022-11-27 17:05

Platform

win7-20220901-en

Max time kernel

150s

Max time network

46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a028f14dde5e1cf076c6d180edc994cf385a91a7b0e858156bec56bc00877256.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce6Katu8cP.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Manager = "C:\\Program Files (x86)\\AGP Manager\\agpmgr.exe" C:\Users\Admin\AppData\Local\Temp\ce6Katu8cP.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ce6Katu8cP.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\AGP Manager\agpmgr.exe C:\Users\Admin\AppData\Local\Temp\ce6Katu8cP.exe N/A
File created C:\Program Files (x86)\AGP Manager\agpmgr.exe C:\Users\Admin\AppData\Local\Temp\ce6Katu8cP.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\a028f14dde5e1cf076c6d180edc994cf385a91a7b0e858156bec56bc00877256.exe

"C:\Users\Admin\AppData\Local\Temp\a028f14dde5e1cf076c6d180edc994cf385a91a7b0e858156bec56bc00877256.exe"

C:\Users\Admin\AppData\Local\Temp\ce6Katu8cP.exe

"C:\Users\Admin\AppData\Local\Temp\ce6Katu8cP.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 steffenernst.ddns.net udp

Files

memory/1632-54-0x0000000000BD0000-0x0000000000BFC000-memory.dmp

memory/1632-55-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

memory/1632-56-0x0000000000300000-0x0000000000312000-memory.dmp

\Users\Admin\AppData\Local\Temp\ce6Katu8cP.exe

MD5 27ddcce8f1fce61204719d271f240aae
SHA1 7684d14fe04f0865fa1bdcb539f1223b1a17a194
SHA256 7c6403534a369f4f1184ed6283b89913b67c597facfeac7b18daf2685e08a879
SHA512 37f6b5cd8e8c65e1fbf1ec8115d97cabdf10a1882fb33db27508be0d3337214f08b89b69017ff2c6368538c4f76c992ac55914ed2b0d06cb3d40d6012466516b


C:\Users\Admin\AppData\Local\Temp\ce6Katu8cP.exe

MD5 27ddcce8f1fce61204719d271f240aae
SHA1 7684d14fe04f0865fa1bdcb539f1223b1a17a194
SHA256 7c6403534a369f4f1184ed6283b89913b67c597facfeac7b18daf2685e08a879
SHA512 37f6b5cd8e8c65e1fbf1ec8115d97cabdf10a1882fb33db27508be0d3337214f08b89b69017ff2c6368538c4f76c992ac55914ed2b0d06cb3d40d6012466516b

memory/2040-59-0x0000000000000000-mapping.dmp


memory/2040-63-0x000000006F9A0000-0x000000006FF4B000-memory.dmp

memory/2040-64-0x000000006F9A0000-0x000000006FF4B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-26 23:37

Reported

2022-11-27 17:05

Platform

win10v2004-20220812-en

Max time kernel

155s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a028f14dde5e1cf076c6d180edc994cf385a91a7b0e858156bec56bc00877256.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6QZxCPSXxz.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a028f14dde5e1cf076c6d180edc994cf385a91a7b0e858156bec56bc00877256.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Manager = "C:\\Program Files (x86)\\DDP Manager\\ddpmgr.exe" C:\Users\Admin\AppData\Local\Temp\6QZxCPSXxz.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\6QZxCPSXxz.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DDP Manager\ddpmgr.exe C:\Users\Admin\AppData\Local\Temp\6QZxCPSXxz.exe N/A
File opened for modification C:\Program Files (x86)\DDP Manager\ddpmgr.exe C:\Users\Admin\AppData\Local\Temp\6QZxCPSXxz.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\a028f14dde5e1cf076c6d180edc994cf385a91a7b0e858156bec56bc00877256.exe

"C:\Users\Admin\AppData\Local\Temp\a028f14dde5e1cf076c6d180edc994cf385a91a7b0e858156bec56bc00877256.exe"

C:\Users\Admin\AppData\Local\Temp\6QZxCPSXxz.exe

"C:\Users\Admin\AppData\Local\Temp\6QZxCPSXxz.exe"

Network

Country Destination Domain Proto
N/A 52.168.117.170:443 tcp
N/A 93.184.220.29:80 tcp
N/A 178.79.208.1:80 tcp (3 connections)
N/A 8.8.8.8:53 steffenernst.ddns.net udp (14 lookups)
N/A 8.8.8.8:53 udp

Files

memory/2736-132-0x0000000000450000-0x000000000047C000-memory.dmp

memory/2736-133-0x0000000004E20000-0x0000000004EBC000-memory.dmp

memory/2736-134-0x0000000005660000-0x0000000005C04000-memory.dmp

memory/2736-135-0x0000000004FA0000-0x0000000005032000-memory.dmp

memory/2736-136-0x0000000004E10000-0x0000000004E1A000-memory.dmp

memory/2736-137-0x0000000005040000-0x0000000005096000-memory.dmp

memory/2016-138-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\6QZxCPSXxz.exe

MD5 27ddcce8f1fce61204719d271f240aae
SHA1 7684d14fe04f0865fa1bdcb539f1223b1a17a194
SHA256 7c6403534a369f4f1184ed6283b89913b67c597facfeac7b18daf2685e08a879
SHA512 37f6b5cd8e8c65e1fbf1ec8115d97cabdf10a1882fb33db27508be0d3337214f08b89b69017ff2c6368538c4f76c992ac55914ed2b0d06cb3d40d6012466516b


memory/2016-141-0x00000000703A0000-0x0000000070951000-memory.dmp

memory/2016-142-0x00000000703A0000-0x0000000070951000-memory.dmp