Malware Analysis Report

2025-08-05 14:33

Sample ID 221126-3te9vsdg34
Target c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d
SHA256 c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d
Tags: nanocore evasion keylogger persistence spyware stealer trojan
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V6
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d

Threat Level: Known bad

The file c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

Nanocore family

NanoCore

Checks whether UAC is enabled

Adds Run key to start application

Drops file in Program Files directory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-26 23:48

Signatures

Nanocore family

nanocore

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-26 23:48

Reported

2022-11-27 17:19

Platform

win7-20220901-en

Max time kernel

148s

Max time network

49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description     | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Manager = "C:\\Program Files (x86)\\AGP Manager\\agpmgr.exe" | C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description       | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe | N/A

Drops file in Program Files directory

Description                  | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\AGP Manager\agpmgr.exe | C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe | N/A
File created                 | C:\Program Files (x86)\AGP Manager\agpmgr.exe | C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A         | N/A       | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A         | N/A       | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description              | Indicator | Process | Target
Token: SeDebugPrivilege  | N/A       | C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe | N/A
Token: SeDebugPrivilege  | N/A       | C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe

"C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "AGP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9C2.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "AGP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD99.tmp"

Network

Country | Destination    | Domain                     | Proto
N/A     | 8.8.8.8:53     | markus13.chickenkiller.com | udp
N/A     | 127.0.0.2:1640 |                            | tcp
N/A     | 127.0.0.2:1640 |                            | tcp
N/A     | 127.0.0.2:1640 |                            | tcp
N/A     | 127.0.0.2:1640 |                            | tcp
N/A     | 127.0.0.2:1640 |                            | tcp
N/A     | 127.0.0.2:1640 |                            | tcp
N/A     | 127.0.0.2:1640 |                            | tcp
N/A     | 127.0.0.2:1640 |                            | tcp
N/A     | 127.0.0.2:1640 |                            | tcp
N/A     | 127.0.0.2:1640 |                            | tcp
N/A     | 127.0.0.2:1640 |                            | tcp
N/A     | 127.0.0.2:1640 |                            | tcp
N/A     | 127.0.0.2:1640 |                            | tcp
N/A     | 127.0.0.2:1640 |                            | tcp
N/A     | 127.0.0.2:1640 |                            | tcp
N/A     | 127.0.0.2:1640 |                            | tcp
N/A     | 127.0.0.2:1640 |                            | tcp
N/A     | 127.0.0.2:1640 |                            | tcp
N/A     | 127.0.0.2:1640 |                            | tcp
N/A     | 127.0.0.2:1640 |                            | tcp
N/A     | 127.0.0.2:1640 |                            | tcp
N/A     | 127.0.0.2:1640 |                            | tcp

Files

memory/1168-54-0x00000000760E1000-0x00000000760E3000-memory.dmp

memory/1640-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9C2.tmp

MD5 3a73c4001d745adf4e70e4562531ffec
SHA1 fb10145c878e931fb318fc7c51817cf7e6fae687
SHA256 5f9514bf173f3f8403fe7f931e922629f839103d91bd73d77916561dcc13b019
SHA512 0299413bc5094710d399f8a50253f4aa0a68cd14024da4713917b305bc6e57ecf7385846563bd16bdfab88671237df31c943b7587c3fcd7137820f5f07c68534

memory/1168-57-0x0000000074720000-0x0000000074CCB000-memory.dmp

memory/764-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD99.tmp

MD5 885d6dd30570594e167fadb59d9ca0ea
SHA1 9981e583644c4eb9cf5056615a0e1c2913c8983b
SHA256 7155bc082d1713d77c2797575ee0ade8467fb7012f5376c1d6f4aa618141a7d2
SHA512 1623218143c2c25a7c85fa9da8e0f251f04a5eb848c4d0aa10bfb78688518b82393a2b3c7f287a9dc06a366ef9f46d0d4e2d246ad4cef4554a74c0bb6ff9dd2a

memory/1168-60-0x0000000074720000-0x0000000074CCB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-26 23:48

Reported

2022-11-27 17:19

Platform

win10v2004-20220901-en

Max time kernel

149s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description     | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Subsystem = "C:\\Program Files (x86)\\DHCP Subsystem\\dhcpss.exe" | C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description       | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe | N/A

Drops file in Program Files directory

Description                  | Indicator | Process | Target
File created                 | C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe | C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe | N/A
File opened for modification | C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe | C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A         | N/A       | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A         | N/A       | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description              | Indicator | Process | Target
Token: SeDebugPrivilege  | N/A       | C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe | N/A
Token: SeDebugPrivilege  | N/A       | C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe

"C:\Users\Admin\AppData\Local\Temp\c3237e897a6290571c6311cbc4fab1507ea2ad631342a1f2824f2980fb07d38d.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DHCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDF58.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DHCP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE14D.tmp"

Network

Country | Destination        | Domain                     | Proto
N/A     | 8.8.8.8:53         | markus13.chickenkiller.com | udp
N/A     | 127.0.0.2:1640     |                            | tcp
N/A     | 127.0.0.2:1640     |                            | tcp
N/A     | 127.0.0.2:1640     |                            | tcp
N/A     | 52.182.141.63:443  |                            | tcp
N/A     | 2.18.109.224:443   |                            | tcp
N/A     | 127.0.0.2:1640     |                            | tcp
N/A     | 127.0.0.2:1640     |                            | tcp
N/A     | 93.184.221.240:80  |                            | tcp
N/A     | 93.184.221.240:80  |                            | tcp
N/A     | 93.184.221.240:80  |                            | tcp
N/A     | 127.0.0.2:1640     |                            | tcp
N/A     | 127.0.0.2:1640     |                            | tcp
N/A     | 127.0.0.2:1640     |                            | tcp
N/A     | 127.0.0.2:1640     |                            | tcp
N/A     | 127.0.0.2:1640     |                            | tcp
N/A     | 127.0.0.2:1640     |                            | tcp
N/A     | 93.184.221.240:80  |                            | tcp
N/A     | 127.0.0.2:1640     |                            | tcp
N/A     | 127.0.0.2:1640     |                            | tcp
N/A     | 127.0.0.2:1640     |                            | tcp
N/A     | 127.0.0.2:1640     |                            | tcp
N/A     | 127.0.0.2:1640     |                            | tcp
N/A     | 127.0.0.2:1640     |                            | tcp
N/A     | 127.0.0.2:1640     |                            | tcp
N/A     | 127.0.0.2:1640     |                            | tcp
N/A     | 127.0.0.2:1640     |                            | tcp
N/A     | 127.0.0.2:1640     |                            | tcp
N/A     | 127.0.0.2:1640     |                            | tcp
N/A     | 127.0.0.2:1640     |                            | tcp
N/A     | 127.0.0.2:1640     |                            | tcp
N/A     | 127.0.0.2:1640     |                            | tcp

Files

memory/3868-132-0x0000000074750000-0x0000000074D01000-memory.dmp

memory/4924-133-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpDF58.tmp

MD5 3a73c4001d745adf4e70e4562531ffec
SHA1 fb10145c878e931fb318fc7c51817cf7e6fae687
SHA256 5f9514bf173f3f8403fe7f931e922629f839103d91bd73d77916561dcc13b019
SHA512 0299413bc5094710d399f8a50253f4aa0a68cd14024da4713917b305bc6e57ecf7385846563bd16bdfab88671237df31c943b7587c3fcd7137820f5f07c68534

memory/364-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE14D.tmp

MD5 2f26d92c1eeead3896820e56ec46f6f1
SHA1 d95533b61eed7d89e4ada56bc566d60e42ac1f61
SHA256 99a158463ce40c750bad6991ae1fceece305a0dbf8e209dd7147b5d539756bfa
SHA512 6c1ed12d5e1afcd9e7f327e0153786fd8594f75a995f341c408ef014e69917452a9fe99c511f0249aceb57b3045b707f1fd3f404e4086cfbf0aadcb3318db892

memory/3868-137-0x0000000074750000-0x0000000074D01000-memory.dmp