Malware Analysis Report

2025-08-05 14:33

Sample ID 221127-aaf3tsec94
Target b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377
SHA256 b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377
Tags
nanocore evasion keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377

Threat Level: Known bad

The file b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377 was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

Nanocore family

NanoCore

Adds Run key to start application

Checks whether UAC is enabled

Drops file in Program Files directory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-27 00:00

Signatures

Nanocore family

nanocore

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-27 00:00

Reported

2022-11-27 17:38

Platform

win7-20220812-en

Max time kernel

167s

Max time network

184s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Service = "C:\\Program Files (x86)\\SCSI Service\\scsisvc.exe" | C:\Users\Admin\AppData\Local\Temp\b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\SCSI Service\scsisvc.exe | C:\Users\Admin\AppData\Local\Temp\b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377.exe | N/A
File created | C:\Program Files (x86)\SCSI Service\scsisvc.exe | C:\Users\Admin\AppData\Local\Temp\b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377.exe

"C:\Users\Admin\AppData\Local\Temp\b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377.exe"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | asshost.ydns.eu | udp
N/A | 191.96.6.55:333 | asshost.ydns.eu | tcp
N/A | 8.8.8.8:53 | asshost.ydns.eu | udp
N/A | 191.96.6.55:333 | asshost.ydns.eu | tcp
N/A | 8.8.8.8:53 | asshost.ydns.eu | udp
N/A | 191.96.6.55:333 | asshost.ydns.eu | tcp
N/A | 8.8.8.8:53 | asshost.duckdns.org | udp
N/A | 191.96.6.55:333 | asshost.duckdns.org | tcp
N/A | 8.8.8.8:53 | asshost.duckdns.org | udp
N/A | 191.96.6.55:333 | asshost.duckdns.org | tcp
N/A | 8.8.8.8:53 | asshost.duckdns.org | udp
N/A | 191.96.6.55:333 | asshost.duckdns.org | tcp

Files

memory/1976-54-0x0000000076321000-0x0000000076323000-memory.dmp

memory/1976-55-0x0000000074830000-0x0000000074DDB000-memory.dmp

memory/1976-56-0x0000000074830000-0x0000000074DDB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-27 00:00

Reported

2022-11-27 17:38

Platform

win10v2004-20220812-en

Max time kernel

179s

Max time network

186s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Host = "C:\\Program Files (x86)\\DDP Host\\ddphost.exe" | C:\Users\Admin\AppData\Local\Temp\b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\DDP Host\ddphost.exe | C:\Users\Admin\AppData\Local\Temp\b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377.exe | N/A
File opened for modification | C:\Program Files (x86)\DDP Host\ddphost.exe | C:\Users\Admin\AppData\Local\Temp\b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377.exe

"C:\Users\Admin\AppData\Local\Temp\b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377.exe"

Network

Country | Destination | Domain | Proto
N/A | 20.44.10.122:443 | N/A | tcp
N/A | 8.8.8.8:53 | asshost.ydns.eu | udp
N/A | 191.96.6.55:333 | asshost.ydns.eu | tcp
N/A | 104.110.191.140:80 | N/A | tcp
N/A | 104.110.191.140:80 | N/A | tcp
N/A | 104.110.191.140:80 | N/A | tcp
N/A | 8.8.8.8:53 | asshost.ydns.eu | udp
N/A | 191.96.6.55:333 | asshost.ydns.eu | tcp
N/A | 8.8.8.8:53 | asshost.ydns.eu | udp
N/A | 191.96.6.55:333 | asshost.ydns.eu | tcp
N/A | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp
N/A | 8.8.8.8:53 | asshost.duckdns.org | udp
N/A | 191.96.6.55:333 | asshost.duckdns.org | tcp
N/A | 8.8.8.8:53 | asshost.duckdns.org | udp
N/A | 191.96.6.55:333 | asshost.duckdns.org | tcp
N/A | 8.8.8.8:53 | asshost.duckdns.org | udp
N/A | 191.96.6.55:333 | asshost.duckdns.org | tcp
N/A | 8.8.8.8:53 | asshost.ydns.eu | udp
N/A | 191.96.6.55:333 | asshost.ydns.eu | tcp
N/A | 8.8.8.8:53 | asshost.ydns.eu | udp
N/A | 191.96.6.55:333 | asshost.ydns.eu | tcp
N/A | 8.8.8.8:53 | asshost.ydns.eu | udp
N/A | 191.96.6.55:333 | asshost.ydns.eu | tcp

Files

memory/4956-132-0x00000000745F0000-0x0000000074BA1000-memory.dmp

memory/4956-133-0x00000000745F0000-0x0000000074BA1000-memory.dmp