Malware Analysis Report

2025-06-16 06:19

Sample ID: 231226-kjwvrabfb3
Target: 605c35366b7c51d33746d7173b9a5169
SHA256: 4a67899d740ecd593679a000e4fd663474307306640d8862a2d986ba4ce3b189
Tags: nanocore keylogger persistence spyware stealer trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 4a67899d740ecd593679a000e4fd663474307306640d8862a2d986ba4ce3b189

Threat Level: Known bad

The file 605c35366b7c51d33746d7173b9a5169 was found to be: Known bad.

Malicious Activity Summary

nanocore keylogger persistence spyware stealer trojan

NanoCore

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-26 08:38

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-26 08:38
Reported: 2024-01-06 06:45
Platform: win7-20231215-en
Max time kernel: 60s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe"

Signatures

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe

"C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "LAN Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8B9.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "LAN Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp879.tmp"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sjxNYmz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp751.tmp"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 1116.hopto.org | udp
RU | 194.147.140.136:1116 | 1116.hopto.org | tcp
US | 8.8.8.8:53 | 1116.hopto.org | udp
RU | 194.147.140.136:1116 | 1116.hopto.org | tcp
US | 8.8.8.8:53 | 1116.hopto.org | udp
RU | 194.147.140.136:1116 | 1116.hopto.org | tcp
DE | 185.140.53.9:1116 | N/A | tcp
DE | 185.140.53.9:1116 | N/A | tcp
DE | 185.140.53.9:1116 | N/A | tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-26 08:38
Reported: 2024-01-06 06:46
Platform: win10v2004-20231215-en
Max time kernel: 167s
Max time network: 179s

Command Line

"C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe"

Signatures

NanoCore

Tags: keylogger trojan stealer spyware nanocore

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ARP Manager = "C:\\Program Files (x86)\\ARP Manager\\arpmgr.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4292 set thread context of 4892 | N/A | C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\ARP Manager\arpmgr.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
File opened for modification | C:\Program Files (x86)\ARP Manager\arpmgr.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4292 wrote to memory of 320 | N/A | C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4292 wrote to memory of 320 | N/A | C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4292 wrote to memory of 320 | N/A | C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4292 wrote to memory of 4892 | N/A | C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4292 wrote to memory of 4892 | N/A | C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4292 wrote to memory of 4892 | N/A | C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4292 wrote to memory of 4892 | N/A | C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4292 wrote to memory of 4892 | N/A | C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4292 wrote to memory of 4892 | N/A | C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4292 wrote to memory of 4892 | N/A | C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4292 wrote to memory of 4892 | N/A | C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4892 wrote to memory of 2292 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4892 wrote to memory of 2292 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4892 wrote to memory of 2292 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4892 wrote to memory of 2500 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4892 wrote to memory of 2500 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4892 wrote to memory of 2500 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe

"C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sjxNYmz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp64.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "ARP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp749.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "ARP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp10C0.tmp"

Network

Country | Destination | Domain | Proto
NL | 52.142.223.178:80 | N/A | tcp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.53.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 1116.hopto.org | udp
RU | 194.147.140.136:1116 | 1116.hopto.org | tcp
US | 8.8.8.8:53 | 1116.hopto.org | udp
RU | 194.147.140.136:1116 | 1116.hopto.org | tcp
US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 1116.hopto.org | udp
RU | 194.147.140.136:1116 | 1116.hopto.org | tcp
DE | 185.140.53.9:1116 | N/A | tcp
DE | 185.140.53.9:1116 | N/A | tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp64.tmp

MD5 5ab73a4127f2b244bb189cb2390cb47c
SHA1 2257d69c15a7e9cf669acb09d47a6deae90b510c
SHA256 6c823819052208efc65d3615a7a193122b2c94fb3914a11737cae1568e09a189
SHA512 dbd310258e537d9b3fd442c22d582a5160f4d7b0a5fdb4602102b4893ce9a080b9fea772433477c744f6718a864860fd8e2867e3dd835bd5ac6a06aa6c646bf8

C:\Users\Admin\AppData\Local\Temp\tmp749.tmp

MD5 8cad1b41587ced0f1e74396794f31d58
SHA1 11054bf74fcf5e8e412768035e4dae43aa7b710f
SHA256 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c
SHA512 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

C:\Users\Admin\AppData\Local\Temp\tmp10C0.tmp

MD5 b6fc28b9f341812fc919e0d4c5ac0941
SHA1 d49341ec5a78189830dbf64b2bb553d0fbe06e88
SHA256 2aacf4d9629bbec978f5a9ecfe8009cd18cfb5dbde09507937e0aaa13b1aeaba
SHA512 166ece1d42a5f438142bc5df5f34b30ee17de5844383bb7517200ee77d77b1b8096e963739cc9188602742984d2e1dc8bc9788d8ae12010e5a05415676e29fdf
