Malware Analysis Report

2025-06-16 06:19

Sample ID 240106-mxp1gafgc2
Target 605c35366b7c51d33746d7173b9a5169.exe
SHA256 4a67899d740ecd593679a000e4fd663474307306640d8862a2d986ba4ce3b189
Tags
nanocore keylogger persistence spyware stealer trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

4a67899d740ecd593679a000e4fd663474307306640d8862a2d986ba4ce3b189

Threat Level: Known bad

The file 605c35366b7c51d33746d7173b9a5169.exe was found to be: Known bad.

Malicious Activity Summary

nanocore keylogger persistence spyware stealer trojan

NanoCore

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-06 10:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-06 10:50

Reported

2024-01-06 10:54

Platform

win7-20231215-en

Max time kernel

144s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LAN Monitor = "C:\\Program Files (x86)\\LAN Monitor\\lanmon.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2780 set thread context of 440 N/A C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\LAN Monitor\lanmon.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
File opened for modification C:\Program Files (x86)\LAN Monitor\lanmon.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2780 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe C:\Windows\SysWOW64\schtasks.exe
PID 2780 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2780 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2780 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2780 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2780 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2780 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2780 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2780 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2780 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2780 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2780 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2780 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 440 wrote to memory of 2440 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 440 wrote to memory of 2440 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 440 wrote to memory of 2440 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 440 wrote to memory of 2440 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 440 wrote to memory of 952 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 440 wrote to memory of 952 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 440 wrote to memory of 952 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 440 wrote to memory of 952 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe

"C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sjxNYmz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp65E4.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "LAN Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6D63.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "LAN Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6EEA.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 1116.hopto.org udp
RU 194.147.140.136:1116 1116.hopto.org tcp
US 8.8.8.8:53 1116.hopto.org udp
RU 194.147.140.136:1116 1116.hopto.org tcp
US 8.8.8.8:53 1116.hopto.org udp
RU 194.147.140.136:1116 1116.hopto.org tcp
DE 185.140.53.9:1116 N/A tcp
DE 185.140.53.9:1116 N/A tcp
DE 185.140.53.9:1116 N/A tcp

Files

memory/2780-0-0x0000000001360000-0x000000000147E000-memory.dmp

memory/2780-1-0x0000000074310000-0x00000000749FE000-memory.dmp

memory/2780-2-0x0000000004D70000-0x0000000004DB0000-memory.dmp

memory/2780-3-0x0000000000580000-0x00000000005A2000-memory.dmp

memory/2780-4-0x0000000074310000-0x00000000749FE000-memory.dmp

memory/2780-5-0x0000000004D70000-0x0000000004DB0000-memory.dmp

memory/2780-6-0x0000000004F20000-0x0000000004FA2000-memory.dmp

memory/2780-7-0x00000000011A0000-0x00000000011DA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp65E4.tmp

MD5 76008acf5c08aa64e40a96ba1cd5e783
SHA1 f506f4d5e4743b2c33f3a4d93260c93d7b838245
SHA256 8aab931900a539ffb3d82d6c0e3d9d165bd9fe55eac5bff2c13081c7e0528b16
SHA512 15615c34dd626a51dd8b4ee54e52a909c773f72341c8d8b4ad070ff8ef36a8e0e27a11747b5b1e3cb2a11d5952c5a54bf268028f718b2e81a97af422285c31cd

memory/440-13-0x0000000000400000-0x0000000000438000-memory.dmp

memory/440-15-0x0000000000400000-0x0000000000438000-memory.dmp

memory/440-17-0x0000000000400000-0x0000000000438000-memory.dmp

memory/440-19-0x0000000000400000-0x0000000000438000-memory.dmp

memory/440-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/440-23-0x0000000000400000-0x0000000000438000-memory.dmp

memory/440-25-0x0000000000400000-0x0000000000438000-memory.dmp

memory/440-27-0x0000000000400000-0x0000000000438000-memory.dmp

memory/440-29-0x0000000074310000-0x00000000749FE000-memory.dmp

memory/2780-28-0x0000000074310000-0x00000000749FE000-memory.dmp

memory/440-30-0x0000000004C00000-0x0000000004C40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp6D63.tmp

MD5 8cad1b41587ced0f1e74396794f31d58
SHA1 11054bf74fcf5e8e412768035e4dae43aa7b710f
SHA256 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c
SHA512 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

C:\Users\Admin\AppData\Local\Temp\tmp6EEA.tmp

MD5 ecf141ec69adbb2a5c3dd5c85cd0ec39
SHA1 0ad224632fa58d103142c05c44a142f3d7208291
SHA256 64d8cfa0b25afee269839cd5fc0b66e5643bc318e5f4d3ce1b9dba2456c83316
SHA512 4821b062d6672f3ed07833cfd7ab9abb533850b451b632d781fbfad8238fcd5ac52855f1f239547ae2d1c1477959f022430302a75cfd3c19a8473af72a1ef201

memory/440-38-0x00000000003F0000-0x00000000003FA000-memory.dmp

memory/440-39-0x0000000000440000-0x000000000045E000-memory.dmp

memory/440-40-0x0000000000460000-0x000000000046A000-memory.dmp

memory/440-41-0x0000000004C00000-0x0000000004C40000-memory.dmp

memory/440-42-0x0000000074310000-0x00000000749FE000-memory.dmp

memory/440-43-0x0000000004C00000-0x0000000004C40000-memory.dmp

memory/440-44-0x0000000004C00000-0x0000000004C40000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-06 10:50

Reported

2024-01-06 10:53

Platform

win10v2004-20231215-en

Max time kernel

57s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe

"C:\Users\Admin\AppData\Local\Temp\605c35366b7c51d33746d7173b9a5169.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "NAT Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2FD6.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "NAT Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2FB6.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sjxNYmz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2E20.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 138.91.171.81:80 N/A tcp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
GB 23.44.234.16:80 N/A tcp
US 8.8.8.8:53 16.234.44.23.in-addr.arpa udp
US 8.8.8.8:53 211.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 N/A udp
N/A 40.68.123.157:443 N/A tcp
US 8.8.8.8:53 N/A udp
N/A 40.68.123.157:443 N/A tcp
N/A 40.68.123.157:443 N/A tcp
US 8.8.8.8:53 N/A udp
N/A 51.124.78.146:443 N/A tcp
US 8.8.8.8:53 N/A udp
US 8.8.8.8:53 N/A udp
N/A 20.3.187.198:443 N/A tcp
N/A 51.124.78.146:443 N/A tcp
N/A 51.124.78.146:443 N/A tcp
US 8.8.8.8:53 N/A udp
N/A 40.68.123.157:443 N/A tcp
US 8.8.8.8:53 N/A udp
N/A 20.3.187.198:443 N/A tcp
US 8.8.8.8:53 N/A udp
N/A 40.68.123.157:443 N/A tcp
US 8.8.8.8:53 N/A udp
N/A 40.68.123.157:443 N/A tcp
N/A 92.123.241.104:80 N/A tcp
N/A 92.123.241.104:80 N/A tcp
US 8.8.8.8:53 N/A udp
US 8.8.8.8:53 N/A udp
US 8.8.8.8:53 N/A udp
GB 88.221.135.217:80 N/A tcp
N/A 20.54.110.119:443 N/A tcp
US 8.8.8.8:53 N/A udp
US 8.8.8.8:53 N/A udp
US 8.8.8.8:53 N/A udp
N/A 20.3.187.198:443 N/A tcp
US 8.8.8.8:53 N/A udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 20.231.121.79:80 N/A tcp
RU 194.147.140.136:1116 N/A tcp
DE 185.140.53.9:1116 N/A tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/4972-1-0x0000000074BA0000-0x0000000075350000-memory.dmp

memory/4972-2-0x00000000058A0000-0x000000000593C000-memory.dmp

memory/4972-3-0x0000000005EF0000-0x0000000006494000-memory.dmp

memory/4972-4-0x00000000059E0000-0x0000000005A72000-memory.dmp

memory/4972-7-0x0000000005B70000-0x0000000005BC6000-memory.dmp

memory/4972-6-0x0000000005950000-0x000000000595A000-memory.dmp

memory/4972-5-0x0000000005850000-0x0000000005860000-memory.dmp

memory/4972-0-0x0000000000D90000-0x0000000000EAE000-memory.dmp

memory/4972-8-0x0000000005C40000-0x0000000005C62000-memory.dmp

memory/4972-9-0x0000000074BA0000-0x0000000075350000-memory.dmp

memory/4972-10-0x0000000005850000-0x0000000005860000-memory.dmp

memory/4972-12-0x0000000007180000-0x00000000071BA000-memory.dmp

memory/4972-11-0x0000000007100000-0x0000000007182000-memory.dmp

memory/3020-18-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3020-22-0x0000000005440000-0x0000000005450000-memory.dmp

memory/4972-21-0x0000000074BA0000-0x0000000075350000-memory.dmp

memory/3020-20-0x0000000074BA0000-0x0000000075350000-memory.dmp

memory/3020-31-0x0000000006270000-0x000000000628E000-memory.dmp

memory/3020-32-0x0000000005430000-0x000000000543A000-memory.dmp

memory/3020-30-0x00000000051E0000-0x00000000051EA000-memory.dmp

memory/3020-33-0x0000000074BA0000-0x0000000075350000-memory.dmp

memory/3020-34-0x0000000005440000-0x0000000005450000-memory.dmp