Malware Analysis Report

2025-04-13 21:10

Sample ID 240127-fzz5wsdhh8
Target 795f466f1d7046801dff29d26e922b35
SHA256 81c5ece1954156740f639f838730f9f27f2dbb17b7752f525a715d4bc0fa03e8
Tags
nanocore evasion keylogger persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

81c5ece1954156740f639f838730f9f27f2dbb17b7752f525a715d4bc0fa03e8

Threat Level: Known bad

The file 795f466f1d7046801dff29d26e922b35 was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

NanoCore

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Checks processor information in registry

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-01-27 05:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-27 05:19

Reported

2024-01-27 05:21

Platform

win7-20231215-en

Max time kernel

145s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Host = "C:\\Program Files (x86)\\WPA Host\\wpahost.exe" C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2668 set thread context of 2716 N/A C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\WPA Host\wpahost.exe C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe N/A
File opened for modification C:\Program Files (x86)\WPA Host\wpahost.exe C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2668 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe
PID 2668 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe
PID 2668 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe
PID 2716 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe C:\Windows\SysWOW64\schtasks.exe
PID 2716 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe

"C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe"

C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe

"C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe"

C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe

"C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe"

C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe

"C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "WPA Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4A1A.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "WPA Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4CAB.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 shutdown1337.ddns.net udp
US 8.8.4.4:53 shutdown1337.ddns.net udp
N/A 192.168.1.67:10134 tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp4A1A.tmp

MD5 1e066fb33041a599e72459f8e659972e
SHA1 1c4787d843093c56a328003247a74b23238224e7
SHA256 44d6b3fbd67563b2f32086a6ec66d726db9ef425821af249ece97da48854d361
SHA512 f1e8d8055951009a3289a4237df6597cd0aac83ba5b379f535b127459c8e04ddcf2e17346840a180409f4ed212113b3f9545e2e623b9a6e203bca4e35ff9e395

C:\Users\Admin\AppData\Local\Temp\tmp4CAB.tmp

MD5 819bdbdac3be050783d203020e6c4c30
SHA1 a373521fceb21cac8b93e55ee48578e40a6e740b
SHA256 0e5dedca6d0d3c50ebcedb5bbf51ef3d434eb6b43da46764205de7636131f053
SHA512 cece1c4d8b4db79fc6e3cd225efaccdf9d2493f28991b1d48439944af38aaa61a215bd00a0beedcbdecc4f1ec5be0843774375a483f3d4a573a3980c54798cbd

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-27 05:19

Reported

2024-01-27 05:22

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe

"C:\Users\Admin\AppData\Local\Temp\795f466f1d7046801dff29d26e922b35.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe

dw20.exe -x -s 1076

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp

Files
