Malware Analysis Report

2025-04-13 21:10

Sample ID 240127-pmta9acag3
Target 7a40d67c8a78ef63bda595ab16f5ac0f
SHA256 e2baf0f5b01a92323fa0f46207e5b9ae09ec8945ef722b912d3559d43c6e907c
Tags
nanocore evasion keylogger spyware stealer trojan
Score
10/10


Analysis Overview

Score
10/10

SHA256

e2baf0f5b01a92323fa0f46207e5b9ae09ec8945ef722b912d3559d43c6e907c

Threat Level: Known bad

The file 7a40d67c8a78ef63bda595ab16f5ac0f was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger spyware stealer trojan

NanoCore

Checks computer location settings

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-01-27 12:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-27 12:27

Reported

2024-01-27 12:29

Platform

win7-20231215-en

Max time kernel

146s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2336 set thread context of 596 N/A C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe N/A 2

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2336 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe C:\Windows\SysWOW64\schtasks.exe 4
PID 2336 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe 9

Processes

C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe

"C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uTptUfOsJI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5206.tmp"

C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe

"C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe"

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 fablousy.kozow.com udp 5
NO 194.5.98.75:4050 fablousy.kozow.com tcp 5
N/A 127.0.0.1:4050 N/A tcp 3

Files


C:\Users\Admin\AppData\Local\Temp\tmp5206.tmp

MD5 6bd631165363f9d2a16b51b4a04e8da7
SHA1 3f7e3f7850f18cdb9ea4f269421a21957c0640ae
SHA256 126119e16b352ec912c0dd2ed4a7dd573fb61be98afa4e020de08376eec287b0
SHA512 bffea97ac73a0074caa6f549525a21c4679dd9a6275dbfd3f39feac2583acc3b024ee2cfb782440e31f0664ea9d2ecef98f58a0f5853fc4088547002ceac189f


Analysis: behavioral2

Detonation Overview

Submitted

2024-01-27 12:27

Reported

2024-01-27 12:29

Platform

win10v2004-20231222-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4944 set thread context of 3988 N/A C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe N/A 2

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 4944 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 4944 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe 3
PID 4944 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe 3
PID 4944 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe 8

Processes

C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe

"C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uTptUfOsJI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3BDB.tmp"

C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe

"C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe"

C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe

"C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe"

C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe

"C:\Users\Admin\AppData\Local\Temp\7a40d67c8a78ef63bda595ab16f5ac0f.exe"

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp 1
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp 1
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 1
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp 1
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp 1
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp 1
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp 1
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp 1
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp 1
US 8.8.8.8:53 80.14.97.104.in-addr.arpa udp 1
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp 1
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp 1
US 8.8.8.8:53 fablousy.kozow.com udp 4
NO 194.5.98.75:4050 fablousy.kozow.com tcp 4
N/A 127.0.0.1:4050 N/A tcp 3
US 8.8.8.8:53 N/A udp 1
NO 194.5.98.75:4050 N/A tcp 1

Files


C:\Users\Admin\AppData\Local\Temp\tmp3BDB.tmp

MD5 a8312b3e81ba60ee5a4987159b88c157
SHA1 4bcefaa659645a2b92c7d5c23a81b9120090fc9c
SHA256 eb59fd50309022602a46f5c798a49ae6fbc88935e639bc91b6f5bb479ab4be2f
SHA512 74b5c4d8dc1bdeb33e9323794f92b366204efbdd9f9110cdffa022f4600a3e7cfa87102fda87cd836c3c09b4b7272d0ae9ea0d63cb58842970b597def6a4f547


C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\7a40d67c8a78ef63bda595ab16f5ac0f.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
