Malware Analysis Report

2025-04-13 21:10

Sample ID: 240127-pzzzkaecbm
Target: PDFextractor.exe
SHA256: fcbe2ceaf680fc8f9b379dc41fc3d88887478965321551b385a40dd42c6dd4cc
Tags: nanocore evasion keylogger persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: fcbe2ceaf680fc8f9b379dc41fc3d88887478965321551b385a40dd42c6dd4cc

Threat Level: Known bad

The file PDFextractor.exe was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

Nanocore family

NanoCore

Adds Run key to start application

Checks whether UAC is enabled

Drops file in Program Files directory

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-27 12:46

Signatures

Nanocore family

nanocore

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-27 12:46
Reported: 2024-01-27 12:49
Platform: win7-20231215-en
Max time kernel: 118s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PDFextractor.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PCI Service = "C:\\Program Files (x86)\\PCI Service\\pcisvc.exe" | C:\Users\Admin\AppData\Local\Temp\PDFextractor.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\PDFextractor.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\PCI Service\pcisvc.exe | C:\Users\Admin\AppData\Local\Temp\PDFextractor.exe | N/A
File opened for modification | C:\Program Files (x86)\PCI Service\pcisvc.exe | C:\Users\Admin\AppData\Local\Temp\PDFextractor.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PDFextractor.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PDFextractor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PDFextractor.exe

"C:\Users\Admin\AppData\Local\Temp\PDFextractor.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "PCI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5A60.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "PCI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5CC1.tmp"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | divert64.hopto.org | udp
CA | 142.67.130.172:54999 | divert64.hopto.org | tcp

Files

memory/2192-0-0x00000000747F0000-0x0000000074D9B000-memory.dmp

memory/2192-2-0x0000000002220000-0x0000000002260000-memory.dmp

memory/2192-1-0x00000000747F0000-0x0000000074D9B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5A60.tmp

MD5 7f6c0b45ec5c38500de95eddd09ddac8
SHA1 a38c639dd5c13d7f128f8bbae211d5f9ff8bd2f4
SHA256 e90517f2caaba84a9999518915f3fd5771f3d38ce60de95bae0a095be652cc5c
SHA512 aa93bbf8d3586f923cde1e29b37cec3793b5a40b15f8e2b1d5337e1e4182f3faa23dbb9b8fc01bde4a939826aea5ef8555094926b1de45a4a88f70f5086c188e

C:\Users\Admin\AppData\Local\Temp\tmp5CC1.tmp

MD5 a4f6fa4537e2dcf0d3e2802c0f070a4d
SHA1 03545095bfeddd7656b5b8547ab84a810324a94f
SHA256 192ac26e1895b267149bde35c55327f4a441693495239da5899062924d45bd11
SHA512 a4293123d718b0511a8301a7f536e403cecf8bc89f25f9dc4692b293eb8a554a8eb67993a26fe0e96792b6eb3573b34e9b270777cafe95c2383268da6d40fd2e

memory/2192-12-0x00000000747F0000-0x0000000074D9B000-memory.dmp

memory/2192-13-0x00000000747F0000-0x0000000074D9B000-memory.dmp

memory/2192-14-0x0000000002220000-0x0000000002260000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-27 12:46
Reported: 2024-01-27 12:49
Platform: win10v2004-20231215-en
Max time kernel: 143s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\PDFextractor.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NAT Service = "C:\\Program Files (x86)\\NAT Service\\natsv.exe" | C:\Users\Admin\AppData\Local\Temp\PDFextractor.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\PDFextractor.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\NAT Service\natsv.exe | C:\Users\Admin\AppData\Local\Temp\PDFextractor.exe | N/A
File opened for modification | C:\Program Files (x86)\NAT Service\natsv.exe | C:\Users\Admin\AppData\Local\Temp\PDFextractor.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PDFextractor.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PDFextractor.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\PDFextractor.exe

"C:\Users\Admin\AppData\Local\Temp\PDFextractor.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "NAT Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5861.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "NAT Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp58C0.tmp"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | divert64.hopto.org | udp
CA | 142.67.130.172:54999 | divert64.hopto.org | tcp
US | 8.8.8.8:53 | 172.130.67.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp

Files

memory/4072-0-0x0000000075470000-0x0000000075A21000-memory.dmp

memory/4072-2-0x0000000075470000-0x0000000075A21000-memory.dmp

memory/4072-1-0x0000000000A80000-0x0000000000A90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5861.tmp

MD5 7f6c0b45ec5c38500de95eddd09ddac8
SHA1 a38c639dd5c13d7f128f8bbae211d5f9ff8bd2f4
SHA256 e90517f2caaba84a9999518915f3fd5771f3d38ce60de95bae0a095be652cc5c
SHA512 aa93bbf8d3586f923cde1e29b37cec3793b5a40b15f8e2b1d5337e1e4182f3faa23dbb9b8fc01bde4a939826aea5ef8555094926b1de45a4a88f70f5086c188e

C:\Users\Admin\AppData\Local\Temp\tmp58C0.tmp

MD5 cd8e69b89899eb65a199cc8019e502ad
SHA1 19ae04c02d02e2828e4513de66734c383660d1a5
SHA256 cf1a9b78745b0f788fea2f579f1e3a82efc7425edb1f35abb8dd8e1cbaaf03ef
SHA512 9a2bf35fc687ec6ac81ad3fe16f82f104ad880be6b36afc7297264de09d50e85d9d3376ed9378d56b08ef94ca700b886cc40768587fc623c7fb6117265bd7033

memory/4072-10-0x0000000000A80000-0x0000000000A90000-memory.dmp

memory/4072-13-0x0000000075470000-0x0000000075A21000-memory.dmp

memory/4072-14-0x0000000000A80000-0x0000000000A90000-memory.dmp

memory/4072-15-0x0000000075470000-0x0000000075A21000-memory.dmp

memory/4072-16-0x0000000000A80000-0x0000000000A90000-memory.dmp