Malware Analysis Report

2025-04-13 21:10

Sample ID: 240127-zbk6lsddbp
Target: tmp
SHA256: 1b0f0f68bba4c25b14187378bebf8db9dce85ec634e7375b53a287ad2dc12ea2
Tags: nanocore evasion keylogger persistence spyware stealer trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 1b0f0f68bba4c25b14187378bebf8db9dce85ec634e7375b53a287ad2dc12ea2

Threat Level: Known bad

The file tmp was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

Nanocore family

NanoCore

Adds Run key to start application

Checks whether UAC is enabled

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-27 20:32

Signatures

Nanocore family
Tags: nanocore

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-27 20:32
Reported: 2024-01-27 20:35
Platform: win7-20231215-en
Max time kernel: 120s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

NanoCore
Tags: keylogger trojan stealer spyware nanocore

Adds Run key to start application
Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LAN Monitor = "C:\\Program Files (x86)\\LAN Monitor\\lanmon.exe" | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Checks whether UAC is enabled
Tags: evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\LAN Monitor\lanmon.exe | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A
File opened for modification | C:\Program Files (x86)\LAN Monitor\lanmon.exe | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Creates scheduled task(s)
Tags: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Processes

Image: C:\Users\Admin\AppData\Local\Temp\tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Image: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks.exe" /create /f /tn "LAN Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7A5E.tmp"

Image: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks.exe" /create /f /tn "LAN Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7C62.tmp"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | victacking.ddns.net | udp
GP | 90.15.154.112:4899 | victacking.ddns.net | tcp

Files

memory/2884-0-0x0000000074670000-0x0000000074C1B000-memory.dmp
memory/2884-2-0x0000000000AA0000-0x0000000000AE0000-memory.dmp
memory/2884-1-0x0000000074670000-0x0000000074C1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7A5E.tmp
MD5: 3f4dcafa44c36f23e4db2b2315fd09da
SHA1: 8c83089d6f6c887a77af9b42ca09969f3b2f83f6
SHA256: b8475eb97200b8a15eaf07e0a2cddc5c95e5bc3e7a98685364c9796480de57dc
SHA512: e0624dd6cf0d5e014e96a323d2f7ebe13b683af71bd6ddafa3005cdc2f3c764cfca509262d442fc844b4b390d241ccf3eb36d30043d3d6f6e955a2ee9f792678

C:\Users\Admin\AppData\Local\Temp\tmp7C62.tmp
MD5: ecf141ec69adbb2a5c3dd5c85cd0ec39
SHA1: 0ad224632fa58d103142c05c44a142f3d7208291
SHA256: 64d8cfa0b25afee269839cd5fc0b66e5643bc318e5f4d3ce1b9dba2456c83316
SHA512: 4821b062d6672f3ed07833cfd7ab9abb533850b451b632d781fbfad8238fcd5ac52855f1f239547ae2d1c1477959f022430302a75cfd3c19a8473af72a1ef201

memory/2884-13-0x0000000074670000-0x0000000074C1B000-memory.dmp
memory/2884-14-0x0000000074670000-0x0000000074C1B000-memory.dmp
memory/2884-15-0x0000000000AA0000-0x0000000000AE0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-27 20:32
Reported: 2024-01-27 20:35
Platform: win10v2004-20231222-en
Max time kernel: 88s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

NanoCore
Tags: keylogger trojan stealer spyware nanocore

Adds Run key to start application
Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Subsystem = "C:\\Program Files (x86)\\SMTP Subsystem\\smtpss.exe" | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Checks whether UAC is enabled
Tags: evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\SMTP Subsystem\smtpss.exe | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A
File opened for modification | C:\Program Files (x86)\SMTP Subsystem\smtpss.exe | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Creates scheduled task(s)
Tags: persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A

Processes

Image: C:\Users\Admin\AppData\Local\Temp\tmp.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Image: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks.exe" /create /f /tn "SMTP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp41FA.tmp"

Image: C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks.exe" /create /f /tn "SMTP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4259.tmp"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | victacking.ddns.net | udp
GP | 90.15.154.112:4899 | victacking.ddns.net | tcp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 112.154.15.90.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.160.77.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp

Files

memory/3056-0-0x0000000074DD0000-0x0000000075381000-memory.dmp
memory/3056-1-0x0000000074DD0000-0x0000000075381000-memory.dmp
memory/3056-2-0x00000000015D0000-0x00000000015E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp41FA.tmp
MD5: 3f4dcafa44c36f23e4db2b2315fd09da
SHA1: 8c83089d6f6c887a77af9b42ca09969f3b2f83f6
SHA256: b8475eb97200b8a15eaf07e0a2cddc5c95e5bc3e7a98685364c9796480de57dc
SHA512: e0624dd6cf0d5e014e96a323d2f7ebe13b683af71bd6ddafa3005cdc2f3c764cfca509262d442fc844b4b390d241ccf3eb36d30043d3d6f6e955a2ee9f792678

C:\Users\Admin\AppData\Local\Temp\tmp4259.tmp
MD5: 0339b45ef206f4becc88be0d65e24b9e
SHA1: 6503a1851f4ccd8c80a31f96bd7ae40d962c9fad
SHA256: 3d568a47a8944a47f4aed6982755ac7ff7dda469cc1c81c213ecaa5d89de1f83
SHA512: c98f4513db34d50510dd986e0d812545c442bd5bef26932032b165759627fab4e00c95fe907ab3416a8a1042bfa77aa516c479f1ff7d1ec2f21ae66df8f72551

memory/3056-10-0x00000000015D0000-0x00000000015E0000-memory.dmp
memory/3056-19-0x0000000074DD0000-0x0000000075381000-memory.dmp
memory/3056-20-0x0000000074DD0000-0x0000000075381000-memory.dmp
memory/3056-21-0x00000000015D0000-0x00000000015E0000-memory.dmp
memory/3056-22-0x00000000015D0000-0x00000000015E0000-memory.dmp