Malware Analysis Report

2024-10-23 19:44

Sample ID 240428-ksac4sca97
Target 2384_InstallUtil_exe_Reflective_00000000038964E0
SHA256 fc565edd736e70f3f4047d2066f7f63cc6491b9bddd9419d39cd02323733d767
Tags
nanocore evasion keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fc565edd736e70f3f4047d2066f7f63cc6491b9bddd9419d39cd02323733d767

Threat Level: Known bad

The file 2384_InstallUtil_exe_Reflective_00000000038964E0 was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

NanoCore

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-28 08:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-28 08:51

Reported

2024-04-28 08:53

Platform

win7-20231129-en

Max time kernel

137s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2384_InstallUtil_exe_Reflective_00000000038964E0.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Service = "C:\\Program Files (x86)\\TCP Service\\tcpsv.exe"
Process: C:\Users\Admin\AppData\Local\Temp\2384_InstallUtil_exe_Reflective_00000000038964E0.exe
Target: N/A

Checks whether UAC is enabled

evasion trojan
Description: Key value queried
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: C:\Users\Admin\AppData\Local\Temp\2384_InstallUtil_exe_Reflective_00000000038964E0.exe
Target: N/A

Drops file in Program Files directory

Description: File created
Indicator: C:\Program Files (x86)\TCP Service\tcpsv.exe
Process: C:\Users\Admin\AppData\Local\Temp\2384_InstallUtil_exe_Reflective_00000000038964E0.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Program Files (x86)\TCP Service\tcpsv.exe
Process: C:\Users\Admin\AppData\Local\Temp\2384_InstallUtil_exe_Reflective_00000000038964E0.exe
Target: N/A

Creates scheduled task(s)

persistence
Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\schtasks.exe (2 events)
Target: N/A

Suspicious behavior: GetForegroundWindowSpam

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\2384_InstallUtil_exe_Reflective_00000000038964E0.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege (2 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\2384_InstallUtil_exe_Reflective_00000000038964E0.exe
Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 2360 wrote to memory of 2888 (12 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\2384_InstallUtil_exe_Reflective_00000000038964E0.exe
Target: C:\Users\Admin\AppData\Local\Temp\2384_InstallUtil_exe_Reflective_00000000038964E0.exe

Description: PID 2888 wrote to memory of 2588 (4 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\2384_InstallUtil_exe_Reflective_00000000038964E0.exe
Target: C:\Windows\SysWOW64\schtasks.exe

Description: PID 2888 wrote to memory of 2860 (4 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\2384_InstallUtil_exe_Reflective_00000000038964E0.exe
Target: C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2384_InstallUtil_exe_Reflective_00000000038964E0.exe

"C:\Users\Admin\AppData\Local\Temp\2384_InstallUtil_exe_Reflective_00000000038964E0.exe"

C:\Users\Admin\AppData\Local\Temp\2384_InstallUtil_exe_Reflective_00000000038964E0.exe

"C:\Users\Admin\AppData\Local\Temp\2384_InstallUtil_exe_Reflective_00000000038964E0.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "TCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7E73.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "TCP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7F00.tmp"

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 snopper13.ddns.net udp 6
NL 185.208.211.17:1996 (no domain) tcp 6

Files

memory/2360-0-0x0000000074CB0000-0x000000007525B000-memory.dmp

memory/2360-1-0x0000000074CB0000-0x000000007525B000-memory.dmp

memory/2360-2-0x0000000000B60000-0x0000000000BA0000-memory.dmp

memory/2360-3-0x0000000074CB0000-0x000000007525B000-memory.dmp

memory/2360-4-0x0000000000B60000-0x0000000000BA0000-memory.dmp

memory/2888-6-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2888-5-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2888-7-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2888-15-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2888-17-0x00000000022D0000-0x0000000002310000-memory.dmp

memory/2888-16-0x0000000074CB0000-0x000000007525B000-memory.dmp

memory/2888-18-0x0000000074CB0000-0x000000007525B000-memory.dmp

memory/2888-13-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2888-11-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2888-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2888-8-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2360-19-0x0000000074CB0000-0x000000007525B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7E73.tmp

MD5 f3a59537639fe8c78e90e3371c80e8ad
SHA1 c08bb8a2536160f1067061b7285bb63b2c5db05f
SHA256 5746babdcd4ff5472d674376fb6d2fab529a58efc9fd55a28d28c83699e07620
SHA512 1d189bd1d84b068bf9d155e819aad65e8c18cfb2d30f8c53a8394e19786a3f933c4ab6e17e91aa57b0ff38feebc2179cabaafe9f941135ed3909a7313510f06c

C:\Users\Admin\AppData\Local\Temp\tmp7F00.tmp

MD5 93fc3117767507c9889abd12dc667d22
SHA1 1096e4cfa0c35756e3c3fb866c1e4c1e59115df9
SHA256 684997dd4ce15031cec8f2f93933b1d41d7bf5cbbff655dd64377b07055c449a
SHA512 e403348ee77bd3e7c45245dd5dae81c3ea130d5cf342f630982772ce5f75548b292013480e2831d68cf51349b64afde4589d4eec94b567d20f0a01e3b9549bdc

memory/2888-27-0x0000000074CB0000-0x000000007525B000-memory.dmp

memory/2888-28-0x00000000022D0000-0x0000000002310000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-28 08:51

Reported

2024-04-28 08:53

Platform

win10v2004-20240419-en

Max time kernel

136s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2384_InstallUtil_exe_Reflective_00000000038964E0.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Service = "C:\\Program Files (x86)\\WPA Service\\wpasvc.exe"
Process: C:\Users\Admin\AppData\Local\Temp\2384_InstallUtil_exe_Reflective_00000000038964E0.exe
Target: N/A

Checks whether UAC is enabled

evasion trojan
Description: Key value queried
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: C:\Users\Admin\AppData\Local\Temp\2384_InstallUtil_exe_Reflective_00000000038964E0.exe
Target: N/A

Drops file in Program Files directory

Description: File created
Indicator: C:\Program Files (x86)\WPA Service\wpasvc.exe
Process: C:\Users\Admin\AppData\Local\Temp\2384_InstallUtil_exe_Reflective_00000000038964E0.exe
Target: N/A

Description: File opened for modification
Indicator: C:\Program Files (x86)\WPA Service\wpasvc.exe
Process: C:\Users\Admin\AppData\Local\Temp\2384_InstallUtil_exe_Reflective_00000000038964E0.exe
Target: N/A

Creates scheduled task(s)

persistence
Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\schtasks.exe (2 events)
Target: N/A

Suspicious behavior: GetForegroundWindowSpam

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\2384_InstallUtil_exe_Reflective_00000000038964E0.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege (2 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\2384_InstallUtil_exe_Reflective_00000000038964E0.exe
Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 2284 wrote to memory of 4580 (8 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\2384_InstallUtil_exe_Reflective_00000000038964E0.exe
Target: C:\Users\Admin\AppData\Local\Temp\2384_InstallUtil_exe_Reflective_00000000038964E0.exe

Description: PID 4580 wrote to memory of 2216 (3 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\2384_InstallUtil_exe_Reflective_00000000038964E0.exe
Target: C:\Windows\SysWOW64\schtasks.exe

Description: PID 4580 wrote to memory of 2572 (3 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\2384_InstallUtil_exe_Reflective_00000000038964E0.exe
Target: C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2384_InstallUtil_exe_Reflective_00000000038964E0.exe

"C:\Users\Admin\AppData\Local\Temp\2384_InstallUtil_exe_Reflective_00000000038964E0.exe"

C:\Users\Admin\AppData\Local\Temp\2384_InstallUtil_exe_Reflective_00000000038964E0.exe

"C:\Users\Admin\AppData\Local\Temp\2384_InstallUtil_exe_Reflective_00000000038964E0.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "WPA Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpBFC6.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "WPA Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpC034.tmp"

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp 1
US 8.8.8.8:53 g.bing.com udp 2
US 8.8.8.8:53 snopper13.ddns.net udp 6
US 8.8.4.4:53 snopper13.ddns.net udp 3
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp 1
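The behaviours tabulated for both detonations (a Run value pointing into a fresh Program Files (x86) directory, two schtasks /create /f /xml calls fed from temp files, the sample writing repeatedly into a second copy of itself before it spawns schtasks, SeDebugPrivilege being enabled, the EnableLUA lookup, the snopper13.ddns.net resolutions and, in behavioral1, the tcp/1996 sessions) can be expressed as triage rules that run over such event rows. The Python below is an added example written for this page; it is not sandbox code and not NanoCore tooling. The event dict shapes, the SAMPLE_EVENTS list (constructed to mirror the behavioral1 tables), the dynamic-DNS suffix list, the "common port" set and the T1134 mapping for the SeDebugPrivilege adjustment are assumptions made here; the other ATT&CK IDs are the standard ones for those techniques.

```python
"""Triage rules for the behaviours recorded in this report: Run-key and
schtasks persistence, same-image memory writes (process-hollowing candidate),
SeDebugPrivilege, the EnableLUA lookup, dynamic-DNS resolution and a TCP
session on a non-standard port. Event dicts and SAMPLE_EVENTS are constructed
here to mirror the behavioral1 tables; they are not sandbox output."""
import re
from collections import Counter

# Assumptions: dynamic-DNS suffixes worth flagging, and ports too common to flag alone.
DDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".duckdns.org", ".hopto.org")
COMMON_PORTS = {53, 80, 443, 8080}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2384_InstallUtil_exe_Reflective_00000000038964E0.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"

SAMPLE_EVENTS = [  # constructed from the behavioral1 signature, process and network tables
    {"kind": "registry", "op": "set", "process": SAMPLE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Service",
     "value": r"C:\Program Files (x86)\TCP Service\tcpsv.exe"},
    {"kind": "registry", "op": "query", "process": SAMPLE,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"kind": "token", "process": SAMPLE, "privilege": "SeDebugPrivilege"},
    *[{"kind": "memwrite", "src_pid": 2360, "dst_pid": 2888, "src": SAMPLE, "dst": SAMPLE}] * 12,
    *[{"kind": "memwrite", "src_pid": 2888, "dst_pid": 2588, "src": SAMPLE, "dst": SCHTASKS}] * 4,
    {"kind": "process", "image": SCHTASKS,
     "cmdline": r'"schtasks.exe" /create /f /tn "TCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7E73.tmp"'},
    {"kind": "process", "image": SCHTASKS,
     "cmdline": r'"schtasks.exe" /create /f /tn "TCP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7F00.tmp"'},
    *[{"kind": "network", "proto": "udp", "dst": "8.8.8.8:53", "domain": "snopper13.ddns.net"}] * 6,
    *[{"kind": "network", "proto": "tcp", "dst": "185.208.211.17:1996", "domain": ""}] * 6,
]


def win_argv(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted spans whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def schtasks_create(cmdline):
    """Return {'name', 'xml'} if the command line is a schtasks /create, else None."""
    argv = win_argv(cmdline)
    if not argv or not argv[0].lower().endswith("schtasks.exe"):
        return None
    lower = [a.lower() for a in argv]
    if "/create" not in lower:
        return None

    def opt(flag):  # value following a flag, or None when absent or last
        i = lower.index(flag) if flag in lower else -1
        return argv[i + 1] if 0 <= i < len(argv) - 1 else None

    return {"name": opt("/tn"), "xml": opt("/xml")}


def triage(events):
    """Apply the rules and return one finding dict per distinct observation."""
    findings, seen, writes = [], set(), Counter()

    def add(f):  # collapse the repeated rows a sandbox emits for one behaviour
        key = tuple(sorted(f.items()))
        if key not in seen:
            seen.add(key)
            findings.append(f)

    for e in events:
        k = e["kind"]
        if k == "registry" and e["op"] == "set" and RUN_KEY_RE.search(e["key"]):
            add({"technique": "T1547.001", "what": "Run key persistence",
                 "name": e["key"].rsplit("\\", 1)[1], "path": e["value"]})
        elif k == "registry" and e["key"].lower().endswith("\\enablelua"):
            add({"technique": "T1012", "what": "UAC state queried via EnableLUA"})
        elif k == "token" and e["privilege"] == "SeDebugPrivilege":
            add({"technique": "T1134", "what": "SeDebugPrivilege enabled"})  # mapping assumed
        elif k == "memwrite":
            writes[(e["src_pid"], e["dst_pid"], e["src"], e["dst"])] += 1
        elif k == "process" and (task := schtasks_create(e["cmdline"])):
            add({"technique": "T1053.005", "what": "Scheduled task created", "name": task["name"],
                 "xml_from_temp": bool(task["xml"] and TEMP_RE.search(task["xml"]))})
        elif k == "network":
            host, port = e["dst"].rsplit(":", 1)
            if e["domain"].lower().endswith(DDNS_SUFFIXES):
                add({"technique": "T1568", "what": "Dynamic-DNS domain resolved", "domain": e["domain"]})
            elif e["proto"] == "tcp" and int(port) not in COMMON_PORTS:
                add({"technique": "T1571", "what": "TCP session on non-standard port", "dst": e["dst"]})

    for (src_pid, dst_pid, src, dst), n in writes.items():
        if src.lower() == dst.lower():  # parent writing into a fresh copy of its own image
            add({"technique": "T1055.012", "what": "Same-image child written to (hollowing candidate)",
                 "parent": src_pid, "child": dst_pid, "writes": n})
    return findings


def techniques(findings):
    """Sorted, de-duplicated ATT&CK IDs across the findings."""
    return sorted({f["technique"] for f in findings})


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Run as a script it prints eight findings for the constructed behavioral1 events. The same-image write rule fires on PID 2360 writing into PID 2888 (and, for behavioral2, would fire on 2284 writing into 4580); together with the SetThreadContext signature in the summary that is the hollowing pattern, and the 0x400000-0x438000 dumps of the child are where the unpacked payload would be expected. The tcp/1996 rule fires only on behavioral1, since behavioral2 recorded DNS lookups for snopper13.ddns.net but no TCP session.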

Files

memory/2284-0-0x0000000074C10000-0x00000000751C1000-memory.dmp

memory/2284-1-0x0000000074C10000-0x00000000751C1000-memory.dmp

memory/2284-2-0x0000000000BD0000-0x0000000000BE0000-memory.dmp

memory/2284-3-0x0000000074C10000-0x00000000751C1000-memory.dmp

memory/4580-4-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4580-6-0x0000000074C10000-0x00000000751C1000-memory.dmp

memory/4580-8-0x0000000074C10000-0x00000000751C1000-memory.dmp

memory/2284-9-0x0000000074C10000-0x00000000751C1000-memory.dmp

memory/4580-7-0x00000000014D0000-0x00000000014E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpBFC6.tmp

MD5 f3a59537639fe8c78e90e3371c80e8ad
SHA1 c08bb8a2536160f1067061b7285bb63b2c5db05f
SHA256 5746babdcd4ff5472d674376fb6d2fab529a58efc9fd55a28d28c83699e07620
SHA512 1d189bd1d84b068bf9d155e819aad65e8c18cfb2d30f8c53a8394e19786a3f933c4ab6e17e91aa57b0ff38feebc2179cabaafe9f941135ed3909a7313510f06c

C:\Users\Admin\AppData\Local\Temp\tmpC034.tmp

MD5 1c18d34e4c00b9a6b81126a2f10bbb74
SHA1 9c975e7627bdb8d7af3615684d59fa02c3b81902
SHA256 ee68aecf2917fd9ddd167e6403d3149ac3dd7f346f3c9c66b6d75620b0ccd621
SHA512 75a3ecebd55c8e433199122925c7c612fe3ea23a93fbca10ed83c80f11396da428581e36c42e98a0eef5210630cea040ed0da076bfcb620ddb38dee7152b816d

memory/4580-17-0x00000000014D0000-0x00000000014E0000-memory.dmp

memory/4580-18-0x0000000074C10000-0x00000000751C1000-memory.dmp

memory/4580-19-0x00000000014D0000-0x00000000014E0000-memory.dmp

memory/4580-20-0x00000000014D0000-0x00000000014E0000-memory.dmp