Malware Analysis Report

2024-10-19 07:12

Sample ID 240501-y2fhdahh53
Target 33cd194d9a7b17ca1d56590d3c8995744f6e5f7fdafa4eaf27c043b25fb846f2
SHA256 33cd194d9a7b17ca1d56590d3c8995744f6e5f7fdafa4eaf27c043b25fb846f2
Tags
nanocore evasion keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

33cd194d9a7b17ca1d56590d3c8995744f6e5f7fdafa4eaf27c043b25fb846f2

Threat Level: Known bad

The file 33cd194d9a7b17ca1d56590d3c8995744f6e5f7fdafa4eaf27c043b25fb846f2 was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

NanoCore

Nanocore family

Adds Run key to start application

Checks whether UAC is enabled

Drops file in Program Files directory

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-01 20:16

Signatures

Nanocore family

nanocore

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-01 20:16

Reported

2024-05-01 20:19

Platform

win7-20231129-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\33cd194d9a7b17ca1d56590d3c8995744f6e5f7fdafa4eaf27c043b25fb846f2.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Service = "C:\\Program Files (x86)\\TCP Service\\tcpsv.exe" | C:\Users\Admin\AppData\Local\Temp\33cd194d9a7b17ca1d56590d3c8995744f6e5f7fdafa4eaf27c043b25fb846f2.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\33cd194d9a7b17ca1d56590d3c8995744f6e5f7fdafa4eaf27c043b25fb846f2.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\TCP Service\tcpsv.exe | C:\Users\Admin\AppData\Local\Temp\33cd194d9a7b17ca1d56590d3c8995744f6e5f7fdafa4eaf27c043b25fb846f2.exe | N/A
File opened for modification | C:\Program Files (x86)\TCP Service\tcpsv.exe | C:\Users\Admin\AppData\Local\Temp\33cd194d9a7b17ca1d56590d3c8995744f6e5f7fdafa4eaf27c043b25fb846f2.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33cd194d9a7b17ca1d56590d3c8995744f6e5f7fdafa4eaf27c043b25fb846f2.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\33cd194d9a7b17ca1d56590d3c8995744f6e5f7fdafa4eaf27c043b25fb846f2.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\33cd194d9a7b17ca1d56590d3c8995744f6e5f7fdafa4eaf27c043b25fb846f2.exe

"C:\Users\Admin\AppData\Local\Temp\33cd194d9a7b17ca1d56590d3c8995744f6e5f7fdafa4eaf27c043b25fb846f2.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "TCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp118E.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "TCP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp121B.tmp"
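The persistence chain recorded in this run (a copy dropped under Program Files (x86), registered under the Wow6432Node Run key, then two scheduled tasks registered from temporary XML files through schtasks.exe /create /xml, with an EnableLUA query alongside) is the part of the report worth turning into detection logic. The Python below is an added example, not part of the report or of any sandbox tooling. Its event records are constructed to mirror the behavioral1 run: the field names, the schtasks PIDs (the report gives only the dropper's PID, 624) and the benign control event are assumptions of the example. The ATT&CK IDs are the standard mappings for Run-key and scheduled-task persistence.

```python
"""Detection logic for the persistence chain in this report: a dropper that
copies itself under Program Files (x86), registers the copy in the Wow6432Node
Run key, queries EnableLUA, and spawns schtasks.exe /create /xml with a temp XML.

Added example; the events below are constructed to mirror the behavioral1 run
(field names, schtasks PIDs and the benign control event are assumptions)."""
import re
from collections import defaultdict

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\33cd194d9a7b17ca1d56590d3c8995744f6e5f7fdafa4eaf27c043b25fb846f2.exe")

EVENTS = [
    {"type": "registry_query", "pid": 624, "image": DROPPER,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"type": "registry_set", "pid": 624, "image": DROPPER,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Service",
     "data": r'"C:\Program Files (x86)\TCP Service\tcpsv.exe"'},
    {"type": "file_create", "pid": 624, "image": DROPPER,
     "path": r"C:\Program Files (x86)\TCP Service\tcpsv.exe"},
    {"type": "process_create", "pid": 1180, "ppid": 624, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks.exe" /create /f /tn "TCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp118E.tmp"'},
    {"type": "process_create", "pid": 1204, "ppid": 624, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks.exe" /create /f /tn "TCP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp121B.tmp"'},
    # Benign control (constructed): an admin importing a task from a non-temp XML.
    {"type": "process_create", "pid": 2000, "ppid": 900, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Backup" /xml "C:\ProgramData\backup\task.xml"'},
]

# /xml argument that points into the user's Temp directory (tmpXXXX.tmp as in the report)
TEMP_XML = re.compile(r'/xml\s+"?([^"]*?\\AppData\\Local\\Temp\\[^"]+?\.tmp)"?', re.I)
TASK_NAME = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.I)
RUN_VALUE = re.compile(r'\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$', re.I)
# A quoted or bare path to an .exe under Program Files or Program Files (x86)
PROGFILES_EXE = re.compile(r'^"?(C:\\Program Files(?: \(x86\))?\\[^"]+\.exe)"?$', re.I)


def analyze(events):
    """Return {pid: [finding, ...]}. schtasks children are attributed to their
    parent PID so the whole chain lands on the dropper process."""
    findings = defaultdict(list)
    dropped = defaultdict(set)  # pid -> lower-cased Program Files paths it created
    for ev in events:
        if ev["type"] == "file_create" and PROGFILES_EXE.match(ev["path"]):
            dropped[ev["pid"]].add(ev["path"].lower())

    for ev in events:
        kind = ev["type"]
        if kind == "process_create" and ev["image"].lower().endswith("\\schtasks.exe"):
            xml = TEMP_XML.search(ev["cmdline"])
            if xml and re.search(r"/create\b", ev["cmdline"], re.I):
                name = TASK_NAME.search(ev["cmdline"])
                task = (name.group(1) or name.group(2)) if name else "?"
                findings[ev["ppid"]].append(
                    f"T1053.005 scheduled task '{task}' registered from temp XML {xml.group(1)}")
        elif kind == "registry_set":
            run = RUN_VALUE.search(ev["key"])
            exe = PROGFILES_EXE.match(ev["data"])
            if run and exe:
                # Highest confidence when the same process also wrote the target file.
                self_dropped = exe.group(1).lower() in dropped[ev["pid"]]
                findings[ev["pid"]].append(
                    f"T1547.001 Run value '{run.group(1)}' -> {exe.group(1)} "
                    f"({'self-dropped, high' if self_dropped else 'medium'})")
        elif kind == "registry_query" and ev["key"].lower().endswith(r"\policies\system\enablelua"):
            findings[ev["pid"]].append("UAC status check: EnableLUA queried (weak on its own)")
    return dict(findings)


if __name__ == "__main__":
    for pid, items in analyze(EVENTS).items():
        print(f"PID {pid}:")
        for item in items:
            print("  ", item)
```

The schtasks findings are keyed on the parent PID rather than on schtasks.exe itself, which is what makes the two task registrations and the Run key line up on one process; a task imported from an XML outside the Temp directory (the control event) produces nothing.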

Network

Note: every DNS row below is a lookup of client245.sytes.net (a No-IP dynamic DNS hostname) against 8.8.8.8 or 8.8.4.4, alternating between the two resolvers as the sample retries, and no TCP connection to a resolved address ever follows, so the C2 hostname did not resolve during this run. The only TCP activity is repeated connections to 127.0.0.1:54984; 54984 is the default NanoCore C2 port.

Country Destination Domain Proto
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.4.4:53 client245.sytes.net udp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.4.4:53 client245.sytes.net udp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.4.4:53 client245.sytes.net udp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.4.4:53 client245.sytes.net udp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.4.4:53 client245.sytes.net udp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.4.4:53 client245.sytes.net udp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.4.4:53 client245.sytes.net udp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.4.4:53 client245.sytes.net udp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.4.4:53 client245.sytes.net udp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.4.4:53 client245.sytes.net udp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.4.4:53 client245.sytes.net udp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.4.4:53 client245.sytes.net udp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.4.4:53 client245.sytes.net udp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.4.4:53 client245.sytes.net udp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.4.4:53 client245.sytes.net udp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.4.4:53 client245.sytes.net udp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.4.4:53 client245.sytes.net udp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.4.4:53 client245.sytes.net udp

Files

memory/624-0-0x00000000745B1000-0x00000000745B2000-memory.dmp

memory/624-1-0x00000000745B0000-0x0000000074B5B000-memory.dmp

memory/624-2-0x00000000745B0000-0x0000000074B5B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp118E.tmp

MD5 738b8c70bec70e1b8baf7c485f8f21f1
SHA1 ce03d545d04974cddcb76d9271420e35aa3988fe
SHA256 20178631f0bf141384df0e447496346e0daf33208f7133da999b26a73af49b89
SHA512 648e80c0913af44a107e146c53bcff80746e1ed36866edc752f5815ffd3fae935ae47fc69e48c48efcf11685d3d4cf6b5b5276b8f06c9aba6d1fc170c571db48

C:\Users\Admin\AppData\Local\Temp\tmp121B.tmp

MD5 93fc3117767507c9889abd12dc667d22
SHA1 1096e4cfa0c35756e3c3fb866c1e4c1e59115df9
SHA256 684997dd4ce15031cec8f2f93933b1d41d7bf5cbbff655dd64377b07055c449a
SHA512 e403348ee77bd3e7c45245dd5dae81c3ea130d5cf342f630982772ce5f75548b292013480e2831d68cf51349b64afde4589d4eec94b567d20f0a01e3b9549bdc

memory/624-10-0x00000000745B0000-0x0000000074B5B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-01 20:16

Reported

2024-05-01 20:19

Platform

win10v2004-20240419-en

Max time kernel

150s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\33cd194d9a7b17ca1d56590d3c8995744f6e5f7fdafa4eaf27c043b25fb846f2.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Service = "C:\\Program Files (x86)\\WPA Service\\wpasvc.exe" | C:\Users\Admin\AppData\Local\Temp\33cd194d9a7b17ca1d56590d3c8995744f6e5f7fdafa4eaf27c043b25fb846f2.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\33cd194d9a7b17ca1d56590d3c8995744f6e5f7fdafa4eaf27c043b25fb846f2.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\WPA Service\wpasvc.exe | C:\Users\Admin\AppData\Local\Temp\33cd194d9a7b17ca1d56590d3c8995744f6e5f7fdafa4eaf27c043b25fb846f2.exe | N/A
File opened for modification | C:\Program Files (x86)\WPA Service\wpasvc.exe | C:\Users\Admin\AppData\Local\Temp\33cd194d9a7b17ca1d56590d3c8995744f6e5f7fdafa4eaf27c043b25fb846f2.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33cd194d9a7b17ca1d56590d3c8995744f6e5f7fdafa4eaf27c043b25fb846f2.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\33cd194d9a7b17ca1d56590d3c8995744f6e5f7fdafa4eaf27c043b25fb846f2.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\33cd194d9a7b17ca1d56590d3c8995744f6e5f7fdafa4eaf27c043b25fb846f2.exe

"C:\Users\Admin\AppData\Local\Temp\33cd194d9a7b17ca1d56590d3c8995744f6e5f7fdafa4eaf27c043b25fb846f2.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "WPA Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3CF9.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "WPA Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3D68.tmp"

Network

Note: as in behavioral1, client245.sytes.net is queried repeatedly against 8.8.8.8 and 8.8.4.4 with no TCP connection to a resolved address following, and the only sample-attributable TCP activity is to 127.0.0.1:54984 (the default NanoCore C2 port). The in-addr.arpa PTR lookups and the www.bing.com / tse1.mm.bing.net connections are consistent with background activity of the Windows 10 image rather than with the sample.

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.4.4:53 client245.sytes.net udp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.4.4:53 client245.sytes.net udp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.4.4:53 client245.sytes.net udp
US 8.8.8.8:53 client245.sytes.net udp
N/A 127.0.0.1:54984 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.4.4:53 client245.sytes.net udp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.4.4:53 client245.sytes.net udp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.4.4:53 client245.sytes.net udp
US 8.8.8.8:53 client245.sytes.net udp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.4.4:53 client245.sytes.net udp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 76.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.4.4:53 client245.sytes.net udp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.4.4:53 client245.sytes.net udp
US 8.8.8.8:53 client245.sytes.net udp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.4.4:53 client245.sytes.net udp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.4.4:53 client245.sytes.net udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.4.4:53 client245.sytes.net udp
US 8.8.8.8:53 client245.sytes.net udp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.4.4:53 client245.sytes.net udp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.4.4:53 client245.sytes.net udp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.4.4:53 client245.sytes.net udp
US 8.8.8.8:53 client245.sytes.net udp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
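Reading a Network table like the one above by eye is error-prone because the real signal (one hostname queried dozens of times with no connection ever following) is buried among PTR lookups and Windows background traffic. The Python below is an added example, not part of the report; it parses rows in the exact column layout the report uses (Country, Destination, optional Domain, Proto), with an excerpt of the behavioral2 rows embedded as constructed sample input, and separates unresolved beaconing candidates from hosts that were actually contacted and from loopback connections. The Microsoft-domain allowlist and the query threshold are assumptions of the example; 54984 is NanoCore's default C2 port.

```python
"""Summarise a sandbox Network table (Country Destination [Domain] Proto rows,
as in this report) into: DNS query counts per hostname and resolver, hosts
actually contacted over TCP, hostnames queried repeatedly but never connected
to, and loopback connections. Added example; the table excerpt is sample input
taken from the behavioral2 rows, the allowlist and threshold are assumptions."""
import re
from collections import Counter, defaultdict

NETWORK_TABLE = """\
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.4.4:53 client245.sytes.net udp
US 8.8.8.8:53 client245.sytes.net udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
N/A 127.0.0.1:54984 tcp
US 8.8.8.8:53 client245.sytes.net udp
US 8.8.4.4:53 client245.sytes.net udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

ROW = re.compile(r"^(?P<cc>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$")
NANOCORE_DEFAULT_PORT = 54984
# Assumption: OS background traffic of the sandbox image, not attributed to the sample.
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net", ".microsoft.com", ".windowsupdate.com")


def parse_rows(text):
    """Parse table rows; the Domain column is absent on loopback rows."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        d = m.groupdict()
        d["port"] = int(d["port"])
        rows.append(d)
    return rows


def summarize(text, min_queries=3):
    dns = Counter()                    # domain -> number of DNS queries
    resolvers = defaultdict(Counter)   # domain -> resolver ip -> count
    contacted = defaultdict(set)       # domain -> {(ip, port)} for non-DNS rows
    loopback = Counter()               # port -> count of 127.0.0.1 connections
    for r in parse_rows(text):
        if r["ip"] == "127.0.0.1":
            loopback[r["port"]] += 1
        elif r["port"] == 53 and r["proto"] == "udp" and r["domain"]:
            dns[r["domain"]] += 1
            resolvers[r["domain"]][r["ip"]] += 1
        elif r["domain"]:
            contacted[r["domain"]].add((r["ip"], r["port"]))

    candidates = sorted(
        d for d, n in dns.items()
        if n >= min_queries
        and not d.endswith(".in-addr.arpa")          # PTR lookups, sandbox noise
        and not d.endswith(BACKGROUND_SUFFIXES)
        and d not in contacted)                      # queried but never connected to
    return {
        "dns": dict(dns),
        "resolvers": {d: dict(c) for d, c in resolvers.items()},
        "contacted": {d: sorted(s) for d, s in contacted.items()},
        "unresolved_candidates": candidates,
        "loopback_ports": dict(loopback),
        "nanocore_port_hits": loopback[NANOCORE_DEFAULT_PORT],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(NETWORK_TABLE), indent=2))
```

On the excerpt the only unresolved candidate is client245.sytes.net, tse1.mm.bing.net is classed as contacted (its DNS query was followed by TCP connections to the resolved address), and the three loopback rows land on the NanoCore default port. Raising min_queries filters out one-off lookups on a busier host.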

Files

memory/864-0-0x0000000074FC2000-0x0000000074FC3000-memory.dmp

memory/864-1-0x0000000074FC0000-0x0000000075571000-memory.dmp

memory/864-2-0x0000000074FC0000-0x0000000075571000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp3CF9.tmp

MD5 738b8c70bec70e1b8baf7c485f8f21f1
SHA1 ce03d545d04974cddcb76d9271420e35aa3988fe
SHA256 20178631f0bf141384df0e447496346e0daf33208f7133da999b26a73af49b89
SHA512 648e80c0913af44a107e146c53bcff80746e1ed36866edc752f5815ffd3fae935ae47fc69e48c48efcf11685d3d4cf6b5b5276b8f06c9aba6d1fc170c571db48

Note: these hashes match tmp118E.tmp from behavioral1, so the first task XML is byte-for-byte identical in both runs even though the task names differ (the name is passed on the schtasks command line, not in the XML), which makes its hashes a stable indicator; the second task XML (tmp121B.tmp in behavioral1, tmp3D68.tmp here) differs between runs.

C:\Users\Admin\AppData\Local\Temp\tmp3D68.tmp

MD5 1c18d34e4c00b9a6b81126a2f10bbb74
SHA1 9c975e7627bdb8d7af3615684d59fa02c3b81902
SHA256 ee68aecf2917fd9ddd167e6403d3149ac3dd7f346f3c9c66b6d75620b0ccd621
SHA512 75a3ecebd55c8e433199122925c7c612fe3ea23a93fbca10ed83c80f11396da428581e36c42e98a0eef5210630cea040ed0da076bfcb620ddb38dee7152b816d

memory/864-10-0x0000000074FC0000-0x0000000075571000-memory.dmp

memory/864-11-0x0000000074FC2000-0x0000000074FC3000-memory.dmp

memory/864-12-0x0000000074FC0000-0x0000000075571000-memory.dmp

memory/864-13-0x0000000074FC0000-0x0000000075571000-memory.dmp