Malware Analysis Report

2024-08-06 14:44

Sample ID 240623-qc8tmavgjl
Target sd.exe
SHA256 1be5176e2bdc3b3434e8dc95c902e0cfaaaf7a23fc8203b413effc121011ad30
Tags
nanocore collection evasion keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1be5176e2bdc3b3434e8dc95c902e0cfaaaf7a23fc8203b413effc121011ad30

Threat Level: Known bad

The file sd.exe was found to be: Known bad.

Malicious Activity Summary

nanocore collection evasion keylogger persistence spyware stealer trojan

Nanocore family

NanoCore

NirSoft MailPassView

Nirsoft

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-23 13:08

Signatures

Nanocore family

nanocore

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-23 13:08

Reported

2024-06-23 13:10

Platform

win7-20240419-en

Max time kernel

122s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sd.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Manager = "C:\\Program Files (x86)\\DOS Manager\\dosmgr.exe" C:\Users\Admin\AppData\Local\Temp\sd.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\sd.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3000 set thread context of 2648 N/A C:\Users\Admin\AppData\Local\Temp\sd.exe \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 3000 set thread context of 2904 N/A C:\Users\Admin\AppData\Local\Temp\sd.exe \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DOS Manager\dosmgr.exe C:\Users\Admin\AppData\Local\Temp\sd.exe N/A
File opened for modification C:\Program Files (x86)\DOS Manager\dosmgr.exe C:\Users\Admin\AppData\Local\Temp\sd.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sd.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3000 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\sd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3000 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\sd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3000 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\sd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3000 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\sd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3000 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\sd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3000 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\sd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3000 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\sd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3000 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\sd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3000 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\sd.exe \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 3000 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\sd.exe \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 3000 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\sd.exe \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 3000 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\sd.exe \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 3000 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\sd.exe \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 3000 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\sd.exe \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 3000 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\sd.exe \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 3000 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\sd.exe \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 3000 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\sd.exe \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 3000 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\sd.exe \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 3000 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\sd.exe \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 3000 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\sd.exe \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 3000 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\sd.exe \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 3000 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\sd.exe \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 3000 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\sd.exe \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 3000 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\sd.exe \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 3000 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\sd.exe \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 3000 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\sd.exe \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 3000 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\sd.exe \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
PID 3000 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\sd.exe \??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\sd.exe

"C:\Users\Admin\AppData\Local\Temp\sd.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DOS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp944.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DOS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9C2.tmp"

\??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe

"c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\yvzgduvx.yya"

\??\c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe

"c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe" /shtml "C:\Users\Admin\AppData\Local\Temp\paun2wqs.hse"

Network

Country Destination Domain Proto
US 8.8.8.8:53 care-somewhere.gl.at.ply.gg udp
US 147.185.221.20:38177 care-somewhere.gl.at.ply.gg tcp
US 147.185.221.20:38177 care-somewhere.gl.at.ply.gg tcp

Files

memory/3000-0-0x0000000074191000-0x0000000074192000-memory.dmp

memory/3000-1-0x0000000074190000-0x000000007473B000-memory.dmp

memory/3000-2-0x0000000074190000-0x000000007473B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp944.tmp

MD5 f7d890eac080bcc878916c23c4b34c3d
SHA1 efa80352399bfd5c91b958dbc45228560e3a2b7e
SHA256 a7c1ea9b3651907399af17cb4bbaa5696b6a4f0bdcb04640842fa7af3bf0a670
SHA512 a03dfd061d8fe7d01333fbdc641a92d9daa56dd21758ce788ea3a5114de16fcc37acd5f7bb0aaad5b23dc74c50ce51ab80603f429bd61292d81497ce68287085

C:\Users\Admin\AppData\Local\Temp\tmp9C2.tmp

MD5 8f5713b14cee3089852f6c8d2a7a7d57
SHA1 8bffbea05715c6434ad593cce8a2c737f80ff788
SHA256 ab3ce102242c3144f87bcbfe83984a478821cd09e62c0e5211b2ab37dde02d2c
SHA512 82bd2378c2d6bb34a1ad3f2d26bfea583fc8403691bed6668521ba3e8bc7bdbdf142f872ddbc8e5251550f47c9bbee4eb3d0d6096f80d85259082cf68a454c72

memory/3000-13-0x0000000074190000-0x000000007473B000-memory.dmp

memory/2648-14-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2648-18-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2648-27-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2648-25-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2648-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2648-22-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2648-20-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2648-16-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2648-28-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2648-31-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yvzgduvx.yya

MD5 69b2a2e17e78d24abee9f1de2f04811a
SHA1 d19c109704e83876ab3527457f9418a7d053aa33
SHA256 1b1491f21e64681f8fdc27b2265e2274fb7813eecb6ad8b446d2e431f6300edd
SHA512 eb7269979bc4187520636fe3d7b3089f2c7c02e81c4ce2a738ade680f72c61c67fe9577eeaa09d3ca93f34b60be8c434d2cfbfed6566e783f6611279f056150f

memory/2904-34-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2904-37-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2904-35-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2904-44-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2904-42-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2904-39-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2904-38-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2904-45-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2904-47-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\paun2wqs.hse

MD5 919e671c3d5959a91ef2d4c377d2b2ff
SHA1 b1202b19512bbd390d3d5164792501c87bb42c41
SHA256 d2e079df7cf6388315368ba79bf099ad2ff5428af51bf5abf2d99a2d7c5eb651
SHA512 f3298256372beab8efe81b2e08d3b3869281f625de1ee13189c6b95eb2134d223df6f64cc9e490dd6b52a53aa936adc17bd5dfe4e50ee0fe420f3ebae276381c

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-23 13:08

Reported

2024-06-23 13:10

Platform

win10v2004-20240508-en

Max time kernel

144s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\sd.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Service = "C:\\Program Files (x86)\\AGP Service\\agpsv.exe" C:\Users\Admin\AppData\Local\Temp\sd.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\sd.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\AGP Service\agpsv.exe C:\Users\Admin\AppData\Local\Temp\sd.exe N/A
File opened for modification C:\Program Files (x86)\AGP Service\agpsv.exe C:\Users\Admin\AppData\Local\Temp\sd.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sd.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\sd.exe

"C:\Users\Admin\AppData\Local\Temp\sd.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "AGP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7714.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "AGP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7763.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 care-somewhere.gl.at.ply.gg udp
US 8.8.8.8:53 care-somewhere.gl.at.ply.gg udp
N/A 127.0.0.1:38177 tcp
N/A 127.0.0.1:38177 tcp
N/A 127.0.0.1:38177 tcp
US 8.8.8.8:53 care-somewhere.gl.at.ply.gg udp
US 8.8.8.8:53 care-somewhere.gl.at.ply.gg udp
N/A 127.0.0.1:38177 tcp
N/A 127.0.0.1:38177 tcp
N/A 127.0.0.1:38177 tcp
US 8.8.8.8:53 care-somewhere.gl.at.ply.gg udp
US 8.8.8.8:53 care-somewhere.gl.at.ply.gg udp
N/A 127.0.0.1:38177 tcp
N/A 127.0.0.1:38177 tcp
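Added worked example (not part of the sandbox report or any vendor tooling): a small rule set that replays the behavioral1 process tree, signature tables and Network table, plus the behavioral2 Network table, and turns the raw indicators into the three verdicts a responder actually wants from this report: process hollowing of vbc.exe, persistence via the Run key and the two schtasks /create /xml invocations, and a NirSoft credential dump driven through the hollowed host. The event records are constructed by hand from the PIDs, paths and command lines above; their field names, the event shapes and the rule thresholds are the example's own assumptions, not the sandbox's schema. Treating *.ply.gg as a tunnel relay is also an assumption of the example.

```python
"""Rule-based triage of sandbox events, added as a worked example.

EVENTS is constructed by hand from the behavioral1 process tree, signature
tables and Network table (same PIDs, paths and command lines), WIN10_NET from
the behavioral2 Network table. Field names, event shapes and rule thresholds
are this example's own assumptions, not the sandbox's.
"""
import ntpath
import re

# Report-output switches shared by NirSoft password-recovery tools; the VB.NET
# compiler vbc.exe accepts none of them, so "/shtml" on vbc.exe is a tell.
NIRSOFT_SWITCHES = {"/stext", "/shtml", "/sverhtml", "/sxml", "/scomma", "/stab"}
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SYSTEM_RE = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)
TUNNEL_SUFFIXES = (".ply.gg",)  # playit.gg tunnel hostnames; assumed to be a C2 relay here

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
VBC = r"c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe"
EVENTS = [  # constructed from the behavioral1 run
    {"type": "process", "pid": 3000, "ppid": 0, "image": TEMP + r"\sd.exe",
     "cmdline": '"' + TEMP + r'\sd.exe"'},
    {"type": "process", "pid": 1580, "ppid": 3000, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks.exe" /create /f /tn "DOS Manager" /xml "' + TEMP + r'\tmp944.tmp"'},
    {"type": "process", "pid": 2408, "ppid": 3000, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks.exe" /create /f /tn "DOS Manager Task" /xml "' + TEMP + r'\tmp9C2.tmp"'},
    {"type": "process", "pid": 2648, "ppid": 3000, "image": VBC,
     "cmdline": f'"{VBC}" /shtml "' + TEMP + r'\yvzgduvx.yya"'},
    {"type": "process", "pid": 2904, "ppid": 3000, "image": VBC,
     "cmdline": f'"{VBC}" /shtml "' + TEMP + r'\paun2wqs.hse"'},
    {"type": "regset", "pid": 3000,
     "key": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DOS Manager",
     "value": r"C:\Program Files (x86)\DOS Manager\dosmgr.exe"},
    # sd.exe wrote into every child but reset the thread context of the two vbc.exe only
    {"type": "writemem", "pid": 3000, "target": 1580},
    {"type": "writemem", "pid": 3000, "target": 2408},
    {"type": "writemem", "pid": 3000, "target": 2648},
    {"type": "setthreadcontext", "pid": 3000, "target": 2648},
    {"type": "writemem", "pid": 3000, "target": 2904},
    {"type": "setthreadcontext", "pid": 3000, "target": 2904},
    {"type": "dns", "domain": "care-somewhere.gl.at.ply.gg"},
    {"type": "connect", "dst": "147.185.221.20", "port": 38177},
]
WIN10_NET = [  # behavioral2: the name is looked up, but TCP only ever goes to loopback
    {"type": "dns", "domain": "care-somewhere.gl.at.ply.gg"},
    {"type": "connect", "dst": "127.0.0.1", "port": 38177},
]

def _args(cmdline):
    """Tokenise a Windows command line, keeping quoted arguments whole."""
    return [a or b for a, b in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def _after(args, low, switch):
    """Value following a switch (matched case-insensitively), or None if it is last."""
    i = low.index(switch)
    return args[i + 1] if i + 1 < len(args) else None

def triage(events):
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    writes = {(e["pid"], e["target"]) for e in events if e["type"] == "writemem"}
    ctx = {(e["pid"], e["target"]) for e in events if e["type"] == "setthreadcontext"}
    out = {"hollowing": [], "persistence": [], "nirsoft": [], "c2": []}
    # Hollowing = parent writes into a child AND resets its thread context. A
    # parent also writes into a freshly created child during normal start-up
    # (the schtasks children above), so writes alone are deliberately ignored.
    for parent, child in sorted(writes & ctx):
        image = procs.get(child, {}).get("image", "")
        if SYSTEM_RE.match(image):
            out["hollowing"].append((parent, child, ntpath.basename(image).lower()))
    for e in events:
        if e["type"] == "regset" and "\\currentversion\\run\\" in e["key"].lower():
            out["persistence"].append(("run_key", e["key"].rsplit("\\", 1)[1], e["value"]))
        elif e["type"] == "process":
            args = _args(e["cmdline"])
            low = [a.lower() for a in args]
            name = ntpath.basename(e["image"]).lower()
            parent_image = procs.get(e["ppid"], {}).get("image", "")
            # schtasks /create fed an XML task definition dropped in %TEMP% by a
            # parent that itself runs from %TEMP%
            if name == "schtasks.exe" and "/create" in low and "/xml" in low:
                xml = _after(args, low, "/xml")
                task = _after(args, low, "/tn") if "/tn" in low else None
                if xml and TEMP_RE.search(xml) and TEMP_RE.search(parent_image):
                    out["persistence"].append(("schtask", task, xml))
            # NirSoft output switch on a Microsoft binary: a recovery tool is
            # running inside a hollowed host and dumping credentials to a file
            if SYSTEM_RE.match(e["image"]):
                for sw in sorted(NIRSOFT_SWITCHES & set(low)):
                    out["nirsoft"].append((e["pid"], name, sw, _after(args, low, sw)))
        elif e["type"] == "dns" and e["domain"].lower().endswith(TUNNEL_SUFFIXES):
            out["c2"].append(("tunnel_domain", e["domain"]))
        elif e["type"] == "connect":
            state = "loopback_only" if e["dst"].startswith("127.") else "reached"
            out["c2"].append((state, f'{e["dst"]}:{e["port"]}'))
    return out

if __name__ == "__main__":
    for kind, hits in triage(EVENTS).items():
        print(kind, hits)
    print("win10 c2", triage(WIN10_NET)["c2"])
```

Three points the rules encode that the flat signature tables do not spell out. First, WriteProcessMemory by itself is not evidence of injection: sd.exe wrote into the schtasks.exe children too, and only the two vbc.exe children also got SetThreadContext, so only those are reported as hollowed. Second, the two hollowed hosts carry images of different sizes (0x400000-0x41B000 in PID 2648, 0x400000-0x453000 in PID 2904), consistent with two different tools being loaded; the sandbox identified one of them as MailPassView, and /shtml with a random-named output file in %TEMP% is the common NirSoft invocation for both. Third, the Win10 run queried the same tunnel hostname but its only TCP connections went to 127.0.0.1:38177, so that detonation never reached the relay; the endpoint IOC (147.185.221.20:38177) comes from the Win7 run alone.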

Files

memory/1732-0-0x0000000074FB2000-0x0000000074FB3000-memory.dmp

memory/1732-1-0x0000000074FB0000-0x0000000075561000-memory.dmp

memory/1732-2-0x0000000074FB0000-0x0000000075561000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7714.tmp

MD5 f7d890eac080bcc878916c23c4b34c3d
SHA1 efa80352399bfd5c91b958dbc45228560e3a2b7e
SHA256 a7c1ea9b3651907399af17cb4bbaa5696b6a4f0bdcb04640842fa7af3bf0a670
SHA512 a03dfd061d8fe7d01333fbdc641a92d9daa56dd21758ce788ea3a5114de16fcc37acd5f7bb0aaad5b23dc74c50ce51ab80603f429bd61292d81497ce68287085

C:\Users\Admin\AppData\Local\Temp\tmp7763.tmp

MD5 7a81ae69c04c8d95261eb5f490b7f869
SHA1 9f4f484d306fea15b2e7f9f16db660833bb1f8ce
SHA256 ce3933e772f663a834335cc2071e5e7b2d49a065b51d84a259054b8ef663e785
SHA512 8260ab83106752a488e164bbed63ef334d34399bc9a5c09a0cfceba6aef48eafe5c64e4dfbd353ac3edfff2523b16c2b0287d34833a293c4436e068fae656de8

memory/1732-10-0x0000000074FB0000-0x0000000075561000-memory.dmp

memory/1732-11-0x0000000074FB2000-0x0000000074FB3000-memory.dmp

memory/1732-12-0x0000000074FB0000-0x0000000075561000-memory.dmp

memory/1732-13-0x0000000074FB0000-0x0000000075561000-memory.dmp
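Added worked example (not part of the report or the sandbox vendor's tooling): a parser for the plain-text layout used in the Network and Files sections of both runs, which separates usable IOCs from lab noise. The excerpt it runs on is constructed by copying rows from the two runs above; the line formats it expects (an "ALGO hex" hash line under a dropped-file path, a "COUNTRY ip:port [domain] proto" network row), the choice of SHA256 as the join key, and the classification of the resolver and loopback traffic as noise are the example's own conventions.

```python
"""IOC extraction from the report's plain-text layout, added as a worked example.

REPORT_EXCERPT is a constructed excerpt copied from the Network and Files
sections of both runs. The expected line formats, the SHA256 join key and
the notion of "noise" are this example's conventions, not the sandbox's.
"""
import re
from collections import defaultdict

REPORT_EXCERPT = r"""
Network

Country Destination Domain Proto
US 8.8.8.8:53 care-somewhere.gl.at.ply.gg udp
US 147.185.221.20:38177 care-somewhere.gl.at.ply.gg tcp

Files

memory/3000-0-0x0000000074191000-0x0000000074192000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp944.tmp

MD5 f7d890eac080bcc878916c23c4b34c3d
SHA256 a7c1ea9b3651907399af17cb4bbaa5696b6a4f0bdcb04640842fa7af3bf0a670

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
N/A 127.0.0.1:38177 tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp7714.tmp

MD5 f7d890eac080bcc878916c23c4b34c3d
SHA256 a7c1ea9b3651907399af17cb4bbaa5696b6a4f0bdcb04640842fa7af3bf0a670

C:\Users\Admin\AppData\Local\Temp\tmp7763.tmp

MD5 7a81ae69c04c8d95261eb5f490b7f869
SHA256 ce3933e772f663a834335cc2071e5e7b2d49a065b51d84a259054b8ef663e785
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
NET_RE = re.compile(r"^\S+\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?:\s+(\S+))?\s+(tcp|udp)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
RESOLVER_IPS = {"8.8.8.8"}  # the lab's DNS resolver, not attacker infrastructure (assumption)

def extract_iocs(text):
    per_path, current = {}, None
    domains, endpoints, noise = set(), set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):                      # a dropped file; its hash lines follow
            current = line
            per_path.setdefault(current, {})
        elif (m := HASH_RE.match(line)) and current:
            per_path[current][m.group(1)] = m.group(2).lower()
        elif (m := NET_RE.match(line)):
            ip, port, domain, proto = m.group(1), int(m.group(2)), m.group(3), m.group(4)
            if domain and not domain.endswith(".in-addr.arpa"):   # skip reverse lookups
                domains.add(domain)
            if ip in RESOLVER_IPS or ip.startswith("127."):
                noise.add(f"{ip}:{port}/{proto}")    # resolver traffic and loopback fallback
            else:
                endpoints.add((ip, port, proto))
        # memory/... dump names are sandbox artefacts and match none of the patterns
    # Key files by SHA256 so the same artefact dropped under different random
    # temp names (tmp944.tmp on Win7, tmp7714.tmp on Win10) becomes one IOC.
    files = defaultdict(lambda: {"paths": set(), "hashes": {}})
    for path, hashes in per_path.items():
        if "SHA256" in hashes:
            files[hashes["SHA256"]]["paths"].add(path)
            files[hashes["SHA256"]]["hashes"].update(hashes)
    return {"files": dict(files), "domains": domains, "endpoints": endpoints, "noise": noise}

if __name__ == "__main__":
    for key, value in extract_iocs(REPORT_EXCERPT).items():
        print(key, value)
```

The fold on SHA256 is the useful part: the first scheduled-task XML is byte-identical in the Win7 and Win10 runs (same MD5/SHA1/SHA256/SHA512 for tmp944.tmp and tmp7714.tmp), so its hash is a stable artefact of this build even though the temp file name changes per run, while the second task XML (tmp9C2.tmp / tmp7763.tmp) differs between the runs and should not be used as a hash IOC without checking why. The memory dump names, the resolver queries to 8.8.8.8 and the loopback connections in the Win10 run are kept out of the IOC set on purpose.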