Malware Analysis Report

2024-10-19 07:05

Sample ID 240805-cje81atfkk
Target 350d5e7320be3cf579bf1afacdbb46c0N.exe
SHA256 f65d1cded5374ab70cfb0f316f045bc01a0f7dba4cb1cb1edf19a923282b525d
Tags
nanocore discovery evasion keylogger spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

f65d1cded5374ab70cfb0f316f045bc01a0f7dba4cb1cb1edf19a923282b525d

Threat Level: Known bad

The file 350d5e7320be3cf579bf1afacdbb46c0N.exe was found to be: Known bad.

Malicious Activity Summary

nanocore discovery evasion keylogger spyware stealer trojan

NanoCore

Checks computer location settings

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-05 02:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-05 02:06

Reported

2024-08-05 02:08

Platform

win7-20240705-en

Max time kernel

120s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1904 set thread context of 2652 N/A C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1904 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe C:\Windows\SysWOW64\schtasks.exe
PID 1904 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe C:\Windows\SysWOW64\schtasks.exe
PID 1904 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe C:\Windows\SysWOW64\schtasks.exe
PID 1904 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe C:\Windows\SysWOW64\schtasks.exe
PID 1904 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe
PID 1904 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe
PID 1904 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe
PID 1904 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe
PID 1904 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe
PID 1904 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe
PID 1904 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe
PID 1904 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe
PID 1904 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe

Processes

C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe

"C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VsRwbjnFmPB" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC19A.tmp"

C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe

"C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 savagesquad.ooguy.com udp

Files

memory/1904-0-0x0000000074E21000-0x0000000074E22000-memory.dmp

memory/1904-1-0x0000000074E20000-0x00000000753CB000-memory.dmp

memory/1904-2-0x0000000074E20000-0x00000000753CB000-memory.dmp

memory/1904-3-0x0000000074E20000-0x00000000753CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpC19A.tmp

MD5 09a669719a8aef5a1830387b41feaaba
SHA1 dcae3f4a7d37dd475c248fed96c32a3b18684b01
SHA256 122d53a5f99860ab687e68bf5c9e4be1d3e0f06307a1157f214f4749e6f2f360
SHA512 a0eba5e54e8a16bb1ad012475650752dbd3cda12a16d6067d66fac214c39d7bbd510c57788512a303877dbe9573bbb5a13cac23cfae660010de3c872671adaf9

memory/2652-9-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2652-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2652-15-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2652-13-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2652-11-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2652-23-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2652-21-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2652-19-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2652-25-0x0000000074E20000-0x00000000753CB000-memory.dmp

memory/2652-24-0x0000000074E20000-0x00000000753CB000-memory.dmp

memory/1904-26-0x0000000074E20000-0x00000000753CB000-memory.dmp

memory/2652-28-0x0000000074E20000-0x00000000753CB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-05 02:06

Reported

2024-08-05 02:08

Platform

win10v2004-20240802-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4992 set thread context of 3060 N/A C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4992 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe C:\Windows\SysWOW64\schtasks.exe
PID 4992 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe C:\Windows\SysWOW64\schtasks.exe
PID 4992 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe C:\Windows\SysWOW64\schtasks.exe
PID 4992 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe
PID 4992 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe
PID 4992 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe
PID 4992 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe
PID 4992 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe
PID 4992 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe
PID 4992 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe
PID 4992 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe

Processes

C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe

"C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VsRwbjnFmPB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7E43.tmp"

C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe

"C:\Users\Admin\AppData\Local\Temp\350d5e7320be3cf579bf1afacdbb46c0N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 savagesquad.ooguy.com udp
US 8.8.8.8:53 savagesquad.ooguy.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 savagesquad.ooguy.com udp
US 8.8.8.8:53 savagesquad.ooguy.com udp
US 8.8.8.8:53 savagesquad.ooguy.com udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 savagesquad.ooguy.com udp
US 8.8.8.8:53 savagesquad.ooguy.com udp
US 8.8.8.8:53 savagesquad.ooguy.com udp
US 8.8.8.8:53 savagesquad.ooguy.com udp

Files

memory/4992-0-0x0000000074D62000-0x0000000074D63000-memory.dmp

memory/4992-1-0x0000000074D60000-0x0000000075311000-memory.dmp

memory/4992-2-0x0000000074D60000-0x0000000075311000-memory.dmp

memory/4992-3-0x0000000074D62000-0x0000000074D63000-memory.dmp

memory/4992-4-0x0000000074D60000-0x0000000075311000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7E43.tmp

MD5 6fdc6da05762a26f3ef1cd3283b47a72
SHA1 68e2780e8dfcf37796d7ef1287fd2559b3a50d8c
SHA256 99bdefc451c9ffad51d709944906ccc7c651c1e44e908bc40bc5f581651defbf
SHA512 3e07e3d22296c4ea70aced2793f036f1df8bdb4bdbb675551a15d213bd252175052c774777fab4f14d9f2598fb59e406a8bd09968d536e2ef6f8827b390f58bd

memory/3060-10-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\350d5e7320be3cf579bf1afacdbb46c0N.exe.log

MD5 49461f799113a05a28d6b992090c22ce
SHA1 4049a26ca32ff9ed84fd748b75b36b73e17510ce
SHA256 efa0ab0bd196baf69522d0e11a8bb384a1f0e1806590db7b6ed34abcf6faf5c3
SHA512 dffd0fc9f13c5821f9a55bbfb0e1cb980b29903228805fda0331de68ef1ecfa7e716ebcb50c1a2429e5373f6c9e31977472e04769adf9feac8c7fe10f1814bc5

memory/4992-13-0x0000000074D60000-0x0000000075311000-memory.dmp

memory/3060-14-0x0000000074D60000-0x0000000075311000-memory.dmp

memory/3060-15-0x0000000074D60000-0x0000000075311000-memory.dmp

memory/3060-17-0x0000000074D60000-0x0000000075311000-memory.dmp

memory/3060-18-0x0000000074D60000-0x0000000075311000-memory.dmp

memory/3060-19-0x0000000074D60000-0x0000000075311000-memory.dmp