Malware Analysis Report

2024-10-19 07:05

Sample ID 240806-a123zstemp
Target nanocore33.exe
SHA256 17eac070872ee1f07031f278a602881696a5852372a6a85168c48bf9f6540087
Tags
nanocore discovery evasion keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

17eac070872ee1f07031f278a602881696a5852372a6a85168c48bf9f6540087

Threat Level: Known bad

The file nanocore33.exe was found to be: Known bad.

Malicious Activity Summary

nanocore discovery evasion keylogger spyware stealer trojan

Nanocore family

NanoCore

Checks whether UAC is enabled

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-06 00:41

Signatures

Nanocore family

nanocore

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 00:41

Reported

2024-08-06 00:44

Platform

win7-20240708-en

Max time kernel

122s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\nanocore33.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\nanocore33.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nanocore33.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nanocore33.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nanocore33.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\nanocore33.exe

"C:\Users\Admin\AppData\Local\Temp\nanocore33.exe"

Network

Country Destination Domain Proto
US 147.185.221.21:9388 tcp

Files

memory/2388-0-0x0000000074471000-0x0000000074472000-memory.dmp

memory/2388-1-0x0000000074470000-0x0000000074A1B000-memory.dmp

memory/2388-2-0x0000000074470000-0x0000000074A1B000-memory.dmp

memory/2388-7-0x0000000074470000-0x0000000074A1B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 00:41

Reported

2024-08-06 00:44

Platform

win10v2004-20240802-en

Max time kernel

94s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\nanocore33.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\nanocore33.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nanocore33.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nanocore33.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nanocore33.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\nanocore33.exe

"C:\Users\Admin\AppData\Local\Temp\nanocore33.exe"

Network

Country Destination Domain Proto
US 147.185.221.21:9388 tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 21.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/1880-0-0x0000000074952000-0x0000000074953000-memory.dmp

memory/1880-1-0x0000000074950000-0x0000000074F01000-memory.dmp

memory/1880-2-0x0000000074950000-0x0000000074F01000-memory.dmp

memory/1880-4-0x0000000074950000-0x0000000074F01000-memory.dmp

memory/1880-8-0x0000000074952000-0x0000000074953000-memory.dmp

memory/1880-9-0x0000000074950000-0x0000000074F01000-memory.dmp

memory/1880-10-0x0000000074950000-0x0000000074F01000-memory.dmp

memory/1880-11-0x0000000074950000-0x0000000074F01000-memory.dmp