Malware Analysis Report

2024-10-19 07:05

Sample ID 240806-s3c6rawgph
Target c7d3425a23b5b8d3d00eded5b83c0710N.exe
SHA256 c9e7703faad3960594c4a4135f5ca3a6dca4dd0113af162e56b50c30fc55fa45
Tags
nanocore discovery evasion keylogger persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

c9e7703faad3960594c4a4135f5ca3a6dca4dd0113af162e56b50c30fc55fa45

Threat Level: Known bad

The file c7d3425a23b5b8d3d00eded5b83c0710N.exe was found to be: Known bad.

Malicious Activity Summary

nanocore discovery evasion keylogger persistence spyware stealer trojan

NanoCore

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-06 15:38

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-06 15:38

Reported

2024-08-06 15:40

Platform

win7-20240704-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c7d3425a23b5b8d3d00eded5b83c0710N.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe" | C:\Users\Admin\AppData\Local\Temp\c7d3425a23b5b8d3d00eded5b83c0710N.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2664 set thread context of 3004 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c7d3425a23b5b8d3d00eded5b83c0710N.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2080 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\c7d3425a23b5b8d3d00eded5b83c0710N.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 2080 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\c7d3425a23b5b8d3d00eded5b83c0710N.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 2080 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\c7d3425a23b5b8d3d00eded5b83c0710N.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 2080 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\c7d3425a23b5b8d3d00eded5b83c0710N.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 2080 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\c7d3425a23b5b8d3d00eded5b83c0710N.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 2080 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\c7d3425a23b5b8d3d00eded5b83c0710N.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 2080 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\c7d3425a23b5b8d3d00eded5b83c0710N.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 2664 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 2664 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 2664 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 2664 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 2664 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 2664 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 2664 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 2664 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 2664 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 2664 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 2664 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
PID 2664 wrote to memory of 3004 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c7d3425a23b5b8d3d00eded5b83c0710N.exe

"C:\Users\Admin\AppData\Local\Temp\c7d3425a23b5b8d3d00eded5b83c0710N.exe"

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | sysupdate24.ddns.net | udp

Files

\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

MD5 a1aeefe191425c6e3451128223426746
SHA1 469900583db4053d7f1a880e417800b5254fc549
SHA256 79034208c8ab9c9c2f46a36dbc8a1495281f439adf395c60d6a8d1117117553b
SHA512 4805a6e792ede974340208ea2f40a12bf007ed0243bf30e52575eb91c28559a375bb853f7446aa50b3f0e17ec2844ba4d5af617cf172736c18c7e4773e903576

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-06 15:38

Reported

2024-08-06 15:40

Platform

win10v2004-20240802-en

Max time kernel

96s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c7d3425a23b5b8d3d00eded5b83c0710N.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c7d3425a23b5b8d3d00eded5b83c0710N.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe" | C:\Users\Admin\AppData\Local\Temp\c7d3425a23b5b8d3d00eded5b83c0710N.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c7d3425a23b5b8d3d00eded5b83c0710N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c7d3425a23b5b8d3d00eded5b83c0710N.exe

"C:\Users\Admin\AppData\Local\Temp\c7d3425a23b5b8d3d00eded5b83c0710N.exe"

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.58.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

MD5 791a10fd1c80039cb9e3f4d2667e75f3
SHA1 850af1ddc02a37a7660cd3c2a05e40875943fd7b
SHA256 7821cffe27ba8b113562c7c2e3baebbc1a7c8c63cef8ac8aa1d0220dd9456ce2
SHA512 b5a3e8c1286135e78c4f7c45a7f37dbaf271c50dadbcef75f166d9ea80069c6ecad4201eda9c0d2d9a7461e677e6eaa82465c16cb12c59f34edff7e5a5010be3
