Malware Analysis Report

2024-10-23 19:38

Sample ID 240815-dxmexaxcll
Target bb936870fe8af1aefa1eec876801cae0N.exe
SHA256 c3a0cddf3cb0389fdd9c8029f3dc4638f511b93950c56fb811310987b51ee901
Tags
nanocore discovery evasion keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c3a0cddf3cb0389fdd9c8029f3dc4638f511b93950c56fb811310987b51ee901

Threat Level: Known bad

The file bb936870fe8af1aefa1eec876801cae0N.exe was found to be: Known bad.

Malicious Activity Summary

nanocore discovery evasion keylogger persistence spyware stealer trojan

NanoCore

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-15 03:23

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 03:23

Reported

2024-08-15 03:25

Platform

win7-20240708-en

Max time kernel

119s

Max time network

25s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bb936870fe8af1aefa1eec876801cae0N.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | N/A (2 identical entries)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe" | C:\Users\Admin\AppData\Local\Temp\bb936870fe8af1aefa1eec876801cae0N.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2928 set thread context of 2560 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | N/A (2 identical entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bb936870fe8af1aefa1eec876801cae0N.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2360 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\bb936870fe8af1aefa1eec876801cae0N.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe (7 identical entries)
PID 2928 wrote to memory of 2560 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe (12 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\bb936870fe8af1aefa1eec876801cae0N.exe

"C:\Users\Admin\AppData\Local\Temp\bb936870fe8af1aefa1eec876801cae0N.exe"

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | sysupdate24.ddns.net | udp

Files


\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

MD5 923a44d8b877decc931be3a433dd45fc
SHA1 3bcd27f16fe93d236ad35df3b4012f10547d8f96
SHA256 f02e882ad1ca5f460b040135556062dc239061035ae2c6aa29e328ce0ec85c1e
SHA512 bf3d37173b73059d1ca26ca7872b19207859920fa77125932fd739badfa7cc6433365fd233dc9a2f8730c29ed286dbc4e7934b7cd3ffe0bd72d468e193e09944


Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 03:23

Reported

2024-08-15 03:25

Platform

win10v2004-20240802-en

Max time kernel

119s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bb936870fe8af1aefa1eec876801cae0N.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bb936870fe8af1aefa1eec876801cae0N.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | N/A (2 identical entries)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe" | C:\Users\Admin\AppData\Local\Temp\bb936870fe8af1aefa1eec876801cae0N.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4012 set thread context of 4292 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bb936870fe8af1aefa1eec876801cae0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | N/A (2 identical entries)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3436 wrote to memory of 4012 | N/A | C:\Users\Admin\AppData\Local\Temp\bb936870fe8af1aefa1eec876801cae0N.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe (3 identical entries)
PID 4012 wrote to memory of 4292 | N/A | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe | C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe (8 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\bb936870fe8af1aefa1eec876801cae0N.exe

"C:\Users\Admin\AppData\Local\Temp\bb936870fe8af1aefa1eec876801cae0N.exe"

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | sysupdate24.ddns.net | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp (5 identical entries)
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp

Files


C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

MD5 87df6a89c07b0493486309a000dbbc34
SHA1 97d1414c53c4737ae6ad2e8765337fbc4665f529
SHA256 4d7dec1e7f62e338e0b820e8e7c73b94029627663628430e22c7f355b30641a0
SHA512 fac28cf07ea5f1827ed55a9ffff21f5af8885020653273b6c347a27583e7a6ee58e7317f0ccf605983651ce893f7e052a66a16d2bef66b38469b7bb19a9efaa3
