Malware Analysis Report

2024-12-07 14:12

Sample ID: 241114-3ewy3avfjd
Target: 7a698045d9ef597fb483ef9f7b342a2cf0e1b5b7347b6794484052a8f6dc3aeb
SHA256: 7a698045d9ef597fb483ef9f7b342a2cf0e1b5b7347b6794484052a8f6dc3aeb
Tags: discovery persistence nanocore evasion keylogger spyware stealer trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 7a698045d9ef597fb483ef9f7b342a2cf0e1b5b7347b6794484052a8f6dc3aeb

Threat Level: Known bad

The file 7a698045d9ef597fb483ef9f7b342a2cf0e1b5b7347b6794484052a8f6dc3aeb was found to be: Known bad.

Malicious Activity Summary

discovery persistence nanocore evasion keylogger spyware stealer trojan

Nanocore family

NanoCore

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 23:26

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 23:26

Reported

2024-11-14 23:28

Platform

win7-20240729-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7a698045d9ef597fb483ef9f7b342a2cf0e1b5b7347b6794484052a8f6dc3aeb.exe"

Signatures

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
Target: N/A

Adds Run key to start application

Tags: persistence

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe"
Process: C:\Users\Admin\AppData\Local\Temp\7a698045d9ef597fb483ef9f7b342a2cf0e1b5b7347b6794484052a8f6dc3aeb.exe
Target: N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\7a698045d9ef597fb483ef9f7b342a2cf0e1b5b7347b6794484052a8f6dc3aeb.exe
Target: N/A

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 3068 wrote to memory of 2792 (7 identical events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\7a698045d9ef597fb483ef9f7b342a2cf0e1b5b7347b6794484052a8f6dc3aeb.exe
Target: C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

Description: PID 2792 wrote to memory of 1660 (7 identical events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
Target: C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7a698045d9ef597fb483ef9f7b342a2cf0e1b5b7347b6794484052a8f6dc3aeb.exe

"C:\Users\Admin\AppData\Local\Temp\7a698045d9ef597fb483ef9f7b342a2cf0e1b5b7347b6794484052a8f6dc3aeb.exe"

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"

Network

N/A

Files

memory/3068-0-0x0000000074081000-0x0000000074082000-memory.dmp
memory/3068-1-0x0000000074080000-0x000000007462B000-memory.dmp
memory/3068-2-0x0000000074080000-0x000000007462B000-memory.dmp
memory/3068-3-0x0000000074080000-0x000000007462B000-memory.dmp
memory/3068-4-0x0000000074080000-0x000000007462B000-memory.dmp
memory/3068-5-0x0000000074080000-0x000000007462B000-memory.dmp

\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
MD5: 297fce85a4d854e44dd4a82ba67c262b
SHA1: cb99421d05f3f07f3ff991ef4ca531b9202f916c
SHA256: b36ba34496e490ad582029d1ae47e352df6450255626a278b80fdf86f8e200e0
SHA512: ed2a87f1c7ce2cb3ae796ac1f962297374c84f57bdb624d41608c2e00b72d141ca02f85daa064c145eb055e1fade1668ca5a048a30794123c1299bbbd0499272

memory/2792-15-0x0000000074080000-0x000000007462B000-memory.dmp
memory/2792-18-0x0000000074080000-0x000000007462B000-memory.dmp
memory/3068-14-0x0000000074080000-0x000000007462B000-memory.dmp
memory/2792-17-0x0000000074080000-0x000000007462B000-memory.dmp
memory/2792-16-0x0000000074080000-0x000000007462B000-memory.dmp
memory/2792-19-0x0000000074080000-0x000000007462B000-memory.dmp
memory/2792-20-0x0000000074080000-0x000000007462B000-memory.dmp
memory/2792-22-0x0000000074080000-0x000000007462B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 23:26

Reported

2024-11-14 23:28

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7a698045d9ef597fb483ef9f7b342a2cf0e1b5b7347b6794484052a8f6dc3aeb.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Nanocore family

nanocore

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\7a698045d9ef597fb483ef9f7b342a2cf0e1b5b7347b6794484052a8f6dc3aeb.exe
Target: N/A

Executes dropped EXE

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe (2 identical events)
Target: N/A

Adds Run key to start application

Tags: persistence

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b1b2dqljdx3 = "C:\\Users\\Admin\\AppData\\Roaming\\b1b2dqljdx3\\a1punf5t2of.exe"
Process: C:\Users\Admin\AppData\Local\Temp\7a698045d9ef597fb483ef9f7b342a2cf0e1b5b7347b6794484052a8f6dc3aeb.exe
Target: N/A

Checks whether UAC is enabled

Tags: evasion trojan

Description: Key value queried
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
Target: N/A

Suspicious use of SetThreadContext

Description: PID 968 set thread context of 312
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
Target: C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\7a698045d9ef597fb483ef9f7b342a2cf0e1b5b7347b6794484052a8f6dc3aeb.exe
Target: N/A

Description: Key opened (2 identical events)
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
Target: N/A

Suspicious behavior: GetForegroundWindowSpam

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 2260 wrote to memory of 968 (3 identical events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\7a698045d9ef597fb483ef9f7b342a2cf0e1b5b7347b6794484052a8f6dc3aeb.exe
Target: C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

Description: PID 968 wrote to memory of 312 (8 identical events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
Target: C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7a698045d9ef597fb483ef9f7b342a2cf0e1b5b7347b6794484052a8f6dc3aeb.exe

"C:\Users\Admin\AppData\Local\Temp\7a698045d9ef597fb483ef9f7b342a2cf0e1b5b7347b6794484052a8f6dc3aeb.exe"

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe

"C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 sysupdate24.ddns.net udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 49.192.11.51.in-addr.arpa udp

Files

memory/2260-0-0x00000000748E2000-0x00000000748E3000-memory.dmp
memory/2260-1-0x00000000748E0000-0x0000000074E91000-memory.dmp
memory/2260-2-0x00000000748E0000-0x0000000074E91000-memory.dmp
memory/2260-3-0x00000000748E0000-0x0000000074E91000-memory.dmp
memory/2260-4-0x00000000748E2000-0x00000000748E3000-memory.dmp
memory/2260-5-0x00000000748E0000-0x0000000074E91000-memory.dmp
memory/2260-6-0x00000000748E0000-0x0000000074E91000-memory.dmp
memory/2260-7-0x00000000748E0000-0x0000000074E91000-memory.dmp

C:\Users\Admin\AppData\Roaming\b1b2dqljdx3\a1punf5t2of.exe
MD5: e501141c4be1ac49c197642cb0547b23
SHA1: 2b26939f5c6689cc2e83963f560080f4ff4c2acb
SHA256: a93da9c51143c256127d8ef08343db2919d2f9f339249e197b99b90415795ccc
SHA512: bcd81e54e9ae5142d8c1cc6e604ea757ce4d7e80f91a6d9775f5a38805dc8768f63db1de99e8e3acf955b5c42929daecfa68e85677aa75421eabd5652002ccf3

memory/2260-22-0x00000000748E0000-0x0000000074E91000-memory.dmp
memory/968-21-0x00000000748E0000-0x0000000074E91000-memory.dmp
memory/968-23-0x00000000748E0000-0x0000000074E91000-memory.dmp
memory/968-24-0x00000000748E0000-0x0000000074E91000-memory.dmp
memory/968-25-0x00000000748E0000-0x0000000074E91000-memory.dmp
memory/968-26-0x00000000748E0000-0x0000000074E91000-memory.dmp
memory/968-27-0x00000000748E0000-0x0000000074E91000-memory.dmp
memory/312-29-0x0000000000400000-0x0000000000438000-memory.dmp
memory/312-30-0x0000000000400000-0x0000000000438000-memory.dmp
memory/312-28-0x0000000000400000-0x0000000000438000-memory.dmp
memory/312-35-0x00000000748E0000-0x0000000074E91000-memory.dmp
memory/312-34-0x00000000748E0000-0x0000000074E91000-memory.dmp
memory/312-33-0x00000000748E0000-0x0000000074E91000-memory.dmp
memory/312-37-0x00000000748E0000-0x0000000074E91000-memory.dmp
memory/312-38-0x00000000748E0000-0x0000000074E91000-memory.dmp
memory/312-39-0x00000000748E0000-0x0000000074E91000-memory.dmp
memory/312-40-0x00000000748E0000-0x0000000074E91000-memory.dmp
memory/968-42-0x00000000748E0000-0x0000000074E91000-memory.dmp
memory/312-43-0x00000000748E0000-0x0000000074E91000-memory.dmp