Malware Analysis Report

2025-04-13 20:48

Sample ID: 250127-b8v53svrhj
Target: 46f92ebe290305fbfa65465b24f2c058c3ad05ec6e0858345d00d407efbe1994.exe
SHA256: 46f92ebe290305fbfa65465b24f2c058c3ad05ec6e0858345d00d407efbe1994
Tags: nanocore defense_evasion discovery keylogger persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 46f92ebe290305fbfa65465b24f2c058c3ad05ec6e0858345d00d407efbe1994
Threat Level: Known bad

The file 46f92ebe290305fbfa65465b24f2c058c3ad05ec6e0858345d00d407efbe1994.exe was found to be: Known bad.

Malicious Activity Summary

nanocore defense_evasion discovery keylogger persistence spyware stealer trojan

Nanocore family

NanoCore

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-01-27 01:49

Signatures

Unsigned PE

No description, indicator, process or target is recorded for this signature.

Analysis: behavioral1

Detonation Overview

Submitted: 2025-01-27 01:49
Reported: 2025-01-27 01:51
Platform: win7-20240903-en
Max time kernel: 119s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\46f92ebe290305fbfa65465b24f2c058c3ad05ec6e0858345d00d407efbe1994.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Nanocore family

nanocore

Executes dropped EXE

Process: C:\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe
Description, indicator and target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\c5e4gxfvd4v = "C:\\Users\\Admin\\AppData\\Roaming\\c5e4gxfvd4v\\ximo2ubzn1i.exe"
Process: C:\Users\Admin\AppData\Local\Temp\46f92ebe290305fbfa65465b24f2c058c3ad05ec6e0858345d00d407efbe1994.exe
Target: N/A
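The Run-key indicator above (and the identical one in the behavioral2 run, which differs only in the user SID) is the kind of line a triage script should parse rather than eyeball: the value name and the image name are random-looking, the image sits under AppData\Roaming, and the writer is the sample running from Temp. The following is an added example, not code from the sandbox or this report; the indicator format is copied from the report, while the user-writable path list, the "machine-generated name" heuristic and the benign control entry are assumptions.

```python
"""Classify a sandbox 'Set value (str)' Run-key indicator as persistence worth
alerting on. Added example, not code from the sandbox or this report; the
indicator format is taken from the report, while the path list and the
'machine-generated name' heuristic are assumptions."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Indicator format as printed in the report:
#   \REGISTRY\USER\<SID>\Software\...\CurrentVersion\Run\<name> = "<data>"
_RUN_RE = re.compile(
    r'^\\REGISTRY\\(?P<hive>USER|MACHINE)\\'
    r'(?P<path>.+?\\CurrentVersion\\(?:Run|RunOnce))\\'
    r'(?P<name>[^\\=]+?)\s*=\s*"(?P<data>.*)"$',
    re.IGNORECASE,
)

# User-writable directories that legitimate autostarts rarely use (assumption).
_USER_WRITABLE = (
    "\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\", "\\programdata\\",
)


@dataclass
class RunKeyFinding:
    hive: str
    sid: str | None
    value_name: str
    image_path: str
    reasons: list[str]

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_run_indicator(indicator: str) -> tuple[str, str | None, str, str]:
    """Split the indicator into (hive, SID or None, value name, unescaped data)."""
    m = _RUN_RE.match(indicator.strip())
    if not m:
        raise ValueError(f"not a Run-key indicator: {indicator!r}")
    hive, path = m.group("hive").upper(), m.group("path")
    sid = path.split("\\", 1)[0] if hive == "USER" else None
    data = m.group("data").replace("\\\\", "\\")  # the report doubles backslashes
    return hive, sid, m.group("name"), data


def _looks_random(token: str) -> bool:
    """Heuristic (assumption): 8+ alphanumeric chars switching between letter
    and digit runs at least three times, e.g. c5e4gxfvd4v or ximo2ubzn1i."""
    if len(token) < 8 or not token.isalnum():
        return False
    classes = ["d" if c.isdigit() else "a" for c in token]
    return sum(1 for a, b in zip(classes, classes[1:]) if a != b) >= 3


def assess_run_key(indicator: str, writer: str | None = None) -> RunKeyFinding:
    """Return the parsed entry plus the reasons (if any) it should be alerted on."""
    hive, sid, name, image = parse_run_indicator(indicator)
    low = image.lower()
    reasons: list[str] = []
    if any(seg in low for seg in _USER_WRITABLE):
        reasons.append("autostart image lives in a user-writable directory")
    stem = low.rsplit("\\", 1)[-1].split(".exe")[0]
    if _looks_random(name) and _looks_random(stem):
        reasons.append("value name and image name look machine-generated")
    if writer and "\\appdata\\local\\temp\\" in writer.lower():
        reasons.append("Run value written by a process running from Temp")
    return RunKeyFinding(hive, sid, name, image, reasons)


# Constructed from the behavioral1 'Adds Run key' row of this report.
SAMPLE_INDICATOR = (
    r'\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\c5e4gxfvd4v'
    r' = "C:\\Users\\Admin\\AppData\\Roaming\\c5e4gxfvd4v\\ximo2ubzn1i.exe"'
)
SAMPLE_WRITER = (
    r"C:\Users\Admin\AppData\Local\Temp"
    r"\46f92ebe290305fbfa65465b24f2c058c3ad05ec6e0858345d00d407efbe1994.exe"
)
# Benign control entry, constructed for contrast (not from the report).
BENIGN_INDICATOR = (
    r'\REGISTRY\USER\S-1-5-21-1-2-3-1000\Software\Microsoft\Windows\CurrentVersion'
    r'\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"'
)

if __name__ == "__main__":
    for ind, who in ((SAMPLE_INDICATOR, SAMPLE_WRITER), (BENIGN_INDICATOR, None)):
        f = assess_run_key(ind, who)
        print(f.value_name, "->", f.image_path, "SUSPICIOUS" if f.suspicious else "ok", f.reasons)
```

The heuristics are deliberately cheap so they can run over every Run/RunOnce write in an EDR feed; the point of the parser is that the SID, value name and unescaped image path come out as separate fields you can pivot on (the value name c5e4gxfvd4v, for instance, is the same in both detonations of this sample while the dropped file's hash is not).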

Checks whether UAC is enabled

defense_evasion trojan
Description: Key value queried
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe (the host of the injected payload, see Suspicious use of SetThreadContext below)
Target: N/A

Suspicious use of SetThreadContext

Description: PID 2760 set thread context of 2620
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe (PID 2760)
Target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe (PID 2620)

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Processes:
    C:\Users\Admin\AppData\Local\Temp\46f92ebe290305fbfa65465b24f2c058c3ad05ec6e0858345d00d407efbe1994.exe
    C:\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
Target: N/A

Suspicious behavior: EnumeratesProcesses

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe (2 events)
Description, indicator and target: N/A

Suspicious behavior: GetForegroundWindowSpam

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
Description, indicator and target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
Target: N/A

Suspicious use of WriteProcessMemory

Description: PID 2192 wrote to memory of 2760 (4 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\46f92ebe290305fbfa65465b24f2c058c3ad05ec6e0858345d00d407efbe1994.exe (PID 2192)
Target: C:\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe (PID 2760)

Description: PID 2760 wrote to memory of 2620 (12 events)
Indicator: N/A
Process: C:\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe (PID 2760)
Target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe (PID 2620)
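Read together, the WriteProcessMemory and SetThreadContext rows describe a two-hop chain: the sample (PID 2192) writes into its dropped copy (PID 2760), and the dropped copy writes twelve times into a freshly started regasm.exe (PID 2620) and then changes that process's thread context, which is the write-image-then-redirect-entry-point half of process hollowing (the report does not show the suspended-create or resume calls). The following is an added example, not the sandbox's code; the event records are transcribed from the PIDs and images in this report, and the Event schema and the HOLLOW_HOSTS list are assumptions.

```python
"""Reconstruct the injection chain from sandbox API events and flag process
hollowing into a signed .NET host. Added example, not the sandbox's code; the
event records are transcribed from this report's PIDs and images, and the
Event schema and the HOLLOW_HOSTS list are assumptions."""
from __future__ import annotations
from dataclasses import dataclass

# Microsoft-signed .NET utilities frequently used as hollowing hosts (assumption).
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}


@dataclass(frozen=True)
class Event:
    api: str                 # "create", "WriteProcessMemory" or "SetThreadContext"
    pid: int                 # acting process
    target: int | None = None
    image: str = ""          # only set on "create"


@dataclass
class Injection:
    source_pid: int
    source_image: str
    target_pid: int
    target_image: str
    writes: int = 0
    set_context: bool = False

    @property
    def hollowing(self) -> bool:
        """Writes followed by a thread-context change into a trusted host binary."""
        host = self.target_image.rsplit("\\", 1)[-1].lower()
        return self.writes > 0 and self.set_context and host in HOLLOW_HOSTS


def build_chains(events: list[Event]) -> list[Injection]:
    """Group cross-process writes and context changes by (source, target) pair."""
    image = {e.pid: e.image for e in events if e.api == "create"}
    pairs: dict[tuple[int, int], Injection] = {}
    for e in events:
        if e.api not in ("WriteProcessMemory", "SetThreadContext") or e.target is None:
            continue
        rec = pairs.setdefault(
            (e.pid, e.target),
            Injection(e.pid, image.get(e.pid, "?"), e.target, image.get(e.target, "?")),
        )
        if e.api == "WriteProcessMemory":
            rec.writes += 1
        else:
            rec.set_context = True
    return list(pairs.values())


def hollowing_alerts(events: list[Event]) -> list[Injection]:
    return [c for c in build_chains(events) if c.hollowing]


def injection_path(events: list[Event], root_pid: int) -> list[int]:
    """Follow source->target links from the root process to the final host."""
    nxt = {c.source_pid: c.target_pid for c in build_chains(events)}
    path = [root_pid]
    while path[-1] in nxt and nxt[path[-1]] not in path:
        path.append(nxt[path[-1]])
    return path


DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\46f92ebe290305fbfa65465b24f2c058c3ad05ec6e0858345d00d407efbe1994.exe")
DROPPED = r"C:\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

# Transcribed from behavioral1: 4 writes 2192->2760, 12 writes 2760->2620,
# then SetThreadContext 2760->2620.
SAMPLE_EVENTS = (
    [Event("create", 2192, image=DROPPER), Event("create", 2760, image=DROPPED),
     Event("create", 2620, image=REGASM)]
    + [Event("WriteProcessMemory", 2192, 2760) for _ in range(4)]
    + [Event("WriteProcessMemory", 2760, 2620) for _ in range(12)]
    + [Event("SetThreadContext", 2760, 2620)]
)

if __name__ == "__main__":
    print("chain:", " -> ".join(map(str, injection_path(SAMPLE_EVENTS, 2192))))
    for a in hollowing_alerts(SAMPLE_EVENTS):
        print(f"hollowing: {a.source_image} (PID {a.source_pid}) -> "
              f"{a.target_image} (PID {a.target_pid}), {a.writes} writes")
```

Only the 2760 -> 2620 pair satisfies the hollowing rule; the 2192 -> 2760 writes have no SetThreadContext on this page and the target is the dropped file itself, so they are reported as a plain cross-process write. A cheap corroborating check on a live host is the command line: the report shows regasm.exe started with no arguments, whereas a legitimate RegAsm invocation names the assembly it is registering.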

Processes

C:\Users\Admin\AppData\Local\Temp\46f92ebe290305fbfa65465b24f2c058c3ad05ec6e0858345d00d407efbe1994.exe (PID 2192)

"C:\Users\Admin\AppData\Local\Temp\46f92ebe290305fbfa65465b24f2c058c3ad05ec6e0858345d00d407efbe1994.exe"

C:\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe (PID 2760)

"C:\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe (PID 2620, started with no arguments and used as the injection host)

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

Network

Country: FR
Destination: 178.32.224.116:46218
Domain: (none)
Proto: tcp
Connections: 6

Files

memory/2192-0-0x0000000074E8E000-0x0000000074E8F000-memory.dmp

memory/2192-1-0x0000000001370000-0x00000000013DE000-memory.dmp

memory/2192-2-0x0000000074E80000-0x000000007556E000-memory.dmp

memory/2192-3-0x0000000000AC0000-0x0000000000AFC000-memory.dmp

\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe

MD5 00ca7a3e1fc5c55ffcfdc878407f719d
SHA1 1b5f0e05a942c26a2b7d8994ad70fa08ddb229b8
SHA256 1d674abda4b72984bcfa7f53078c50a524862ebf27e9cfc9301c55a4c8318ff5
SHA512 241d67fea70984da9de33f832c5b739e1b56a1ecab6d5731cb0b39460b9204f91b427b104ba3e7afea84bc951d50ea72a938f3e7f7c55cbebf5a2c9a09c7c068

memory/2760-12-0x0000000074E80000-0x000000007556E000-memory.dmp

memory/2760-13-0x0000000000090000-0x00000000000FE000-memory.dmp

memory/2192-14-0x0000000074E80000-0x000000007556E000-memory.dmp

memory/2760-15-0x0000000074E80000-0x000000007556E000-memory.dmp

memory/2620-16-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2620-20-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2620-27-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2620-28-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2620-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2620-22-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2620-18-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2620-17-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2620-30-0x0000000000780000-0x000000000078A000-memory.dmp

memory/2620-31-0x0000000000870000-0x000000000088E000-memory.dmp

memory/2620-32-0x0000000000890000-0x000000000089A000-memory.dmp

memory/2760-33-0x0000000074E80000-0x000000007556E000-memory.dmp

memory/2760-34-0x0000000074E80000-0x000000007556E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2025-01-27 01:49
Reported: 2025-01-27 01:51
Platform: win10v2004-20241007-en
Max time kernel: 94s
Max time network: 96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\46f92ebe290305fbfa65465b24f2c058c3ad05ec6e0858345d00d407efbe1994.exe"

Signatures

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\46f92ebe290305fbfa65465b24f2c058c3ad05ec6e0858345d00d407efbe1994.exe
Target: N/A

Executes dropped EXE

Process: C:\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe
Description, indicator and target: N/A

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c5e4gxfvd4v = "C:\\Users\\Admin\\AppData\\Roaming\\c5e4gxfvd4v\\ximo2ubzn1i.exe"
Process: C:\Users\Admin\AppData\Local\Temp\46f92ebe290305fbfa65465b24f2c058c3ad05ec6e0858345d00d407efbe1994.exe
Target: N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Processes:
    C:\Users\Admin\AppData\Local\Temp\46f92ebe290305fbfa65465b24f2c058c3ad05ec6e0858345d00d407efbe1994.exe
    C:\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\46f92ebe290305fbfa65465b24f2c058c3ad05ec6e0858345d00d407efbe1994.exe

"C:\Users\Admin\AppData\Local\Temp\46f92ebe290305fbfa65465b24f2c058c3ad05ec6e0858345d00d407efbe1994.exe"

C:\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe

"C:\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 98.250.22.2.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 133.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 214.72.21.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/2596-0-0x0000000074BDE000-0x0000000074BDF000-memory.dmp

memory/2596-1-0x0000000000350000-0x00000000003BE000-memory.dmp

memory/2596-2-0x0000000005280000-0x0000000005824000-memory.dmp

memory/2596-3-0x0000000004CD0000-0x0000000004D62000-memory.dmp

memory/2596-4-0x0000000004C80000-0x0000000004C8A000-memory.dmp

memory/2596-5-0x0000000074BD0000-0x0000000075380000-memory.dmp

memory/2596-6-0x0000000004F10000-0x0000000004F4C000-memory.dmp

C:\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe

MD5 9323d0d485a83a1ea7ee63932ef56322
SHA1 d97f24c2c98c7deba08b6ea5707d84022ec3dca3
SHA256 009a298be874cc883107343764ffc3a511d1640445dc96b284937057172174f7
SHA512 a9c901eedf40040b43e68a17bea6a8eaa0dd2199b305845ac0e26e6a0f6deb8b855e7b901924af2d01f423e4851cd55f06d07a8d15add26df1d692eb790fe9e7

memory/2596-20-0x0000000074BD0000-0x0000000075380000-memory.dmp

memory/3504-21-0x0000000074BD0000-0x0000000075380000-memory.dmp

memory/3504-22-0x0000000074BD0000-0x0000000075380000-memory.dmp

memory/3504-23-0x0000000074BD0000-0x0000000075380000-memory.dmp

memory/3504-25-0x0000000074BD0000-0x0000000075380000-memory.dmp
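Two things stand out when the runs are set side by side. First, the behavioral2 (win10) run recorded neither the NanoCore and injection signatures nor the connection to 178.32.224.116:46218; its Network table holds only reverse-DNS (PTR) queries sent to 8.8.8.8, listed without a process attribution, so the family identification and the C2 socket rest on the behavioral1 run. Second, the dropped ximo2ubzn1i.exe has a different MD5/SHA1/SHA256 in each run while its path and the Run value name c5e4gxfvd4v are identical, so the dropped-file hashes are per-detonation values, not indicators to block on. The following is an added example, not part of the report; the run records are transcribed from the report's tables (a subset of the PTR rows), and the rule "stable = identical in every run" is an assumption.

```python
"""Consolidate the indicators of both detonations into a stable IoC set.
Added example, not part of the report; the run records are transcribed from
the report's tables, and the rule 'stable = identical in every run' is an
assumption."""
from __future__ import annotations
import ipaddress


def ptr_to_ip(name: str) -> str | None:
    """Decode an IPv4 reverse-lookup name: '241.150.49.20.in-addr.arpa' -> '20.49.150.241'."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


DROP_PATH = r"C:\Users\Admin\AppData\Roaming\c5e4gxfvd4v\ximo2ubzn1i.exe"
# Transcribed from the report's behavioral1 and behavioral2 tables.
RUNS = {
    "behavioral1 (win7)": {
        "run_value": "c5e4gxfvd4v",
        "drop_path": DROP_PATH,
        "drop_sha256": "1d674abda4b72984bcfa7f53078c50a524862ebf27e9cfc9301c55a4c8318ff5",
        "network": [("FR", "178.32.224.116:46218", "", "tcp")] * 6,
    },
    "behavioral2 (win10)": {
        "run_value": "c5e4gxfvd4v",
        "drop_path": DROP_PATH,
        "drop_sha256": "009a298be874cc883107343764ffc3a511d1640445dc96b284937057172174f7",
        "network": [
            ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
            ("US", "8.8.8.8:53", "241.150.49.20.in-addr.arpa", "udp"),
            ("US", "8.8.8.8:53", "98.250.22.2.in-addr.arpa", "udp"),
            ("US", "8.8.8.8:53", "14.227.111.52.in-addr.arpa", "udp"),
        ],
    },
}


def consolidate(runs: dict) -> dict:
    """Split host indicators into run-stable vs. per-run values, and network
    rows into direct sockets vs. decoded PTR lookups."""
    out = {"stable": {}, "per_run": {}, "sockets": set(), "ptr": {}}
    for key in ("run_value", "drop_path", "drop_sha256"):
        values = sorted({r[key] for r in runs.values()})
        (out["stable"] if len(values) == 1 else out["per_run"])[key] = values
    for r in runs.values():
        for _country, dest, domain, proto in r["network"]:
            ip, port = dest.rsplit(":", 1)
            decoded = ptr_to_ip(domain) if proto == "udp" and port == "53" else None
            if decoded:
                out["ptr"][domain] = decoded      # resolver traffic, not a C2 socket
            else:
                out["sockets"].add((ip, int(port), proto))
    return out


if __name__ == "__main__":
    res = consolidate(RUNS)
    print("stable:", res["stable"])
    print("varies per run (do not use as IoC):", res["per_run"])
    print("sockets:", sorted(res["sockets"]))
    print("PTR lookups:", res["ptr"])
```

Decoding the PTR names turns the behavioral2 rows into the forward addresses that were actually looked up (241.150.49.20.in-addr.arpa is a query about 20.49.150.241), which is what you need before deciding whether any of them belongs to the sample or to the sandbox's own background traffic; the report itself does not make that attribution.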