Analysis Overview
SHA256
4a00588e366b27273cc7b3a7dc14addaddc207fdc3b6965e5cb995c1ace2fd04
Threat Level: Known bad
The file Tempspoffer.exe was found to be: Known bad.
Malicious Activity Summary
NanoCore
Nanocore family
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Checks whether UAC is enabled
Adds Run key to start application
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-28 23:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-28 23:11
Reported
2025-01-28 23:14
Platform
win7-20240903-en
Max time kernel
117s
Max time network
152s
Command Line
Signatures
NanoCore
Nanocore family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\spoffer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\Temp sppoffer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Tempspoffer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\spoffer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Manager = "C:\\Program Files (x86)\\DHCP Manager\\dhcpmgr.exe" | C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\DHCP Manager\dhcpmgr.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe | N/A |
| File opened for modification | C:\Program Files (x86)\DHCP Manager\dhcpmgr.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Tempspoffer.exe
"C:\Users\Admin\AppData\Local\Temp\Tempspoffer.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\spoffer.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\spoffer.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Temp sppoffer.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Temp sppoffer.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DHCP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD2C9.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DHCP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD357.tmp"
Network
| Country | Destination | Domain | Proto |
| IS | 157.97.11.134:80 | | tcp |
| IS | 157.97.11.134:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\spoffer.exe
| MD5 | f096b2300f64c3fb11d06562a97bc298 |
| SHA1 | 768afdd542a4be396b10033ed7e4f02f36b8236a |
| SHA256 | 30ba7c29fe54659ef3d4615df1a198096e55c8f7642d70522fb474da9aa4172e |
| SHA512 | 7a7aaf43905a9c31e0df95d39e44513dea0c5aafb2f2debba769faf604139a7d81a42a500d7cf1c7a30a18e94950ae963c4ab20e3f78ca4c603b15fc336e508d |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Temp sppoffer.exe
| MD5 | 7bfd75f09aa7e17d66e9cb4a4149748b |
| SHA1 | 79c47f031fa264907f06295985d1b5e1b0ce35d5 |
| SHA256 | b953c0f984cefd10df18006b4dac295474931059ec39b38cd519c8c8d3dae14b |
| SHA512 | 703470beff1df7ebde61c1e5631f1aec7d36813907b2dc504f1e0ba0d7f18592f8fc8d43bd54b8066b6c08f29a5cb9fb6cb5b0e8160a3081332c347aed341119 |
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe
| MD5 | 39dc955ee6e7b3eefd55691689adb50d |
| SHA1 | fa9fa0a367d4e47906e387da0357865f60541ff0 |
| SHA256 | 5b4033f97ff12ecc172d1ea985f0a474cfbf124d74cb892377f963c530223c48 |
| SHA512 | e976c02b4976aadfc3e633653bc576ac8949f3a47f1dc78ac1cdbca7b80bda1ffc9b82d5eb8f44b587dba0bb2e26e2d3135fadeb70241363fc5ee260d58479fb |
C:\Users\Admin\AppData\Local\Temp\tmpD2C9.tmp
| MD5 | fc6066e1f63e193b1d0c3d59db5c029c |
| SHA1 | ac288c28a25c191726a89eba9e1f3476c756826a |
| SHA256 | 35f383f371aa89cec328c0e4fb0ee13a0ee4e728b545f6c4af631f831509bb46 |
| SHA512 | 3622b5e1d1acbbd636f5df9038359033b657702fd0079d8721709e8acb24db0c70c28202119d264101ba61724933284c801aab79e3b6bba42321e2ea6b34a03c |
C:\Users\Admin\AppData\Local\Temp\tmpD357.tmp
| MD5 | cdf5683344404764a0f3592e9db8a5a1 |
| SHA1 | 6705943b404de237cdd7080c05af25e2b1b6410c |
| SHA256 | 1ea0af7c86be3e61c281ada0470c6dcf178834380def1903b5bb78b49440ffff |
| SHA512 | 23c56873ca8520784cc1d6b0b4211b373fff6fb429872932e5274801d3b9d786566877cd16d1ffa0adca8c7aebb0b935701a0c071073edfbdb319002f99a182b |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-28 23:11
Reported
2025-01-29 08:29
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
155s
Command Line
Signatures
NanoCore
Nanocore family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Tempspoffer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\spoffer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX1\Temp sppoffer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\spoffer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\Temp sppoffer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Host = "C:\\Program Files (x86)\\DHCP Host\\dhcphost.exe" | C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\DHCP Host\dhcphost.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe | N/A |
| File opened for modification | C:\Program Files (x86)\DHCP Host\dhcphost.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Tempspoffer.exe
"C:\Users\Admin\AppData\Local\Temp\Tempspoffer.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\spoffer.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\spoffer.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Temp sppoffer.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Temp sppoffer.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DHCP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpBBCE.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DHCP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpBC5C.tmp"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
| IS | 157.97.11.134:80 | | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| IS | 157.97.11.134:80 | | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| IS | 157.97.11.134:80 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| IS | 157.97.11.134:80 | | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.129.81.91.in-addr.arpa | udp |
| IS | 157.97.11.134:80 | | tcp |
| IS | 157.97.11.134:80 | | tcp |
| US | 8.8.8.8:53 | 11.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| IS | 157.97.11.134:80 | | tcp |
| IS | 157.97.11.134:80 | | tcp |
| IS | 157.97.11.134:80 | | tcp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\spoffer.exe
| MD5 | f096b2300f64c3fb11d06562a97bc298 |
| SHA1 | 768afdd542a4be396b10033ed7e4f02f36b8236a |
| SHA256 | 30ba7c29fe54659ef3d4615df1a198096e55c8f7642d70522fb474da9aa4172e |
| SHA512 | 7a7aaf43905a9c31e0df95d39e44513dea0c5aafb2f2debba769faf604139a7d81a42a500d7cf1c7a30a18e94950ae963c4ab20e3f78ca4c603b15fc336e508d |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Temp sppoffer.exe
| MD5 | 7bfd75f09aa7e17d66e9cb4a4149748b |
| SHA1 | 79c47f031fa264907f06295985d1b5e1b0ce35d5 |
| SHA256 | b953c0f984cefd10df18006b4dac295474931059ec39b38cd519c8c8d3dae14b |
| SHA512 | 703470beff1df7ebde61c1e5631f1aec7d36813907b2dc504f1e0ba0d7f18592f8fc8d43bd54b8066b6c08f29a5cb9fb6cb5b0e8160a3081332c347aed341119 |
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe
| MD5 | 39dc955ee6e7b3eefd55691689adb50d |
| SHA1 | fa9fa0a367d4e47906e387da0357865f60541ff0 |
| SHA256 | 5b4033f97ff12ecc172d1ea985f0a474cfbf124d74cb892377f963c530223c48 |
| SHA512 | e976c02b4976aadfc3e633653bc576ac8949f3a47f1dc78ac1cdbca7b80bda1ffc9b82d5eb8f44b587dba0bb2e26e2d3135fadeb70241363fc5ee260d58479fb |
C:\Users\Admin\AppData\Local\Temp\tmpBBCE.tmp
| MD5 | fc6066e1f63e193b1d0c3d59db5c029c |
| SHA1 | ac288c28a25c191726a89eba9e1f3476c756826a |
| SHA256 | 35f383f371aa89cec328c0e4fb0ee13a0ee4e728b545f6c4af631f831509bb46 |
| SHA512 | 3622b5e1d1acbbd636f5df9038359033b657702fd0079d8721709e8acb24db0c70c28202119d264101ba61724933284c801aab79e3b6bba42321e2ea6b34a03c |
C:\Users\Admin\AppData\Local\Temp\tmpBC5C.tmp
| MD5 | 0479d5f304ef2d7e3c15fb24a99f88c1 |
| SHA1 | 8edbb1450a656fac5f5e96779ffe440ee8c1aec9 |
| SHA256 | 112557c2b2d0c669a3b115129dc32f005341e965330fa8f2ad3e5de1926594bc |
| SHA512 | 537e8d87e5cd975f0e69bb145f81d6e9d7b0d82eed143ac351304ea38577137386a51fdb7357ec6d641eb04ff5f51e249bba2db8a4b5bf2934d561394a4a3f15 |