Malware Analysis Report

2025-04-13 20:47

Sample ID 250128-26ecnaxkbl
Target Tempspoffer.exe
SHA256 4a00588e366b27273cc7b3a7dc14addaddc207fdc3b6965e5cb995c1ace2fd04
Tags
nanocore defense_evasion discovery keylogger persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

4a00588e366b27273cc7b3a7dc14addaddc207fdc3b6965e5cb995c1ace2fd04

Threat Level: Known bad

The file Tempspoffer.exe was found to be: Known bad.

Malicious Activity Summary

nanocore defense_evasion discovery keylogger persistence spyware stealer trojan

NanoCore

Nanocore family

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-28 23:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-28 23:11

Reported

2025-01-28 23:14

Platform

win7-20240903-en

Max time kernel

117s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Tempspoffer.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Nanocore family

nanocore

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Tempspoffer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\spoffer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Manager = "C:\\Program Files (x86)\\DHCP Manager\\dhcpmgr.exe" C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DHCP Manager\dhcpmgr.exe C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe N/A
File opened for modification C:\Program Files (x86)\DHCP Manager\dhcpmgr.exe C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1248 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\Tempspoffer.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\spoffer.exe
PID 1248 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\Tempspoffer.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\spoffer.exe
PID 1248 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\Tempspoffer.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\spoffer.exe
PID 1256 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\spoffer.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\Temp sppoffer.exe
PID 1256 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\spoffer.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\Temp sppoffer.exe
PID 1256 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\spoffer.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\Temp sppoffer.exe
PID 2820 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\Temp sppoffer.exe C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe
PID 2820 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\Temp sppoffer.exe C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe
PID 2820 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\Temp sppoffer.exe C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe
PID 2820 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\Temp sppoffer.exe C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe
PID 2672 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe C:\Windows\SysWOW64\schtasks.exe
PID 2672 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Tempspoffer.exe

"C:\Users\Admin\AppData\Local\Temp\Tempspoffer.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\spoffer.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\spoffer.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Temp sppoffer.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Temp sppoffer.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DHCP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD2C9.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DHCP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD357.tmp"

Network

Country Destination Domain Proto
IS 157.97.11.134:80 tcp
IS 157.97.11.134:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\spoffer.exe

MD5 f096b2300f64c3fb11d06562a97bc298
SHA1 768afdd542a4be396b10033ed7e4f02f36b8236a
SHA256 30ba7c29fe54659ef3d4615df1a198096e55c8f7642d70522fb474da9aa4172e
SHA512 7a7aaf43905a9c31e0df95d39e44513dea0c5aafb2f2debba769faf604139a7d81a42a500d7cf1c7a30a18e94950ae963c4ab20e3f78ca4c603b15fc336e508d

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Temp sppoffer.exe

MD5 7bfd75f09aa7e17d66e9cb4a4149748b
SHA1 79c47f031fa264907f06295985d1b5e1b0ce35d5
SHA256 b953c0f984cefd10df18006b4dac295474931059ec39b38cd519c8c8d3dae14b
SHA512 703470beff1df7ebde61c1e5631f1aec7d36813907b2dc504f1e0ba0d7f18592f8fc8d43bd54b8066b6c08f29a5cb9fb6cb5b0e8160a3081332c347aed341119

C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe

MD5 39dc955ee6e7b3eefd55691689adb50d
SHA1 fa9fa0a367d4e47906e387da0357865f60541ff0
SHA256 5b4033f97ff12ecc172d1ea985f0a474cfbf124d74cb892377f963c530223c48
SHA512 e976c02b4976aadfc3e633653bc576ac8949f3a47f1dc78ac1cdbca7b80bda1ffc9b82d5eb8f44b587dba0bb2e26e2d3135fadeb70241363fc5ee260d58479fb

C:\Users\Admin\AppData\Local\Temp\tmpD2C9.tmp

MD5 fc6066e1f63e193b1d0c3d59db5c029c
SHA1 ac288c28a25c191726a89eba9e1f3476c756826a
SHA256 35f383f371aa89cec328c0e4fb0ee13a0ee4e728b545f6c4af631f831509bb46
SHA512 3622b5e1d1acbbd636f5df9038359033b657702fd0079d8721709e8acb24db0c70c28202119d264101ba61724933284c801aab79e3b6bba42321e2ea6b34a03c

C:\Users\Admin\AppData\Local\Temp\tmpD357.tmp

MD5 cdf5683344404764a0f3592e9db8a5a1
SHA1 6705943b404de237cdd7080c05af25e2b1b6410c
SHA256 1ea0af7c86be3e61c281ada0470c6dcf178834380def1903b5bb78b49440ffff
SHA512 23c56873ca8520784cc1d6b0b4211b373fff6fb429872932e5274801d3b9d786566877cd16d1ffa0adca8c7aebb0b935701a0c071073edfbdb319002f99a182b

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-28 23:11

Reported

2025-01-29 08:29

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Tempspoffer.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Nanocore family

nanocore

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Tempspoffer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX0\spoffer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX1\Temp sppoffer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Host = "C:\\Program Files (x86)\\DHCP Host\\dhcphost.exe" C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DHCP Host\dhcphost.exe C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe N/A
File opened for modification C:\Program Files (x86)\DHCP Host\dhcphost.exe C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3956 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\Tempspoffer.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\spoffer.exe
PID 3956 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\Tempspoffer.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\spoffer.exe
PID 4756 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\spoffer.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\Temp sppoffer.exe
PID 4756 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\spoffer.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\Temp sppoffer.exe
PID 2004 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\Temp sppoffer.exe C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe
PID 2004 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\Temp sppoffer.exe C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe
PID 2004 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\Temp sppoffer.exe C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe
PID 3876 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe C:\Windows\SysWOW64\schtasks.exe
PID 3876 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe C:\Windows\SysWOW64\schtasks.exe
PID 3876 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe C:\Windows\SysWOW64\schtasks.exe
PID 3876 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe C:\Windows\SysWOW64\schtasks.exe
PID 3876 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe C:\Windows\SysWOW64\schtasks.exe
PID 3876 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Tempspoffer.exe

"C:\Users\Admin\AppData\Local\Temp\Tempspoffer.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\spoffer.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\spoffer.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Temp sppoffer.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Temp sppoffer.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DHCP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpBBCE.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DHCP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpBC5C.tmp"

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\spoffer.exe

MD5 f096b2300f64c3fb11d06562a97bc298
SHA1 768afdd542a4be396b10033ed7e4f02f36b8236a
SHA256 30ba7c29fe54659ef3d4615df1a198096e55c8f7642d70522fb474da9aa4172e
SHA512 7a7aaf43905a9c31e0df95d39e44513dea0c5aafb2f2debba769faf604139a7d81a42a500d7cf1c7a30a18e94950ae963c4ab20e3f78ca4c603b15fc336e508d

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Temp sppoffer.exe

MD5 7bfd75f09aa7e17d66e9cb4a4149748b
SHA1 79c47f031fa264907f06295985d1b5e1b0ce35d5
SHA256 b953c0f984cefd10df18006b4dac295474931059ec39b38cd519c8c8d3dae14b
SHA512 703470beff1df7ebde61c1e5631f1aec7d36813907b2dc504f1e0ba0d7f18592f8fc8d43bd54b8066b6c08f29a5cb9fb6cb5b0e8160a3081332c347aed341119

C:\Users\Admin\AppData\Local\Temp\RarSFX2\Google Chrome.exe

MD5 39dc955ee6e7b3eefd55691689adb50d
SHA1 fa9fa0a367d4e47906e387da0357865f60541ff0
SHA256 5b4033f97ff12ecc172d1ea985f0a474cfbf124d74cb892377f963c530223c48
SHA512 e976c02b4976aadfc3e633653bc576ac8949f3a47f1dc78ac1cdbca7b80bda1ffc9b82d5eb8f44b587dba0bb2e26e2d3135fadeb70241363fc5ee260d58479fb

C:\Users\Admin\AppData\Local\Temp\tmpBBCE.tmp

MD5 fc6066e1f63e193b1d0c3d59db5c029c
SHA1 ac288c28a25c191726a89eba9e1f3476c756826a
SHA256 35f383f371aa89cec328c0e4fb0ee13a0ee4e728b545f6c4af631f831509bb46
SHA512 3622b5e1d1acbbd636f5df9038359033b657702fd0079d8721709e8acb24db0c70c28202119d264101ba61724933284c801aab79e3b6bba42321e2ea6b34a03c

C:\Users\Admin\AppData\Local\Temp\tmpBC5C.tmp

MD5 0479d5f304ef2d7e3c15fb24a99f88c1
SHA1 8edbb1450a656fac5f5e96779ffe440ee8c1aec9
SHA256 112557c2b2d0c669a3b115129dc32f005341e965330fa8f2ad3e5de1926594bc
SHA512 537e8d87e5cd975f0e69bb145f81d6e9d7b0d82eed143ac351304ea38577137386a51fdb7357ec6d641eb04ff5f51e249bba2db8a4b5bf2934d561394a4a3f15