analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

3.zip

Full analysis: https://app.any.run/tasks/cee2e517-6bb4-4496-9404-7c9fda907a45
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Analysis date: April 15, 2019, 06:35:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
nanocore
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

B61F7BF24495BFC0DF4682C541141B3A

SHA1:

7A6D0775ACCA13E9459FEB4530B7983FD5E38F74

SHA256:

01731DDA9DD309309672159E7EAB6D9875FF6DED32D9478C57066ED4BFDC6B0B

SSDEEP:

49152:tNhd7eV2z9L8Stszor+RYUGWRWVQ64GCujZSb6UgTalnR9JFV:7hd7g2Csb+r9RMQGCSob6mTJn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • BlackChecker.exe (PID: 1344)
      • BlackChecker.exe (PID: 2684)
    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3908)
      • explorer.exe (PID: 2036)
    • Loads the Task Scheduler COM API

      • mmc.exe (PID: 3432)
      • schtasks.exe (PID: 2892)
      • schtasks.exe (PID: 2292)
    • Changes the autorun value in the registry

      • BlackChecker.exe (PID: 1344)
      • BlackChecker.exe (PID: 2684)
    • NanoCore was detected

      • BlackChecker.exe (PID: 2684)
    • Uses Task Scheduler to run other applications

      • BlackChecker.exe (PID: 1344)
  • SUSPICIOUS

    • Creates files in the program directory

      • BlackChecker.exe (PID: 1344)
    • Creates files in the user directory

      • BlackChecker.exe (PID: 1344)
      • BlackChecker.exe (PID: 2684)
    • Application launched itself

      • BlackChecker.exe (PID: 2684)
    • Executable content was dropped or overwritten

      • BlackChecker.exe (PID: 1344)
      • BlackChecker.exe (PID: 2684)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: YamlDotNet.dll
ZipUncompressedSize: 198656
ZipCompressedSize: 79460
ZipCRC: 0x035d1ff1
ZipModifyDate: 2018:06:21 17:16:07
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
9
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winrar.exe no specs searchprotocolhost.exe no specs #NANOCORE blackchecker.exe blackchecker.exe explorer.exe no specs schtasks.exe no specs schtasks.exe no specs mmc.exe no specs mmc.exe

Process information

PID
CMD
Path
Indicators
Parent process
2596"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\3.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3908"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
2684"C:\Users\admin\Desktop\BlackChecker.exe" C:\Users\admin\Desktop\BlackChecker.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
1344"C:\Users\admin\Desktop\BlackChecker.exe" C:\Users\admin\Desktop\BlackChecker.exe
BlackChecker.exe
User:
admin
Integrity Level:
HIGH
2036C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2892"schtasks.exe" /create /f /tn "TCP Monitor" /xml "C:\Users\admin\AppData\Local\Temp\tmpC6BD.tmp"C:\Windows\system32\schtasks.exeBlackChecker.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2292"schtasks.exe" /create /f /tn "TCP Monitor Task" /xml "C:\Users\admin\AppData\Local\Temp\tmpC74A.tmp"C:\Windows\system32\schtasks.exeBlackChecker.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
880"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /sC:\Windows\system32\mmc.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Management Console
Exit code:
3221226540
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3432"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /sC:\Windows\system32\mmc.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Management Console
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
2 267
Read events
2 057
Write events
209
Delete events
1

Modification events

(PID) Process:(2596) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2596) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2596) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2596) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\3.zip
(PID) Process:(2596) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2036) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithList
Operation:writeName:a
Value:
WinRAR.exe
(PID) Process:(2036) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\OpenWithList
Operation:writeName:MRUList
Value:
a
(PID) Process:(2596) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2596) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2596) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
Executable files
7
Suspicious files
0
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
2596WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2596.19765\YamlDotNet.dll
MD5:
SHA256:
2596WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2596.19765\configuration\license.txt
MD5:
SHA256:
2596WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2596.19765\configuration\settings.yml
MD5:
SHA256:
2596WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2596.19765\lists\email-providers.txt
MD5:
SHA256:
2596WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2596.19765\lists\og-names.txt
MD5:
SHA256:
2596WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2596.19765\BlackChecker.exe
MD5:
SHA256:
2596WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2596.19765\HOW TO USE.txt
MD5:
SHA256:
2596WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2596.19765\Newtonsoft.Json.dll
MD5:
SHA256:
2596WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2596.19765\System.ValueTuple.dll
MD5:
SHA256:
2596WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2596.19765\xNet-Ameliorated.dll
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
17
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1344
BlackChecker.exe
69.143.168.108:4445
Comcast Cable Communications, LLC
US
unknown

DNS requests

No data

Threats

No threats detected
Process
Message
mmc.exe
Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe
ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn