analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

parition.exe

Full analysis: https://app.any.run/tasks/1c56e9a8-a1b6-49dd-9248-119272426a7e
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Analysis date: April 15, 2019, 14:10:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
nanocore
rat
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

54AD3770E972D59B8B5391E8B3AA145C

SHA1:

88AC63C7EE842EFAADFF5162DC470DA59727876F

SHA256:

03D5BEC857F4A8780B5C693E4ED99448DEB346DFB2F3F9B060FF3F9B373BBA8A

SSDEEP:

6144:tXUvMc+mNuWH11frlfnUZJiehMWvyH8QyJ/GXWjmzoL:ZUvEm4sfrlU+E4H8KwaoL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • parition.exe (PID: 2680)
      • RegAsm.exe (PID: 3268)
    • NanoCore was detected

      • RegAsm.exe (PID: 3268)
    • Application was dropped or rewritten from another process

      • RegAsm.exe (PID: 3268)
    • Connects to CnC server

      • RegAsm.exe (PID: 3268)
  • SUSPICIOUS

    • Creates files in the user directory

      • RegAsm.exe (PID: 3268)
    • Executable content was dropped or overwritten

      • parition.exe (PID: 2680)
      • RegAsm.exe (PID: 3268)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll | Win32 Dynamic Link Library (generic) (7.4)
.exe | Win32 Executable (generic) (5.1)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

AssemblyVersion: 0.0.0.0
ProductVersion: 0.0.0.0
OriginalFileName: LAcKiAjWggiRDFtZm.exe
LegalCopyright:
InternalName: LAcKiAjWggiRDFtZm.exe
FileVersion: 0.0.0.0
FileDescription:
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 0.0.0.0
FileVersionNumber: 0.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x482e
UninitializedDataSize: -
InitializedDataSize: 287232
CodeSize: 10752
LinkerVersion: 11
PEType: PE32
TimeStamp: 2018:10:03 17:45:26+02:00
MachineType: Intel 386 or later, and compatibles
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
32
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start parition.exe #NANOCORE regasm.exe

Process information

PID
CMD
Path
Indicators
Parent process
2680"C:\Users\admin\AppData\Local\Temp\parition.exe" C:\Users\admin\AppData\Local\Temp\parition.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Version:
0.0.0.0
3268"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
parition.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Version:
4.6.1055.0 built by: NETFXREL2
Total events
38
Read events
36
Write events
2
Delete events
0

Modification events

(PID) Process:(2680) parition.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:paritotal
Value:
C:\Users\admin\parition.exe
(PID) Process:(3268) RegAsm.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:TCP Monitor
Value:
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe
Executable files
2
Suspicious files
3
Text files
1
Unknown types
1

Dropped files

PID
Process
Filename
Type
3268RegAsm.exeC:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\settings.bak
MD5:
SHA256:
3268RegAsm.exeC:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dattext
MD5:4313579093531138E13F2C6056C3D2A9
SHA256:5799332B62239E9970A9BB54401FFD3D8FBCF69D15D7F42F8222AAE509D9C2E4
2680parition.exeC:\Users\admin\parition.exeexecutable
MD5:54AD3770E972D59B8B5391E8B3AA145C
SHA256:03D5BEC857F4A8780B5C693E4ED99448DEB346DFB2F3F9B060FF3F9B373BBA8A
3268RegAsm.exeC:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\catalog.datbs
MD5:061E700FE27D852034A5A44BF5985CCF
SHA256:4BBB88AF530693EB4A710B0591D4BAF585837242C5690F5A821BF2FC9CC587CD
3268RegAsm.exeC:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\settings.binbinary
MD5:ACD3FB4310417DC77FE06F15B0E353E6
SHA256:DC3AE604991C9BB8FF8BC4502AE3D0DB8A3317512C0F432490B103B89C1A4368
3268RegAsm.exeC:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exeexecutable
MD5:911BDF77EB94E48CA524252A3FD47019
SHA256:A07564A8771DAFA3EBE9ACEAA20C327EFA2D0AC2EDC06B2BBC3EEBDC66600641
3268RegAsm.exeC:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\storage.datbinary
MD5:0CA9956E5967CBD48189498803097888
SHA256:535452B987718279A4606B726A3DB76C48C74D8D5D4D08D10272511CBC7EB756
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3268
RegAsm.exe
8.8.8.8:53
Google Inc.
US
whitelisted
3268
RegAsm.exe
102.139.251.162:54984
windowsupdaters.zapto.org
malicious

DNS requests

Domain
IP
Reputation
windowsupdaters.zapto.org
  • 102.139.251.162
malicious

Threats

PID
Process
Class
Message
3268
RegAsm.exe
A Network Trojan was detected
ET TROJAN Possible NanoCore C2 60B
3268
RegAsm.exe
A Network Trojan was detected
MALWARE [PTsecurity] NanoCore.RAT
3268
RegAsm.exe
A Network Trojan was detected
ET TROJAN Possible NanoCore C2 64B
3268
RegAsm.exe
A Network Trojan was detected
MALWARE [PTsecurity] NanoCore.RAT
3268
RegAsm.exe
A Network Trojan was detected
ET TROJAN Possible NanoCore C2 64B
3268
RegAsm.exe
A Network Trojan was detected
MALWARE [PTsecurity] NanoCore.RAT
3268
RegAsm.exe
A Network Trojan was detected
MALWARE [PTsecurity] NanoCore.RAT
3268
RegAsm.exe
A Network Trojan was detected
ET TROJAN Possible NanoCore C2 64B
3268
RegAsm.exe
A Network Trojan was detected
MALWARE [PTsecurity] NanoCore.RAT
3268
RegAsm.exe
A Network Trojan was detected
MALWARE [PTsecurity] NanoCore.RAT
14 ETPRO signatures available at the full report
No debug info