| Field | Value |
|---|---|
| File name | EXIM INQUIRY_4715680.z |
| Full analysis | https://app.any.run/tasks/131dc65c-a025-4c9a-8a12-2f5c1967cfb2 |
| Verdict | Malicious activity |
| Threats | NanoCore is a Remote Access Trojan, or RAT. This malware is highly customizable through plugins, which allow attackers to tailor its functionality to their needs. NanoCore is written on the .NET framework and is available for purchase for just $25 from its "official" website. |
| Analysis date | July 17, 2019, 04:04:32 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | — |
| Indicators | — |
| MIME | application/zip |
| File info | Zip archive data, at least v2.0 to extract |
| MD5 | 67061B1B8615422E59E9597D7C9C724A |
| SHA1 | FAF4BDBAE96403478C0FEA3E524D5ACBD0DE6F04 |
| SHA256 | 0E6E93A8DACA854088BA150337B3421E07D34FC662EC262214E02A57F321CF9B |
| SSDEEP | 6144:g1Nx5tnXXwHx3/mxTbLmJFF7Izci2tFQ1SExU46jmxuolczuA8v5f47nnv2IBa/4:If5tXXixPmx3iJFF7mL+JjmwHf8vutBl |
| Archive field | Value |
|---|---|
| File type (.zip) | ZIP compressed archive (100) |
| ZipFileName | EXIM INQUIRY_4715680.exe |
| ZipUncompressedSize | 923648 |
| ZipCompressedSize | 392313 |
| ZipCRC | 0xea360ccb |
| ZipModifyDate | 2019:07:16 22:40:17 |
| ZipCompression | Deflated |
| ZipBitFlag | - |
| ZipRequiredVersion | 20 |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 2860 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\EXIM INQUIRY_4715680.z.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 |
| 2656 | "C:\Users\admin\Desktop\EXIM INQUIRY_4715680.exe" | C:\Users\admin\Desktop\EXIM INQUIRY_4715680.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 2384 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | — | EXIM INQUIRY_4715680.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft .NET Assembly Registration Utility; Version: 2.0.50727.5420 (Win7SP1.050727-5400) |
| PID | Process | Key | Name | Operation | Value |
|---|---|---|---|---|---|
| 2860 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | write | — |
| 2860 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | write | — |
| 2860 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E | LanguageList | write | en-US |
| 2860 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | write | C:\Users\admin\AppData\Local\Temp\EXIM INQUIRY_4715680.z.zip |
| 2860 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | write | 120 |
| 2860 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | write | 80 |
| 2860 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | write | 120 |
| 2860 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | write | 100 |
| 2860 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath | 0 | write | C:\Users\admin\Desktop |
| 2384 | RegAsm.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | TCP Monitor | write | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2384 | RegAsm.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat | text | 9DB8526651CCDA3A3763486409EB1FAB | CF829BD047D0E0EA6FBF9894C058883C6EF5DFC6A6D4A698C391284078AA33E3 |
| 2860 | WinRAR.exe | C:\Users\admin\Desktop\EXIM INQUIRY_4715680.exe | executable | 1FCC76CB986C3D3598688A305F516096 | AF4A990B90312889BCE905FB91DCAEF55A5BCB81F3C2B477E1C2525524F3C0F5 |
| 2384 | RegAsm.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe | executable | 278EDBD499374BF73621F8C1F969D894 | C6999B9F79932C3B4F1C461A69D9DC8DC301D6A155ABC33EFE1B6E9E4A038391 |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 2384 | RegAsm.exe | 8.8.8.8:53 | — | Google Inc. | US | whitelisted |
| 2384 | RegAsm.exe | 160.202.163.200:2382 | — | Korea Telecom | KR | malicious |
| — | — | 8.8.8.8:53 | — | Google Inc. | US | whitelisted |
| 2384 | RegAsm.exe | 197.210.52.210:2382 | kalakuta.ddns.net | MTN NIGERIA Communication limited | NG | unknown |
| Domain | IP | Reputation |
|---|---|---|
| kalakuta.ddns.net | — | unknown |