| Field | Value |
|---|---|
| File name | Sales Contract Docs A612-005-20.ace |
| Full analysis | https://app.any.run/tasks/59a7c84a-0937-42ac-b9f1-98d0d9ed3f90 |
| Verdict | Malicious activity |
| Threats | NanoCore is a Remote Access Trojan (RAT). It is written for the .NET Framework and is highly customizable through plugins, which let operators tailor its functionality to their needs. It has been sold for as little as $25 from its "official" website. |
| Analysis date | May 20, 2019, 12:18:25 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/octet-stream |
| File info | ACE archive data version 20, from Win/32, version 20 to extract, contains AV-String (unregistered), solid |
| MD5 | B4AB5D35D4C982AE9CC6DB0C537C04A5 |
| SHA1 | B15E5E6C65CCC6BD47B6C5A31BB32208FC6A9ACC |
| SHA256 | 0F76EB043361405B9349E09AADD6CA714A24691BD96CE9E43313F8F37878FAC4 |
| SSDEEP | 24576:MkMw2srboMV20mzX+i9o3hBLmvsP5EZjCVq3zla6JfQb3iGll07hYh:+svT0zui9shBqAaAkZPJfQb3OF8 |
| File type | .ace, ACE compressed archive (100) |

| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 2948 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Sales Contract Docs A612-005-20.ace" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe | User: admin; Company: Alexander Roshal; Integrity level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 |
| 3076 | "C:\Users\admin\AppData\Local\Temp\Rar$DIa2948.23468\Sales Contract Docs A612-005-20.com" | C:\Users\admin\AppData\Local\Temp\Rar$DIa2948.23468\Sales Contract Docs A612-005-20.com | | WinRAR.exe | User: admin; Company: The Apache Software Foundation; Integrity level: MEDIUM; Description: Apache log4net for .NET Framework 4.5; Version: 2.0.8.0 |
| 3236 | "C:\Windows\System32\cscript.exe" //B //Nologo C:\Users\admin\RegAsm.vbs | C:\Windows\System32\cscript.exe | | Sales Contract Docs A612-005-20.com | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Microsoft ® Console Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
| 3888 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | | Sales Contract Docs A612-005-20.com | User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Microsoft .NET Assembly Registration Utility; Version: 2.0.50727.5420 (Win7SP1.050727-5400) |

| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 2948 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | |
| 2948 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | |
| 2948 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | write | LanguageList | en-US |
| 2948 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\Sales Contract Docs A612-005-20.ace |
| 2948 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120 |
| 2948 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80 |
| 2948 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120 |
| 2948 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | mtime | 100 |
| 2948 | WinRAR.exe | HKEY_CURRENT_USER\Software\ACE Compression Software\ActiveAce\2.0 | write | Count | 0 |
| 2948 | WinRAR.exe | HKEY_CURRENT_USER\Software\ACE Compression Software\ActiveAce\2.0 | write | Name | 542D4B42647265644B76737A7E794B566767537663764B5B7874767B4B43727A674B44767B7264375478796365767463375378746437562126253A2727223A252739767472171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171717171700 |

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2948 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2948.23468\Sales Contract Docs A612-005-20.com | executable | 9F31F4DEEAB8223DE21F486CDDDCE7BF | 159410FC60363B074508423200F7018C5691B6CCA5E646E611F168F3546EBE63 |
| 3888 | RegAsm.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat | binary | 494D92612B95371FAC0C1CCE50E591D8 | 718DD5ABA7208C1E07CF4A9CBCA5EEE05BAB8A52E6723E2E977E99DE8B98E531 |
| 3076 | Sales Contract Docs A612-005-20.com | C:\Users\admin\AppData\Roaming\App.exe | executable | 9F31F4DEEAB8223DE21F486CDDDCE7BF | 159410FC60363B074508423200F7018C5691B6CCA5E646E611F168F3546EBE63 |
| 3236 | cscript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsm.Lnk | lnk | 4793E993148EE78504E1EEAC78E059FA | 35967E0E69819156C47CBA79632FC93DED99FC64D0603EACBEB7FBC96AD766DF |
| 3076 | Sales Contract Docs A612-005-20.com | C:\Users\admin\RegAsm.vbs | text | F23F2782A7872B9ABB716E7994981D77 | 7FA1F377343E21103C1C42DE4A16B1E82F17952819A708E7CDA8893FF995C85F |
| 3888 | RegAsm.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe | executable | 278EDBD499374BF73621F8C1F969D894 | C6999B9F79932C3B4F1C461A69D9DC8DC301D6A155ABC33EFE1B6E9E4A038391 |

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3888 | RegAsm.exe | 184.75.209.172:7030 | — | Amanah Tech Inc. | CA | suspicious |
— | — | 184.75.209.172:7030 | — | Amanah Tech Inc. | CA | suspicious |
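The tables above describe a short, fully observable chain: WinRAR extracts a `.com` executable whose version metadata claims to be Apache log4net; that executable copies itself to `%AppData%\App.exe` (same MD5 as the extracted file), drops `C:\Users\admin\RegAsm.vbs`, and runs it through `cscript.exe //B //Nologo`, which in turn writes `RegAsm.Lnk` into the user's Startup folder; it then starts `RegAsm.exe` with no arguments, and that process writes `run.dat` and `tcpmon.exe` into a GUID-named directory under `%AppData%` and connects to 184.75.209.172:7030. A legitimate `RegAsm.exe` always receives an assembly path on its command line and exits after printing usage when given none, so a bare `RegAsm.exe` that writes executables and talks to the network is consistent with the payload running inside it rather than with any registration task. The following script is an added example, not part of the ANY.RUN report: it encodes each of those observations as a detection rule, runs the rules over event records constructed from the report's own process, file and network tables, and adds one cross-event correlation (the same hash written to two paths). The `Event` record layout, the `ARCHIVERS` list and the rule thresholds are the author's assumptions, not fields of any particular telemetry product.

```python
"""Rule-based detection of the chain seen in the report, over constructed events.

Added example (not part of the report). The EVENTS list is constructed from the
report's process tree, file and network tables; the rules are the author's own.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "process", "file" or "network"
    pid: int
    image: str           # image name of the acting process
    parent: str = ""     # parent image name ("process" events)
    cmdline: str = ""    # full command line ("process" events)
    path: str = ""       # path written ("file" events)
    md5: str = ""        # hash of the written file, if known ("file" events)
    dest: str = ""       # "ip:port" ("network" events)


# Constructed from the report's tables; paths and hashes are copied from there.
EVENTS = [
    Event("process", 2948, "WinRAR.exe", parent="explorer.exe",
          cmdline=r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Sales Contract Docs A612-005-20.ace"'),
    Event("file", 2948, "WinRAR.exe",
          path=r"C:\Users\admin\AppData\Local\Temp\Rar$DIa2948.23468\Sales Contract Docs A612-005-20.com",
          md5="9F31F4DEEAB8223DE21F486CDDDCE7BF"),
    Event("process", 3076, "Sales Contract Docs A612-005-20.com", parent="WinRAR.exe",
          cmdline=r'"C:\Users\admin\AppData\Local\Temp\Rar$DIa2948.23468\Sales Contract Docs A612-005-20.com"'),
    Event("file", 3076, "Sales Contract Docs A612-005-20.com",
          path=r"C:\Users\admin\AppData\Roaming\App.exe", md5="9F31F4DEEAB8223DE21F486CDDDCE7BF"),
    Event("file", 3076, "Sales Contract Docs A612-005-20.com",
          path=r"C:\Users\admin\RegAsm.vbs", md5="F23F2782A7872B9ABB716E7994981D77"),
    Event("process", 3236, "cscript.exe", parent="Sales Contract Docs A612-005-20.com",
          cmdline=r'"C:\Windows\System32\cscript.exe" //B //Nologo C:\Users\admin\RegAsm.vbs'),
    Event("file", 3236, "cscript.exe",
          path=r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RegAsm.Lnk",
          md5="4793E993148EE78504E1EEAC78E059FA"),
    Event("process", 3888, "RegAsm.exe", parent="Sales Contract Docs A612-005-20.com",
          cmdline=r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"'),
    Event("file", 3888, "RegAsm.exe",
          path=r"C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat",
          md5="494D92612B95371FAC0C1CCE50E591D8"),
    Event("file", 3888, "RegAsm.exe",
          path=r"C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe",
          md5="278EDBD499374BF73621F8C1F969D894"),
    Event("network", 3888, "RegAsm.exe", dest="184.75.209.172:7030"),
]

ARCHIVERS = {"winrar.exe", "7zfm.exe", "7z.exe", "winzip32.exe"}   # assumption: archivers worth watching
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
GUID_DIR_RE = re.compile(r"\\AppData\\Roaming\\[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\\", re.I)


def split_args(cmdline: str) -> list:
    """Tokenize a Windows command line, keeping double-quoted paths with spaces whole."""
    return re.findall(r'"[^"]*"|\S+', cmdline)


def detect(events: list) -> list:
    """Apply the rules to each event and return (pid, finding) pairs in event order.

    The final self-copy finding carries pid 0 because it correlates several writers.
    """
    findings = []
    written_by_hash = {}          # md5 -> paths it was written to
    for e in events:
        img = e.image.lower()
        if e.kind == "process":
            argv = split_args(e.cmdline)
            lowered = [a.lower() for a in argv]
            if e.parent.lower() in ARCHIVERS and r"\temp\rar$" in e.cmdline.lower():
                findings.append((e.pid, "executable launched straight out of an archiver temp directory"))
            if img in SCRIPT_HOSTS and "//b" in lowered and "\\users\\" in e.cmdline.lower():
                findings.append((e.pid, "script host run in silent batch mode (//B) on a script under \\Users"))
            if img == "regasm.exe" and len(argv) == 1:
                # Real RegAsm.exe use always carries an assembly path; a bare launch only prints usage.
                findings.append((e.pid, "RegAsm.exe started without an assembly argument"))
        elif e.kind == "file":
            if e.md5:
                written_by_hash.setdefault(e.md5.upper(), []).append(e.path)
            if STARTUP_RE.search(e.path):
                findings.append((e.pid, "shortcut dropped into the Startup folder (persistence)"))
            if img == "regasm.exe" and GUID_DIR_RE.search(e.path):
                findings.append((e.pid, "RegAsm.exe writing into a GUID-named directory under Roaming"))
        elif e.kind == "network" and img == "regasm.exe":
            findings.append((e.pid, "RegAsm.exe outbound connection to " + e.dest))
    for md5, paths in written_by_hash.items():
        if len(paths) > 1:
            findings.append((0, "same payload %s written to %d locations (self-copy)" % (md5, len(paths))))
    return findings


if __name__ == "__main__":
    for pid, msg in detect(EVENTS):
        print("[%s] %s" % (pid or "-", msg))
```

Each rule is narrow on purpose: none of them alone would be a high-confidence alert (archivers do launch extracted files, and scripts do run under user profiles), but the chain produces eight hits across four processes, and the `RegAsm.exe` rules in particular have very few benign triggers because that binary has no interactive use without arguments. On real telemetry the same rules would be fed from process-creation, file-creation and network-connection events rather than from the hand-built list.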