analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

NanoCore 1.2.2.0 (1).zip

Full analysis: https://app.any.run/tasks/01976d4e-59aa-40c1-aef2-4e666ba8ada8
Verdict: Malicious activity
Analysis date: November 08, 2018, 18:05:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

447BDB4513F3227FF375A7F90111B3F7

SHA1:

269A664F7A0155BB7116BB7DE10D94CD972CC71F

SHA256:

2E29028768904CFCA3EF980998232005E55A064D5156FF82846DD94F86C0800D

SSDEEP:

98304:zr8SNLi4OeqDkBWcmg6OItz1R5dXWr+yl5jvj6Z61UBCFCH/IxCFJDCn03VgkdP7:zJXnIcB6D1JWiyf65B2hkrDK03VlDROg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • NanoCore.exe (PID: 1348)
      • PluginCompiler.exe (PID: 3496)
      • NanoCore.exe (PID: 3700)
    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 716)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3608)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: NanoCore 1.2.2.0/
ZipUncompressedSize: -
ZipCompressedSize: -
ZipCRC: 0x00000000
ZipModifyDate: 2018:01:21 14:29:24
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
5
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe nanocore.exe no specs nanocore.exe no specs plugincompiler.exe no specs searchprotocolhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3608"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\NanoCore 1.2.2.0 (1).zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3700"C:\Users\admin\Desktop\NanoCore 1.2.2.0\NanoCore.exe" C:\Users\admin\Desktop\NanoCore 1.2.2.0\NanoCore.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
NanoCore
Exit code:
3221225595
Version:
1.2.2.0
1348"C:\Users\admin\Desktop\NanoCore 1.2.2.0\NanoCore.exe" C:\Users\admin\Desktop\NanoCore 1.2.2.0\NanoCore.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
NanoCore
Exit code:
3221225595
Version:
1.2.2.0
3496"C:\Users\admin\Desktop\NanoCore 1.2.2.0\PluginCompiler.exe" C:\Users\admin\Desktop\NanoCore 1.2.2.0\PluginCompiler.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
3221225595
Version:
1.2.0.0
716"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe14_ Global\UsGthrCtrlFltPipeMssGthrPipe14 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
Total events
772
Read events
760
Write events
12
Delete events
0

Modification events

(PID) Process:(3608) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3608) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3608) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3608) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\NanoCore 1.2.2.0 (1).zip
(PID) Process:(3608) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3608) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3608) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3608) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(716) SearchProtocolHost.exeKey:HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\5F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(716) SearchProtocolHost.exeKey:HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\5F\52C64B7E
Operation:writeName:@C:\Windows\System32\msxml3r.dll,-1
Value:
XML Document
Executable files
4
Suspicious files
19
Text files
309
Unknown types
6

Dropped files

PID
Process
Filename
Type
3608WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3608.38982\NanoCore 1.2.2.0\Databases\main.sqlitesqlite
MD5:D763BE72920115E752DC949F9559F1CB
SHA256:95F96791FDC34F00512DB9A1088170C5843939FB283566FEEF98DC93C09B3447
3608WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3608.38982\NanoCore 1.2.2.0\client.binexecutable
MD5:906A949E34472F99BA683EFF21907231
SHA256:9D3EA5AF7DC261BF93C76F55D702A315AA22FB241E4207DC86CD834C262245C8
3608WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3608.38982\NanoCore 1.2.2.0\NanoCore.exeexecutable
MD5:A9FCDB1DF9F40107C98218F3C12528F9
SHA256:A62CE60523E61AD01518C278BCD5A3BD386AECD64A31387F4A41A5A5BCBAA108
3608WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3608.38982\NanoCore 1.2.2.0\builder.logtext
MD5:7C1DFDE6434A38A2DD0F4794B4A51175
SHA256:96EF7F03E4AB6B860C9DA6E8D1817D9DAD6AAFBB93869B1619920FF63D3B8724
3608WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3608.38982\NanoCore 1.2.2.0\Plugins\MultiCore.ncpbinary
MD5:BECB82E1E914E906BE158E3F9DD658AC
SHA256:5494ADF651FC64E3AA6C08E38165D8DBFEC52056CDF4FADAE90B76B0E6816A33
3608WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3608.38982\NanoCore 1.2.2.0\PluginCompiler.exeexecutable
MD5:D2CFF08AFD4FC84614B7038FD966C77B
SHA256:4EBDB8D71B9610452B0B6E47A328E4789D578051B934C8313AF14A84A76998B0
3608WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3608.38982\NanoCore 1.2.2.0\plugins.binbinary
MD5:5E709FC806E8BA3385487699004F6D29
SHA256:9ECBF989DEDF1403DB953FB4E5955C9F63415CBE1F6492C3246BAC405A4D036F
3608WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3608.38982\NanoCore 1.2.2.0\Plugins\NanoBrowser.ncpbinary
MD5:8B13FDC96AF0A84C152F5A601DCC6B06
SHA256:997C41B05150480BCFAE9ABB3132FC807F6C6B511B810B554FDB5AEDF89F5DB0
3608WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3608.38982\NanoCore 1.2.2.0\Databases\network.sqlitesqlite
MD5:856342A3A887715F53CD7277A2B220AF
SHA256:DE1CC5F927BDC0ACE22CF11BEBE0B83977B16338A97724E2489302A0FCDA0173
3608WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3608.38982\NanoCore 1.2.2.0\ClientPlugin.xmlxml
MD5:5D0381A56563B1CA8928E3CF087F1625
SHA256:0497B92461C2A9CE3101D9397FB3079F60979164336A16653D282273D3085BCC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info