File name: efsui.exe

Full analysis: https://app.any.run/tasks/87dcec22-bf4a-4521-9bf7-bb1e75e72716
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan (RAT). The malware is highly customizable through plugins that let attackers tailor its functionality to their needs. NanoCore is written on the .NET Framework and is sold for just $25 from its “official” website.

Analysis date: May 29, 2023, 19:02:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: nanocore, rat
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: BFED121961257C6BC74015682A282572
SHA1: A6FAB6100AB474A89765FCE36EA351A6F368598C
SHA256: 34CCF9C70F06B37E7FDCCAA2D82815043E98298D22AC91758E929E0AB7F76F1F
SSDEEP: 6144:ULV6Bta6dtJmakIM5MLTS/szPqJ6T8oXb4:ULV6BtpmkbY6hb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • NANOCORE was detected
      • efsui.exe (PID: 2028)
    • NANOCORE detected by memory dumps
      • efsui.exe (PID: 2028)
    • Connects to the CnC server
      • efsui.exe (PID: 2028)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • efsui.exe (PID: 2028)
    • Connects to unusual port
      • efsui.exe (PID: 2028)
  • INFO
    • Checks supported languages
      • efsui.exe (PID: 2028)
      • wmpnscfg.exe (PID: 3660)
    • Reads the machine GUID from the registry
      • efsui.exe (PID: 2028)
      • wmpnscfg.exe (PID: 3660)
    • Creates files or folders in the user directory
      • efsui.exe (PID: 2028)
    • Reads the computer name
      • efsui.exe (PID: 2028)
      • wmpnscfg.exe (PID: 3660)
    • The process checks LSA protection
      • efsui.exe (PID: 2028)
      • wmpnscfg.exe (PID: 3660)
    • Reads environment values
      • efsui.exe (PID: 2028)
    • Manual execution by a user
      • wmpnscfg.exe (PID: 3660)
    • Reads product name
      • efsui.exe (PID: 2028)
    • Process checks whether UAC notifications are on
      • efsui.exe (PID: 2028)

Nanocore

(PID) Process: (2028) efsui.exe
KeyboardLogging: True
BuildTime: 2023-02-13 20:33:55.384360
Version: 1.2.2.0
Mutex: 0a7e61ea-8cf5-4692-a8b9-0316e01e3a47
DefaultGroup: default
PrimaryConnectionHost: messi.dns.army
BackupConnectionHost: nserv.anondns.net
ConnectionPort: 13838
RunOnStartup: True
RequestElevation: False
BypassUserAccountControl: False
ClearZoneIdentifier: True
ClearAccessControl: False
SetCriticalProcess: False
PreventSystemSleep: True
ActivateAwayMode: False
EnableDebugMode: False
RunDelay: 0
ConnectDelay: 4000
RestartDelay: 5000
TimeoutInterval: 5000
KeepAliveTimeout: 30000
MutexTimeout: 5000
LanTimeout: 2500
WanTimeout: 8000
BufferSize: 65535
MaxPacketSize: 10485760
GCThreshold: 10485760
UseCustomDnsServer: True
PrimaryDnsServer: 8.8.8.8
BackupDnsServer: 8.8.4.4

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

ProductVersion: 10.0.19041.1
ProductName: Microsoft® Windows® Operating System
OriginalFileName: efsui.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
InternalName: efsui
FileVersion: 10.0.19041.1 (WinBuild.160101.0800)
FileDescription: EFS UI Application
CompanyName: Microsoft Corporation
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 10.0.19041.1
FileVersionNumber: 10.0.19041.1
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x1e792
UninitializedDataSize: -
InitializedDataSize: 98304
CodeSize: 116736
LinkerVersion: 6
PEType: PE32
ImageFileCharacteristics: Executable, No line numbers, No symbols, 32-bit
TimeStamp: 2015:02:22 00:49:37+00:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 22-Feb-2015 00:49:37
Detected languages:
  • English - United States
CompanyName: Microsoft Corporation
FileDescription: EFS UI Application
FileVersion: 10.0.19041.1 (WinBuild.160101.0800)
InternalName: efsui
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFilename: efsui.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.19041.1

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 22-Feb-2015 00:49:37
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00002000 | 0x0001C798 | 0x0001C800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.5981
.reloc | 0x00020000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191
.rsrc | 0x00022000 | 0x00017C14 | 0x00017E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.98391

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 3.45822 | 884 | UNKNOWN | English - United States | RT_VERSION

Imports

mscoree.dll
No data.
Total processes: 37
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

(Graph image not included.) Nodes: start, efsui.exe (#NANOCORE), wmpnscfg.exe (no specs)

Process information

PID: 2028
CMD: "C:\Users\admin\AppData\Local\Temp\efsui.exe"
Path: C:\Users\admin\AppData\Local\Temp\efsui.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: EFS UI Application
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\users\admin\appdata\local\temp\efsui.exe
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Nanocore configuration: identical to the Nanocore section above.
PID: 3660
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\program files\windows media player\wmpnscfg.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll

Total events: 472
Read events: 469
Write events: 0
Delete events: 3

Modification events

(PID) Process: (3660) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{12C46E68-54D8-40BE-830E-B55CCA259C05}\{08BCD96E-5D75-46AA-B807-A33D6CCC8AD5}
Operation: delete key
Name: (default)
Value: (empty)

(PID) Process: (3660) wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{12C46E68-54D8-40BE-830E-B55CCA259C05}
Operation: delete key
Name: (default)
Value: (empty)

(PID) Process: (3660) wmpnscfg.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{F9ED40FB-C3DB-42B3-9C74-71A29C5A1405}
Operation: delete key
Name: (default)
Value: (empty)

Executable files: 1
Suspicious files: 3
Text files: 1
Unknown types: 0

Dropped files

  • C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\catalog.dat (PID 2028, efsui.exe, binary)
    MD5: E84114A8A37465B42E6B039C210FF161
    SHA256: CE6648E2E9A999305F7C1CB0AD92C41A9510DB1E64EA36389BFBED1E3DD0E971
  • C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat (PID 2028, efsui.exe, text)
    MD5: 329512DBFB2F943B9CCFDB8D5C85F006
    SHA256: DF894B498869535042B308DDF017379DEAF81561FE15951F28004BE964C4F335
  • C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\settings.bin (PID 2028, efsui.exe, binary)
    MD5: 4E5E92E2369688041CC82EF9650EDED2
    SHA256: F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
  • C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe (PID 2028, efsui.exe, executable; the MD5 and SHA256 match the analyzed sample, i.e. the RAT copied itself to this path)
    MD5: BFED121961257C6BC74015682A282572
    SHA256: 34CCF9C70F06B37E7FDCCAA2D82815043E98298D22AC91758E929E0AB7F76F1F
  • C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\storage.dat (PID 2028, efsui.exe, binary)
    MD5: 4D8AF7EC17CA5B66A617E00BB0C80481
    SHA256: 4251EF3033BB49F05311505FF955ED0989BA17C04F93B4DE47428A59FDFD33CB

HTTP(S) requests: 0
TCP/UDP connections: 8
DNS requests: 5
Threats: 14

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 239.255.255.250:1900 | - | - | - | whitelisted
1076 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
2028 | efsui.exe | 134.19.179.211:13838 | nserv.anondns.net | Global Layer B.V. | NL | malicious
2028 | efsui.exe | 185.156.175.43:13838 | messi.dns.army | M247 Ltd | CH | malicious

DNS requests

Domain | IP | Reputation
messi.dns.army | 185.156.175.43 | malicious
nserv.anondns.net | 134.19.179.211 | malicious

Threats

PID | Process | Class | Message
2028 | efsui.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS Query to a *.dns .army Domain (4 alerts)
2028 | efsui.exe | Malware Command and Control Activity Detected | ET MALWARE Possible NanoCore C2 60B

9 additional ETPRO signatures are listed in the full report.
No debug info