analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://onedrive.live.com/download?cid=E5C0B950427FC4A3&resid=E5C0B950427FC4A3%21242&authkey=ACZlRzf_N8LOzl8

Full analysis: https://app.any.run/tasks/39153e3a-7d3d-4d2f-9730-8dc28ca97545
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Malware Trends Tracker     >>>
Analysis date: November 08, 2018, 16:21:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
nanocore
Indicators:
MD5:

B602423E92CA4CFC886CE0DDEBAC52AF

SHA1:

03F68E96ACE2CD793BB0E1F4E6709C8177998229

SHA256:

369AE804735C0F107F1EFEBB693866752862A295B6A8757C77577DDFDE7C2EF0

SSDEEP:

3:N8Ck3CTwKblNQa7XzC/X/7XzCkhDppv/5rAdEL:2CkST/ZCa7XzCH7XzCUpn1A+L

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Revised Quotation8764D.scr (PID: 184)
      • Revised Quotation8764D.scr (PID: 1860)

    • Changes the autorun value in the registry

      • Revised Quotation8764D.scr (PID: 184)
      • Revised Quotation8764D.scr (PID: 1860)

    • NanoCore was detected

      • RegAsm.exe (PID: 1552)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Revised Quotation8764D.scr (PID: 184)
      • WinRAR.exe (PID: 2676)

    • Starts application with an unusual extension

      • WinRAR.exe (PID: 2676)

    • Creates files in the user directory

      • RegAsm.exe (PID: 1552)

    • Connects to unusual port

      • RegAsm.exe (PID: 1552)

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2044)
      • chrome.exe (PID: 3488)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2044)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3360)
      • chrome.exe (PID: 3488)

    • Creates files in the user directory

      • iexplore.exe (PID: 2044)
      • iexplore.exe (PID: 3360)

    • Changes settings of System certificates

      • iexplore.exe (PID: 2044)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3360)

    • Changes internet zones settings

      • iexplore.exe (PID: 2044)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2044)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
71
Monitored processes
37
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start iexplore.exe iexplore.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs winrar.exe revised quotation8764d.scr #NANOCORE regasm.exe revised quotation8764d.scr regasm.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2044"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3360"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2044 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
3221225547
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3488"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
3221225547
Version:
68.0.3440.106
2152"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=68.0.3440.106 --initial-client-data=0x78,0x7c,0x80,0x74,0x84,0x6cd700b0,0x6cd700c0,0x6cd700ccC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
3476"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2072 --on-initialized-event-handle=304 --parent-handle=308 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
2128"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=880,3258717429269868250,4641465333431550347,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=170F836BD4F674AF47C507078905CBA5 --mojo-platform-channel-handle=876 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
3760"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=880,3258717429269868250,4641465333431550347,131072 --enable-features=PasswordImport --service-pipe-token=E82A65140BC55E0179E1128539DDEF3B --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=E82A65140BC55E0179E1128539DDEF3B --renderer-client-id=5 --mojo-platform-channel-handle=1940 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
3604"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=880,3258717429269868250,4641465333431550347,131072 --enable-features=PasswordImport --service-pipe-token=68CCBEDB4EF26FD989E6D4A8D91B9C1C --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=68CCBEDB4EF26FD989E6D4A8D91B9C1C --renderer-client-id=3 --mojo-platform-channel-handle=2144 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
2540"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=880,3258717429269868250,4641465333431550347,131072 --enable-features=PasswordImport --disable-gpu-compositing --service-pipe-token=26140447999CDEA8EFCA0A63D6729885 --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=26140447999CDEA8EFCA0A63D6729885 --renderer-client-id=6 --mojo-platform-channel-handle=3612 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
2648"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=880,3258717429269868250,4641465333431550347,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=7F5D917EC1FB9A23756C91C6C76C8967 --mojo-platform-channel-handle=3888 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
Total events
1 805
Read events
1 644
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
78
Text files
137
Unknown types
14

Dropped files

PID
Process
Filename
Type
2044iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
2044iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3360iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\download[1].txt
MD5:
SHA256:
3360iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@live[2].txt
MD5:
SHA256:
3360iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\PerfMonitor[1].gif
MD5:
SHA256:
3360iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
MD5:
SHA256:
3360iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\download[1].htmhtml
MD5:34BC33B351FE686C79827779B3FB6E71
SHA256:7DBD4051E499813250639CBCB5B76FE9C710F5850C10D87C2B64D54902EED7EF
3360iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@live[1].txttext
MD5:2C96CFE19E7044A1563F25DF5EA6574A
SHA256:B94798666D909DB6109FC91AC42F561A383DF9B31DC37EDF4FAB83BADE64366E
3360iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\jquery-1.7.2-39eeb07e[1].jstext
MD5:39EEB07E6802E2B57F5E10A9AD9BCA24
SHA256:D6C15974B6181A68E9B74E4F38FBAC81D640569EF0FBBAA3381CC59683A9763F
3360iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\maincss-aec76c77[1].csstext
MD5:AEC76C77A59885FCB2D01C043118A65A
SHA256:446332E8C993CA5C57C1EC267B71675C4C9E4F72BA3AE4B4AA0468F4E683A0FA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
68
DNS requests
37
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3360
iexplore.exe
GET
302
52.142.114.176:80
http://g.live.com/9uxp9en-us/ep_bro1
IE
whitelisted
3360
iexplore.exe
GET
301
92.122.197.69:80
http://www.microsoft.com/windows/downloads/ie/getitnow.mspx
DE
html
189 b
whitelisted
2044
iexplore.exe
GET
200
13.107.21.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3360
iexplore.exe
52.142.114.2:443
c.live.com
Microsoft Corporation
IE
whitelisted
3360
iexplore.exe
2.16.186.40:443
spoprod-a.akamaihd.net
Akamai International B.V.
whitelisted
3360
iexplore.exe
131.253.33.217:443
onedrive.live.com
Microsoft Corporation
US
whitelisted
3360
iexplore.exe
52.142.114.176:80
g.live.com
Microsoft Corporation
IE
whitelisted
2044
iexplore.exe
13.107.21.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2044
iexplore.exe
2.19.37.83:443
p.sfx.ms
Akamai International B.V.
whitelisted
3360
iexplore.exe
2.19.37.83:443
p.sfx.ms
Akamai International B.V.
whitelisted
3360
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
3360
iexplore.exe
23.54.113.44:443
support.microsoft.com
Akamai International B.V.
NL
whitelisted
3360
iexplore.exe
92.122.197.69:80
www.microsoft.com
Akamai Technologies, Inc.
DE
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 13.107.21.200
  • 204.79.197.200
whitelisted
onedrive.live.com
  • 131.253.33.217
  • 204.79.197.217
shared
spoprod-a.akamaihd.net
  • 2.16.186.40
  • 2.16.186.25
whitelisted
p.sfx.ms
  • 2.19.37.83
whitelisted
g.live.com
  • 52.142.114.176
whitelisted
c.live.com
  • 52.142.114.2
whitelisted
c.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
www.microsoft.com
  • 92.122.197.69
whitelisted
windows.microsoft.com
  • 184.31.91.153
whitelisted
support.microsoft.com
  • 23.54.113.44
whitelisted

Threats

PID
Process
Class
Message
1552
RegAsm.exe
A Network Trojan was detected
SC BAD_UNKNOWN DYNAMIC_DNS Query to a Suspicious *.ddns.net Domain
1552
RegAsm.exe
A Network Trojan was detected
SC BAD_UNKNOWN DYNAMIC_DNS Query to a Suspicious *.ddns.net Domain
1552
RegAsm.exe
A Network Trojan was detected
SC BAD_UNKNOWN DYNAMIC_DNS Query to a Suspicious *.ddns.net Domain
1552
RegAsm.exe
A Network Trojan was detected
SC BAD_UNKNOWN DYNAMIC_DNS Query to a Suspicious *.ddns.net Domain
1552
RegAsm.exe
A Network Trojan was detected
SC BAD_UNKNOWN DYNAMIC_DNS Query to a Suspicious *.ddns.net Domain
1552
RegAsm.exe
A Network Trojan was detected
SC BAD_UNKNOWN DYNAMIC_DNS Query to a Suspicious *.ddns.net Domain
1552
RegAsm.exe
A Network Trojan was detected
SC BAD_UNKNOWN DYNAMIC_DNS Query to a Suspicious *.ddns.net Domain
1552
RegAsm.exe
A Network Trojan was detected
SC BAD_UNKNOWN DYNAMIC_DNS Query to a Suspicious *.ddns.net Domain
1552
RegAsm.exe
A Network Trojan was detected
SC BAD_UNKNOWN DYNAMIC_DNS Query to a Suspicious *.ddns.net Domain
1552
RegAsm.exe
A Network Trojan was detected
SC BAD_UNKNOWN DYNAMIC_DNS Query to a Suspicious *.ddns.net Domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://onedrive.live.com/download?cid=E5C0B950427FC4A3&resid=E5C0B950427FC4A3%21242&authkey=ACZlRzf_N8LOzl8