URL:

https://onedrive.live.com/download?cid=E5C0B950427FC4A3&resid=E5C0B950427FC4A3%21242&authkey=ACZlRzf_N8LOzl8

Full analysis: https://app.any.run/tasks/39153e3a-7d3d-4d2f-9730-8dc28ca97545
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Malware Trends Tracker     >>>
Analysis date: November 08, 2018, 16:21:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
nanocore
Indicators:
MD5:

B602423E92CA4CFC886CE0DDEBAC52AF

SHA1:

03F68E96ACE2CD793BB0E1F4E6709C8177998229

SHA256:

369AE804735C0F107F1EFEBB693866752862A295B6A8757C77577DDFDE7C2EF0

SSDEEP:

3:N8Ck3CTwKblNQa7XzC/X/7XzCkhDppv/5rAdEL:2CkST/ZCa7XzCH7XzCUpn1A+L

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Revised Quotation8764D.scr (PID: 1860)
      • Revised Quotation8764D.scr (PID: 184)

    • Changes the autorun value in the registry

      • Revised Quotation8764D.scr (PID: 184)
      • Revised Quotation8764D.scr (PID: 1860)

    • NanoCore was detected

      • RegAsm.exe (PID: 1552)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2676)
      • Revised Quotation8764D.scr (PID: 184)

    • Starts application with an unusual extension

      • WinRAR.exe (PID: 2676)

    • Creates files in the user directory

      • RegAsm.exe (PID: 1552)

    • Connects to unusual port

      • RegAsm.exe (PID: 1552)

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2044)
      • chrome.exe (PID: 3488)

    • Changes settings of System certificates

      • iexplore.exe (PID: 2044)

    • Reads Internet Cache Settings

      • chrome.exe (PID: 3488)
      • iexplore.exe (PID: 3360)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2044)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2044)

    • Creates files in the user directory

      • iexplore.exe (PID: 2044)
      • iexplore.exe (PID: 3360)

    • Changes internet zones settings

      • iexplore.exe (PID: 2044)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3360)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
71
Monitored processes
37
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start iexplore.exe iexplore.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs winrar.exe revised quotation8764d.scr #NANOCORE regasm.exe revised quotation8764d.scr regasm.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
116"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRevised Quotation8764D.scr
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
0
Version:
4.6.1055.0 built by: NETFXREL2
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
184"C:\Users\admin\AppData\Local\Temp\Rar$DIa2676.25978\Revised Quotation8764D.scr" /SC:\Users\admin\AppData\Local\Temp\Rar$DIa2676.25978\Revised Quotation8764D.scr
WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Exit code:
0
Version:
0.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\rar$dia2676.25978\revised quotation8764d.scr
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
316"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=880,3258717429269868250,4641465333431550347,131072 --enable-features=PasswordImport --lang=en-US --no-sandbox --service-request-channel-token=C2D7559977756DAE11108F30E2C71E37 --mojo-platform-channel-handle=3928 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
328"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRevised Quotation8764D.scr
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
0
Version:
4.6.1055.0 built by: NETFXREL2
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
776"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRevised Quotation8764D.scr
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
4294967295
Version:
4.6.1055.0 built by: NETFXREL2
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\systemroot\system32\ntdll.dll
920"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRevised Quotation8764D.scr
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
4294967295
Version:
4.6.1055.0 built by: NETFXREL2
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\systemroot\system32\ntdll.dll
1184"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=880,3258717429269868250,4641465333431550347,131072 --enable-features=PasswordImport --disable-gpu-sandbox --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=5BF16723DD42F37049EAC363C9FEAA5D --mojo-platform-channel-handle=3972 /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\68.0.3440.106\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
1412"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRevised Quotation8764D.scr
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
0
Version:
4.6.1055.0 built by: NETFXREL2
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
1552"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Revised Quotation8764D.scr
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
0
Version:
4.6.1055.0 built by: NETFXREL2
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
1704"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRevised Quotation8764D.scr
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
4294967295
Version:
4.6.1055.0 built by: NETFXREL2
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\systemroot\system32\ntdll.dll
Total events
1 805
Read events
1 644
Write events
156
Delete events
5

Modification events

(PID) Process:(2044) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(2044) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2044) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2044) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:writeName:SecuritySafe
Value:
1
(PID) Process:(2044) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(2044) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(2044) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation:writeName:{685D1DF3-E372-11E8-BFAB-5254004AAD11}
Value:
0
(PID) Process:(2044) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Type
Value:
4
(PID) Process:(2044) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Count
Value:
3
(PID) Process:(2044) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Time
Value:
E2070B0004000800100015003800EE01
Executable files
3
Suspicious files
78
Text files
137
Unknown types
14

Dropped files

PID
Process
Filename
Type
2044iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
2044iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3360iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\download[1].txt
MD5:
SHA256:
3360iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@live[2].txt
MD5:
SHA256:
3360iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\PerfMonitor[1].gif
MD5:
SHA256:
3360iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@c.bing[2].txt
MD5:
SHA256:
3360iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@live[1].txttext
MD5:
SHA256:
3360iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\maincss-aec76c77[1].csstext
MD5:
SHA256:
3360iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\download[1].htmhtml
MD5:
SHA256:
3360iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\legacy_s_legacy-0f159289[1].jstext
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
68
DNS requests
37
Threats
12

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3360
iexplore.exe
GET
302
52.142.114.176:80
http://g.live.com/9uxp9en-us/ep_bro1
IE
whitelisted
3360
iexplore.exe
GET
301
92.122.197.69:80
http://www.microsoft.com/windows/downloads/ie/getitnow.mspx
DE
html
189 b
whitelisted
2044
iexplore.exe
GET
200
13.107.21.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2044
iexplore.exe
13.107.21.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3360
iexplore.exe
131.253.33.217:443
onedrive.live.com
Microsoft Corporation
US
whitelisted
3360
iexplore.exe
2.16.186.40:443
spoprod-a.akamaihd.net
Akamai International B.V.
whitelisted
3360
iexplore.exe
2.19.37.83:443
p.sfx.ms
Akamai International B.V.
whitelisted
2044
iexplore.exe
2.19.37.83:443
p.sfx.ms
Akamai International B.V.
whitelisted
3360
iexplore.exe
52.142.114.176:80
g.live.com
Microsoft Corporation
IE
whitelisted
3360
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
3360
iexplore.exe
52.142.114.2:443
c.live.com
Microsoft Corporation
IE
whitelisted
3360
iexplore.exe
92.122.197.69:80
www.microsoft.com
Akamai Technologies, Inc.
DE
whitelisted
3360
iexplore.exe
184.31.91.153:443
windows.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 13.107.21.200
  • 204.79.197.200
whitelisted
onedrive.live.com
  • 131.253.33.217
  • 204.79.197.217
shared
spoprod-a.akamaihd.net
  • 2.16.186.40
  • 2.16.186.25
whitelisted
p.sfx.ms
  • 2.19.37.83
whitelisted
g.live.com
  • 52.142.114.176
whitelisted
c.live.com
  • 52.142.114.2
whitelisted
c.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
www.microsoft.com
  • 92.122.197.69
whitelisted
windows.microsoft.com
  • 184.31.91.153
whitelisted
support.microsoft.com
  • 23.54.113.44
malicious

Threats

PID
Process
Class
Message
1552
RegAsm.exe
A Network Trojan was detected
SC BAD_UNKNOWN DYNAMIC_DNS Query to a Suspicious *.ddns.net Domain
1552
RegAsm.exe
A Network Trojan was detected
SC BAD_UNKNOWN DYNAMIC_DNS Query to a Suspicious *.ddns.net Domain
1552
RegAsm.exe
A Network Trojan was detected
SC BAD_UNKNOWN DYNAMIC_DNS Query to a Suspicious *.ddns.net Domain
1552
RegAsm.exe
A Network Trojan was detected
SC BAD_UNKNOWN DYNAMIC_DNS Query to a Suspicious *.ddns.net Domain
1552
RegAsm.exe
A Network Trojan was detected
SC BAD_UNKNOWN DYNAMIC_DNS Query to a Suspicious *.ddns.net Domain
1552
RegAsm.exe
A Network Trojan was detected
SC BAD_UNKNOWN DYNAMIC_DNS Query to a Suspicious *.ddns.net Domain
1552
RegAsm.exe
A Network Trojan was detected
SC BAD_UNKNOWN DYNAMIC_DNS Query to a Suspicious *.ddns.net Domain
1552
RegAsm.exe
A Network Trojan was detected
SC BAD_UNKNOWN DYNAMIC_DNS Query to a Suspicious *.ddns.net Domain
1552
RegAsm.exe
A Network Trojan was detected
SC BAD_UNKNOWN DYNAMIC_DNS Query to a Suspicious *.ddns.net Domain
1552
RegAsm.exe
A Network Trojan was detected
SC BAD_UNKNOWN DYNAMIC_DNS Query to a Suspicious *.ddns.net Domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://onedrive.live.com/download?cid=E5C0B950427FC4A3&resid=E5C0B950427FC4A3%21242&authkey=ACZlRzf_N8LOzl8