URL: | https://onedrive.live.com/download?cid=E5C0B950427FC4A3&resid=E5C0B950427FC4A3%21242&authkey=ACZlRzf_N8LOzl8 |
Full analysis: | https://app.any.run/tasks/39153e3a-7d3d-4d2f-9730-8dc28ca97545 |
Verdict: | Malicious activity |
Threats: | NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website. |
Analysis date: | November 08, 2018, 16:21:35 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | B602423E92CA4CFC886CE0DDEBAC52AF |
SHA1: | 03F68E96ACE2CD793BB0E1F4E6709C8177998229 |
SHA256: | 369AE804735C0F107F1EFEBB693866752862A295B6A8757C77577DDFDE7C2EF0 |
SSDEEP: | 3:N8Ck3CTwKblNQa7XzC/X/7XzCkhDppv/5rAdEL:2CkST/ZCa7XzCH7XzCUpn1A+L |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2044 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3360 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2044 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 3221225547 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3488 | "C:\Program Files\Google\Chrome\Application\chrome.exe" | C:\Program Files\Google\Chrome\Application\chrome.exe | explorer.exe | |
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Exit code: 3221225547 Version: 68.0.3440.106 | ||||
2152 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=68.0.3440.106 --initial-client-data=0x78,0x7c,0x80,0x74,0x84,0x6cd700b0,0x6cd700c0,0x6cd700cc | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 68.0.3440.106 | ||||
3476 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2072 --on-initialized-event-handle=304 --parent-handle=308 /prefetch:6 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 68.0.3440.106 | ||||
2128 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=880,3258717429269868250,4641465333431550347,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=170F836BD4F674AF47C507078905CBA5 --mojo-platform-channel-handle=876 --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 68.0.3440.106 | ||||
3760 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=880,3258717429269868250,4641465333431550347,131072 --enable-features=PasswordImport --service-pipe-token=E82A65140BC55E0179E1128539DDEF3B --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=E82A65140BC55E0179E1128539DDEF3B --renderer-client-id=5 --mojo-platform-channel-handle=1940 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 68.0.3440.106 | ||||
3604 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=880,3258717429269868250,4641465333431550347,131072 --enable-features=PasswordImport --service-pipe-token=68CCBEDB4EF26FD989E6D4A8D91B9C1C --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=68CCBEDB4EF26FD989E6D4A8D91B9C1C --renderer-client-id=3 --mojo-platform-channel-handle=2144 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 68.0.3440.106 | ||||
2540 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=880,3258717429269868250,4641465333431550347,131072 --enable-features=PasswordImport --disable-gpu-compositing --service-pipe-token=26140447999CDEA8EFCA0A63D6729885 --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=26140447999CDEA8EFCA0A63D6729885 --renderer-client-id=6 --mojo-platform-channel-handle=3612 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 68.0.3440.106 | ||||
2648 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=880,3258717429269868250,4641465333431550347,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=7F5D917EC1FB9A23756C91C6C76C8967 --mojo-platform-channel-handle=3888 --ignored=" --type=renderer " /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 68.0.3440.106 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2044 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
2044 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
3360 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\download[1].txt | — | |
MD5:— | SHA256:— | |||
3360 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@live[2].txt | — | |
MD5:— | SHA256:— | |||
3360 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\PerfMonitor[1].gif | — | |
MD5:— | SHA256:— | |||
3360 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt | — | |
MD5:— | SHA256:— | |||
3360 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\download[1].htm | html | |
MD5:34BC33B351FE686C79827779B3FB6E71 | SHA256:7DBD4051E499813250639CBCB5B76FE9C710F5850C10D87C2B64D54902EED7EF | |||
3360 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@live[1].txt | text | |
MD5:2C96CFE19E7044A1563F25DF5EA6574A | SHA256:B94798666D909DB6109FC91AC42F561A383DF9B31DC37EDF4FAB83BADE64366E | |||
3360 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\jquery-1.7.2-39eeb07e[1].js | text | |
MD5:39EEB07E6802E2B57F5E10A9AD9BCA24 | SHA256:D6C15974B6181A68E9B74E4F38FBAC81D640569EF0FBBAA3381CC59683A9763F | |||
3360 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\maincss-aec76c77[1].css | text | |
MD5:AEC76C77A59885FCB2D01C043118A65A | SHA256:446332E8C993CA5C57C1EC267B71675C4C9E4F72BA3AE4B4AA0468F4E683A0FA |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3360 | iexplore.exe | GET | 302 | 52.142.114.176:80 | http://g.live.com/9uxp9en-us/ep_bro1 | IE | — | — | whitelisted |
3360 | iexplore.exe | GET | 301 | 92.122.197.69:80 | http://www.microsoft.com/windows/downloads/ie/getitnow.mspx | DE | html | 189 b | whitelisted |
2044 | iexplore.exe | GET | 200 | 13.107.21.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3360 | iexplore.exe | 52.142.114.2:443 | c.live.com | Microsoft Corporation | IE | whitelisted |
3360 | iexplore.exe | 2.16.186.40:443 | spoprod-a.akamaihd.net | Akamai International B.V. | — | whitelisted |
3360 | iexplore.exe | 131.253.33.217:443 | onedrive.live.com | Microsoft Corporation | US | whitelisted |
3360 | iexplore.exe | 52.142.114.176:80 | g.live.com | Microsoft Corporation | IE | whitelisted |
2044 | iexplore.exe | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2044 | iexplore.exe | 2.19.37.83:443 | p.sfx.ms | Akamai International B.V. | — | whitelisted |
3360 | iexplore.exe | 2.19.37.83:443 | p.sfx.ms | Akamai International B.V. | — | whitelisted |
3360 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
3360 | iexplore.exe | 23.54.113.44:443 | support.microsoft.com | Akamai International B.V. | NL | whitelisted |
3360 | iexplore.exe | 92.122.197.69:80 | www.microsoft.com | Akamai Technologies, Inc. | DE | whitelisted |
Domain | IP | Reputation |
---|---|---|
www.bing.com |
| whitelisted |
onedrive.live.com |
| shared |
spoprod-a.akamaihd.net |
| whitelisted |
p.sfx.ms |
| whitelisted |
g.live.com |
| whitelisted |
c.live.com |
| whitelisted |
c.bing.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
windows.microsoft.com |
| whitelisted |
support.microsoft.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
1552 | RegAsm.exe | A Network Trojan was detected | SC BAD_UNKNOWN DYNAMIC_DNS Query to a Suspicious *.ddns.net Domain |
1552 | RegAsm.exe | A Network Trojan was detected | SC BAD_UNKNOWN DYNAMIC_DNS Query to a Suspicious *.ddns.net Domain |
1552 | RegAsm.exe | A Network Trojan was detected | SC BAD_UNKNOWN DYNAMIC_DNS Query to a Suspicious *.ddns.net Domain |
1552 | RegAsm.exe | A Network Trojan was detected | SC BAD_UNKNOWN DYNAMIC_DNS Query to a Suspicious *.ddns.net Domain |
1552 | RegAsm.exe | A Network Trojan was detected | SC BAD_UNKNOWN DYNAMIC_DNS Query to a Suspicious *.ddns.net Domain |
1552 | RegAsm.exe | A Network Trojan was detected | SC BAD_UNKNOWN DYNAMIC_DNS Query to a Suspicious *.ddns.net Domain |
1552 | RegAsm.exe | A Network Trojan was detected | SC BAD_UNKNOWN DYNAMIC_DNS Query to a Suspicious *.ddns.net Domain |
1552 | RegAsm.exe | A Network Trojan was detected | SC BAD_UNKNOWN DYNAMIC_DNS Query to a Suspicious *.ddns.net Domain |
1552 | RegAsm.exe | A Network Trojan was detected | SC BAD_UNKNOWN DYNAMIC_DNS Query to a Suspicious *.ddns.net Domain |
1552 | RegAsm.exe | A Network Trojan was detected | SC BAD_UNKNOWN DYNAMIC_DNS Query to a Suspicious *.ddns.net Domain |