File name: aa.exe

Full analysis: https://app.any.run/tasks/b5ee0c9c-c747-49ce-8a9a-9ea2045b3ba2
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan (RAT). The malware is highly customizable through plugins, which let attackers tailor its functionality to their needs. NanoCore is written on the .NET Framework and is available for purchase for just $25 from its “official” website.

Analysis date: September 29, 2024, 17:42:00
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: nanocore
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: FF2A52BB3DC9B6B725E725AB64EE2A4F
SHA1: 78176DE490EF034C8D3E9FD47682C8D1388BE486
SHA256: 3A7B3E8F648EEF95B7EB3A702D6D5E3DC02C3071837FBCD9F10E06881E4B8022
SSDEEP: 6144:6NFfUMuzkIM5aan64Vx7lrulXkiZtYVAoa:6NFaX3P4VRgRkuYVAoa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • NANOCORE has been detected (YARA)
      • aa.exe (PID: 5760)
  • SUSPICIOUS
    • Connects to unusual port
      • aa.exe (PID: 5760)
  • INFO
    • Creates files or folders in the user directory
      • aa.exe (PID: 5760)
    • Process checks whether UAC notifications are on
      • aa.exe (PID: 5760)
    • Checks supported languages
      • aa.exe (PID: 5760)
    • The process uses the downloaded file
      • aa.exe (PID: 5760)
    • Reads the computer name
      • aa.exe (PID: 5760)
    • Reads the machine GUID from the registry
      • aa.exe (PID: 5760)

Nanocore

Process (PID 5760): aa.exe
BuildTime: 2024-09-29 11:25:27.135888
Version: 1.2.2.0
Mutex: 71d32398-48a9-4b06-bdce-e0c1af26ee18
DefaultGroup: Default
PrimaryConnectionHost: 2.tcp.eu.ngrok.io
BackupConnectionHost: /2.tcp.eu.ngrok.io
ConnectionPort: 10394
RunOnStartup: False
RequestElevation: False
BypassUserAccountControl: False
ClearZoneIdentifier: True
ClearAccessControl: False
SetCriticalProcess: False
PreventSystemSleep: True
ActivateAwayMode: False
EnableDebugMode: False
RunDelay: 0
ConnectDelay: 4000
RestartDelay: 5000
TimeoutInterval: 5000
KeepAliveTimeout: 30000
MutexTimeout: 5000
LanTimeout: 2500
WanTimeout: 8000
BufferSize: 65535
MaxPacketSize: 10485760
GCThreshold: 10485760
UseCustomDnsServer: True
PrimaryDnsServer: 8.8.8.8
BackupDnsServer: 8.8.4.4

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:02:22 00:49:37+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 116736
InitializedDataSize: 90112
UninitializedDataSize: -
EntryPoint: 0x1e792
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 119
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> aa.exe (#NANOCORE)

Process information

PID: 5760
CMD: "C:\Users\admin\Desktop\aa.exe"
Path: C:\Users\admin\Desktop\aa.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM

Modules (images loaded):
c:\users\admin\desktop\aa.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events: 457
Read events: 457
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 0
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5760 | aa.exe | C:\Users\admin\AppData\Roaming\BB926E54-E3CA-40FD-AE90-2764341E7792\run.dat | text
MD5: 726374694DFC2B2B5C0D7D917150ECD0
SHA256: C202C0A78D0E70A90C089B66A4B4EB77924779600897AA70CED5F3BDC7CC0EFF
HTTP(S) requests: 2
TCP/UDP connections: 30
DNS requests: 57
Threats: 53

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation (cells empty in the report are omitted from the rows below)
2120 | MoUsoCoreWorker.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6564 | svchost.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation (cells empty in the report are omitted from the rows below)
6564 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | whitelisted
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
(no PID/process recorded) | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
6564 | svchost.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2120 | MoUsoCoreWorker.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2120 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6564 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 20.73.194.208 | whitelisted
google.com | 142.250.184.238 | whitelisted
2.tcp.eu.ngrok.io | 18.157.68.73, 18.156.13.209 | malicious
www.microsoft.com | 23.52.120.96 | whitelisted

Threats

PID | Process | Class | Message
5760 | aa.exe | Misc activity | ET INFO DNS Query to a *.ngrok domain (ngrok.io)
The entry above appears 10 times in the report excerpt: 9 entries are attributed to PID 5760 aa.exe and 1 entry has no PID or process recorded.