analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

wcs.exe

Full analysis: https://app.any.run/tasks/48f5e145-7431-41c5-b3fa-ff06112a743f
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Malware Trends Tracker     >>>
Analysis date: May 21, 2019, 01:34:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
autoit
rat
nanocore
trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
MD5:

8A5FEDB7F04D9DC99765CA5F75E63CE7

SHA1:

C11CAA748C38496BD0FE400EFDEBC14697F6B235

SHA256:

48F1C0F82E6CA1E247D3A279DD3A2731D7B0BB6889F2719AF738106E1E4D6F0B

SSDEEP:

24576:f2O/GlY2uizxxUiz55PC9ikr6YqNwmxhKbH3rUO46GES9:ritxZQikrGwmxUT3iz9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • hwu.exe (PID: 2408)

    • Application was dropped or rewritten from another process

      • hwu.exe (PID: 2408)
      • hwu.exe (PID: 3040)

    • NanoCore was detected

      • RegSvcs.exe (PID: 3596)

    • Connects to CnC server

      • RegSvcs.exe (PID: 3596)

  • SUSPICIOUS

    • Drop AutoIt3 executable file

      • wcs.exe (PID: 3072)

    • Executable content was dropped or overwritten

      • wcs.exe (PID: 3072)

    • Application launched itself

      • hwu.exe (PID: 3040)

    • Creates files in the user directory

      • RegSvcs.exe (PID: 3596)

  • INFO

    • Dropped object may contain Bitcoin addresses

      • hwu.exe (PID: 3040)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (35.8)
.exe | Win64 Executable (generic) (31.7)
.scr | Windows screen saver (15)
.dll | Win32 Dynamic Link Library (generic) (7.5)
.exe | Win32 Executable (generic) (5.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:06:09 15:19:49+02:00
PEType: PE32
LinkerVersion: 9
CodeSize: 74752
InitializedDataSize: 58880
UninitializedDataSize: -
EntryPoint: 0xac87
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 09-Jun-2012 13:19:49
Detected languages:
  • English - United States
  • Process Default Language
Debug artifacts:
  • d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 09-Jun-2012 13:19:49
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0001231E
0x00012400
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.55555
.rdata
0x00014000
0x00001D15
0x00001E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.99401
.data
0x00016000
0x00017724
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.54914
.CRT
0x0002E000
0x00000020
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
0.394141
.rsrc
0x0002F000
0x0000C2C0
0x0000C400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.57442

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.20816
1464
Latin 1 / Western European
English - United States
RT_MANIFEST
7
3.24143
556
Latin 1 / Western European
English - United States
RT_STRING
8
3.26996
974
Latin 1 / Western European
English - United States
RT_STRING
9
3.04375
530
Latin 1 / Western European
English - United States
RT_STRING
10
3.16254
776
Latin 1 / Western European
English - United States
RT_STRING
11
3.06352
380
Latin 1 / Western European
English - United States
RT_STRING
12
2.33959
102
Latin 1 / Western European
English - United States
RT_STRING
100
1.91924
20
Latin 1 / Western European
Process Default Language
RT_GROUP_ICON
101
4.19099
2998
Latin 1 / Western European
English - United States
RT_BITMAP
ASKNEXTVOL
3.42597
646
Latin 1 / Western European
English - United States
RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
KERNEL32.dll
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
ole32.dll
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
4
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start wcs.exe hwu.exe no specs hwu.exe #NANOCORE regsvcs.exe

Process information

PID
CMD
Path
Indicators
Parent process
3072"C:\Users\admin\AppData\Local\Temp\wcs.exe" C:\Users\admin\AppData\Local\Temp\wcs.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3040"C:\Users\admin\AppData\Local\Temp\31060754\hwu.exe" crf=nwv C:\Users\admin\AppData\Local\Temp\31060754\hwu.exewcs.exe
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
AutoIt v3 Script
Exit code:
0
Version:
3, 3, 14, 5
2408C:\Users\admin\AppData\Local\Temp\31060754\hwu.exe C:\Users\admin\AppData\Local\Temp\31060754\TKGJPC:\Users\admin\AppData\Local\Temp\31060754\hwu.exe
hwu.exe
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
AutoIt v3 Script
Exit code:
0
Version:
3, 3, 14, 5
3596"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
hwu.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Services Installation Utility
Version:
4.6.1055.0 built by: NETFXREL2
Total events
396
Read events
390
Write events
6
Delete events
0

Modification events

(PID) Process:(3072) wcs.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(3072) wcs.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2408) hwu.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:winlogon.exe
Value:
C:\Users\admin\AppData\Local\Temp\31060754\hwu.exe C:\Users\admin\AppData\Local\Temp\31060754\CRF_NW~1
Executable files
1
Suspicious files
2
Text files
46
Unknown types
1

Dropped files

PID
Process
Filename
Type
3072wcs.exeC:\Users\admin\AppData\Local\Temp\31060754\vrs.xltext
MD5:7F94F68F514EB5E8DAC4C02622FB4B67
SHA256:1AB3B5AEF37E9D80100984859C65D056DEEAD14B59EC6BB19261F9D1A9B5776B
3072wcs.exeC:\Users\admin\AppData\Local\Temp\31060754\ButtonConstants.jpgtext
MD5:70E265F0DC04FC965708A143CCF8335E
SHA256:EE00AF6BC7A82FC03C364071BB44699A9A4AC084776AF424E86A3BB1BE3A5214
3072wcs.exeC:\Users\admin\AppData\Local\Temp\31060754\tdk.mp4text
MD5:803D611D8DD7CCC9C994D49C04748040
SHA256:68E8E50C466F35A086353854DFC0D5700455CA645EDE876E82340E952AD4B425
3072wcs.exeC:\Users\admin\AppData\Local\Temp\31060754\xfx.dattext
MD5:E3DC0B02360DA4B1F8E8BF8C0A45BA9C
SHA256:BAFB7B648A1AC91A515174183773472100727CD55FFB96F998E47E448EB8BA2A
3072wcs.exeC:\Users\admin\AppData\Local\Temp\31060754\hrg.icotext
MD5:D200FAE2D8241C9B9D09726F353C4F28
SHA256:D4E697969E6C902447A17DD6185C2E3A3EEFBA2AE12DFE512CFC3679802BB81E
3072wcs.exeC:\Users\admin\AppData\Local\Temp\31060754\evm.dattext
MD5:76CE74CADF393548C33976FCB692FD08
SHA256:876353D5DB8E9EFBFCEF21BECCC54EA4BBD3D42314D604ABA3B8DF5187ECB9E1
3072wcs.exeC:\Users\admin\AppData\Local\Temp\31060754\ComboConstants.pdftext
MD5:22341186D3871B975EB6CC5B34AD39DD
SHA256:9ACE36DFF85940BE7BADC07FAF768F9685959EF91925A89663D9C1A759647BEB
3072wcs.exeC:\Users\admin\AppData\Local\Temp\31060754\qfg.docxtext
MD5:B9EBC53B3592D0573A2A61EA5B9DA3E8
SHA256:237ABF2EBCEB71EEBC8721ED96D1A8B2EED7C24A26ECA4628544412A4E6983F1
3072wcs.exeC:\Users\admin\AppData\Local\Temp\31060754\fgv.icmtext
MD5:780F64AAE6D026FC5944704DE9D80F7D
SHA256:8CA0227AC778F7CA7896DCA651051F819D5DB116C30135577A86DBD9808B02EC
3072wcs.exeC:\Users\admin\AppData\Local\Temp\31060754\crf=nwvtext
MD5:9CD7C11433C311817FB347E2D06749E3
SHA256:82BC863C3B2EC2FCE59F825FA06045835B76F93E0AA1E66016DB5DAE5A98753E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
34
DNS requests
20
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3596
RegSvcs.exe
105.112.96.41:58442
bitcoinonemmusdbkup.duckdns.org
NG
unknown
3596
RegSvcs.exe
8.8.8.8:53
Google Inc.
US
whitelisted
3596
RegSvcs.exe
160.202.163.240:58442
bitcoinonemmusdbkup.duckdns.org
Korea Telecom
KR
malicious

DNS requests

Domain
IP
Reputation
bitcoinonemmusdbkup.duckdns.org
  • 105.112.96.41
  • 160.202.163.240
malicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
3596
RegSvcs.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3596
RegSvcs.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3596
RegSvcs.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3596
RegSvcs.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3596
RegSvcs.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3596
RegSvcs.exe
A Network Trojan was detected
ET TROJAN Possible NanoCore C2 64B
3596
RegSvcs.exe
A Network Trojan was detected
MALWARE [PTsecurity] NanoCore.RAT
3596
RegSvcs.exe
A Network Trojan was detected
MALWARE [PTsecurity] NanoCore.RAT
3596
RegSvcs.exe
A Network Trojan was detected
MALWARE [PTsecurity] NanoCore.RAT
3596
RegSvcs.exe
A Network Trojan was detected
ET TROJAN Possible NanoCore C2 64B
50 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
wcs.exe