URL: | https://onedrive.live.com/download?cid=038DADD53A8C2840&resid=38DADD53A8C2840%21109&authkey=AEyqjnWAP_kz2Pg |
Full analysis: | https://app.any.run/tasks/d43451cd-daa0-4d02-8fec-8190e9c5fcac |
Verdict: | Malicious activity |
Threats: | NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website. |
Analysis date: | July 11, 2019, 18:51:41 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 3B8FA398FEEB715B437D6323C4DBE2DF |
SHA1: | E50E32A66D7E20190B8D214B7CC335A43CEB36C5 |
SHA256: | 4D34319F33A242ED40E0A09746C213BCDB584EDC8523F790B209FD4C888B5522 |
SSDEEP: | 3:N8Ck3CTwKbl/SXTV017dyhhzXTVyUM3ApplffXI:2CkST/ZcKS7oUMwp/g |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3068 | "C:\Program Files\Mozilla Firefox\firefox.exe" https://onedrive.live.com/download?cid=038DADD53A8C2840&resid=38DADD53A8C2840%21109&authkey=AEyqjnWAP_kz2Pg | C:\Program Files\Mozilla Firefox\firefox.exe | explorer.exe | |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 67.0.4 | ||||
4052 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3068.0.867173589\1773753951" -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3068 "\\.\pipe\gecko-crash-server-pipe.3068" 1180 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 67.0.4 | ||||
3256 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3068.3.2136856058\1556151817" -childID 1 -isForBrowser -prefsHandle 1644 -prefMapHandle 1628 -prefsLen 1 -prefMapSize 188076 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3068 "\\.\pipe\gecko-crash-server-pipe.3068" 1740 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | |
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 67.0.4 | ||||
3636 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3068.13.2008955315\1443597694" -childID 2 -isForBrowser -prefsHandle 2728 -prefMapHandle 2732 -prefsLen 5842 -prefMapSize 188076 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3068 "\\.\pipe\gecko-crash-server-pipe.3068" 2752 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | |
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 67.0.4 | ||||
4044 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3068.20.1987939786\426965730" -childID 3 -isForBrowser -prefsHandle 3376 -prefMapHandle 3404 -prefsLen 6726 -prefMapSize 188076 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3068 "\\.\pipe\gecko-crash-server-pipe.3068" 3496 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | |
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 67.0.4 | ||||
456 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Purchase Order AB13925.ace" | C:\Program Files\WinRAR\WinRAR.exe | firefox.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3748 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1484 | "C:\Users\admin\Desktop\Purchase Order AB13925.exe" | C:\Users\admin\Desktop\Purchase Order AB13925.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3648 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Purchase Order AB13925.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Version: 2.0.50727.5420 (Win7SP1.050727-5400) | ||||
1736 | "c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe" /shtml "C:\Users\admin\AppData\Local\Temp\nimuzg5m.uwe" | c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe | RegAsm.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual Basic Command Line Compiler Exit code: 0 Version: 8.0.50727.5420 |
(PID) Process: | (3068) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Browser |
Value: 0000000000000000 | |||
(PID) Process: | (3068) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
(PID) Process: | (3068) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
Operation: | write | Name: | SavedLegacySettings |
Value: 4600000077000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000 | |||
(PID) Process: | (3068) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (3068) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 | |||
(PID) Process: | (3068) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ace\OpenWithProgids |
Operation: | write | Name: | WinRAR |
Value: | |||
(PID) Process: | (456) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (456) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (456) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (456) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\Purchase Order AB13925.ace |
PID | Process | Filename | Type | |
---|---|---|---|---|
3068 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin | — | |
MD5:— | SHA256:— | |||
3068 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm | — | |
MD5:— | SHA256:— | |||
3068 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js | — | |
MD5:— | SHA256:— | |||
3068 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\pluginreg.dat.tmp | — | |
MD5:— | SHA256:— | |||
3068 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp | — | |
MD5:— | SHA256:— | |||
3068 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm | — | |
MD5:— | SHA256:— | |||
3068 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4.tmp | — | |
MD5:— | SHA256:— | |||
3068 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm | — | |
MD5:— | SHA256:— | |||
3068 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cert9.db-journal | — | |
MD5:— | SHA256:— | |||
3068 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-child-current.bin | binary | |
MD5:6A1EF5C5AE2F682A0606848FA329072B | SHA256:29312A09916820DEC3EEE29B40C503FEE9569204E291320BD9C908B3386B1896 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3068 | firefox.exe | POST | 200 | 172.217.16.163:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 471 b | whitelisted |
3068 | firefox.exe | GET | 200 | 2.16.106.209:80 | http://detectportal.firefox.com/success.txt | unknown | text | 8 b | whitelisted |
3068 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3068 | firefox.exe | POST | 200 | 172.217.16.163:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 471 b | whitelisted |
3068 | firefox.exe | GET | 200 | 2.16.106.209:80 | http://detectportal.firefox.com/success.txt | unknown | text | 8 b | whitelisted |
3068 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3068 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3068 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3068 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3068 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3068 | firefox.exe | 2.16.106.209:80 | detectportal.firefox.com | Akamai International B.V. | — | whitelisted |
3068 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3068 | firefox.exe | 52.18.148.152:443 | location.services.mozilla.com | Amazon.com, Inc. | IE | unknown |
3068 | firefox.exe | 13.107.42.13:443 | onedrive.live.com | Microsoft Corporation | US | malicious |
3068 | firefox.exe | 35.164.35.9:443 | push.services.mozilla.com | Amazon.com, Inc. | US | unknown |
3068 | firefox.exe | 34.210.151.118:443 | tiles.services.mozilla.com | Amazon.com, Inc. | US | unknown |
3068 | firefox.exe | 13.225.39.58:443 | snippets.cdn.mozilla.net | — | US | unknown |
3068 | firefox.exe | 13.107.42.12:443 | t8bnsw.bn.files.1drv.com | Microsoft Corporation | US | suspicious |
3068 | firefox.exe | 172.217.16.138:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted |
3068 | firefox.exe | 52.39.125.163:443 | shavar.services.mozilla.com | Amazon.com, Inc. | US | unknown |
Domain | IP | Reputation |
---|---|---|
detectportal.firefox.com |
| whitelisted |
a1089.dscd.akamai.net |
| whitelisted |
location.services.mozilla.com |
| whitelisted |
locprod1-elb-eu-west-1.prod.mozaws.net |
| whitelisted |
onedrive.live.com |
| shared |
l-0004.l-msedge.net |
| whitelisted |
push.services.mozilla.com |
| whitelisted |
autopush.prod.mozaws.net |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
cs9.wac.phicdn.net |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3648 | RegAsm.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 60B |
3648 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
3648 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
3648 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
3648 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
3648 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
3648 | RegAsm.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 60B |
3648 | RegAsm.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 60B |
3648 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
3648 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |