analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

RE_ENQUIRY.bz

Full analysis: https://app.any.run/tasks/42b6159a-82ca-4b17-9743-60b656c72989
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Analysis date: May 15, 2019, 10:09:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
nanocore
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

E407D02CBA11E8743F817E7DE0606939

SHA1:

CBE773C4BD549CC430216D5385C7B8239E548E00

SHA256:

53143915D04FE5B3B16F904899AA254EAEB63FBEB1E2AE17704D2E1A885338C4

SSDEEP:

6144:AyC+ek8/Pv4BOSgloqOe36WY0BLfn/JhQL:Ay1ekgyOKqVKXWfn/J0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 2bbb.exe (PID: 3240)
      • svhost.exe (PID: 3052)
    • Runs app for hidden code execution

      • 2bbb.exe (PID: 3240)
    • NanoCore was detected

      • svhost.exe (PID: 3052)
    • Changes the autorun value in the registry

      • svhost.exe (PID: 3052)
      • reg.exe (PID: 2264)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2820)
      • cmd.exe (PID: 292)
      • svhost.exe (PID: 3052)
      • 2bbb.exe (PID: 3240)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 292)
    • Starts CMD.EXE for commands execution

      • 2bbb.exe (PID: 3240)
    • Creates files in the program directory

      • svhost.exe (PID: 3052)
    • Creates files in the user directory

      • svhost.exe (PID: 3052)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: 2bbb.exe
ZipUncompressedSize: 319488
ZipCompressedSize: 243219
ZipCRC: 0x78e670b2
ZipModifyDate: 2019:05:13 23:59:10
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
7
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winrar.exe 2bbb.exe cmd.exe reg.exe #NANOCORE svhost.exe cmd.exe no specs timeout.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2820"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\RE_ENQUIRY.bz.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3240"C:\Users\admin\Desktop\2bbb.exe" C:\Users\admin\Desktop\2bbb.exe
explorer.exe
User:
admin
Company:
Windscribe Limited
Integrity Level:
HIGH
Description:
Windscribe Setup
Exit code:
0
Version:
292"cmd.exe"C:\Windows\system32\cmd.exe
2bbb.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2264reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\admin\AppData\Local\Temp\FolderN\name.exe.lnk" /fC:\Windows\system32\reg.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3052"C:\Users\admin\AppData\Local\Temp\svhost.exe"C:\Users\admin\AppData\Local\Temp\svhost.exe
2bbb.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
MSBuild.exe
Version:
3.5.30729.4926 built by: NetFXw7
3540cmd /c C:\Users\admin\AppData\Local\Temp\FolderN\name.exe.batC:\Windows\system32\cmd.exe2bbb.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2392timeout /t 300C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
630
Read events
618
Write events
12
Delete events
0

Modification events

(PID) Process:(2820) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2820) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2820) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2820) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\RE_ENQUIRY.bz.zip
(PID) Process:(2820) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2820) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2820) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2820) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2820) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
Operation:writeName:0
Value:
C:\Users\admin\Desktop
(PID) Process:(2264) reg.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
Operation:writeName:Load
Value:
C:\Users\admin\AppData\Local\Temp\FolderN\name.exe.lnk
Executable files
4
Suspicious files
1
Text files
2
Unknown types
1

Dropped files

PID
Process
Filename
Type
3052svhost.exeC:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.datbinary
MD5:178D036961AC25176BDE285C43A1D6F6
SHA256:26246187EB7F131151446462FF4A52CA58E1FAF456BA6B3CEE4822D597B9912E
292cmd.exeC:\Users\admin\AppData\Local\Temp\FolderN\name.exeexecutable
MD5:5B551DF943F9022993962EB9946C29C1
SHA256:865A436230B98D2AED00CDAF1459CDF5DC585A3ECDF69E2182E96963D3CE38F6
2820WinRAR.exeC:\Users\admin\Desktop\2bbb.exeexecutable
MD5:5B551DF943F9022993962EB9946C29C1
SHA256:865A436230B98D2AED00CDAF1459CDF5DC585A3ECDF69E2182E96963D3CE38F6
32402bbb.exeC:\Users\admin\AppData\Local\Temp\FolderN\name.exe.battext
MD5:4C8485419E996A63B390E1E42AE851A8
SHA256:6B8CCB3DB87E52C95A7EA8D41B7BFF269A26C9573E74AF142525C7DC49EA2467
32402bbb.exeC:\Users\admin\AppData\Local\Temp\FolderN\name.exe.lnklnk
MD5:B7F2CFEC6823A438DBA7530A8F4AE648
SHA256:612F6D646DAAA368D40443AB894042EBB8B93AC485658E78682731BAD9AB52CC
292cmd.exeC:\Users\admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifiertext
MD5:130A75A932A2FE57BFEA6A65B88DA8F6
SHA256:F2B79CAE559D6772AFC1C2ED9468988178F8B6833D5028A15DEA73CE47D0196E
32402bbb.exeC:\Users\admin\AppData\Local\Temp\svhost.exeexecutable
MD5:2E5F1CF69F92392F8829FC9C9263AE9B
SHA256:51985A57E085D8B17042F0CDC1F905380B792854733EB3275FD8FCE4E3BB886B
3052svhost.exeC:\Program Files\TCP Monitor\tcpmon.exeexecutable
MD5:2E5F1CF69F92392F8829FC9C9263AE9B
SHA256:51985A57E085D8B17042F0CDC1F905380B792854733EB3275FD8FCE4E3BB886B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
27
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3052
svhost.exe
41.231.120.139:5770
Tunisia BackBone AS
TN
malicious

DNS requests

No data

Threats

No threats detected
No debug info