| File name: | bugs.exe |
| Full analysis: | https://app.any.run/tasks/36e49621-796a-4b6a-acb2-be9adf6b70e6 |
| Verdict: | Malicious activity |
| Threats: | NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website. |
| Analysis date: | November 23, 2023, 09:36:55 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | EF0E0785FFCDA859796A59CEAFF60D73 |
| SHA1: | 3632EBEB2F8490F63C08BAD66092501718CA3A37 |
| SHA256: | 5A3B4EE2DABC14E0A47010A271EB7039335AF3C737E20B41A229B89E4651D5FF |
| SSDEEP: | 3072:CpjFiF4UMYXw+zcgi+oG/j9iaMP2s/HrzFmOsmPb29By0BpT9JTPViYADv608sq:CNFfUMuzkIM5rzFmjmPb29AWphZSvjq |
MALICIOUS
Connects to the CnC server
- bugs.exe (PID: 3196)
NANOCORE has been detected (SURICATA)
- bugs.exe (PID: 3196)
NANOCORE has been detected (YARA)
- bugs.exe (PID: 3196)
SUSPICIOUS
Connects to unusual port
- bugs.exe (PID: 3196)
INFO
Checks supported languages
- bugs.exe (PID: 3196)
- wmpnscfg.exe (PID: 3428)
- wmpnscfg.exe (PID: 3524)
Reads the computer name
- wmpnscfg.exe (PID: 3428)
- bugs.exe (PID: 3196)
- wmpnscfg.exe (PID: 3524)
Process checks are UAC notifies on
- bugs.exe (PID: 3196)
Reads the machine GUID from the registry
- wmpnscfg.exe (PID: 3428)
- bugs.exe (PID: 3196)
- wmpnscfg.exe (PID: 3524)
Reads Environment values
- bugs.exe (PID: 3196)
Creates files or folders in the user directory
- bugs.exe (PID: 3196)
Manual execution by a user
- wmpnscfg.exe (PID: 3524)
Reads product name
- bugs.exe (PID: 3196)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Nanocore
(PID) Process(3196) bugs.exe
BuildTime2023-11-23 09:36:00.761272
Version1.2.2.0
Mutex7a345de9-4cd2-4a34-b959-40e0c6be48c2
DefaultGroupDefault
PrimaryConnectionHosttelebit.cloud
BackupConnectionHosttelebit.cloud
ConnectionPort5543
RunOnStartupFalse
RequestElevationFalse
BypassUserAccountControlFalse
ClearZoneIdentifierTrue
ClearAccessControlFalse
SetCriticalProcessFalse
PreventSystemSleepTrue
ActivateAwayModeFalse
EnableDebugModeFalse
RunDelay0
ConnectDelay4000
RestartDelay5000
TimeoutInterval5000
KeepAliveTimeout30000
MutexTimeout5000
LanTimeout2500
WanTimeout8000
BufferSize65535
MaxPacketSize10485760
GCThreshold10485760
UseCustomDnsServerTrue
PrimaryDnsServer8.8.8.8
BackupDnsServer8.8.4.4
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (63.1) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (23.8) |
| .dll | | | Win32 Dynamic Link Library (generic) (5.6) |
| .exe | | | Win32 Executable (generic) (3.8) |
| .exe | | | Generic Win/DOS Executable (1.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2015:02:22 01:49:37+01:00 |
| ImageFileCharacteristics: | Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 116736 |
| InitializedDataSize: | 90112 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1e792 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
Total processes
40
Monitored processes
3
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 3196 | "C:\Users\admin\AppData\Local\Temp\bugs.exe" | C:\Users\admin\AppData\Local\Temp\bugs.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 1073807364 Modules
Nanocore(PID) Process(3196) bugs.exe BuildTime2023-11-23 09:36:00.761272 Version1.2.2.0 Mutex7a345de9-4cd2-4a34-b959-40e0c6be48c2 DefaultGroupDefault PrimaryConnectionHosttelebit.cloud BackupConnectionHosttelebit.cloud ConnectionPort5543 RunOnStartupFalse RequestElevationFalse BypassUserAccountControlFalse ClearZoneIdentifierTrue ClearAccessControlFalse SetCriticalProcessFalse PreventSystemSleepTrue ActivateAwayModeFalse EnableDebugModeFalse RunDelay0 ConnectDelay4000 RestartDelay5000 TimeoutInterval5000 KeepAliveTimeout30000 MutexTimeout5000 LanTimeout2500 WanTimeout8000 BufferSize65535 MaxPacketSize10485760 GCThreshold10485760 UseCustomDnsServerTrue PrimaryDnsServer8.8.8.8 BackupDnsServer8.8.4.4 | |||||||||||||||
| 3428 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3524 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
499
Read events
493
Write events
0
Delete events
6
Modification events
| (PID) Process: | (3428) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{D9C255A5-09C3-4F44-AF6F-3A7102B6D22B}\{E484809C-23CB-4643-90A0-E0EDBE311F21} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3428) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{D9C255A5-09C3-4F44-AF6F-3A7102B6D22B} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3428) wmpnscfg.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{ADA2D2C1-5D74-47C7-8C9D-49273AAF4C05} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3524) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{1D058363-96B6-45A8-9E58-0705E2003B18}\{D56D7439-F9E2-419D-9BF8-5E2E16BA280A} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3524) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{1D058363-96B6-45A8-9E58-0705E2003B18} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3524) wmpnscfg.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{861A4BD3-FEE3-4EEE-9443-0A0F31BC4842} |
| Operation: | delete key | Name: | (default) |
Value: | |||
Executable files
0
Suspicious files
4
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3196 | bugs.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\settings.bin | binary | |
MD5:AE0F5E6CE7122AF264EC533C6B15A27B | SHA256:73B0B92179C61C26589B47E9732CE418B07EDEE3860EE5A2A5FB06F3B8AA9B26 | |||
| 3196 | bugs.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\settings.bak | binary | |
MD5:AE0F5E6CE7122AF264EC533C6B15A27B | SHA256:73B0B92179C61C26589B47E9732CE418B07EDEE3860EE5A2A5FB06F3B8AA9B26 | |||
| 3196 | bugs.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\catalog.dat | binary | |
MD5:32D0AAE13696FF7F8AF33B2D22451028 | SHA256:5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29 | |||
| 3196 | bugs.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat | text | |
MD5:38C5D0E214ABB9DC61CD96024D91D4C0 | SHA256:2C17728DBE1C26348B33CDB2BDFF8601F2EFCACDBF270B2862416A1F04B60011 | |||
| 3196 | bugs.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\storage.dat | binary | |
MD5:963D5E2C9C0008DFF05518B47C367A7F | SHA256:5EACF2974C9BB2C2E24CDC651C4840DD6F4B76A98F0E85E90279F1DBB2E6F3C0 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
6
DNS requests
1
Threats
24
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
3196 | bugs.exe | 104.248.242.224:5543 | telebit.cloud | DIGITALOCEAN-ASN | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
telebit.cloud |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3196 | bugs.exe | Malware Command and Control Activity Detected | ET MALWARE NanoCore RAT CnC 7 |
3196 | bugs.exe | Malware Command and Control Activity Detected | ET MALWARE NanoCore RAT CnC 7 |
3196 | bugs.exe | Malware Command and Control Activity Detected | ET MALWARE NanoCore RAT CnC 7 |
3196 | bugs.exe | Malware Command and Control Activity Detected | ET MALWARE NanoCore RAT CnC 7 |
3196 | bugs.exe | Malware Command and Control Activity Detected | ET MALWARE NanoCore RAT CnC 7 |
3196 | bugs.exe | Malware Command and Control Activity Detected | ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound) |
3196 | bugs.exe | Malware Command and Control Activity Detected | ET MALWARE NanoCore RAT CnC 7 |
3196 | bugs.exe | Malware Command and Control Activity Detected | ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound) |
3196 | bugs.exe | Malware Command and Control Activity Detected | ET MALWARE NanoCore RAT CnC 7 |
3196 | bugs.exe | Malware Command and Control Activity Detected | ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound) |
1 ETPRO signatures available at the full report