File name: | 6be4c966edc63f37f52fc3a935344f634a8bb064d97200a31c0a3d2459ceda26.doc |
Full analysis: | https://app.any.run/tasks/8eaa07ec-c96b-4c9d-9f14-21065d568ecd |
Verdict: | Malicious activity |
Threats: | NanoCore is a Remote Access Trojan (RAT). This malware is highly customizable with plugins that allow attackers to tailor its functionality to their needs. NanoCore is built on the .NET framework and is available for purchase for just $25 from its “official” website. |
Analysis date: | April 25, 2019, 13:47:20 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
MIME: | text/rtf |
File info: | Rich Text Format data, version 1, unknown character set |
MD5: | FC377DE40FEFA629A91F812EBEBE1D9E |
SHA1: | 00E21829673F1E3F7C00D9017EF0521F8A605134 |
SHA256: | 6BE4C966EDC63F37F52FC3A935344F634A8BB064D97200A31C0A3D2459CEDA26 |
SSDEEP: | 1536:qs0xsETtuPNi9jxQV7eMMET5vQi9jxQVzSubEtK:q7acmTVizc9qV+f0 |
.rtf | | | Rich Text Format (100) |
---|
InternalVersionNumber: | 101 |
---|---|
CharactersWithSpaces: | 52 |
Characters: | 46 |
Words: | 7 |
Pages: | 1 |
TotalEditTime: | 1 minute |
RevisionNumber: | 1 |
ModifyDate: | 2019:04:24 22:47:00 |
CreateDate: | 2019:04:24 22:46:00 |
LastModifiedBy: | Administrator |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2932 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\6be4c966edc63f37f52fc3a935344f634a8bb064d97200a31c0a3d2459ceda26.doc" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3280 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
2340 | "C:\Users\admin\AppData\Local\Temp\d8yrxmsh.exe" | C:\Users\admin\AppData\Local\Temp\d8yrxmsh.exe | — | EXCEL.EXE |
User: admin Company: omnipotentiality Integrity Level: MEDIUM Description: witneyer Exit code: 0 Version: 1.07.0001 | ||||
3532 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
2744 | "C:\Users\admin\AppData\Local\Temp\d8yrxmsh.exe" | C:\Users\admin\AppData\Local\Temp\d8yrxmsh.exe | — | EXCEL.EXE |
User: admin Company: omnipotentiality Integrity Level: MEDIUM Description: witneyer Exit code: 0 Version: 1.07.0001 | ||||
3864 | "C:\Program Files\Microsoft Office\Office14\excelcnv.exe" -Embedding | C:\Program Files\Microsoft Office\Office14\excelcnv.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
3024 | "C:\Users\admin\AppData\Local\Temp\d8yrxmsh.exe" | C:\Users\admin\AppData\Local\Temp\d8yrxmsh.exe | d8yrxmsh.exe | |
User: admin Company: omnipotentiality Integrity Level: MEDIUM Description: witneyer Version: 1.07.0001 | ||||
3032 | "C:\Users\admin\AppData\Local\Temp\d8yrxmsh.exe" | C:\Users\admin\AppData\Local\Temp\d8yrxmsh.exe | — | d8yrxmsh.exe |
User: admin Company: omnipotentiality Integrity Level: MEDIUM Description: witneyer Exit code: 0 Version: 1.07.0001 |
(PID) Process: | (2932) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | ps> |
Value: 70733E00740B0000010000000000000000000000 | |||
(PID) Process: | (2932) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: Off | |||
(PID) Process: | (2932) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
Operation: | write | Name: | 1033 |
Value: On | |||
(PID) Process: | (2932) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | WORDFiles |
Value: 1318649886 | |||
(PID) Process: | (2932) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1318650008 | |||
(PID) Process: | (2932) WINWORD.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage |
Operation: | write | Name: | ProductFiles |
Value: 1318650009 | |||
(PID) Process: | (2932) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word |
Operation: | write | Name: | MTTT |
Value: 740B00007E4DE3706DFBD40100000000 | |||
(PID) Process: | (2932) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | write | Name: | yt> |
Value: 79743E00740B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (2932) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems |
Operation: | delete value | Name: | yt> |
Value: 79743E00740B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000 | |||
(PID) Process: | (2932) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2932 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRFB50.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3280 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR255.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3280 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CabA84.tmp | — | |
MD5:— | SHA256:— | |||
3280 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\TarA85.tmp | — | |
MD5:— | SHA256:— | |||
3280 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CabA95.tmp | — | |
MD5:— | SHA256:— | |||
3280 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\TarA96.tmp | — | |
MD5:— | SHA256:— | |||
3280 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CabBA1.tmp | — | |
MD5:— | SHA256:— | |||
3280 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\TarBA2.tmp | — | |
MD5:— | SHA256:— | |||
3532 | EXCEL.EXE | C:\Users\admin\AppData\Local\Temp\CVR13BA.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3532 | EXCEL.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\stub[1].exe | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3280 | EXCEL.EXE | GET | 200 | 67.27.159.254:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 55.6 Kb | whitelisted |
3280 | EXCEL.EXE | GET | 200 | 67.27.159.254:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/47BEABC922EAE80E78783462A79F45C254FDE68B.crt | US | der | 969 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3532 | EXCEL.EXE | 104.238.117.30:443 | depedpasay.ph | GoDaddy.com, LLC | US | suspicious |
3024 | d8yrxmsh.exe | 91.192.100.11:7077 | — | SOFTplus Entwicklungen GmbH | CH | malicious |
3280 | EXCEL.EXE | 104.238.117.30:443 | depedpasay.ph | GoDaddy.com, LLC | US | suspicious |
3280 | EXCEL.EXE | 67.27.159.254:80 | www.download.windowsupdate.com | Level 3 Communications, Inc. | US | malicious |
Domain | IP | Reputation |
---|---|---|
depedpasay.ph | | suspicious |
www.download.windowsupdate.com | | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3280 | EXCEL.EXE | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |
3024 | d8yrxmsh.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 60B |
3024 | d8yrxmsh.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
3024 | d8yrxmsh.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
3024 | d8yrxmsh.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
3024 | d8yrxmsh.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
3024 | d8yrxmsh.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |