analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

geec.exe

Full analysis: https://app.any.run/tasks/f92484ce-d948-4b66-a4c6-a3d9db02591c
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Analysis date: July 17, 2019, 17:20:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
nanocore
autoit
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

F71D5C3D92723B79DC6BF3ABD6BBE867

SHA1:

DB97F387BB4BAB100229E9661C9465BB1A278961

SHA256:

74619922864D2354101E329F3F9079EB1B02B438545658C1EF9AC9300B42C033

SSDEEP:

24576:bNA3R5drXTLPdn6B7QjOaP76KLiHMEhQkelZTv0dIjmFHDbeisNIfTKPWI0n:G5Pl6x1aP7AHEXKomx6IOPWIa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • wim.exe (PID: 3812)
      • wim.exe (PID: 2532)
      • RegSvcs.exe (PID: 2384)
    • NanoCore was detected

      • RegSvcs.exe (PID: 2384)
    • Changes the autorun value in the registry

      • wim.exe (PID: 3812)
      • RegSvcs.exe (PID: 2384)
  • SUSPICIOUS

    • Application launched itself

      • wim.exe (PID: 2532)
    • Executes scripts

      • geec.exe (PID: 3084)
    • Executable content was dropped or overwritten

      • geec.exe (PID: 3084)
      • RegSvcs.exe (PID: 2384)
    • Drop AutoIt3 executable file

      • geec.exe (PID: 3084)
    • Creates files in the user directory

      • RegSvcs.exe (PID: 2384)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • geec.exe (PID: 3084)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x1d759
UninitializedDataSize: -
InitializedDataSize: 138240
CodeSize: 190976
LinkerVersion: 14
PEType: PE32
TimeStamp: 2019:04:27 22:03:27+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 27-Apr-2019 20:03:27
Detected languages:
  • English - United States
  • Process Default Language
Debug artifacts:
  • D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000110

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 27-Apr-2019 20:03:27
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0002E854
0x0002EA00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.69231
.rdata
0x00030000
0x00009A9C
0x00009C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.13286
.data
0x0003A000
0x000213D0
0x00000C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.25381
.gfids
0x0005C000
0x000000E8
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
2.11154
.rsrc
0x0005D000
0x0001516C
0x00015200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.79068
.reloc
0x00073000
0x00001FCC
0x00002000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.64554

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.25329
1875
Latin 1 / Western European
English - United States
RT_MANIFEST
7
3.1586
482
Latin 1 / Western European
English - United States
RT_STRING
8
3.11685
460
Latin 1 / Western European
English - United States
RT_STRING
9
3.15447
494
Latin 1 / Western European
English - United States
RT_STRING
10
2.99727
326
Latin 1 / Western European
English - United States
RT_STRING
11
3.2036
1094
Latin 1 / Western European
English - United States
RT_STRING
12
3.12889
358
Latin 1 / Western European
English - United States
RT_STRING
13
2.95673
288
Latin 1 / Western European
English - United States
RT_STRING
14
2.94627
266
Latin 1 / Western European
English - United States
RT_STRING
15
2.83619
188
Latin 1 / Western European
English - United States
RT_STRING

Imports

KERNEL32.dll
USER32.dll (delay-loaded)
gdiplus.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
5
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start geec.exe wscript.exe no specs wim.exe no specs wim.exe #NANOCORE regsvcs.exe

Process information

PID
CMD
Path
Indicators
Parent process
3084"C:\Users\admin\AppData\Local\Temp\geec.exe" C:\Users\admin\AppData\Local\Temp\geec.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3584"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\41802843\jbb.vbs" C:\Windows\System32\WScript.exegeec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
2532"C:\Users\admin\AppData\Local\Temp\41802843\wim.exe" trs=evuC:\Users\admin\AppData\Local\Temp\41802843\wim.exeWScript.exe
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
AutoIt v3 Script
Exit code:
0
Version:
3, 3, 14, 4
3812C:\Users\admin\AppData\Local\Temp\41802843\wim.exe C:\Users\admin\AppData\Local\Temp\41802843\ZRERGC:\Users\admin\AppData\Local\Temp\41802843\wim.exe
wim.exe
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
AutoIt v3 Script
Exit code:
0
Version:
3, 3, 14, 4
2384"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
wim.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Services Installation Utility
Version:
4.7.3062.0 built by: NET472REL1
Total events
892
Read events
825
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
1
Text files
52
Unknown types
0

Dropped files

PID
Process
Filename
Type
3084geec.exeC:\Users\admin\AppData\Local\Temp\41802843\ifv.dattext
MD5:C06620F41BBF2FF8494F6DA9A183A702
SHA256:6D77C240D3D9481EC50CB2BB7E0FA32E6D3430E0D33E857F54F951FA01AE7B10
3084geec.exeC:\Users\admin\AppData\Local\Temp\41802843\frn.mp4text
MD5:4941386F447DA69499CA405CF1638F55
SHA256:8781C2064078B8960B9DDCCB0A235FEF1E46D08653BC5EEBB0F9B234C0164B69
3084geec.exeC:\Users\admin\AppData\Local\Temp\41802843\nan.dattext
MD5:E9E6CC5E76172FD70FC99E10F4A85A1C
SHA256:57B4D3D2D6F363D97F71E2498C8A12BBFA5AB3A1767353C5430D13C60C22F801
3084geec.exeC:\Users\admin\AppData\Local\Temp\41802843\dqf.mp3text
MD5:9CC33657159CAEA42BE2E80CBF00384D
SHA256:7FBC238E6E029F2F4E90E4CD7B86A1A520A2BB6C8E73CF77AF070E420B827E80
3084geec.exeC:\Users\admin\AppData\Local\Temp\41802843\qmt.txttext
MD5:54E8DEA7B32B9D98316E19123CCFDA18
SHA256:54F4BAFEF3C80AAAA769836B7B48811A9BEB7BBB34A6D3ED61203F04D52D4539
3084geec.exeC:\Users\admin\AppData\Local\Temp\41802843\coc.icmtext
MD5:61B24B6FD41F9DF115AA3B7259DE1721
SHA256:8ADAE25FD787F914098E5085ABE1FED0DBAE7D26060D54A66000B212D22F0096
3084geec.exeC:\Users\admin\AppData\Local\Temp\41802843\trs=evutext
MD5:BD898CF9F652211312EAA1BF67168BF9
SHA256:A2E54152D58A5A9E328096D0B42D21C44838E803596F31AF5220583B396EA6B5
3084geec.exeC:\Users\admin\AppData\Local\Temp\41802843\dnv.pdftext
MD5:1852C9DAD176AB7EF45B213D95833299
SHA256:F287C39F6E7A7BEFA7CB8AD564126FE8747F32D8DA82F6009F7210A712FF7CD5
3084geec.exeC:\Users\admin\AppData\Local\Temp\41802843\jbb.vbstext
MD5:899A4118A1978DE1C8DD2C529D2D4E11
SHA256:6611CE3A165E6550935A391C0B2AE8CF1DCF540938FC2FD98910E52B818EE373
3084geec.exeC:\Users\admin\AppData\Local\Temp\41802843\dgc.ppttext
MD5:CE3A1EDC16DAD8D215B4AF2198DD4418
SHA256:8FAE42D60DF699824036A1100AFEE5A290E3CC9AB41AAD497E1330DC1695473C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
8
DNS requests
4
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2384
RegSvcs.exe
193.176.87.214:20202
benzkartel.duckdns.org
unknown
2384
RegSvcs.exe
8.8.8.8:53
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
benzkartel.duckdns.org
  • 193.176.87.214
malicious

Threats

PID
Process
Class
Message
2384
RegSvcs.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2384
RegSvcs.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2384
RegSvcs.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2384
RegSvcs.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
No debug info