Field | Value
---|---
URL | https://onedrive.live.com/download?cid=40170A61CD65B3E5&resid=40170A61CD65B3E5%21703&authkey=AFODp8zBwNTkDMM
Full analysis | https://app.any.run/tasks/9f2a84b3-09e1-44bc-8e75-318890b9c28a
Verdict | Malicious activity
Threats | NanoCore is a Remote Access Trojan (RAT). The malware is highly customizable through plugins that let attackers tailor its functionality to their needs. NanoCore is built on the .NET framework and is available for purchase for just $25 from its “official” website.
Analysis date | March 31, 2020, 08:19:21
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MD5 | 76FD85CE4F13E0D9A2284D8D02A1CE2F
SHA1 | 1C266B8DF2EE274F4D6408E3B6175CB418466B21
SHA256 | 767232C8A7A116FF06B945DCB38FC48FB2F2F95F4E1B10CF52F9A1B1169716C0
SSDEEP | 3:N8Ck3CTwKbl9T0D8k09hyxpqqJS41:2CkST/Z9Q4V6xpqqJS41
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
2644 | "C:\Program Files\Mozilla Firefox\firefox.exe" "https://onedrive.live.com/download?cid=40170A61CD65B3E5&resid=40170A61CD65B3E5%21703&authkey=AFODp8zBwNTkDMM" | C:\Program Files\Mozilla Firefox\firefox.exe | — | explorer.exe | User: admin; Company: Mozilla Corporation; Integrity Level: MEDIUM; Description: Firefox; Exit code: 0; Version: 68.0.1
3764 | "C:\Program Files\Mozilla Firefox\firefox.exe" https://onedrive.live.com/download?cid=40170A61CD65B3E5&resid=40170A61CD65B3E5%21703&authkey=AFODp8zBwNTkDMM | C:\Program Files\Mozilla Firefox\firefox.exe | | firefox.exe | User: admin; Company: Mozilla Corporation; Integrity Level: MEDIUM; Description: Firefox; Version: 68.0.1
1800 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3764.0.1341437325\876402343" -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3764 "\\.\pipe\gecko-crash-server-pipe.3764" 1184 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | User: admin; Company: Mozilla Corporation; Integrity Level: MEDIUM; Description: Firefox; Version: 68.0.1
3356 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3764.3.702834255\710548357" -childID 1 -isForBrowser -prefsHandle 1712 -prefMapHandle 1376 -prefsLen 1 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3764 "\\.\pipe\gecko-crash-server-pipe.3764" 1736 tab | C:\Program Files\Mozilla Firefox\firefox.exe | | firefox.exe | User: admin; Company: Mozilla Corporation; Integrity Level: LOW; Description: Firefox; Version: 68.0.1
2488 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3764.13.1641941694\370028539" -childID 2 -isForBrowser -prefsHandle 2800 -prefMapHandle 2804 -prefsLen 5996 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3764 "\\.\pipe\gecko-crash-server-pipe.3764" 2828 tab | C:\Program Files\Mozilla Firefox\firefox.exe | | firefox.exe | User: admin; Company: Mozilla Corporation; Integrity Level: LOW; Description: Firefox; Version: 68.0.1
3048 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3764.20.1046534229\1992007167" -childID 3 -isForBrowser -prefsHandle 3668 -prefMapHandle 3672 -prefsLen 7129 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3764 "\\.\pipe\gecko-crash-server-pipe.3764" 3692 tab | C:\Program Files\Mozilla Firefox\firefox.exe | | firefox.exe | User: admin; Company: Mozilla Corporation; Integrity Level: LOW; Description: Firefox; Version: 68.0.1
2960 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\JI-19126-KZ-ST.pdf.xz" | C:\Program Files\WinRAR\WinRAR.exe | | firefox.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0
872 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2960.16877\JI-19126-KZ-ST.pdf.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2960.16877\JI-19126-KZ-ST.pdf.exe | — | WinRAR.exe | User: admin; Company: WONDerware; Integrity Level: MEDIUM; Description: Pretr5; Exit code: 0; Version: 1.00
1876 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2960.16877\JI-19126-KZ-ST.pdf.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | | JI-19126-KZ-ST.pdf.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft .NET Assembly Registration Utility; Version: 2.0.50727.5420 (Win7SP1.050727-5400)
3748 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3764 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin | — | — | —
3764 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js | — | — | —
3764 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp | — | — | —
3764 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4.tmp | — | — | —
3764 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.bin | binary | DE9496ACA551ADE408EF6466A11833A1 | 8F9C7FDB3E0BC01024E43A8E242468FC4DD4F74C725E32A883571635203DC10A
3764 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4 | jsonlz4 | 6D378E0D40B6EACA22C8BCE899A1C5C1 | ADA2467B2477ACEFF837AC7820C435AD1EBBE844B2DA31C7AB9AE8D010C7A639
3764 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js | text | 354459382F30B8994109C88659DFA1F3 | E3E8E2B7E7EECA231620D83C70FA5A926E8B9CE74C51F595F71191DC0B50527E
3764 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-child-current.bin | binary | 5027177F513CDAE07DB2330E1DED5934 | 0C53F16051E738287A4612F68E296238087627E594CFD6DDFA1FECC2E998328B
3764 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\block-flash-digest256.sbstore | binary | 0E8FE60CCD7E9B4C32589A5743A95302 | 2B124D4026850A3CFFD28DBACB58AEC28F7DCD4D40BC14E52BBE96D60CE4E749
3764 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\base-track-digest256.sbstore | binary | 4A1220FC03E11726F09E9981834345DB | 6AE7FC0FDBE217104F4034BF6A580A461106B50309ABCCFF6E309124DCA5EF39
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3764 | firefox.exe | GET | 200 | 23.55.110.80:80 | http://detectportal.firefox.com/success.txt | US | text | 8 b | whitelisted |
3764 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3764 | firefox.exe | POST | 200 | 172.217.16.195:80 | http://ocsp.pki.goog/gts1o1 | US | der | 472 b | whitelisted |
3764 | firefox.exe | POST | 200 | 172.217.16.195:80 | http://ocsp.pki.goog/gts1o1 | US | der | 472 b | whitelisted |
3764 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3764 | firefox.exe | GET | 200 | 23.55.110.80:80 | http://detectportal.firefox.com/success.txt | US | text | 8 b | whitelisted |
3764 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
1876 | RegAsm.exe | GET | 200 | 172.217.16.195:80 | http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDL%2FQslYWVuogIAAAAAXGdc | US | der | 472 b | whitelisted |
1876 | RegAsm.exe | GET | 200 | 172.217.16.195:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted |
1876 | RegAsm.exe | GET | 200 | 172.217.16.195:80 | http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEFOOHQjK5IlqCAAAAAAyCmA%3D | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3764 | firefox.exe | 13.107.42.12:443 | wuxbqw.dm.files.1drv.com | Microsoft Corporation | US | suspicious |
3764 | firefox.exe | 13.107.42.13:443 | onedrive.live.com | Microsoft Corporation | US | malicious |
3764 | firefox.exe | 216.58.210.10:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted |
3764 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3764 | firefox.exe | 52.11.143.45:443 | search.services.mozilla.com | Amazon.com, Inc. | US | unknown |
3764 | firefox.exe | 23.55.110.80:80 | detectportal.firefox.com | NTT America, Inc. | US | unknown |
3764 | firefox.exe | 13.225.73.57:443 | snippets.cdn.mozilla.net | — | US | suspicious |
3764 | firefox.exe | 54.191.143.31:443 | push.services.mozilla.com | Amazon.com, Inc. | US | unknown |
3764 | firefox.exe | 172.217.22.14:443 | www.youtube.com | Google Inc. | US | whitelisted |
3764 | firefox.exe | 172.217.16.195:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
Domain | IP | Reputation
---|---|---
detectportal.firefox.com | — | whitelisted
a1089.dscd.akamai.net | — | whitelisted
search.services.mozilla.com | — | whitelisted
search.r53-2.services.mozilla.com | — | whitelisted
onedrive.live.com | — | shared
push.services.mozilla.com | — | whitelisted
autopush.prod.mozaws.net | — | whitelisted
l-0004.l-msedge.net | — | whitelisted
snippets.cdn.mozilla.net | — | whitelisted
d228z91au11ukj.cloudfront.net | — | whitelisted
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .cloud TLD |
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .cloud TLD |
1876 | RegAsm.exe | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.hopto .org |
1876 | RegAsm.exe | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.hopto .org |
1876 | RegAsm.exe | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.hopto .org |
1876 | RegAsm.exe | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.hopto .org |
1876 | RegAsm.exe | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.hopto .org |
1876 | RegAsm.exe | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.hopto .org |
1876 | RegAsm.exe | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.hopto .org |
1876 | RegAsm.exe | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.hopto .org |