File name: Shipment For Pickup (1).img

Full analysis: https://app.any.run/tasks/c302a36f-692a-428e-b3fa-19ce70201630
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan (RAT). The malware is highly customizable through plugins, which let operators tailor its functionality to their needs. NanoCore is written on the .NET framework and is sold for just $25 from its "official" website.

Analysis date: April 23, 2019, 14:42:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, nanocore, rat
Indicators:
MIME: application/x-iso9660-image
File info: UDF filesystem data (version 1.5) 'NEW_FOLDER'
MD5: 43521D9A9FFF124F1E2DF2B9516CFAB0
SHA1: ABE852A56936E1C7D67BE4E4DD3DEE4EC6FA56FE
SHA256: 7D43786529CC7E2BC1E59B481AAE8347C2BBF16CC658608610DF7411ADE2379F
SSDEEP: 24576:nAHnh+eWsN3skA4RV1Hom2KXMmHaIftYqrdOrwDfPAHpjxgp5:ah+ZkldoPK8YaI7fYJc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Shipment For pickup.exe (PID: 1492)
    • NanoCore was detected
      • RegAsm.exe (PID: 1856)
    • Writes to a start menu file
      • Shipment For pickup.exe (PID: 1492)
    • Connects to CnC server
      • RegAsm.exe (PID: 1856)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • Shipment For pickup.exe (PID: 1492)
      • WinRAR.exe (PID: 2844)
    • Creates files in the user directory
      • Shipment For pickup.exe (PID: 1492)
      • RegAsm.exe (PID: 1856)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD

.iso | ISO 9660 CD image (27.6)
.atn | Photoshop Action (27.1)
.gmc | Game Music Creator Music (6.1)

EXIF

Composite

VolumeSize: 2.1 MB

ISO

VolumeModifyDate: 2019:04:22 13:24:23.00+03:00
VolumeCreateDate: 2019:04:22 13:24:23.00+03:00
Software: IMGBURN V2.5.8.0 - THE ULTIMATE IMAGE BURNER!
VolumeSetName: UNDEFINED
RootDirectoryCreateDate: 2019:04:22 13:24:23+03:00
VolumeBlockSize: 2048
VolumeBlockCount: 1056
VolumeName: NEW_FOLDER
Total processes: 34
Monitored processes: 4
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Process chain: rundll32.exe (no specs) -> winrar.exe -> shipment for pickup.exe (drop and start) -> regasm.exe (#NANOCORE)

Process information

PID: 3904
CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\Shipment For Pickup (1).img.iso
Path: C:\Windows\system32\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2844
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Shipment For Pickup (1).img.iso"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: rundll32.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 1492
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2844.11777\Shipment For pickup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2844.11777\Shipment For pickup.exe
Parent process: WinRAR.exe
User: admin
Company: adsmsext
Integrity Level: MEDIUM
Description: Dism
Exit code: 0
Version: 792.170.229.116

PID: 1856
CMD: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Parent process: Shipment For pickup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Assembly Registration Utility
Version: 2.0.50727.5420 (Win7SP1.050727-5400)
Total events: 933
Read events: 842
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 2
Suspicious files: 3
Text files: 2
Unknown types: 1

Dropped files

PID: 1492
Process: Shipment For pickup.exe
Filename: C:\Users\admin\RtkAudioService64\BdeSysprep.vbs
Type: text
MD5: 912F7E416AB3C949B26245048F6251DA
SHA256: 906EE841BF9692C64D1B8B0EB7F2601535C3CD143CFE05EB1B6F4807A8E56A41

PID: 1856
Process: RegAsm.exe
Filename: C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat
Type: binary
MD5: A78790B370681DAA13CD5F901AB84D83
SHA256: D735DD4706865BB12F7E8B5F6B6494EBF6FAD0D3FC7D7386DBDB94F2FD215174

PID: 1492
Process: Shipment For pickup.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BdeSysprep.url
Type: text
MD5: B2F819A84E8148AB5CC4D2296D4D3430
SHA256: 075F074AB883039637A7D7F66C8C437C5240BB8E74F359933ABBE7EB5168F1F5

PID: 1492
Process: Shipment For pickup.exe
Filename: C:\Users\admin\RtkAudioService64\AppXDeploymentExtensions.desktop.exe
Type: executable
MD5: 1737ADC66764A84C4497CF0A3755481A
SHA256: 142DCC4ECD7910B0563197E3EC5E49AC32A1FF986642BE2F48A78D1DF34BD2CC

PID: 2844
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa2844.11777\Shipment For pickup.exe
Type: executable
MD5: DFCFB54102967329313ECDD248DC91C4
SHA256: 7B3AE220F68F358BB435739AEBCFD9E45A7DBFDED4F5E2F75C04B8437911076A

PID: 1856
Process: RegAsm.exe
Filename: C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\settings.bin
Type: binary
MD5: 4E5E92E2369688041CC82EF9650EDED2
SHA256: F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48

PID: 1856
Process: RegAsm.exe
Filename: C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\catalog.dat
Type: bs
MD5: 9E7D0351E4DF94A9B0BADCEB6A9DB963
SHA256: AAFC7B40C5FE680A2BB549C3B90AABAAC63163F74FFFC0B00277C6BBFF88B757

PID: 1856
Process: RegAsm.exe
Filename: C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\storage.dat
Type: binary
MD5: 653DDDCB6C89F6EC51F3DDC0053C5914
SHA256: 83B9CAE66800C768887FB270728F6806CBEBDEAD9946FA730F01723847F17FF9
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 3
Threats: 0

HTTP requests

No HTTP requests

Connections

IP: 8.8.8.8:53
ASN: Google Inc.
CN: US
Reputation: whitelisted

PID: 1856
Process: RegAsm.exe
IP: 31.220.43.113:7788
Domain: adobemoney.linkpc.net
ASN: HostHatch, Inc
CN: NL
Reputation: malicious

PID: 1856
Process: RegAsm.exe
IP: 8.8.8.8:53
ASN: Google Inc.
CN: US
Reputation: whitelisted

DNS requests

Domain: adobemoney.linkpc.net
IP: 31.220.43.113
Reputation: malicious

Threats

All alerts below were raised on PID 1856 (RegAsm.exe), class "A Network Trojan was detected":

  • ET TROJAN Possible NanoCore C2 64B
  • MALWARE [PTsecurity] NanoCore.RAT
  • ET TROJAN Possible NanoCore C2 60B
  • MALWARE [PTsecurity] NanoCore.RAT
  • MALWARE [PTsecurity] NanoCore.RAT
  • MALWARE [PTsecurity] NanoCore.RAT
  • MALWARE [PTsecurity] NanoCore.RAT
  • MALWARE [PTsecurity] NanoCore.RAT
  • MALWARE [PTsecurity] NanoCore.RAT
  • ET TROJAN Possible NanoCore C2 64B
70 ETPRO signatures available at the full report
No debug info