File name: download.exe

Full analysis: https://app.any.run/tasks/e2d3a900-878f-4d92-840d-c6556bb82306
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Analysis date: May 11, 2024, 11:54:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: nanocore
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 5577C8755BEE3B80E17E42E80EADDE86
SHA1: 79EBBC3F9D175669EE090F53B93A925B42281B73
SHA256: 85BA99319F22CDE0ABD25E839A7A230A730F1D52E546754873E479BE88E65DA1
SSDEEP: 98304:oPk7tEUpppPxYyTUsAoQ9/hZjipqYW+YHeFJeAuw8agFo2GmX:GdUfAaBE+OzYIoY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the login/logoff helper path in the registry

      • download.exe (PID: 3976)
      • download.exe (PID: 1036)
      • download.exe (PID: 1680)
      • download.exe (PID: 372)
      • download.exe (PID: 124)
      • download.exe (PID: 2044)
      • download.exe (PID: 1020)
    • Drops the executable file immediately after the start

      • download.exe (PID: 3976)
      • download.exe (PID: 2044)
      • download.exe (PID: 1020)
      • download.exe (PID: 1036)
      • download.exe (PID: 1680)
      • download.exe (PID: 372)
      • download.exe (PID: 124)
    • NANOCORE has been detected (YARA)

      • download.exe (PID: 3976)
      • download.exe (PID: 124)
  • SUSPICIOUS

    • Reads the Internet Settings

      • download.exe (PID: 3976)
      • download.exe (PID: 2044)
      • download.exe (PID: 1020)
      • download.exe (PID: 1036)
      • download.exe (PID: 1680)
      • download.exe (PID: 372)
      • download.exe (PID: 124)
    • Reads security settings of Internet Explorer

      • download.exe (PID: 3976)
      • download.exe (PID: 2044)
      • download.exe (PID: 1020)
      • download.exe (PID: 1036)
      • download.exe (PID: 1680)
      • download.exe (PID: 372)
      • download.exe (PID: 124)
    • Executable content was dropped or overwritten

      • download.exe (PID: 3976)
      • download.exe (PID: 1036)
      • download.exe (PID: 1680)
      • download.exe (PID: 372)
      • download.exe (PID: 124)
      • download.exe (PID: 1020)
      • download.exe (PID: 2044)
  • INFO

    • Reads the computer name

      • download.exe (PID: 3976)
      • download.exe (PID: 1020)
      • download.exe (PID: 1036)
      • download.exe (PID: 2044)
      • download.exe (PID: 1680)
      • download.exe (PID: 372)
      • download.exe (PID: 124)
    • Creates files or folders in the user directory

      • download.exe (PID: 3976)
      • download.exe (PID: 2044)
      • download.exe (PID: 1036)
      • download.exe (PID: 1680)
      • download.exe (PID: 372)
      • download.exe (PID: 124)
      • download.exe (PID: 1020)
    • Checks supported languages

      • download.exe (PID: 3976)
      • download.exe (PID: 1020)
      • download.exe (PID: 124)
      • download.exe (PID: 1036)
      • download.exe (PID: 2044)
      • download.exe (PID: 1680)
      • download.exe (PID: 372)
    • Create files in a temporary directory

      • download.exe (PID: 3976)
      • download.exe (PID: 1020)
      • download.exe (PID: 1036)
      • download.exe (PID: 1680)
      • download.exe (PID: 372)
      • download.exe (PID: 124)
      • download.exe (PID: 2044)
    • Reads the machine GUID from the registry

      • download.exe (PID: 3976)
      • download.exe (PID: 1020)
      • download.exe (PID: 2044)
      • download.exe (PID: 1036)
      • download.exe (PID: 1680)
      • download.exe (PID: 372)
      • download.exe (PID: 124)
    • Manual execution by a user

      • download.exe (PID: 1020)
      • download.exe (PID: 124)
      • download.exe (PID: 1036)
      • download.exe (PID: 2044)
      • download.exe (PID: 1680)
      • download.exe (PID: 372)
    • Reads Environment values

      • download.exe (PID: 3976)
    • Process checks whether UAC notifications are on

      • download.exe (PID: 3976)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Nanocore

Process: download.exe (PID: 3976)
KeyboardLogging: True
BuildTime: 2019-11-09 19:24:07.452512
Version: 1.2.2.0
Mutex: 43793517-5193-4f23-ad2d-489b2718da55
DefaultGroup: Default
PrimaryConnectionHost: ludwigh.duckdns.org
BackupConnectionHost: ghfsquad.duckdns.org
ConnectionPort: 54984
RunOnStartup: True
RequestElevation: False
BypassUserAccountControl: False
ClearZoneIdentifier: True
ClearAccessControl: False
SetCriticalProcess: False
PreventSystemSleep: True
ActivateAwayMode: False
EnableDebugMode: False
RunDelay: 0
ConnectDelay: 4000
RestartDelay: 5000
TimeoutInterval: 5000
KeepAliveTimeout: 30000
MutexTimeout: 5000
LanTimeout: 2500
WanTimeout: 8000
BufferSize: 65535
MaxPacketSize: 10485760
GCThreshold: 10485760
UseCustomDnsServer: True
PrimaryDnsServer: 8.8.8.8
BackupDnsServer: 8.8.4.4

Process: download.exe (PID: 124)
KeyboardLogging: True
BuildTime: 2019-11-09 19:24:07.452512
Version: 1.2.2.0
Mutex: 43793517-5193-4f23-ad2d-489b2718da55
DefaultGroup: Default
PrimaryConnectionHost: ludwigh.duckdns.org
BackupConnectionHost: ghfsquad.duckdns.org
ConnectionPort: 54984
RunOnStartup: True
RequestElevation: False
BypassUserAccountControl: False
ClearZoneIdentifier: True
ClearAccessControl: False
SetCriticalProcess: False
PreventSystemSleep: True
ActivateAwayMode: False
EnableDebugMode: False
RunDelay: 0
ConnectDelay: 4000
RestartDelay: 5000
TimeoutInterval: 5000
KeepAliveTimeout: 30000
MutexTimeout: 5000
LanTimeout: 2500
WanTimeout: 8000
BufferSize: 65535
MaxPacketSize: 10485760
GCThreshold: 10485760
UseCustomDnsServer: True
PrimaryDnsServer: 8.8.8.8
BackupDnsServer: 8.8.4.4

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (72.2)
.scr | Windows screen saver (12.9)
.dll | Win32 Dynamic Link Library (generic) (6.4)
.exe | Win32 Executable (generic) (4.4)
.exe | Generic Win/DOS Executable (1.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:11:01 17:01:53+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 4224512
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x4094ae
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: ProsCreate
FileVersion: 1.0.0.0
InternalName: ProsCreate.exe
LegalCopyright: Copyright ProsCreate 2019
LegalTrademarks: -
OriginalFileName: ProsCreate.exe
ProductName: ProsCreate
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
All screenshots are available in the full report
Total processes: 39
Monitored processes: 7
Malicious processes: 7
Suspicious processes: 0

Behavior graph

Graph nodes: start, download.exe (7 processes, two of them flagged #NANOCORE); the interactive graph is available in the full report.

Process information

PID: 124
CMD: "C:\Users\admin\Desktop\download.exe"
Path: C:\Users\admin\Desktop\download.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: ProsCreate
Exit code: 0
Version: 1.0.0.0
Modules:
c:\users\admin\desktop\download.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 372
CMD: "C:\Users\admin\Desktop\download.exe"
Path: C:\Users\admin\Desktop\download.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: ProsCreate
Exit code: 0
Version: 1.0.0.0
Modules:
c:\users\admin\desktop\download.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 1020
CMD: "C:\Users\admin\Desktop\download.exe"
Path: C:\Users\admin\Desktop\download.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: ProsCreate
Exit code: 0
Version: 1.0.0.0
Modules:
c:\users\admin\desktop\download.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 1036
CMD: "C:\Users\admin\Desktop\download.exe"
Path: C:\Users\admin\Desktop\download.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: ProsCreate
Exit code: 0
Version: 1.0.0.0
Modules:
c:\users\admin\desktop\download.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 1680
CMD: "C:\Users\admin\Desktop\download.exe"
Path: C:\Users\admin\Desktop\download.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: ProsCreate
Exit code: 0
Version: 1.0.0.0
Modules:
c:\users\admin\desktop\download.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 2044
CMD: "C:\Users\admin\Desktop\download.exe"
Path: C:\Users\admin\Desktop\download.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: ProsCreate
Exit code: 0
Version: 1.0.0.0
Modules:
c:\users\admin\desktop\download.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3976
CMD: "C:\Users\admin\AppData\Local\Temp\download.exe"
Path: C:\Users\admin\AppData\Local\Temp\download.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: ProsCreate
Version: 1.0.0.0
Modules:
c:\users\admin\appdata\local\temp\download.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 18 377
Read events: 18 314
Write events: 63
Delete events: 0

Modification events

Process: download.exe (PID: 3976)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation: write
Name: Shell
Value: "C:\Users\admin\AppData\Roaming\WindowsSecurity\vIfGIAPFn7Jc.exe",explorer.exe

Process: download.exe (PID: 3976)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: download.exe (PID: 3976)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: download.exe (PID: 3976)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: download.exe (PID: 3976)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: download.exe (PID: 2044)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation: write
Name: Shell
Value: "C:\Users\admin\AppData\Roaming\WindowsSecurity\uyXn30s2JQNt.exe",explorer.exe

Process: download.exe (PID: 1020)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation: write
Name: Shell
Value: "C:\Users\admin\AppData\Roaming\WindowsSecurity\64CQ26lb8qD5.exe",explorer.exe

Process: download.exe (PID: 2044)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: download.exe (PID: 2044)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: download.exe (PID: 2044)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1
Executable files: 14
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

Process (PID): filename (type)

download.exe (PID: 2044): C:\Users\admin\AppData\Local\Temp\lSkWiKwLap5BIC8U.exe (executable)
  MD5: 94484D4B22ABF59A05B0DC6542030B91
  SHA256: BCD5E6863D5AF75D3C04140E4192709EC1C63162C8447E3484DC72FD75158838
download.exe (PID: 3976): C:\Users\admin\AppData\Local\Temp\2sNKjJWPQnZ0Ydho.exe (executable)
  MD5: 94484D4B22ABF59A05B0DC6542030B91
  SHA256: BCD5E6863D5AF75D3C04140E4192709EC1C63162C8447E3484DC72FD75158838
download.exe (PID: 372): C:\Users\admin\AppData\Local\Temp\mxzfhf6bXvUNvYDO.exe (executable)
  MD5: 94484D4B22ABF59A05B0DC6542030B91
  SHA256: BCD5E6863D5AF75D3C04140E4192709EC1C63162C8447E3484DC72FD75158838
download.exe (PID: 1680): C:\Users\admin\AppData\Roaming\WindowsSecurity\PwyqGe4wJ2vP.exe (executable)
  MD5: 5577C8755BEE3B80E17E42E80EADDE86
  SHA256: 85BA99319F22CDE0ABD25E839A7A230A730F1D52E546754873E479BE88E65DA1
download.exe (PID: 372): C:\Users\admin\AppData\Roaming\WindowsSecurity\brK2haE2hVeA.exe (executable)
  MD5: 5577C8755BEE3B80E17E42E80EADDE86
  SHA256: 85BA99319F22CDE0ABD25E839A7A230A730F1D52E546754873E479BE88E65DA1
download.exe (PID: 124): C:\Users\admin\AppData\Local\Temp\VSWgsw1hhpmWtqO4.exe (executable)
  MD5: 94484D4B22ABF59A05B0DC6542030B91
  SHA256: BCD5E6863D5AF75D3C04140E4192709EC1C63162C8447E3484DC72FD75158838
download.exe (PID: 3976): C:\Users\admin\AppData\Roaming\WindowsSecurity\vIfGIAPFn7Jc.exe (executable)
  MD5: 5577C8755BEE3B80E17E42E80EADDE86
  SHA256: 85BA99319F22CDE0ABD25E839A7A230A730F1D52E546754873E479BE88E65DA1
download.exe (PID: 1020): C:\Users\admin\AppData\Roaming\WindowsSecurity\64CQ26lb8qD5.exe (executable)
  MD5: 5577C8755BEE3B80E17E42E80EADDE86
  SHA256: 85BA99319F22CDE0ABD25E839A7A230A730F1D52E546754873E479BE88E65DA1
download.exe (PID: 1680): C:\Users\admin\AppData\Local\Temp\KR1IhiJY6HLaRNkF.exe (executable)
  MD5: 94484D4B22ABF59A05B0DC6542030B91
  SHA256: BCD5E6863D5AF75D3C04140E4192709EC1C63162C8447E3484DC72FD75158838
download.exe (PID: 1036): C:\Users\admin\AppData\Local\Temp\mcfDKqs8DpUuCVoF.exe (executable)
  MD5: 94484D4B22ABF59A05B0DC6542030B91
  SHA256: BCD5E6863D5AF75D3C04140E4192709EC1C63162C8447E3484DC72FD75158838
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process      IP                    Domain  ASN  CN  Reputation
4     System       192.168.100.255:137   -       -    -   whitelisted
4     System       192.168.100.255:138   -       -    -   whitelisted
-     -            224.0.0.252:5355      -       -    -   unknown
1088  svchost.exe  224.0.0.252:5355      -       -    -   unknown

DNS requests

No data

Threats

No threats detected
No debug info