| File name: | file.exe |
| Full analysis: | https://app.any.run/tasks/b932f1fa-494a-4c6f-8e95-decdcc4b951d |
| Verdict: | Malicious activity |
| Threats: | NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website. |
| Analysis date: | February 04, 2024, 18:33:04 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | 2983BB54D0194B59464B242120DCE0D0 |
| SHA1: | 8E059B8EB234ABC9A1FBC9929535045F0CCCC8C0 |
| SHA256: | 9A716C9DEA846B00E9D5AE61D634CAFA74E82B784F681B465F650F99C4442F40 |
| SSDEEP: | 3072:6pjFiF4UMYXw+zcgi+oG/j9iaMP2s/HiuHktWaF7UV+C3GzUmnzfNsj7bC4vm:6NFfUMuzkIM5Pi/7UV+C2lzfyFvm |
MALICIOUS
Drops the executable file immediately after the start
- file.exe (PID: 1504)
- file.exe (PID: 2380)
NANOCORE has been detected (SURICATA)
- file.exe (PID: 2380)
NANOCORE has been detected (YARA)
- file.exe (PID: 2380)
Actions looks like stealing of personal data
- file.exe (PID: 2380)
Steals credentials from Web Browsers
- file.exe (PID: 2380)
Connects to the CnC server
- file.exe (PID: 2380)
SUSPICIOUS
Executable content was dropped or overwritten
- file.exe (PID: 1504)
- file.exe (PID: 2380)
Application launched itself
- file.exe (PID: 1504)
Reads the Internet Settings
- file.exe (PID: 1504)
Starts CMD.EXE for commands execution
- file.exe (PID: 2380)
Process uses IPCONFIG to get network configuration information
- cmd.exe (PID: 3412)
INFO
Reads the machine GUID from the registry
- file.exe (PID: 1504)
- file.exe (PID: 2380)
Process checks whether UAC notifications are on
- file.exe (PID: 1504)
- file.exe (PID: 2380)
Checks supported languages
- file.exe (PID: 1504)
- file.exe (PID: 2380)
Creates files or folders in the user directory
- file.exe (PID: 1504)
- file.exe (PID: 2380)
Reads the computer name
- file.exe (PID: 1504)
- file.exe (PID: 2380)
Create files in a temporary directory
- file.exe (PID: 2380)
Creates files in the program directory
- file.exe (PID: 2380)
Reads Environment values
- file.exe (PID: 2380)
Reads product name
- file.exe (PID: 2380)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Nanocore
(PID) Process(2380) file.exe
BuildTime2024-02-04 18:32:14.550768
Version1.2.2.0
Mutexa4fd98ed-c72f-4bb4-8a27-cf30631c5962
DefaultGroupDefault
PrimaryConnectionHost
BackupConnectionHostobfuscated.us
ConnectionPort8080
RunOnStartupTrue
RequestElevationTrue
BypassUserAccountControlTrue
ClearZoneIdentifierTrue
ClearAccessControlFalse
SetCriticalProcessFalse
PreventSystemSleepTrue
ActivateAwayModeFalse
EnableDebugModeFalse
RunDelay0
ConnectDelay4000
RestartDelay5000
TimeoutInterval5000
KeepAliveTimeout30000
MutexTimeout5000
LanTimeout2500
WanTimeout8000
BufferSize65535
MaxPacketSize10485760
GCThreshold10485760
UseCustomDnsServerTrue
PrimaryDnsServer8.8.8.8
BackupDnsServer8.8.4.4
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (63.1) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (23.8) |
| .dll | | | Win32 Dynamic Link Library (generic) (5.6) |
| .exe | | | Win32 Executable (generic) (3.8) |
| .exe | | | Generic Win/DOS Executable (1.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2015:02:22 01:49:37+01:00 |
| ImageFileCharacteristics: | Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 116736 |
| InitializedDataSize: | 90624 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1e792 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
Total processes
48
Monitored processes
7
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1504 | "C:\Users\admin\AppData\Local\Temp\file.exe" | C:\Users\admin\AppData\Local\Temp\file.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 2380 | "C:\Users\admin\AppData\Local\Temp\file.exe" | C:\Users\admin\AppData\Local\Temp\file.exe | file.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
Nanocore(PID) Process(2380) file.exe BuildTime2024-02-04 18:32:14.550768 Version1.2.2.0 Mutexa4fd98ed-c72f-4bb4-8a27-cf30631c5962 DefaultGroupDefault PrimaryConnectionHost BackupConnectionHostobfuscated.us ConnectionPort8080 RunOnStartupTrue RequestElevationTrue BypassUserAccountControlTrue ClearZoneIdentifierTrue ClearAccessControlFalse SetCriticalProcessFalse PreventSystemSleepTrue ActivateAwayModeFalse EnableDebugModeFalse RunDelay0 ConnectDelay4000 RestartDelay5000 TimeoutInterval5000 KeepAliveTimeout30000 MutexTimeout5000 LanTimeout2500 WanTimeout8000 BufferSize65535 MaxPacketSize10485760 GCThreshold10485760 UseCustomDnsServerTrue PrimaryDnsServer8.8.8.8 BackupDnsServer8.8.4.4 | |||||||||||||||
| 3084 | "schtasks.exe" /create /f /tn "TCP Monitor Task" /xml "C:\Users\admin\AppData\Local\Temp\tmp3658.tmp" | C:\Windows\System32\schtasks.exe | — | file.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3244 | "schtasks.exe" /create /f /tn "TCP Monitor" /xml "C:\Users\admin\AppData\Local\Temp\tmp35F9.tmp" | C:\Windows\System32\schtasks.exe | — | file.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3412 | "cmd.exe" | C:\Windows\System32\cmd.exe | — | file.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 4294967295 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3588 | ipconfig | C:\Windows\System32\ipconfig.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: IP Configuration Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3592 | calc | C:\Windows\System32\calc.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Calculator Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
1 571
Read events
1 562
Write events
8
Delete events
1
Modification events
| (PID) Process: | (1504) file.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (1504) file.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (1504) file.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (1504) file.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (2380) file.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
| Operation: | delete value | Name: | TCP Monitor |
Value: C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe | |||
Executable files
2
Suspicious files
3
Text files
4
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2380 | file.exe | C:\Users\admin\AppData\Local\Temp\tmp35F9.tmp | xml | |
MD5:FD49015C170B3B45E0D3CC1B436E13E5 | SHA256:B5B251C5DD3F73B4FF66B090D4452B204FD0B8D33062A96CB99A5A59E59CF05C | |||
| 1504 | file.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe | executable | |
MD5:2983BB54D0194B59464B242120DCE0D0 | SHA256:9A716C9DEA846B00E9D5AE61D634CAFA74E82B784F681B465F650F99C4442F40 | |||
| 2380 | file.exe | C:\Program Files\TCP Monitor\tcpmon.exe | executable | |
MD5:2983BB54D0194B59464B242120DCE0D0 | SHA256:9A716C9DEA846B00E9D5AE61D634CAFA74E82B784F681B465F650F99C4442F40 | |||
| 2380 | file.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\task.dat | text | |
MD5:F08B14FCBC3D3D030AC0AE080647A033 | SHA256:7AFA504DB07926614C63433EAE337B209F064390A5C1769FD552510ABC5DBDE1 | |||
| 2380 | file.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\settings.bin | binary | |
MD5:AE0F5E6CE7122AF264EC533C6B15A27B | SHA256:73B0B92179C61C26589B47E9732CE418B07EDEE3860EE5A2A5FB06F3B8AA9B26 | |||
| 2380 | file.exe | C:\Users\admin\AppData\Local\Temp\tmp3658.tmp | xml | |
MD5:E4118E3EC98934AA1D4235C87B44AA31 | SHA256:EFC475D73603DF6A26978D7BCAC27004830137E97FDD1656140B4A08C07470D9 | |||
| 2380 | file.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\storage.dat | binary | |
MD5:963D5E2C9C0008DFF05518B47C367A7F | SHA256:5EACF2974C9BB2C2E24CDC651C4840DD6F4B76A98F0E85E90279F1DBB2E6F3C0 | |||
| 1504 | file.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat | text | |
MD5:BBEC09BEDA51F47E5E1C4A2F05A07B0A | SHA256:AEC6D33D87013B6BFB7DB3C0F8BFCB5930CA76EB0C3036CEE52E3D524A0AB7B5 | |||
| 2380 | file.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\catalog.dat | binary | |
MD5:32D0AAE13696FF7F8AF33B2D22451028 | SHA256:5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
6
DNS requests
2
Threats
23
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
2380 | file.exe | 103.13.210.210:8080 | obfuscated.us | ARTERIA Networks Corporation | JP | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
obfuscated.us |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2380 | file.exe | Malware Command and Control Activity Detected | ET MALWARE NanoCore RAT CnC 7 |
2380 | file.exe | Malware Command and Control Activity Detected | ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound) |
2380 | file.exe | Malware Command and Control Activity Detected | ET MALWARE NanoCore RAT CnC 7 |
2380 | file.exe | Malware Command and Control Activity Detected | ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound) |
2380 | file.exe | Malware Command and Control Activity Detected | ET MALWARE NanoCore RAT CnC 7 |
2380 | file.exe | Malware Command and Control Activity Detected | ET MALWARE NanoCore RAT CnC 7 |
2380 | file.exe | A Network Trojan was detected | ET MALWARE NanoCore RAT Keepalive Response 1 |
2380 | file.exe | Malware Command and Control Activity Detected | ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound) |
2380 | file.exe | Malware Command and Control Activity Detected | ET MALWARE NanoCore RAT CnC 7 |
2380 | file.exe | Malware Command and Control Activity Detected | ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound) |
1 ETPRO signatures available at the full report