URL: | https://onedrive.live.com/download?cid=9E2319E18DD18F2C&resid=9E2319E18DD18F2C%211177&authkey=AEmku_9zpTyYEaI |
Full analysis: | https://app.any.run/tasks/49ec7385-c5a3-49d8-a265-18c4d314bdd2 |
Verdict: | Malicious activity |
Threats: | NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website. |
Analysis date: | April 15, 2019, 06:52:46 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 1B964F77D52FCF1DB456146658B6BB9C |
SHA1: | 09973412D294ECB26CA33F8CC0304F3078D8B0EC |
SHA256: | 9B07363ED7102BAA4C878586506046C8843E4BB98DFE6BD495CC486D8F31044B |
SSDEEP: | 3:N8Ck3CTwKblTaE8P1xSWaE8nUzEQrvppzQ393a:2CkST/Zh8iC8neEgpOa |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2824 | "C:\Program Files\Mozilla Firefox\firefox.exe" https://onedrive.live.com/download?cid=9E2319E18DD18F2C&resid=9E2319E18DD18F2C%211177&authkey=AEmku_9zpTyYEaI | C:\Program Files\Mozilla Firefox\firefox.exe | explorer.exe | |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 65.0.2 | ||||
3672 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2824.0.2043988810\512344834" -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - "C:\Users\admin\AppData\LocalLow\Mozilla\Temp-{ce348e4c-7d33-445e-89f9-60108c51bcaf}" 2824 "\\.\pipe\gecko-crash-server-pipe.2824" 1132 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 65.0.2 | ||||
2368 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2824.6.181342058\1211746250" -childID 1 -isForBrowser -prefsHandle 1228 -prefMapHandle 1844 -prefsLen 1 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2824 "\\.\pipe\gecko-crash-server-pipe.2824" 1828 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | |
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 65.0.2 | ||||
3064 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2824.13.780894971\1542022406" -childID 2 -isForBrowser -prefsHandle 2624 -prefMapHandle 2628 -prefsLen 216 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2824 "\\.\pipe\gecko-crash-server-pipe.2824" 2640 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | |
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 65.0.2 | ||||
3228 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2824.20.1049192431\2047913200" -childID 3 -isForBrowser -prefsHandle 3484 -prefMapHandle 3488 -prefsLen 5824 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2824 "\\.\pipe\gecko-crash-server-pipe.2824" 3500 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | |
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 65.0.2 | ||||
3336 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Fattura.PDF.xz" | C:\Program Files\WinRAR\WinRAR.exe | firefox.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3324 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Fattura.PDF.xz" | C:\Program Files\WinRAR\WinRAR.exe | — | firefox.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3028 | "C:\Users\admin\AppData\Local\Temp\Rar$DIa3336.20786\Fattura.scr" /S | C:\Users\admin\AppData\Local\Temp\Rar$DIa3336.20786\Fattura.scr | WinRAR.exe | |
User: admin Integrity Level: MEDIUM Exit code: 0 | ||||
3524 | "C:\Users\admin\AppData\Local\Temp\73912898\qal.exe" kmm=qdm | C:\Users\admin\AppData\Local\Temp\73912898\qal.exe | — | Fattura.scr |
User: admin Company: AutoIt Team Integrity Level: MEDIUM Description: AutoIt v3 Script Exit code: 0 Version: 3, 3, 14, 5 | ||||
3492 | C:\Users\admin\AppData\Local\Temp\73912898\qal.exe C:\Users\admin\AppData\Local\Temp\73912898\KMMEG | C:\Users\admin\AppData\Local\Temp\73912898\qal.exe | qal.exe | |
User: admin Company: AutoIt Team Integrity Level: MEDIUM Description: AutoIt v3 Script Exit code: 0 Version: 3, 3, 14, 5 |
(PID) Process: | (2824) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
(PID) Process: | (2824) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
Operation: | write | Name: | SavedLegacySettings |
Value: 460000006E000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000 | |||
(PID) Process: | (2824) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (2824) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 | |||
(PID) Process: | (2824) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xz\OpenWithProgids |
Operation: | write | Name: | WinRAR |
Value: | |||
(PID) Process: | — | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | — | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (3336) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtBMP |
Value: | |||
(PID) Process: | (3336) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
Operation: | write | Name: | ShellExtIcon |
Value: | |||
(PID) Process: | (3336) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US |
PID | Process | Filename | Type | |
---|---|---|---|---|
2824 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin | — | |
MD5:— | SHA256:— | |||
2824 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\cache2\trash19626 | — | |
MD5:— | SHA256:— | |||
2824 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js | — | |
MD5:— | SHA256:— | |||
2824 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp | — | |
MD5:— | SHA256:— | |||
2824 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cert9.db-journal | — | |
MD5:— | SHA256:— | |||
2824 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\test-malware-simple.sbstore | — | |
MD5:— | SHA256:— | |||
2824 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\test-malware-simple.pset | — | |
MD5:— | SHA256:— | |||
2824 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\test-phish-simple.sbstore | — | |
MD5:— | SHA256:— | |||
2824 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\test-phish-simple.pset | — | |
MD5:— | SHA256:— | |||
2824 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\test-unwanted-simple.sbstore | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2824 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2824 | firefox.exe | POST | 200 | 172.217.18.99:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 471 b | whitelisted |
2824 | firefox.exe | POST | 200 | 172.217.18.99:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 471 b | whitelisted |
2824 | firefox.exe | POST | 200 | 172.217.18.99:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 471 b | whitelisted |
2824 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2824 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2824 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2824 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2824 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2824 | firefox.exe | GET | 200 | 2.16.186.112:80 | http://detectportal.firefox.com/success.txt | unknown | text | 8 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2824 | firefox.exe | 2.16.186.112:80 | detectportal.firefox.com | Akamai International B.V. | — | whitelisted |
2824 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3392 | RegSvcs.exe | 8.8.8.8:53 | — | Google Inc. | US | whitelisted |
2824 | firefox.exe | 172.217.16.202:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted |
2824 | firefox.exe | 52.24.56.107:443 | shavar.services.mozilla.com | Amazon.com, Inc. | US | unknown |
2824 | firefox.exe | 13.107.42.12:443 | ryyupg.db.files.1drv.com | Microsoft Corporation | US | suspicious |
2824 | firefox.exe | 216.58.207.46:443 | sb-ssl.google.com | Google Inc. | US | whitelisted |
2824 | firefox.exe | 172.217.18.99:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
2824 | firefox.exe | 52.35.250.5:443 | tiles.services.mozilla.com | Amazon.com, Inc. | US | unknown |
2824 | firefox.exe | 52.222.162.48:443 | tracking-protection.cdn.mozilla.net | Amazon.com, Inc. | US | unknown |
Domain | IP | Reputation |
---|---|---|
onedrive.live.com |
| shared |
detectportal.firefox.com |
| whitelisted |
l-0004.l-msedge.net |
| whitelisted |
a1089.dscd.akamai.net |
| whitelisted |
search.services.mozilla.com |
| whitelisted |
search.r53-2.services.mozilla.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
cs9.wac.phicdn.net |
| whitelisted |
tiles.services.mozilla.com |
| whitelisted |
tiles.r53-2.services.mozilla.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3392 | RegSvcs.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 64B |
3392 | RegSvcs.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
3392 | RegSvcs.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
3392 | RegSvcs.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
3392 | RegSvcs.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 64B |
3392 | RegSvcs.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
3392 | RegSvcs.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
3392 | RegSvcs.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 64B |
3392 | RegSvcs.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 64B |
3392 | RegSvcs.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |