URL: | https://www.dropbox.com/s/guzbanwzgn87jqp/Advance%20swift%20copy.pdf.z?dl=1 |
Full analysis: | https://app.any.run/tasks/fdbd18d8-456d-4a93-b42b-a04ddbc3fc43 |
Verdict: | Malicious activity |
Threats: | NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website. |
Analysis date: | July 17, 2019, 08:13:39 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 67DDC5D4DA5D2C3E4679966F6E9B9CA7 |
SHA1: | 3D534CA7605EE1C144EC533851E08715945B0510 |
SHA256: | ABF87B1505389F440F669E75D43E269B841BF31EC7B8AC653EDD04DA52128897 |
SSDEEP: | 3:N8DSLcVHGkYgSITEIuXDrKJ5:2OLHkUIT7T |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3436 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3560 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3436 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3460 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\99FORPZD\Advance%20swift%20copy.pdf[1].z" | C:\Program Files\WinRAR\WinRAR.exe | iexplore.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2192 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3460.26400\Advance swift copy_DFF8D0F.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3460.26400\Advance swift copy_DFF8D0F.exe | WinRAR.exe | |
User: admin Company: Pullout6 Integrity Level: MEDIUM Description: coexecutor Exit code: 0 Version: 1.03.0004 | ||||
1172 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa3460.26957\pictures sample_3091BB0.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa3460.26957\pictures sample_3091BB0.exe | — | WinRAR.exe |
User: admin Company: rectifying4 Integrity Level: MEDIUM Description: Sambucaceae6 Exit code: 0 Version: 1.05.0004 | ||||
2852 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\subfolder\winlogon.vbs" | C:\Windows\System32\WScript.exe | Advance swift copy_DFF8D0F.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3744 | "C:\Users\admin\subfolder\winlogon.exe" | C:\Users\admin\subfolder\winlogon.exe | — | Advance swift copy_DFF8D0F.exe |
User: admin Company: Pullout6 Integrity Level: MEDIUM Description: coexecutor Exit code: 0 Version: 1.03.0004 | ||||
3712 | C:\Users\admin\subfolder\winlogon.exe" | C:\Users\admin\subfolder\winlogon.exe | winlogon.exe | |
User: admin Company: Pullout6 Integrity Level: MEDIUM Description: coexecutor Version: 1.03.0004 | ||||
1352 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\subfolder\winlogon.vbs" | C:\Windows\System32\WScript.exe | pictures sample_3091BB0.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3328 | "C:\Users\admin\subfolder\winlogon.exe" | C:\Users\admin\subfolder\winlogon.exe | — | pictures sample_3091BB0.exe |
User: admin Company: Pullout6 Integrity Level: MEDIUM Description: coexecutor Exit code: 0 Version: 1.03.0004 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3436 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
3436 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
3560 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@dropbox[1].txt | — | |
MD5:— | SHA256:— | |||
3560 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt | — | |
MD5:— | SHA256:— | |||
3436 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF62F5E96E72C2D11C.TMP | — | |
MD5:— | SHA256:— | |||
3436 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFFF1DEA2F6E2935B4.TMP | — | |
MD5:— | SHA256:— | |||
3436 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{D0E09653-A86A-11E9-B2FD-5254004A04AF}.dat | — | |
MD5:— | SHA256:— | |||
3560 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | |
MD5:EA2021CF6DE7764B108E4164D2920808 | SHA256:590B5278286FE4F6D69A94F64D6DF5BDE824A8B354C66281AEAE94654A344928 | |||
3436 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019071720190718\index.dat | dat | |
MD5:015BCEEBB8890029BDDF98DF1BCF0DA4 | SHA256:02A8C2AB0EC64137365E41A40CE042EA555C53AB32B914C2CCCA73DC020FA5F7 | |||
3436 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{D0E09654-A86A-11E9-B2FD-5254004A04AF}.dat | binary | |
MD5:F3A91921B09F32F9FF691AFC9E2AEFAE | SHA256:9CD7C0A9101F69FFB2C0B54B5ACEB6CDFCBD3B47FD63248430A05FD0C1666BD1 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3436 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3560 | iexplore.exe | 162.125.66.6:443 | uc742a51cdf1acb5de28933354b5.dl.dropboxusercontent.com | Dropbox, Inc. | DE | shared |
3436 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3712 | winlogon.exe | 8.8.8.8:53 | — | Google Inc. | US | whitelisted |
3560 | iexplore.exe | 162.125.66.1:443 | www.dropbox.com | Dropbox, Inc. | DE | shared |
3712 | winlogon.exe | 185.247.228.5:3640 | xtracool1.ddns.net | — | — | malicious |
Domain | IP | Reputation |
---|---|---|
www.bing.com |
| whitelisted |
www.dropbox.com |
| shared |
uc742a51cdf1acb5de28933354b5.dl.dropboxusercontent.com |
| malicious |
xtracool1.ddns.net |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3560 | iexplore.exe | Potential Corporate Privacy Violation | SUSPICIOUS [PTsecurity] Dropbox SSL Payload Request |
3712 | winlogon.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 60B |
3712 | winlogon.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
3712 | winlogon.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
3712 | winlogon.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
3712 | winlogon.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
3712 | winlogon.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
3712 | winlogon.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
3712 | winlogon.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
3712 | winlogon.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |