Sample: IMPORT PO COPY & PAYMENT.pdf.z (submitted as IMPORT%20PO%20COPY%20%26%20PAYMENT.pdf.z)

Full analysis: https://app.any.run/tasks/15b41529-ce1f-4a8c-9fc6-8fee27a7f050
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Analysis date: April 23, 2019, 11:47:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: autoit, rat, nanocore, trojan
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 08CD951E3F2008B8CA47F9184AF04D48
SHA1: 91C7FD47D8465297E5F5D3F9C60F65F506AAE382
SHA256: B427942B3713BE15EBC4635B43007D6C26B6E47CBC6E763BC1D9948EE9E674F5
SSDEEP: 24576:x/T8XIrltl3X+jNQyXBmDpRlpmPkYUxzqweFyEm1h:Fbvl3X+bqpdmTweFyEm1h

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • IMPORT PO COPY & PAYMENT.exe (PID: 676)
      • xmn.exe (PID: 2480)
      • xmn.exe (PID: 3396)
      • RegSvcs.exe (PID: 2852)
    • NanoCore was detected

      • RegSvcs.exe (PID: 2852)
    • Changes the autorun value in the registry

      • xmn.exe (PID: 2480)
      • RegSvcs.exe (PID: 2852)
    • Connects to CnC server

      • RegSvcs.exe (PID: 2852)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • IMPORT PO COPY & PAYMENT.exe (PID: 676)
      • WinRAR.exe (PID: 3696)
      • RegSvcs.exe (PID: 2852)
    • Drop AutoIt3 executable file

      • IMPORT PO COPY & PAYMENT.exe (PID: 676)
    • Creates files in the user directory

      • RegSvcs.exe (PID: 2852)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • IMPORT PO COPY & PAYMENT.exe (PID: 676)
      • xmn.exe (PID: 3396)
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
  ZipRequiredVersion: 20
  ZipBitFlag: -
  ZipCompression: Deflated
  ZipModifyDate: 2019:04:23 15:38:21
  ZipCRC: 0xb9be01e0
  ZipCompressedSize: 878852
  ZipUncompressedSize: 933356
  ZipFileName: IMPORT PO COPY & PAYMENT.exe
Total processes: 36
Monitored processes: 5
Malicious processes: 5
Suspicious processes: 0

Behavior graph (process chain as drawn in the graph):
  winrar.exe -> [drop and start] import po copy & payment.exe -> [drop and start] xmn.exe -> [start] xmn.exe (no specs) -> regsvcs.exe (#NANOCORE)

Process information

PID 3696: WinRAR.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\a8497e25-8b17-4bec-a127-a1681391e016.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 676: IMPORT PO COPY & PAYMENT.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3696.7043\IMPORT PO COPY & PAYMENT.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3696.7043\IMPORT PO COPY & PAYMENT.exe
  Parent process: WinRAR.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 3396: xmn.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\48368047\xmn.exe" hxf=ihv
  Path: C:\Users\admin\AppData\Local\Temp\48368047\xmn.exe
  Parent process: IMPORT PO COPY & PAYMENT.exe
  User: admin
  Company: AutoIt Team
  Integrity Level: MEDIUM
  Description: AutoIt v3 Script
  Exit code: 0
  Version: 3, 3, 14, 5

PID 2480: xmn.exe
  CMD: C:\Users\admin\AppData\Local\Temp\48368047\xmn.exe C:\Users\admin\AppData\Local\Temp\48368047\JVWQC
  Path: C:\Users\admin\AppData\Local\Temp\48368047\xmn.exe
  Parent process: xmn.exe
  User: admin
  Company: AutoIt Team
  Integrity Level: MEDIUM
  Description: AutoIt v3 Script
  Exit code: 0
  Version: 3, 3, 14, 5

PID 2852: RegSvcs.exe
  CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  Parent process: xmn.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft .NET Services Installation Utility
  Version: 4.6.1055.0 built by: NETFXREL2
Total events: 822
Read events: 803
Write events: 19
Delete events: 0

Modification events

(PID 3696) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | Value: (empty)
(PID 3696) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | Value: (empty)
(PID 3696) WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E | LanguageList | Value: en-US
(PID 3696) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | Value: C:\Users\admin\AppData\Local\Temp\a8497e25-8b17-4bec-a127-a1681391e016.zip
(PID 3696) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | Value: 120
(PID 3696) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | Value: 80
(PID 3696) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | Value: 120
(PID 3696) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | Value: 100
(PID 3696) WinRAR.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | Value: 0
(PID 3696) WinRAR.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | Value: 1
Executable files: 3
Suspicious files: 3
Text files: 50
Unknown types: 1

Dropped files

PID 676 (IMPORT PO COPY & PAYMENT.exe): C:\Users\admin\AppData\Local\Temp\48368047\hxf=ihv (text)
  MD5: 15EFF28DCB59D3DD64DCF69667E4474F
  SHA256: F01C9E68BAD7F3E7BF1191A6908B2A14040559B55A387B5BCAE8A01758A3F1DD
PID 3696 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$EXa3696.7043\IMPORT PO COPY & PAYMENT.exe (executable)
  MD5: D4AAE604429E410816939C7A6AB37415
  SHA256: 05AAF5BC058D648159D82B32035F59C03E7A0A40B40D98E64A4EAA7031D5C558
PID 676 (IMPORT PO COPY & PAYMENT.exe): C:\Users\admin\AppData\Local\Temp\48368047\bdu.icm (text)
  MD5: 96A38736544ECBFF78A227B629BEB87C
  SHA256: 20A6898BC52F770516FBA101B2D7FA2A32118720F434D1A29F6557DFE1B7B585
PID 676 (IMPORT PO COPY & PAYMENT.exe): C:\Users\admin\AppData\Local\Temp\48368047\hho.icm (text)
  MD5: CF86C4F125115E0CF76BF1BFBBE02B7E
  SHA256: CF314B2243296044E15796C93AA3C11643594DD4DA9DD90B61CC16AF988E76F9
PID 676 (IMPORT PO COPY & PAYMENT.exe): C:\Users\admin\AppData\Local\Temp\48368047\nrb.docx (text)
  MD5: 96CCB47789B92D830FF44119FC7BCAC4
  SHA256: A0BADD587176933717A7DC51AADC7B6D905C410FA9B9FB3361822CA0B1278C88
PID 676 (IMPORT PO COPY & PAYMENT.exe): C:\Users\admin\AppData\Local\Temp\48368047\wgq.txt (text)
  MD5: 88240B71B63937310410806A8F86D9ED
  SHA256: 77B7B248996708EDFA897CF353A3D033AFD06A104EE8B9546E4A77314BC34123
PID 676 (IMPORT PO COPY & PAYMENT.exe): C:\Users\admin\AppData\Local\Temp\48368047\owr.ico (text)
  MD5: 12C05E09565A729BB7EF19A9EFB38948
  SHA256: 6B272E8DBF82A4E3A0516EC96E0C0B8CE4D19A387D8540FF36BADAC7ED52E3FF
PID 676 (IMPORT PO COPY & PAYMENT.exe): C:\Users\admin\AppData\Local\Temp\48368047\vpn.mp4 (text)
  MD5: A258C507C96B365BBB1B466F1DE50206
  SHA256: 7A8E60AEB2A0F01BC8AD3FC8AB152096525EF9B3D3A83A9E5E2B3C55E2F56721
PID 676 (IMPORT PO COPY & PAYMENT.exe): C:\Users\admin\AppData\Local\Temp\48368047\pqc.xl (text)
  MD5: 6616198424C1D8F4EE9E24BC52B36506
  SHA256: 52068234B8E4063A08AE6C2A49B5CAEF7DE91FE7F65C1623E453CF462841090F
PID 676 (IMPORT PO COPY & PAYMENT.exe): C:\Users\admin\AppData\Local\Temp\48368047\uon.pdf (text)
  MD5: 33604C607336B8CD19EF45A58EFF2067
  SHA256: 2581DE48FBA35E6CD79609EA0E111726564807284790A12E32D1566DCD8DF2E4
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID 2852 (RegSvcs.exe) -> 212.7.208.108:8657 | Domain: rbenjamin9696.ddns.net | ASN: LeaseWeb Netherlands B.V. | CN: NL | Reputation: malicious
PID 2852 (RegSvcs.exe) -> 8.8.8.8:53 | ASN: Google Inc. | CN: US | Reputation: whitelisted

DNS requests

rbenjamin9696.ddns.net -> 212.7.208.108 | Reputation: malicious

Threats

PID 2852 (RegSvcs.exe) | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 60B
PID 2852 (RegSvcs.exe) | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT
PID 2852 (RegSvcs.exe) | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT
PID 2852 (RegSvcs.exe) | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT
PID 2852 (RegSvcs.exe) | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT
PID 2852 (RegSvcs.exe) | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT
PID 2852 (RegSvcs.exe) | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT
9 ETPRO signatures available at the full report
No debug info