| File name: | 6.zip |
| Full analysis: | https://app.any.run/tasks/b0ccd103-9737-434b-90f5-af34a69c97b3 |
| Verdict: | Malicious activity |
| Threats: | NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website. |
| Analysis date: | January 18, 2019, 08:47:11 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | 2F048704A120CAB340B657E6D00B87FC |
| SHA1: | 9F43C1EB613777529AF55068C556C57D916C422F |
| SHA256: | C5BCB0C9D611A0849599413629E90F8F68C991C8E7F93F7B912873234B111306 |
| SSDEEP: | 98304:EGI5IIwb7bFc1COZ7CSKor+AhTPBeuKGIAI:Ep5/wbC0OrNrBgpd |
MALICIOUS
Application was dropped or rewritten from another process
- Steam Account Checker - FLM.exe (PID: 2400)
- Host Process for Windows Tasks.exe (PID: 3064)
- Regasm.exe (PID: 1724)
- Host Process for Windows Tasks.exe (PID: 4008)
- Host Process for Windows Tasks.exe (PID: 3564)
- Regasm.exe (PID: 2760)
- Regasm.exe (PID: 3340)
- Regasm.exe (PID: 2424)
- Host Process for Windows Tasks.exe (PID: 1088)
Loads dropped or rewritten executable
- SearchProtocolHost.exe (PID: 416)
Loads the Task Scheduler COM API
- schtasks.exe (PID: 3660)
- mmc.exe (PID: 2156)
NanoCore was detected
- Regasm.exe (PID: 2760)
Uses Task Scheduler to run other applications
- Steam Account Checker - FLM.exe (PID: 2400)
Changes the autorun value in the registry
- Regasm.exe (PID: 2760)
SUSPICIOUS
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3036)
- Steam Account Checker - FLM.exe (PID: 2400)
- Regasm.exe (PID: 2760)
Starts itself from another location
- Steam Account Checker - FLM.exe (PID: 2400)
Creates files in the user directory
- Steam Account Checker - FLM.exe (PID: 2400)
- Regasm.exe (PID: 2760)
Connects to unusual port
- Regasm.exe (PID: 2760)
INFO
No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | 0x0808 |
| ZipCompression: | None |
| ZipModifyDate: | 2019:01:18 03:27:11 |
| ZipCRC: | 0x393c6741 |
| ZipCompressedSize: | 3241984 |
| ZipUncompressedSize: | 3241984 |
| ZipFileName: | Steam Account Checker/HazardEdit.Tools.dll |
Total processes
47
Monitored processes
14
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 416 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Exit code: 0 Version: 7.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1088 | "C:\Users\admin\AppData\Roaming\Host Process for Windows Tasks.exe" | C:\Users\admin\AppData\Roaming\Host Process for Windows Tasks.exe | — | taskeng.exe | |||||||||||
User: admin Company: Integrity Level: MEDIUM Description: Exit code: 0 Version: 0.0.0.0 Modules
| |||||||||||||||
| 1156 | "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s | C:\Windows\system32\mmc.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Management Console Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1724 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe | — | Host Process for Windows Tasks.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Exit code: 0 Version: 4.6.1055.0 built by: NETFXREL2 Modules
| |||||||||||||||
| 2156 | "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s | C:\Windows\system32\mmc.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Management Console Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2400 | "C:\Users\admin\Desktop\Steam Account Checker\Steam Account Checker - FLM.exe" | C:\Users\admin\Desktop\Steam Account Checker\Steam Account Checker - FLM.exe | explorer.exe | ||||||||||||
User: admin Company: Integrity Level: MEDIUM Description: Exit code: 0 Version: 0.0.0.0 Modules
| |||||||||||||||
| 2424 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe | — | Host Process for Windows Tasks.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Exit code: 0 Version: 4.6.1055.0 built by: NETFXREL2 Modules
| |||||||||||||||
| 2760 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regasm.exe | Host Process for Windows Tasks.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Assembly Registration Utility Exit code: 0 Version: 4.6.1055.0 built by: NETFXREL2 Modules
| |||||||||||||||
| 3036 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\6.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 Modules
| |||||||||||||||
| 3064 | "C:\Users\admin\AppData\Roaming\Host Process for Windows Tasks.exe" | C:\Users\admin\AppData\Roaming\Host Process for Windows Tasks.exe | — | Steam Account Checker - FLM.exe | |||||||||||
User: admin Company: Integrity Level: MEDIUM Description: Exit code: 0 Version: 0.0.0.0 Modules
| |||||||||||||||
Total events
1 228
Read events
1 211
Write events
17
Delete events
0
Modification events
| (PID) Process: | (3036) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3036) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3036) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3036) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\6.zip | |||
| (PID) Process: | (3036) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3036) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3036) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (3036) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (416) SearchProtocolHost.exe | Key: | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\5F\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (416) SearchProtocolHost.exe | Key: | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\5F\52C64B7E |
| Operation: | write | Name: | @C:\Windows\system32\notepad.exe,-469 |
Value: Text Document | |||
Executable files
11
Suspicious files
2
Text files
1
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3036.28298\Steam Account Checker\Steam Account Checker - FLM.exe | executable | |
MD5:— | SHA256:— | |||
| 3036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3036.28298\Steam Account Checker\ElasticEmail.WebApiClient.dll | executable | |
MD5:— | SHA256:— | |||
| 2760 | Regasm.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat | binary | |
MD5:— | SHA256:— | |||
| 3036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3036.28298\Steam Account Checker\NotificationSound\beep.wav | wav | |
MD5:— | SHA256:— | |||
| 3036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3036.28298\Steam Account Checker\Cyotek.Windows.Forms.ColorPicker.dll | executable | |
MD5:— | SHA256:— | |||
| 3036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3036.28298\Steam Account Checker\Results\Results From January 12, 2019 @ 07.08\Bad Checked By TCM's Skin Checker.txt | text | |
MD5:— | SHA256:— | |||
| 3036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3036.28298\Steam Account Checker\xNet.dll | executable | |
MD5:158DEFD55A804AA8D4D67BFDF7A4AF9C | SHA256:6C7EC4CC31A2CE0B97703B7A42E3448E9B87D96DDA12761CA24D8787AC27CFF1 | |||
| 2760 | Regasm.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe | executable | |
MD5:911BDF77EB94E48CA524252A3FD47019 | SHA256:A07564A8771DAFA3EBE9ACEAA20C327EFA2D0AC2EDC06B2BBC3EEBDC66600641 | |||
| 3036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3036.28298\Steam Account Checker\MailKit.dll | executable | |
MD5:BE99F9896236C6106887959541D22F05 | SHA256:786E2126D22AFABCB42D57CF07760690C18C21007C93ABAED0CB4C7FE2044EB6 | |||
| 3036 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3036.28298\Steam Account Checker\HazardEdit.Tools.dll | executable | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
24
DNS requests
12
Threats
24
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2760 | Regasm.exe | 8.8.8.8:53 | — | Google Inc. | US | malicious |
2760 | Regasm.exe | 82.10.185.160:1085 | piglion.ddns.net | Virgin Media Limited | GB | suspicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
piglion.ddns.net |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2760 | Regasm.exe | A Network Trojan was detected | SC BAD_UNKNOWN Query to a Suspicious *.ddns.net Domain |
2760 | Regasm.exe | A Network Trojan was detected | SC BAD_UNKNOWN Generic dynamic DNS detection |
2760 | Regasm.exe | A Network Trojan was detected | SC BAD_UNKNOWN Query to a Suspicious *.ddns.net Domain |
2760 | Regasm.exe | A Network Trojan was detected | SC BAD_UNKNOWN Generic dynamic DNS detection |
2760 | Regasm.exe | A Network Trojan was detected | SC BAD_UNKNOWN Query to a Suspicious *.ddns.net Domain |
2760 | Regasm.exe | A Network Trojan was detected | SC BAD_UNKNOWN Generic dynamic DNS detection |
2760 | Regasm.exe | A Network Trojan was detected | SC BAD_UNKNOWN Query to a Suspicious *.ddns.net Domain |
2760 | Regasm.exe | A Network Trojan was detected | SC BAD_UNKNOWN Generic dynamic DNS detection |
2760 | Regasm.exe | A Network Trojan was detected | SC BAD_UNKNOWN Query to a Suspicious *.ddns.net Domain |
2760 | Regasm.exe | A Network Trojan was detected | SC BAD_UNKNOWN Generic dynamic DNS detection |
Process | Message |
|---|---|
mmc.exe | Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
|
mmc.exe | OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
|
mmc.exe | AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
|
mmc.exe | ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
|