analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

NanoCore 1.2.2.0.zip

Full analysis: https://app.any.run/tasks/dcc31dce-2005-4c19-90ad-48fcf484f1bc
Verdict: Malicious activity
Analysis date: December 06, 2018, 06:54:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5:

5D5F5BE6CD646E13F2396C898FAA9BCE

SHA1:

F89558FBB24D21030B25C1DC693EF61CB41F0D43

SHA256:

CD9B3888CB65067D32581E84CA37F0CC205E4414DEE66EF9F6D10A15933D72CF

SSDEEP:

196608:QKXT4Mv59c0eUeCjAWkzT3nYLekAyzyu9:zTt80nzI06kAyzyw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • NanoCore.exe (PID: 2196)
      • SearchProtocolHost.exe (PID: 1596)
    • Application was dropped or rewritten from another process

      • NanoCore.exe (PID: 2196)
      • PluginCompiler.exe (PID: 2312)
  • SUSPICIOUS

    • Reads Internet Cache Settings

      • NanoCore.exe (PID: 2196)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3104)
    • Creates files in the user directory

      • NanoCore.exe (PID: 2196)
  • INFO

    • Creates files in the user directory

      • opera.exe (PID: 2996)
      • WINWORD.EXE (PID: 4024)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 4024)
    • Application launched itself

      • chrome.exe (PID: 3496)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: NanoCore 1.2.2.0/
ZipUncompressedSize: -
ZipCompressedSize: -
ZipCRC: 0x00000000
ZipModifyDate: 2018:11:17 21:20:26
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 10
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
58
Monitored processes
17
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe nanocore.exe searchprotocolhost.exe no specs plugincompiler.exe opera.exe chrome.exe chrome.exe no specs chrome.exe no specs wmplayer.exe no specs chrome.exe no specs setup_wm.exe no specs chrome.exe no specs chrome.exe no specs winword.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3104"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\NanoCore 1.2.2.0.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2196"C:\Users\admin\Desktop\NanoCore 1.2.2.0\NanoCore.exe" C:\Users\admin\Desktop\NanoCore 1.2.2.0\NanoCore.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
NanoCore
Exit code:
0
Version:
1.2.2.0
1596"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
2312"C:\Users\admin\Desktop\NanoCore 1.2.2.0\PluginCompiler.exe" C:\Users\admin\Desktop\NanoCore 1.2.2.0\PluginCompiler.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
Exit code:
0
Version:
1.2.0.0
2996"C:\Program Files\Opera\opera.exe" C:\Program Files\Opera\opera.exe
explorer.exe
User:
admin
Company:
Opera Software
Integrity Level:
MEDIUM
Description:
Opera Internet Browser
Exit code:
0
Version:
1748
3496"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
3221225547
Version:
68.0.3440.106
2204"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=68.0.3440.106 --initial-client-data=0x78,0x7c,0x80,0x74,0x84,0x6bac00b0,0x6bac00c0,0x6bac00ccC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
2180"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3308 --on-initialized-event-handle=304 --parent-handle=308 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
2612"C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:1C:\Program Files\Windows Media Player\wmplayer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
360"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=892,11979275594380805880,3727513952695735873,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=7CF0F13B866206B3C8B92897851EE9AF --mojo-platform-channel-handle=912 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
Total events
1 840
Read events
1 605
Write events
0
Delete events
0

Modification events

No data
Executable files
8
Suspicious files
112
Text files
421
Unknown types
42

Dropped files

PID
Process
Filename
Type
3104WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3104.32403\NanoCore 1.2.2.0\builder.logtext
MD5:1EB5E804756D82ED0FB4846FB9E9C398
SHA256:D36573F53F48163DE58905AE9B8B11A8DF28FDE6B687BA5272E55B2C586A1203
3104WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3104.32403\NanoCore 1.2.2.0\Exceptions\Server\1.2.2.0\daa8ff5112677ab959cf02d9c2f07392.logtext
MD5:DAA8FF5112677AB959CF02D9C2F07392
SHA256:C9D7CC4DA53214DA02BBB4949EE975AF4A22065ACE57AD1407F9A15DD2E737FD
3104WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3104.32403\NanoCore 1.2.2.0\Databases\main.sqlitesqlite
MD5:BAE99297D96B524FB81FB96B76ABAA42
SHA256:7C3C680B49C197DFBDEEDE96999E863F5654E3EAE51B6B3A01C8129B2E7201B1
3104WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3104.32403\NanoCore 1.2.2.0\Databases\network.sqlitesqlite
MD5:A037725F54B0222F8A9A720C9BC7B606
SHA256:D9FB6F22737445E3238AC5F39CF4C5747ECE33DB8A3D27F08A035A962BD3C2A7
3104WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3104.32403\NanoCore 1.2.2.0\Plugins\MiscTools.ncpbinary
MD5:78E3006FC6468EB7DFC7761072B84AC6
SHA256:3A3A3B105EEFB45E3B70CC1592E484DF02DF7020D5154E8C2E5D7D439E295E46
3104WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3104.32403\NanoCore 1.2.2.0\Plugins\NanoCoreSwiss.ncpbinary
MD5:FCB5AFD01E75ACA8ED9FBD35A46E54F3
SHA256:BF0386F6E9B4A35FEFE5FE917E2BE7C64867EFE24521F18E4567F8AF5F6DD5E5
3104WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3104.32403\NanoCore 1.2.2.0\client.binexecutable
MD5:906A949E34472F99BA683EFF21907231
SHA256:9D3EA5AF7DC261BF93C76F55D702A315AA22FB241E4207DC86CD834C262245C8
3104WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3104.32403\NanoCore 1.2.2.0\Plugins\ManagementPlugin.ncpbinary
MD5:B612C2C9A6D361A5DB14C04BA126119C
SHA256:B86FE4E126A9748A383A34D615B9598C715F2380C0AAD957495C66923902026C
3104WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3104.32403\NanoCore 1.2.2.0\Plugins\AIO.ncpbinary
MD5:60C274CCB344DA9E3D77449F6068D253
SHA256:0A59AAEE013C57F3B6190D683160D88CA1C5868565CBF5ACBB7B17D3E925C602
3104WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3104.32403\NanoCore 1.2.2.0\Plugins\CorePlugin.ncpbinary
MD5:7914E7302F72D330AA5F6C5C8C26DF43
SHA256:F66985518B1E56A04F512D110F5B79F21ED91CBCBF6BD3E17EBA3DCDFB85F9B5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
16
DNS requests
15
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2996
opera.exe
GET
200
66.225.197.197:80
http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl
US
der
543 b
whitelisted
2996
opera.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj%2FkK8CB3U8zNllZGKiErhZcjsCEAOXQPQlVpLtFek%2BmcpabOk%3D
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2996
opera.exe
66.225.197.197:80
crl4.digicert.com
CacheNetworks, Inc.
US
whitelisted
3496
chrome.exe
216.58.215.238:443
apis.google.com
Google Inc.
US
whitelisted
3496
chrome.exe
216.58.215.234:443
fonts.googleapis.com
Google Inc.
US
whitelisted
3496
chrome.exe
172.217.168.10:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted
3496
chrome.exe
172.217.168.36:443
www.google.com
Google Inc.
US
whitelisted
2996
opera.exe
82.145.215.40:443
certs.opera.com
Opera Software AS
whitelisted
2996
opera.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3496
chrome.exe
172.217.168.3:443
www.google.de
Google Inc.
US
whitelisted
3496
chrome.exe
216.58.215.227:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
3496
chrome.exe
216.58.215.237:443
accounts.google.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
lazyshare.net
unknown
clientservices.googleapis.com
  • 216.58.215.227
whitelisted
www.google.de
  • 172.217.168.3
whitelisted
safebrowsing.googleapis.com
  • 172.217.168.10
whitelisted
accounts.google.com
  • 216.58.215.237
shared
www.gstatic.com
  • 216.58.215.227
whitelisted
ssl.gstatic.com
  • 216.58.215.227
whitelisted
certs.opera.com
  • 82.145.215.40
whitelisted
crl4.digicert.com
  • 66.225.197.197
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted

Threats

No threats detected
Process
Message
NanoCore.exe
Trying to load native SQLite library "C:\Users\admin\Desktop\NanoCore 1.2.2.0\x86\SQLite.Interop.dll"...