File name: svchost.exe

Full analysis: https://app.any.run/tasks/dde01069-7c3f-498a-a128-af14d93bfae2
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Analysis date: November 25, 2023, 10:38:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: nanocore, rat, remote
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 0973386D176773D2793FF73C204F132D
SHA1: 1B9514B436A72C99DEF27F6518DC3BAB4009614E
SHA256: E19847108170899628147248A03DD0B6A132EE4B483A2A9CF02C81408F410165
SSDEEP: 98304:YiE4liuICVN4ZgUm13luqM8FBMHBhrDYp8Usvt8/57was2prHUKO5w7vxg52b6xw:YV1k6a

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • svchost.exe (PID: 1668)
      • test.exe (PID: 2976)
    • Connects to the CnC server

      • test.exe (PID: 2976)
    • NANOCORE has been detected (YARA)

      • test.exe (PID: 2976)
    • NANOCORE has been detected (SURICATA)

      • test.exe (PID: 2976)
  • SUSPICIOUS

    • The process checks if it is being run in the virtual environment

      • svchost.exe (PID: 1668)
    • Reads the Internet Settings

      • svchost.exe (PID: 1668)
    • Connects to unusual port

      • test.exe (PID: 2976)
  • INFO

    • Checks supported languages

      • svchost.exe (PID: 1668)
      • test.exe (PID: 2976)
      • wmpnscfg.exe (PID: 2252)
    • Process checks whether UAC notifications are on

      • test.exe (PID: 2976)
    • Creates files in the program directory

      • test.exe (PID: 2976)
    • Reads the computer name

      • svchost.exe (PID: 1668)
      • test.exe (PID: 2976)
      • wmpnscfg.exe (PID: 2252)
    • Creates files in a temporary directory

      • svchost.exe (PID: 1668)
    • Reads the machine GUID from the registry

      • test.exe (PID: 2976)
      • wmpnscfg.exe (PID: 2252)
    • Reads Environment values

      • test.exe (PID: 2976)
    • Creates files or folders in the user directory

      • test.exe (PID: 2976)
    • Reads product name

      • test.exe (PID: 2976)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 2252)

Nanocore

(PID) Process: (2976) test.exe
BuildTime: 2023-11-25 04:46:57.283696
Version: 1.2.2.0
Mutex: c5fa0484-6841-42e6-8369-d6417bb6aa7f
DefaultGroup: Slaved
PrimaryConnectionHost: report-reed.gl.at.ply.gg
BackupConnectionHost: report-reed.gl.at.ply.gg
ConnectionPort: 25786
RunOnStartup: True
RequestElevation: False
BypassUserAccountControl: False
ClearZoneIdentifier: True
ClearAccessControl: True
SetCriticalProcess: False
PreventSystemSleep: True
ActivateAwayMode: False
EnableDebugMode: False
RunDelay: 0
ConnectDelay: 4000
RestartDelay: 5000
TimeoutInterval: 5000
KeepAliveTimeout: 30000
MutexTimeout: 5000
LanTimeout: 2500
WanTimeout: 8000
BufferSize: 65535
MaxPacketSize: 10485760
GCThreshold: 10485760
UseCustomDnsServer: True
PrimaryDnsServer: 8.8.8.8
BackupDnsServer: 8.8.4.4

TRiD (file type identification, match confidence in %)

.exe | NSIS - Nullsoft Scriptable Install System (94.8)
.exe | Win32 Executable MS Visual C++ (generic) (3.4)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.5)
.exe | Generic Win/DOS Executable (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2007:03:31 17:09:55+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 23552
InitializedDataSize: 165376
UninitializedDataSize: 1024
EntryPoint: 0x315d
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 42
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

[Interactive process graph, available in the full report. Processes shown: svchost.exe, test.exe (#NANOCORE), wmpnscfg.exe (no specs), svchost.exe (no specs)]

Process information

PID 948
CMD: "C:\Users\admin\AppData\Local\Temp\svchost.exe"
Path: C:\Users\admin\AppData\Local\Temp\svchost.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Modules (images):
  • c:\users\admin\appdata\local\temp\svchost.exe
  • c:\windows\system32\ntdll.dll

PID 1668
CMD: "C:\Users\admin\AppData\Local\Temp\svchost.exe"
Path: C:\Users\admin\AppData\Local\Temp\svchost.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  • c:\users\admin\appdata\local\temp\svchost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\shell32.dll

PID 2252
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\program files\windows media player\wmpnscfg.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\sspicli.dll
  • c:\windows\system32\ole32.dll

PID 2976
CMD: "C:\Users\admin\AppData\Local\Temp\test.exe"
Path: C:\Users\admin\AppData\Local\Temp\test.exe
Parent process: svchost.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  • c:\users\admin\appdata\local\temp\test.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\apppatch\acgenral.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\rpcrt4.dll
Total events: 1 172
Read events: 1 161
Write events: 8
Delete events: 3

Modification events

PID 1668, svchost.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: ProxyBypass | Value: 1

PID 1668, svchost.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: IntranetName | Value: 1

PID 1668, svchost.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: UNCAsIntranet | Value: 1

PID 1668, svchost.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: AutoDetect | Value: 0

PID 2252, wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{2B0B75C8-1254-4AE1-8C01-4CE3EFB67904}\{06B01EA5-A150-4CDE-99B6-BB542FCD6D01}
Operation: delete key | Name: (default) | Value: (empty)

PID 2252, wmpnscfg.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{2B0B75C8-1254-4AE1-8C01-4CE3EFB67904}
Operation: delete key | Name: (default) | Value: (empty)

PID 2252, wmpnscfg.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{B08E24A9-FA0D-479C-8EF2-D2080F7603F4}
Operation: delete key | Name: (default) | Value: (empty)
Executable files: 3
Suspicious files: 2
Text files: 1
Unknown types: 0

Dropped files

PID 2976, test.exe: C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat (text)
MD5: 799FE498940C72162CE0494677B960AE
SHA256: 2F5BD7E10DA4290692BBFBFFD1B97B8C5A00CF2ADF16716FDD4D0229725EBA23

PID 2976, test.exe: C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\settings.bin (binary)
MD5: AE0F5E6CE7122AF264EC533C6B15A27B
SHA256: 73B0B92179C61C26589B47E9732CE418B07EDEE3860EE5A2A5FB06F3B8AA9B26

PID 1668, svchost.exe: C:\Users\admin\AppData\Local\Temp\ewan.exe (executable)
MD5: 2D07068B96E3F9C25E8B4291BC33B2D7
SHA256: 69CC7C6A967922979E4E560CEFE085B359532E6F64B73A58BDFB7FB2F3CAB0FA

PID 2976, test.exe: C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\catalog.dat (binary)
MD5: 32D0AAE13696FF7F8AF33B2D22451028
SHA256: 5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29

PID 2976, test.exe: C:\Program Files\TCP Monitor\tcpmon.exe (executable; same hashes as test.exe below)
MD5: 3511C9D5FA66610826129D4A821E61ED
SHA256: 91627CFFCF4DC45431A510D1BC96E50BEDD34C7D20FCA36823B611C17F311505

PID 1668, svchost.exe: C:\Users\admin\AppData\Local\Temp\test.exe (executable)
MD5: 3511C9D5FA66610826129D4A821E61ED
SHA256: 91627CFFCF4DC45431A510D1BC96E50BEDD34C7D20FCA36823B611C17F311505
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 1
Threats: 40

HTTP requests

No HTTP requests

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
2976 | test.exe | 147.185.221.17:25786 | report-reed.gl.at.ply.gg | PLAYIT-GG | US | malicious

DNS requests

Domain | IP | Reputation
report-reed.gl.at.ply.gg | 147.185.221.17 | malicious

Threats

PID | Process | Class | Message
2976 | test.exe | Potentially Bad Traffic | ET INFO playit .gg Tunneling Domain in DNS Lookup
2976 | test.exe | Malware Command and Control Activity Detected | ET MALWARE NanoCore RAT CnC 7
2976 | test.exe | Malware Command and Control Activity Detected | ET MALWARE NanoCore RAT CnC 7
2976 | test.exe | Malware Command and Control Activity Detected | ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)
2976 | test.exe | Malware Command and Control Activity Detected | ET MALWARE NanoCore RAT CnC 7
2976 | test.exe | Malware Command and Control Activity Detected | ET MALWARE NanoCore RAT CnC 7
2976 | test.exe | Malware Command and Control Activity Detected | ET MALWARE NanoCore RAT CnC 7
2976 | test.exe | Malware Command and Control Activity Detected | ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)
2976 | test.exe | Malware Command and Control Activity Detected | ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)
2976 | test.exe | Malware Command and Control Activity Detected | ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)

2 ETPRO signatures available at the full report