| File name: | 298645487d872600b093d2cda8f7646278919500.rar |
| Full analysis: | https://app.any.run/tasks/dc358a28-5b89-4c23-bb0c-918e94f61a5c |
| Verdict: | Malicious activity |
| Threats: | NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website. |
| Analysis date: | October 14, 2019, 19:48:14 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-rar |
| File info: | RAR archive data, v5 |
| MD5: | F2860F1115EE8DEC42B9744B25037D0C |
| SHA1: | 298645487D872600B093D2CDA8F7646278919500 |
| SHA256: | E32EBAA9F255060A57B650509E915F57A6AF04E551A049CCE86031324544DA4A |
| SSDEEP: | 12288:EYVavSv4Mke+ntdRWuKZ4ZAnWqFwXzHit9yRvdlnai6pWeXI6Y4VQBF/eMzv:E2aKgi+ntbKWZx0xt9SfaiZKmVv |
MALICIOUS
Application was dropped or rewritten from another process
- Quotaton Docx.exe (PID: 2008)
- RegSvcs.exe (PID: 480)
NANOCORE was detected
- RegSvcs.exe (PID: 480)
Changes the autorun value in the registry
- RegSvcs.exe (PID: 480)
SUSPICIOUS
Executable content was dropped or overwritten
- WinRAR.exe (PID: 2920)
- RegSvcs.exe (PID: 480)
Reads the machine GUID from the registry
- WinRAR.exe (PID: 2920)
Creates files in the user directory
- RegSvcs.exe (PID: 480)
INFO
No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .rar | | | RAR compressed archive (v5.0) (61.5) |
|---|---|---|
| .rar | | | RAR compressed archive (gen) (38.4) |
Total processes
36
Monitored processes
3
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 480 | "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegSvcs.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Quotaton Docx.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Services Installation Utility Exit code: 0 Version: 2.0.50727.5483 (Win7SP1GDR.050727-5400) Modules
| |||||||||||||||
| 2008 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2920.1943\Quotaton Docx.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2920.1943\Quotaton Docx.exe | — | WinRAR.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 2920 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Windows\298645487d872600b093d2cda8f7646278919500.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 Modules
| |||||||||||||||
Total events
569
Read events
541
Write events
28
Delete events
0
Modification events
| (PID) Process: | (2920) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (2920) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (2920) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12F\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2920) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Windows\298645487d872600b093d2cda8f7646278919500.rar | |||
| (PID) Process: | (2920) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (2920) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (2920) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (2920) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (2920) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (2920) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
Executable files
2
Suspicious files
1
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 480 | RegSvcs.exe | C:\Users\admin\AppData\Roaming\EEEB5D54-7880-42A7-B542-739BBC26CF4B\run.dat | binary | |
MD5:— | SHA256:— | |||
| 2920 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2920.1943\Quotaton Docx.exe | executable | |
MD5:— | SHA256:— | |||
| 480 | RegSvcs.exe | C:\Users\admin\AppData\Roaming\EEEB5D54-7880-42A7-B542-739BBC26CF4B\UPNP Host\upnphost.exe | executable | |
MD5:72A9F09010A89860456C6474E2E6D25C | SHA256:7299EB6E11C8704E7CB18F57879550CDD88EF7B2AE8CBA031B795BC5D92CE8E3 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
15
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
480 | RegSvcs.exe | 91.192.100.23:1985 | — | SOFTplus Entwicklungen GmbH | CH | malicious |