analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

NEW ORDER.pdf

Full analysis: https://app.any.run/tasks/a0533738-f8e8-4f28-a0ab-5f4616784954
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Malware Trends Tracker     >>>
Analysis date: July 18, 2019, 13:56:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
autoit
rat
nanocore
phishing
phish-pdf
Indicators:
MIME: application/pdf
File info: PDF document, version 1.4
MD5:

49DA7A6A33D92497F44A67E9C87A7063

SHA1:

6FEB181D0A108C3EEF465F31F4210074C25BCD8B

SHA256:

E3CBADC9A0C8ADCE93CBBE76C51FD996C609632AAA4BB16E84A4BCFFBDC2F4F2

SSDEEP:

3072:II97HMb2D3G////pgD/9EpfhLjtGcAqFP6AUpUUInBbT:597sb2C////pC90jtGcV6AUpUUInBH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • otd.exe (PID: 2872)
      • Filname.scr (PID: 3228)
      • otd.exe (PID: 3528)
      • RegSvcs.exe (PID: 3404)

    • NanoCore was detected

      • RegSvcs.exe (PID: 3404)

    • Changes the autorun value in the registry

      • otd.exe (PID: 2872)
      • RegSvcs.exe (PID: 3404)

  • SUSPICIOUS

    • Starts Internet Explorer

      • AcroRd32.exe (PID: 2888)

    • Executes scripts

      • WinRAR.exe (PID: 2704)
      • Filname.scr (PID: 3228)

    • Starts application with an unusual extension

      • WScript.exe (PID: 3324)

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 3324)
      • Filname.scr (PID: 3228)
      • RegSvcs.exe (PID: 3404)

    • Drop AutoIt3 executable file

      • Filname.scr (PID: 3228)

    • Application launched itself

      • otd.exe (PID: 3528)

    • Creates files in the user directory

      • RegSvcs.exe (PID: 3404)

    • Creates files in the program directory

      • AdobeARM.exe (PID: 3200)

  • INFO

    • Application launched itself

      • AcroRd32.exe (PID: 2888)
      • RdrCEF.exe (PID: 3056)

    • Creates files in the user directory

      • iexplore.exe (PID: 3800)

    • Changes internet zones settings

      • iexplore.exe (PID: 3008)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3008)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3800)

    • Dropped object may contain Bitcoin addresses

      • Filname.scr (PID: 3228)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.pdf | Adobe Portable Document Format (100)

EXIF

XMP

DocumentID: uuid:6254959b-1ee2-41a2-9324-a20e60ff664f
Producer: Nitro Pro 8 (8. 0. 10. 7)
Keywords: -
Description: -
Title: -
Creator: Dollars
Format: application/pdf
MetadataDate: 2017:08:28 04:06:09Z
ModifyDate: 2017:08:28 04:06:09Z
CreatorTool: Nitro Pro 8 (8. 0. 10. 7)
CreateDate: 2017:08:28 04:06:04Z
XMPToolkit: 3.1-701
Xpacket: -

PDF

Producer: Nitro Pro 8 (8. 0. 10. 7)
Author: Dollars
CreateDate: 2017:08:28 04:06:04Z
Creator: Nitro Pro 8 (8. 0. 10. 7)
ModifyDate: 2019:07:18 13:30:33+01:00
PageCount: 1
PageMode: UseNone
Linearized: No
PDFVersion: 1.4
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
49
Monitored processes
16
Malicious processes
9
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start acrord32.exe acrord32.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs iexplore.exe iexplore.exe winrar.exe no specs wscript.exe filname.scr wscript.exe no specs adobearm.exe no specs reader_sl.exe no specs otd.exe no specs otd.exe #NANOCORE regsvcs.exe

Process information

PID
CMD
Path
Indicators
Parent process
2888"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\admin\AppData\Local\Temp\NEW ORDER.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
explorer.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat Reader DC
Version:
15.23.20070.215641
2388"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\admin\AppData\Local\Temp\NEW ORDER.pdf"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat Reader DC
Version:
15.23.20070.215641
3056"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16448250C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe RdrCEF
Version:
15.23.20053.211670
2592"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="3056.0.217419708\1543208519" --allow-no-sandbox-job /prefetch:673131151C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Version:
15.23.20053.211670
2720"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="3056.1.953025387\1591327328" --allow-no-sandbox-job /prefetch:673131151C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Version:
15.23.20053.211670
3008"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
AcroRd32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3800"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3008 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2704"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\P420A25I\Quotation[1].ace"C:\Program Files\WinRAR\WinRAR.exeiexplore.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3324"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2704.26092\Quotation.js" C:\Windows\System32\WScript.exe
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
3228"C:\Users\admin\AppData\Local\Temp\Filname.scr" /SC:\Users\admin\AppData\Local\Temp\Filname.scr
WScript.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Total events
2 573
Read events
2 383
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
4
Text files
75
Unknown types
17

Dropped files

PID
Process
Filename
Type
2388AcroRd32.exeC:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal
MD5:
SHA256:
3008iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico
MD5:
SHA256:
3008iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3800iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@dropbox[1].txt
MD5:
SHA256:
3800iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
MD5:
SHA256:
3008iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF52C4D5815F83F54F.TMP
MD5:
SHA256:
2388AcroRd32.exeC:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9Rxwpijx_1ob0ca4_1uc.tmp
MD5:
SHA256:
2388AcroRd32.exeC:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9Riahcoy_1ob0ca3_1uc.tmp
MD5:
SHA256:
2388AcroRd32.exeC:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R1eloapb_1ob0ca6_1uc.tmp
MD5:
SHA256:
2388AcroRd32.exeC:\Users\admin\AppData\Local\Temp\acrord32_sbx\A9R14ipnns_1ob0ca5_1uc.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
12
DNS requests
9
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2888
AcroRd32.exe
GET
304
2.16.186.33:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/277_15_23_20070.zip
unknown
whitelisted
2888
AcroRd32.exe
GET
304
2.16.186.33:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/281_15_23_20070.zip
unknown
whitelisted
2888
AcroRd32.exe
GET
304
2.16.186.33:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/280_15_23_20070.zip
unknown
whitelisted
2888
AcroRd32.exe
GET
304
2.16.186.33:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/278_15_23_20070.zip
unknown
whitelisted
2888
AcroRd32.exe
GET
304
2.16.186.33:80
http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/message.zip
unknown
whitelisted
3008
iexplore.exe
GET
200
13.107.21.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3008
iexplore.exe
13.107.21.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3800
iexplore.exe
162.125.66.1:443
www.dropbox.com
Dropbox, Inc.
DE
shared
2.18.233.74:443
armmf.adobe.com
Akamai International B.V.
whitelisted
3800
iexplore.exe
162.125.66.6:443
uca4e0bc8bf025e06f76afff9046.dl.dropboxusercontent.com
Dropbox, Inc.
DE
shared
2.16.186.33:80
acroipm2.adobe.com
Akamai International B.V.
whitelisted
3404
RegSvcs.exe
79.134.225.35:19864
xeliteme.us
Andreas Fink trading as Fink Telecom Services
CH
malicious
2888
AcroRd32.exe
2.16.186.33:80
acroipm2.adobe.com
Akamai International B.V.
whitelisted
104.111.214.232:443
ardownload2.adobe.com
Akamai International B.V.
NL
whitelisted
3404
RegSvcs.exe
105.112.96.202:19864
tats2lou.ddns.net
NG
unknown

DNS requests

Domain
IP
Reputation
www.bing.com
  • 13.107.21.200
  • 204.79.197.200
whitelisted
www.dropbox.com
  • 162.125.66.1
shared
uca4e0bc8bf025e06f76afff9046.dl.dropboxusercontent.com
  • 162.125.66.6
malicious
acroipm2.adobe.com
  • 2.16.186.33
  • 2.16.186.32
whitelisted
armmf.adobe.com
  • 2.18.233.74
whitelisted
xeliteme.us
  • 79.134.225.35
malicious
ardownload2.adobe.com
  • 104.111.214.232
whitelisted
tats2lou.ddns.net
  • 105.112.96.202
malicious

Threats

PID
Process
Class
Message
3800
iexplore.exe
Potential Corporate Privacy Violation
SUSPICIOUS [PTsecurity] Dropbox SSL Payload Request
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
NEW ORDER.pdf