Malware analysis ForceOP.zip Malicious activity | ANY.RUN

Add for printing

File name:	ForceOP.zip
Full analysis:	https://app.any.run/tasks/16e30ff4-06c9-4daf-bd16-81e1c146d372
Verdict:	Malicious activity
Threats:	NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website. njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market that features an abundance of educational information. Interested attackers can even find tutorials on YouTube. This allows it to become one of the most popular RATs in the world. njRAT ist ein Trojaner für den Fernzugriff. Es handelt sich um einen der am weitesten verbreiteten RATs auf dem Markt, der eine Fülle von Bildungsinformationen bietet. Interessierte Angreifer können sogar Tutorials auf YouTube finden. Dies macht ihn zu einem der beliebtesten RATs der Welt. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	August 24, 2024, 13:25:28
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	rat njrat bladabindi nanocore remote
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	899AF6CB1BBBCC8116EFD2DBDBE04291
SHA1:	4FF14D716AA34148082C93BF58F58577F8F313A6
SHA256:	E52C41A8A4BBADDA9866E7E1FC9E15417A2F1146FF9E2B392C48A74B78FABF74
SSDEEP:	98304:I3vfe39VtwRBly99BSWBX8QyxiUNN7p54UL8Tdsi2XYmGGVPee4reFc7sAm6r4oH:Sx+iFKvqmXai7ky8+V8z8f

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 60 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- NjRAT is detected
  - fiucinajestemsliczny.exe (PID: 7024)
  - server.exe (PID: 7092)
- Changes the autorun value in the registry
  - fiucinajestembrzydki.exe (PID: 7144)
  - fiucinajestembrzydki.exe (PID: 6532)
  - server.exe (PID: 7092)
- Uses Task Scheduler to run other applications
  - fiucinajestembrzydki.exe (PID: 6532)
- NANOCORE has been detected (SURICATA)
  - fiucinajestembrzydki.exe (PID: 6532)
- Create files in the Startup directory
  - server.exe (PID: 7092)
- Connects to the CnC server
  - fiucinajestembrzydki.exe (PID: 6532)
  - server.exe (PID: 7092)
- NJRAT has been detected (SURICATA)
  - server.exe (PID: 7092)
- NJRAT has been detected (YARA)
  - server.exe (PID: 7092)
- NANOCORE has been detected (YARA)
  - fiucinajestembrzydki.exe (PID: 6532)
SUSPICIOUS
- Starts CMD.EXE for commands execution
  - ForceOP.exe (PID: 6780)
- Drops the executable file immediately after the start
  - ForceOP.exe (PID: 6780)
  - WinRAR.exe (PID: 6636)
  - fiucinajestembrzydki.exe (PID: 7144)
  - fiucinajestemsliczny.exe (PID: 7024)
  - fiucinajestembrzydki.exe (PID: 6532)
  - server.exe (PID: 7092)
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 6636)
  - fiucinajestembrzydki.exe (PID: 7144)
  - fiucinajestemsliczny.exe (PID: 7024)
- Node.exe was dropped
  - WinRAR.exe (PID: 6636)
- Executable content was dropped or overwritten
  - ForceOP.exe (PID: 6780)
  - fiucinajestemsliczny.exe (PID: 7024)
  - fiucinajestembrzydki.exe (PID: 7144)
  - fiucinajestembrzydki.exe (PID: 6532)
  - server.exe (PID: 7092)
- The executable file from the user directory is run by the CMD process
  - fiucinajestemsliczny.exe (PID: 7024)
  - fiucinajestembrzydki.exe (PID: 7144)
- Starts itself from another location
  - fiucinajestemsliczny.exe (PID: 7024)
- The process creates files with name similar to system file names
  - fiucinajestembrzydki.exe (PID: 7144)
  - fiucinajestembrzydki.exe (PID: 6532)
- Reads the date of Windows installation
  - fiucinajestemsliczny.exe (PID: 7024)
  - fiucinajestembrzydki.exe (PID: 7144)
- Application launched itself
  - fiucinajestembrzydki.exe (PID: 7144)
- Connects to unusual port
  - fiucinajestembrzydki.exe (PID: 6532)
  - server.exe (PID: 7092)
- Contacting a server suspected of hosting an CnC
  - server.exe (PID: 7092)
  - fiucinajestembrzydki.exe (PID: 6532)
- Uses NETSH.EXE to add a firewall rule or allowed programs
  - server.exe (PID: 7092)
INFO
- Reads Environment values
  - ForceOP.exe (PID: 6780)
  - fiucinajestembrzydki.exe (PID: 6532)
  - server.exe (PID: 7092)
- Checks supported languages
  - ForceOP.exe (PID: 6780)
  - fiucinajestemsliczny.exe (PID: 7024)
  - fiucinajestembrzydki.exe (PID: 7144)
  - fiucinajestembrzydki.exe (PID: 6532)
  - server.exe (PID: 7092)
- Creates files or folders in the user directory
  - ForceOP.exe (PID: 6780)
  - fiucinajestembrzydki.exe (PID: 7144)
  - fiucinajestembrzydki.exe (PID: 6532)
  - server.exe (PID: 7092)
- Create files in a temporary directory
  - ForceOP.exe (PID: 6780)
  - fiucinajestemsliczny.exe (PID: 7024)
  - fiucinajestembrzydki.exe (PID: 6532)
- Reads the computer name
  - ForceOP.exe (PID: 6780)
  - fiucinajestemsliczny.exe (PID: 7024)
  - fiucinajestembrzydki.exe (PID: 7144)
  - fiucinajestembrzydki.exe (PID: 6532)
  - server.exe (PID: 7092)
- Reads product name
  - ForceOP.exe (PID: 6780)
  - fiucinajestembrzydki.exe (PID: 6532)
- Reads the machine GUID from the registry
  - fiucinajestembrzydki.exe (PID: 7144)
  - fiucinajestembrzydki.exe (PID: 6532)
  - server.exe (PID: 7092)
- Process checks computer location settings
  - fiucinajestembrzydki.exe (PID: 7144)
  - fiucinajestemsliczny.exe (PID: 7024)
- Process checks whether UAC notifications are on
  - fiucinajestembrzydki.exe (PID: 7144)
  - fiucinajestembrzydki.exe (PID: 6532)
- Creates files in the program directory
  - fiucinajestembrzydki.exe (PID: 6532)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

NjRat

(PID) Process(7092) server.exe

C2193.203.238.87

Ports5552

BotnetForceOP

Options

Auto-run registry keySoftware\Microsoft\Windows\CurrentVersion\Run\bcd46e84d58aceecbf4188e8c7c796f8

Splitter|'|'|

Version0.7d

Nanocore

(PID) Process(6532) fiucinajestembrzydki.exe

KeyboardLoggingTrue

BuildTime2024-08-19 19:33:16.671608

Version1.2.2.0

Mutex58426eb7-12b3-40a8-8660-d8b12f469708

DefaultGroupDefault

PrimaryConnectionHost193.203.238.87

BackupConnectionHost127.0.0.1

ConnectionPort54984

RunOnStartupTrue

RequestElevationTrue

BypassUserAccountControlTrue

ClearZoneIdentifierTrue

ClearAccessControlTrue

SetCriticalProcessTrue

PreventSystemSleepTrue

ActivateAwayModeTrue

EnableDebugModeFalse

RunDelay0

ConnectDelay4000

RestartDelay5000

TimeoutInterval5000

KeepAliveTimeout30000

MutexTimeout5000

LanTimeout2500

WanTimeout8021

BufferSize65535

MaxPacketSize10485760

GCThreshold10485760

UseCustomDnsServerTrue

PrimaryDnsServer8.8.8.8

BackupDnsServer8.8.4.4

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2024:08:21 17:31:24
ZipCRC:	0xccc98960
ZipCompressedSize:	13639600
ZipUncompressedSize:	36895871
ZipFileName:	ForceOP.exe

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

140

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2480

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

schtasks.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4544

"schtasks.exe" /create /f /tn "LAN Host" /xml "C:\Users\admin\AppData\Local\Temp\tmp213C.tmp"

C:\Windows\SysWOW64\schtasks.exe

—

fiucinajestembrzydki.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

6296

netsh firewall add allowedprogram "C:\Users\admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

C:\Windows\SysWOW64\netsh.exe

—

server.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Network Command Shell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll

6348

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

netsh.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6512

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

schtasks.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6532

"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\fiucinajestembrzydki.exe"

C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\fiucinajestembrzydki.exe

fiucinajestembrzydki.exe

User:

admin

Integrity Level:

HIGH

Modules

Images
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\fiucinajestembrzydki.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

Nanocore

(PID) Process(6532) fiucinajestembrzydki.exe

KeyboardLoggingTrue

BuildTime2024-08-19 19:33:16.671608

Version1.2.2.0

Mutex58426eb7-12b3-40a8-8660-d8b12f469708

DefaultGroupDefault

PrimaryConnectionHost193.203.238.87

BackupConnectionHost127.0.0.1

ConnectionPort54984

RunOnStartupTrue

RequestElevationTrue

BypassUserAccountControlTrue

ClearZoneIdentifierTrue

ClearAccessControlTrue

SetCriticalProcessTrue

PreventSystemSleepTrue

ActivateAwayModeTrue

EnableDebugModeFalse

RunDelay0

ConnectDelay4000

RestartDelay5000

TimeoutInterval5000

KeepAliveTimeout30000

MutexTimeout5000

LanTimeout2500

WanTimeout8021

BufferSize65535

MaxPacketSize10485760

GCThreshold10485760

UseCustomDnsServerTrue

PrimaryDnsServer8.8.8.8

BackupDnsServer8.8.4.4

6556

"schtasks.exe" /create /f /tn "LAN Host Task" /xml "C:\Users\admin\AppData\Local\Temp\tmp21BA.tmp"

C:\Windows\SysWOW64\schtasks.exe

—

fiucinajestembrzydki.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

6636

"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\ForceOP.zip

C:\Program Files\WinRAR\WinRAR.exe

—

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

6780

"C:\Users\admin\AppData\Local\Temp\Rar$EXa6636.25371\ForceOP.exe"

C:\Users\admin\AppData\Local\Temp\Rar$EXa6636.25371\ForceOP.exe

WinRAR.exe

User:

admin

Company:

Node.js

Integrity Level:

MEDIUM

Description:

Node.js JavaScript Runtime

Version:

16.16.0

Modules

Images
c:\users\admin\appdata\local\temp\rar$exa6636.25371\forceop.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\psapi.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll

6788

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

ForceOP.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

15 260

Read events

15 117

Write events

142

Delete events

Modification events


(PID) Process:	(6636) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(6636) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(6636) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(6636) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\ForceOP.zip
(PID) Process:	(6636) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6636) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6636) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6636) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6636) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6636) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6636	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa6636.25371\ForceOP.exe		—
		MD5:—	SHA256:—
6780	ForceOP.exe	C:\Users\admin\AppData\Local\Temp\pkg\1a0a9582c7f361685569cf47e056b1fc4deb3bfa8bdf729de8cf27a57aa06508\win-protect\index.js		binary
		MD5:D292EAE897DE7CD0245F2A78830D7F31	SHA256:BF198C4AEC01941198104A49DAEAA606CEA4A5B1A2B014BCC2AD9FD519954372
7144	fiucinajestembrzydki.exe	C:\Users\admin\AppData\Roaming\BB926E54-E3CA-40FD-AE90-2764341E7792\run.dat		binary
		MD5:E9FBB016D64FB8FD2F658E27C9BD9DB5	SHA256:1D645D8ED5E0DAAE48367E1D92F110BBB777D18A3B13888C34B6EAB45A61C2D2
6780	ForceOP.exe	C:\Users\admin\AppData\Local\Temp\pkg\1a0a9582c7f361685569cf47e056b1fc4deb3bfa8bdf729de8cf27a57aa06508\win-protect\src\addon.cpp		text
		MD5:CB81295486C009B4D089602364975B2A	SHA256:901761E595A351EA9542C939C810BC9F8F6AEA41350A29C360E5997DD8C7D863
6532	fiucinajestembrzydki.exe	C:\Users\admin\AppData\Roaming\BB926E54-E3CA-40FD-AE90-2764341E7792\task.dat		text
		MD5:BE26D34AA56FE4215D433B4772DA2624	SHA256:4759D62AC1447C539C585900BA4067F73D527D70D06E3378B30D454B261CDEB7
6532	fiucinajestembrzydki.exe	C:\Program Files (x86)\LAN Host\lanhost.exe		executable
		MD5:4757E3957A66009DDA083E0CEB0C1605	SHA256:3DDF341BB96D5CB94DA122B59B38D655EBD8DEAC277FCAA9244246F7E131AB04
7144	fiucinajestembrzydki.exe	C:\Users\admin\AppData\Roaming\BB926E54-E3CA-40FD-AE90-2764341E7792\LAN Host\lanhost.exe		executable
		MD5:4757E3957A66009DDA083E0CEB0C1605	SHA256:3DDF341BB96D5CB94DA122B59B38D655EBD8DEAC277FCAA9244246F7E131AB04
6532	fiucinajestembrzydki.exe	C:\Users\admin\AppData\Local\Temp\tmp21BA.tmp		xml
		MD5:54865F98871478B2B88B7F8AA6100915	SHA256:287F7B4372926FF59BB9A14BDFC00AD63F92AF8EFDB2E14F6F6BAF31878FD44E
6532	fiucinajestembrzydki.exe	C:\Users\admin\AppData\Roaming\BB926E54-E3CA-40FD-AE90-2764341E7792\settings.bin		binary
		MD5:4E5E92E2369688041CC82EF9650EDED2	SHA256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
6532	fiucinajestembrzydki.exe	C:\Users\admin\AppData\Roaming\BB926E54-E3CA-40FD-AE90-2764341E7792\catalog.dat		binary
		MD5:9E7D0351E4DF94A9B0BADCEB6A9DB963	SHA256:AAFC7B40C5FE680A2BB549C3B90AABAAC63163F74FFFC0B00277C6BBFF88B757

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3276	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
7012	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
5464	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
2096	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5464	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
6780	ForceOP.exe	49.12.218.71:443	20tz.web.svpj.pl	Hetzner Online GmbH	DE	unknown
3260	svchost.exe	40.115.3.253:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2120	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
3276	svchost.exe	20.190.160.20:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158 4.231.128.59	whitelisted
google.com	216.58.212.142	whitelisted
20tz.web.svpj.pl	49.12.218.71	unknown
client.wns.windows.com	40.115.3.253	whitelisted
login.live.com	20.190.160.20 40.126.32.138 40.126.32.68 40.126.32.76 20.190.160.14 40.126.32.136 20.190.160.22 40.126.32.74	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
slscr.update.microsoft.com	52.165.165.26	whitelisted
www.microsoft.com	88.221.169.152	whitelisted
fe3cr.delivery.mp.microsoft.com	52.165.164.15	whitelisted
nexusrules.officeapps.live.com	52.111.243.30	whitelisted

Threats

PID	Process	Class	Message
6532	fiucinajestembrzydki.exe	Malware Command and Control Activity Detected	ET MALWARE NanoCore RAT CnC 7
6532	fiucinajestembrzydki.exe	Malware Command and Control Activity Detected	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)
7092	server.exe	A Network Trojan was detected	ET MALWARE Possible Host Profile Exfiltration In Pipe Delimited Format
7092	server.exe	Malware Command and Control Activity Detected	ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
6532	fiucinajestembrzydki.exe	Malware Command and Control Activity Detected	ET MALWARE NanoCore RAT CnC 7
6532	fiucinajestembrzydki.exe	Malware Command and Control Activity Detected	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)
6532	fiucinajestembrzydki.exe	Malware Command and Control Activity Detected	ET MALWARE NanoCore RAT CnC 7
6532	fiucinajestembrzydki.exe	Malware Command and Control Activity Detected	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)
6532	fiucinajestembrzydki.exe	Malware Command and Control Activity Detected	ET MALWARE NanoCore RAT CnC 7
6532	fiucinajestembrzydki.exe	Malware Command and Control Activity Detected	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)

4 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

ForceOP.zip

899AF6CB1BBBCC8116EFD2DBDBE04291

4FF14D716AA34148082C93BF58F58577F8F313A6

E52C41A8A4BBADDA9866E7E1FC9E15417A2F1146FF9E2B392C48A74B78FABF74

98304:I3vfe39VtwRBly99BSWBX8QyxiUNN7p54UL8Tdsi2XYmGGVPee4reFc7sAm6r4oH:Sx+iFKvqmXai7ky8+V8z8f

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

NjRAT is detected

Changes the autorun value in the registry

Uses Task Scheduler to run other applications

NANOCORE has been detected (SURICATA)

Create files in the Startup directory

Connects to the CnC server

NJRAT has been detected (SURICATA)

NJRAT has been detected (YARA)

NANOCORE has been detected (YARA)

SUSPICIOUS

Starts CMD.EXE for commands execution

Drops the executable file immediately after the start

Reads security settings of Internet Explorer

Node.exe was dropped

Executable content was dropped or overwritten

The executable file from the user directory is run by the CMD process

Starts itself from another location

The process creates files with name similar to system file names

Reads the date of Windows installation

Application launched itself

Connects to unusual port

Contacting a server suspected of hosting an CnC

Uses NETSH.EXE to add a firewall rule or allowed programs

INFO

Reads Environment values

Checks supported languages

Creates files or folders in the user directory

Create files in a temporary directory

Reads the computer name

Reads product name

Reads the machine GUID from the registry

Process checks computer location settings

Process checks whether UAC notifications are on

Creates files in the program directory

Malware configuration

NjRat

Nanocore

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

Nanocore

Information

Modules

Information

Modules

Information

Modules

Information

Modules