analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

ATT001MGTPROPOSAL_SUBMITTION03984549098549.scr

Full analysis: https://app.any.run/tasks/333405c0-26bf-439f-9969-7e7210c53012
Verdict: Malicious activity
Threats:

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Analysis date: March 21, 2019, 07:27:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
autoit
rat
nanocore
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
MD5:

75F8FA01F886B210FBE36DC37A200F06

SHA1:

F9A031BFD1F654BA20DA286CD2C9BA64DFB0E993

SHA256:

F7F89F5F033F06813E2B2571F3A0BFAD8FBC047A3D510E9B359F054946160273

SSDEEP:

24576:f2O/GlKzBB7bHGUXPwFC1oitrfUxnXqQwmxhKbH3w1GthA034:H7zR/wFCeKaXBwmxUT3zg0o

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • tlf.exe (PID: 1980)
      • tlf.exe (PID: 2156)
    • Changes the autorun value in the registry

      • RegSvcs.exe (PID: 1588)
      • tlf.exe (PID: 2156)
    • NanoCore was detected

      • RegSvcs.exe (PID: 1588)
  • SUSPICIOUS

    • Drop AutoIt3 executable file

      • ATT001MGTPROPOSAL_SUBMITTION03984549098549.scr (PID: 976)
    • Executable content was dropped or overwritten

      • ATT001MGTPROPOSAL_SUBMITTION03984549098549.scr (PID: 976)
    • Application launched itself

      • tlf.exe (PID: 1980)
    • Creates files in the user directory

      • RegSvcs.exe (PID: 1588)
    • Connects to unusual port

      • RegSvcs.exe (PID: 1588)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • ATT001MGTPROPOSAL_SUBMITTION03984549098549.scr (PID: 976)
      • tlf.exe (PID: 1980)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (35.8)
.exe | Win64 Executable (generic) (31.7)
.scr | Windows screen saver (15)
.dll | Win32 Dynamic Link Library (generic) (7.5)
.exe | Win32 Executable (generic) (5.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:06:09 15:19:49+02:00
PEType: PE32
LinkerVersion: 9
CodeSize: 74752
InitializedDataSize: 58880
UninitializedDataSize: -
EntryPoint: 0xac87
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 09-Jun-2012 13:19:49
Detected languages:
  • English - United States
  • Process Default Language
Debug artifacts:
  • d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F0

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 09-Jun-2012 13:19:49
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0001231E
0x00012400
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.55555
.rdata
0x00014000
0x00001D15
0x00001E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.99401
.data
0x00016000
0x00017724
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.54914
.CRT
0x0002E000
0x00000020
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
0.394141
.rsrc
0x0002F000
0x0000C2C0
0x0000C400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.24596

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.20816
1464
Latin 1 / Western European
English - United States
RT_MANIFEST
7
3.24143
556
Latin 1 / Western European
English - United States
RT_STRING
8
3.26996
974
Latin 1 / Western European
English - United States
RT_STRING
9
3.04375
530
Latin 1 / Western European
English - United States
RT_STRING
10
3.16254
776
Latin 1 / Western European
English - United States
RT_STRING
11
3.06352
380
Latin 1 / Western European
English - United States
RT_STRING
12
2.33959
102
Latin 1 / Western European
English - United States
RT_STRING
100
1.91924
20
Latin 1 / Western European
Process Default Language
RT_GROUP_ICON
101
4.19099
2998
Latin 1 / Western European
English - United States
RT_BITMAP
ASKNEXTVOL
3.42597
646
Latin 1 / Western European
English - United States
RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
KERNEL32.dll
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
ole32.dll
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
33
Monitored processes
4
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start att001mgtproposal_submittion03984549098549.scr tlf.exe no specs tlf.exe #NANOCORE regsvcs.exe

Process information

PID
CMD
Path
Indicators
Parent process
976"C:\Users\admin\AppData\Local\Temp\ATT001MGTPROPOSAL_SUBMITTION03984549098549.scr" /SC:\Users\admin\AppData\Local\Temp\ATT001MGTPROPOSAL_SUBMITTION03984549098549.scr
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
1980"C:\Users\admin\AppData\Local\Temp\30993433\tlf.exe" nni=lrp C:\Users\admin\AppData\Local\Temp\30993433\tlf.exeATT001MGTPROPOSAL_SUBMITTION03984549098549.scr
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
AutoIt v3 Script
Exit code:
0
Version:
3, 3, 14, 5
2156C:\Users\admin\AppData\Local\Temp\30993433\tlf.exe C:\Users\admin\AppData\Local\Temp\30993433\FMBTGC:\Users\admin\AppData\Local\Temp\30993433\tlf.exe
tlf.exe
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
AutoIt v3 Script
Exit code:
0
Version:
3, 3, 14, 5
1588"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
tlf.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Services Installation Utility
Version:
4.6.1055.0 built by: NETFXREL2
Total events
379
Read events
372
Write events
7
Delete events
0

Modification events

(PID) Process:(976) ATT001MGTPROPOSAL_SUBMITTION03984549098549.scrKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(976) ATT001MGTPROPOSAL_SUBMITTION03984549098549.scrKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2156) tlf.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:WindowsUpdate
Value:
C:\Users\admin\AppData\Local\Temp\30993433\tlf.exe C:\Users\admin\AppData\Local\Temp\30993433\NNI_LR~1
(PID) Process:(1588) RegSvcs.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:TCP Monitor
Value:
C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\TCP Monitor\tcpmon.exe
Executable files
1
Suspicious files
0
Text files
48
Unknown types
0

Dropped files

PID
Process
Filename
Type
976ATT001MGTPROPOSAL_SUBMITTION03984549098549.scrC:\Users\admin\AppData\Local\Temp\30993433\huw.mp4text
MD5:8D8B3CED98F77DB0E706F613F36EEB31
SHA256:F64830BA6957505B104C5BA668835BB57C840003EF7FF16CD7FD899B712C0EF7
976ATT001MGTPROPOSAL_SUBMITTION03984549098549.scrC:\Users\admin\AppData\Local\Temp\30993433\DateTimeConstants.ppttext
MD5:1EFE2D2CC2BC438E3D66ABC384570C80
SHA256:8E61349DE57E85C0EB73C43A8DD13722AA639207ABB3A086E354597882315159
976ATT001MGTPROPOSAL_SUBMITTION03984549098549.scrC:\Users\admin\AppData\Local\Temp\30993433\UpDownConstants.docxtext
MD5:AA970FFE50E2396E34B5F34FFA8561EF
SHA256:BB969AA45F8194B7281387B07FE1A1128B83F36BBA5D14333E0EEDCDBCEE7549
976ATT001MGTPROPOSAL_SUBMITTION03984549098549.scrC:\Users\admin\AppData\Local\Temp\30993433\mpv.jpgtext
MD5:8FEC4229DA8843C188E2A1C04DE4C596
SHA256:23F4CE10591261E20404B8C127F92422B8E172A5237BC55B452FFBBA790026E9
976ATT001MGTPROPOSAL_SUBMITTION03984549098549.scrC:\Users\admin\AppData\Local\Temp\30993433\qjt.icotext
MD5:5AD46AC751BFBF1C2AEFB2FB31A1397F
SHA256:2D2528839DEC1900F285854BC0053676F05A7D6B2A2F4DC469C03654DD2F73D3
976ATT001MGTPROPOSAL_SUBMITTION03984549098549.scrC:\Users\admin\AppData\Local\Temp\30993433\mpn.jpgtext
MD5:5325ED6631D781D78E5937E0512B5267
SHA256:9947EE276B84059782B6BEA3F4889D5D306837830C704424732EC6D2E1C1D5C4
976ATT001MGTPROPOSAL_SUBMITTION03984549098549.scrC:\Users\admin\AppData\Local\Temp\30993433\nhp.icotext
MD5:8BA8B99E49632D6741E01A3A7920F7D2
SHA256:4901FBBAE38C347B182CAB079B10C559DF314B504B94CC45FC119F6ECA7DE41F
976ATT001MGTPROPOSAL_SUBMITTION03984549098549.scrC:\Users\admin\AppData\Local\Temp\30993433\ohq.txttext
MD5:10221314E2B8C77A1F634BA7955AC77A
SHA256:B2594E11DD65CA445D1379ACDCC08A5DD3AF86B403387651BB97AE3B8C630B50
976ATT001MGTPROPOSAL_SUBMITTION03984549098549.scrC:\Users\admin\AppData\Local\Temp\30993433\nni=lrptext
MD5:3348D65F92C199E886EFE4FD1FEF93D5
SHA256:00B2776238D65813D0FD4D634DAB49357C4F7F58A3218D980A4CC5123103AC62
976ATT001MGTPROPOSAL_SUBMITTION03984549098549.scrC:\Users\admin\AppData\Local\Temp\30993433\lhd.icmtext
MD5:3432BEEE129EB5CEAF2BBB35FE20258F
SHA256:8E2823446E02A43A220065704618C1ADE922771D70C8FC28EBD5F5260A3ECEC7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
54
DNS requests
24
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1588
RegSvcs.exe
91.192.100.18:64599
stannanoserve.duckdns.org
SOFTplus Entwicklungen GmbH
CH
malicious
1588
RegSvcs.exe
8.8.8.8:53
Google Inc.
US
whitelisted
1588
RegSvcs.exe
8.8.4.4:53
Google Inc.
US
whitelisted
1588
RegSvcs.exe
79.134.225.23:64599
Andreas Fink trading as Fink Telecom Services
CH
malicious

DNS requests

Domain
IP
Reputation
stannanoserve.duckdns.org
  • 91.192.100.18
malicious

Threats

PID
Process
Class
Message
1588
RegSvcs.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
1588
RegSvcs.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
1588
RegSvcs.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
1588
RegSvcs.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
1588
RegSvcs.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
1588
RegSvcs.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
1588
RegSvcs.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
1588
RegSvcs.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
1588
RegSvcs.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
1588
RegSvcs.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
No debug info