| Field | Value |
|---|---|
| File name | Invoice 556510.exe.7z |
| Full analysis | https://app.any.run/tasks/d6ae2fcc-c67a-48d5-9185-f493fc8cb54f |
| Verdict | Malicious activity |
| Threats | NanoCore is a Remote Access Trojan (RAT). This malware is highly customizable with plugins that allow attackers to tailor its functionality to their needs. NanoCore is built on the .NET Framework and is available for purchase for just $25 from its “official” website. |
| Analysis date | August 13, 2019, 14:05:56 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | |
| Indicators | |
| MIME | application/x-7z-compressed |
| File info | 7-zip archive data, version 0.3 |
| MD5 | 22313C2AD00DE5DA397572A927EC649B |
| SHA1 | 68160F86334432CCC68450F17702888C9BE550E4 |
| SHA256 | FC1F1FBB8A0EF1C15F73B74E0B5FA6E7FBC78F09427D8CB7FE6B4282410BF633 |
| SSDEEP | 12288:oXPk03BvErmgPQG70cI0ZTB27utdUnxH2GGpANujk:mMkOmg/V3TB2iynVyMuo |
| File type | .7z: 7-Zip compressed archive (gen) (100) |


| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 3444 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Invoice 556510.exe.7z" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Version: 5.60.0 |
| 2512 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb3444.18787\Invoice 556510.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb3444.18787\Invoice 556510.exe | | WinRAR.exe | User: admin; Integrity Level: MEDIUM |
| 3640 | "C:\Windows\System32\cscript.exe" //B //Nologo C:\Users\admin\got.vbs | C:\Windows\System32\cscript.exe | | Invoice 556510.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Console Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
| 3072 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | | Invoice 556510.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft .NET Assembly Registration Utility; Version: 4.7.3062.0 built by: NET472REL1 |
| 3416 | "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\admin\AppData\Local\Temp\Rar$EXb3444.18787\Invoice 556510.exe" | C:\Windows\System32\cmd.exe | — | Invoice 556510.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 3116 | choice /C Y /N /D Y /T 3 | C:\Windows\system32\choice.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Offers the user a choice; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2900 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Exit code: 1; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 3476 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb3444.18787\Invoice 556510.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb3444.18787\Invoice 556510.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM |
| 2296 | "C:\Windows\System32\cscript.exe" //B //Nologo C:\Users\admin\got.vbs | C:\Windows\System32\cscript.exe | | Invoice 556510.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Console Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
| 2824 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | — | Invoice 556510.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft .NET Assembly Registration Utility; Exit code: 0; Version: 4.7.3062.0 built by: NET472REL1 |


| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 3444 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | |
| 3444 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | |
| 3444 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E | LanguageList | en-US |
| 3444 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\Invoice 556510.exe.7z |
| 3444 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120 |
| 3444 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80 |
| 3444 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120 |
| 3444 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100 |
| 3444 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface | ShowPassword | 0 |
| 3444 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0 |


| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3640 | cscript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\got.Lnk | lnk | 9CBD301C19B0B4DF6BCB4EE7E9023053 | 0FC6B29FCD8152BBBDB43390DAC4E9504693561D560699938A7D8733E4AF7D86 |
| 2512 | Invoice 556510.exe | C:\Users\admin\AppData\Roaming\filename.exe | executable | 83533AE101E54ED82F7D9ADCDC63ADDB | C0E6344D8F9D83C8C96687036412A535E8AEE9D543CDA1E3D95903FA0F2A17D5 |
| 3444 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3444.18787\Invoice 556510.exe | executable | 83533AE101E54ED82F7D9ADCDC63ADDB | C0E6344D8F9D83C8C96687036412A535E8AEE9D543CDA1E3D95903FA0F2A17D5 |
| 2512 | Invoice 556510.exe | C:\Users\admin\got.vbs | text | FA93E104B6BAFDAADD9F82C62FA21D01 | 4C1562A5444E82CD8CC0A6DF104786F7A3BEB3ECBE98DBD821B26FAC6BD17E6C |
| 3476 | Invoice 556510.exe | C:\Users\admin\got.vbs | text | FA93E104B6BAFDAADD9F82C62FA21D01 | 4C1562A5444E82CD8CC0A6DF104786F7A3BEB3ECBE98DBD821B26FAC6BD17E6C |
| 3072 | RegAsm.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\storage.dat | binary | 7E8F4A764B981D5B82D1CC49D341E9C6 | 0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480 |
| 2296 | cscript.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\got.Lnk | lnk | 9CBD301C19B0B4DF6BCB4EE7E9023053 | 0FC6B29FCD8152BBBDB43390DAC4E9504693561D560699938A7D8733E4AF7D86 |
| 3072 | RegAsm.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\run.dat | binary | 070F5FE261B2C43AF63E35952D82320C | 4F60536AA27BAD4323302AB3C183A24F415486CE7D5CC3274D4B44AD45C33DA4 |
| 3072 | RegAsm.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\catalog.dat | bs | 32D0AAE13696FF7F8AF33B2D22451028 | 5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29 |
| 3072 | RegAsm.exe | C:\Users\admin\AppData\Roaming\90059C37-1320-41A4-B58D-2B75A9850D2F\settings.bin | binary | 4E5E92E2369688041CC82EF9650EDED2 | F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48 |


| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 3072 | RegAsm.exe | 194.5.98.68:4302 | gatm.duckdns.org | — | FR | malicious |
| 3072 | RegAsm.exe | 8.8.8.8:53 | — | Google Inc. | US | whitelisted |

| Domain | IP | Reputation |
|---|---|---|
| gatm.duckdns.org | | malicious |

PID | Process | Class | Message |
---|---|---|---|
3072 | RegAsm.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
3072 | RegAsm.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 60B |
3072 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
3072 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
3072 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
3072 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
3072 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
3072 | RegAsm.exe | A Network Trojan was detected | MALWARE [PTsecurity] NanoCore.RAT |
3072 | RegAsm.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |
3072 | RegAsm.exe | A Network Trojan was detected | ET TROJAN Possible NanoCore C2 60B |