Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 12, 2024, 8:49 a.m.	Aug. 12, 2024, 9:13 a.m.

Size	552.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`1873f27a43f63c02800d6c80014c0235`
SHA256	`4bfcba248d79dfd6c2cba52d7c9ee18842f007bfa0e3ba99ababacb4794e8c6e`
CRC32	`B8AFE02D`
ssdeep	`12288:WLV6BtpmkzPLrQIh+ReoSwN+Jp9rQj3SHdEIzqLPxc3hHyOm:EApfzPfQ9RecEp9NzUi3JyL`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer Is_DotNET_EXE - (no description) IsPE32 - (no description)

nano.exe "C:\Users\test22\AppData\Local\Temp\nano.exe"
1508

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
91.92.240.41	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2400012	ET DROP Spamhaus DROP Listed Traffic Inbound group 13	Misc Attack
TCP 192.168.56.103:49162 -> 91.92.240.41:7575	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 91.92.240.41:7575	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 91.92.240.41:7575	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 91.92.240.41:7575	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 91.92.240.41:7575	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 91.92.240.41:7575	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046911	ET MALWARE NanoCore RAT Keepalive Response 3	A Network Trojan was detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 91.92.240.41:7575	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 91.92.240.41:7575	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 91.92.240.41:7575	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046909	ET MALWARE NanoCore RAT Keepalive Response 1	A Network Trojan was detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 91.92.240.41:7575	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 91.92.240.41:7575	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 91.92.240.41:7575	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 91.92.240.41:7575	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 91.92.240.41:7575	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 91.92.240.41:7575	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 91.92.240.41:7575	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 91.92.240.41:7575	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 91.92.240.41:7575	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 91.92.240.41:7575	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 91.92.240.41:7575	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 91.92.240.41:7575	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 91.92.240.41:7575	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected
TCP 91.92.240.41:7575 -> 192.168.56.103:49162	2046917	ET MALWARE NanoCore RAT Keep-Alive Beacon (Inbound)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49162 -> 91.92.240.41:7575	2046914	ET MALWARE NanoCore RAT CnC 7	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 12, 2024, 8:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2024, 8:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2024, 8:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2024, 8:49 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 12, 2024, 8:49 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 12, 2024, 8:49 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 12, 2024, 8:49 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 139 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00270000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00270000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74021000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74022000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00422000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00432000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00433000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00467000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00434000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00435000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00436000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef60000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00437000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00446000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00438000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00465000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02320000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02360000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02361000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02362000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02363000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02364000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02368000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02379000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0237a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0237c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0237d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00439000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0237e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0237f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d43000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d44000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d45000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 12, 2024, 8:49 a.m.	process_identifier: 1508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00452000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0006d600', u'virtual_address': u'0x00022000', u'entropy': 7.999560253638774, u'name': u'.rsrc', u'virtual_size': u'0x0006d528'}

entropy

7.99956025364

description

A section with a high entropy has been found

entropy

0.792572463768

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 12, 2024, 8:49 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

One or more of the buffers contains an embedded PE file (14 events)

buffer	Buffer with sha1: 9420a2004c14c4a5e31290936a07bd58dcaa15b3
buffer	Buffer with sha1: 636b8187f0cb59d43c9ee1eedf144043941b62d9
buffer	Buffer with sha1: 4380fb6de89a7776d52214359ce213d24a2239ad
buffer	Buffer with sha1: c19d9db351af75fec019fe76506a455eba7fd168
buffer	Buffer with sha1: c1ef2ca62189121934d1a7944ef1bdc1aa319877
buffer	Buffer with sha1: 063fb8b27c0872c54bff35e2b76d8f522e13f8b4
buffer	Buffer with sha1: 925c5236c59dd8f3efea4b3e091ef735b405a880
buffer	Buffer with sha1: c54e7c5cac5fac68dc564ce64355d948422bf1ce
buffer	Buffer with sha1: dcdec0ea839844e977c1151d2eeedbb0788a34b1
buffer	Buffer with sha1: 0c6598a0a37eaf12ce188fa66bc6c5db394af8a4
buffer	Buffer with sha1: 874b7c3c97cc5b13b9dd172fec5a54bc1f258005
buffer	Buffer with sha1: efa4948abb218e47d809bedd1aff08cfb76d40e1
buffer	Buffer with sha1: 1b68e773e3522fa8edc7cb20d7c7f156b08ec73a
buffer	Buffer with sha1: 874f3caf663265f7dd18fb565d91b7d915031251

Communicates with host for which no DNS query was performed (1 event)

host

91.92.240.41

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Aug. 12, 2024, 8:49 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

nano.exe tried to sleep 5456696 seconds, actually delayed analysis time by 5456696 seconds

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Host

reg_value

C:\Program Files (x86)\SMTP Host\smtphost.exe

Executes one or more WMI queries (3 events)

wmi	SELECT DisplayName FROM AntiSpywareProduct
wmi	SELECT DisplayName FROM FirewallProduct
wmi	SELECT DisplayName FROM AntiVirusProduct

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Local\Temp\nano.exe:Zone.Identifier

File has been identified by 62 AntiVirus engines on VirusTotal as malicious (50 out of 62 events)

Bkav	W32.AIDetectMalware.CS
Elastic	Windows.Trojan.Nanocore
CAT-QuickHeal	Trojan.Orbus.C3
Skyhigh	BehavesLike.Win32.Generic.hc
ALYac	Backdoor.MSIL.Agent.GD
Cylance	Unsafe
VIPRE	Backdoor.MSIL.Agent.GD
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan ( 700000121 )
BitDefender	Backdoor.MSIL.Agent.GD
K7GW	Trojan ( 700000121 )
Cybereason	malicious.a43f63
Arcabit	Backdoor.MSIL.Agent.GD
VirIT	Trojan.Win32.DownLoader12.BSON
Symantec	Trojan.Nancrat
tehtris	Generic.Malware
ESET-NOD32	MSIL/NanoCore.E
APEX	Malicious
McAfee	GenericRXAA-CZ!1873F27A43F6
Avast	MSIL:NanoCore-B [Trj]
ClamAV	Win.Trojan.NanoCore-9852758-0
Kaspersky	Trojan.MSIL.Agent.fpar
NANO-Antivirus	Trojan.Win32.NanoBot.hmqoyu
MicroWorld-eScan	Backdoor.MSIL.Agent.GD
Rising	Backdoor.NanoCore!1.B6F9 (CLASSIC)
Emsisoft	Trojan.NanoCore (A)
F-Secure	Trojan.TR/Dropper.MSIL.Gen7
DrWeb	Trojan.Nanocore.23
TrendMicro	BKDR_NOANCOOE.SMUPS
McAfeeD	Real Protect-LS!1873F27A43F6
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.1873f27a43f63c02
Sophos	Troj/NanoCor-BT
SentinelOne	Static AI - Malicious PE
Jiangmin	Backdoor.Generic.zwu
Google	Detected
Avira	TR/Dropper.MSIL.Gen7
MAX	malware (ai score=85)
Antiy-AVL	GrayWare/MSIL.NanoCore.a
Kingsoft	malware.kb.c.1000
Gridinsoft	Backdoor.Win32.Noancooe.cc!ni
Xcitium	Backdoor.MSIL.Noancooe.JDE@5s4u9t
Microsoft	Backdoor:MSIL/Nanocore!atmn
ViRobot	Backdoor.Win32.NanoCore.Gen.A
ZoneAlarm	Trojan.MSIL.Agent.fpar
GData	MSIL.Backdoor.Nancat.A
Varist	W32/NanoCore.C.gen!Eldorado
AhnLab-V3	Win-Trojan/Nanocore.Exp
BitDefenderTheta	Gen:NN.ZemsilF.36810.ImW@aKcFB!m
DeepInstinct	MALICIOUS

nano.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All