* MalFamily: "Nanocore" * MalScore: 10.0 * File Name: "Exes_120ac87de83f6000b83d11f1af0c116f.exe" * File Size: 1489408 * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows" * SHA256: "25b1a5c25a791e60d5f5568750b3f549e22f5aee87182d4ff34af46723e65d46" * MD5: "120ac87de83f6000b83d11f1af0c116f" * SHA1: "c8c6ef84a82752beba33f8fee3d682c8319b340b" * SHA512: "9f078f29cc260d7416ef482a6c50c976b2362dccfbeacf323e6f1301e67e5922abefa0beabc3cfaabf086afc6cb9c31698501c5b80cd0ded899ddb34246a38e8" * CRC32: "EF7365FA" * SSDEEP: "24576:xAHnh+eWsN3skA4RV1Hom2KXMmHacHdsFuP1dRIvCSenL1j7UGy6tviA9JzBhf+5:Ih+ZkldoPK8YacHdsFuP1gvCfJ1JQ" * Process Execution: "Exes_120ac87de83f6000b83d11f1af0c116f.exe", "RegAsm.exe", "schtasks.exe", "svchost.exe" * Executed Commands: "\"schtasks.exe\" /create /f /tn \"DSL Subsystem\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp1C44.tmp\"" * Signatures Detected: "Description": "Attempts to connect to a dead IP:Port (1 unique times)", "Details": "IP": "79.134.225.84:6734" "Description": "Creates RWX memory", "Details": "Description": "A process attempted to delay the analysis task.", "Details": "Process": "RegAsm.exe tried to sleep 1159 seconds, actually delayed analysis time by 0 seconds" "Description": "At least one IP Address, Domain, or File Name was found in a crypto call", "Details": "ioc": "v2.0.50727" "ioc": "2.0.0.0" "Description": "Expresses interest in specific running processes", "Details": "process": "svchost.exe" "process": "RegAsm.exe" "Description": "Reads data out of its own binary image", "Details": "self_read": "process: Exes_120ac87de83f6000b83d11f1af0c116f.exe, pid: 996, offset: 0x00000000, length: 0x0016ba00" "self_read": "process: RegAsm.exe, pid: 2508, offset: 0x00000000, length: 0x00001000" "self_read": "process: RegAsm.exe, pid: 2508, offset: 0x00000080, length: 0x00000200" "self_read": "process: RegAsm.exe, pid: 2508, offset: 0x00000178, length: 0x00000200" "self_read": "process: RegAsm.exe, pid: 2508, offset: 
0x0000a720, length: 0x00000200" "self_read": "process: RegAsm.exe, pid: 2508, offset: 0x0000a73c, length: 0x00000200" "Description": "A process created a hidden window", "Details": "Process": "RegAsm.exe -> \"schtasks.exe\" /create /f /tn \"DSL Subsystem\" /xml \"C:\\Users\\user\\AppData\\Local\\Temp\\tmp1C44.tmp\"" "Description": "The binary likely contains encrypted or compressed data.", "Details": "section": "name: .rsrc, entropy: 7.95, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x000a1400, virtual_size: 0x000a12a8" "Description": "Executed a process and injected code into it, probably while unpacking", "Details": "Injection": "Exes_120ac87de83f6000b83d11f1af0c116f.exe(996) -> RegAsm.exe(2508)" "Description": "Attempts to remove evidence of file being downloaded from the Internet", "Details": "file": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe:Zone.Identifier" "Description": "Attempts to execute a Living Off The Land Binary command for post exploitation", "Details": "MITRE T1078 - schtask": "(Tactic: Execution, Persistence, Privilege Escalation)" "Description": "Installs itself for autorun at Windows startup", "Details": "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\kqgsEXCwcJ" "data": "C:\\Users\\Public\\kqgsEXCwcJ.vbs" "Description": "Exhibits behavior characteristic of Nanocore RAT", "Details": "Description": "File has been identified by 27 Antiviruses on VirusTotal as malicious", "Details": "FireEye": "Generic.mg.120ac87de83f6000" "McAfee": "Trojan-AitInject.aq" "Malwarebytes": "Trojan.MalPack.AutoIt" "CrowdStrike": "win/malicious_confidence_90% (W)" "F-Prot": "W32/AutoIt.IJ.gen!Eldorado" "APEX": "Malicious" "Kaspersky": "Backdoor.MSIL.NanoBot.atwe" "Paloalto": "generic.ml" "Endgame": "malicious (high confidence)" "Invincea": "heuristic" "McAfee-GW-Edition": "BehavesLike.Win32.Downloader.tc" "Trapmine": "malicious.moderate.ml.score" "Cyren": "W32/AutoIt.IJ.gen!Eldorado" 
"Antiy-AVL": "Trojan/Generic.ASVCS3S.1E5" "Microsoft": "Trojan:Win32/Wacatac.B!ml" "ZoneAlarm": "Backdoor.MSIL.NanoBot.atwe" "GData": "MSIL.Backdoor.Nancat.WKFI4R" "AhnLab-V3": "Malware/Win32.RL_Generic.R285364" "Acronis": "suspicious" "Cylance": "Unsafe" "ESET-NOD32": "a variant of Win32/Injector.Autoit.EEV" "TrendMicro-HouseCall": "TROJ_GEN.R020H06H819" "Ikarus": "Trojan.Autoit" "MaxSecure": "Trojan.Malware.300983.susgen" "Fortinet": "AutoIt/Injector.EEV!tr" "Cybereason": "malicious.4a8275" "Qihoo-360": "HEUR/QVM10.1.1689.Malware.Gen" "Description": "Creates a slightly modified copy of itself", "Details": "file": "C:\\Users\\user\\AppData\\Roaming\\GfxUIEx\\tttracer.bat" "percent_match": 100 "Description": "Collects information to fingerprint the system", "Details": "Description": "Anomalous binary characteristics", "Details": "anomaly": "Actual checksum does not match that reported in PE header" * Started Service: * Mutexes: "Global\\CLR_CASOFF_MUTEX", "Global\\72291699-88f4-4a61-86bc-93c11f1ceaba", "Global\\.net clr networking" * Modified Files: "C:\\Users\\user\\AppData\\Roaming\\GfxUIEx\\tttracer.bat", "C:\\Users\\Public\\kqgsEXCwcJ.vbs", "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\run.dat", "C:\\Users\\user\\AppData\\Local\\Temp\\tmp1C44.tmp", "C:\\Users\\user\\AppData\\Roaming\\C1515A12-1764-4632-ACE9-A9DFF9253200\\task.dat", "C:\\Windows\\sysnative\\Tasks\\DSL Subsystem", "\\Device\\LanmanDatagramReceiver", "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb", "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk" * Deleted Files: "C:\\Users\\user\\AppData\\Local\\Temp\\tmp1C44.tmp", "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe:Zone.Identifier", "C:\\Windows\\Tasks\\DSL Subsystem.job", "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log" * Modified Registry Keys: "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\kqgsEXCwcJ", 
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\C1D9A312-A6FE-40E8-9092-8D0FAB8741C7\\Path", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\C1D9A312-A6FE-40E8-9092-8D0FAB8741C7\\Hash", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\DSL Subsystem\\Id", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\DSL Subsystem\\Index", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\C1D9A312-A6FE-40E8-9092-8D0FAB8741C7\\Triggers" * Deleted Registry Keys: "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\DSL Subsystem.job", "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\DSL Subsystem.job.fp" * DNS Communications: "type": "A", "request": "cally.duckdns.org", "answers": "data": "79.134.225.84", "type": "A" * Domains: "ip": "79.134.225.84", "domain": "cally.duckdns.org" * Network Communication - ICMP: * Network Communication - HTTP: * Network Communication - SMTP: * Network Communication - Hosts: * Network Communication - IRC: