Edit tour

Windows Analysis Report
ZgzIenrtf5.exe

Overview

General Information

Sample Name:	ZgzIenrtf5.exe
Analysis ID:	560236
MD5:	03efbc1aa782599e235f4c1b0303ffb1
SHA1:	3877473e9e9014bc8eee7782dc81345772e832f9
SHA256:	c5d68d3abd9d6f9b094ea1bdb064ca709cc54de13f86856c4ffe34c64148c87c
Tags:	exeNanoCoreRAT
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Detected Nanocore Rat

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Yara detected Nanocore RAT

Machine Learning detection for sample

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Internet Provider seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Detected TCP or UDP traffic on non-standard ports

Classification

Process Tree

System is w10x64

ZgzIenrtf5.exe (PID: 3764 cmdline: "C:\Users\user\Desktop\ZgzIenrtf5.exe" MD5: 03EFBC1AA782599E235F4C1B0303FFB1)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "4189f41b-a3e5-405b-b524-4758becc", "Group": "2022", "Domain1": "107.173.60.45", "Domain2": "sys2021.linkpc.net", "Port": 54955, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
ZgzIenrtf5.exe	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
ZgzIenrtf5.exe	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
ZgzIenrtf5.exe	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
ZgzIenrtf5.exe	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x170a:$a: NanoCore 0x172f:$a: NanoCore 0x1788:$a: NanoCore 0x11925:$a: NanoCore 0x1194b:$a: NanoCore 0x119a7:$a: NanoCore 0x1e7fc:$a: NanoCore 0x1e855:$a: NanoCore 0x1e888:$a: NanoCore 0x1eab4:$a: NanoCore 0x1eb30:$a: NanoCore 0x1f149:$a: NanoCore 0x1f292:$a: NanoCore 0x1f766:$a: NanoCore 0x1fa4d:$a: NanoCore 0x1fa64:$a: NanoCore 0x22ded:$a: NanoCore 0x241a7:$a: NanoCore 0x241f1:$a: NanoCore 0x24e4b:$a: NanoCore 0x2a430:$a: NanoCore
Process Memory Space: ZgzIenrtf5.exe PID: 3764	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x99a3d:$x1: NanoCore.ClientPluginHost 0x111ad1:$x1: NanoCore.ClientPluginHost 0x99a67:$x2: IClientNetworkHost 0x111b0e:$x2: IClientNetworkHost 0x1155ff:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x120685:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: ZgzIenrtf5.exe PID: 3764	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: ZgzIenrtf5.exe PID: 3764	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1d1de:$a: NanoCore 0x1dd5f:$a: NanoCore 0x1dddc:$a: NanoCore 0x2c0aa:$a: NanoCore 0x2cd9b:$a: NanoCore 0x2ce18:$a: NanoCore 0x62dad:$a: NanoCore 0x63a77:$a: NanoCore 0x63af4:$a: NanoCore 0x772da:$a: NanoCore 0x77fb2:$a: NanoCore 0x7802f:$a: NanoCore 0x99a18:$a: NanoCore 0x99a3d:$a: NanoCore 0x99a96:$a: NanoCore 0x9d532:$a: NanoCore 0x9d555:$a: NanoCore 0x9d5aa:$a: NanoCore 0xa877b:$a: NanoCore 0xa879f:$a: NanoCore 0xa87f7:$a: NanoCore
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.3.ZgzIenrtf5.exe.45dcda6.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
0.3.ZgzIenrtf5.exe.45dcda6.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
0.3.ZgzIenrtf5.exe.45f6dff.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3831:$x1: NanoCore.ClientPluginHost 0x386a:$x2: IClientNetworkHost
0.3.ZgzIenrtf5.exe.45f6dff.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3831:$x2: NanoCore.ClientPluginHost 0x394c:$s4: PipeCreated 0x384b:$s5: IClientLoggingHost
0.0.ZgzIenrtf5.exe.ae0000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.0.ZgzIenrtf5.exe.ae0000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.0.ZgzIenrtf5.exe.ae0000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.0.ZgzIenrtf5.exe.ae0000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.3.ZgzIenrtf5.exe.45dcda6.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a56:$a: NanoCore 0x15aaf:$a: NanoCore 0x15ae2:$a: NanoCore 0x15d0e:$a: NanoCore 0x15d8a:$a: NanoCore 0x163a3:$a: NanoCore 0x164ec:$a: NanoCore 0x169c0:$a: NanoCore 0x16ca7:$a: NanoCore 0x16cbe:$a: NanoCore 0x1a047:$a: NanoCore 0x1b401:$a: NanoCore 0x1b44b:$a: NanoCore 0x1c0a5:$a: NanoCore 0x2168a:$a: NanoCore 0x21704:$a: NanoCore 0x2bc99:$a: NanoCore 0x2bd83:$a: NanoCore
0.3.ZgzIenrtf5.exe.45f6dff.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x13a8:$a: NanoCore 0x13f2:$a: NanoCore 0x204c:$a: NanoCore 0x7631:$a: NanoCore 0x76ab:$a: NanoCore 0x11c40:$a: NanoCore 0x11d2a:$a: NanoCore 0x12ba1:$a: NanoCore 0x1bd4b:$a: NanoCore 0x1bdac:$a: NanoCore 0x1bdef:$a: NanoCore 0x1be2f:$a: NanoCore 0x1c06b:$a: NanoCore 0x1c10b:$a: NanoCore 0x1c8e3:$a: NanoCore 0x1ced6:$a: NanoCore 0x1d027:$a: NanoCore 0x1de81:$a: NanoCore 0x1e0e8:$a: NanoCore 0x1e0fd:$a: NanoCore 0x1e11c:$a: NanoCore
0.3.ZgzIenrtf5.exe.45f13d1.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0x5a1c:$a: NanoCore 0x6dd6:$a: NanoCore 0x6e20:$a: NanoCore 0x7a7a:$a: NanoCore 0xd05f:$a: NanoCore 0xd0d9:$a: NanoCore 0x1766e:$a: NanoCore 0x17758:$a: NanoCore 0x185cf:$a: NanoCore 0x21779:$a: NanoCore 0x217da:$a: NanoCore
Click to see the 6 entries

Sigma Overview

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\ZgzIenrtf5.exe, ProcessId: 3764, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\ZgzIenrtf5.exe, ProcessId: 3764, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\ZgzIenrtf5.exe, ProcessId: 3764, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\ZgzIenrtf5.exe, ProcessId: 3764, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "4189f41b-a3e5-405b-b524-4758becc", "Group": "2022", "Domain1": "107.173.60.45", "Domain2": "sys2021.linkpc.net", "Port": 54955, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Multi AV Scanner detection for submitted file

Source: ZgzIenrtf5.exe	Virustotal: Detection: 86%	Perma Link
Source: ZgzIenrtf5.exe	Metadefender: Detection: 85%	Perma Link
Source: ZgzIenrtf5.exe	ReversingLabs: Detection: 100%

Antivirus / Scanner detection for submitted sample

Source: ZgzIenrtf5.exe

Avira: detected

Antivirus detection for URL or domain

Source: 107.173.60.45

Avira URL Cloud: Label: malware

Yara detected Nanocore RAT

Source: Yara match	File source: ZgzIenrtf5.exe, type: SAMPLE
Source: Yara match	File source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ZgzIenrtf5.exe PID: 3764, type: MEMORYSTR

Machine Learning detection for sample

Source: ZgzIenrtf5.exe

Joe Sandbox ML: detected

Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack

Avira: Label: TR/Dropper.MSIL.Gen7

Source: ZgzIenrtf5.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: C:\Users\user\Desktop\ZgzIenrtf5.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp

Networking

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49760 -> 107.173.60.45:54955
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49764 -> 107.173.60.45:54955
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49765 -> 107.173.60.45:54955
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49766 -> 107.173.60.45:54955
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49767 -> 107.173.60.45:54955
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49770 -> 107.173.60.45:54955
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49771 -> 107.173.60.45:54955
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49772 -> 107.173.60.45:54955
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49773 -> 107.173.60.45:54955
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49780 -> 107.173.60.45:54955
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49782 -> 107.173.60.45:54955
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49790 -> 107.173.60.45:54955
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49792 -> 107.173.60.45:54955
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49800 -> 107.173.60.45:54955
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49816 -> 107.173.60.45:54955
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49833 -> 107.173.60.45:54955
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49835 -> 107.173.60.45:54955
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49836 -> 107.173.60.45:54955
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49851 -> 107.173.60.45:54955
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49864 -> 107.173.60.45:54955
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49865 -> 107.173.60.45:54955
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49866 -> 107.173.60.45:54955

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: 107.173.60.45
Source: Malware configuration extractor	URLs: sys2021.linkpc.net

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: global traffic

TCP traffic: 192.168.2.7:49760 -> 107.173.60.45:54955

Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45
Source: unknown	TCP traffic detected without corresponding DNS query: 107.173.60.45

Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://google.com

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: ZgzIenrtf5.exe, type: SAMPLE
Source: Yara match	File source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ZgzIenrtf5.exe PID: 3764, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: ZgzIenrtf5.exe, type: SAMPLE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: ZgzIenrtf5.exe, type: SAMPLE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.ZgzIenrtf5.exe.45dcda6.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.ZgzIenrtf5.exe.45f6dff.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.ZgzIenrtf5.exe.45dcda6.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.ZgzIenrtf5.exe.45f6dff.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.3.ZgzIenrtf5.exe.45f13d1.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: ZgzIenrtf5.exe PID: 3764, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: ZgzIenrtf5.exe PID: 3764, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: ZgzIenrtf5.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: ZgzIenrtf5.exe, type: SAMPLE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: ZgzIenrtf5.exe, type: SAMPLE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: ZgzIenrtf5.exe, type: SAMPLE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.ZgzIenrtf5.exe.45dcda6.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.ZgzIenrtf5.exe.45dcda6.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.3.ZgzIenrtf5.exe.45f6dff.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.3.ZgzIenrtf5.exe.45f6dff.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.ZgzIenrtf5.exe.45dcda6.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.ZgzIenrtf5.exe.45f6dff.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.3.ZgzIenrtf5.exe.45f13d1.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: ZgzIenrtf5.exe PID: 3764, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: ZgzIenrtf5.exe PID: 3764, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs ZgzIenrtf5.exe
Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs ZgzIenrtf5.exe
Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs ZgzIenrtf5.exe
Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs ZgzIenrtf5.exe
Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs ZgzIenrtf5.exe
Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs ZgzIenrtf5.exe
Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs ZgzIenrtf5.exe
Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs ZgzIenrtf5.exe
Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs ZgzIenrtf5.exe
Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs ZgzIenrtf5.exe
Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNAudio.dll4 vs ZgzIenrtf5.exe
Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs ZgzIenrtf5.exe
Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs ZgzIenrtf5.exe

Source: ZgzIenrtf5.exe

Static PE information: Section: .rsrc ZLIB complexity 0.999866071429

Source: ZgzIenrtf5.exe	Virustotal: Detection: 86%
Source: ZgzIenrtf5.exe	Metadefender: Detection: 85%
Source: ZgzIenrtf5.exe	ReversingLabs: Detection: 100%

Source: C:\Users\user\Desktop\ZgzIenrtf5.exe

File read: C:\Users\user\Desktop\ZgzIenrtf5.exe

Jump to behavior

Source: ZgzIenrtf5.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ZgzIenrtf5.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\ZgzIenrtf5.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Source: C:\Users\user\Desktop\ZgzIenrtf5.exe

File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/5@0/1

Source: ZgzIenrtf5.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: ZgzIenrtf5.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{4189f41b-a3e5-405b-b524-4758beccda47}
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: ZgzIenrtf5.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: ZgzIenrtf5.exe, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: ZgzIenrtf5.exe, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Users\user\Desktop\ZgzIenrtf5.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Source: C:\Users\user\Desktop\ZgzIenrtf5.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source: ZgzIenrtf5.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: ZgzIenrtf5.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: ZgzIenrtf5.exe, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: ZgzIenrtf5.exe, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: ZgzIenrtf5.exe, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\ZgzIenrtf5.exe

File opened: C:\Users\user\Desktop\ZgzIenrtf5.exe:Zone.Identifier read attributes | delete

Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\ZgzIenrtf5.exe TID: 6196

Thread sleep time: -922337203685477s >= -30000s

Source: C:\Users\user\Desktop\ZgzIenrtf5.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Window / User API: foregroundWindowGot 681
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	Window / User API: foregroundWindowGot 709

Source: C:\Users\user\Desktop\ZgzIenrtf5.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\ZgzIenrtf5.exe

Thread delayed: delay time: 922337203685477

Source: ZgzIenrtf5.exe, 00000000.00000003.428666489.0000000001239000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.345115199.0000000001230000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.310965222.0000000001230000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.327147578.0000000001239000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.377753622.0000000001230000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.345264925.0000000001239000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\ZgzIenrtf5.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\ZgzIenrtf5.exe

Memory allocated: page read and write | page guard

Source: ZgzIenrtf5.exe, 00000000.00000003.377753622.0000000001230000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managern has been aborted because of either a thread exit or an application request.
Source: ZgzIenrtf5.exe, 00000000.00000003.267807619.000000000127A000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.428823908.0000000001275000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.311041106.0000000001275000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.345144821.0000000001265000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.428666489.0000000001239000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.268003698.000000000127A000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.269915949.000000000127A000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.269371251.000000000127A000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.264789773.0000000001279000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.264327717.0000000001279000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.266555878.0000000001279000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.327181994.0000000001265000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.311025603.0000000001265000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.269207163.000000000127A000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.416726966.000000000125C000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.271493996.000000000127A000.00000004.00000020.00020000.00000000.sdmp, ZgzIenrtf5.exe, 00000000.00000003.270074289.000000000127A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\ZgzIenrtf5.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\ZgzIenrtf5.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: ZgzIenrtf5.exe, type: SAMPLE
Source: Yara match	File source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ZgzIenrtf5.exe PID: 3764, type: MEMORYSTR

Remote Access Functionality

Detected Nanocore Rat

Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: ZgzIenrtf5.exe, 00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: ZgzIenrtf5.exe	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Source: Yara match	File source: ZgzIenrtf5.exe, type: SAMPLE
Source: Yara match	File source: 0.0.ZgzIenrtf5.exe.ae0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ZgzIenrtf5.exe PID: 3764, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	Path Interception	1 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Non-Standard Port	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Remote Access Software	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Hidden Files and Directories	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	12 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ZgzIenrtf5.exe	87%	Virustotal		Browse
ZgzIenrtf5.exe	85%	Metadefender		Browse
ZgzIenrtf5.exe	100%	ReversingLabs	ByteCode-MSIL.Backdoor.NanoCore
ZgzIenrtf5.exe	100%	Avira	TR/Dropper.MSIL.Gen7
ZgzIenrtf5.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.ZgzIenrtf5.exe.ae0000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
107.173.60.45	1%	Virustotal		Browse
107.173.60.45	100%	Avira URL Cloud	malware

Name	Malicious	Antivirus Detection	Reputation
107.173.60.45	true	1%, Virustotal, Browse Avira URL Cloud: malware	unknown
sys2021.linkpc.net	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://google.com	ZgzIenrtf5.exe, 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
107.173.60.45	unknown	United States		36352	AS-COLOCROSSINGUS	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	560236
Start date:	26.01.2022
Start time:	09:45:02
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 16s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	ZgzIenrtf5.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/5@0/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
TCP Packets have been reduced to 100
Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
09:46:06	API Interceptor	972x Sleep call for process: ZgzIenrtf5.exe modified

Process:	C:\Users\user\Desktop\ZgzIenrtf5.exe
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	7.089541637477408
Encrypted:	false
SSDEEP:	3:XrURGizD7cnRNGbgCFKRNX/pBK0jCV83ne+VdWPiKgmR7kkmefoeLBizbCuVkqYM:X4LDAnybgCFcps0OafmCYDlizZr/i/Oh
MD5:	9E7D0351E4DF94A9B0BADCEB6A9DB963
SHA1:	76C6A69B1C31CEA2014D1FD1E222A3DD1E433005
SHA-256:	AAFC7B40C5FE680A2BB549C3B90AABAAC63163F74FFFC0B00277C6BBFF88B757
SHA-512:	93CCF7E046A3C403ECF8BC4F1A8850BA0180FE18926C98B297C5214EB77BC212C8FBCC58412D0307840CF2715B63BE68BACDA95AA98E82835C5C53F17EF38511
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Download File

Process:	C:\Users\user\Desktop\ZgzIenrtf5.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:dfl:d9
MD5:	74D04D3CBC86F9FA0D26B5D5CA6F3765
SHA1:	EF3A51C5729BF22CFB8B1AECDC51063879D1170A
SHA-256:	7F87D5B04B82515C9271FC7746408DBB028581F2F0EDA62599FDE036B80E8516
SHA-512:	3F8E9260A3942BD6E0FEC80DFDD92471AB1A0A7B6DF6D7D502DD8A059F132AE804EF04AAC473862EC7E14DF1725EA777D0276A7975B8AD1D94324352B6F72250
Malicious:	true
Reputation:	low
Preview:	{.....H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak

Download File

Process:	C:\Users\user\Desktop\ZgzIenrtf5.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	4.501629167387823
Encrypted:	false
SSDEEP:	3:9bzY6oRDIvYk:RzWDI3
MD5:	ACD3FB4310417DC77FE06F15B0E353E6
SHA1:	80E7002E655EB5765FDEB21114295CB96AD9D5EB
SHA-256:	DC3AE604991C9BB8FF8BC4502AE3D0DB8A3317512C0F432490B103B89C1A4368
SHA-512:	DA46A917DB6276CD4528CFE4AD113292D873CA2EBE53414730F442B83502E5FAF3D1AE87BFA295ADF01E3B44FDBCE239E21A318BFB2CCD1F4753846CB21F6F97
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	9iH...}Z.4..f..J".C;"a

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin

Download File

Process:	C:\Users\user\Desktop\ZgzIenrtf5.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	5.153055907333276
Encrypted:	false
SSDEEP:	3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5:	4E5E92E2369688041CC82EF9650EDED2
SHA1:	15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256:	F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512:	1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat

Download File

Process:	C:\Users\user\Desktop\ZgzIenrtf5.exe
File Type:	data
Category:	dropped
Size (bytes):	426832
Entropy (8bit):	7.999527918131335
Encrypted:	true
SSDEEP:	6144:zKfHbamD8WN+JQYrjM7Ei2CsFJjyh9zvgPonV5HqZcPVT4Eb+Z6no3QSzjeMsdF/:zKf137EiDsTjevgArYcPVLoTQS+0iv
MD5:	653DDDCB6C89F6EC51F3DDC0053C5914
SHA1:	4CF7E7D42495CE01C261E4C5C4B8BF6CD76CCEE5
SHA-256:	83B9CAE66800C768887FB270728F6806CBEBDEAD9946FA730F01723847F17FF9
SHA-512:	27A467F2364C21CD1C6C34EF1CA5FFB09B4C3180FC9C025E293374EB807E4382108617BB4B97F8EBBC27581CD6E5988BB5E21276B3CB829C1C0E49A6FC9463A0
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	..g&jo...IPg...GM....R>i...o...I.>.&.r{....8...}...E....v.!7.u3e.. .....db...}.......".t(.xC9.cp.B....7...'.......%......w.^.._.......B.W%.<..i.0.{9.xS...5...)..w..$..C..?`F..u.5.T.X.w'Si..z.n{...Y!m...RA...xg....[7...z..9@.K.-...T..+.ACe....R....enO.....AoNMT.\^....}H&..4I...B.:..@..J...v..rI5..kP......2j....B..B.~.T..>.c..emW;Rn<9..[.r.o....R[....@=...:...L.g<.....I..%4[.G^.~.l'......v.p&.........+..S...9d/.{..H.`@.1..........f.\s...X.a.].<.h...J4...k.x....%3.......3.c..?%....>.!.}..)(.{...H...3..`'].Q.[sN..JX(.%pH....+......(...v.....H...3..8.a_..J..?4...y.N(..D.h..g.jD..I...44Q?..N......oX.A......l...n?./..........$.!..;.^9"H...........OkF....v.m_.e.v..f...."..bq{.....O.-....%R+...-..P.i..t5....2Z# ...#...,L..{..j..heT -=Z.P;...g.m)<owJ].J..../.p..8.u8.&..#.m9...j%..g&....g.x.I,....u.[....>./W...........X...bZ...ex.0..x.}.....Tb...[..H_M._.^N.d&...g._."@4N.pDs].GbT.......&p........Nw...%$=.....{..J.1....2....<E{..<!G..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.44950897695562
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	ZgzIenrtf5.exe
File size:	207360
MD5:	03efbc1aa782599e235f4c1b0303ffb1
SHA1:	3877473e9e9014bc8eee7782dc81345772e832f9
SHA256:	c5d68d3abd9d6f9b094ea1bdb064ca709cc54de13f86856c4ffe34c64148c87c
SHA512:	15ac77a5d18d1820a1fa72bcb74b13fe1eeffc12d0899af4a8da94d3abe3947dfbf2a55258d896ee76cb9dd50717e2738daea2a630bbe80e00c0d1ad90319511
SSDEEP:	6144:gLV6Bta6dtJmakIM5D6xUtdHfBTQxVqtjreE:gLV6Btpmkxkd/FcVqx9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'.T.....................`........... ........@.. .....................................................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x41e792
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:
Time Stamp:	0x54E927A1 [Sun Feb 22 00:49:37 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:	v2.0.50727
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1e738	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x22000	0x15da0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x20000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1c798	0x1c800	False	0.594512404057	data	6.59808579998	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.reloc	0x20000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x22000	0x15da0	0x15e00	False	0.999866071429	data	7.99790613337	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_RCDATA	0x22058	0x15d48	TIM image, Pixel at (56860,48781) Size=63345x11644

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/26/22-09:46:08.216157	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49760	54955	192.168.2.7	107.173.60.45
01/26/22-09:46:14.116786	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49764	54955	192.168.2.7	107.173.60.45
01/26/22-09:46:18.682717	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49765	54955	192.168.2.7	107.173.60.45
01/26/22-09:46:23.198746	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49766	54955	192.168.2.7	107.173.60.45
01/26/22-09:46:27.683212	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49767	54955	192.168.2.7	107.173.60.45
01/26/22-09:46:34.008137	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49770	54955	192.168.2.7	107.173.60.45
01/26/22-09:46:38.414028	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49771	54955	192.168.2.7	107.173.60.45
01/26/22-09:46:42.949617	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49772	54955	192.168.2.7	107.173.60.45
01/26/22-09:46:49.268783	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49773	54955	192.168.2.7	107.173.60.45
01/26/22-09:46:55.337640	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49780	54955	192.168.2.7	107.173.60.45
01/26/22-09:47:01.657634	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49782	54955	192.168.2.7	107.173.60.45
01/26/22-09:47:07.950589	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49790	54955	192.168.2.7	107.173.60.45
01/26/22-09:47:13.975269	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49792	54955	192.168.2.7	107.173.60.45
01/26/22-09:47:20.932232	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49800	54955	192.168.2.7	107.173.60.45
01/26/22-09:47:27.448467	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49816	54955	192.168.2.7	107.173.60.45
01/26/22-09:47:35.133123	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49833	54955	192.168.2.7	107.173.60.45
01/26/22-09:47:41.265641	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49835	54955	192.168.2.7	107.173.60.45
01/26/22-09:47:47.299230	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49836	54955	192.168.2.7	107.173.60.45
01/26/22-09:47:53.344216	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49851	54955	192.168.2.7	107.173.60.45
01/26/22-09:47:59.343769	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49864	54955	192.168.2.7	107.173.60.45
01/26/22-09:48:03.797518	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49865	54955	192.168.2.7	107.173.60.45
01/26/22-09:48:09.718980	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49866	54955	192.168.2.7	107.173.60.45

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 26, 2022 09:46:07.985819101 CET	49760	54955	192.168.2.7	107.173.60.45
Jan 26, 2022 09:46:08.101031065 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:08.101176977 CET	49760	54955	192.168.2.7	107.173.60.45
Jan 26, 2022 09:46:08.216156960 CET	49760	54955	192.168.2.7	107.173.60.45
Jan 26, 2022 09:46:08.361574888 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:08.361695051 CET	49760	54955	192.168.2.7	107.173.60.45
Jan 26, 2022 09:46:08.531954050 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:08.532068968 CET	49760	54955	192.168.2.7	107.173.60.45
Jan 26, 2022 09:46:08.647684097 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:08.647931099 CET	49760	54955	192.168.2.7	107.173.60.45
Jan 26, 2022 09:46:08.828762054 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:08.828849077 CET	49760	54955	192.168.2.7	107.173.60.45
Jan 26, 2022 09:46:09.000732899 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.000848055 CET	49760	54955	192.168.2.7	107.173.60.45
Jan 26, 2022 09:46:09.169156075 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.169193983 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.169219017 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.169240952 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.169286013 CET	49760	54955	192.168.2.7	107.173.60.45
Jan 26, 2022 09:46:09.169306993 CET	49760	54955	192.168.2.7	107.173.60.45
Jan 26, 2022 09:46:09.284141064 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.284171104 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.284183979 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.284197092 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.284218073 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.284231901 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.284246922 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.284264088 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.284272909 CET	49760	54955	192.168.2.7	107.173.60.45
Jan 26, 2022 09:46:09.284296036 CET	49760	54955	192.168.2.7	107.173.60.45
Jan 26, 2022 09:46:09.284439087 CET	49760	54955	192.168.2.7	107.173.60.45
Jan 26, 2022 09:46:09.399014950 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.399044037 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.399060965 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.399077892 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.399094105 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.399108887 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.399126053 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.399142027 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.399162054 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.399184942 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.399199963 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.399215937 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.399229050 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.399234056 CET	49760	54955	192.168.2.7	107.173.60.45
Jan 26, 2022 09:46:09.399245024 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.399252892 CET	49760	54955	192.168.2.7	107.173.60.45
Jan 26, 2022 09:46:09.399262905 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.399272919 CET	49760	54955	192.168.2.7	107.173.60.45
Jan 26, 2022 09:46:09.399280071 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.399327993 CET	49760	54955	192.168.2.7	107.173.60.45
Jan 26, 2022 09:46:09.399333000 CET	49760	54955	192.168.2.7	107.173.60.45
Jan 26, 2022 09:46:09.514070034 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.514096975 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.514115095 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.514137983 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.514153957 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.514158010 CET	49760	54955	192.168.2.7	107.173.60.45
Jan 26, 2022 09:46:09.514177084 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.514182091 CET	49760	54955	192.168.2.7	107.173.60.45
Jan 26, 2022 09:46:09.514197111 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.514214993 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.514231920 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.514249086 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.514249086 CET	49760	54955	192.168.2.7	107.173.60.45
Jan 26, 2022 09:46:09.514266014 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.514282942 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.514295101 CET	49760	54955	192.168.2.7	107.173.60.45
Jan 26, 2022 09:46:09.514298916 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.514298916 CET	49760	54955	192.168.2.7	107.173.60.45
Jan 26, 2022 09:46:09.514317036 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.514333963 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.514352083 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.514369011 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.514379978 CET	49760	54955	192.168.2.7	107.173.60.45
Jan 26, 2022 09:46:09.514384985 CET	49760	54955	192.168.2.7	107.173.60.45
Jan 26, 2022 09:46:09.514384985 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.514401913 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.514417887 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.514430046 CET	49760	54955	192.168.2.7	107.173.60.45
Jan 26, 2022 09:46:09.514432907 CET	49760	54955	192.168.2.7	107.173.60.45
Jan 26, 2022 09:46:09.514434099 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.514451981 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.514467955 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.514483929 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.514501095 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.514516115 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.514518976 CET	49760	54955	192.168.2.7	107.173.60.45
Jan 26, 2022 09:46:09.514523983 CET	49760	54955	192.168.2.7	107.173.60.45
Jan 26, 2022 09:46:09.514533997 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.514550924 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.514566898 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.514570951 CET	49760	54955	192.168.2.7	107.173.60.45
Jan 26, 2022 09:46:09.514575005 CET	49760	54955	192.168.2.7	107.173.60.45
Jan 26, 2022 09:46:09.514626026 CET	49760	54955	192.168.2.7	107.173.60.45
Jan 26, 2022 09:46:09.514628887 CET	49760	54955	192.168.2.7	107.173.60.45
Jan 26, 2022 09:46:09.629300117 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.629331112 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.629350901 CET	54955	49760	107.173.60.45	192.168.2.7
Jan 26, 2022 09:46:09.629373074 CET	54955	49760	107.173.60.45	192.168.2.7

Target ID:	0
Start time:	09:46:03
Start date:	26/01/2022
Path:	C:\Users\user\Desktop\ZgzIenrtf5.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ZgzIenrtf5.exe"
Imagebase:	0xae0000
File size:	207360 bytes
MD5 hash:	03EFBC1AA782599E235F4C1B0303FFB1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000000.253185094.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: NanoCore, Description: unknown, Source: 00000000.00000003.266607534.00000000045D4000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ZgzIenrtf5.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

AV Detection

E-Banking Fraud

Stealing of Sensitive Information

Remote Access Functionality

Jbx Signature Overview

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
ZgzIenrtf5.exe