Windows
Analysis Report
U7Ncg7oAyC.exe
Overview
General Information
Detection
Nanocore
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Connects to many ports of the same IP (likely port scanning)
Protects its processes via BreakOnTermination flag
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- U7Ncg7oAyC.exe (PID: 6284 cmdline: "C:\Users\user\Desktop\U7Ncg7oAyC.exe" MD5: 1D2CA2D522F8F4E99609CF7E88E673B4)
  - powershell.exe (PID: 6456 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe" MD5: DBA3E6449E97D4E3DF64527EF7012A10)
    - conhost.exe (PID: 6468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - schtasks.exe (PID: 6476 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmp43AF.tmp" MD5: 15FF7D8324231381BAD48A052F85DF04)
    - conhost.exe (PID: 6672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - U7Ncg7oAyC.exe (PID: 6752 cmdline: C:\Users\user\Desktop\U7Ncg7oAyC.exe MD5: 1D2CA2D522F8F4E99609CF7E88E673B4)
  - schtasks.exe (PID: 4132 cmdline: "schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp6DAD.tmp" MD5: 15FF7D8324231381BAD48A052F85DF04)
    - conhost.exe (PID: 1328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - schtasks.exe (PID: 4352 cmdline: "schtasks.exe" /create /f /tn "DHCP Monitor Task" /xml "C:\Users\user\AppData\Local\Temp\tmp7772.tmp" MD5: 15FF7D8324231381BAD48A052F85DF04)
    - conhost.exe (PID: 3572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- U7Ncg7oAyC.exe (PID: 2860 cmdline: C:\Users\user\Desktop\U7Ncg7oAyC.exe 0 MD5: 1D2CA2D522F8F4E99609CF7E88E673B4)
  - powershell.exe (PID: 5684 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe" MD5: DBA3E6449E97D4E3DF64527EF7012A10)
    - conhost.exe (PID: 4948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - schtasks.exe (PID: 6168 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpCCF4.tmp" MD5: 15FF7D8324231381BAD48A052F85DF04)
    - conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - U7Ncg7oAyC.exe (PID: 6568 cmdline: C:\Users\user\Desktop\U7Ncg7oAyC.exe MD5: 1D2CA2D522F8F4E99609CF7E88E673B4)
- dhcpmon.exe (PID: 5308 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0 MD5: 1D2CA2D522F8F4E99609CF7E88E673B4)
  - powershell.exe (PID: 6944 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe" MD5: DBA3E6449E97D4E3DF64527EF7012A10)
    - conhost.exe (PID: 6508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - schtasks.exe (PID: 1556 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" /XML "C:\Users\user\AppData\Local\Temp\tmpE07C.tmp" MD5: 15FF7D8324231381BAD48A052F85DF04)
    - conhost.exe (PID: 6480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - dhcpmon.exe (PID: 640 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 1D2CA2D522F8F4E99609CF7E88E673B4)
- dhcpmon.exe (PID: 5256 cmdline: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" MD5: 1D2CA2D522F8F4E99609CF7E88E673B4)
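The two persistence and defence-evasion behaviours the signatures flag ("Adds a directory exclusion to Windows Defender" and "Uses schtasks.exe or at.exe to add and modify task schedules") are both visible in the command lines above. The following detection logic is an added example, not part of the sandbox report or of NanoCore itself: it runs over a handful of (PID, image, command line) tuples copied from the process tree and flags a PowerShell `Add-MpPreference -ExclusionPath` call whose excluded path lies under a user-writable directory, and a `schtasks /create` whose task XML is read from `%LOCALAPPDATA%\Temp`. The rule names, severities and the `analyze` function are this example's own conventions; the regular expressions are deliberately case-insensitive because the sample mixes `/Create /TN` and `/create /f /tn`.

```python
import re

# Process-tree entries copied from the sandbox report above: (pid, image, cmdline).
# This is a static sample for the example, not live telemetry.
PROCESS_TREE = [
    (6284, "U7Ncg7oAyC.exe", r'"C:\Users\user\Desktop\U7Ncg7oAyC.exe"'),
    (6456, "powershell.exe", r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                             r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\LYKZypsugb.exe"'),
    (6468, "conhost.exe", r'C:\Windows\system32\conhost.exe 0xffffffff -ForceV1'),
    (6476, "schtasks.exe", r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LYKZypsugb" '
                           r'/XML "C:\Users\user\AppData\Local\Temp\tmp43AF.tmp"'),
    (6752, "U7Ncg7oAyC.exe", r'C:\Users\user\Desktop\U7Ncg7oAyC.exe'),
    (4132, "schtasks.exe", r'"schtasks.exe" /create /f /tn "DHCP Monitor" '
                           r'/xml "C:\Users\user\AppData\Local\Temp\tmp6DAD.tmp"'),
    (4352, "schtasks.exe", r'"schtasks.exe" /create /f /tn "DHCP Monitor Task" '
                           r'/xml "C:\Users\user\AppData\Local\Temp\tmp7772.tmp"'),
    (5308, "dhcpmon.exe", r'"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0'),
]

# Add-MpPreference with any of the exclusion parameters; group 1 is the excluded value.
DEFENDER_EXCLUSION = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+\"?([^\"]+)", re.IGNORECASE)
# Anything under a user profile's AppData (Roaming, Local, Local\Temp) counts as user-writable.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)

SCHTASKS_CREATE = re.compile(r"/create\b", re.IGNORECASE)
# Task name: quoted or bare, terminated by the next /switch or end of line.
SCHTASKS_TN = re.compile(r"/tn\s+\"?([^\"]+?)\"?(?=\s+/|$)", re.IGNORECASE)
SCHTASKS_XML = re.compile(r"/xml\s+\"?([^\"]+)", re.IGNORECASE)
TEMP_XML = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def check_defender_exclusion(image, cmdline):
    """Flag PowerShell adding a Defender exclusion; high severity if the path is user-writable."""
    if not image.lower().endswith("powershell.exe"):
        return None
    m = DEFENDER_EXCLUSION.search(cmdline)
    if not m:
        return None
    path = m.group(1).strip()
    return {
        "rule": "defender_exclusion_added",
        "path": path,
        "severity": "high" if USER_WRITABLE.search(path) else "medium",
    }


def check_schtasks_persistence(image, cmdline):
    """Flag schtasks /create; high severity when the task definition is an XML file in Temp."""
    if not image.lower().endswith("schtasks.exe") or not SCHTASKS_CREATE.search(cmdline):
        return None
    tn = SCHTASKS_TN.search(cmdline)
    xml = SCHTASKS_XML.search(cmdline)
    xml_path = xml.group(1).strip() if xml else None
    return {
        "rule": "schtasks_create",
        "task": tn.group(1) if tn else None,
        "xml": xml_path,
        "severity": "high" if xml_path and TEMP_XML.search(xml_path) else "low",
    }


RULES = (check_defender_exclusion, check_schtasks_persistence)


def analyze(tree):
    """Run every rule over every process; return findings in process-tree order."""
    findings = []
    for pid, image, cmdline in tree:
        for rule in RULES:
            hit = rule(image, cmdline)
            if hit:
                findings.append({"pid": pid, "image": image, **hit})
    return findings


if __name__ == "__main__":
    for f in analyze(PROCESS_TREE):
        print(f"[{f['severity']}] PID {f['pid']} {f['image']}: {f['rule']} "
              f"{f.get('path') or f.get('task')}")
```

On a live host the same two artefacts can be confirmed with `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` and `Get-ScheduledTask | Where-Object TaskPath -like '\Updates\*'`; a task whose action points at the excluded path, as here, is the combination to treat as confirmed persistence rather than an administrator's exclusion.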