File name: BitcoinMiner.zip

Full analysis: https://app.any.run/tasks/49fe4003-a739-46f3-8987-27427d7f9d07
Verdict: Malicious activity
Analysis date: November 14, 2019, 06:26:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5: 4C07C36F4056764C5AEE6227174DE479
SHA1: 0F870BED55006B5FB03050A8749DC34C0774F12B
SHA256: 506534FA0B6EAE3E480CDFFF81357F42739127711C376F7BBC6A042B67A02BB4
SSDEEP: 49152:X+iiv9wTS0M5vkUhqvan3dbJ56ZZb+W2FRerQRlgt65mgcMc:Oii6WJvkUh7n3Dub+W3r4qtGHc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 3416)
    • Application was dropped or rewritten from another process
      • bitcoin miner x2.exe (PID: 1708)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2392)
  • INFO
    • Manual execution by user
      • bitcoin miner x2.exe (PID: 1708)
      • explorer.exe (PID: 1296)
    • Dropped object may contain Bitcoin addresses
      • WinRAR.exe (PID: 2392)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2019:11:14 14:25:09
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: BitcoinMiner/
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph (interactive in the full report)

Nodes: start; winrar.exe; searchprotocolhost.exe (no specs); explorer.exe (no specs); bitcoin miner x2.exe (no specs)

Process information

PID 1296
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID 1708
CMD: "C:\Users\admin\Desktop\BitcoinMiner\bitcoin miner x2.exe"
Path: C:\Users\admin\Desktop\BitcoinMiner\bitcoin miner x2.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: bitcoin miner x2
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\desktop\bitcoinminer\bitcoin miner x2.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID 2392
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\BitcoinMiner.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID 3416
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events: 811
Read events: 790
Write events: 21
Delete events: 0

Modification events

Process: (2392) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

Process: (2392) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

Process: (2392) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (2392) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\BitcoinMiner.zip

Process: (2392) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: (2392) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: (2392) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

Process: (2392) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

Process: (2392) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
Operation: write
Name: 0
Value: C:\Users\admin\Desktop

Process: (2392) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
Executable files: 6
Suspicious files: 0
Text files: 1
Unknown types: 1

Dropped files

PID 2392, WinRAR.exe: C:\Users\admin\Desktop\BitcoinMiner\System.Security.Cryptography.Algorithms.dll (executable)
  MD5: 82BBB4AB9A6A775D34BBBC93C2BD4EBB
  SHA256: F14DF3A548A8C43CFE7F60D325AC5E95D92C605F482BBEE17A39F98BCFCC7216

PID 2392, WinRAR.exe: C:\Users\admin\Desktop\BitcoinMiner\bitcoin miner x2.exe (executable)
  MD5: EADAD7FF6541DF604374E6197AACFE21
  SHA256: 4F650A09DC85A3FFA223A0FE0600A1F99B5C96A09E02ECCD349C5398AD5D7FC1

PID 2392, WinRAR.exe: C:\Users\admin\Desktop\BitcoinMiner\bitcoin miner x2.pdb (pdb)
  MD5: BB2C914087EE621B8495E069BF9345F2
  SHA256: A4D7F842CCC6D402FAEB80E84ADF6312562BF5511CEDF24B7A967CB5A7504863

PID 2392, WinRAR.exe: C:\Users\admin\Desktop\BitcoinMiner\System.Security.Cryptography.X509Certificates.dll (executable)
  MD5: 480CA4042FF3CBB3CDBB14EF0643C14D
  SHA256: 132AE80C89F38750D1ADE43BD1E588F4D0971EA813B4DF5DCA5AF3C113E9E713

PID 2392, WinRAR.exe: C:\Users\admin\Desktop\BitcoinMiner\System.Security.Cryptography.Encoding.dll (executable)
  MD5: 5F859D35CA74D84CCE62533E086DC27F
  SHA256: 91C7C02D46F754193B3988C28050135C804E47DC3456D0C3DDE028AC0341FBE2

PID 2392, WinRAR.exe: C:\Users\admin\Desktop\BitcoinMiner\Zen.Barcode.Core.dll (executable)
  MD5: 0F3DB3622B545C57153CA9F4A9D52E62
  SHA256: F559B524AD802FFAEC6A81A6155BF0CA6796A8F2968990AEA9B65A7157C94B6A

PID 2392, WinRAR.exe: C:\Users\admin\Desktop\BitcoinMiner\System.Security.Cryptography.Primitives.dll (executable)
  MD5: ECAC83E551B639409899919D47CD7588
  SHA256: 5A6C8F69A8DEA8A775331273AAAE707EEE2A2743FB1498C3CC4DBAB679125D11

PID 2392, WinRAR.exe: C:\Users\admin\Desktop\BitcoinMiner\bitcoin miner x2.exe.config (xml)
  MD5: 7B32E1417D368F9361A2DEDA7F0BCFAB
  SHA256: D4D800C424B0E226D35F3595CBB0FA470EB44228780E7DFB2AF1A11B93AB6BFB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info