File name: 1C_U25355369126978-2018.scr
Full analysis: https://app.any.run/tasks/da0c1c7a-368f-4166-9428-c513802f87d9
Verdict: Malicious activity
Analysis date: December 06, 2018, 08:01:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: installer, miner, xmrig
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 15CE37527CD6F8018C221149DC0B31D2
SHA1: 154D9BA302EECC68DFA72B4660BE868E58970432
SHA256: 5292364263C59302A900C05ECB64D68A62D206396EC123466F79A9443AE6F454
SSDEEP: 12288:B1DYrQh2At0T+uCqsWwOUH7Gt7Cg85gY9tISeCdmHQ2egus:BdYMBUHsW+HvZ5LISeCwQ2ehs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process: bmcon.exe (PID: 3440), sender.exe (PID: 2976), bm-xmrig-x32.exe (PID: 2768), bmstart.exe (PID: 2940)
    • Changes settings of System certificates: bmcon.exe (PID: 3440)
    • Changes the autorun value in the registry: bmcon.exe (PID: 3440)
    • Runs PING.EXE for delay simulation: cmd.exe (PID: 3444)
    • Connects to CnC server: bm-xmrig-x32.exe (PID: 2768)
    • MINER was detected: bm-xmrig-x32.exe (PID: 2768)
  • SUSPICIOUS
    • Starts CMD.EXE for command execution: 1C_U25355369126978-2018.scr (PID: 3536), cmd.exe (PID: 3444)
    • Starts Microsoft Office Application: 1C_U25355369126978-2018.scr (PID: 3536)
    • Executable content was dropped or overwritten: 1C_U25355369126978-2018.scr (PID: 3536), bmcon.exe (PID: 3440)
    • Uses REG.EXE to modify Windows registry: cmd.exe (PID: 3444)
    • Application launched itself: cmd.exe (PID: 3444)
    • Uses ATTRIB.EXE to modify file attributes: cmd.exe (PID: 3444)
    • Adds / modifies Windows certificates: bmcon.exe (PID: 3440)
    • Uses WMIC.EXE to obtain a list of video controllers: cmd.exe (PID: 2612)
    • Connects to SMTP port: sender.exe (PID: 2976)
    • Connects to unusual port: bm-xmrig-x32.exe (PID: 2768)
  • INFO
    • Reads Microsoft Office registry keys: WINWORD.EXE (PID: 2892)
    • Creates files in the user directory: WINWORD.EXE (PID: 2892)
    • Drops XMRig executable file: bmcon.exe (PID: 3440)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No malware configuration was extracted.

TRiD

.exe | InstallShield setup (49.2)
.exe | Win32 Executable Delphi generic (16.2)
.scr | Windows screen saver (14.9)
.dll | Win32 Dynamic Link Library (generic) (7.5)
.exe | Win32 Executable (generic) (5.1)

EXIF

EXE

LegalCopyright: 07.15.03.15
FileVersion: 10.12.03.6346
FileDescription: 11.19.23.6343.324 10.12.03.6346 Installation
CompanyName: 07.15.03.15
Comments: -
CharacterSet: Windows, Latin1
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 0.0.0.0
FileVersionNumber: 10.12.3.6346
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x17de0
UninitializedDataSize: -
InitializedDataSize: 37888
CodeSize: 94208
LinkerVersion: 2.25
PEType: PE32
TimeStamp: 1992:06:20 00:22:17+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 19-Jun-1992 22:22:17 (this is the fixed placeholder stamp the Delphi linker writes, not a real build time; the CODE/DATA/BSS section names and the DVCLAL and PACKAGEINFO resources below confirm a Delphi build)
Detected languages:
  • English - United States
  • Russian - Russia
Comments: -
CompanyName: 07.15.03.15
FileDescription: 11.19.23.6343.324 10.12.03.6346 Installation
FileVersion: 10.12.03.6346
LegalCopyright: 07.15.03.15
Note that CompanyName and LegalCopyright hold numeric filler rather than a vendor name, and FileDescription is a string of version-like numbers: the version resource carries no attribution at all.

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0050
Pages in file: 0x0002
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x000F
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x001A
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 8
Time date stamp: 19-Jun-1992 22:22:17
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name    Virtual address  Virtual size  Raw size    Entropy   Characteristics
CODE    0x00001000       0x00016E44    0x00017000  6.45163   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA    0x00018000       0x00000700    0x00000800  3.1907    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS     0x00019000       0x000008AD    0x00000000  0         IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata  0x0001A000       0x000014D0    0x00001600  4.78715   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls    0x0001C000       0x00000008    0x00000000  0         IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata  0x0001D000       0x00000018    0x00000200  0.204488  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
.reloc  0x0001E000       0x000011C4    0x00001200  6.69814   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED
.rsrc   0x00020000       0x000061AC    0x00006200  5.73965   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED

Resources

Title        Entropy  Size  Codepage  Language          Type
1            4.88266  944   UNKNOWN   Russian - Russia  RT_MANIFEST
50           2.94679  744   UNKNOWN   UNKNOWN           RT_ICON
51           2.97546  296   UNKNOWN   UNKNOWN           RT_ICON
52           6.16612  3752  UNKNOWN   UNKNOWN           RT_ICON
53           6.43409  2216  UNKNOWN   UNKNOWN           RT_ICON
54           5.17975  9640  UNKNOWN   UNKNOWN           RT_ICON
55           5.36891  4264  UNKNOWN   UNKNOWN           RT_ICON
56           5.31405  1128  UNKNOWN   UNKNOWN           RT_ICON
DVCLAL       4        16    UNKNOWN   UNKNOWN           RT_RCDATA
PACKAGEINFO  5.19786  248   UNKNOWN   UNKNOWN           RT_RCDATA

Imports

advapi32.dll
cabinet.dll
comctl32.dll
gdi32.dll
kernel32.dll
ole32.dll
oleaut32.dll
shell32.dll
user32.dll
winmm.dll
No data.
All screenshots are available in the full report
Total processes: 63
Monitored processes: 24
Malicious processes: 4
Suspicious processes: 1

Behavior graph

Processes in the graph, in launch order ("no specs" marks a process with no indicators of its own; edges are labelled "drop and start" or "start"): 1c_u25355369126978-2018.scr (no specs), 1c_u25355369126978-2018.scr, winword.exe (no specs), cmd.exe (no specs), reg.exe (no specs), powercfg.exe (no specs), powercfg.exe (no specs), bmcon.exe, powercfg.exe (no specs), powercfg.exe (no specs), attrib.exe (no specs), attrib.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), wmic.exe (no specs), findstr.exe (no specs), cmd.exe (no specs), wmic.exe (no specs), find.exe (no specs), sender.exe, bmstart.exe (no specs), bm-xmrig-x32.exe (#MINER), attrib.exe (no specs), ping.exe (no specs)

Process information

PID 3092: "C:\Users\admin\AppData\Local\Temp\1C_U25355369126978-2018.scr" /S
  Path: C:\Users\admin\AppData\Local\Temp\1C_U25355369126978-2018.scr
  Parent process: explorer.exe
  User: admin | Company: 07.15.03.15 | Integrity level: MEDIUM
  Description: 11.19.23.6343.324 10.12.03.6346 Installation | Version: 10.12.03.6346
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED; the medium-integrity instance ends and the same command runs again elevated as PID 3536)

PID 3536: "C:\Users\admin\AppData\Local\Temp\1C_U25355369126978-2018.scr" /S
  Path: C:\Users\admin\AppData\Local\Temp\1C_U25355369126978-2018.scr
  Parent process: explorer.exe
  User: admin | Company: 07.15.03.15 | Integrity level: HIGH
  Description: 11.19.23.6343.324 10.12.03.6346 Installation | Version: 10.12.03.6346
  Exit code: 0

PID 2892: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Intel\1C_N94395369126978-2018.doc"
  Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  Parent process: 1C_U25355369126978-2018.scr
  User: admin | Company: Microsoft Corporation | Integrity level: HIGH
  Description: Microsoft Word | Version: 14.0.6024.1000

PID 3444: cmd /c ""C:\Intel\enable.cmd" "
  Path: C:\Windows\system32\cmd.exe
  Parent process: 1C_U25355369126978-2018.scr
  User: admin | Company: Microsoft Corporation | Integrity level: HIGH
  Description: Windows Command Processor | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 2572: reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Интегрированные_драйвера" /f
  (the value name is Russian for "Integrated_drivers"; the report rendered its CP866 bytes as CP437, which produced the garbled string "ê¡ΓÑúα¿α«óá¡¡δÑ_ñαá⌐óÑαá")
  Path: C:\Windows\system32\reg.exe
  Parent process: cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity level: HIGH
  Description: Registry Console Tool | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Exit code: 1 (reg.exe reported failure, consistent with the Run value not yet existing when enable.cmd tried to clear it)

PID 3112: powercfg -setacvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
  (the first GUID is the "Power buttons and lid" subgroup, the second is the "Lid close action" setting; index 0 means "Do nothing" on AC power)
  Path: C:\Windows\system32\powercfg.exe
  Parent process: cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity level: HIGH
  Description: Power Settings Command-Line Tool | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Exit code: 0

PID 3972: powercfg -change -standby-timeout-ac 0 (never enter standby on AC power)
  Path: C:\Windows\system32\powercfg.exe
  Parent process: cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity level: HIGH
  Description: Power Settings Command-Line Tool | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Exit code: 0

PID 3440: "C:\Intel\bmcon.exe"
  Path: C:\Intel\bmcon.exe
  Parent process: 1C_U25355369126978-2018.scr
  User: admin | Integrity level: HIGH (no company, description or version recorded)
  Exit code: 0

PID 4008: powercfg -change -hibernate-timeout-ac 0 (never hibernate on AC power)
  Path: C:\Windows\system32\powercfg.exe
  Parent process: cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity level: HIGH
  Description: Power Settings Command-Line Tool | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Exit code: 0

PID 2208: powercfg -h off (hibernation disabled entirely)
  Path: C:\Windows\system32\powercfg.exe
  Parent process: cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity level: HIGH
  Description: Power Settings Command-Line Tool | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Exit code: 0

Taken together, the four powercfg calls issued from enable.cmd keep the host running on AC power even with the lid closed, which is exactly what a resident miner needs.
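The process table above is the kind of telemetry a host-based detection would consume: a .scr spawning cmd.exe and WINWORD.EXE, an enable.cmd script turning off every power-saving feature, reg.exe touching the Run key, wmic enumerating video controllers, attrib and ping doing housekeeping, and unsigned binaries running out of C:\Intel. The script below is an added example, not ANY.RUN's code, that encodes those observations as rules over process-creation events. PIDs, images and command lines are copied from the report; where the report only names a tool (wmic, attrib, ping) or omits a parent, the value is constructed and marked "assumed" in the code.

```python
"""Behavioural detection for the miner-installer process chain in the report.

Added example, not ANY.RUN's code. Events are constructed from the report's
process table; entries marked "assumed" fill in arguments or parents the
report does not show.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full image path as a process-creation log records it
    cmdline: str  # command line as logged


SCR = r"C:\Users\admin\AppData\Local\Temp\1C_U25355369126978-2018.scr"
SYS32 = r"C:\Windows\system32"

# Constructed sample log modelled on the report (ppid 1580 for explorer.exe is assumed).
SAMPLE_EVENTS = [
    ProcEvent(3092, 1580, SCR, f'"{SCR}" /S'),
    ProcEvent(3536, 1580, SCR, f'"{SCR}" /S'),
    ProcEvent(2892, 3536, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Intel\1C_N94395369126978-2018.doc"'),
    ProcEvent(3444, 3536, SYS32 + r"\cmd.exe", r'cmd /c ""C:\Intel\enable.cmd" "'),
    ProcEvent(2572, 3444, SYS32 + r"\reg.exe",
              r'reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Интегрированные_драйвера" /f'),
    ProcEvent(3112, 3444, SYS32 + r"\powercfg.exe",
              "powercfg -setacvalueindex SCHEME_CURRENT 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0"),
    ProcEvent(3972, 3444, SYS32 + r"\powercfg.exe", "powercfg -change -standby-timeout-ac 0"),
    ProcEvent(4008, 3444, SYS32 + r"\powercfg.exe", "powercfg -change -hibernate-timeout-ac 0"),
    ProcEvent(2208, 3444, SYS32 + r"\powercfg.exe", "powercfg -h off"),
    ProcEvent(3440, 3536, r"C:\Intel\bmcon.exe", r'"C:\Intel\bmcon.exe"'),
    ProcEvent(3300, 3444, SYS32 + r"\attrib.exe", r"attrib +h +s C:\Intel"),                      # pid and args assumed
    ProcEvent(2612, 3440, SYS32 + r"\cmd.exe", "cmd /c wmic path win32_VideoController get name"),  # parent and args assumed
    ProcEvent(2976, 3440, r"C:\Intel\sender.exe", r'"C:\Intel\sender.exe"'),                        # parent and path assumed
    ProcEvent(2768, 2940, r"C:\Intel\bmcon\bm-xmrig-x32.exe", r'"C:\Intel\bmcon\bm-xmrig-x32.exe"'),  # path assumed
    ProcEvent(3008, 3444, SYS32 + r"\PING.EXE", "ping 127.0.0.1 -n 10"),                           # pid and args assumed
]

# Command-line rules: (rule name, regex applied to the command line).
CMDLINE_RULES = [
    ("powercfg_hibernate_off", re.compile(r"powercfg\s+[-/]h(ibernate)?\s+off", re.I)),
    ("powercfg_timeouts_zero",
     re.compile(r"powercfg\s+[-/]change\s+[-/]?(standby|hibernate)-timeout-(ac|dc)\s+0\b", re.I)),
    ("powercfg_lid_do_nothing",  # "Power buttons and lid" subgroup, "Lid close action" setting, index 0 = Do nothing
     re.compile(r"powercfg\s+[-/]setacvalueindex\s+\S+\s+4f971e89-eebd-4455-a8de-9e59040e7347"
                r"\s+5ca83367-6e45-459f-a27b-476b1d01c936\s+0\b", re.I)),
    ("wmic_gpu_enum", re.compile(r"wmic\s+path\s+win32_videocontroller", re.I)),
    ("run_key_tamper",
     re.compile(r"reg\s+(add|delete)\s+[\"']?HK(CU|LM)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", re.I)),
    ("attrib_hide", re.compile(r"\battrib(\.exe)?\s+.*\+[hs]", re.I)),
    ("ping_delay", re.compile(r"\bping(\.exe)?\s+(-n\s+\d+\s+)?(127\.0\.0\.1|localhost)(\s+-n\s+\d+)?", re.I)),
]


def image_rules(ev: ProcEvent, by_pid: dict) -> list:
    """Rules that look at the image path and the parent rather than the command line."""
    hits = []
    image = ev.image.lower()
    if image.startswith("c:\\intel\\"):
        hits.append("exec_from_c_intel")   # payload staged in a vendor-looking directory
    if "xmrig" in image:
        hits.append("xmrig_image_name")
    parent = by_pid.get(ev.ppid)
    if parent and parent.image.lower().endswith(".scr") and image.endswith(("cmd.exe", "winword.exe")):
        hits.append("scr_spawns_shell_or_office")
    return hits


def analyze(events) -> dict:
    """Return {pid: [rule names]} for every event that triggered at least one rule."""
    by_pid = {ev.pid: ev for ev in events}
    hits = {}
    for ev in events:
        names = [name for name, rx in CMDLINE_RULES if rx.search(ev.cmdline)]
        names += image_rules(ev, by_pid)
        if names:
            hits[ev.pid] = names
    return hits


def is_miner_installer(events) -> bool:
    """Verdict: keep-awake tampering plus GPU probing or a known miner image, with enough breadth."""
    rules = {name for names in analyze(events).values() for name in names}
    keep_awake = any(r.startswith("powercfg_") for r in rules)
    miner_hint = bool(rules & {"wmic_gpu_enum", "xmrig_image_name"})
    return keep_awake and miner_hint and len(rules) >= 4


if __name__ == "__main__":
    for pid, names in analyze(SAMPLE_EVENTS).items():
        print(pid, ", ".join(names))
    print("miner installer:", is_miner_installer(SAMPLE_EVENTS))
```

The verdict deliberately requires a power-management rule plus a miner-specific signal: each powercfg call on its own is something an administrator might run, and the two .scr launches alone (the elevation retry) produce no hit, so the detection fires on the combination rather than on any single command.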
Total events: 1 071 (read: 662, write: 0, delete: 0)

Modification events

No data

Files: 11 executable, 3 suspicious, 15 text, 2 of unknown type

Dropped files

PID 3536 (1C_U25355369126978-2018.scr): C:\Users\admin\AppData\Local\Temp\$inst\temp_0.tmp
  Type, MD5 and SHA256: not recorded in the report
PID 2892 (WINWORD.EXE): C:\Users\admin\AppData\Local\Temp\CVRAD1C.tmp.cvr
  Type, MD5 and SHA256: not recorded in the report
PID 3536 (1C_U25355369126978-2018.scr): C:\Intel\iglhxa32.vp (ini)
  MD5: 7FEF5563D091D8A44B96DD4EBE0350AA
  SHA256: 9A785572225997EDCF3791A7DE3AF98FDAF8D5544F38B9795113B365AC655937
PID 3536 (1C_U25355369126978-2018.scr): C:\Intel\bmcon.exe (executable)
  MD5: 2731697E36FC09A4D8B4568DFFA42EFD
  SHA256: 40883E27922D357F0A3F15544ED9623475C9F430435F918D57A212F5BD11DA34
PID 3536 (1C_U25355369126978-2018.scr): C:\Intel\IntcDAuC.dll (executable)
  MD5: 5059A182143DFA122278A331976BACCB
  SHA256: 1AB212EE9E6E28B847EEE0080969279C09068FCA3E2F5A34DB60286EA453E878
PID 3536 (1C_U25355369126978-2018.scr): C:\Intel\enable.cmd (text)
  MD5: D41FDBC0DF2C5C7338403A2D0B0AEE2B
  SHA256: 5525E7E98E0492B1EB7295AC24D87B7A28F88CF3770A8B5D6567DF59EEEEF689
PID 3536 (1C_U25355369126978-2018.scr): C:\Intel\bmcon\bm-xmrig.json (text)
  MD5: A901ABFEA4D188090EECEC950196B28A
  SHA256: C73D333324CF1E95FF0D561F7CC599EF481CF1AEF4D9A3BDBDD242A8927D537A
PID 3440 (bmcon.exe): C:\Intel\bmcon\apps.json (text)
  MD5: 27442889B1E97D0ECA51E116D7A288F3
  SHA256: 35DC4D2287B8C5E6B85036B4B81924F1568B50D9A78D2EB8033548A9734BC250
PID 3536 (1C_U25355369126978-2018.scr): C:\Intel\mup.xml (xml)
  MD5: 753B5A3D0663017CE7B9C4A7969D25CA
  SHA256: A5BB55567DC02398046F4B6D66830FDB1C4A5A556CB12FCD28A1BA471A047224
PID 3536 (1C_U25355369126978-2018.scr): C:\Intel\bmcon.json (text)
  MD5: 8514B69D7637C7909F54FD3F11C86205
  SHA256: F9C44EDA210BE2027210A5D15E32B59301C957FA267F8B808C47CA36A2CB45E1
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report.
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 4
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process           IP:port              Domain              ASN                  CN  Reputation
2976  sender.exe        185.182.57.35:587    smtp.8680541.store  Astralus B.V.        NL  unknown
2768  bm-xmrig-x32.exe  88.198.117.171:4444  pool.bmnr.pw        Hetzner Online GmbH  DE  malicious
3440  bmcon.exe         88.99.38.225:443     dl.browsermine.com  Hetzner Online GmbH  DE  unknown

DNS requests

Domain              IP                              Reputation
dl.browsermine.com  88.99.38.225                    unknown
smtp.8680541.store  185.182.57.35                   unknown
8680541.store       185.182.57.35                   unknown
pool.bmnr.pw        88.198.117.171, 159.69.189.115  malicious

Threats

PID   Process           Class                                  Message
3440  bmcon.exe         unknown                                SURICATA TCPv4 invalid checksum
2976  sender.exe        Generic Protocol Command Decode        SURICATA Applayer Detect protocol only one direction
2768  bm-xmrig-x32.exe  Potential Corporate Privacy Violation  ET POLICY Cryptocurrency Miner Checkin
2768  bm-xmrig-x32.exe  Misc activity                          MINER [PTsecurity] Riskware/CoinMiner JSON_RPC Response
2768  bm-xmrig-x32.exe  Misc activity                          MINER [PTsecurity] Risktool.W32.coinminer!c
2768  bm-xmrig-x32.exe  Misc activity                          MINER [PTsecurity] CoinMiner CryptoNight algo JSON_RPC server Response
2768  bm-xmrig-x32.exe  Misc activity                          MINER [PTsecurity] Riskware/CoinMiner JSON_RPC Response
2768  bm-xmrig-x32.exe  Misc activity                          MINER [PTsecurity] Risktool.W32.coinminer!c
2768  bm-xmrig-x32.exe  Misc activity                          MINER [PTsecurity] CoinMiner CryptoNight algo JSON_RPC server Response
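The Connections and Threats tables show bm-xmrig-x32.exe talking to pool.bmnr.pw:4444 and Suricata classifying the traffic as a miner check-in and a CryptoNight JSON-RPC server response. The script below is an added example, not part of the ANY.RUN report or of the XMRig project, that performs the same kind of inspection on a reassembled TCP stream: it matches the report's IOCs, flags the non-standard port, and parses newline-delimited JSON-RPC for the Stratum login, job and share-submit messages an XMRig worker exchanges with a pool. The host, IPs and port come from the report; the JSON-RPC lines are constructed in the shape of that exchange and are not taken from this sample's PCAP, and the wallet, blob and nonce values are placeholders.

```python
"""Network-side detection of a CryptoNight/XMRig Stratum check-in.

Added example, not part of the ANY.RUN report. IOCs are copied from the
report's Connections and DNS tables; the JSON-RPC stream is constructed to
follow the XMRig login/job/submit message shape, with placeholder values.
"""
import json
from dataclasses import dataclass

# Indicators taken from the report.
REPORT_IOCS = {
    "pool.bmnr.pw": "mining pool used by bm-xmrig-x32.exe (malicious)",
    "88.198.117.171": "pool.bmnr.pw",
    "159.69.189.115": "pool.bmnr.pw",
    "dl.browsermine.com": "contacted by bmcon.exe over 443",
    "smtp.8680541.store": "SMTP host used by sender.exe",
    "185.182.57.35": "smtp.8680541.store",
}

# Ports where TLS/web/mail traffic is expected; anything else is reported as unusual.
COMMON_PORTS = {22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995}

# Constructed stream: (direction, newline-delimited JSON-RPC line). Placeholder values.
SAMPLE_STREAM = [
    ("c2s", '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_ADDRESS_PLACEHOLDER",'
            '"pass":"x","agent":"XMRig/2.8.3 (Windows NT 6.1; Win32) libuv/1.23.0 msvc/2017","algo":["cn/1","cn/2"]}}'),
    ("s2c", '{"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"a1b2c3","job":{"blob":"0707a0b1",'
            '"job_id":"j1","target":"b88d0600","algo":"cn/2"},"status":"OK"}}'),
    ("c2s", '{"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"a1b2c3","job_id":"j1",'
            '"nonce":"1a2b3c4d","result":"00ff00ff"}}'),
    ("s2c", '{"id":2,"jsonrpc":"2.0","error":null,"result":{"status":"OK"}}'),
]


@dataclass
class Finding:
    rule: str
    detail: str


def _as_object(line: str):
    """Parse one line as a JSON object; return None for anything else."""
    try:
        obj = json.loads(line)
    except ValueError:
        return None
    return obj if isinstance(obj, dict) else None


def inspect_line(direction: str, line: str) -> list:
    """Findings for one JSON-RPC line; an empty list means nothing miner-like."""
    obj = _as_object(line)
    if obj is None:
        return []
    findings = []
    params = obj.get("params")
    if not isinstance(params, dict):
        params = {}
    method = obj.get("method")
    # Client login: the CryptoNote Stratum variant sends login/pass/agent in a params object.
    if direction == "c2s" and method == "login" and {"login", "pass", "agent"} <= set(params):
        agent = str(params["agent"])
        findings.append(Finding("stratum_login", f"agent={agent}"))
        if "xmrig" in agent.lower():
            findings.append(Finding("xmrig_agent", agent))
        algos = params.get("algo") or []
        if not isinstance(algos, list):
            algos = [algos]
        if any(str(a).lower().startswith(("cn", "cryptonight")) for a in algos):
            findings.append(Finding("cryptonight_algo_offer", ",".join(map(str, algos))))
    # Client share submission.
    if direction == "c2s" and method == "submit" and {"job_id", "nonce", "result"} <= set(params):
        findings.append(Finding("share_submit", f"job_id={params['job_id']}"))
    # Pool response carrying a job: blob + job_id + target is the mining work unit.
    result = obj.get("result")
    if direction == "s2c" and isinstance(result, dict):
        job = result.get("job")
        if isinstance(job, dict) and {"blob", "job_id", "target"} <= set(job):
            findings.append(Finding("pool_job_response", f"algo={job.get('algo', '?')} target={job['target']}"))
    return findings


def inspect_flow(dst_host: str, dst_ip: str, dst_port: int, stream) -> list:
    """Combine IOC matching, port policy and payload inspection for one flow."""
    findings = []
    for who in (dst_host, dst_ip):
        if who in REPORT_IOCS:
            findings.append(Finding("ioc_match", f"{who}: {REPORT_IOCS[who]}"))
    if dst_port not in COMMON_PORTS:
        findings.append(Finding("unusual_port", str(dst_port)))
    for direction, line in stream:
        findings.extend(inspect_line(direction, line))
    return findings


def is_miner_checkin(findings) -> bool:
    """A login followed by a job or a share is a worker talking to a pool."""
    rules = {f.rule for f in findings}
    return "stratum_login" in rules and bool(rules & {"pool_job_response", "share_submit"})


if __name__ == "__main__":
    flow = inspect_flow("pool.bmnr.pw", "88.198.117.171", 4444, SAMPLE_STREAM)
    for f in flow:
        print(f"{f.rule:24s} {f.detail}")
    print("miner check-in:", is_miner_checkin(flow))
```

The payload rules are what keep working after the pool domain changes: IOC and port matches are cheap but brittle, while a login object carrying login, pass and agent followed by a job with blob, job_id and target is the protocol itself, which is the same property the PTsecurity "JSON_RPC server Response" signatures above key on.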
No debug info