analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://coinhive.com/

Full analysis: https://app.any.run/tasks/0ef146de-88af-4fe6-b6f2-1b5a93074119
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: May 21, 2022, 11:08:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
coinhive
trojan
Indicators:
MD5:

614E4A9FAAD53DED1B71BF7B8E7EF481

SHA1:

5B6D904DA4344842F5C4344A9793483160872F63

SHA256:

6958269DA37284B2678B1F796A7DE754E907213BFE7A4DB6CA288F932E304A46

SSDEEP:

3:N8XWSE3:2M

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 888)
  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 2584)
      • iexplore.exe (PID: 888)
    • Reads the computer name

      • iexplore.exe (PID: 888)
      • iexplore.exe (PID: 2584)
    • Application launched itself

      • iexplore.exe (PID: 2584)
    • Changes internet zones settings

      • iexplore.exe (PID: 2584)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 2584)
      • iexplore.exe (PID: 888)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2584)
      • iexplore.exe (PID: 888)
    • Reads internet explorer settings

      • iexplore.exe (PID: 888)
    • Creates files in the user directory

      • iexplore.exe (PID: 888)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2584"C:\Program Files\Internet Explorer\iexplore.exe" "https://coinhive.com/"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
888"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2584 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\rpcrt4.dll
Total events
16 669
Read events
16 478
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
24
Text files
85
Unknown types
27

Dropped files

PID
Process
Filename
Type
888iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:090142FC7AEC901307359FF08290C68C
SHA256:D52AC44E8A0271666297E7D55B51CB208321FA26DA7C11AF28B8B059059860C8
888iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27der
MD5:47020B685E77ECD74ABC9ADCE105AD13
SHA256:558C89968EE2679A433CC03190339A000DEDD32D1E7A21B9929DD7631C4211BD
2584iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63der
MD5:AC4726FEE26B5D7F5BC731F03E7D7E34
SHA256:990F044CAB696ED00BBC2CB11C62BA52EE6D61F33AAFD5F78CD35EA3513D9C01
888iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\main.min[1].csstext
MD5:885EA493A7F52B571A3DBE3D7B7D74D5
SHA256:0CA584423385387F7FD16AE6C62079F43D381881DF869C02E9228C46EC203583
888iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27binary
MD5:D321D130A22D5627FCC3403CA5717278
SHA256:7D66362952963F440A4D1BE4655CF93A4125F6672B81BA8D56996AD8FB5DD426
888iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\cards.min[1].csstext
MD5:68DD49021EE6D7818C2E1E2E64ED89AA
SHA256:E078C7F2333231376567AF00407F22F166A32B0B39C1932DE5F151462F26732F
888iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\RT9298UY.htmhtml
MD5:471F34ED0CD82F79FDD935E6787D001E
SHA256:0CD9A980A4AF13B643A47919411056CD9B8B4C2A1BBAE2F770E0611EDDBA0D17
888iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\i-now-own-the-coinhive-domain-heres-how-im-fighting-cryptojacking-and-doing-good-things-with-content-security-policies[1].htmhtml
MD5:B8FBE0748F2BDC0B231DEFF98F1E13AC
SHA256:72CC318F6CC7F2153FAE3DFB87403C95EAD666BAE8FD129344C9EE213279EEE2
888iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\cards.min[1].jstext
MD5:16D84278BB517D1765F9D6471D902DC2
SHA256:857DCF021006F18DF5E72E87501221D5B2F40C7F99C23EF75FA582CCA9B49900
888iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\font-awesome.min[1].csstext
MD5:269550530CC127B6AA5A35925A7DE6CE
SHA256:799AEB25CC0373FDEE0E1B1DB7AD6C2F6A0E058DFADAA3379689F583213190BD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
23
TCP/UDP connections
88
DNS requests
40
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
888
iexplore.exe
GET
200
142.250.185.99:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
US
der
1.41 Kb
whitelisted
888
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
US
der
1.47 Kb
whitelisted
888
iexplore.exe
GET
200
142.250.185.99:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQDExSUZ712qmxLhqE9UUaDV
US
der
472 b
whitelisted
888
iexplore.exe
GET
142.250.185.99:80
http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEG3aTvFLTYzNCmxS2fUJutw%3D
US
whitelisted
2584
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
888
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D
US
der
471 b
whitelisted
888
iexplore.exe
GET
200
142.250.185.99:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
US
der
724 b
whitelisted
888
iexplore.exe
GET
200
65.9.58.231:80
http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D
US
der
1.70 Kb
whitelisted
888
iexplore.exe
GET
200
142.250.185.142:80
http://crls.pki.goog/gts1c3/moVDfISia2k.crl
US
der
11.3 Kb
whitelisted
888
iexplore.exe
GET
200
172.64.155.188:80
http://crl.comodoca.com/AAACertificateServices.crl
US
der
506 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2584
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
888
iexplore.exe
23.216.77.69:80
ctldl.windowsupdate.com
NTT DOCOMO, INC.
US
suspicious
888
iexplore.exe
188.114.96.10:443
coinhive.com
Cloudflare Inc
US
malicious
2584
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2584
iexplore.exe
23.216.77.69:80
ctldl.windowsupdate.com
NTT DOCOMO, INC.
US
suspicious
888
iexplore.exe
23.216.77.80:80
ctldl.windowsupdate.com
NTT DOCOMO, INC.
US
suspicious
888
iexplore.exe
188.114.97.10:443
coinhive.com
Cloudflare Inc
US
malicious
888
iexplore.exe
142.250.184.202:443
fonts.googleapis.com
Google Inc.
US
whitelisted
888
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
888
iexplore.exe
104.17.24.14:443
cdnjs.cloudflare.com
Cloudflare Inc
US
suspicious

DNS requests

Domain
IP
Reputation
coinhive.com
  • 188.114.97.10
  • 188.114.96.10
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ctldl.windowsupdate.com
  • 23.216.77.69
  • 23.216.77.80
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
www.troyhunt.com
  • 172.67.221.245
  • 104.21.46.6
suspicious
fonts.googleapis.com
  • 142.250.184.202
whitelisted
cdnjs.cloudflare.com
  • 104.17.24.14
  • 104.17.25.14
whitelisted
unpkg.com
  • 104.16.126.175
  • 104.16.124.175
  • 104.16.125.175
  • 104.16.123.175
  • 104.16.122.175
whitelisted
platform.twitter.com
  • 93.184.220.66
whitelisted

Threats

Found threats are available for the paid subscriptions
2 ETPRO signatures available at the full report
No debug info