File name: | CoinMine.exe |
Full analysis: | https://app.any.run/tasks/ab085a6b-ebcd-4ea4-bce2-c3937550a435 |
Verdict: | Malicious activity |
Analysis date: | April 01, 2023, 11:11:36 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
MD5: | 49F6BDCF34BC0BE593A9E7DD64AA6E62 |
SHA1: | CD523DDA29635FD2F159457C485C055D2920033B |
SHA256: | 7D2E4A096CFB9DA6EF9B1757B36C6FB462B39ADBF927FECC4D10EF8D6A6DCCB1 |
SSDEEP: | 24576:BO/yiVlOzZoncHBbqjDlnGacRBk17ti1BeNBrx2m97Mj59iM9rG:BHOyocRq1nGP6iWNBrxnlMj59iwrG |
.exe | | | UPX compressed Win32 Executable (38.2) |
---|---|---|
.exe | | | Win32 EXE Yoda's Crypter (37.5) |
.dll | | | Win32 Dynamic Link Library (generic) (9.2) |
.exe | | | Win32 Executable (generic) (6.3) |
.exe | | | Win16/32 Executable Delphi generic (2.9) |
ProductVersion: | 1.0.0.0 |
---|---|
FileVersion: | 1.0.0.0 |
CharacterSet: | Windows, Latin1 |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 1.0.0.0 |
FileVersionNumber: | 1.0.0.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 5 |
ImageVersion: | - |
OSVersion: | 5 |
EntryPoint: | 0x3b0160 |
UninitializedDataSize: | 2650112 |
InitializedDataSize: | 20480 |
CodeSize: | 1216512 |
LinkerVersion: | 2.25 |
PEType: | PE32 |
ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
TimeStamp: | 2016:07:08 05:36:35+00:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 08-Jul-2016 05:36:35 |
Detected languages: |
|
FileVersion: | 1.0.0.0 |
ProductVersion: | 1.0.0.0 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0050 |
Pages in file: | 0x0002 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x000F |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x001A |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000100 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 08-Jul-2016 05:36:35 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
UPX0 | 0x00001000 | 0x00287000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
UPX1 | 0x00288000 | 0x00129000 | 0x00128400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.92589 |
.rsrc | 0x003B1000 | 0x00005000 | 0x00004400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.36489 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.86531 | 714 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 7.21422 | 308 | UNKNOWN | English - United States | RT_CURSOR |
3 | 6.92854 | 308 | UNKNOWN | English - United States | RT_CURSOR |
4 | 7.09594 | 308 | UNKNOWN | English - United States | RT_CURSOR |
5 | 7.20732 | 308 | UNKNOWN | English - United States | RT_CURSOR |
6 | 7.04739 | 308 | UNKNOWN | English - United States | RT_CURSOR |
7 | 7.13266 | 308 | UNKNOWN | English - United States | RT_CURSOR |
3682 | 5.76431 | 76 | UNKNOWN | UNKNOWN | RT_STRING |
3683 | 6.76654 | 170 | UNKNOWN | UNKNOWN | RT_STRING |
3684 | 7.24462 | 390 | UNKNOWN | UNKNOWN | RT_STRING |
KERNEL32.DLL |
advapi32.dll |
comctl32.dll |
comdlg32.dll |
gdi32.dll |
msvcrt.dll |
ole32.dll |
oleaut32.dll |
shell32.dll |
user32.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1900 | "C:\Users\admin\AppData\Local\Temp\CoinMine.exe" | C:\Users\admin\AppData\Local\Temp\CoinMine.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
2724 | "C:\Windows\system32\taskmgr.exe" | C:\Windows\System32\taskmgr.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Task Manager Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2900 | "taskhost.exe" | C:\Windows\System32\taskhost.exe | services.exe | ||||||||||||
User: Administrator Company: Microsoft Corporation Integrity Level: HIGH Description: Host Process for Windows Tasks Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3492 | C:\Windows\system32\sipnotify.exe -LogonOrUnlock | C:\Windows\System32\sipnotify.exe | taskeng.exe | ||||||||||||
User: Administrator Company: Microsoft Corporation Integrity Level: HIGH Description: sipnotify Exit code: 0 Version: 6.1.7602.20480 (win7sp1_ldr_escrow.191010-1716) Modules
| |||||||||||||||
3868 | "C:\Windows\System32\ie4uinit.exe" -UserConfig | C:\Windows\System32\ie4uinit.exe | — | explorer.exe | |||||||||||
User: Administrator Company: Microsoft Corporation Integrity Level: HIGH Description: IE Per-User Initialization Utility Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
1792 | C:\Windows\System32\ie4uinit.exe -ClearIconCache | C:\Windows\System32\ie4uinit.exe | — | ie4uinit.exe | |||||||||||
User: Administrator Company: Microsoft Corporation Integrity Level: HIGH Description: IE Per-User Initialization Utility Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
1272 | C:\Windows\System32\rundll32 advpack.dll,LaunchINFSectionEx C:\Windows\system32\ieuinit.inf,Install,,36 | C:\Windows\System32\rundll32.exe | — | ie4uinit.exe | |||||||||||
User: Administrator Company: Microsoft Corporation Integrity Level: HIGH Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2412 | C:\Windows\System32\rundll32 C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m | C:\Windows\System32\rundll32.exe | — | ie4uinit.exe | |||||||||||
User: Administrator Company: Microsoft Corporation Integrity Level: HIGH Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3264 | C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0 | C:\Windows\System32\rundll32.exe | — | rundll32.exe | |||||||||||
User: Administrator Company: Microsoft Corporation Integrity Level: LOW Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2012 | C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0 | C:\Windows\System32\rundll32.exe | — | rundll32.exe | |||||||||||
User: Administrator Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
|
(PID) Process: | (3868) ie4uinit.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder |
Operation: | write | Name: | Attributes |
Value: 0 | |||
(PID) Process: | (3868) ie4uinit.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c} |
Operation: | delete key | Name: | (default) |
Value: | |||
(PID) Process: | (3868) ie4uinit.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\3 |
Operation: | write | Name: | IEPropFontName |
Value: Times New Roman | |||
(PID) Process: | (3868) ie4uinit.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\3 |
Operation: | write | Name: | IEFixedFontName |
Value: Courier New | |||
(PID) Process: | (3868) ie4uinit.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\4 |
Operation: | write | Name: | IEPropFontName |
Value: Times New Roman | |||
(PID) Process: | (3868) ie4uinit.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\4 |
Operation: | write | Name: | IEFixedFontName |
Value: Courier New | |||
(PID) Process: | (3868) ie4uinit.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\5 |
Operation: | write | Name: | IEPropFontName |
Value: Times New Roman | |||
(PID) Process: | (3868) ie4uinit.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\5 |
Operation: | write | Name: | IEFixedFontName |
Value: Courier New | |||
(PID) Process: | (3868) ie4uinit.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\6 |
Operation: | write | Name: | IEPropFontName |
Value: Times New Roman | |||
(PID) Process: | (3868) ie4uinit.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\6 |
Operation: | write | Name: | IEFixedFontName |
Value: Courier New |
PID | Process | Filename | Type | |
---|---|---|---|---|
2012 | rundll32.exe | C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\E3EJU7ZL\fwlink[1] | — | |
MD5:— | SHA256:— | |||
2012 | rundll32.exe | C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\4TD0KH3X\fwlink[1] | — | |
MD5:— | SHA256:— | |||
2012 | rundll32.exe | C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\2HM2BW7R\fwlink[1] | — | |
MD5:— | SHA256:— | |||
2012 | rundll32.exe | C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\EK4BLZQC\fwlink[1] | — | |
MD5:— | SHA256:— | |||
2012 | rundll32.exe | C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\E3EJU7ZL\fwlink[2] | — | |
MD5:— | SHA256:— | |||
2012 | rundll32.exe | C:\Users\Administrator\AppData\Local\Microsoft\Feeds Cache\4TD0KH3X\fwlink[2] | — | |
MD5:— | SHA256:— | |||
2900 | taskhost.exe | C:\Users\Administrator\AppData\Local\Microsoft\Windows\WebCache\V01tmp.log | binary | |
MD5:25219F63DACA6EA2714AEAB4895B91AE | SHA256:3848CA23994428C76C07460FB36B062AF9A2A3E06DD3EA51F33F05B2A600E95C | |||
3868 | ie4uinit.exe | C:\Windows\INF\setupapi.app.log | ini | |
MD5:A165925E182B307F7B9934DB4F104465 | SHA256:D17C20426320E1CA174F19BABB027B63594F7C91D689401C610420072DB8B4D6 | |||
2900 | taskhost.exe | C:\Users\Administrator\AppData\Local\Microsoft\Windows\WebCache\V01.log | binary | |
MD5:25219F63DACA6EA2714AEAB4895B91AE | SHA256:3848CA23994428C76C07460FB36B062AF9A2A3E06DD3EA51F33F05B2A600E95C | |||
3868 | ie4uinit.exe | C:\Users\ADMINI~1\AppData\Local\Temp\RGIAA8.tmp | ini | |
MD5:31CB7778F65DF8D02353E6C7B2B2CFFC | SHA256:647A8C7F316EF325F73C2037E8883854F9287584904C977C81D1662DB6471A58 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
860 | svchost.exe | HEAD | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dl6iudcrkm7tlleep5b7sio2si_2937/jflookgnkcckhobaglndicnbbgbonegd_2937_all_n6dma56ie7wmbezc4aw6zyp2jq.crx3 | US | — | — | whitelisted |
3492 | sipnotify.exe | HEAD | 200 | 23.212.215.38:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133248247726360000 | AU | — | — | whitelisted |
3956 | chrome.exe | GET | 301 | 140.82.121.4:80 | http://github.com/endermanch | US | — | — | shared |
860 | svchost.exe | GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dl6iudcrkm7tlleep5b7sio2si_2937/jflookgnkcckhobaglndicnbbgbonegd_2937_all_n6dma56ie7wmbezc4aw6zyp2jq.crx3 | US | binary | 9.30 Kb | whitelisted |
860 | svchost.exe | GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dl6iudcrkm7tlleep5b7sio2si_2937/jflookgnkcckhobaglndicnbbgbonegd_2937_all_n6dma56ie7wmbezc4aw6zyp2jq.crx3 | US | binary | 12.4 Kb | whitelisted |
860 | svchost.exe | GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dl6iudcrkm7tlleep5b7sio2si_2937/jflookgnkcckhobaglndicnbbgbonegd_2937_all_n6dma56ie7wmbezc4aw6zyp2jq.crx3 | US | binary | 18.2 Kb | whitelisted |
860 | svchost.exe | HEAD | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/cxpsjblnoxgjoqggdsbvujtof4_58/khaoiebndkojlmppeemjhbpbandiljpe_58_win_advr4ucepztwtigvw3fduftsvbeq.crx3 | US | binary | 18.2 Kb | whitelisted |
860 | svchost.exe | GET | 206 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dl6iudcrkm7tlleep5b7sio2si_2937/jflookgnkcckhobaglndicnbbgbonegd_2937_all_n6dma56ie7wmbezc4aw6zyp2jq.crx3 | US | binary | 9.19 Kb | whitelisted |
3956 | chrome.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?69e69a7d99462110 | US | compressed | 61.1 Kb | whitelisted |
1240 | YouAreAnIdiot.exe | POST | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3956 | chrome.exe | 172.217.16.195:443 | clientservices.googleapis.com | GOOGLE | US | whitelisted |
3956 | chrome.exe | 172.217.16.196:443 | www.google.com | GOOGLE | US | whitelisted |
3956 | chrome.exe | 142.250.186.110:443 | clients2.google.com | GOOGLE | US | whitelisted |
3956 | chrome.exe | 142.250.185.163:443 | ssl.gstatic.com | GOOGLE | US | whitelisted |
3956 | chrome.exe | 142.250.74.193:443 | clients2.googleusercontent.com | GOOGLE | US | whitelisted |
3956 | chrome.exe | 173.194.187.170:443 | r5---sn-4g5e6nz7.gvt1.com | GOOGLE | US | whitelisted |
3956 | chrome.exe | 172.217.23.106:443 | www.googleapis.com | GOOGLE | US | whitelisted |
3956 | chrome.exe | 142.250.186.45:443 | accounts.google.com | GOOGLE | US | suspicious |
3492 | sipnotify.exe | 23.212.215.38:80 | query.prod.cms.rt.microsoft.com | AKAMAI-AS | AU | unknown |
3956 | chrome.exe | 142.250.181.238:443 | redirector.gvt1.com | GOOGLE | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
query.prod.cms.rt.microsoft.com |
| whitelisted |
accounts.google.com |
| shared |
clients2.google.com |
| whitelisted |
redirector.gvt1.com |
| whitelisted |
r5---sn-4g5e6nz7.gvt1.com |
| whitelisted |
clients2.googleusercontent.com |
| whitelisted |
clientservices.googleapis.com |
| whitelisted |
ssl.gstatic.com |
| whitelisted |
www.googleapis.com |
| whitelisted |
www.google.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3956 | chrome.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request |