File name: 9f1066d4050002fca75ba67623b2357f

Full analysis: https://app.any.run/tasks/d813fd11-1bc0-42ab-85c2-16ded576d3b4
Verdict: Malicious activity
Analysis date: December 06, 2018, 10:15:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
miner
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 9F1066D4050002FCA75BA67623B2357F
SHA1: 45E451375AC28E24E852DFAF20BF675EBBE1322C
SHA256: 92B2868FAF705742CD341439E278835B0F6BC0D43009BECDF614E897F491F0A8
SSDEEP: 49152:Y62yx6HtToANn1nzwaahdBlnodsOXKddPAZV3xJNfB:V6Njt9zhahdzoOOXEdPYVhTfB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • svchost.exe (PID: 2320)
      • wininit.exe (PID: 3592)
      • csrss.exe (PID: 2868)
    • MINER was detected

      • svchost.exe (PID: 2320)
    • Connects to CnC server

      • svchost.exe (PID: 2320)
    • Looks like application has launched a miner

      • cmd.exe (PID: 3696)
    • Loads the Task Scheduler COM API

      • mmc.exe (PID: 3632)
  • SUSPICIOUS

    • Creates files in the user directory

      • 9f1066d4050002fca75ba67623b2357f.exe (PID: 3088)
    • Starts CMD.EXE for commands execution

      • csrss.exe (PID: 2868)
      • wininit.exe (PID: 3592)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 1904)
    • Creates executable files which already exist in Windows

      • 9f1066d4050002fca75ba67623b2357f.exe (PID: 3088)
    • Executable content was dropped or overwritten

      • 9f1066d4050002fca75ba67623b2357f.exe (PID: 3088)
    • Connects to unusual port

      • svchost.exe (PID: 2320)
  • INFO

    No info indicators.
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x1d4f9
UninitializedDataSize: -
InitializedDataSize: 238080
CodeSize: 190464
LinkerVersion: 14
PEType: PE32
TimeStamp: 2018:06:04 19:48:26+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 04-Jun-2018 17:48:26
Detected languages:
  • English - United States
Debug artifacts:
  • D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000108

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 04-Jun-2018 17:48:26
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x0002E7E4 | 0x0002E800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.70246
.rdata | 0x00030000 | 0x00009A8C | 0x00009C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.12942
.data | 0x0003A000 | 0x000203A0 | 0x00000C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.23928
.gfids | 0x0005B000 | 0x000000E8 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 2.0785
.rsrc | 0x0005C000 | 0x0000DFD0 | 0x0000E000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.63675
.reloc | 0x0006A000 | 0x00001FD0 | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.68222

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.25329 | 1875 | UNKNOWN | English - United States | RT_MANIFEST
2 | 5.10026 | 2216 | UNKNOWN | English - United States | RT_ICON
3 | 5.25868 | 3752 | UNKNOWN | English - United States | RT_ICON
4 | 5.02609 | 1128 | UNKNOWN | English - United States | RT_ICON
5 | 5.18109 | 4264 | UNKNOWN | English - United States | RT_ICON
6 | 5.04307 | 9640 | UNKNOWN | English - United States | RT_ICON
7 | 3.1586 | 482 | UNKNOWN | English - United States | RT_STRING
8 | 3.11685 | 460 | UNKNOWN | English - United States | RT_STRING
9 | 3.15447 | 494 | UNKNOWN | English - United States | RT_STRING
10 | 2.99727 | 326 | UNKNOWN | English - United States | RT_STRING

Imports

KERNEL32.dll
USER32.dll (delay-loaded)
gdiplus.dll
No data.
All screenshots are available in the full report
Total processes: 54
Monitored processes: 14
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Process nodes (in the order shown): 9f1066d4050002fca75ba67623b2357f.exe, csrss.exe (no specs), wininit.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), svchost.exe (#MINER), attrib.exe (no specs), attrib.exe (no specs), attrib.exe (no specs), verclsid.exe (no specs), notepad.exe (no specs), Shell Security Editor (no specs), mmc.exe (no specs), mmc.exe
Edge labels: drop and start, drop and start, start

Process information

PID | CMD | Path | Parent process
3088 | "C:\Users\admin\AppData\Local\Temp\9f1066d4050002fca75ba67623b2357f.exe" | C:\Users\admin\AppData\Local\Temp\9f1066d4050002fca75ba67623b2357f.exe | explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
2868 | "C:\Users\admin\AppData\Roaming\csrss.exe" | C:\Users\admin\AppData\Roaming\csrss.exe | 9f1066d4050002fca75ba67623b2357f.exe
User: admin
Integrity Level: MEDIUM
3592 | "C:\Users\admin\AppData\Roaming\wininit.exe" | C:\Users\admin\AppData\Roaming\wininit.exe | 9f1066d4050002fca75ba67623b2357f.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
3696 | "C:\Windows\System32\cmd.exe" /c "C:\Users\admin\AppData\Local\Temp\AC8F.tmp\csrss.bat "C:\Users\admin\AppData\Roaming\csrss.exe"" | C:\Windows\System32\cmd.exe | csrss.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
1904 | "C:\Windows\System32\cmd.exe" /c "C:\Users\admin\AppData\Local\Temp\ACED.tmp\wininit.bat "C:\Users\admin\AppData\Roaming\wininit.exe"" | C:\Windows\System32\cmd.exe | wininit.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2320 | svchost -a cryptonight -o xmr.pool.minergate.com:45700 -u [email protected] -p x -t 1 --donate-level 1 --max-cpu-usage 80 | C:\Users\admin\AppData\Roaming\svchost.exe | cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Processo de Host para Serviços do Windows
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3280 | attrib +s +h svchost.exe | C:\Windows\system32\attrib.exe | cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Attribute Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
4060 | attrib +s +h csrss.exe | C:\Windows\system32\attrib.exe | cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Attribute Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2688 | attrib +s +h wininit.exe | C:\Windows\system32\attrib.exe | cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Attribute Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2824 | "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401 | C:\Windows\system32\verclsid.exe | explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Extension CLSID Verification Host
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 617
Read events: 595
Write events: 21
Delete events: 1

Modification events

(PID) Process: (3088) 9f1066d4050002fca75ba67623b2357f.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: UNCAsIntranet | Value: 0
(PID) Process: (3088) 9f1066d4050002fca75ba67623b2357f.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: AutoDetect | Value: 1
(PID) Process: (2868) csrss.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: UNCAsIntranet | Value: 0
(PID) Process: (2868) csrss.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: AutoDetect | Value: 1
(PID) Process: (3592) wininit.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: UNCAsIntranet | Value: 0
(PID) Process: (3592) wininit.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: AutoDetect | Value: 1
(PID) Process:
Key: HKEY_CURRENT_USER\Software\Microsoft\Notepad
Operation: write | Name: iWindowPosX | Value: 132
(PID) Process:
Key: HKEY_CURRENT_USER\Software\Microsoft\Notepad
Operation: write | Name: iWindowPosY | Value: 132
(PID) Process:
Key: HKEY_CURRENT_USER\Software\Microsoft\Notepad
Operation: write | Name: iWindowPosDX | Value: 960
(PID) Process:
Key: HKEY_CURRENT_USER\Software\Microsoft\Notepad
Operation: write | Name: iWindowPosDY | Value: 501
Executable files: 3
Suspicious files: 0
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3592 | wininit.exe | C:\Users\admin\AppData\Local\Temp\ACED.tmp\wininit.bat | text
MD5: 11E075E84E296EC3F517BF726AAAA3C0
SHA256: 797E37FECE7A142718FA17468B0AAC44D063F45575E8328082668DEAB0A0CAE0
3088 | 9f1066d4050002fca75ba67623b2357f.exe | C:\Users\admin\AppData\Roaming\csrss.exe | executable
MD5: BFADFE42A01C7309C92D671DAAE5CD9A
SHA256: E1552E7B7E55E49AD10A71424EAE121F86B8CCA02FBBD256F82F137964EC06EE
3088 | 9f1066d4050002fca75ba67623b2357f.exe | C:\Users\admin\AppData\Roaming\svchost.exe | executable
MD5: 55D66E08205B2F973553A8E630465544
SHA256: B38865DBE7269D0EE1D67F2816391082AAC5EF35F2E8D01048539711E1A9FDD9
3088 | 9f1066d4050002fca75ba67623b2357f.exe | C:\Users\admin\AppData\Roaming\wininit.exe | executable
MD5: 9A18FFFDC06D095FA0A0278EDCD2C422
SHA256: 0DB294716FBA233912CD8225F98C1844AFD77989841F6A8C1BF0B711599DAEDA
2868 | csrss.exe | C:\Users\admin\AppData\Local\Temp\AC8F.tmp\csrss.bat | text
MD5: 5896215F5B98CFAE422137E77A9743A5
SHA256: DA54C5BEFBF101F43439F564C5CA37B9B0971C61701BC6D0817760160BA8554E
3632 | mmc.exe | C:\Users\admin\AppData\Roaming\Microsoft\MMC\taskschd | xml
MD5: 28ED6FD5149BE035ECF224D0B2127F51
SHA256: D5E6D25F2ADBD164534B44636B2A5BE959A362FAF3E4ED967A3B18C79AD84200
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2320 | svchost.exe | 176.9.147.178:45700 | xmr.pool.minergate.com | Hetzner Online GmbH | DE | suspicious
2320 | svchost.exe | 94.130.9.194:45700 | xmr.pool.minergate.com | Hetzner Online GmbH | DE | suspicious
2320 | svchost.exe | 136.243.94.27:45700 | xmr.pool.minergate.com | Hetzner Online GmbH | DE | suspicious

DNS requests

Domain | IP | Reputation
Domain: xmr.pool.minergate.com
IP:
  • 94.130.9.194
  • 176.9.147.178
  • 136.243.102.157
  • 78.46.23.253
  • 136.243.94.27
  • 94.130.48.154
  • 94.130.64.225
  • 136.243.88.145
  • 78.46.49.212
  • 46.4.119.208
Reputation: suspicious

Threats

PID | Process | Class | Message
- | - | A Network Trojan was detected | ET POLICY Monero Mining Pool DNS Lookup
2320 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin
2320 | svchost.exe | Misc activity | MINER [PTsecurity] CoinMiner CryptoNight XMRig JSON_RPC Client Login
2320 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin
2320 | svchost.exe | Misc activity | MINER [PTsecurity] CoinMiner CryptoNight XMRig JSON_RPC Client Login
2320 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin
2320 | svchost.exe | Misc activity | MINER [PTsecurity] CoinMiner CryptoNight XMRig JSON_RPC Client Login
2320 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin
2320 | svchost.exe | Misc activity | MINER [PTsecurity] CoinMiner CryptoNight XMRig JSON_RPC Client Login
2320 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin
4 ETPRO signatures available at the full report
Process | Message
mmc.exe | Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe | OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe | AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe | ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn