| File name: | a6ce588a83f2c77c794e3584e8ac44e472d26cf301bb2bf0468bcabae55070bc |
| Full analysis: | https://app.any.run/tasks/f0189d11-c01d-4dc5-a882-d6572aa1b3b2 |
| Verdict: | Malicious activity |
| Threats: | Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. |
| Analysis date: | November 18, 2024, 17:16:40 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows, 8 sections |
| MD5: | C9A04BF748D1EE29A43AC3F0DDACE478 |
| SHA1: | 891BD4E634A9C5FEC1A3DE80BFF55C665236B58D |
| SHA256: | A6CE588A83F2C77C794E3584E8AC44E472D26CF301BB2BF0468BCABAE55070BC |
| SSDEEP: | 49152:ybQ+p9UJkdNaeuRgsJ9pddphet67LGZvTuD/jhLD/6dUJBrb9IqepaBK:1+QJkwgsLDdpg5ZqrhLDSdUJBrRI1 |
MALICIOUS
Adds extension to the Windows Defender exclusion list
- a6ce588a83f2c77c794e3584e8ac44e472d26cf301bb2bf0468bcabae55070bc.exe (PID: 3020)
- zrgqfbcavrkx.exe (PID: 5788)
Uninstalls Malicious Software Removal Tool (MRT)
- cmd.exe (PID: 1712)
Connects to the CnC server
- svchost.exe (PID: 5196)
MINER has been detected (SURICATA)
- svchost.exe (PID: 5196)
- svchost.exe (PID: 2172)
XMRIG has been detected (YARA)
- svchost.exe (PID: 5196)
SUSPICIOUS
Starts process via Powershell
- powershell.exe (PID: 764)
Starts POWERSHELL.EXE for commands execution
- a6ce588a83f2c77c794e3584e8ac44e472d26cf301bb2bf0468bcabae55070bc.exe (PID: 5580)
- a6ce588a83f2c77c794e3584e8ac44e472d26cf301bb2bf0468bcabae55070bc.exe (PID: 3020)
- zrgqfbcavrkx.exe (PID: 5788)
Script adds exclusion extension to Windows Defender
- a6ce588a83f2c77c794e3584e8ac44e472d26cf301bb2bf0468bcabae55070bc.exe (PID: 3020)
- zrgqfbcavrkx.exe (PID: 5788)
Script adds exclusion path to Windows Defender
- a6ce588a83f2c77c794e3584e8ac44e472d26cf301bb2bf0468bcabae55070bc.exe (PID: 3020)
- zrgqfbcavrkx.exe (PID: 5788)
Manipulates environment variables
- powershell.exe (PID: 4208)
- powershell.exe (PID: 7052)
Uses powercfg.exe to modify the power settings
- a6ce588a83f2c77c794e3584e8ac44e472d26cf301bb2bf0468bcabae55070bc.exe (PID: 3020)
- zrgqfbcavrkx.exe (PID: 5788)
Starts CMD.EXE for commands execution
- a6ce588a83f2c77c794e3584e8ac44e472d26cf301bb2bf0468bcabae55070bc.exe (PID: 3020)
- zrgqfbcavrkx.exe (PID: 5788)
Executes as Windows Service
- zrgqfbcavrkx.exe (PID: 5788)
Process uninstalls Windows update
- wusa.exe (PID: 692)
- wusa.exe (PID: 4032)
Executable content was dropped or overwritten
- a6ce588a83f2c77c794e3584e8ac44e472d26cf301bb2bf0468bcabae55070bc.exe (PID: 3020)
- zrgqfbcavrkx.exe (PID: 5788)
Starts SC.EXE for service management
- a6ce588a83f2c77c794e3584e8ac44e472d26cf301bb2bf0468bcabae55070bc.exe (PID: 3020)
- zrgqfbcavrkx.exe (PID: 5788)
Drops a system driver (possible attempt to evade defenses)
- zrgqfbcavrkx.exe (PID: 5788)
Crypto Currency Mining Activity Detected
- svchost.exe (PID: 2172)
- svchost.exe (PID: 5196)
Potential Corporate Privacy Violation
- svchost.exe (PID: 5196)
INFO
Checks supported languages
- a6ce588a83f2c77c794e3584e8ac44e472d26cf301bb2bf0468bcabae55070bc.exe (PID: 5580)
UPX packer has been detected
- svchost.exe (PID: 5196)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Generic Win/DOS Executable (50) |
|---|---|---|
| .exe | | | DOS Executable Generic (49.9) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2024:03:27 14:50:23+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14 |
| CodeSize: | 37888 |
| InitializedDataSize: | 2621952 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1140 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 70.0.3538.110 |
| ProductVersionNumber: | 70.0.3538.110 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Unknown (0) |
| ObjectFileType: | Unknown |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| CompanyName: | Google Inc. |
| FileTitle: | chrome.exe |
| FileDescription: | Google Chrome |
| FileVersion: | 70,0,3538,110 |
| LegalCopyright: | Copyright 2017 Google Inc. All rights reserved. |
| LegalTrademark: | - |
| ProductName: | Google Chrome |
| ProductVersion: | 70,0,3538,110 |
Total processes
184
Monitored processes
62
Malicious processes
6
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 692 | wusa /uninstall /kb:890830 /quiet /norestart | C:\Windows\System32\wusa.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Update Standalone Installer Exit code: 87 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 764 | C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe Start-Process "C:\Users\admin\Desktop\a6ce588a83f2c77c794e3584e8ac44e472d26cf301bb2bf0468bcabae55070bc.exe" -Verb runAs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | a6ce588a83f2c77c794e3584e8ac44e472d26cf301bb2bf0468bcabae55070bc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 948 | C:\WINDOWS\system32\sc.exe delete "RLNALEWN" | C:\Windows\System32\sc.exe | — | a6ce588a83f2c77c794e3584e8ac44e472d26cf301bb2bf0468bcabae55070bc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Service Control Manager Configuration Tool Exit code: 1060 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1084 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1196 | C:\WINDOWS\system32\sc.exe stop WaaSMedicSvc | C:\Windows\System32\sc.exe | — | zrgqfbcavrkx.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Service Control Manager Configuration Tool Exit code: 1062 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1248 | C:\WINDOWS\system32\sc.exe stop bits | C:\Windows\System32\sc.exe | — | a6ce588a83f2c77c794e3584e8ac44e472d26cf301bb2bf0468bcabae55070bc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Service Control Manager Configuration Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1372 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powercfg.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1452 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | sc.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1700 | C:\WINDOWS\system32\sc.exe stop eventlog | C:\Windows\System32\sc.exe | — | a6ce588a83f2c77c794e3584e8ac44e472d26cf301bb2bf0468bcabae55070bc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Service Control Manager Configuration Tool Exit code: 1051 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1712 | C:\WINDOWS\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart | C:\Windows\System32\cmd.exe | — | zrgqfbcavrkx.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Command Processor Exit code: 87 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
18 289
Read events
18 287
Write events
2
Delete events
0
Modification events
| (PID) Process: | (3020) a6ce588a83f2c77c794e3584e8ac44e472d26cf301bb2bf0468bcabae55070bc.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT |
| Operation: | write | Name: | DontOfferThroughWUAU |
Value: 1 | |||
| (PID) Process: | (5788) zrgqfbcavrkx.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT |
| Operation: | write | Name: | DontOfferThroughWUAU |
Value: 1 | |||
Executable files
2
Suspicious files
2
Text files
9
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7052 | powershell.exe | C:\Windows\Temp\__PSScriptPolicyTest_x2cmt4iw.zno.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 4208 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vxz4ovy5.hs2.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 4208 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cydiyqw4.0vl.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 764 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0syu2mdc.cru.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 7052 | powershell.exe | C:\Windows\Temp\__PSScriptPolicyTest_z3yzywtt.kfr.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 3020 | a6ce588a83f2c77c794e3584e8ac44e472d26cf301bb2bf0468bcabae55070bc.exe | C:\Windows\System32\drivers\etc\hosts | text | |
MD5:A148CD6307FA4C410930388A4F0FED3F | SHA256:4648F861EA093F3CF24F2136B7A04D9AE17A254FA9CA291B1536CA3D9D591DCC | |||
| 764 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_er5qjphg.idh.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 764 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:234F7BCB340068D6E0D88FDB71212C31 | SHA256:F05AFBD7DC96F87AD1ADD142B3A9329B007F67904C4A6BB660126ECCB45B6769 | |||
| 7052 | powershell.exe | C:\Windows\Temp\__PSScriptPolicyTest_ckwisnrx.at2.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 7052 | powershell.exe | C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:8C2ED23ABFF53BE8A4F243093B115A37 | SHA256:FD85C47AC65A3540997B247FDFE0206033803E3E6FCD5E9DD1671EA943BCEED6 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
26
DNS requests
7
Threats
12
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6944 | svchost.exe | GET | 200 | 2.19.126.146:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5488 | MoUsoCoreWorker.exe | GET | 200 | 2.19.126.146:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5640 | RUXIMICS.exe | GET | 200 | 2.19.126.146:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5640 | RUXIMICS.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
6944 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5488 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
6944 | svchost.exe | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
5640 | RUXIMICS.exe | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
5488 | MoUsoCoreWorker.exe | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
6944 | svchost.exe | 2.19.126.146:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5640 | RUXIMICS.exe | 2.19.126.146:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5488 | MoUsoCoreWorker.exe | 2.19.126.146:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5640 | RUXIMICS.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
6944 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
pool.hashvault.pro |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2172 | svchost.exe | Crypto Currency Mining Activity Detected | ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro) |
5196 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |
5196 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |
5196 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |
5196 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |
5196 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |
5196 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |
5196 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |
5196 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |
5196 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |
1 ETPRO signatures available at the full report