Play interactive tour

Edit tour

Analysis Report SearchIndexer.exe

Overview

General Information

Sample Name:	SearchIndexer.exe
Analysis ID:	364394
MD5:	2ed1055a1ae02de09730550c1a1abbbd
SHA1:	42871f98dc93635013808b762a6157ddf770226a
SHA256:	adb64ebd3e30421457e2908995a524885e194182e4deae5b137ccad2d2a05aa3
Infos:
Most interesting Screenshot:

Detection

Xmrig

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Xmrig cryptocurrency miner

Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)

Found strings related to Crypto-Mining

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains sections with non-standard names

PE file contains strange resources

Program does not show much activity (idle)

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

SearchIndexer.exe (PID: 5884 cmdline: 'C:\Users\user\Desktop\SearchIndexer.exe' MD5: 2ED1055A1AE02DE09730550C1A1ABBBD)

conhost.exe (PID: 2432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.196463114.00007FF60C671000.00000040.00020000.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: SearchIndexer.exe PID: 5884	CoinMiner_Strings	Detects mining pool protocol string in Executable	Florian Roth	0x5da1:$s1: stratum+tcp:// 0x32c92:$s1: stratum+tcp:// 0x32dff:$s1: stratum+tcp://
Process Memory Space: SearchIndexer.exe PID: 5884	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SearchIndexer.exe.7ff60c670000.0.unpack	MAL_XMR_Miner_May19_1	Detects Monero Crypto Coin Miner	Florian Roth	0xdc479:$x2: * COMMANDS 'h' hashrate, 'p' pause, 'r' resume 0xdbdf8:$s1: [%s] login error code: %d
0.2.SearchIndexer.exe.7ff60c670000.0.unpack	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: SearchIndexer.exe

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: SearchIndexer.exe	Virustotal: Detection: 57%	Perma Link
Source: SearchIndexer.exe	Metadefender: Detection: 16%	Perma Link
Source: SearchIndexer.exe	ReversingLabs: Detection: 75%

Bitcoin Miner:

Yara detected Xmrig cryptocurrency miner

Show sources

Source: Yara match	File source: 00000000.00000002.196463114.00007FF60C671000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SearchIndexer.exe PID: 5884, type: MEMORY
Source: Yara match	File source: 0.2.SearchIndexer.exe.7ff60c670000.0.unpack, type: UNPACKEDPE

Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)

Show sources

Source: C:\Users\user\Desktop\SearchIndexer.exe

Code function: 0_2_00007FF60C6E9BA0 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,

0_2_00007FF60C6E9BA0

Found strings related to Crypto-Mining

Show sources

Source: SearchIndexer.exe	String found in binary or memory: stratum+tcp://
Source: SearchIndexer.exe	String found in binary or memory: { "algo": "cryptonight-upx/2", "api": { "port": 0, "access-token": null, "worker-id": null, "ipv6": false, "restricted": true },
Source: SearchIndexer.exe	String found in binary or memory: stratum+tcp://

Compliance:

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: SearchIndexer.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Spreading:

Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6E38C7 GetFileAttributesW,FindFirstFileW,GetLastError,GetLastError,	0_2_00007FF60C6E38C7
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C73A2F0 FindFirstFileW,	0_2_00007FF60C73A2F0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C73A4A8 RtlAllocateHeap,GetTimeZoneInformation,FindFirstFileExW,	0_2_00007FF60C73A4A8

Networking:

Source: C:\Users\user\Desktop\SearchIndexer.exe

Code function: 0_2_00007FF60C6E4FC0 WSARecv,GetLastError,WSAGetLastError,WSAGetLastError,WSAGetLastError,RegisterWaitForSingleObject,GetLastError,GetLastError,GetLastError,

0_2_00007FF60C6E4FC0

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0.2.SearchIndexer.exe.7ff60c670000.0.unpack, type: UNPACKEDPE

Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth

Source: C:\Users\user\Desktop\SearchIndexer.exe

Code function: 0_2_00007FF60C6E00E0: DeviceIoControl,SetLastError,

0_2_00007FF60C6E00E0

Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C717CF0	0_2_00007FF60C717CF0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C72E5F0	0_2_00007FF60C72E5F0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C72D880	0_2_00007FF60C72D880
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C67CDB0	0_2_00007FF60C67CDB0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C681DB0	0_2_00007FF60C681DB0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C71CDD0	0_2_00007FF60C71CDD0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6C7E30	0_2_00007FF60C6C7E30
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6A1E30	0_2_00007FF60C6A1E30
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C699E30	0_2_00007FF60C699E30
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6BBE20	0_2_00007FF60C6BBE20
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6C3E20	0_2_00007FF60C6C3E20
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C70CD50	0_2_00007FF60C70CD50
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6ADE00	0_2_00007FF60C6ADE00
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6B3DF0	0_2_00007FF60C6B3DF0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6DDDE0	0_2_00007FF60C6DDDE0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6C9E90	0_2_00007FF60C6C9E90
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C67DE50	0_2_00007FF60C67DE50
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C67FF20	0_2_00007FF60C67FF20
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C71AEB0	0_2_00007FF60C71AEB0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C680EC0	0_2_00007FF60C680EC0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6D9F90	0_2_00007FF60C6D9F90
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6F6F68	0_2_00007FF60C6F6F68
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6A5F60	0_2_00007FF60C6A5F60
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6E9F50	0_2_00007FF60C6E9F50
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C687000	0_2_00007FF60C687000
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C71DF80	0_2_00007FF60C71DF80
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C69C080	0_2_00007FF60C69C080
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6BE070	0_2_00007FF60C6BE070
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6F106C	0_2_00007FF60C6F106C
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C684060	0_2_00007FF60C684060
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C699050	0_2_00007FF60C699050
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6BB040	0_2_00007FF60C6BB040
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C720130	0_2_00007FF60C720130
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C680130	0_2_00007FF60C680130
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C686110	0_2_00007FF60C686110
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6A00F0	0_2_00007FF60C6A00F0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6C20E0	0_2_00007FF60C6C20E0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C67B0D0	0_2_00007FF60C67B0D0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6769A0	0_2_00007FF60C6769A0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C7209F0	0_2_00007FF60C7209F0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C704974	0_2_00007FF60C704974
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C68A950	0_2_00007FF60C68A950
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C727A30	0_2_00007FF60C727A30
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C719950	0_2_00007FF60C719950
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6A0A10	0_2_00007FF60C6A0A10
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C701A10	0_2_00007FF60C701A10
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6C2A00	0_2_00007FF60C6C2A00
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6CAA00	0_2_00007FF60C6CAA00
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C68B9F0	0_2_00007FF60C68B9F0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6A69F0	0_2_00007FF60C6A69F0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C68F9E0	0_2_00007FF60C68F9E0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6989E0	0_2_00007FF60C6989E0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6BA9D0	0_2_00007FF60C6BA9D0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6949D0	0_2_00007FF60C6949D0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C7319A0	0_2_00007FF60C7319A0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6FDA98	0_2_00007FF60C6FDA98
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6B3A90	0_2_00007FF60C6B3A90
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C685A90	0_2_00007FF60C685A90
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C687A70	0_2_00007FF60C687A70
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C729A40	0_2_00007FF60C729A40
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6EAB1C	0_2_00007FF60C6EAB1C
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6B5AF0	0_2_00007FF60C6B5AF0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C70EAB0	0_2_00007FF60C70EAB0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6A7BB0	0_2_00007FF60C6A7BB0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6D9B70	0_2_00007FF60C6D9B70
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C691B40	0_2_00007FF60C691B40
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C69FC30	0_2_00007FF60C69FC30
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6C1C20	0_2_00007FF60C6C1C20
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C721B50	0_2_00007FF60C721B50
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C690C10	0_2_00007FF60C690C10
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C68FCB0	0_2_00007FF60C68FCB0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C693CB0	0_2_00007FF60C693CB0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6ACC90	0_2_00007FF60C6ACC90
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6A2C60	0_2_00007FF60C6A2C60
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6C4C50	0_2_00007FF60C6C4C50
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C69CD30	0_2_00007FF60C69CD30
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6BED20	0_2_00007FF60C6BED20
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C71BC50	0_2_00007FF60C71BC50
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C68ACE0	0_2_00007FF60C68ACE0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C695CE0	0_2_00007FF60C695CE0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C68CCC0	0_2_00007FF60C68CCC0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6C8CC0	0_2_00007FF60C6C8CC0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C722CB0	0_2_00007FF60C722CB0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6C15B0	0_2_00007FF60C6C15B0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C7315C0	0_2_00007FF60C7315C0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6935A0	0_2_00007FF60C6935A0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6DF584	0_2_00007FF60C6DF584
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C67C570	0_2_00007FF60C67C570
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6F1558	0_2_00007FF60C6F1558
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C697550	0_2_00007FF60C697550
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C681550	0_2_00007FF60C681550
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C692630	0_2_00007FF60C692630
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C71F550	0_2_00007FF60C71F550
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C723560	0_2_00007FF60C723560
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6C95E0	0_2_00007FF60C6C95E0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C68A5D0	0_2_00007FF60C68A5D0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C69F5C0	0_2_00007FF60C69F5C0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C690680	0_2_00007FF60C690680
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C698680	0_2_00007FF60C698680
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6BA670	0_2_00007FF60C6BA670
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C71B700	0_2_00007FF60C71B700
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6B6660	0_2_00007FF60C6B6660
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6A9640	0_2_00007FF60C6A9640
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C685700	0_2_00007FF60C685700
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C69A6E0	0_2_00007FF60C69A6E0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6BC6D0	0_2_00007FF60C6BC6D0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C7196A0	0_2_00007FF60C7196A0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C67E6D0	0_2_00007FF60C67E6D0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C71D6B0	0_2_00007FF60C71D6B0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6E17A0	0_2_00007FF60C6E17A0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C67D7A0	0_2_00007FF60C67D7A0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6867A0	0_2_00007FF60C6867A0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C696790	0_2_00007FF60C696790
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6AE780	0_2_00007FF60C6AE780
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6A8770	0_2_00007FF60C6A8770
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C68D760	0_2_00007FF60C68D760
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C68F760	0_2_00007FF60C68F760
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C724810	0_2_00007FF60C724810
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6CB830	0_2_00007FF60C6CB830
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C682820	0_2_00007FF60C682820
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6C8800	0_2_00007FF60C6C8800
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C70E790	0_2_00007FF60C70E790
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6F87D0	0_2_00007FF60C6F87D0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C71E7A0	0_2_00007FF60C71E7A0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C71A8F0	0_2_00007FF60C71A8F0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C680840	0_2_00007FF60C680840
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C67C840	0_2_00007FF60C67C840
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6B4920	0_2_00007FF60C6B4920
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C693920	0_2_00007FF60C693920
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6AC910	0_2_00007FF60C6AC910
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6A3910	0_2_00007FF60C6A3910
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6C5900	0_2_00007FF60C6C5900
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6C8190	0_2_00007FF60C6C8190
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C685170	0_2_00007FF60C685170
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6B8140	0_2_00007FF60C6B8140
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6B1230	0_2_00007FF60C6B1230
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C719140	0_2_00007FF60C719140
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C690220	0_2_00007FF60C690220
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C67D210	0_2_00007FF60C67D210
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C67F1C0	0_2_00007FF60C67F1C0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6C32B0	0_2_00007FF60C6C32B0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6892B0	0_2_00007FF60C6892B0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6A62B0	0_2_00007FF60C6A62B0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C69F260	0_2_00007FF60C69F260
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6C1250	0_2_00007FF60C6C1250
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C695250	0_2_00007FF60C695250
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C68C250	0_2_00007FF60C68C250
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C69B250	0_2_00007FF60C69B250
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6B5240	0_2_00007FF60C6B5240
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6BD240	0_2_00007FF60C6BD240
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C694330	0_2_00007FF60C694330
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6E1320	0_2_00007FF60C6E1320
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6A72F0	0_2_00007FF60C6A72F0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6F12F0	0_2_00007FF60C6F12F0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C728280	0_2_00007FF60C728280
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C67C2F0	0_2_00007FF60C67C2F0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6AA2E0	0_2_00007FF60C6AA2E0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6DE2E0	0_2_00007FF60C6DE2E0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C7212A0	0_2_00007FF60C7212A0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6912C0	0_2_00007FF60C6912C0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6A12C0	0_2_00007FF60C6A12C0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6832C0	0_2_00007FF60C6832C0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6DD3A0	0_2_00007FF60C6DD3A0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C693390	0_2_00007FF60C693390
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C7193F0	0_2_00007FF60C7193F0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C685380	0_2_00007FF60C685380
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C722400	0_2_00007FF60C722400
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C68B360	0_2_00007FF60C68B360
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6FC3FC	0_2_00007FF60C6FC3FC
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C68A3C0	0_2_00007FF60C68A3C0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6804B0	0_2_00007FF60C6804B0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6B7490	0_2_00007FF60C6B7490
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6AD480	0_2_00007FF60C6AD480
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6AF480	0_2_00007FF60C6AF480
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6B4460	0_2_00007FF60C6B4460
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C71C510	0_2_00007FF60C71C510
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C688510	0_2_00007FF60C688510
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C699510	0_2_00007FF60C699510
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6BB500	0_2_00007FF60C6BB500
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C68E500	0_2_00007FF60C68E500
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6CC4E0	0_2_00007FF60C6CC4E0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6B04C0	0_2_00007FF60C6B04C0

Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: String function: 00007FF60C6E9530 appears 49 times
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: String function: 00007FF60C73A108 appears 56 times

Source: SearchIndexer.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SearchIndexer.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SearchIndexer.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Process Memory Space: SearchIndexer.exe PID: 5884, type: MEMORY	Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
Source: 0.2.SearchIndexer.exe.7ff60c670000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc

Source: classification engine

Classification label: mal80.mine.winEXE@2/0@0/0

Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C73A010 AdjustTokenPrivileges,SetStdHandle,		0_2_00007FF60C73A010
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C72E2D0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,		0_2_00007FF60C72E2D0

Source: C:\Users\user\Desktop\SearchIndexer.exe

Code function: 0_2_00007FF60C6E2CF0 GetDiskFreeSpaceW,GetLastError,GetFullPathNameW,GetDiskFreeSpaceW,

0_2_00007FF60C6E2CF0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2432:120:WilError_01

Source: C:\Users\user\Desktop\SearchIndexer.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SearchIndexer.exe	Virustotal: Detection: 57%
Source: SearchIndexer.exe	Metadefender: Detection: 16%
Source: SearchIndexer.exe	ReversingLabs: Detection: 75%

Source: SearchIndexer.exe	String found in binary or memory: --help
Source: SearchIndexer.exe	String found in binary or memory: --help

Source: unknown	Process created: C:\Users\user\Desktop\SearchIndexer.exe 'C:\Users\user\Desktop\SearchIndexer.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: SearchIndexer.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SearchIndexer.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Data Obfuscation:

Source: C:\Users\user\Desktop\SearchIndexer.exe

0_2_00007FF60C6E9BA0

Source: SearchIndexer.exe

Static PE information: section name: UPX2

Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6D4A20 push rsp; iretd	0_2_00007FF60C6D4A22
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6D4A75 push rsp; iretd	0_2_00007FF60C6D4A77
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6D4B35 push rsp; iretd	0_2_00007FF60C6D4B37
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6D4AD3 push rsp; iretd	0_2_00007FF60C6D4AD5
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6D4B93 push rsp; iretd	0_2_00007FF60C6D4B95
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6D4BF3 push rsp; iretd	0_2_00007FF60C6D4BF5
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6D4C50 push rsp; iretd	0_2_00007FF60C6D4C56

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\SearchIndexer.exe

Code function: 0_2_00007FF60C6EAB1C GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00007FF60C6EAB1C

Malware Analysis System Evasion:

Source: C:\Users\user\Desktop\SearchIndexer.exe

Code function: 0_2_00007FF60C6EA2C4 rdtsc

0_2_00007FF60C6EA2C4

Source: C:\Users\user\Desktop\SearchIndexer.exe

API coverage: 1.2 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6E38C7 GetFileAttributesW,FindFirstFileW,GetLastError,GetLastError,	0_2_00007FF60C6E38C7
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C73A2F0 FindFirstFileW,	0_2_00007FF60C73A2F0
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C73A4A8 RtlAllocateHeap,GetTimeZoneInformation,FindFirstFileExW,	0_2_00007FF60C73A4A8

Source: C:\Users\user\Desktop\SearchIndexer.exe

Code function: 0_2_00007FF60C72E5F0 GetSystemInfo,

0_2_00007FF60C72E5F0

Anti Debugging:

Source: C:\Users\user\Desktop\SearchIndexer.exe

Code function: 0_2_00007FF60C6EA2C4 rdtsc

0_2_00007FF60C6EA2C4

Source: C:\Users\user\Desktop\SearchIndexer.exe

Code function: 0_2_00007FF60C6F2A4C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF60C6F2A4C

Source: C:\Users\user\Desktop\SearchIndexer.exe

0_2_00007FF60C6E9BA0

Source: C:\Users\user\Desktop\SearchIndexer.exe

Code function: 0_2_00007FF60C73A4E0 GetOEMCP,GetProcessHeap,

0_2_00007FF60C73A4E0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6EB610 SetUnhandledExceptionFilter,_invalid_parameter_noinfo,	0_2_00007FF60C6EB610
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6EBE1C SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,	0_2_00007FF60C6EBE1C
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6F2A4C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF60C6F2A4C
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6EBC74 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF60C6EBC74
Source: C:\Users\user\Desktop\SearchIndexer.exe	Code function: 0_2_00007FF60C6EB7BC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,TerminateProcess,	0_2_00007FF60C6EB7BC

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\SearchIndexer.exe

Code function: 0_2_00007FF60C6EA2A0 cpuid

0_2_00007FF60C6EA2A0

Source: C:\Users\user\Desktop\SearchIndexer.exe

Code function: 0_2_00007FF60C6E7140 CreateNamedPipeW,CreateIoCompletionPort,GetLastError,FlushFileBuffers,PostQueuedCompletionStatus,GetLastError,

0_2_00007FF60C6E7140

Source: C:\Users\user\Desktop\SearchIndexer.exe

Code function: 0_2_00007FF60C6E0DF0 CloseHandle,CreateFileMappingA,GetLastError,CloseHandle,MapViewOfFile,GetLastError,FlushViewOfFile,GetLastError,UnmapViewOfFile,UnmapViewOfFile,GetSystemTimeAsFileTime,SetFileTime,

0_2_00007FF60C6E0DF0

Source: C:\Users\user\Desktop\SearchIndexer.exe

Code function: 0_2_00007FF60C73A4A8 RtlAllocateHeap,GetTimeZoneInformation,FindFirstFileExW,

0_2_00007FF60C73A4A8

Remote Access Functionality:

Source: C:\Users\user\Desktop\SearchIndexer.exe

Code function: 0_2_00007FF60C6E4BE0 socket,WSAGetLastError,closesocket,setsockopt,bind,WSAGetLastError,

0_2_00007FF60C6E4BE0

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	Application Shimming1	Access Token Manipulation1	Access Token Manipulation1	OS Credential Dumping	System Time Discovery2	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Process Injection2	Process Injection2	LSASS Memory	Security Software Discovery3	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Application Shimming1	Deobfuscate/Decode Files or Information1	Security Account Manager	File and Directory Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information21	NTDS	System Information Discovery14	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SearchIndexer.exe	58%	Virustotal		Browse
SearchIndexer.exe	22%	Metadefender		Browse
SearchIndexer.exe	76%	ReversingLabs	Win64.Trojan.Miner
SearchIndexer.exe	100%	Avira	HEUR/AGEN.1120937

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	364394
Start date:	08.03.2021
Start time:	04:36:30
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 2m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SearchIndexer.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.mine.winEXE@2/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 20.6% (good quality ratio 15.5%) Quality average: 48.5% Quality standard deviation: 35.2%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): svchost.exe Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	7.816430515285655
TrID:	Win64 Executable Console (202006/5) 81.26% UPX compressed Win32 Executable (30571/9) 12.30% Win64 Executable (generic) (12005/4) 4.83% Generic Win/DOS Executable (2004/3) 0.81% DOS Executable Generic (2002/1) 0.81%
File name:	SearchIndexer.exe
File size:	415744
MD5:	2ed1055a1ae02de09730550c1a1abbbd
SHA1:	42871f98dc93635013808b762a6157ddf770226a
SHA256:	adb64ebd3e30421457e2908995a524885e194182e4deae5b137ccad2d2a05aa3
SHA512:	e3828fc4a6215955249f66db8aa35cdbf67e0779e1ea7616b7ac72b4bb73b631a2e28962b127fa2edfef0fac79612486bc0082beffd1a79d15760301970a72df
SSDEEP:	6144:N5Wj/bK5hZneFnzOLm1zPqq64/t3fA2Ke3Mhzc6K+rkR10efUK:LW7bKxIzQUbDFvMI+Qztf
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........{....S...S...S...R...S...R...S...R ..S.k.S...S...R...S...R...S...R...S...R...S...S...S3..R...S3..R...S3..S...S...S...S3..R...

File Icon


Icon Hash:	00f070f092ebf830

Static PE Info

General
Entrypoint:	0x140397880
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x6029827B [Sun Feb 14 20:05:15 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	e4290fa6afc89d56616f34ebbd0b1f2c

Entrypoint Preview

Instruction
push ebx
push esi
push edi
push ebp
dec eax
lea esi, dword ptr [FFFB0775h]
dec eax
lea edi, dword ptr [esi-00347000h]
push edi
xor ebx, ebx
xor ecx, ecx
dec eax
or ebp, FFFFFFFFh
call 00007FEDDC466B75h
add ebx, ebx
je 00007FEDDC466B24h
rep ret
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
rep ret
dec eax
lea eax, dword ptr [edi+ebp]
cmp ecx, 05h
mov dl, byte ptr [eax]
jbe 00007FEDDC466B43h
dec eax
cmp ebp, FFFFFFFCh
jnbe 00007FEDDC466B3Dh
sub ecx, 04h
mov edx, dword ptr [eax]
dec eax
add eax, 04h
sub ecx, 04h
mov dword ptr [edi], edx
dec eax
lea edi, dword ptr [edi+04h]
jnc 00007FEDDC466B11h
add ecx, 04h
mov dl, byte ptr [eax]
je 00007FEDDC466B32h
dec eax
inc eax
mov byte ptr [edi], dl
sub ecx, 01h
mov dl, byte ptr [eax]
dec eax
lea edi, dword ptr [edi+01h]
jne 00007FEDDC466B12h
rep ret
cld
inc ecx
pop ebx
jmp 00007FEDDC466B2Ah
dec eax
inc esi
mov byte ptr [edi], dl
dec eax
inc edi
mov dl, byte ptr [esi]
add ebx, ebx
jne 00007FEDDC466B2Ch
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
jc 00007FEDDC466B08h
lea eax, dword ptr [ecx+01h]
jmp 00007FEDDC466B29h
dec eax
inc ecx
call ebx
adc eax, eax
inc ecx
call ebx
adc eax, eax
add ebx, ebx
jne 00007FEDDC466B2Ch
mov ebx, dword ptr [esi]
dec eax
sub esi, FFFFFFFCh
adc ebx, ebx
mov dl, byte ptr [esi]
jnc 00007FEDDC466B06h
sub eax, 03h
jc 00007FEDDC466B3Bh
shl eax, 08h
movzx edx, dl
or eax, edx
dec eax
inc esi
xor eax, FFFFFFFFh
je 00007FEDDC466B7Ah
sar eax, 1

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x398000	0x140	UPX2
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x399000	0x15242	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x388000	0x5bc8	UPX1
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x398140	0x14	UPX2
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x397af8	0x28	UPX1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x397b28	0x100	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x347000	0x0	unknown	unknown	unknown	unknown	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
UPX1	0x348000	0x50000	0x4fe00	False	0.976030663146	data	7.92506275506	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
UPX2	0x398000	0x1000	0x200	False	0.388671875	data	2.87105394311	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x399000	0x15242	0x15400	False	0.788269761029	data	7.04582779269	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x399370	0x668	data
RT_ICON	0x3999d8	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 28808, next used block 0
RT_ICON	0x399cc0	0x1e8	data
RT_ICON	0x399ea8	0x128	GLS_BINARY_LSB_FIRST
RT_ICON	0x399fd0	0xea8	data
RT_ICON	0x39ae78	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0
RT_ICON	0x39b720	0x6c8	data
RT_ICON	0x39bde8	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x39c350	0xd2d5	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON	0x3a9628	0x25a8	data
RT_ICON	0x3abbd0	0x10a8	data
RT_ICON	0x3acc78	0x988	data
RT_ICON	0x3ad600	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x3ada68	0xbc	data
RT_VERSION	0x3adb24	0x38c	PGP symmetric key encrypted data - Plaintext or unencrypted data	English	United States
RT_MANIFEST	0x3adeb0	0x392	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	LsaClose
KERNEL32.DLL	LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
USER32.dll	ShowWindow
WS2_32.dll	htons

Version Infos

Description	Data
LegalCopyright	Microsoft Corporation. All rights reserved.
InternalName	SearchIndexer.exe
FileVersion	7.0.19041.34 (WinBuild.160101.0800)
CompanyName	Microsoft Corporation
ProductName	Windows Search
ProductVersion	7.0.19041.34
FileDescription	Microsoft Windows Search Indexer
OriginalFilename	SearchIndexer.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: SearchIndexer.exe PID: 5884 Parent PID: 5544

General

Start time:	04:37:14
Start date:	08/03/2021
Path:	C:\Users\user\Desktop\SearchIndexer.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\SearchIndexer.exe'
Imagebase:	0x7ff60c670000
File size:	415744 bytes
MD5 hash:	2ED1055A1AE02DE09730550C1A1ABBBD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000000.00000002.196463114.00007FF60C671000.00000040.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 2432 Parent PID: 5884

General

Start time:	04:37:15
Start date:	08/03/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SearchIndexer.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Bitcoin Miner:

Compliance:

Spreading:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: SearchIndexer.exe PID: 5884 Parent PID: 5544

General

Chronological Activities

Analysis Process: conhost.exe PID: 2432 Parent PID: 5884

General

Chronological Activities