Windows Analysis Report UNMNPURyLk.exe
Overview
General Information
Detection: Phantom Miner
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Yara detected Phantom Miner
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sigma detected: Suspicious Script Execution From Temp Folder
Found strings related to Crypto-Mining
Protects its processes via BreakOnTermination flag
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Machine Learning detection for sample
.NET source code contains potential unpacker
Machine Learning detection for dropped file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Creates a window with clipboard capturing capabilities
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Classification
Process Tree
Malware Configuration
Threatname: PhantomMiner
{"Version": "v2.0", "MinerMarker": "FAGPSIVY6PE991JD", "ForceUAC": "true", "Hosts": ["localhost", "185.215.113.62"], "Ports": ["6606", "8808", "30881"], "Mutex": "PhantomMutex-Z3LKHP4A", "Critical": "true", "Anti VM": "true", "Anti Sandbox": "true", "Anti Emulation": "true", "Enable Grabber": "true", "Grab MXR": "49y9zNEnMmjgjMcbJCpSF3A317tnmHUx49QtkAawZJPXj6k6FUSEdSPNcP49Kxi2hHTo25XyzTj7VUKuq7R7NBjn5G6P92U", "Grab BTC": "1P9ztqcYG2Csq9Z4a1juDEntusbE3ZqdiM", "Grab ETH": "0xbabCAD94d0a9709E459600ea967E528643f885cD", "Grab LTC": "LfLGvHh5rHpJaQ6W6vFieGrR5yokdoHnYi", "Install": "true", "Registry": "WindowsUpdate", "File Name": "Win32Update.exe", "Folder Name": "Folder Name", "Drop Location": "C:\\Users\\Administrator\\AppData\\Local\\Temp\\2\\", "Certificate": "MIIE4DCCAsigAwIBAgIQAMEERr8Hh6aTSMO4CnYpWTANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZHb0dhbWUwIBcNMjEwOTEyMTQyMzU0WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBkdvR2FtZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKh1yyqY4Ui2qO0iRzjRexqjm1YNq+pgEtL6b2YbjZ0SYfSkf7CN/29xflc7tqIwKb4Opcd7SwWtLNh0AX5aVlaIDDL0mRsQ8GS8nt9mw2ui7n8gJx65/s43rYoenkJlCRa7/LS1ReSh4ZH/83AYE3pF+2qWFW/2c+Kjf+CEE6HRGTrG3D7FGcUj+9AcGevrupTptHErJQ5nNVbTScdaxtbn2gdgxegfmdVOaEojhmqZPmHKI2BCUyqE5mINJX8Uz0ft1jJRlh944hpT3Psubp/Q5Bq1+lAykJ892PHznBJ9Xr2iWNVbUze1hYiSVd61tb8XthQ28XHkCDrGOTGaYdUQ8iwpyRhhfbeyXhQQrAKUq1T9H29Rf8hcwpOHbs3nFfWC8SoL4FhYHn1Mc3UkHLm2ltNbyoAMK98Csx1Ytsu1WCS5fbMVMwoHKGlv7Z2T1aCF42LFKRhM7H6Oi9P0XC6YNauC7BsSfClyNAILBOmp2SZoWxGfulN+nxSogQuiTA0V1f4R0gheGEwD53NJMPB/fc6I8ONAzXp73Mz0Qz+bzC3jnHKgpLTlmI4Kgvpu3b+2qCTKMXks8CGhfldB3YISnzo1T0HLaaBZGDHpUFUhCkB+i2LUUhxxBatUjOimSlgbbou3gAYgnTk2eaE946kdfLRqRLrakOIR940vcXHTAgMBAAGjMjAwMB0GA1UdDgQWBBTqPjwiE/cuyOMLA9r8ZTtbNtnp1DAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQAGI+K7LoGW3yVjtGuJmQHJ+un2Sak8GbxaRJjhNOgULi4qKlVPSG8CwzKMdg6SSjg1D5J12cPDo7kG60pdYD2+LIFyNF2A/7Ld/LRT1t6Av2/EZ7YCXymA6MruLxXA/P9KtrCF1H20EGjYlHswm0qbK53RLUI6Lx3t4GfjksY6p2bIXtoWvXwqWzE8OPPBlrC1F0VPbmbJVYnHUfFoRzhKa8q3qA86/FEKkIs7e1gVU/cpgrq8pQT
2d+gMJWaTQDCH6IHlbbl0+xqY7UHaXvkRmNV4CAPKofHienUpURhdrau7n0fCjW4VhOeIsZ65ZHT7/afNksrvbNpaxNenbhT6TKCjAroDqc0Rs+yIKl+PgpYsRRHWwVK2eDN39JkX/H5WHja/RRwrh8VY6MEYttwUfBBSAtO48B3DBEE9lspdc9+g7/8XxVKUjTh72sh1D9werw7Ze4AyBV9a+OCf1R28zFbej0YiFR+u1CSbSqNDajF2OKjbAvQZZwE4xocZX1qsVePq4mPGry0qlDLDSYg4vLz02qZX21rfpU3WDwtvLS61KLPT5RV7Cr1zEUhGa0FR0O+MlajlmHQJy1sIIU2upu3eMjQZeIblmjuisbIylwb8h79itR2sxXwCd0AriGkbYPAJ8HVGq/Fv+5b0VmYKHXlC7JBWdyjYm1QEF7QuOw==", "Server Signature": "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"}
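The extracted configuration above is the most actionable part of the report: it names the C2 host and ports, the mutex, the persistence value and drop path, and the wallet addresses the "grabber" (a clipboard address swapper, per the "Creates a window with clipboard capturing capabilities" signature) substitutes for the victim's. The following script is an added example written for this page, not code from Joe Sandbox or from the sample; it turns a constructed copy of that config (certificate and server signature left out) into IOC lists, classifies each wallet by address syntax only (no checksum verification), and runs a simple swap detector over a constructed clipboard trace. The address regexes and the clipboard trace are assumptions made for the example.

```python
import ipaddress
import json
import re

# Constructed copy of the configuration the report's extractor produced for
# this sample (certificate and server signature omitted; they play no part in
# IOC extraction). Hosts, ports, mutex, paths and wallets are the report's values.
CONFIG_JSON = r'''{"Version": "v2.0", "MinerMarker": "FAGPSIVY6PE991JD", "ForceUAC": "true",
"Hosts": ["localhost", "185.215.113.62"], "Ports": ["6606", "8808", "30881"],
"Mutex": "PhantomMutex-Z3LKHP4A", "Critical": "true", "Anti VM": "true",
"Anti Sandbox": "true", "Anti Emulation": "true", "Enable Grabber": "true",
"Grab MXR": "49y9zNEnMmjgjMcbJCpSF3A317tnmHUx49QtkAawZJPXj6k6FUSEdSPNcP49Kxi2hHTo25XyzTj7VUKuq7R7NBjn5G6P92U",
"Grab BTC": "1P9ztqcYG2Csq9Z4a1juDEntusbE3ZqdiM",
"Grab ETH": "0xbabCAD94d0a9709E459600ea967E528643f885cD",
"Grab LTC": "LfLGvHh5rHpJaQ6W6vFieGrR5yokdoHnYi",
"Install": "true", "Registry": "WindowsUpdate", "File Name": "Win32Update.exe",
"Folder Name": "Folder Name",
"Drop Location": "C:\\Users\\Administrator\\AppData\\Local\\Temp\\2\\"}'''

# Address syntax per coin (assumed patterns). Syntax only: no Base58Check or
# EIP-55 checksum is verified, so this says "looks like", not "is valid".
WALLET_PATTERNS = {
    "BTC": re.compile(r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})$"),
    "LTC": re.compile(r"^(?:[LM][1-9A-HJ-NP-Za-km-z]{26,33}|ltc1[02-9ac-hj-np-z]{11,71})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "XMR": re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$"),
}


def parse_config(text):
    """Parse the extractor's JSON; the string flags "true"/"false" become bools."""
    cfg = json.loads(text)
    return {k: (v == "true" if v in ("true", "false") else v) for k, v in cfg.items()}


def network_iocs(cfg):
    """Every host:port the client may dial, skipping loopback placeholders."""
    out = []
    for host in cfg["Hosts"]:
        try:
            if ipaddress.ip_address(host).is_loopback:
                continue
        except ValueError:  # not an IP literal
            if host.lower() == "localhost":
                continue
        for port in cfg["Ports"]:
            out.append(f"{host}:{int(port)}")
    return out


def host_iocs(cfg):
    """Host-based artefacts: mutex, Run-value name and the dropped file path."""
    iocs = {"mutex": cfg["Mutex"]}
    if cfg.get("Install"):
        iocs["registry_value"] = cfg["Registry"]
        iocs["dropped_file"] = cfg["Drop Location"] + cfg["File Name"]
    return iocs


def classify_wallet(value):
    """Return the coin whose address syntax `value` matches, else None."""
    for coin, pat in WALLET_PATTERNS.items():
        if pat.match(value):
            return coin
    return None


def grabber_targets(cfg):
    """Attacker wallets keyed by the config's own label, with the syntactic
    check applied so a mislabeled or truncated value stands out."""
    targets = {}
    if not cfg.get("Enable Grabber"):
        return targets
    for key, value in cfg.items():
        if key.startswith("Grab "):
            targets[key[5:]] = {"address": value, "looks_like": classify_wallet(value)}
    return targets


def detect_clipboard_swaps(snapshots, targets):
    """Walk successive clipboard contents and report each point where a wallet
    address was replaced by an attacker address of the same coin."""
    attacker = {t["address"]: t["looks_like"] for t in targets.values()}
    hits = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        coin = classify_wallet(prev)
        if coin and cur != prev and attacker.get(cur) == coin:
            hits.append((coin, prev, cur))
    return hits


# Constructed trace: what the user copied, then what was read back from the
# clipboard. The two "victim" addresses are syntactically valid placeholders.
CLIPBOARD_TRACE = [
    "hello world",
    "1VictimVictimVictimVictimVictimAAA",
    "1P9ztqcYG2Csq9Z4a1juDEntusbE3ZqdiM",
    "0x1111111111111111111111111111111111111111",
    "0xbabCAD94d0a9709E459600ea967E528643f885cD",
]

if __name__ == "__main__":
    cfg = parse_config(CONFIG_JSON)
    print("network:", network_iocs(cfg))
    print("host:", host_iocs(cfg))
    for label, t in grabber_targets(cfg).items():
        print(f"grab {label}: {t['address']} looks like {t['looks_like']}")
    print("swaps:", detect_clipboard_swaps(CLIPBOARD_TRACE, grabber_targets(cfg)))
```

Two things fall out of running it. The config's "Grab MXR" value is 95 characters long and starts with "49", i.e. it has the shape of a Monero address, so "MXR" is just the author's label for XMR. And "localhost" in the Hosts list is dropped deliberately: emitting 127.0.0.1:6606 as a network indicator would only add noise next to the real one, 185.215.113.62 on 6606, 8808 and 30881, which is what the "TCP or UDP traffic on non-standard ports" signature refers to.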
Yara Overview

Initial Sample

Rule | Description | Author
---|---|---
JoeSecurity_PhantomMiner | Yara detected Phantom Miner | Joe Security
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security

Dropped Files

Rule | Description | Author
---|---|---
JoeSecurity_PhantomMiner | Yara detected Phantom Miner | Joe Security
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security

Memory Dumps (21 matches in total; first five shown)

Rule | Description | Author
---|---|---
JoeSecurity_PhantomMiner | Yara detected Phantom Miner | Joe Security
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
JoeSecurity_PhantomMiner | Yara detected Phantom Miner | Joe Security
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
JoeSecurity_PhantomMiner | Yara detected Phantom Miner | Joe Security

Unpacked PEs (11 matches in total; first five shown)

Rule | Description | Author
---|---|---
JoeSecurity_PhantomMiner | Yara detected Phantom Miner | Joe Security
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
JoeSecurity_PhantomMiner | Yara detected Phantom Miner | Joe Security
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
JoeSecurity_PhantomMiner | Yara detected Phantom Miner | Joe Security
Sigma Overview

System Summary

Rule | Author
---|---
Suspicious Script Execution From Temp Folder | Florian Roth, Max Altgelt
Non Interactive PowerShell | Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
T1086 PowerShell Execution | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
Jbx Signature Overview

AV Detection

Found malware configuration (source: Malware Configuration Extractor)