Analysis Date: 2018-02-15 13:16:10
MD5: 1ed9337e0aec20df7e6f89a7c7c7e761
SHA1: 66120ea675052692841723883a0e2d922dbf96c4

Static Details:

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
PEhash:

AV  Vendor                          Verdict
AV  Arcabit (arcavir)               Gen:Heur.MSIL.Krypt.6
AV  Authentium                      W32/A-520088ff!Eldorado
AV  Grisoft (avg)                   CoinMiner.RUH.dropper
AV  Avira (antivir)                 TR/Dropper.Gen
AV  Alwil (avast)                   No Virus
AV  Ad-Aware                        Gen:Heur.MSIL.Krypt.6
AV  BitDefender                     Gen:Heur.MSIL.Krypt.6
AV  BullGuard                       Gen:Heur.MSIL.Krypt.6
AV  ClamAV                          No Virus
AV  Dr. Web                         Trojan.DownLoader26.12714
AV  Emsisoft                        Gen:Heur.MSIL.Krypt.6
AV  MicroWorld (escan)              Gen:Heur.MSIL.Krypt.6
AV  CA (E-Trust Ino)                Gen:Heur.MSIL.Krypt.6
AV  Fortinet                        MSIL/Injector.B!tr
AV  Frisk (f-prot)                  No Virus
AV  F-Secure                        Gen:Heur.MSIL.Krypt.6
AV  Ikarus                          PUA.CoinMiner
AV  K7                              No Virus
AV  Kaspersky                       HEUR:RiskTool.Win32.BitCoinMiner.gen
AV  Kaspersky                       HEUR:RiskTool.Win32.BitMiner.gen
AV  Kaspersky                       Trojan.Win32.Generic
AV  MalwareBytes                    No Virus
AV  Mcafee                          GenericRXDW-TV!1ED9337E0AEC
AV  Microsoft Security Essentials   Trojan:Win32/CoinMiner!bit
AV  NANO                            No Virus
AV  Eset (nod32)                    MSIL/CoinMiner.AJW
AV  Padvish                         Trojan.Win32.Bitcoin.S
AV  CAT (quickheal)                 No Virus
AV  Rising                          No Virus
AV  360 Safe                        No Virus
AV  SUPERAntiSpyware                No Virus
AV  Symantec                        PUA.Bitcoinminer
AV  Trend Micro                     No Virus
AV  Twister                         No Virus
AV  VirusBlokAda (vba32)            No Virus
AV  Windows Defender                Trojan:Win32/CoinMiner!bit
AV  Zillya!                         No Virus

Runtime Details:

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\THX1138\AppData\Local\Temp\66120ea675052692841723883a0e2d922dbf96c4.exe

Creates Mutex
Creates Mutex
Creates Mutex
Creates Mutex
Creates Mutex: x_m_r|f_o_r|l_i_f_e
Creates File: C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
Creates File: C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
Creates File: C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
Creates File: C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
Creates File: C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
Creates File: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
Creates File: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
Creates File: C:\Users\THX1138\AppData\Local\Temp\66120ea675052692841723883a0e2d922dbf96c4.exe.config
Creates File: C:\Users\THX1138\AppData\Local\Temp\66120ea675052692841723883a0e2d922dbf96c4.exe
Creates File: C:\Users\THX1138\AppData\Local\Temp\66120ea675052692841723883a0e2d922dbf96c4.exe
Creates File: C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
Creates File: C:\Users\THX1138\AppData\Local\Temp\66120ea675052692841723883a0e2d922dbf96c4.exe.config
Creates File: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\225759bb87c854c0fff27b1d84858c21\mscorlib.ni.dll.aux
Creates File: C:\Users\THX1138\AppData\Local\Temp\66120ea675052692841723883a0e2d922dbf96c4.exe
Creates File: C:\Windows\assembly\pubpol4.dat
Creates File: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
Creates File: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\5aac750b35b27770dccb1a43f83cced7\System.Windows.Forms.ni.dll.aux
Creates File: C:\Windows\assembly\NativeImages_v4.0.30319_32\System\52cca48930e580e3189eac47158c20be\System.ni.dll.aux
Creates File: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\646b4b01cb29986f8e076aa65c9e9753\System.Drawing.ni.dll.aux
Creates File: C:\Users\THX1138\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\miner.exe.url
Creates File: C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\7ca6a7b9413844e82108a9d62f88a2d9\Microsoft.VisualBasic.ni.dll.aux
Creates File: C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\55560c2014611e9119f99923c9ebdeef\System.Core.ni.dll.aux

Process
↳ C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Creates Mutex: MYMUTEXNAME_XMRIG
Creates File: C:\Windows\System32\wship6.dll
Creates File: C:\Windows\System32\wship6.dll
Creates File: C:\Windows\System32\wship6.dll
Creates File: C:\Windows\System32\wshqos.dll
Creates File: C:\Windows\System32\wshqos.dll
Creates File: C:\Windows\System32\wshqos.dll
Creates File: C:\Windows\System32\wshqos.dll

Network Details:


Raw Pcap
0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .


Strings