Analysis Date: 2018-02-14 14:44:27
MD5: 9b6f7da1edf1ac04e1f886d0bec21a64
SHA1: fb3a9f57101b05460e5ea0440c21952bfb061650

Static Details:

File type: PE32 executable (GUI) Intel 80386, for MS Windows
PEhash:
AV | Arcabit (arcavir) | Gen:Variant.Symmi.25939
AV | Authentium | W32/CoinMiner.O.gen!Eldorado
AV | Grisoft (avg) | Win32/DH{TA?}
AV | Avira (antivir) | TR/Dropper.Gen9
AV | Alwil (avast) | Malware-gen
AV | Alwil (avast) | Win32:Malware-gen
AV | Ad-Aware | Error Scanning File
AV | BitDefender | Gen:Variant.Symmi.25939
AV | BullGuard | Gen:Variant.Symmi.25939
AV | ClamAV | Error Scanning File
AV | Dr. Web | Tool.BtcMine.1145
AV | Dr. Web | Trojan.BtcMine.1759
AV | Emsisoft | Gen:Variant.Symmi.25939
AV | MicroWorld (escan) | Gen:Variant.Symmi.25939
AV | CA (E-Trust Ino) | Error Scanning File
AV | Fortinet | W32/Agent.OJQ!tr.spy
AV | Frisk (f-prot) | W32/CoinMiner.O.gen!Eldorado
AV | F-Secure | Gen:Variant.Symmi.25939
AV | Ikarus | Error Scanning File
AV | K7 | Adware ( 005070c51 )
AV | Kaspersky | HEUR:RiskTool.Win32.BitCoinMiner.gen
AV | Kaspersky | HEUR:RiskTool.Win32.BitMiner.gen
AV | Kaspersky | Trojan.Win32.Generic
AV | MalwareBytes | No Virus
AV | Mcafee | No Virus
AV | Microsoft Security Essentials | No Virus
AV | NANO | Riskware.Win32.BitMiner.ewvndj
AV | Eset (nod32) | No Virus
AV | Padvish | Trojan.Win32.Bitcoin.S
AV | CAT (quickheal) | No Virus
AV | Rising | No Virus
AV | 360 Safe | No Virus
AV | SUPERAntiSpyware | No Virus
AV | Symantec | Trojan.Gen
AV | Trend Micro | No Virus
AV | Twister | W64.CoinMiner.CZ.gcqr
AV | VirusBlokAda (vba32) | Win32.Trojan.Dropper.Heur
AV | Windows Defender | No Virus
AV | Zillya! | No Virus

Runtime Details:

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\THX1138\AppData\Local\Temp\fb3a9f57101b05460e5ea0440c21952bfb061650.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝ 0
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost ➝ C:\Users\THX1138\AppData\Local\Temp\fb3a9f57101b05460e5ea0440c21952bfb061650.exe
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run ➝ C:\Users\THX1138\AppData\Local\Temp\fb3a9f57101b05460e5ea0440c21952bfb061650.exe
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝ C:\Users\THX1138\AppData\Local\Temp\fb3a9f57101b05460e5ea0440c21952bfb061650.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe\Debugger ➝ C:\Users\THX1138\AppData\Local\Temp\fb3a9f57101b05460e5ea0440c21952bfb061650.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe\Debugger ➝ C:\Users\THX1138\AppData\Local\Temp\fb3a9f57101b05460e5ea0440c21952bfb061650.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQPCTray.exe\Debugger ➝ C:\Users\THX1138\AppData\Local\Temp\fb3a9f57101b05460e5ea0440c21952bfb061650.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger ➝ C:\Users\THX1138\AppData\Local\Temp\fb3a9f57101b05460e5ea0440c21952bfb061650.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Tray.exe\Debugger ➝ C:\Users\THX1138\AppData\Local\Temp\fb3a9f57101b05460e5ea0440c21952bfb061650.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger ➝ C:\Users\THX1138\AppData\Local\Temp\fb3a9f57101b05460e5ea0440c21952bfb061650.exe
Creates File: C:\Windows\config.json
Creates File: C:\Windows\svchost.exe
Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: C:\Users\THX1138\AppData\Local\Temp\fb3a9f57101b05460e5ea0440c21952bfb061650.exe
Creates File: C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe
Creates File: C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe
Creates File: C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe
Creates File: C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe
Creates File: C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
Creates File: C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
Creates File: C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe
Creates File: C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe
Creates File: C:\Program Files\DVD Maker\DVDMaker.exe
Creates File: C:\Program Files\Internet Explorer\ieinstal.exe
Creates File: C:\Program Files\Internet Explorer\ielowutil.exe
Creates File: C:\Program Files\Internet Explorer\iexplore.exe
Creates Mutex:

Process
↳ C:\Windows\svchost.exe

Creates Mutex:
Creates File: C:\Windows\System32\wship6.dll
Creates File: C:\Windows\System32\wshqos.dll
Creates File: C:\Windows\config.json

Network Details:


Raw Pcap
0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .

Strings