Malware analysis stub1.exe Malicious activity | ANY.RUN - Malware Sandbox Online (2024)

File name: stub1.exe

Full analysis: https://app.any.run/tasks/f6b5b5e3-8073-423f-8030-65afd1614441
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.


Analysis date: February 01, 2019, 13:17:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: miner, trojan

Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 672D0046FB5827A8FBAA036983FEC2E0
SHA1: CFFAA448F6AC4FEF65004CA272F3CD95DE734BD5
SHA256:
SSDEEP: 192:jIw0EdSazJVrUjOQoHnHzU2jrYAfIMWSQc:jIpaDVVJQoHnHzU2jr1f/WSH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • corona1.exe (PID: 2556)
      • corona1.exe (PID: 1524)
      • Cortana.exe (PID: 3148)
      • ActionUriServer.exe (PID: 684)
      • corona1.exe (PID: 2600)
      • corona1.exe (PID: 3316)
      • Cortana.exe (PID: 2640)
      • Cortana.exe (PID: 1268)
      • corona1.exe (PID: 2340)
      • ActionUriServer.exe (PID: 3608)
      • corona1.exe (PID: 3956)
      • ActionUriServer.exe (PID: 3008)
    • Changes the autorun value in the registry

      • stub1.exe (PID: 2852)
    • Looks like application has launched a miner

      • Cortana.exe (PID: 3148)
      • Cortana.exe (PID: 2640)
      • Cortana.exe (PID: 1268)
    • Uses SVCHOST.EXE for hidden code execution

      • corona1.exe (PID: 1524)
      • corona1.exe (PID: 2600)
      • corona1.exe (PID: 3956)
    • MINER was detected

      • ActionUriServer.exe (PID: 684)
      • ActionUriServer.exe (PID: 3608)
    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 3844)
      • cmd.exe (PID: 3336)
      • cmd.exe (PID: 2688)
    • Connects to CnC server

      • ActionUriServer.exe (PID: 684)
      • ActionUriServer.exe (PID: 3608)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Windows Audio Driver.exe (PID: 3364)
      • corona1.exe (PID: 2556)
      • stub1.exe (PID: 2852)
      • Cortana.exe (PID: 3148)
      • corona1.exe (PID: 3316)
      • Cortana.exe (PID: 2640)
    • Starts itself from another location

      • stub1.exe (PID: 2852)
    • Creates or modifies windows services

      • corona1.exe (PID: 2556)
      • corona1.exe (PID: 3316)
      • corona1.exe (PID: 2340)
    • Creates a software uninstall entry

      • corona1.exe (PID: 1524)
      • corona1.exe (PID: 2600)
      • corona1.exe (PID: 3956)
    • Starts CMD.EXE for commands execution

      • corona1.exe (PID: 2556)
      • corona1.exe (PID: 3316)
      • corona1.exe (PID: 2340)
    • Creates files in the program directory

      • corona1.exe (PID: 2556)
      • Cortana.exe (PID: 3148)
      • corona1.exe (PID: 3316)
      • Cortana.exe (PID: 2640)
      • Cortana.exe (PID: 1268)
      • corona1.exe (PID: 2340)
    • Searches for installed software

      • DllHost.exe (PID: 3836)
    • Connects to unusual port

      • ActionUriServer.exe (PID: 684)
      • ActionUriServer.exe (PID: 3608)
  • INFO

    No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX in the full report.

No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll | Win32 Dynamic Link Library (generic) (7.4)
.exe | Win32 Executable (generic) (5.1)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

AssemblyVersion: 1.0.0.0
ProductVersion: 1.0.0.0
ProductName: Direct Downloader Stub
OriginalFileName: Direct Downloader Stub.exe
LegalTrademarks: -
LegalCopyright: Copyright © Microsoft 2018
InternalName: Direct Downloader Stub.exe
FileVersion: 1.0.0.0
FileDescription: Direct Downloader Stub
CompanyName: Microsoft
Comments: -
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.0
FileVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 6
ImageVersion: -
OSVersion: 4
EntryPoint: 0x3a92
UninitializedDataSize: -
InitializedDataSize: 2560
CodeSize: 7168
LinkerVersion: 48
PEType: PE32
TimeStamp: 2084:03:03 08:16:40+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 27-Jan-1948 00:48:24
Debug artifacts:
  • C:\Users\john\source\repos\Direct Downloader Stub\Direct Downloader Stub\obj\Debug\Direct Downloader Stub.pdb
Comments: -
CompanyName: Microsoft
FileDescription: Direct Downloader Stub
FileVersion: 1.0.0.0
InternalName: Direct Downloader Stub.exe
LegalCopyright: Copyright © Microsoft 2018
LegalTrademarks: -
OriginalFilename: Direct Downloader Stub.exe
ProductName: Direct Downloader Stub
ProductVersion: 1.0.0.0
Assembly Version: 1.0.0.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 27-Jan-1948 00:48:24
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00002000 | 0x00001A98 | 0x00001C00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.37871
.rsrc | 0x00004000 | 0x00000640 | 0x00000800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.48363
.reloc | 0x00006000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.0815394

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.00112 | 490 | UNKNOWN | UNKNOWN | RT_MANIFEST

Imports

mscoree.dll

No data.

All screenshots are available in the full report

Total processes: 62
Monitored processes: 24
Malicious processes: 13
Suspicious processes: 2


Process information

PID: 2852
CMD: "C:\Users\admin\AppData\Local\Temp\stub1.exe"
Path: C:\Users\admin\AppData\Local\Temp\stub1.exe
Parent process: explorer.exe
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Description: Direct Downloader Stub
Exit code:
Version: 1.0.0.0

PID: 3364
CMD: "C:\Users\admin\AppData\Local\Temp\Windows Audio Driver.exe"
Path: C:\Users\admin\AppData\Local\Temp\Windows Audio Driver.exe
Parent process: stub1.exe
User: admin
Company: Microsoft
Integrity Level: MEDIUM
Description: Direct Downloader Stub
Version: 1.0.0.0

PID: 1524
CMD: "C:\Users\admin\AppData\Local\Temp\corona1.exe"
Path: C:\Users\admin\AppData\Local\Temp\corona1.exe
Parent process: Windows Audio Driver.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Settings
Exit code:
Version: 10.0.17134.112 (WinBuild.160101.0800)

PID: 3348
CMD: "C:\Windows\system32\svchost.exe"
Path: C:\Windows\system32\svchost.exe
Parent process: corona1.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3836
CMD: C:\Windows\system32\DllHost.exe /Processid:{FCC74B77-EC3E-4DD8-A80B-008A702075A9}
Path: C:\Windows\system32\DllHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: COM Surrogate
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2556
CMD: "C:\Users\admin\AppData\Local\Temp\corona1.exe" BypassUac
Path: C:\Users\admin\AppData\Local\Temp\corona1.exe
Parent process: DllHost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Settings
Exit code:
Version: 10.0.17134.112 (WinBuild.160101.0800)

PID: 3148
CMD: C:\ProgramData\WinTcpAutoProxySvc\Cortana.exe
Path: C:\ProgramData\WinTcpAutoProxySvc\Cortana.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Settings
Exit code:
Version: 10.0.17134.112 (WinBuild.160101.0800)

PID: 3844
CMD: C:\Windows\system32\cmd.exe /c @ping -n 15 127.0.0.1&del C:\Users\admin\AppData\Local\Temp\corona1.exe > nul
Path: C:\Windows\system32\cmd.exe
Parent process: corona1.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code:
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 684
CMD: -o xmr.pool.minergate.com:45700 -u [emailprotected] -p x
Path: C:\ProgramData\Microsoft\WinTcpAutoProxySvc\ActionUriServer.exe
Parent process: Cortana.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Client Server Runtime Process
Exit code:
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3132
CMD: ping -n 15 127.0.0.1
Path: C:\Windows\system32\PING.EXE
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: TCP/IP Ping Command
Exit code:
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Total events: 847
Read events: 806
Write events: 37
Delete events: 4

Modification events

(PID) Process: (2852) stub1.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: svhost
Value: C:\Users\admin\AppData\Local\Temp\Windows Audio Driver.exe

(PID) Process: (2852) stub1.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value:

(PID) Process: (2852) stub1.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

(PID) Process: (3364) Windows Audio Driver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Windows Audio Driver_RASAPI32
Operation: write
Name: EnableFileTracing
Value:

(PID) Process: (3364) Windows Audio Driver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Windows Audio Driver_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value:

(PID) Process: (3364) Windows Audio Driver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Windows Audio Driver_RASAPI32
Operation: write
Name: FileTracingMask
Value: 4294901760

(PID) Process: (3364) Windows Audio Driver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Windows Audio Driver_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value: 4294901760

(PID) Process: (3364) Windows Audio Driver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Windows Audio Driver_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

(PID) Process: (3364) Windows Audio Driver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Windows Audio Driver_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

(PID) Process: (3364) Windows Audio Driver.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Windows Audio Driver_RASMANCS
Operation: write
Name: EnableFileTracing
Value:

Executable files: 6
Suspicious files:
Text files:
Unknown types:

Dropped files

PID | Process | Filename | Type
3364 | Windows Audio Driver.exe | C:\Users\admin\AppData\Local\Temp\corona1.exe | executable
  MD5: 5BF229B3FE85DA1F89A140F51977F39E
  SHA256: 678F4F847D2CC8A7A0F79E98564025CAF7B86BB6C99588215DB0912033D53B79
2556 | corona1.exe | C:\ProgramData\WinTcpAutoProxySvc\Cortana.exe | executable
  MD5: 5BF229B3FE85DA1F89A140F51977F39E
  SHA256: 678F4F847D2CC8A7A0F79E98564025CAF7B86BB6C99588215DB0912033D53B79
3316 | corona1.exe | C:\ProgramData\WinTcpAutoProxySvc\Cortana.exe | executable
  MD5: 5BF229B3FE85DA1F89A140F51977F39E
  SHA256: 678F4F847D2CC8A7A0F79E98564025CAF7B86BB6C99588215DB0912033D53B79
3148 | Cortana.exe | C:\ProgramData\Microsoft\WinTcpAutoProxySvc\ActionUriServer.exe | executable
  MD5: BAD99C9E2801FB8E3C10B0DF57DD79AE
  SHA256: 773C8FF8E05E3FF7C217206F9B70373BE0F33B0E2847DDDB60DD659C00E54D87
2852 | stub1.exe | C:\Users\admin\AppData\Local\Temp\Windows Audio Driver.exe | executable
  MD5: 672D0046FB5827A8FBAA036983FEC2E0
  SHA256: EF15D7CE200FE65CA4414F9D111BDE158A27DADC4F70CF17DBCCE131DDE1A2FB
2640 | Cortana.exe | C:\ProgramData\Microsoft\WinTcpAutoProxySvc\ActionUriServer.exe | executable
  MD5: BAD99C9E2801FB8E3C10B0DF57DD79AE
  SHA256: 773C8FF8E05E3FF7C217206F9B70373BE0F33B0E2847DDDB60DD659C00E54D87

Download PCAP, analyze network streams, HTTP content and a lot more in the full report.

HTTP(S) requests:
TCP/UDP connections: 6
DNS requests: 3
Threats:

HTTP requests

No HTTP requests


Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3364 | Windows Audio Driver.exe | 104.31.91.111:443 | lucas.services | Cloudflare Inc | US | shared
3608 | ActionUriServer.exe | 136.243.94.27:45700 | xmr.pool.minergate.com | Hetzner Online GmbH | DE | suspicious
684 | ActionUriServer.exe | 94.130.64.225:45700 | xmr.pool.minergate.com | Hetzner Online GmbH | DE | suspicious
3364 | Windows Audio Driver.exe | 104.20.208.21:443 | pastebin.com | Cloudflare Inc | US | shared
 |  | 136.243.94.27:45700 | xmr.pool.minergate.com | Hetzner Online GmbH | DE | suspicious

DNS requests

Domain | IP | Reputation
pastebin.com | 104.20.208.21, 104.20.209.21 | shared
lucas.services | 104.31.91.111, 104.31.90.111 | unknown
xmr.pool.minergate.com | 46.4.119.208, 136.243.88.145, 136.243.94.27, 176.9.147.178, 136.243.102.157, 94.130.64.225, 94.130.9.194, 94.130.48.154, 78.46.23.253, 78.46.49.212 | suspicious

Threats

PID | Process | Class | Message
 |  | A Network Trojan was detected | ET POLICY Monero Mining Pool DNS Lookup
684 | ActionUriServer.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin
684 | ActionUriServer.exe | Misc activity | MINER [PTsecurity] CoinMiner CryptoNight XMRig JSON_RPC Client Login
684 | ActionUriServer.exe | Misc activity | MINER [PTsecurity] Riskware/CoinMiner JSON_RPC Response
684 | ActionUriServer.exe | Misc activity | MINER [PTsecurity] Risktool.W32.coinminer!c
684 | ActionUriServer.exe | Misc activity | MINER [PTsecurity] Riskware/CoinMiner JSON_RPC Response
684 | ActionUriServer.exe | Misc activity | MINER [PTsecurity] Risktool.W32.coinminer!c
684 | ActionUriServer.exe | Misc activity | MINER [PTsecurity] CoinMiner CryptoNight XMRig JSON_RPC Client Login
3608 | ActionUriServer.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin
3608 | ActionUriServer.exe | Misc activity | MINER [PTsecurity] CoinMiner CryptoNight XMRig JSON_RPC Client Login

4 ETPRO signatures available in the full report.

No debug info

Article information

Author: Kieth Sipes

Last Updated:

Views: 6159

Rating: 4.7 / 5 (67 voted)

Reviews: 82% of readers found this page helpful
