File name: | stub1.exe |
Full analysis: | https://app.any.run/tasks/f6b5b5e3-8073-423f-8030-65afd1614441 |
Verdict: | Malicious activity |
Threats: | Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on the family, a trojan may give the operator full remote control of the victim's machine, steal data and files, or drop other malware, so the core functionality varies widely from one family to the next. The most common trojan infection chain starts with a phishing email. |
Analysis date: | February 01, 2019, 13:17:22 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | miner trojan |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | 672D0046FB5827A8FBAA036983FEC2E0 |
SHA1: | CFFAA448F6AC4FEF65004CA272F3CD95DE734BD5 |
SHA256: | |
SSDEEP: | 192:jIw0EdSazJVrUjOQoHnHzU2jrYAfIMWSQc:jIpaDVVJQoHnHzU2jr1f/WSH |
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
MALICIOUS
Application was dropped or rewritten from another process
- corona1.exe (PID: 2556)
- corona1.exe (PID: 1524)
- Cortana.exe (PID: 3148)
- ActionUriServer.exe (PID: 684)
- corona1.exe (PID: 2600)
- corona1.exe (PID: 3316)
- Cortana.exe (PID: 2640)
- Cortana.exe (PID: 1268)
- corona1.exe (PID: 2340)
- ActionUriServer.exe (PID: 3608)
- corona1.exe (PID: 3956)
- ActionUriServer.exe (PID: 3008)
Changes the autorun value in the registry
- stub1.exe (PID: 2852)
Looks like application has launched a miner
- Cortana.exe (PID: 3148)
- Cortana.exe (PID: 2640)
- Cortana.exe (PID: 1268)
Uses SVCHOST.EXE for hidden code execution
- corona1.exe (PID: 1524)
- corona1.exe (PID: 2600)
- corona1.exe (PID: 3956)
MINER was detected
- ActionUriServer.exe (PID: 684)
- ActionUriServer.exe (PID: 3608)
Runs PING.EXE for delay simulation
- cmd.exe (PID: 3844)
- cmd.exe (PID: 3336)
- cmd.exe (PID: 2688)
Connects to CnC server
- ActionUriServer.exe (PID: 684)
- ActionUriServer.exe (PID: 3608)
SUSPICIOUS
Executable content was dropped or overwritten
- Windows Audio Driver.exe (PID: 3364)
- corona1.exe (PID: 2556)
- stub1.exe (PID: 2852)
- Cortana.exe (PID: 3148)
- corona1.exe (PID: 3316)
- Cortana.exe (PID: 2640)
Starts itself from another location
- stub1.exe (PID: 2852)
Creates or modifies windows services
- corona1.exe (PID: 2556)
- corona1.exe (PID: 3316)
- corona1.exe (PID: 2340)
Creates a software uninstall entry
- corona1.exe (PID: 1524)
- corona1.exe (PID: 2600)
- corona1.exe (PID: 3956)
Starts CMD.EXE for commands execution
- corona1.exe (PID: 2556)
- corona1.exe (PID: 3316)
- corona1.exe (PID: 2340)
Creates files in the program directory
- corona1.exe (PID: 2556)
- Cortana.exe (PID: 3148)
- corona1.exe (PID: 3316)
- Cortana.exe (PID: 2640)
- Cortana.exe (PID: 1268)
- corona1.exe (PID: 2340)
Searches for installed software
- DllHost.exe (PID: 3836)
Connects to unusual port
- ActionUriServer.exe (PID: 684)
- ActionUriServer.exe (PID: 3608)
INFO
No info indicators.
No Malware configuration.
TRiD
Extension | Description | Probability (%) |
---|---|---|
.exe | Generic CIL Executable (.NET, Mono, etc.) | 82.9 |
.dll | Win32 Dynamic Link Library (generic) | 7.4 |
.exe | Win32 Executable (generic) | 5.1 |
.exe | Generic Win/DOS Executable | 2.2 |
.exe | DOS Executable Generic | 2.2 |
EXIF
EXE
AssemblyVersion: | 1.0.0.0 |
---|---|
ProductVersion: | 1.0.0.0 |
ProductName: | Direct Downloader Stub |
OriginalFileName: | Direct Downloader Stub.exe |
LegalTrademarks: | - |
LegalCopyright: | Copyright © Microsoft 2018 |
InternalName: | Direct Downloader Stub.exe |
FileVersion: | 1.0.0.0 |
FileDescription: | Direct Downloader Stub |
CompanyName: | Microsoft |
Comments: | - |
CharacterSet: | Unicode |
LanguageCode: | Neutral |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 1.0.0.0 |
FileVersionNumber: | 1.0.0.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 6 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x3a92 |
UninitializedDataSize: | - |
InitializedDataSize: | 2560 |
CodeSize: | 7168 |
LinkerVersion: | 48 |
PEType: | PE32 |
TimeStamp: | 2084:03:03 08:16:40+01:00 |
MachineType: | Intel 386 or later, and compatibles |
Summary
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 27-Jan-1948 00:48:24 |
Debug artifacts: | - |
Comments: | - |
CompanyName: | Microsoft |
FileDescription: | Direct Downloader Stub |
FileVersion: | 1.0.0.0 |
InternalName: | Direct Downloader Stub.exe |
LegalCopyright: | Copyright © Microsoft 2018 |
LegalTrademarks: | - |
OriginalFilename: | Direct Downloader Stub.exe |
ProductName: | Direct Downloader Stub |
ProductVersion: | 1.0.0.0 |
Assembly Version: | 1.0.0.0 |
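The EXIF block above reports TimeStamp 2084:03:03 08:16:40+01:00 while the Summary and PE Headers report 27-Jan-1948 00:48:24. Both come from the same 32-bit TimeDateStamp field: the PE format defines it as unsigned seconds since 1970, so the 2084 reading is the literal value, and the 1948 reading is what a tool gets by casting the same DWORD to a signed integer. Neither is a build date. For a .NET assembly like this one, Roslyn's default deterministic build writes a value derived from a hash of the compilation inputs into this field, so a nonsense timestamp is expected and is not on its own evidence of tampering; the anomaly is still worth recording because non-.NET binaries with future timestamps usually are tampered. The following is an added example written by the editor, not ANY.RUN code: it rebuilds both readings from one raw value, extracts the field from a constructed minimal MZ/PE header (e_lfanew 0x80, machine 0x14C, 3 sections, as the report states; the stamp value is the one that yields both dates shown), and applies a plausibility check against the analysis date.

```python
"""Reconciling the two compile dates shown for one PE TimeDateStamp field.

Added example by the editor, not part of the ANY.RUN report. SAMPLE_HEADER is a
constructed header stub carrying only the fields this report states.
"""
import datetime as dt
import struct

EPOCH = dt.datetime(1970, 1, 1, tzinfo=dt.timezone.utc)
# Report's analysis date, treated as UTC here (assumption: the page gives no zone).
ANALYSIS_TIME = dt.datetime(2019, 2, 1, 13, 17, 22, tzinfo=dt.timezone.utc)


def timestamp_views(raw):
    """Decode a 32-bit TimeDateStamp two ways: unsigned (as the PE spec says) and
    as a tool that casts the DWORD to a signed int would (wrapping into the 1900s)."""
    unsigned = raw & 0xFFFFFFFF
    signed = struct.unpack("<i", struct.pack("<I", unsigned))[0]
    return EPOCH + dt.timedelta(seconds=unsigned), EPOCH + dt.timedelta(seconds=signed)


def read_timedatestamp(data):
    """Pull TimeDateStamp out of raw PE bytes: e_lfanew at 0x3C, then the COFF
    header (Machine, NumberOfSections, TimeDateStamp) right after 'PE\\0\\0'."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    _machine, _nsections, stamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return stamp


def assess(raw, analysis_time, oldest=dt.datetime(1995, 1, 1, tzinfo=dt.timezone.utc)):
    """'zero', 'future' (later than the analysis date), 'implausible' (before
    `oldest`) or 'ok'. Uses the unsigned reading only; the signed one is a tool artifact."""
    if raw & 0xFFFFFFFF == 0:
        return "zero"
    when, _ = timestamp_views(raw)
    if when > analysis_time:
        return "future"
    if when < oldest:
        return "implausible"
    return "ok"


def build_sample_header(stamp):
    """Constructed minimal header: MZ stub, e_lfanew=0x80, PE signature,
    COFF header for IMAGE_FILE_MACHINE_I386 with 3 sections."""
    buf = bytearray(0x80 + 24)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\x00\x00"
    struct.pack_into("<HHI", buf, 0x84, 0x14C, 3, stamp)
    return bytes(buf)


# 0xD6BFFC58 is the DWORD that decodes to both dates the report displays.
SAMPLE_HEADER = build_sample_header(0xD6BFFC58)

if __name__ == "__main__":
    stamp = read_timedatestamp(SAMPLE_HEADER)
    spec_view, wrapped_view = timestamp_views(stamp)
    print(f"TimeDateStamp 0x{stamp:08X}: unsigned -> {spec_view:%d-%b-%Y %H:%M:%S} UTC, "
          f"signed -> {wrapped_view:%d-%b-%Y %H:%M:%S} UTC, verdict: {assess(stamp, ANALYSIS_TIME)}")
```

Run against the real file, `read_timedatestamp(open(path, "rb").read())` gives the raw value; the 2084 reading comes out as `future`, which is the verdict to log alongside the "Mono/.Net assembly" file type so the reviewer knows why it is expected here.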
DOS Header
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
PE Headers
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 27-Jan-1948 00:48:24 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Sections
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00002000 | 0x00001A98 | 0x00001C00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.37871 |
.rsrc | 0x00004000 | 0x00000640 | 0x00000800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.48363 |
.reloc | 0x00006000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.0815394 |
Resources
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.00112 | 490 | UNKNOWN | UNKNOWN | RT_MANIFEST |
Imports
mscoree.dll |
No data.
Total processes: | 62 |
Monitored processes: | 24 |
Malicious processes: | 13 |
Suspicious processes: | 2 |
Process information
PID | Command line | Path | Parent process | User / Integrity | Version info as reported (Company, Description, Version) |
---|---|---|---|---|---|
2852 | "C:\Users\admin\AppData\Local\Temp\stub1.exe" | C:\Users\admin\AppData\Local\Temp\stub1.exe | explorer.exe | admin / MEDIUM | Microsoft, Direct Downloader Stub, 1.0.0.0 |
3364 | "C:\Users\admin\AppData\Local\Temp\Windows Audio Driver.exe" | C:\Users\admin\AppData\Local\Temp\Windows Audio Driver.exe | stub1.exe | admin / MEDIUM | Microsoft, Direct Downloader Stub, 1.0.0.0 |
1524 | "C:\Users\admin\AppData\Local\Temp\corona1.exe" | C:\Users\admin\AppData\Local\Temp\corona1.exe | Windows Audio Driver.exe | admin / MEDIUM | Microsoft Corporation, Settings, 10.0.17134.112 (WinBuild.160101.0800) |
3348 | "C:\Windows\system32\svchost.exe" | C:\Windows\system32\svchost.exe | corona1.exe | admin / MEDIUM | Microsoft Corporation, Host Process for Windows Services, 6.1.7600.16385 (win7_rtm.090713-1255); exit code 1 |
3836 | C:\Windows\system32\DllHost.exe /Processid:{FCC74B77-EC3E-4DD8-A80B-008A702075A9} | C:\Windows\system32\DllHost.exe | svchost.exe | admin / HIGH | Microsoft Corporation, COM Surrogate, 6.1.7600.16385 (win7_rtm.090713-1255) |
2556 | "C:\Users\admin\AppData\Local\Temp\corona1.exe" BypassUac | C:\Users\admin\AppData\Local\Temp\corona1.exe | DllHost.exe | admin / HIGH | Microsoft Corporation, Settings, 10.0.17134.112 (WinBuild.160101.0800) |
3148 | C:\ProgramData\WinTcpAutoProxySvc\Cortana.exe | C:\ProgramData\WinTcpAutoProxySvc\Cortana.exe | services.exe | SYSTEM / SYSTEM | Microsoft Corporation, Settings, 10.0.17134.112 (WinBuild.160101.0800) |
3844 | C:\Windows\system32\cmd.exe /c @ping -n 15 127.0.0.1&del C:\Users\admin\AppData\Local\Temp\corona1.exe > nul | C:\Windows\system32\cmd.exe | corona1.exe | admin / HIGH | Microsoft Corporation, Windows Command Processor, 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
684 | -o xmr.pool.minergate.com:45700 -u [emailprotected] -p x | C:\ProgramData\Microsoft\WinTcpAutoProxySvc\ActionUriServer.exe | Cortana.exe | SYSTEM / SYSTEM | Microsoft Corporation, Client Server Runtime Process, 6.1.7600.16385 (win7_rtm.090713-1255) |
3132 | ping -n 15 127.0.0.1 | C:\Windows\system32\PING.EXE | cmd.exe | admin / HIGH | Microsoft Corporation, TCP/IP Ping Command, 6.1.7600.16385 (win7_rtm.090713-1255) |
The -u value for PID 684 is an e-mail-style pool login that the source page shows obfuscated as [emailprotected]. The page lists 10 of the 24 monitored processes; the indicator icons of the original table do not survive extraction and are omitted.
Total events: | 847 |
Read events: | 806 |
Write events: | 37 |
Delete events: | 4 |
Modification events
PID | Process | Key | Name | Operation | Value |
---|---|---|---|---|---|
2852 | stub1.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | svhost | write | C:\Users\admin\AppData\Local\Temp\Windows Audio Driver.exe |
2852 | stub1.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | |
2852 | stub1.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 1 |
3364 | Windows Audio Driver.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Windows Audio Driver_RASAPI32 | EnableFileTracing | write | |
3364 | Windows Audio Driver.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Windows Audio Driver_RASAPI32 | EnableConsoleTracing | write | |
3364 | Windows Audio Driver.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Windows Audio Driver_RASAPI32 | FileTracingMask | write | 4294901760 |
3364 | Windows Audio Driver.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Windows Audio Driver_RASAPI32 | ConsoleTracingMask | write | 4294901760 |
3364 | Windows Audio Driver.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Windows Audio Driver_RASAPI32 | MaxFileSize | write | 1048576 |
3364 | Windows Audio Driver.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Windows Audio Driver_RASAPI32 | FileDirectory | write | %windir%\tracing |
3364 | Windows Audio Driver.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Windows Audio Driver_RASMANCS | EnableFileTracing | write | |
The only persistence write here is the HKCU Run value "svhost" (a near-miss of svchost), pointing at the dropper's copy of itself in %TEMP%. The HKLM\SOFTWARE\Microsoft\Tracing\<image>_RASAPI32 and _RASMANCS keys are written by the Windows RAS tracing facility when a process uses rasapi32/rasman, a common side effect of proxy handling in WinINet/WinHTTP-based networking code such as .NET's, and are a by-product of the download rather than a persistence or configuration change.
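Read together, the process table and the Run-key event give the whole chain: stub1.exe copies itself to %TEMP%\Windows Audio Driver.exe (same MD5 as the sample, see the dropped files below) and registers that copy under HKCU\...\Run as "svhost"; the copy fetches corona1.exe (its only network activity is TLS to lucas.services and pastebin.com); corona1.exe obtains a HIGH-integrity copy of itself through DllHost.exe (COM Surrogate), relaunching with the literal argument "BypassUac"; the elevated copy installs Cortana.exe under C:\ProgramData as a service (parent services.exe, running as SYSTEM); Cortana.exe drops ActionUriServer.exe, which logs in to xmr.pool.minergate.com:45700 with XMRig-style arguments; and corona1.exe removes itself with "cmd /c @ping -n 15 127.0.0.1&del ...". The version resources are copied from real Windows binaries (a Windows 10 "Settings" build string on a Windows 7 guest; csrss.exe's "Client Server Runtime Process" description on the miner). The following is an added example written by the editor, not ANY.RUN code or its signature logic: it encodes those observations as host-side rules and runs them over records constructed from this report (the miner's -u login is a placeholder, since the page obfuscates it), and separately scores the Run-key entry.

```python
"""Process-tree and autorun triage modelled on this report.

Added example by the editor, not ANY.RUN code. Records are constructed from the
process table and the Run-key event above; the -u login is a placeholder.
"""
import difflib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    parent: str      # parent image name, as the report lists it
    path: str        # full image path
    cmdline: str
    integrity: str   # MEDIUM / HIGH / SYSTEM
    user: str


TEMP = r"C:\Users\admin\AppData\Local\Temp"
PROCESSES = [
    Proc(2852, "explorer.exe", TEMP + r"\stub1.exe", f'"{TEMP}\\stub1.exe"', "MEDIUM", "admin"),
    Proc(3364, "stub1.exe", TEMP + r"\Windows Audio Driver.exe",
         f'"{TEMP}\\Windows Audio Driver.exe"', "MEDIUM", "admin"),
    Proc(1524, "Windows Audio Driver.exe", TEMP + r"\corona1.exe", f'"{TEMP}\\corona1.exe"', "MEDIUM", "admin"),
    Proc(3348, "corona1.exe", r"C:\Windows\system32\svchost.exe", r'"C:\Windows\system32\svchost.exe"', "MEDIUM", "admin"),
    Proc(3836, "svchost.exe", r"C:\Windows\system32\DllHost.exe",
         r"C:\Windows\system32\DllHost.exe /Processid:{FCC74B77-EC3E-4DD8-A80B-008A702075A9}", "HIGH", "admin"),
    Proc(2556, "DllHost.exe", TEMP + r"\corona1.exe", f'"{TEMP}\\corona1.exe" BypassUac', "HIGH", "admin"),
    Proc(3148, "services.exe", r"C:\ProgramData\WinTcpAutoProxySvc\Cortana.exe",
         r"C:\ProgramData\WinTcpAutoProxySvc\Cortana.exe", "SYSTEM", "SYSTEM"),
    Proc(3844, "corona1.exe", r"C:\Windows\system32\cmd.exe",
         rf"C:\Windows\system32\cmd.exe /c @ping -n 15 127.0.0.1&del {TEMP}\corona1.exe > nul", "HIGH", "admin"),
    Proc(684, "Cortana.exe", r"C:\ProgramData\Microsoft\WinTcpAutoProxySvc\ActionUriServer.exe",
         "-o xmr.pool.minergate.com:45700 -u wallet@example.invalid -p x", "SYSTEM", "SYSTEM"),  # placeholder login
    Proc(3132, "cmd.exe", r"C:\Windows\system32\PING.EXE", "ping -n 15 127.0.0.1", "HIGH", "admin"),
]

# "ping -n N 127.0.0.1 & del <file>": sleep about N seconds, then delete the dropper.
PING_DELETE = re.compile(r"ping\s+-n\s+\d+\s+127\.0\.0\.1\s*&+\s*del\b", re.I)
# XMRig-style "-o pool:port ... -u login".
MINER_ARGS = re.compile(r"(?:^|\s)-o\s+\S+:\d{2,5}(?=\s|$).*\s-u\s+\S+", re.I)
# Directories a standard user can write to without elevation.
USER_WRITABLE = re.compile(r"^[a-z]:\\(?:programdata|users\\[^\\]+\\appdata)\\", re.I)
ELEVATED = {"HIGH", "SYSTEM"}
SYSTEM_IMAGE_NAMES = ("svchost", "csrss", "lsass", "winlogon", "explorer")


def triage(procs):
    """Return {pid: [finding, ...]} for every process that trips at least one rule."""
    findings = {}
    for p in procs:
        hits = []
        writable = bool(USER_WRITABLE.match(p.path))
        if PING_DELETE.search(p.cmdline):
            hits.append("ping delay then del: dropper deleting itself")
        if MINER_ARGS.search(p.cmdline):
            hits.append("miner-style arguments (-o pool:port -u login)")
        if writable and p.parent.lower() == "dllhost.exe" and p.integrity in ELEVATED:
            hits.append("elevated child of COM Surrogate from a user-writable path: UAC bypass")
        if "bypassuac" in p.cmdline.lower():
            hits.append("literal 'BypassUac' argument")
        if writable and p.parent.lower() == "services.exe":
            hits.append("service binary under ProgramData/AppData")
        if writable and p.user.upper() == "SYSTEM":
            hits.append("SYSTEM process running from a user-writable path")
        if hits:
            findings[p.pid] = hits
    return findings


def suspicious_run_entry(name, value):
    """Reasons a Run-key value looks like persistence; an empty list means nothing found."""
    reasons = []
    if USER_WRITABLE.match(value.strip('"')):
        reasons.append("autorun target lives in a user-writable directory")
    n = name.lower()
    for legit in SYSTEM_IMAGE_NAMES:
        # Near-miss of a Windows image name (svhost vs svchost) is a classic tell.
        if n != legit and difflib.SequenceMatcher(None, n, legit).ratio() >= 0.85:
            reasons.append(f"value name '{name}' mimics '{legit}'")
    return reasons


if __name__ == "__main__":
    for pid, hits in sorted(triage(PROCESSES).items()):
        print(pid, "; ".join(hits))
    print("Run\\svhost:", suspicious_run_entry("svhost", TEMP + r"\Windows Audio Driver.exe"))
```

The structural rules (elevated child of DllHost.exe from a user-writable path, a service image under ProgramData, SYSTEM running from AppData) are the ones worth porting to EDR queries; the literal "BypassUac" token and the ping/del idiom are cheap extra signals but trivially changed by the author.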
Executable files: | 6 |
Suspicious files: | |
Text files: | |
Unknown types: | |
Dropped files
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3364 | Windows Audio Driver.exe | C:\Users\admin\AppData\Local\Temp\corona1.exe | executable | 5BF229B3FE85DA1F89A140F51977F39E | 678F4F847D2CC8A7A0F79E98564025CAF7B86BB6C99588215DB0912033D53B79 |
2556 | corona1.exe | C:\ProgramData\WinTcpAutoProxySvc\Cortana.exe | executable | 5BF229B3FE85DA1F89A140F51977F39E | 678F4F847D2CC8A7A0F79E98564025CAF7B86BB6C99588215DB0912033D53B79 |
3316 | corona1.exe | C:\ProgramData\WinTcpAutoProxySvc\Cortana.exe | executable | 5BF229B3FE85DA1F89A140F51977F39E | 678F4F847D2CC8A7A0F79E98564025CAF7B86BB6C99588215DB0912033D53B79 |
3148 | Cortana.exe | C:\ProgramData\Microsoft\WinTcpAutoProxySvc\ActionUriServer.exe | executable | BAD99C9E2801FB8E3C10B0DF57DD79AE | 773C8FF8E05E3FF7C217206F9B70373BE0F33B0E2847DDDB60DD659C00E54D87 |
2852 | stub1.exe | C:\Users\admin\AppData\Local\Temp\Windows Audio Driver.exe | executable | 672D0046FB5827A8FBAA036983FEC2E0 | EF15D7CE200FE65CA4414F9D111BDE158A27DADC4F70CF17DBCCE131DDE1A2FB |
2640 | Cortana.exe | C:\ProgramData\Microsoft\WinTcpAutoProxySvc\ActionUriServer.exe | executable | BAD99C9E2801FB8E3C10B0DF57DD79AE | 773C8FF8E05E3FF7C217206F9B70373BE0F33B0E2847DDDB60DD659C00E54D87 |
Three distinct binaries are involved: the dropper (MD5 672D0046..., identical to stub1.exe itself, copied as Windows Audio Driver.exe), corona1.exe, which is the same file as Cortana.exe (MD5 5BF229B3...), and the miner ActionUriServer.exe (MD5 BAD99C9E...).
HTTP(S) requests
TCP/UDP connections: | 6 |
DNS requests: | 3 |
Threats: | |
HTTP requests
No HTTP requests
Both connections made by the dropper (lucas.services and pastebin.com) are on 443/tcp, so no cleartext HTTP content was captured.
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3364 | Windows Audio Driver.exe | 104.31.91.111:443 | lucas.services | Cloudflare Inc | US | shared |
3608 | ActionUriServer.exe | 136.243.94.27:45700 | xmr.pool.minergate.com | Hetzner Online GmbH | DE | suspicious |
684 | ActionUriServer.exe | 94.130.64.225:45700 | xmr.pool.minergate.com | Hetzner Online GmbH | DE | suspicious |
3364 | Windows Audio Driver.exe | 104.20.208.21:443 | pastebin.com | Cloudflare Inc | US | shared |
— | — | 136.243.94.27:45700 | xmr.pool.minergate.com | Hetzner Online GmbH | DE | suspicious |
DNS requests
Domain | IP | Reputation |
---|---|---|
pastebin.com | | shared |
lucas.services | | unknown |
xmr.pool.minergate.com | | suspicious |
Threats
PID | Process | Class | Message |
---|---|---|---|
— | — | A Network Trojan was detected | ET POLICY Monero Mining Pool DNS Lookup |
684 | ActionUriServer.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |
684 | ActionUriServer.exe | Misc activity | MINER [PTsecurity] CoinMiner CryptoNight XMRig JSON_RPC Client Login |
684 | ActionUriServer.exe | Misc activity | MINER [PTsecurity] Riskware/CoinMiner JSON_RPC Response |
684 | ActionUriServer.exe | Misc activity | MINER [PTsecurity] Risktool.W32.coinminer!c |
684 | ActionUriServer.exe | Misc activity | MINER [PTsecurity] Riskware/CoinMiner JSON_RPC Response |
684 | ActionUriServer.exe | Misc activity | MINER [PTsecurity] Risktool.W32.coinminer!c |
684 | ActionUriServer.exe | Misc activity | MINER [PTsecurity] CoinMiner CryptoNight XMRig JSON_RPC Client Login |
3608 | ActionUriServer.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |
3608 | ActionUriServer.exe | Misc activity | MINER [PTsecurity] CoinMiner CryptoNight XMRig JSON_RPC Client Login |
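The Threats table shows the same miner at three layers: a DNS lookup for a known Monero pool domain, a "Miner Checkin" on the 45700/tcp stream to that pool, and the XMRig JSON-RPC "login" exchange with the pool's job response inside it. The following is an added example written by the editor, not ANY.RUN code and not the Emerging Threats or PTsecurity rules cited above: it shows what a detector has to see at each layer, using a pool-domain list that contains only the domain from this report (real rule sets carry a much longer curated list) and a constructed client/pool exchange in the XMRig stratum dialect (one JSON object per line; the wallet, session id, job blob and agent strings are placeholders, not values from the page).

```python
"""Network-side triage for XMRig/CryptoNight stratum traffic.

Added example by the editor, not part of the ANY.RUN report and not the IDS
rules it cites. The exchange below is constructed; all identifiers are placeholders.
"""
import json

# Only the pool domain and port seen in this report's connection table (assumption:
# a production list would be far larger and maintained separately).
POOL_DOMAIN_SUFFIXES = ("minergate.com",)
POOL_PORTS = {45700}


def is_pool_domain(qname):
    """True for the listed domain or any subdomain of it (xmr.pool.minergate.com)."""
    q = qname.rstrip(".").lower()
    return any(q == s or q.endswith("." + s) for s in POOL_DOMAIN_SUFFIXES)


def stratum_messages(payload):
    """Yield JSON objects from a newline-delimited stream, ignoring non-JSON lines."""
    for line in payload.split(b"\n"):
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except ValueError:
            continue
        if isinstance(obj, dict):
            yield obj


def classify_stream(payload):
    """Name the stratum events present in a client<->pool byte stream."""
    findings = []
    for msg in stratum_messages(payload):
        params = msg.get("params")
        params = params if isinstance(params, dict) else {}
        result = msg.get("result")
        result = result if isinstance(result, dict) else {}
        method = msg.get("method")
        if method == "login" and {"login", "pass"}.issubset(params):
            findings.append(f"stratum login, agent={params.get('agent') or 'unknown'}")
            if str(params.get("pass")).lower() == "x":   # the -p x from the miner's command line
                findings.append("default pool password 'x'")
        if isinstance(result.get("job"), dict) and "blob" in result["job"]:
            findings.append("job delivered: pool accepted the login")
        if method == "submit" and "nonce" in params:
            findings.append("share submitted")
    return findings


def flag_connection(domain, port, payload=b""):
    """Combine DNS, port and payload evidence for one connection into a reason list."""
    reasons = []
    if is_pool_domain(domain):
        reasons.append(f"known mining pool domain {domain}")
    if port in POOL_PORTS:
        reasons.append(f"mining pool port {port}")
    reasons.extend(classify_stream(payload))
    return reasons


# Constructed exchange with the shape of an XMRig login and the pool's first job.
CLIENT_LOGIN = (b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER",'
                b'"pass":"x","agent":"XMRig/2.8.3"}}\n')
POOL_JOB = (b'{"id":1,"jsonrpc":"2.0","error":null,"result":{"id":"session-placeholder",'
            b'"job":{"blob":"0707placeholder","job_id":"1","target":"b88d0600"},"status":"OK"}}\n')

if __name__ == "__main__":
    for reason in flag_connection("xmr.pool.minergate.com", 45700, CLIENT_LOGIN + POOL_JOB):
        print("-", reason)
```

The domain and port checks fire before any payload is exchanged, which is why the report logs the DNS lookup and the check-in as separate events from the login signature; the payload check is what distinguishes an actual miner from an unrelated connection to the same host.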
4 ETPRO signatures are available in the full report.
No debug info