Infosec Binary Analysis: b.exe

Date: 2021-09-25 18:50:51

MalFamily: Miner
MalScore: 100
File type: PE32 executable (GUI) Intel 80386, for MS Windows
File size: 297.61 KB (304750 bytes)
Compile time: 2018-09-30 20:01:44
MD5: 41b6655aa0e36a375b0f840595248c2c
SHA1: 2c3cdfd05356bb7955f5bf1f013e65f58d041cca
Import hash: 00be6e6c4f9e287672c8301b72bdabf3
Submitted: 2019-01-19 04:06:05
URL(s): file hosting http://78.142.29.110/b.exe

Antivirus Report

Report date           Detection Ratio   Permalink
2019-01-16 22:33:42   46/70             -

Import library

- KERNEL32.dll
- gdiplus.dll

8 Behaviors detected by system signatures (only the first three are reproduced in this excerpt, which ends on page 3 of the report)

Uses suspicious command line tools or Windows utilities
- command: taskkill /f /im help.exe /im doc001.exe /im dhelllllper.exe /im DOC001.exe /im dhelper.exe /im conime.exe /im a.exe /im docv8.exe /im king.exe /im name.exe /im doc.exe /im wodCmdTerm.exe /im win1ogins.exe.exe /im win1ogins.exe.exe /im lsaus.exe /im lsars.exe /im lsacs.exe /im regedit.exe /im lsmsm.exe /im v5.exe /im anydesk.exe /im sqler.exe /im sqlservr.exe /im NsCpuCNMiner64.exe /im NsCpuCNMiner32.exe /im tlscntr.exe /im eter.exe /im lsmo.exe /im lsarr.exe /im convert.exe /im WinSCV.exe im ctfmonc.exe /im lsmose.exe /im svhost.exe
- command: cacls "C:\Program Files\RemoteDesk\*.exe" /e /d everyone
- command: cacls "C:\Program Files\RemoteDesk\*.exe" /e /d system
- command: cacls "C:\Program Files\Microsoft SQL Server\110\Shared\*.exe" /e /d everyone
- command: cacls "C:\Program Files\Microsoft SQL Server\110\Shared\*.exe" /e /d system
- command: cacls "C:\Program Files\autodesk\*.exe" /e /d everyone
- command: cacls "C:\Program Files\autodesk\*.exe" /e /d system
- command: cacls "C:\Program Files\anyDesk\*.exe" /e /d everyone
- command: cacls "C:\Program Files\anyDesk\*.exe" /e /d system
- command: cacls "C:\Program Files (x86)\RemoteDesk\*.exe" /e /d everyone
- command: cacls "C:\Program Files (x86)\RemoteDesk\*.exe" /e /d system
- command: cacls "C:\Program Files (x86)\Microsoft SQL Server\110\Shared\*.exe" /e /d everyone
- command: cacls "C:\Program Files (x86)\Microsoft SQL Server\110\Shared\*.exe" /e /d system
- command: cacls "C:\Program Files (x86)\autodesk\*.exe" /e /d everyone
- command: cacls "C:\Program Files (x86)\autodesk\*.exe" /e /d system
- command: cacls "C:\Program Files (x86)\anydesk\*.exe" /e /d system
- command: cacls "C:\Program Files (x86)\anydesk\*.exe" /e /d everyone
- command: cacls C:\Windows\debug\WIA\*.exe /e /d everyone
- command: cacls C:\Users\asp\AppData\Roaming\Tempo\*.exe /e /d everyone
- command: cacls C:\Users\administrator\AppData\Roaming\Tempo /e /d everyone
- command: cacls C:\Users\asp\AppData\Roaming\Tempo\*.exe /e /d system
- command: cacls C:\Users\Default\AppData\Roaming\Tempo\*.exe /e /d everyone
- command: cacls C:\Users\administrator\AppData\Roaming\Tempo /e /d system
- command: cacls C:\Users\Default\AppData\Roaming\Tempo /e /d system
- command: cacls C:\Users\Default\AppData\Roaming\Tempo /e /d everyone
- command: cacls C:\Users\Default\AppData\Roaming\Tempo\*.exe /e /d system
- command: cacls C:\Users\asp\AppData\Roaming\*.exe /e /g everyone:f
- command: cacls C:\Users\administrator\AppData\Roaming /e /g everyone:f
- command: cacls C:\Users\asp\AppData\Local\Temp /e /g system:f
- command: cacls C:\Users\asp\AppData\Local\Temp /e /g everyone:f
- command: cacls C:\Users\administrator\AppData\Local\Temp /e /g system:f
- command: cacls C:\Users\administrator\AppData\Local\Temp /e /g everyone:f
- command: cacls C:\Users\Default\AppData\Local\Temp /e /g everyone:f
- command: cacls C:\Users\Default\AppData\Roaming /e /g everyone:f
- command: cacls C:\Users\Default\AppData\Roaming /e /g system:f
- command: cacls C:\Users\Default\AppData\Local\Temp\*.exe /e /g everyone:f
- command: cacls C:\Users\Default\AppData\Roaming\*.exe /e /g everyone:f
- command: cacls C:\Users\Default\AppData\Roaming\*.exe /e /g system:f
- command: cacls C:\SysData\install.exe /e /d system
- command: cacls C:\Msupdate /e /d system
- command: cacls C:\windows\xcecg /e /d system
- command: cacls C:\windows\ccm /e /d system
- command: cacls c:\windows\smss.exe /e /d system
- command: cacls "C:\Program Files\Common Files\Services\*.exe" /e /d system
- command: cacls C:\Windows\System32\a.exe /e /d system
- command: cacls C:\Windows\security\*.exe /e /d system
- command: cacls C:\Windows\security\*.exe /e /d everyone
- command: cacls C:\Windows\Resources\*.exe /e /d system
- command: cacls C:\Windows\Resources\*.exe /e /d everyone
- command: cacls C:\Windows\Resources\Themes\*.exe /e /d system
- command: cacls C:\Windows\Resources\Themes\*.exe /e /d everyone
- command: cacls C:\WINDOWS\system\lsmsm.exe /e /d system
- command: cacls C:\ProgramData\homegroup\*.exe /e /d system
- command: cacls C:\ProgramData\diskdata\*.exe /e /d system
- command: cacls "C:\Program Files\Microsoft Updates" /e /d system
- command: cacls c:\windows\system32\servwdrv.dll /e /d system
- command: cacls c:\windows\system32\servwdrv.dll /e /d everyone
- command: cacls c:\windows\system32\servwdrvx.dll /e /d system
- command: cacls c:\windows\system32\servwdrvx.dll /e /d everyone
- command: cacls c:\windows\system32\serwwdrv.dll /e /d system
- command: cacls c:\windows\system32\serwwdrv.dll /e /d everyone
- command: cacls c:\windows\svchost.exe /e /d system
- command: cacls C:\ProgramData\WmiAppSrv\svchost.exe /e /d system
- command: cacls C:\Windows\Help\taskhost.exe /e /d system
- command: cacls C:\Windows\Web\wininit.exe /e /d system
- command: cacls C:\ProgramData\Microsoft\WmiAppSrv\csrss.exe /e /d system
- command: cacls C:\Progra~1\Common~1\svshpst.exe /e /d system
- command: cacls C:\Windows\fonts\system32\svchost.exe /e /d system
- command: cacls C:\Windows\fonts\*.exe /e /d system
- command: cacls C:\Windows\Fonts\Microsoft /e /d system
- command: cacls "C:\WINDOWS\Temp\32p.zip Á─┴┘╩▒─┐┬╝ 1\*.*" /e /d system
  (the non-ASCII directory name is rendered here exactly as the report printed it; read as GBK, the same bytes spell "的临时目录", the WinRAR-style "<archive> 的临时目录 1" temporary-folder name, so the path is most likely "C:\WINDOWS\Temp\32p.zip 的临时目录 1\*.*"; this decoding is an interpretation, not part of the report)
- command: cacls "C:\WINDOWS\fonts\*.exe" /e /d system
- command: cacls c:\windows\taskmgrs.exe /e /d system
- command: cacls C:\Windows\security\IIS /e /d system
- command: cacls C:\Progra~1\Common~1\System\*.exe /e /d system
- command: cacls C:\Progra~1\dll /e /d system
- command: cacls C:\Windows\Fonts\*.exe /e /d system
- command: cacls C:\Progra~1\Common~1\Services /e /d system
- command: cacls C:\Progra~1\Common~1\SpeechEngines\*.exe /e /d system
- command: cacls C:\Windows\Fonts\system32 /e /d system
- command: cacls C:\Windows\SpeechsTracing /e /d system
- command: cacls "C:\Program Files (x86)\Microsoft SvidiaTen" /e /d system
- command: C:\Windows\system32\cacls.exe cacLS C:\Progra~1\Common~1\Micros~1\*.exe /e /d system
- command: cacls C:\System /e /d system
- command: cacls C:\windows\1 /e /d system
- command: cacls c:\users\public\*.exe /e /d system
- command: cacls "C:\Program Files\Common Files\conime.exe" /e /d system
- command: cacls "C:\Program Files (x86)\Common Files\conime.exe" /e /d system
- command: cacls C:\Progra~1\test\*.exe /e /d everyone
- command: cacls C:\Windows\Fonts\help\*.exe /e /d system
- command: cacls C:\Windows\web\*.exe /e /d system
- command: cacls C:\ProgramData\diskdata /e /d system

Detected script timer window indicative of sleep style evasion
- Window: WSH-Timer

Dynamic (imported) function loading detected
- DynamicLoader: kernel32.dll/InitializeCriticalSectionEx
- DynamicLoader: kernel32.dll/FlsAlloc
- DynamicLoader: kernel32.dll/FlsSetValue
- DynamicLoader: kernel32.dll/InitializeCriticalSectionEx
- DynamicLoader: kernel32.dll/FlsAlloc
- DynamicLoader: kernel32.dll/FlsGetValue
- DynamicLoader: kernel32.dll/FlsSetValue
- DynamicLoader: kernel32.dll/LCMapStringEx
- DynamicLoader: kernel32.dll/SetDllDirectoryW
- DynamicLoader: kernel32.dll/SetDefaultDllDirectories
- DynamicLoader: kernel32.dll/SortGetHandle
- DynamicLoader: kernel32.dll/SortCloseHandle
- DynamicLoader: ole32.dll/OleInitialize
- DynamicLoader: CRYPTBASE.dll/SystemFunction036
- DynamicLoader: UXTheme.dll/ThemeInitApiHook
- DynamicLoader: USER32.dll/IsProcessDPIAware
- DynamicLoader: COMCTL32.dll/InitCommonControlsEx
- DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
- DynamicLoader: USER32.dll/GetWindowInfo
- DynamicLoader: USER32.dll/GetAncestor
- DynamicLoader: USER32.dll/GetMonitorInfoA
- DynamicLoader: USER32.dll/EnumDisplayMonitors
- DynamicLoader: USER32.dll/EnumDisplayDevicesA
- DynamicLoader: GDI32.dll/ExtTextOutW
- DynamicLoader: GDI32.dll/GdiIsMetaPrintDC
- DynamicLoader: SHELL32.dll/SHGetMalloc
- DynamicLoader: ole32.dll/CoGetMalloc
- DynamicLoader: USER32.dll/LoadIconW
- DynamicLoader: USER32.dll/LoadBitmapW
- DynamicLoader: ole32.dll/CreateStreamOnHGlobal
- DynamicLoader: WindowsCodecs.dll/DllGetClassObject
- DynamicLoader: kernel32.dll/WerRegisterMemoryBlock
- DynamicLoader: GDI32.dll/GetObjectW
- DynamicLoader: USER32.dll/GetDC
- DynamicLoader: GDI32.dll/GetDeviceCaps
- DynamicLoader: USER32.dll/ReleaseDC
- DynamicLoader: USER32.dll/DialogBoxParamW
- DynamicLoader: dwmapi.dll/DwmIsCompositionEnabled
- DynamicLoader: COMCTL32.dll/RegisterClassNameW
- DynamicLoader: UXTheme.dll/EnableThemeDialogTexture
- DynamicLoader: COMCTL32.dll/RegisterClassNameW
- DynamicLoader: UXTheme.dll/OpenThemeData
- DynamicLoader: UXTheme.dll/IsThemePartDefined
- DynamicLoader: UXTheme.dll/GetThemeMargins
- DynamicLoader: UXTheme.dll/GetThemeBool
- DynamicLoader: UXTheme.dll/GetThemeInt
- DynamicLoader: COMCTL32.dll/RegisterClassNameW
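The two behaviours worth detecting and undoing in the signature output above are the forced taskkill sweep over rival miners and remote-access tools, and the long run of cacls /e /d entries that deny Everyone and SYSTEM on executables under Program Files, ProgramData and the Windows directory, paired with /e /g everyone:f grants that leave AppData\Local\Temp and AppData\Roaming world-writable. The Python below is an added example for this page, not code from the report or from the sample: it tokenizes process-creation command lines (the sample lines are constructed from commands the sandbox logged, plus one benign line for contrast), flags the sweep and the ACL edits, and builds icacls commands that strip the deny entries. The MINER_IMAGES set and the five-image threshold are assumptions chosen for the example.

```python
"""Triage of taskkill / cacls command lines (added example, not from the report)."""
import re
from dataclasses import dataclass, field

# Image names in the sweep that are themselves coin-miner executables.
# Assumption: taken from the report's taskkill line; extend for your estate.
MINER_IMAGES = {"nscpucnminer64.exe", "nscpucnminer32.exe"}

# Constructed sample of process-creation command lines (not a real log file);
# all but the last are copied from commands the sandbox logged.
SAMPLE_LOG = [
    r"taskkill /f /im help.exe /im doc001.exe /im anydesk.exe /im sqlservr.exe "
    r"/im NsCpuCNMiner64.exe /im NsCpuCNMiner32.exe im ctfmonc.exe /im svhost.exe",
    r'cacls "C:\Program Files\anyDesk\*.exe" /e /d everyone',
    r'cacls "C:\Program Files\Microsoft SQL Server\110\Shared\*.exe" /e /d system',
    r"cacls C:\ProgramData\diskdata\*.exe /e /d system",
    r"cacls C:\Users\asp\AppData\Roaming\Tempo\*.exe /e /d everyone",
    r"cacls C:\Users\Default\AppData\Local\Temp /e /g everyone:f",
    r"notepad.exe C:\Users\asp\notes.txt",
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a command line on whitespace, keeping double-quoted paths whole."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_taskkill(tokens):
    """Return (image names given with /im, whether /f was used).
    A bare 'im' without the slash, as in the logged sweep, is not a valid
    /im filter, so it is deliberately not matched."""
    images, force = [], False
    for i, tok in enumerate(tokens):
        if tok.lower() == "/f":
            force = True
        elif tok.lower() == "/im" and i + 1 < len(tokens):
            images.append(tokens[i + 1])
    return images, force


def parse_cacls(tokens):
    """Return (path, [(action, principal, permission)]) for a cacls command.
    With /e cacls edits the existing DACL instead of replacing it; /d adds a
    deny entry for a principal, /g user:perm adds a grant (cacls syntax)."""
    path, aces = (tokens[1] if len(tokens) > 1 else ""), []
    for i, tok in enumerate(tokens):
        if i < 2 or i + 1 >= len(tokens):
            continue
        if tok.lower() == "/d":
            aces.append(("deny", tokens[i + 1].lower(), None))
        elif tok.lower() == "/g":
            principal, _, perm = tokens[i + 1].partition(":")
            aces.append(("grant", principal.lower(), perm.lower()))
    return path, aces


@dataclass
class Triage:
    killed: list = field(default_factory=list)    # images named with /im
    denies: list = field(default_factory=list)    # (path, principal)
    grants: list = field(default_factory=list)    # (path, principal, perm)
    findings: list = field(default_factory=list)  # (rule, detail)


def triage(cmdlines):
    """Apply the taskkill-sweep and ACL-edit detections to command lines."""
    result = Triage()
    for line in cmdlines:
        tokens = tokenize(line)
        if not tokens:
            continue
        exe = tokens[0].rsplit("\\", 1)[-1].lower()
        if exe in ("taskkill", "taskkill.exe"):
            images, force = parse_taskkill(tokens)
            result.killed.extend(images)
            if force and len(images) >= 5:  # assumption: threshold for a "sweep"
                miners = sorted(i for i in images if i.lower() in MINER_IMAGES)
                result.findings.append(("taskkill_sweep", f"{len(images)} images, miners: {miners}"))
        elif exe in ("cacls", "cacls.exe"):
            path, aces = parse_cacls(tokens)
            for action, principal, perm in aces:
                if action == "deny" and principal in ("everyone", "system"):
                    # A deny ACE is evaluated before any allow ACE, so this locks
                    # out every principal covered by it, SYSTEM included.
                    result.denies.append((path, principal))
                    result.findings.append(("acl_lockout", f"deny {principal} on {path}"))
                elif action == "grant" and principal == "everyone" and perm == "f":
                    result.grants.append((path, principal, perm))
                    result.findings.append(("world_writable", f"Everyone:F on {path}"))
    return result


def revert_commands(result):
    """icacls commands that strip the deny entries cacls added. Review them,
    then run from an elevated prompt; /remove:d removes only deny ACEs."""
    seen, cmds = set(), []
    for path, principal in result.denies:
        if (path.lower(), principal) not in seen:
            seen.add((path.lower(), principal))
            cmds.append(f'icacls "{path}" /remove:d {principal.upper()}')
    return cmds


if __name__ == "__main__":
    res = triage(SAMPLE_LOG)
    for rule, detail in res.findings:
        print(f"[{rule}] {detail}")
    print("\n".join(revert_commands(res)))
```

cacls is deprecated but still ships with Windows, so its presence is not an anomaly by itself; what matters is the target and the principal. Denying SYSTEM on executables means services and scheduled tasks running as SYSTEM can no longer start them, which is how the sample keeps rivals such as the NsCpuCNMiner binaries and the RemoteDesk, AnyDesk and SQL Server tools from coming back, and because a deny entry wins over any allow, cleanup has to remove the entry (icacls /remove:d) rather than add a grant on top of it. The DynamicLoader entries listed under the third signature are almost all MSVC runtime and common-controls start-up resolutions (FlsAlloc, InitializeCriticalSectionEx, LCMapStringEx, InitCommonControlsEx) and are not indicators on their own.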

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    15 Page