Windows Analysis Report https://github.com/nicehash/NHM_MinerPluginsDownloads/releases/download/v16.x/CryptoDredge_v16.0_mptoolkitV1_e294f620-94eb-11ea-a64d-17be303ea466.zip

Overview

General Information

Sample URL: https://github.com/nicehash/NHM_MinerPluginsDownloads/releases/download/v16.x/CryptoDredge_v16.0_mptoolkitV1_e294f620-94eb-11ea-a64d-17be303ea466.zip
Analysis ID: 479875

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Found inlined nop instructions (likely shell or obfuscated code)
PE file does not import any functions
Drops PE files
May sleep (evasive loops) to hinder dynamic analysis
Binary contains a suspicious time stamp
Detected potential crypto function
Found dropped PE file which has not been started or loaded
Creates a process in suspended mode (likely to inject code)
Contains long sleeps (>= 3 min)

Classification

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\hee0gukh.eki\MP.CryptoDredge.dll Virustotal: Detection: 28%
Source: C:\Users\user\AppData\Local\Temp\hee0gukh.eki\MP.CryptoDredge.dll Metadefender: Detection: 17%
Source: C:\Users\user\AppData\Local\Temp\hee0gukh.eki\MP.CryptoDredge.dll ReversingLabs: Detection: 37%

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 4x nop then jmp 04B4099Bh 5_2_04B402A8
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 4x nop then jmp 04B4099Ah 5_2_04B402A8
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: Ruleset Data.0.dr String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: Ruleset Data.0.dr String found in binary or memory: www.facebook.com/ajax/ads/ equals www.facebook.com (Facebook)
Source: manifest.json0.0.dr, 43a58191-4e79-4070-8703-44dfe9c58b35.tmp.1.dr, f101569a-bf7d-4a06-bec9-b8cb74a95d8f.tmp.1.dr String found in binary or memory: https://accounts.google.com
Source: manifest.json0.0.dr, 43a58191-4e79-4070-8703-44dfe9c58b35.tmp.1.dr, f101569a-bf7d-4a06-bec9-b8cb74a95d8f.tmp.1.dr String found in binary or memory: https://apis.google.com
Source: 43a58191-4e79-4070-8703-44dfe9c58b35.tmp.1.dr, f101569a-bf7d-4a06-bec9-b8cb74a95d8f.tmp.1.dr String found in binary or memory: https://clients2.google.com
Source: manifest.json1.0.dr String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 43a58191-4e79-4070-8703-44dfe9c58b35.tmp.1.dr, f101569a-bf7d-4a06-bec9-b8cb74a95d8f.tmp.1.dr String found in binary or memory: https://clients2.googleusercontent.com
Source: manifest.json0.0.dr String found in binary or memory: https://content.googleapis.com
Source: Reporting and NEL.1.dr String found in binary or memory: https://csp.withgoogle.com/csp/report-to/IdentityListAccountsHttp/external
Source: 894ab119-5f77-4d31-87bf-3f3e83eed5ff.tmp.1.dr, fa216826-8e74-4cfb-b79b-be68cbbf5cd7.tmp.1.dr, 43a58191-4e79-4070-8703-44dfe9c58b35.tmp.1.dr, f101569a-bf7d-4a06-bec9-b8cb74a95d8f.tmp.1.dr String found in binary or memory: https://dns.google
Source: manifest.json0.0.dr String found in binary or memory: https://feedback.googleusercontent.com
Source: 43a58191-4e79-4070-8703-44dfe9c58b35.tmp.1.dr, f101569a-bf7d-4a06-bec9-b8cb74a95d8f.tmp.1.dr String found in binary or memory: https://fonts.googleapis.com
Source: manifest.json0.0.dr String found in binary or memory: https://fonts.googleapis.com;
Source: 43a58191-4e79-4070-8703-44dfe9c58b35.tmp.1.dr, f101569a-bf7d-4a06-bec9-b8cb74a95d8f.tmp.1.dr String found in binary or memory: https://fonts.gstatic.com
Source: manifest.json0.0.dr String found in binary or memory: https://fonts.gstatic.com;
Source: 000003.log3.0.dr, CryptoDredge_v16.0_mptoolkitV1_e294f620-94eb-11ea-a64d-17be303ea466.zip_Zone.Identifier.4.dr String found in binary or memory: https://github-releases.githubusercontent.com/195045184/49908900-9c5e-11eb-9897-9484750f4979?X-Amz-A
Source: History.0.dr String found in binary or memory: https://github.com/nicehash/NHM_MinerPluginsDownloads/releases/download/v16.x/CryptoDredge_v16.0_mpt
Source: MP.CryptoDredge.dll.6.dr String found in binary or memory: https://github.com/technobyl/CryptoDredge/releases/download/v0.26.0/CryptoDredge_0.26.0_cuda_11.2_wi
Source: manifest.json0.0.dr String found in binary or memory: https://hangouts.google.com/
Source: 43a58191-4e79-4070-8703-44dfe9c58b35.tmp.1.dr, f101569a-bf7d-4a06-bec9-b8cb74a95d8f.tmp.1.dr String found in binary or memory: https://ogs.google.com
Source: manifest.json1.0.dr String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: 43a58191-4e79-4070-8703-44dfe9c58b35.tmp.1.dr String found in binary or memory: https://r1---sn-5hnekn7s.gvt1.com
Source: 43a58191-4e79-4070-8703-44dfe9c58b35.tmp.1.dr String found in binary or memory: https://redirector.gvt1.com
Source: manifest.json1.0.dr String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: 43a58191-4e79-4070-8703-44dfe9c58b35.tmp.1.dr, f101569a-bf7d-4a06-bec9-b8cb74a95d8f.tmp.1.dr String found in binary or memory: https://ssl.gstatic.com
Source: messages.json41.0.dr String found in binary or memory: https://support.google.com/chromecast/answer/2998456
Source: messages.json41.0.dr String found in binary or memory: https://support.google.com/chromecast/troubleshooter/2995236
Source: manifest.json0.0.dr, 43a58191-4e79-4070-8703-44dfe9c58b35.tmp.1.dr, f101569a-bf7d-4a06-bec9-b8cb74a95d8f.tmp.1.dr String found in binary or memory: https://www.google.com
Source: manifest.json1.0.dr String found in binary or memory: https://www.google.com/
Source: manifest.json0.0.dr String found in binary or memory: https://www.google.com;
Source: 43a58191-4e79-4070-8703-44dfe9c58b35.tmp.1.dr, f101569a-bf7d-4a06-bec9-b8cb74a95d8f.tmp.1.dr String found in binary or memory: https://www.googleapis.com
Source: manifest.json1.0.dr String found in binary or memory: https://www.googleapis.com/
Source: manifest.json0.0.dr String found in binary or memory: https://www.googleapis.com/auth/calendar.readonly
Source: manifest.json0.0.dr String found in binary or memory: https://www.googleapis.com/auth/cast-edu-messaging
Source: manifest.json1.0.dr String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: manifest.json1.0.dr String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: manifest.json0.0.dr String found in binary or memory: https://www.googleapis.com/auth/clouddevices
Source: manifest.json0.0.dr String found in binary or memory: https://www.googleapis.com/auth/hangouts
Source: manifest.json0.0.dr String found in binary or memory: https://www.googleapis.com/auth/hangouts.readonly
Source: manifest.json0.0.dr String found in binary or memory: https://www.googleapis.com/auth/meetings
Source: manifest.json0.0.dr String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwrite
Source: manifest.json1.0.dr String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: manifest.json1.0.dr String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: manifest.json0.0.dr String found in binary or memory: https://www.googleapis.com/auth/userinfo.email
Source: 43a58191-4e79-4070-8703-44dfe9c58b35.tmp.1.dr, f101569a-bf7d-4a06-bec9-b8cb74a95d8f.tmp.1.dr String found in binary or memory: https://www.gstatic.com
Source: manifest.json0.0.dr String found in binary or memory: https://www.gstatic.com;
Source: unknown HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: unknown DNS traffic detected: queries for: github.com
Source: global traffic HTTP traffic detected: GET /nicehash/NHM_MinerPluginsDownloads/releases/download/v16.x/CryptoDredge_v16.0_mptoolkitV1_e294f620-94eb-11ea-a64d-17be303ea466.zip HTTP/1.1Host: github.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfmX-Goog-Update-Updater: chromecrx-85.0.4183.121Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /195045184/49908900-9c5e-11eb-9897-9484750f4979?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20210908%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210908T134658Z&X-Amz-Expires=300&X-Amz-Signature=091b604827ca9250a0758b5a479d50b8598f2606cf741abe791905c7afbbc61f&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=195045184&response-content-disposition=attachment%3B%20filename%3DCryptoDredge_v16.0_mptoolkitV1_e294f620-94eb-11ea-a64d-17be303ea466.zip&response-content-type=application%2Foctet-stream HTTP/1.1Host: github-releases.githubusercontent.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /crx/blobs/Acy1k0bLIjHsvnKaKN_oRpVaYYvFs25d7GKYF1WXrT6yizCMksBO0c_ggE0B6tx6HPRHe6q1GOEe3_NcIbSiGG8kXeLMUY0sAKVvC6R89zvKM13s5VqoAMZSmuUgjQL5vlygJuArQghXXE_qTL7NlQ/extension_8520_615_0_5.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

System Summary:

PE file does not import any functions
Source: MP.CryptoDredge.dll.6.dr Static PE information: No import functions for PE file found
Detected potential crypto function
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 5_2_04B402A8 5_2_04B402A8
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 5_2_04B40299 5_2_04B40299
Source: C:\Windows\SysWOW64\unarchiver.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation 'https://github.com/nicehash/NHM_MinerPluginsDownloads/releases/download/v16.x/CryptoDredge_v16.0_mptoolkitV1_e294f620-94eb-11ea-a64d-17be303ea466.zip'
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1616,11712432474224128058,11765405648561526018,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1712 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1616,11712432474224128058,11765405648561526018,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=4852 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Downloads\CryptoDredge_v16.0_mptoolkitV1_e294f620-94eb-11ea-a64d-17be303ea466.zip'
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\hee0gukh.eki' 'C:\Users\user\Downloads\CryptoDredge_v16.0_mptoolkitV1_e294f620-94eb-11ea-a64d-17be303ea466.zip'
Source: C:\Windows\SysWOW64\7za.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5988:120:WilError_01
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-61393D5C-1600.pma
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user~1\AppData\Local\Temp\3e3f8d37-5341-46a8-acb7-375f529408a6.tmp
Source: classification engine Classification label: mal48.win@47/279@5/8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic
Source: C:\Windows\SysWOW64\unarchiver.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: C:\Programming\nicehash\NiceHashMiner\src\Miners\CryptoDredge\obj\Release\netstandard2.0\MP.CryptoDredge.pdb source: MP.CryptoDredge.dll.6.dr
Source: Binary string: C:\Programming\nicehash\NiceHashMiner\src\Miners\CryptoDredge\obj\Release\netstandard2.0\MP.CryptoDredge.pdbSHA256 source: MP.CryptoDredge.dll.6.dr

Data Obfuscation:

Binary contains a suspicious time stamp
Source: MP.CryptoDredge.dll.6.dr Static PE information: 0xE9E63BD3 [Sat May 8 17:58:43 2094 UTC]

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\SysWOW64\7za.exe File created: C:\Users\user\AppData\Local\Temp\hee0gukh.eki\MP.CryptoDredge.dll
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 384 Thread sleep time: -922337203685477s >= -30000s
Found dropped PE file which has not been started or loaded
Source: C:\Windows\SysWOW64\7za.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\hee0gukh.eki\MP.CryptoDredge.dll
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\unarchiver.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 5_2_00A5B0F2 GetSystemInfo, 5_2_00A5B0F2
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\hee0gukh.eki' 'C:\Users\user\Downloads\CryptoDredge_v16.0_mptoolkitV1_e294f620-94eb-11ea-a64d-17be303ea466.zip'
Source: C:\Windows\SysWOW64\unarchiver.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid