notavirus.RiskTool.Win32.BitCoinMiner.lrc_87bdba0778

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The not-a-virus creates the following process(es):

%original file name%.exe:1660
nircmd.exe:1620
nircmd.exe:1084
reg.exe:228
attrib.exe:1956
system.exe:484

The not-a-virus injects its code into the following process(es):No processes have been created.

File activity

The process %original file name%.exe:1660 makes changes in the file system.

The not-a-virus creates and/or writes to the following file(s):

%WinDir%\syso\critical\libcurl-4.dll (245795 bytes)
%WinDir%\syso\critical\zlib1.dll (100864 bytes)
%WinDir%\syso\critical\pthreadGC2.dll (119888 bytes)
%WinDir%\syso\critical\antivirus.bat (129 bytes)
%WinDir%\syso\critical\sys.bat (337 bytes)
%WinDir%\syso\critical\system.exe (187904 bytes)
%WinDir%\syso\critical\nircmd.exe (43520 bytes)

The not-a-virus deletes the following file(s):

%WinDir%\syso\critical\__tmp_rar_sfx_access_check_7045609 (0 bytes)

Registry activity

The process %original file name%.exe:1660 makes changes in the system registry.

The not-a-virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 2E 68 B1 E6 B8 96 F5 7F 59 CD 25 FA 75 76 A1"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Windows\syso\critical]
"sys.bat" = "sys"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Рабочий стол"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий стол"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

The not-a-virus modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The not-a-virus modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The not-a-virus modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process nircmd.exe:1620 makes changes in the system registry.

The not-a-virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A 6D BA D7 F8 1B 0D A4 C5 36 FA BD 5B D1 8E 6A"

The process nircmd.exe:1084 makes changes in the system registry.

The not-a-virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 94 8E 47 73 15 66 57 08 A4 EA 1F DC 93 2E AA"

The process reg.exe:228 makes changes in the system registry.

The not-a-virus creates and/or sets the following values in system registry:

To automatically run itself each time Windows is booted, the not-a-virus adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Update" = "C:\Windows\syso\critical\antivirus.bat"

The process attrib.exe:1956 makes changes in the system registry.

The not-a-virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 6B 29 58 34 74 1C 4D 61 8B B9 0B 23 AA BB 6C"

The process system.exe:484 makes changes in the system registry.

The not-a-virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 4B F5 FF 26 D0 AF 15 99 EB DB 90 C0 6C 3B E0"

Network activity (URLs)

No activity has been detected.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):

   %original file name%.exe:1660
   nircmd.exe:1620
   nircmd.exe:1084
   reg.exe:228
   attrib.exe:1956
   system.exe:484

2. Delete the original not-a-virus file.
   
3. Delete or disinfect the following files created/modified by the not-a-virus:

   %WinDir%\syso\critical\libcurl-4.dll (245795 bytes)
   %WinDir%\syso\critical\zlib1.dll (100864 bytes)
   %WinDir%\syso\critical\pthreadGC2.dll (119888 bytes)
   %WinDir%\syso\critical\antivirus.bat (129 bytes)
   %WinDir%\syso\critical\sys.bat (337 bytes)
   %WinDir%\syso\critical\system.exe (187904 bytes)
   %WinDir%\syso\critical\nircmd.exe (43520 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "Windows Update" = "C:\Windows\syso\critical\antivirus.bat"

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

Network Activity

Map

Strings from Dumps