Home / malwarePDF  


First posted on 09 February 2018.
Source: Microsoft

Aliases :

There are no other names known for Trojan:PowerShell/WannaMine.

Explanation :

This threat is a form of a fileless malware attack which involves invoking Windows Management Instrumentation (WMI) objects and scheduling clean-up tasks through PowerShell without your consent.


We have observed this threat being distributed through EternalBlue exploit and Mimikatz.

This threat registers permanent events, to persist in your PC, relating instances with the following event filters named:

  • DSMEventLog
  • DCMEventLog

This threat also creates the Thread Mutex, MMLOLSacnner after a succesful connection to port

WMI Object values:
  • i17 – network scanning information
  • ipsu – network scanning information
  • funs – EternalBlue exploit distrubution
  • mimi – Mimikatz malware distribution
  • mon – Monero CPU minner
  • sc – yastcat scheduled task (clean-up %system%\temp\y1.bat)
  • vcp – downloads msvcp120.dll
  • vcr – downloads msvcr120.dll


Connects to a remote host

We have seen this threat connect to a remote host, including the following IPs:
  • 93[.]174[.]93[.]73
  • 195[.]22[.]129[.]157
In this case, this threat downloads the following information from the following port:
  • /info3.ps1 (port: 8000)
  • /api.php?data= (port: 8000)

Malware connects to a remote host to allow backdoor access and control of and send stolen information from your PC to the malicious hacker or cybercriminal.

Allows backdoor access and control

This threat can give a malicious hacker access and control of your PC. They can then perform a number of different actions, such as:
  • Downloading and uploading files
  • Enumerating running processes
  • Executing arbitrary commands
  • Gathering system information such as IP address and computer name
  • Changing some of your device settings

This analysis was published using the following file SHA1: F5493BF0C7F0CEE670BEB455D2C3B0BBEDE9F3DC692BC32F2138B6A3379DA952

Last update 09 February 2018