Overview

overview

10

Static

static

7

gemme ya b...01.exe

windows7-x64

8

gemme ya b...01.exe

windows10-2004-x64

8

$PLUGINSDI...os.dll

windows7-x64

3

$PLUGINSDI...os.dll

windows10-2004-x64

3

$PLUGINSDIR/inetc.dll

windows7-x64

3

$PLUGINSDIR/inetc.dll

windows10-2004-x64

3

$R9/NsCpuC...32.exe

windows7-x64

7

$R9/NsCpuC...32.exe

windows10-2004-x64

7

$R9/NsCpuC...64.exe

windows7-x64

7

$R9/NsCpuC...64.exe

windows10-2004-x64

7

$R9/Plugin...os.dll

windows7-x64

3

$R9/Plugin...os.dll

windows10-2004-x64

3

$R9/Plugins/inetc.dll

windows7-x64

3

$R9/Plugins/inetc.dll

windows10-2004-x64

3

info.vbe

windows7-x64

8

info.vbe

windows10-2004-x64

8

$R9/Plugins/tftp.exe

windows7-x64

8

$R9/Plugins/tftp.exe

windows10-2004-x64

10

$R9/Stubs/bzip2.exe

windows7-x64

3

$R9/Stubs/bzip2.exe

windows10-2004-x64

3

$R9/Stubs/...id.exe

windows7-x64

3

$R9/Stubs/...id.exe

windows10-2004-x64

3

$R9/Stubs/lzma.exe

windows7-x64

3

$R9/Stubs/lzma.exe

windows10-2004-x64

3

$R9/Stubs/zlib.exe

windows7-x64

3

$R9/Stubs/zlib.exe

windows10-2004-x64

3

$R9/makensis.exe

windows7-x64

1

$R9/makensis.exe

windows10-2004-x64

1

$TEMP/tftp.exe

windows7-x64

10

$TEMP/tftp.exe

windows10-2004-x64

10

gemme ya booty/c.sh

windows7-x64

3

gemme ya booty/c.sh

windows10-2004-x64

3

Resubmissions

11-04-2024 05:25

240411-f4bm4agc8t 10

11-04-2024 01:54

240411-cbjw8acd6x 10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    11-04-2024 05:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    gemme ya booty/IMG001.exe

  • Size

    3.4MB

  • MD5

    908bb37015af1c863e8e73bb76fdb127

  • SHA1

    da3c0542e7223d9a1caf327164a1d54597afa59b

  • SHA256

    ff2787534a0da486583ac6aabed1f30b9af3d0c7ac2390771c167a60f2dd266c

  • SHA512

    e96de2faa86c70361a9e15397e01b73e1126f6f97c195fa06d1ad491f874376f0a1b3a45518639e8eb594640048126bc73b924b8f2dce961dabf364dabad0155

  • SSDEEP

    98304:MmVPnq1y5tQOM33ZNqCtBixHl54Oyjes1bof:zVPq1yLanrqTr43eSQ

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Contacts a large (888) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops startup file 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
    installer
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Kills process with taskkill 2 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\gemme ya booty\IMG001.exe
    "C:\Users\Admin\AppData\Local\Temp\gemme ya booty\IMG001.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im tftp.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1296
    • C:\Users\Admin\AppData\Local\Temp\tftp.exe
      "C:\Users\Admin\AppData\Local\Temp\tftp.exe"
      2⤵
      • Executes dropped EXE
      PID:2768
    • C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
      "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Enumerates connected drives
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2420
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im tftp.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2480
      • C:\Users\Admin\AppData\Local\Temp\tftp.exe
        "C:\Users\Admin\AppData\Local\Temp\tftp.exe"
        3⤵
        • Executes dropped EXE
        PID:592
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1104
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
          4⤵
          • Adds Run key to start application
          PID:2752
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:908
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
          4⤵
          • Creates scheduled task(s)
          PID:2164
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:876
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
          4⤵
          • Drops file in Windows directory
          • Creates scheduled task(s)
          PID:1800
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2464
        • C:\Windows\SysWOW64\powercfg.exe
          powercfg /CHANGE -standby-timeout-ac 0
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1944
        • C:\Windows\SysWOW64\powercfg.exe
          powercfg /CHANGE -hibernate-timeout-ac 0
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1816
        • C:\Windows\SysWOW64\powercfg.exe
          Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1716

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\.htaccess
    Filesize

    114B

    MD5

    1cd7834fb975e468fccc8f027f69a528

    SHA1

    56275eef952e6559b86a2cba0b9d45b0307f9dae

    SHA256

    72e847a89d6a5e9e779ea2f6347b8780c0c0d72969f43777aa7ceb431bd3b024

    SHA512

    14e5fdc4ee4d961f1da2272847d31ddd1559a36415f00a032ae71400956d897dbd88fd8c8d03aadad29888e729d5c5077d8620aec8e179440b0d5dce511f3338

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\info.zip
    Filesize

    1KB

    MD5

    8604e0f263922501f749cfca447b041a

    SHA1

    85c712bdeaceb78e2785e1f63811b0c4a50f952d

    SHA256

    52ec3ba075a507e62bb6e3272fb13b30a8ddc0f62c4ea194311d558b338eb5ed

    SHA512

    496d7a1b8b55d28387dad3f1c43e164bb567259c4cac21dd632ccd450dfbf28d431330c27ea72a5a8034979c325d19ff3fd8a3f7fc12b1122f67ef595630d5b2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
    Filesize

    3.4MB

    MD5

    908bb37015af1c863e8e73bb76fdb127

    SHA1

    da3c0542e7223d9a1caf327164a1d54597afa59b

    SHA256

    ff2787534a0da486583ac6aabed1f30b9af3d0c7ac2390771c167a60f2dd266c

    SHA512

    e96de2faa86c70361a9e15397e01b73e1126f6f97c195fa06d1ad491f874376f0a1b3a45518639e8eb594640048126bc73b924b8f2dce961dabf364dabad0155

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsoB08C.tmp\inetc.dll
    Filesize

    21KB

    MD5

    d7a3fa6a6c738b4a3c40d5602af20b08

    SHA1

    34fc75d97f640609cb6cadb001da2cb2c0b3538a

    SHA256

    67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

    SHA512

    75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

    Download Submit

  • \Users\Admin\AppData\Local\Temp\tftp.exe
    Filesize

    92KB

    MD5

    c9869112b8ea084c76f34dbba826f828

    SHA1

    e209c404bb404ec87b0b1cfd4577999f0064eb25

    SHA256

    bd2a4c80801303a763c0ed0ca329744fa4d514ecedd635703108c034a62a6cea

    SHA512

    474c113a2bb7c544027fe6fc433bbeae9616098248af4a62a1e470daa54ec97b023e72ed2cdc2eddcfbd967525b44b57f9508ec8543892bed9ab0982d2491bdc

    Download Submit

  • memory/592-40-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/592-41-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download

  • memory/2768-19-0x0000000000400000-0x0000000000421000-memory.dmp

    Filesize

    132KB

    Download