chinese_generic_botnet | 8742e2911a8e806f16708950b4acb35ff6a1e3f8e2182d28d23ef4c419faaa6a

Analysis

max time kernel
134s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-09-2024 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8742e2911a8e806f16708950b4acb35ff6a1e3f8e2182d28d23ef4c419faaa6a.exe
Size

11.9MB
MD5

e6d06c8ea516c2fbfff8ddaf9c73146f
SHA1

5f109145628a5435c92f7a7e1c142220ae5252ef
SHA256

8742e2911a8e806f16708950b4acb35ff6a1e3f8e2182d28d23ef4c419faaa6a
SHA512

de0412dacc341a527fc7996612f1b278c332b66047bca8d036fa729709f531fdb8169c021255b18c6f57e5ef4d8d2099e075c20708e1f3f217011b895dc70e06
SSDEEP

196608:tOVnUTQnOFDKpxOET0hmk00nSJdziGYhU0jatCTNX+wnRtF8WbAHV:UUz8pxrT0kHJdqi0e81xRtGWy

Score

10^/10

chinese_generic_botnet botnet discovery persistence vmprotect

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 1 IoCs

botnet

resource	yara_rule
behavioral1/memory/2832-56-0x0000000010000000-0x0000000010018000-memory.dmp	unk_chinese_botnet

Executes dropped EXE 16 IoCs

pid	Process
2704	startqidong.exe
2832	startup.exe
2604	Nvidiaup.exe
2196	nbminer.exe
2912	nbminer.exe
1516	nbminer.exe
1960	nbminer.exe
1712	Frmbcmv.exe
1684	nbminer.exe
2088	nbminer.exe
2160	nbminer.exe
2108	nbminer.exe
944	nbminer.exe
1700	nbminer.exe
1316	nbminer.exe
2868	nbminer.exe

Loads dropped DLL 6 IoCs

pid	Process
2256	8742e2911a8e806f16708950b4acb35ff6a1e3f8e2182d28d23ef4c419faaa6a.exe
2256	8742e2911a8e806f16708950b4acb35ff6a1e3f8e2182d28d23ef4c419faaa6a.exe
2256	8742e2911a8e806f16708950b4acb35ff6a1e3f8e2182d28d23ef4c419faaa6a.exe
2256	8742e2911a8e806f16708950b4acb35ff6a1e3f8e2182d28d23ef4c419faaa6a.exe
2256	8742e2911a8e806f16708950b4acb35ff6a1e3f8e2182d28d23ef4c419faaa6a.exe
1672	cmd.exe

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000500000001866f-69.dat	vmprotect
behavioral1/memory/2196-81-0x0000000140000000-0x0000000141B46000-memory.dmp	vmprotect
behavioral1/memory/2912-97-0x0000000140000000-0x0000000141B46000-memory.dmp	vmprotect
behavioral1/memory/1516-113-0x0000000140000000-0x0000000141B46000-memory.dmp	vmprotect
behavioral1/memory/1960-128-0x0000000140000000-0x0000000141B46000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Nvidiaup = "C:\\Windows86\\Nvidiaup.exe"	8742e2911a8e806f16708950b4acb35ff6a1e3f8e2182d28d23ef4c419faaa6a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\qidongxiang3 = "C:\\windows86\\Nvidiaup.exe"	startqidong.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\qidongxiang4 = "C:\\windows86\\Nvidiaup.exe"	startqidong.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	Frmbcmv.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

pid	Process
2196	nbminer.exe
2912	nbminer.exe
1516	nbminer.exe
1960	nbminer.exe
1684	nbminer.exe
2088	nbminer.exe
2160	nbminer.exe
2108	nbminer.exe
944	nbminer.exe
1700	nbminer.exe
1316	nbminer.exe
2868	nbminer.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Frmbcmv.exe	startup.exe
File opened for modification	C:\Program Files (x86)\Frmbcmv.exe	startup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	startqidong.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	startup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nvidiaup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Frmbcmv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8742e2911a8e806f16708950b4acb35ff6a1e3f8e2182d28d23ef4c419faaa6a.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D88FA27-30B8-44A0-B262-07A4EE938D4F}\WpadNetworkName = "Network 3"	Frmbcmv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D88FA27-30B8-44A0-B262-07A4EE938D4F}\8e-76-61-e5-f2-b0	Frmbcmv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Frmbcmv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D88FA27-30B8-44A0-B262-07A4EE938D4F}	Frmbcmv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D88FA27-30B8-44A0-B262-07A4EE938D4F}\WpadDecisionReason = "1"	Frmbcmv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D88FA27-30B8-44A0-B262-07A4EE938D4F}\WpadDecision = "0"	Frmbcmv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Frmbcmv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	Frmbcmv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00c4000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Frmbcmv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D88FA27-30B8-44A0-B262-07A4EE938D4F}\WpadDecisionTime = 805e46dc9905db01	Frmbcmv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	Frmbcmv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	Frmbcmv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	Frmbcmv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	Frmbcmv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-76-61-e5-f2-b0	Frmbcmv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-76-61-e5-f2-b0\WpadDecisionReason = "1"	Frmbcmv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-76-61-e5-f2-b0\WpadDecisionTime = 805e46dc9905db01	Frmbcmv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Frmbcmv.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Frmbcmv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-76-61-e5-f2-b0\WpadDecision = "0"	Frmbcmv.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Frmbcmv.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Frmbcmv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Frmbcmv.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	Frmbcmv.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2196	nbminer.exe
2912	nbminer.exe
1516	nbminer.exe
1960	nbminer.exe
1684	nbminer.exe
2088	nbminer.exe
2160	nbminer.exe
2108	nbminer.exe
944	nbminer.exe
1700	nbminer.exe
1316	nbminer.exe

Suspicious use of SetWindowsHookEx 57 IoCs

pid	Process
2256	8742e2911a8e806f16708950b4acb35ff6a1e3f8e2182d28d23ef4c419faaa6a.exe
2256	8742e2911a8e806f16708950b4acb35ff6a1e3f8e2182d28d23ef4c419faaa6a.exe
2604	Nvidiaup.exe
2604	Nvidiaup.exe
2196	nbminer.exe
2196	nbminer.exe
2196	nbminer.exe
2912	nbminer.exe
2912	nbminer.exe
2912	nbminer.exe
2912	nbminer.exe
2912	nbminer.exe
1516	nbminer.exe
1516	nbminer.exe
1516	nbminer.exe
1516	nbminer.exe
1516	nbminer.exe
1960	nbminer.exe
1960	nbminer.exe
1960	nbminer.exe
1960	nbminer.exe
1960	nbminer.exe
1684	nbminer.exe
1684	nbminer.exe
1684	nbminer.exe
1684	nbminer.exe
1684	nbminer.exe
2088	nbminer.exe
2088	nbminer.exe
2088	nbminer.exe
2088	nbminer.exe
2088	nbminer.exe
2160	nbminer.exe
2160	nbminer.exe
2160	nbminer.exe
2160	nbminer.exe
2160	nbminer.exe
2108	nbminer.exe
2108	nbminer.exe
2108	nbminer.exe
2108	nbminer.exe
2108	nbminer.exe
944	nbminer.exe
944	nbminer.exe
944	nbminer.exe
944	nbminer.exe
944	nbminer.exe
1700	nbminer.exe
1700	nbminer.exe
1700	nbminer.exe
1700	nbminer.exe
1700	nbminer.exe
1316	nbminer.exe
1316	nbminer.exe
1316	nbminer.exe
1316	nbminer.exe
1316	nbminer.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2704	2256	8742e2911a8e806f16708950b4acb35ff6a1e3f8e2182d28d23ef4c419faaa6a.exe	29
PID 2256 wrote to memory of 2704	2256	8742e2911a8e806f16708950b4acb35ff6a1e3f8e2182d28d23ef4c419faaa6a.exe	29
PID 2256 wrote to memory of 2704	2256	8742e2911a8e806f16708950b4acb35ff6a1e3f8e2182d28d23ef4c419faaa6a.exe	29
PID 2256 wrote to memory of 2704	2256	8742e2911a8e806f16708950b4acb35ff6a1e3f8e2182d28d23ef4c419faaa6a.exe	29
PID 2256 wrote to memory of 2832	2256	8742e2911a8e806f16708950b4acb35ff6a1e3f8e2182d28d23ef4c419faaa6a.exe	30
PID 2256 wrote to memory of 2832	2256	8742e2911a8e806f16708950b4acb35ff6a1e3f8e2182d28d23ef4c419faaa6a.exe	30
PID 2256 wrote to memory of 2832	2256	8742e2911a8e806f16708950b4acb35ff6a1e3f8e2182d28d23ef4c419faaa6a.exe	30
PID 2256 wrote to memory of 2832	2256	8742e2911a8e806f16708950b4acb35ff6a1e3f8e2182d28d23ef4c419faaa6a.exe	30
PID 2256 wrote to memory of 2604	2256	8742e2911a8e806f16708950b4acb35ff6a1e3f8e2182d28d23ef4c419faaa6a.exe	31
PID 2256 wrote to memory of 2604	2256	8742e2911a8e806f16708950b4acb35ff6a1e3f8e2182d28d23ef4c419faaa6a.exe	31
PID 2256 wrote to memory of 2604	2256	8742e2911a8e806f16708950b4acb35ff6a1e3f8e2182d28d23ef4c419faaa6a.exe	31
PID 2256 wrote to memory of 2604	2256	8742e2911a8e806f16708950b4acb35ff6a1e3f8e2182d28d23ef4c419faaa6a.exe	31
PID 2604 wrote to memory of 3052	2604	Nvidiaup.exe	32
PID 2604 wrote to memory of 3052	2604	Nvidiaup.exe	32
PID 2604 wrote to memory of 3052	2604	Nvidiaup.exe	32
PID 2604 wrote to memory of 3052	2604	Nvidiaup.exe	32
PID 3052 wrote to memory of 948	3052	cmd.exe	34
PID 3052 wrote to memory of 948	3052	cmd.exe	34
PID 3052 wrote to memory of 948	3052	cmd.exe	34
PID 3052 wrote to memory of 948	3052	cmd.exe	34
PID 948 wrote to memory of 1672	948	mshta.exe	35
PID 948 wrote to memory of 1672	948	mshta.exe	35
PID 948 wrote to memory of 1672	948	mshta.exe	35
PID 948 wrote to memory of 1672	948	mshta.exe	35
PID 1672 wrote to memory of 2196	1672	cmd.exe	37
PID 1672 wrote to memory of 2196	1672	cmd.exe	37
PID 1672 wrote to memory of 2196	1672	cmd.exe	37
PID 1672 wrote to memory of 2196	1672	cmd.exe	37
PID 2196 wrote to memory of 2912	2196	nbminer.exe	39
PID 2196 wrote to memory of 2912	2196	nbminer.exe	39
PID 2196 wrote to memory of 2912	2196	nbminer.exe	39
PID 2196 wrote to memory of 1516	2196	nbminer.exe	40
PID 2196 wrote to memory of 1516	2196	nbminer.exe	40
PID 2196 wrote to memory of 1516	2196	nbminer.exe	40
PID 2196 wrote to memory of 1960	2196	nbminer.exe	41
PID 2196 wrote to memory of 1960	2196	nbminer.exe	41
PID 2196 wrote to memory of 1960	2196	nbminer.exe	41
PID 2196 wrote to memory of 1684	2196	nbminer.exe	43
PID 2196 wrote to memory of 1684	2196	nbminer.exe	43
PID 2196 wrote to memory of 1684	2196	nbminer.exe	43
PID 2196 wrote to memory of 2088	2196	nbminer.exe	44
PID 2196 wrote to memory of 2088	2196	nbminer.exe	44
PID 2196 wrote to memory of 2088	2196	nbminer.exe	44
PID 2196 wrote to memory of 2160	2196	nbminer.exe	45
PID 2196 wrote to memory of 2160	2196	nbminer.exe	45
PID 2196 wrote to memory of 2160	2196	nbminer.exe	45
PID 2196 wrote to memory of 2108	2196	nbminer.exe	46
PID 2196 wrote to memory of 2108	2196	nbminer.exe	46
PID 2196 wrote to memory of 2108	2196	nbminer.exe	46
PID 2196 wrote to memory of 944	2196	nbminer.exe	47
PID 2196 wrote to memory of 944	2196	nbminer.exe	47
PID 2196 wrote to memory of 944	2196	nbminer.exe	47
PID 2196 wrote to memory of 1700	2196	nbminer.exe	48
PID 2196 wrote to memory of 1700	2196	nbminer.exe	48
PID 2196 wrote to memory of 1700	2196	nbminer.exe	48
PID 2196 wrote to memory of 1316	2196	nbminer.exe	49
PID 2196 wrote to memory of 1316	2196	nbminer.exe	49
PID 2196 wrote to memory of 1316	2196	nbminer.exe	49
PID 2196 wrote to memory of 2868	2196	nbminer.exe	50
PID 2196 wrote to memory of 2868	2196	nbminer.exe	50
PID 2196 wrote to memory of 2868	2196	nbminer.exe	50

C:\Users\Admin\AppData\Local\Temp\8742e2911a8e806f16708950b4acb35ff6a1e3f8e2182d28d23ef4c419faaa6a.exe
"C:\Users\Admin\AppData\Local\Temp\8742e2911a8e806f16708950b4acb35ff6a1e3f8e2182d28d23ef4c419faaa6a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2256
- C:\windows86\startqidong.exe
  C:\windows86\startqidong.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2704
- C:\windows86\startup.exe
  C:\windows86\startup.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2832
- C:\Windows86\Nvidiaup.exe
  C:\Windows86\Nvidiaup.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\windows86\start.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\Windows\SysWOW64\mshta.exe
      mshta vbscript:createobject("wscript.shell").run("""start.bat"" h",0)(window.close)
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of WriteProcessMemory
      PID:948
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows86\start.bat" h"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1672
      - C:\Windows86\nbminer.exe
        
        nbminer -a ethash -o stratum+tcp://eth-pool.beepool.org:9530 -u mtnb.Wouosvrd -log
        6⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows86\nbminer.exe
        
        nbminer -a ethash -o stratum+tcp://eth-pool.beepool.org:9530 -u mtnb.Wouosvrd -log -RUN -reboot-times 0
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2912
        
        C:\Windows86\nbminer.exe
        
        nbminer -a ethash -o stratum+tcp://eth-pool.beepool.org:9530 -u mtnb.Wouosvrd -log -RUN -reboot-times 1
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1516
        
        C:\Windows86\nbminer.exe
        
        nbminer -a ethash -o stratum+tcp://eth-pool.beepool.org:9530 -u mtnb.Wouosvrd -log -RUN -reboot-times 2
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1960
        
        C:\Windows86\nbminer.exe
        
        nbminer -a ethash -o stratum+tcp://eth-pool.beepool.org:9530 -u mtnb.Wouosvrd -log -RUN -reboot-times 3
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1684
        
        C:\Windows86\nbminer.exe
        
        nbminer -a ethash -o stratum+tcp://eth-pool.beepool.org:9530 -u mtnb.Wouosvrd -log -RUN -reboot-times 4
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2088
        
        C:\Windows86\nbminer.exe
        
        nbminer -a ethash -o stratum+tcp://eth-pool.beepool.org:9530 -u mtnb.Wouosvrd -log -RUN -reboot-times 5
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2160
        
        C:\Windows86\nbminer.exe
        
        nbminer -a ethash -o stratum+tcp://eth-pool.beepool.org:9530 -u mtnb.Wouosvrd -log -RUN -reboot-times 6
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2108
        
        C:\Windows86\nbminer.exe
        
        nbminer -a ethash -o stratum+tcp://eth-pool.beepool.org:9530 -u mtnb.Wouosvrd -log -RUN -reboot-times 7
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:944
        
        C:\Windows86\nbminer.exe
        
        nbminer -a ethash -o stratum+tcp://eth-pool.beepool.org:9530 -u mtnb.Wouosvrd -log -RUN -reboot-times 8
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1700
        
        C:\Windows86\nbminer.exe
        
        nbminer -a ethash -o stratum+tcp://eth-pool.beepool.org:9530 -u mtnb.Wouosvrd -log -RUN -reboot-times 9
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1316
        
        C:\Windows86\nbminer.exe
        
        nbminer -a ethash -o stratum+tcp://eth-pool.beepool.org:9530 -u mtnb.Wouosvrd -log -RUN -reboot-times 10
        7⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:2868

C:\Program Files (x86)\Frmbcmv.exe
"C:\Program Files (x86)\Frmbcmv.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\windows86\nbminer.exe

Filesize
11.1MB

MD5
de16330e2a66a4d98476b4ee77f46951

SHA1
f43da757600798f16492dede18d4138301f79c12

SHA256
eaba5c460b9e45f14bdc0900ae376174059ab79396ff333a92c1cdd232a7cab7

SHA512
f33114f2ade3de0cce334e54c8895969f7bd34b805cf9c3db523367ffbe44f11dbb771e176cef93116c8cb1035750c258d2bed3d27d287275ce619a2088f0059

Download Submit
C:\windows86\start.bat

Filesize
215B

MD5
8dd8448045236ea519ba87236e0f994b

SHA1
1d72238acd68bb01fe95321c4ce7e4819679e40e

SHA256
1afa8f0034893c322919e39e06db96d18e3c17bce2ac5b36ce2b3d6e0149ed8c

SHA512
d281ba9f09d9656a60c71a53225e76fee689c55ff97ebd29c798262de02f6b9271bc1ed26df582456184b65a81fb893d5edd29db121bd778f860680a32600315

Download Submit
\windows86\nvidiaup.exe

Filesize
796KB

MD5
27d26f4be25faebe74dc73e37955fb68

SHA1
926a1197872cddcefb35de1f7a505b5c9c993601

SHA256
41ee68beeb85b57fb05fb2a7d72baa14fb4285d7ab2bde35050a128f2831cfef

SHA512
ea0cbf6320f1bffbb3d875c7e69934a24c932278b168d029b5e003c5cd5b7130a2f386147916e002a06b9d6dc28929a61f04dc1c02bbf670522be6fcbb89dde5

Download Submit
\windows86\startqidong.exe

Filesize
141KB

MD5
a116fd21486afbc67b4541331ed8c0c9

SHA1
593b9081ee25a80acb36eade8665f0e207b22ae0

SHA256
db574d55dbe5a4c7ed8a3bd9bd67d1a09ec452c00495d15451272ac6b9c5a341

SHA512
9bc905d404264311dc8866830bb17af784c60e24510a63244074d1e2503e2705af0591e1a1070f9478ccc42dfc08eb18ec7bcbe044624cedea7ba25e936347d1

Download Submit
\windows86\startup.exe

Filesize
376KB

MD5
f69c2079fa1a0655f45dfb20bc2775ad

SHA1
d1f4094fc9f74e998548441dceb2bfb1dc383f4e

SHA256
5bcc763f0bca9735f391544e33ddeb9f18733132f0a7afcfddd87738f31a2f2d

SHA512
c8415414425093a96b0f847532d8183af2fcc69e76c44e0bac3c9d3ee280aee82b6294ae4b5b6fe103fe347f99d0f2ba3fbbc593a13a0ad27c44a359407de015

Download Submit
memory/1516-113-0x0000000140000000-0x0000000141B46000-memory.dmp

Filesize
27.3MB

Download
memory/1960-128-0x0000000140000000-0x0000000141B46000-memory.dmp

Filesize
27.3MB

Download
memory/2196-81-0x0000000140000000-0x0000000141B46000-memory.dmp

Filesize
27.3MB

Download
memory/2196-76-0x0000000077880000-0x0000000077882000-memory.dmp

Filesize
8KB

Download
memory/2196-73-0x0000000077870000-0x0000000077872000-memory.dmp

Filesize
8KB

Download
memory/2196-75-0x0000000077870000-0x0000000077872000-memory.dmp

Filesize
8KB

Download
memory/2196-71-0x0000000077870000-0x0000000077872000-memory.dmp

Filesize
8KB

Download
memory/2196-80-0x0000000077880000-0x0000000077882000-memory.dmp

Filesize
8KB

Download
memory/2196-78-0x0000000077880000-0x0000000077882000-memory.dmp

Filesize
8KB

Download
memory/2704-54-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2704-100-0x00000000744FE000-0x00000000744FF000-memory.dmp

Filesize
4KB

Download
memory/2704-101-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2704-46-0x0000000000AC0000-0x0000000000AEA000-memory.dmp

Filesize
168KB

Download
memory/2704-45-0x00000000744FE000-0x00000000744FF000-memory.dmp

Filesize
4KB

Download
memory/2832-56-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/2912-97-0x0000000140000000-0x0000000141B46000-memory.dmp

Filesize
27.3MB

Download