20389c7d417ec512e18bb246a693ce37e041390b6cf1cdd5dca0728b709f910d

Analysis

max time kernel
149s
max time network
138s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

images.exe
Size

4.5MB
MD5

32f21ab8cf9b96e8ba86395a0edc2e4f
SHA1

2a5b3c07e32b3b2b0c1ef33a10685027703440ec
SHA256

20389c7d417ec512e18bb246a693ce37e041390b6cf1cdd5dca0728b709f910d
SHA512

d7fc84e52ad671f55f07bd46a06ea3b881606f21c457e21d50bc45e08339926d13890792503d3bca46edc866f7a739cf7b845f0182ed18bcdb70bca1db011f6c
SSDEEP

98304:DMUaI9OMzejqikpYbAI7XLyhq6IvorAJKn6kD801cgl0+BhV1C8q0DBAvD:I8Oxy61y6g38ScglnBh20FMD

Score

7^/10

discovery persistence vmprotect

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

image.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.lnk image.exe
Executes dropped EXE 4 IoCs

Processes:

image.exeNsCpuCNMiner64.exeload.exeNsGpuCNMiner.exe

pid process

2848 image.exe
2820 NsCpuCNMiner64.exe
1948 load.exe
2112 NsGpuCNMiner.exe
Loads dropped DLL 11 IoCs

Processes:

images.exeimage.exeload.exe

pid process

2100 images.exe
2100 images.exe
2848 image.exe
2848 image.exe
2848 image.exe
2848 image.exe
2848 image.exe
1948 load.exe
2288
1688
2848 image.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.lnk	image.exe

pid	process
2848	image.exe
2820	NsCpuCNMiner64.exe
1948	load.exe
2112	NsGpuCNMiner.exe

pid	process
2100	images.exe
2100	images.exe
2848	image.exe
2848	image.exe
2848	image.exe
2848	image.exe
2848	image.exe
1948	load.exe
2288
1688
2848	image.exe

VMProtect packed file 7 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Images\NsCpuCNMiner64.exe	vmprotect
\Users\Admin\AppData\Roaming\Images\NsGpuCNMiner.exe	vmprotect
behavioral1/memory/2820-75-0x000000013F0A0000-0x000000013F44D000-memory.dmp	vmprotect
behavioral1/memory/2848-64-0x0000000003460000-0x000000000380D000-memory.dmp	vmprotect
behavioral1/memory/2112-86-0x000000013FF30000-0x00000001402EC000-memory.dmp	vmprotect
behavioral1/memory/2820-89-0x000000013F0A0000-0x000000013F44D000-memory.dmp	vmprotect
behavioral1/memory/2820-108-0x000000013F0A0000-0x000000013F44D000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

image.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Coin = "C:\\Users\\Admin\\AppData\\Roaming\\Images\\image.exe"	image.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

image.exe

description ioc process

File opened (read-only) \??\E: image.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

NsCpuCNMiner64.exe

pid process

2820 NsCpuCNMiner64.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened (read-only)	\??\E:	image.exe

pid	process
2820	NsCpuCNMiner64.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

images.exeimage.exeload.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	images.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	image.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	load.exe

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Images\image.exe	nsis_installer_1
\Users\Admin\AppData\Roaming\Images\image.exe	nsis_installer_2
\Users\Admin\AppData\Roaming\Images\load.exe	nsis_installer_1
\Users\Admin\AppData\Roaming\Images\load.exe	nsis_installer_2

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

images.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	images.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	images.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

NsCpuCNMiner64.exe

description pid process

Token: SeLockMemoryPrivilege 2820 NsCpuCNMiner64.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

image.exe

pid process

2848 image.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

image.exe

pid process

2848 image.exe

description	pid	process
Token: SeLockMemoryPrivilege	2820	NsCpuCNMiner64.exe

pid	process
2848	image.exe

pid	process
2848	image.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

images.exeimage.exe

description	pid	process	target process
PID 2100 wrote to memory of 2848	2100	images.exe	image.exe
PID 2100 wrote to memory of 2848	2100	images.exe	image.exe
PID 2100 wrote to memory of 2848	2100	images.exe	image.exe
PID 2100 wrote to memory of 2848	2100	images.exe	image.exe
PID 2848 wrote to memory of 2820	2848	image.exe	NsCpuCNMiner64.exe
PID 2848 wrote to memory of 2820	2848	image.exe	NsCpuCNMiner64.exe
PID 2848 wrote to memory of 2820	2848	image.exe	NsCpuCNMiner64.exe
PID 2848 wrote to memory of 2820	2848	image.exe	NsCpuCNMiner64.exe
PID 2848 wrote to memory of 2112	2848	image.exe	NsGpuCNMiner.exe
PID 2848 wrote to memory of 2112	2848	image.exe	NsGpuCNMiner.exe
PID 2848 wrote to memory of 2112	2848	image.exe	NsGpuCNMiner.exe
PID 2848 wrote to memory of 2112	2848	image.exe	NsGpuCNMiner.exe
PID 2848 wrote to memory of 1948	2848	image.exe	load.exe
PID 2848 wrote to memory of 1948	2848	image.exe	load.exe
PID 2848 wrote to memory of 1948	2848	image.exe	load.exe
PID 2848 wrote to memory of 1948	2848	image.exe	load.exe

C:\Users\Admin\AppData\Local\Temp\images.exe
"C:\Users\Admin\AppData\Local\Temp\images.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Roaming\Images\image.exe
  "C:\Users\Admin\AppData\Roaming\Images\image.exe" SW_HIDE
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Users\Admin\AppData\Roaming\Images\NsCpuCNMiner64.exe
    "C:\Users\Admin\AppData\Roaming\Images\NsCpuCNMiner64.exe" -dbg -1 -o stratum+tcp://mine.moneropool.com:3333 -u 43f2365syasJKRGGL9H5fdiS2NfEnvn6Yd2vB8HxcqbMhXWgrmQK48EbsnHUL5rknSUGiGET9DkNS1n81MmUWYTQUuHdhbV -p x
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    PID:2820
- - C:\Users\Admin\AppData\Roaming\Images\NsGpuCNMiner.exe
    "C:\Users\Admin\AppData\Roaming\Images\NsGpuCNMiner.exe" -dbg -1 -o stratum+tcp://mine.moneropool.com:3333 -u 43f2365syasJKRGGL9H5fdiS2NfEnvn6Yd2vB8HxcqbMhXWgrmQK48EbsnHUL5rknSUGiGET9DkNS1n81MmUWYTQUuHdhbV -p x
    3⤵
    - Executes dropped EXE
    PID:2112
- - C:\Users\Admin\AppData\Roaming\Images\load.exe
    "C:\Users\Admin\AppData\Roaming\Images\load.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7067C2300B3C5B8750D4DEF7C03F30B0

Filesize
345B

MD5
1a2fcc2b961beda04d8f8d4135759a4c

SHA1
25dc5eee0333533aa0476fbe9d35ecc77f48a460

SHA256
ac6b6025fd3a31beb1cb8f4b9bcad7b941312b12ac8a74aa1219fff35f865171

SHA512
426970f0f185ddd71c7767b19a56a46007ee76db9ecb2546f3ff1da46f19828327dc294fb81ba350fcf1df7c64778acbbb521fa9ebf12bd597d74df90bfd4b06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
c1a8b28c217162124acb924b0e517f05

SHA1
28e9ff0f110f87e4d37133aa19af8d0a2f9f31c1

SHA256
6739a673d693087a579be3437fe7bd7c6e79964efc7f0ec1202bcc5ce44325dd

SHA512
ff57eae71b5fceb791a0c9239f90b9af96326eda99cc4c4ab64579938d5ba319c3ae3333da3e3607ccca5b21ffc256cf47f71964671d6d666bb8c5526b6d2fc2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7067C2300B3C5B8750D4DEF7C03F30B0

Filesize
544B

MD5
6a28311dcfac7e8c3627edf07f23fa47

SHA1
a8582aa0e4e71e6fd319b3f953df07e23acd5061

SHA256
ac7b9d9960b459ce142c25c8dcdb9685b9a07e56d7cb86603b1df94ff8a77cb5

SHA512
07c3f26d38e603cf4abd4a897e94dd82833aef7eaf78b02ffadb487cd742c3adbd86fffb9e87be63ad66a5cd8d0919d0b8c427bbb74d70c71da931c400b7c1be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab965.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB33C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Images\pools.txt

Filesize
160B

MD5
7dc8fd6041f1fd72d9ca2140d0973e5f

SHA1
f51572e60f541044672256c1f2aab74736d78c33

SHA256
b209b7af96ab8da92860bda8856a4b5632e142011489de12cac9487fc22c652d

SHA512
9abc1a281287665378544d1766ac86a1cb217ba0daf1ed27e05d58bfd4e048237292e531b13e9c1bf3349dfcd9bada23dadd482a4ae267a58a97809f8c03774a

Download Submit
\Users\Admin\AppData\Local\Temp\nsjE090.tmp\inetc.dll

Filesize
21KB

MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
\Users\Admin\AppData\Local\Temp\nsz4E2.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Roaming\Images\NsCpuCNMiner64.exe

Filesize
1.5MB

MD5
eedb9d86ae8abc65fa7ac7c6323d4e8f

SHA1
ce1fbf382e89146ea5a22ae551b68198c45f40e4

SHA256
d0326f0ddce4c00f93682e3a6f55a3125f6387e959e9ed6c5e5584e78e737078

SHA512
9de3390197a02965feed6acdc77a292c0ef160e466fbfc9500fa7de17b0225a935127da71029cb8006bc7a5f4b5457319362b7a7caf4c0bf92174d139ed52ab5

Download Submit
\Users\Admin\AppData\Roaming\Images\NsGpuCNMiner.exe

Filesize
1.5MB

MD5
35d2c42b6ee0acbce9dfe8cc418fe5d8

SHA1
66b965d1ee4013c80f7e0e27725e43f3d316325a

SHA256
7a2a860bb344526e8546acd172522b4d276a4647f43dd4720281d40e390b283e

SHA512
00d89a686995d7b2415f6de5786a175232606cb962744149129ed329fcbf0d4ee076e9bc1125adcaa58571ade5f22372b0bef2d2af78dd12378654e6e23b5ebf

Download Submit
\Users\Admin\AppData\Roaming\Images\image.exe

Filesize
4.5MB

MD5
32f21ab8cf9b96e8ba86395a0edc2e4f

SHA1
2a5b3c07e32b3b2b0c1ef33a10685027703440ec

SHA256
20389c7d417ec512e18bb246a693ce37e041390b6cf1cdd5dca0728b709f910d

SHA512
d7fc84e52ad671f55f07bd46a06ea3b881606f21c457e21d50bc45e08339926d13890792503d3bca46edc866f7a739cf7b845f0182ed18bcdb70bca1db011f6c

Download Submit
\Users\Admin\AppData\Roaming\Images\load.exe

Filesize
44KB

MD5
bc6db57b6f9118ecb27625cb7646688a

SHA1
0f864d398c98f3bde6304145b3f65fa65e62d320

SHA256
115d327daa7b69fac688a274f18629d3a0dbc92726413af45ab71e51bd03df28

SHA512
815d2195c8e8e0e4a9d922f9c6e17259be78ceda370968c2aa1a8fbc82717cdc7d255dbfa9f95e8dab931c18f03d08eef3fb0e3231a8f01cb0bfda64eb53d754

Download Submit
memory/2112-86-0x000000013FF30000-0x00000001402EC000-memory.dmp

Filesize
3.7MB

Download
memory/2820-89-0x000000013F0A0000-0x000000013F44D000-memory.dmp

Filesize
3.7MB

Download
memory/2820-75-0x000000013F0A0000-0x000000013F44D000-memory.dmp

Filesize
3.7MB

Download
memory/2820-108-0x000000013F0A0000-0x000000013F44D000-memory.dmp

Filesize
3.7MB

Download
memory/2848-64-0x0000000003460000-0x000000000380D000-memory.dmp

Filesize
3.7MB

Download
memory/2848-84-0x0000000003460000-0x000000000381C000-memory.dmp

Filesize
3.7MB

Download
memory/2848-107-0x0000000003460000-0x000000000380D000-memory.dmp

Filesize
3.7MB

Download
memory/2848-114-0x0000000003460000-0x000000000381C000-memory.dmp

Filesize
3.7MB

Download