loaderbot | 956ed3d65647e3c2ef5d8d2c765cc5b6af731fc921572a1a52cbff17e40bacb2

Analysis

max time kernel
111s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
18/04/2022, 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

956ed3d65647e3c2ef5d8d2c765cc5b6af731fc921572a1a52cbff17e40bacb2.exe
Size

5.2MB
MD5

9b23553f7d72ad29c16700674f7ec980
SHA1

95430ab8181b01887fee0f3091e00cdad4fa8a07
SHA256

956ed3d65647e3c2ef5d8d2c765cc5b6af731fc921572a1a52cbff17e40bacb2
SHA512

bc5f818d7209dc5ad37669d10568c496ad59a1d5ea65c937fbccc47f2f6aa56a872f6f0feaeae8d246b0e17a75326efd5c07844ba727755cf6f33f983841c94a

Score

10^/10

loaderbot loader miner persistence

Malware Config

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner

LoaderBot executable 4 IoCs

resource	yara_rule
behavioral2/files/0x00060000000231ec-140.dat	loaderbot
behavioral2/files/0x00060000000231ec-141.dat	loaderbot
behavioral2/memory/3048-142-0x00000000003D0000-0x00000000007CE000-memory.dmp	loaderbot
behavioral2/memory/4600-148-0x0000000000000000-0x0000000010000000-memory.dmp	loaderbot

Executes dropped EXE 3 IoCs

pid	Process
4016	CDS.exe
3048	crypted.exe
4600	Driver.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	CDS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	crypted.exe

Cryptocurrency Miner
Makes network request to known mining pool URL.
miner

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	crypted.exe

Loads dropped DLL 1 IoCs

pid	Process
4016	CDS.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\crypted.exe"	crypted.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	956ed3d65647e3c2ef5d8d2c765cc5b6af731fc921572a1a52cbff17e40bacb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	956ed3d65647e3c2ef5d8d2c765cc5b6af731fc921572a1a52cbff17e40bacb2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
4016	CDS.exe
4016	CDS.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe
3048	crypted.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: 33	3972	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3972	AUDIODG.EXE
Token: SeDebugPrivilege	3048	crypted.exe
Token: SeLockMemoryPrivilege	4600	Driver.exe
Token: SeLockMemoryPrivilege	4600	Driver.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4016	CDS.exe
4016	CDS.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 4016	2336	956ed3d65647e3c2ef5d8d2c765cc5b6af731fc921572a1a52cbff17e40bacb2.exe	79
PID 2336 wrote to memory of 4016	2336	956ed3d65647e3c2ef5d8d2c765cc5b6af731fc921572a1a52cbff17e40bacb2.exe	79
PID 2336 wrote to memory of 4016	2336	956ed3d65647e3c2ef5d8d2c765cc5b6af731fc921572a1a52cbff17e40bacb2.exe	79
PID 4016 wrote to memory of 3048	4016	CDS.exe	81
PID 4016 wrote to memory of 3048	4016	CDS.exe	81
PID 4016 wrote to memory of 3048	4016	CDS.exe	81
PID 3048 wrote to memory of 4600	3048	crypted.exe	85
PID 3048 wrote to memory of 4600	3048	crypted.exe	85

C:\Users\Admin\AppData\Local\Temp\956ed3d65647e3c2ef5d8d2c765cc5b6af731fc921572a1a52cbff17e40bacb2.exe
"C:\Users\Admin\AppData\Local\Temp\956ed3d65647e3c2ef5d8d2c765cc5b6af731fc921572a1a52cbff17e40bacb2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4600

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x4a0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png

Filesize
2KB

MD5
340b294efc691d1b20c64175d565ebc7

SHA1
81cb9649bd1c9a62ae79e781818fc24d15c29ce7

SHA256
72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9

SHA512
1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd

Filesize
13KB

MD5
3e7ecaeb51c2812d13b07ec852d74aaf

SHA1
e9bdab93596ffb0f7f8c65243c579180939acb26

SHA256
e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96

SHA512
635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

Filesize
6.1MB

MD5
424bf196deaeb4ddcafb78e137fa560a

SHA1
007738e9486c904a3115daa6e8ba2ee692af58c8

SHA256
0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

SHA512
a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

Filesize
6.1MB

MD5
424bf196deaeb4ddcafb78e137fa560a

SHA1
007738e9486c904a3115daa6e8ba2ee692af58c8

SHA256
0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

SHA512
a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat

Filesize
4.0MB

MD5
b2ee98fed68aa4abe6a49354b76464e1

SHA1
e449190e1f26d956d0826c12452995683611a6de

SHA256
61275846dcf5df8a772001ca520fc3f3d8ca74c2f797b484a99f32954db2a9b2

SHA512
975c5b9e97a11796e06a89e205234a0785fb7727915772c1e9ed5fcb0a84942948f98cc9e6ec5cd149b922776257b4311f8b2226e6ea578aa3292c83c82122cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

Filesize
4.0MB

MD5
e8a55751de9f1c1267f8eecde1f5b6b1

SHA1
45feee9c1eb8e2bd4aed5422bccc03482f762220

SHA256
a35610c6018264da8f99043ad701e330d2ee21f244e08f93ca470a660a1df298

SHA512
fe9848e45555dc939a63c891d07231e98cfc5291603767f585ec4602caf7808a4aba71a6c14eafdc9d67d01bcf816a9904813636c6ef31f74f3a56cd6bb3aa62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

Filesize
4.0MB

MD5
e8a55751de9f1c1267f8eecde1f5b6b1

SHA1
45feee9c1eb8e2bd4aed5422bccc03482f762220

SHA256
a35610c6018264da8f99043ad701e330d2ee21f244e08f93ca470a660a1df298

SHA512
fe9848e45555dc939a63c891d07231e98cfc5291603767f585ec4602caf7808a4aba71a6c14eafdc9d67d01bcf816a9904813636c6ef31f74f3a56cd6bb3aa62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings

Filesize
5B

MD5
68934a3e9455fa72420237eb05902327

SHA1
7cb6efb98ba5972a9b5090dc2e517fe14d12cb04

SHA256
fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa

SHA512
719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll

Filesize
322KB

MD5
c3256800dce47c14acc83ccca4c3e2ac

SHA1
9d126818c66991dbc3813a65eddb88bbcf77f30a

SHA256
f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

SHA512
6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll

Filesize
322KB

MD5
c3256800dce47c14acc83ccca4c3e2ac

SHA1
9d126818c66991dbc3813a65eddb88bbcf77f30a

SHA256
f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

SHA512
6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
memory/3048-143-0x0000000005300000-0x0000000005366000-memory.dmp

Filesize
408KB

Download
memory/3048-142-0x00000000003D0000-0x00000000007CE000-memory.dmp

Filesize
4.0MB

Download
memory/4600-147-0x00000000001D0000-0x00000000001E4000-memory.dmp

Filesize
80KB

Download
memory/4600-148-0x0000000000000000-0x0000000010000000-memory.dmp

Filesize
256.0MB

Download
memory/4600-149-0x0000000000000000-0x0000000010000000-memory.dmp

Filesize
256.0MB

Download