loaderbot | 1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848

Analysis

max time kernel
151s
max time network
155s
platform
windows7_x64
resource
win7-20220414-en
submitted
08-06-2022 21:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
Size

663KB
MD5

259716fa526d79543988edace76417a7
SHA1

d932ebd91d7ce77bb7be00abbb308c1cb3961d2b
SHA256

1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848
SHA512

e639e7c73f8e78f1cc01801673245c303943195f2d39aa0da00104bfba4c69dfaea35d733824f73776beb8691421c207f8e314609942ff502f7c2c52377b5820
SSDEEP

12288:HPSEujS44WCfXXQIhA+NlM5Chr9rNLP1PCZK099CAYVZ:HMS4/0Xvh/lM54N7CZKC9CBz

Score

10^/10

loaderbot xmrig loader miner persistence suricata

Malware Config

Extracted

Family

loaderbot

http://179.43.147.227/mine/cmd.php

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot
suricata: ET MALWARE CerberTear Ransomware CnC Checkin
suricata: ET MALWARE CerberTear Ransomware CnC Checkin
suricata
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

LoaderBot executable 5 IoCs

resource	yara_rule
behavioral1/memory/1508-56-0x0000000000400000-0x000000000049A000-memory.dmp	loaderbot
behavioral1/memory/1860-59-0x0000000000C90000-0x0000000000D26000-memory.dmp	loaderbot
behavioral1/memory/1508-60-0x0000000000400000-0x000000000049A000-memory.dmp	loaderbot
behavioral1/memory/1508-57-0x0000000000494FEE-mapping.dmp	loaderbot
behavioral1/memory/1508-62-0x0000000000400000-0x000000000049A000-memory.dmp	loaderbot

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/1508-56-0x0000000000400000-0x000000000049A000-memory.dmp	xmrig
behavioral1/memory/1860-59-0x0000000000C90000-0x0000000000D26000-memory.dmp	xmrig
behavioral1/memory/1508-60-0x0000000000400000-0x000000000049A000-memory.dmp	xmrig
behavioral1/memory/1508-57-0x0000000000494FEE-mapping.dmp	xmrig
behavioral1/memory/1508-62-0x0000000000400000-0x000000000049A000-memory.dmp	xmrig
behavioral1/files/0x000a0000000122f7-66.dat	xmrig
behavioral1/files/0x000a0000000122f7-68.dat	xmrig

Executes dropped EXE 1 IoCs

pid	Process
1656	AudioDriver.exe

Cryptocurrency Miner
Makes network request to known mining pool URL.
miner

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AudioDriver.url	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe

Loads dropped DLL 1 IoCs

pid	Process
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\AudioDriver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe"	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1860 set thread context of 1508	1860	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe	27

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
Token: SeLockMemoryPrivilege	1656	AudioDriver.exe
Token: SeLockMemoryPrivilege	1656	AudioDriver.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 1508	1860	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe	27
PID 1860 wrote to memory of 1508	1860	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe	27
PID 1860 wrote to memory of 1508	1860	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe	27
PID 1860 wrote to memory of 1508	1860	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe	27
PID 1860 wrote to memory of 1508	1860	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe	27
PID 1860 wrote to memory of 1508	1860	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe	27
PID 1860 wrote to memory of 1508	1860	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe	27
PID 1860 wrote to memory of 1508	1860	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe	27
PID 1860 wrote to memory of 1508	1860	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe	27
PID 1508 wrote to memory of 1656	1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe	29
PID 1508 wrote to memory of 1656	1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe	29
PID 1508 wrote to memory of 1656	1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe	29
PID 1508 wrote to memory of 1656	1508	1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe	29

C:\Users\Admin\AppData\Local\Temp\1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
"C:\Users\Admin\AppData\Local\Temp\1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Users\Admin\AppData\Local\Temp\1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe
  "C:\Users\Admin\AppData\Local\Temp\1754d64016c758a65cb85df328ffd502a7255a6855d976e3bdeb497f95201848.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Users\Admin\AppData\Roaming\Sysfiles\AudioDriver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\AudioDriver.exe" -o stratum+tcp://xmr.pool.minergate.com:45560 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Sysfiles\AudioDriver.exe

Filesize
576KB

MD5
8f7e699ceed3fd1ae22b55edcf246596

SHA1
1a1b2a2a18651f0ae79b34a8707f8f6ece5cbe2b

SHA256
6fe91d487876165347db6c5bd084101d32704755325b3648099c7b4d02b315a2

SHA512
859e4ede427b20d76ee472575df7e076639f73aa9686aa71969b66b8eb4efc837c03a8d93351059a849b33c081372028a42be55a37360cb155bdce78e3301eec

Download Submit
\Users\Admin\AppData\Roaming\Sysfiles\AudioDriver.exe

Filesize
576KB

MD5
8f7e699ceed3fd1ae22b55edcf246596

SHA1
1a1b2a2a18651f0ae79b34a8707f8f6ece5cbe2b

SHA256
6fe91d487876165347db6c5bd084101d32704755325b3648099c7b4d02b315a2

SHA512
859e4ede427b20d76ee472575df7e076639f73aa9686aa71969b66b8eb4efc837c03a8d93351059a849b33c081372028a42be55a37360cb155bdce78e3301eec

Download Submit
memory/1508-69-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/1508-56-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1508-60-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1508-62-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1508-65-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/1860-59-0x0000000000C90000-0x0000000000D26000-memory.dmp

Filesize
600KB

Download
memory/1860-63-0x00000000740A0000-0x000000007464B000-memory.dmp

Filesize
5.7MB

Download
memory/1860-54-0x0000000075E41000-0x0000000075E43000-memory.dmp

Filesize
8KB

Download
memory/1860-55-0x00000000740A0000-0x000000007464B000-memory.dmp

Filesize
5.7MB

Download