Analysis
-
max time kernel
151s -
max time network
157s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
12-06-2022 16:31
General
-
Target
1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe
-
Size
16KB
-
MD5
b62ad5096a4d3d518728bd35daf2eaf0
-
SHA1
4f8fceb017f26cecdc109563b41f8118c64db7dd
-
SHA256
1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7
-
SHA512
e4eaa6726d6f34364e206d991a6e7c730e4301c6e1de2d58523ca5819f598a92c64f39fa54b2a0afd6684288c640356722a412433ad912ae944a1002f732bec5
-
SSDEEP
384:yKBvkPHxH19GTXjdh5luujYcV6AUwJFZb:yYeRV9AhzfYcV6Dw9b
Score
10/10
Malware Config
Extracted
Family
loaderbot
C2
http://user79913.7ci.ru/cmd.php
Signatures
-
LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
-
LoaderBot executable 1 IoCs
-
Drops startup file 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe"C:\Users\Admin\AppData\Local\Temp\1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd" /C schtasks /create /tn \System\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn \System\SecurityServiceUpdate /tr C:\Users\Admin\AppData\Roaming\Windows\1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {1DAD03DC-87F2-462D-8790-AD2E9A390D37} S-1-5-21-1083475884-596052423-1669053738-1000:WYZSGDWS\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows\1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exeC:\Users\Admin\AppData\Roaming\Windows\1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd" /C schtasks /create /tn \System\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn \System\SecurityServiceUpdate /tr C:\Users\Admin\AppData\Roaming\Windows\1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f4⤵
- Creates scheduled task(s)
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
40KB
-
Filesize
8KB