loaderbot | 1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7 | Triage

Analysis

max time kernel
153s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
12/06/2022, 16:31 UTC

Sharing

Report Analysis Logs

General

Target

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe
Size

16KB
MD5

b62ad5096a4d3d518728bd35daf2eaf0
SHA1

4f8fceb017f26cecdc109563b41f8118c64db7dd
SHA256

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7
SHA512

e4eaa6726d6f34364e206d991a6e7c730e4301c6e1de2d58523ca5819f598a92c64f39fa54b2a0afd6684288c640356722a412433ad912ae944a1002f732bec5
SSDEEP

384:yKBvkPHxH19GTXjdh5luujYcV6AUwJFZb:yYeRV9AhzfYcV6Dw9b

Score

10^/10

loaderbot loader miner persistence

Malware Config

Extracted

Family

loaderbot

C2

http://user79913.7ci.ru/cmd.php

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot

LoaderBot executable 1 IoCs

resource	yara_rule
behavioral2/memory/3648-130-0x0000000000AC0000-0x0000000000ACA000-memory.dmp	loaderbot

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Webhost.url	1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Adds Run key to start application 2 TTPs 2 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Webhost = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe"	1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Webhost = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe"	1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task

pid	Process
2424	schtasks.exe
4480	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3648	1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe
4428	1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3648	1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3648	1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe
Token: SeDebugPrivilege	4428	1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3648 wrote to memory of 3376	3648	1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe	77
PID 3648 wrote to memory of 3376	3648	1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe	77
PID 3648 wrote to memory of 3376	3648	1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe	77
PID 3376 wrote to memory of 2424	3376	cmd.exe	79
PID 3376 wrote to memory of 2424	3376	cmd.exe	79
PID 3376 wrote to memory of 2424	3376	cmd.exe	79
PID 4428 wrote to memory of 1944	4428	1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe	86
PID 4428 wrote to memory of 1944	4428	1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe	86
PID 4428 wrote to memory of 1944	4428	1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe	86
PID 1944 wrote to memory of 4480	1944	cmd.exe	88
PID 1944 wrote to memory of 4480	1944	cmd.exe	88
PID 1944 wrote to memory of 4480	1944	cmd.exe	88

C:\Users\Admin\AppData\Local\Temp\1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe
"C:\Users\Admin\AppData\Local\Temp\1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /C schtasks /create /tn \System\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn \System\SecurityServiceUpdate /tr C:\Users\Admin\AppData\Roaming\Windows\1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
    3⤵
    - Creates scheduled task(s)
    PID:2424

C:\Users\Admin\AppData\Roaming\Windows\1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe
C:\Users\Admin\AppData\Roaming\Windows\1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /C schtasks /create /tn \System\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn \System\SecurityServiceUpdate /tr C:\Users\Admin\AppData\Roaming\Windows\1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
    3⤵
    - Creates scheduled task(s)
    PID:4480

Network

DNS

user79913.7ci.ru

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Remote address:

8.8.8.8:53

Request

user79913.7ci.ru

IN A

Response
DNS

user79913.7ci.ru

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Remote address:

8.8.8.8:53

Request

user79913.7ci.ru

IN A

Response
DNS

user79913.7ci.ru

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Remote address:

8.8.8.8:53

Request

user79913.7ci.ru

IN A

Response
DNS

user79913.7ci.ru

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Remote address:

8.8.8.8:53

Request

user79913.7ci.ru

IN A

Response
DNS

user79913.7ci.ru

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Remote address:

8.8.8.8:53

Request

user79913.7ci.ru

IN A

Response
DNS

user79913.7ci.ru

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Remote address:

8.8.8.8:53

Request

user79913.7ci.ru

IN A

Response
DNS

user79913.7ci.ru

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Remote address:

8.8.8.8:53

Request

user79913.7ci.ru

IN A

Response
DNS

user79913.7ci.ru

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Remote address:

8.8.8.8:53

Request

user79913.7ci.ru

IN A

Response
DNS

user79913.7ci.ru

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Remote address:

8.8.8.8:53

Request

user79913.7ci.ru

IN A

Response
DNS

user79913.7ci.ru

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Remote address:

8.8.8.8:53

Request

user79913.7ci.ru

IN A

Response
DNS

user79913.7ci.ru

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Remote address:

8.8.8.8:53

Request

user79913.7ci.ru

IN A

Response
DNS

user79913.7ci.ru

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Remote address:

8.8.8.8:53

Request

user79913.7ci.ru

IN A

Response
DNS

226.101.242.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

226.101.242.52.in-addr.arpa

IN PTR

Response
DNS

user79913.7ci.ru

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Remote address:

8.8.8.8:53

Request

user79913.7ci.ru

IN A

Response
DNS

user79913.7ci.ru

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Remote address:

8.8.8.8:53

Request

user79913.7ci.ru

IN A

Response
DNS

user79913.7ci.ru

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Remote address:

8.8.8.8:53

Request

user79913.7ci.ru

IN A

Response
DNS

user79913.7ci.ru

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Remote address:

8.8.8.8:53

Request

user79913.7ci.ru

IN A

Response
DNS

user79913.7ci.ru

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Remote address:

8.8.8.8:53

Request

user79913.7ci.ru

IN A

Response
DNS

user79913.7ci.ru

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Remote address:

8.8.8.8:53

Request

user79913.7ci.ru

IN A

Response
DNS

user79913.7ci.ru

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Remote address:

8.8.8.8:53

Request

user79913.7ci.ru

IN A

Response
DNS

user79913.7ci.ru

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Remote address:

8.8.8.8:53

Request

user79913.7ci.ru

IN A

Response
DNS

user79913.7ci.ru

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Remote address:

8.8.8.8:53

Request

user79913.7ci.ru

IN A

Response
DNS

user79913.7ci.ru

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Remote address:

8.8.8.8:53

Request

user79913.7ci.ru

IN A

Response
DNS

user79913.7ci.ru

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Remote address:

8.8.8.8:53

Request

user79913.7ci.ru

IN A

Response
DNS

user79913.7ci.ru

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Remote address:

8.8.8.8:53

Request

user79913.7ci.ru

IN A
DNS

user79913.7ci.ru

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Remote address:

8.8.8.8:53

Request

user79913.7ci.ru

IN A

Response
DNS

user79913.7ci.ru

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Remote address:

8.8.8.8:53

Request

user79913.7ci.ru

IN A

Response
DNS

user79913.7ci.ru

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Remote address:

8.8.8.8:53

Request

user79913.7ci.ru

IN A

Response
DNS

user79913.7ci.ru

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Remote address:

8.8.8.8:53

Request

user79913.7ci.ru

IN A

Response
DNS

user79913.7ci.ru

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

Remote address:

8.8.8.8:53

Request

user79913.7ci.ru

IN A

Response

13.107.21.200:443

www.bing.com

tls, https

2.8kB
8.4kB
19
15
209.197.3.8:80

322 B
7
209.197.3.8:80

322 B
7
209.197.3.8:80

322 B
7

8.8.8.8:53

user79913.7ci.ru

dns

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

62 B
62 B
1
1

DNS Request

user79913.7ci.ru
8.8.8.8:53

user79913.7ci.ru

dns

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

62 B
62 B
1
1

DNS Request

user79913.7ci.ru
8.8.8.8:53

user79913.7ci.ru

dns

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

62 B
62 B
1
1

DNS Request

user79913.7ci.ru
8.8.8.8:53

user79913.7ci.ru

dns

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

62 B
62 B
1
1

DNS Request

user79913.7ci.ru
8.8.8.8:53

user79913.7ci.ru

dns

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

62 B
62 B
1
1

DNS Request

user79913.7ci.ru
8.8.8.8:53

user79913.7ci.ru

dns

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

62 B
62 B
1
1

DNS Request

user79913.7ci.ru
8.8.8.8:53

user79913.7ci.ru

dns

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

62 B
62 B
1
1

DNS Request

user79913.7ci.ru
8.8.8.8:53

user79913.7ci.ru

dns

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

62 B
62 B
1
1

DNS Request

user79913.7ci.ru
8.8.8.8:53

user79913.7ci.ru

dns

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

62 B
62 B
1
1

DNS Request

user79913.7ci.ru
8.8.8.8:53

user79913.7ci.ru

dns

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

62 B
62 B
1
1

DNS Request

user79913.7ci.ru
8.8.8.8:53

user79913.7ci.ru

dns

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

62 B
62 B
1
1

DNS Request

user79913.7ci.ru
8.8.8.8:53

user79913.7ci.ru

dns

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

62 B
62 B
1
1

DNS Request

user79913.7ci.ru
8.8.8.8:53

226.101.242.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

226.101.242.52.in-addr.arpa
8.8.8.8:53

user79913.7ci.ru

dns

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

62 B
62 B
1
1

DNS Request

user79913.7ci.ru
8.8.8.8:53

user79913.7ci.ru

dns

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

62 B
62 B
1
1

DNS Request

user79913.7ci.ru
8.8.8.8:53

user79913.7ci.ru

dns

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

62 B
62 B
1
1

DNS Request

user79913.7ci.ru
8.8.8.8:53

user79913.7ci.ru

dns

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

62 B
62 B
1
1

DNS Request

user79913.7ci.ru
8.8.8.8:53

user79913.7ci.ru

dns

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

62 B
62 B
1
1

DNS Request

user79913.7ci.ru
8.8.8.8:53

user79913.7ci.ru

dns

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

62 B
62 B
1
1

DNS Request

user79913.7ci.ru
8.8.8.8:53

user79913.7ci.ru

dns

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

62 B
62 B
1
1

DNS Request

user79913.7ci.ru
8.8.8.8:53

user79913.7ci.ru

dns

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

62 B
62 B
1
1

DNS Request

user79913.7ci.ru
8.8.8.8:53

user79913.7ci.ru

dns

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

62 B
62 B
1
1

DNS Request

user79913.7ci.ru
8.8.8.8:53

user79913.7ci.ru

dns

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

62 B
62 B
1
1

DNS Request

user79913.7ci.ru
8.8.8.8:53

user79913.7ci.ru

dns

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

124 B
62 B
2
1

DNS Request

user79913.7ci.ru

DNS Request

user79913.7ci.ru
8.8.8.8:53

user79913.7ci.ru

dns

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

62 B
62 B
1
1

DNS Request

user79913.7ci.ru
8.8.8.8:53

user79913.7ci.ru

dns

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

62 B
62 B
1
1

DNS Request

user79913.7ci.ru
8.8.8.8:53

user79913.7ci.ru

dns

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

62 B
62 B
1
1

DNS Request

user79913.7ci.ru
8.8.8.8:53

user79913.7ci.ru

dns

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

62 B
62 B
1
1

DNS Request

user79913.7ci.ru
8.8.8.8:53

user79913.7ci.ru

dns

1fd9ff46da9bc4bfdc2fb4d990068500e9c68293eb9509ea5164832f4b2bebf7.exe

62 B
62 B
1
1

DNS Request

user79913.7ci.ru

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3648-130-0x0000000000AC0000-0x0000000000ACA000-memory.dmp

Filesize
40KB

Download
memory/3648-133-0x00000000056C0000-0x0000000005726000-memory.dmp

Filesize
408KB

Download