Overview

overview

10

Static

static

31266b2b81...2e.exe

windows7_x64

10

31266b2b81...2e.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    187s
  • max time network
    186s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-06-2022 00:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    31266b2b81192e3794cbbc3340545f10d57c4a327814cfdff35c1560de352c2e.exe

  • Size

    2.7MB

  • MD5

    5af6f9cfc9e093a49b9120cfa4ad66f3

  • SHA1

    75dab6481ac8d41fdb02d1c88bdc0636b68accea

  • SHA256

    31266b2b81192e3794cbbc3340545f10d57c4a327814cfdff35c1560de352c2e

  • SHA512

    8340c80b61c18b06b3c8ae02b9e96df99ae77a40634679490ee0b7a6a597d73659808c66d64fe63aa3f48de52b9689519684ae27ab2cc668d6a26fbde32b4348

Score
10/10
loaderbotxmrigloaderminerpersistence

Malware Config

Signatures

  • LoaderBot

    LoaderBot is a loader written in .NET downloading and executing miners.

    loaderminerloaderbot
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Detected Stratum cryptominer command 1 IoCs

    Looks to be attempting to contact Stratum mining pool.

    miner
  • LoaderBot executable 4 IoCs
  • XMRig Miner Payload 2 IoCs
    miner
  • Executes dropped EXE 1 IoCs
  • Cryptocurrency Miner

    Makes network request to known mining pool URL.

    miner
  • Drops startup file 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\31266b2b81192e3794cbbc3340545f10d57c4a327814cfdff35c1560de352c2e.exe
    "C:\Users\Admin\AppData\Local\Temp\31266b2b81192e3794cbbc3340545f10d57c4a327814cfdff35c1560de352c2e.exe"
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1852
    • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u tawervladislav@mail.ru -p x -k -v=0 --donate-level=1 -t 1
      2⤵
      • Detected Stratum cryptominer command
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    Filesize

    3.5MB

    MD5

    cf36d20a96903fb4d0e92eb4fe873ab8

    SHA1

    c789a22bd215bfc2a698fda1295f295745f34d35

    SHA256

    d38ee5052fa13de8b3db050fe84fb89e7946446e2cd5b826fbd31792e406aae2

    SHA512

    d117cecf9ef9d1f2aab1bd80f6947872c8cc8e18a36ce41f1cb25b1fac008e9c5fae7f0f0093f78835b3967582f7556fd626fd8c8c1fa32d41359ef0206e9535

    Download Submit
  • \Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    Filesize

    3.5MB

    MD5

    cf36d20a96903fb4d0e92eb4fe873ab8

    SHA1

    c789a22bd215bfc2a698fda1295f295745f34d35

    SHA256

    d38ee5052fa13de8b3db050fe84fb89e7946446e2cd5b826fbd31792e406aae2

    SHA512

    d117cecf9ef9d1f2aab1bd80f6947872c8cc8e18a36ce41f1cb25b1fac008e9c5fae7f0f0093f78835b3967582f7556fd626fd8c8c1fa32d41359ef0206e9535

    Download Submit
  • memory/1660-63-0x00000000004B0000-0x00000000004B4000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1660-58-0x0000000000000000-mapping.dmp
    Download
  • memory/1660-61-0x0000000140000000-0x00000001404AB000-memory.dmp
    Filesize

    4.7MB

    Download
  • memory/1660-62-0x00000000004A0000-0x00000000004B0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1660-66-0x0000000140000000-0x00000001404AB000-memory.dmp
    Filesize

    4.7MB

    Download
  • memory/1852-56-0x0000000000AF0000-0x000000000120A000-memory.dmp
    Filesize

    7.1MB

    Download
  • memory/1852-55-0x0000000000AF0000-0x0000000000AF2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1852-60-0x0000000007BE0000-0x000000000808B000-memory.dmp
    Filesize

    4.7MB

    Download
  • memory/1852-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1852-64-0x0000000000AF0000-0x000000000120A000-memory.dmp
    Filesize

    7.1MB

    Download
  • memory/1852-65-0x0000000007BE0000-0x000000000808B000-memory.dmp
    Filesize

    4.7MB

    Download