loaderbot | 4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f

General

Target

4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe
Size

16KB
MD5

8cf4757166d5ee6296aba9e94ed88577
SHA1

aa7d02b4bd307fe30f1b154ba4d840a05a28cebc
SHA256

4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f
SHA512

93475f842cf9f973a34878c46334b8dd1c83d14f26fc672c99d3f33e4fc3ddc18c77cf2251f0b3c2081d4a3d8ace10beb2e71cee1057e2bab8837d0488d1a002
SSDEEP

384:WWxvd9PWblH19GTXjdh0luujYcV6AUwJFZb:WUfeV9AhofYcV6Dw9b

Score

10^/10

loaderbot loader miner persistence

Malware Config

Extracted

Family

loaderbot

C2

http://user80172.7ci.ru/cmd.php

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot

LoaderBot executable 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1480-54-0x0000000000F30000-0x0000000000F3A000-memory.dmp	loaderbot

Drops startup file 1 IoCs

Processes:

4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Webhost.url	4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\Webhost = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe"	4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1488 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe

pid process

1480 4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe

pid process

1480 4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe

description pid process

Token: SeDebugPrivilege 1480 4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe

pid	process
1488	schtasks.exe

pid	process
1480	4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe

pid	process
1480	4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe

description	pid	process
Token: SeDebugPrivilege	1480	4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.execmd.exe

description	pid	process	target process
PID 1480 wrote to memory of 2044	1480	4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe	cmd.exe
PID 1480 wrote to memory of 2044	1480	4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe	cmd.exe
PID 1480 wrote to memory of 2044	1480	4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe	cmd.exe
PID 1480 wrote to memory of 2044	1480	4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe	cmd.exe
PID 2044 wrote to memory of 1488	2044	cmd.exe	schtasks.exe
PID 2044 wrote to memory of 1488	2044	cmd.exe	schtasks.exe
PID 2044 wrote to memory of 1488	2044	cmd.exe	schtasks.exe
PID 2044 wrote to memory of 1488	2044	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe
"C:\Users\Admin\AppData\Local\Temp\4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /C schtasks /create /tn \System\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn \System\SecurityServiceUpdate /tr C:\Users\Admin\AppData\Roaming\Windows\4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
    3⤵
    - Creates scheduled task(s)
    PID:1488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1480-54-0x0000000000F30000-0x0000000000F3A000-memory.dmp

Filesize
40KB

Download
memory/1480-56-0x0000000075A61000-0x0000000075A63000-memory.dmp

Filesize
8KB

Download
memory/1488-57-0x0000000000000000-mapping.dmp

Download
memory/2044-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads