loaderbot | 4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f

General

Target

4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe
Size

16KB
MD5

8cf4757166d5ee6296aba9e94ed88577
SHA1

aa7d02b4bd307fe30f1b154ba4d840a05a28cebc
SHA256

4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f
SHA512

93475f842cf9f973a34878c46334b8dd1c83d14f26fc672c99d3f33e4fc3ddc18c77cf2251f0b3c2081d4a3d8ace10beb2e71cee1057e2bab8837d0488d1a002
SSDEEP

384:WWxvd9PWblH19GTXjdh0luujYcV6AUwJFZb:WUfeV9AhofYcV6Dw9b

Score

10^/10

loaderbot loader miner persistence

Malware Config

Extracted

Family

loaderbot

C2

http://user80172.7ci.ru/cmd.php

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot

LoaderBot executable 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3924-130-0x00000000000D0000-0x00000000000DA000-memory.dmp	loaderbot

Drops startup file 1 IoCs

Processes:

4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Webhost.url	4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Webhost = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe"	4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2592 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe

pid process

3924 4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe

pid process

3924 4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe

description pid process

Token: SeDebugPrivilege 3924 4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe

pid	process
2592	schtasks.exe

pid	process
3924	4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe

pid	process
3924	4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe

description	pid	process
Token: SeDebugPrivilege	3924	4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.execmd.exe

description	pid	process	target process
PID 3924 wrote to memory of 4852	3924	4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe	cmd.exe
PID 3924 wrote to memory of 4852	3924	4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe	cmd.exe
PID 3924 wrote to memory of 4852	3924	4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe	cmd.exe
PID 4852 wrote to memory of 2592	4852	cmd.exe	schtasks.exe
PID 4852 wrote to memory of 2592	4852	cmd.exe	schtasks.exe
PID 4852 wrote to memory of 2592	4852	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe
"C:\Users\Admin\AppData\Local\Temp\4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /C schtasks /create /tn \System\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn \System\SecurityServiceUpdate /tr C:\Users\Admin\AppData\Roaming\Windows\4e88eee64d28ad2a8147d4c2dace3f47811f7fc3eea0e43b29a73473025a978f.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
    3⤵
    - Creates scheduled task(s)
    PID:2592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

Web Service

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2592-132-0x0000000000000000-mapping.dmp

Download
memory/3924-130-0x00000000000D0000-0x00000000000DA000-memory.dmp

Filesize
40KB

Download
memory/3924-133-0x0000000004E10000-0x0000000004E76000-memory.dmp

Filesize
408KB

Download
memory/4852-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads