loaderbot | c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d

General

Target

c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe
Size

16KB
MD5

6bd58a85b177f63258c7e23abc6857a0
SHA1

4b72403d1fb6cd8b685e6453f8734e8a74b2568b
SHA256

c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d
SHA512

cd3dc83bce9bb634a0dfdbf2c074df1d9e1a12773c412cfab765694f4e7873527675b40a271fa751879baf0ea8eb7bc8a071a8a90ff1290bb96f3eca2b39705a
SSDEEP

384:DWxvd9PWblH19GTXjdh9mnuujYcV6AUwJFZb:DUfeV9AhEfYcV6Dw9b

Score

10^/10

loaderbot loader miner persistence

Malware Config

Extracted

Family

loaderbot

C2

http://user79675.7ci.ru/cmd.php

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot

LoaderBot executable 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1412-54-0x0000000000830000-0x000000000083A000-memory.dmp	loaderbot

Drops startup file 1 IoCs

Processes:

c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Webhost.url	c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exec9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\Webhost = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe"	c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4084403625-2215941253-1760665084-1000\Software\Microsoft\Windows\CurrentVersion\Run\Webhost = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe"	c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1520 schtasks.exe
1588 schtasks.exe

pid	process
1520	schtasks.exe
1588	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exec9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe

pid	process
1412	c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe
1356	c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe

pid process

1412 c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exec9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe

description	pid	process
Token: SeDebugPrivilege	1412	c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe
Token: SeDebugPrivilege	1356	c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.execmd.exetaskeng.exec9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.execmd.exe

description	pid	process	target process
PID 1412 wrote to memory of 1544	1412	c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe	cmd.exe
PID 1412 wrote to memory of 1544	1412	c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe	cmd.exe
PID 1412 wrote to memory of 1544	1412	c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe	cmd.exe
PID 1412 wrote to memory of 1544	1412	c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe	cmd.exe
PID 1544 wrote to memory of 1520	1544	cmd.exe	schtasks.exe
PID 1544 wrote to memory of 1520	1544	cmd.exe	schtasks.exe
PID 1544 wrote to memory of 1520	1544	cmd.exe	schtasks.exe
PID 1544 wrote to memory of 1520	1544	cmd.exe	schtasks.exe
PID 1528 wrote to memory of 1356	1528	taskeng.exe	c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe
PID 1528 wrote to memory of 1356	1528	taskeng.exe	c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe
PID 1528 wrote to memory of 1356	1528	taskeng.exe	c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe
PID 1528 wrote to memory of 1356	1528	taskeng.exe	c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe
PID 1356 wrote to memory of 1512	1356	c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe	cmd.exe
PID 1356 wrote to memory of 1512	1356	c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe	cmd.exe
PID 1356 wrote to memory of 1512	1356	c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe	cmd.exe
PID 1356 wrote to memory of 1512	1356	c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe	cmd.exe
PID 1512 wrote to memory of 1588	1512	cmd.exe	schtasks.exe
PID 1512 wrote to memory of 1588	1512	cmd.exe	schtasks.exe
PID 1512 wrote to memory of 1588	1512	cmd.exe	schtasks.exe
PID 1512 wrote to memory of 1588	1512	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe
"C:\Users\Admin\AppData\Local\Temp\c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /C schtasks /create /tn \System\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn \System\SecurityServiceUpdate /tr C:\Users\Admin\AppData\Roaming\Windows\c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
    3⤵
    - Creates scheduled task(s)
    PID:1520

C:\Windows\system32\taskeng.exe
taskeng.exe {5469654B-1B2D-48E0-BB64-1B4A62A5DFAB} S-1-5-21-4084403625-2215941253-1760665084-1000:LDLTPJLN\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Users\Admin\AppData\Roaming\Windows\c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe
  C:\Users\Admin\AppData\Roaming\Windows\c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /C schtasks /create /tn \System\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn \System\SecurityServiceUpdate /tr C:\Users\Admin\AppData\Roaming\Windows\c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
      4⤵
      Creates scheduled task(s)
      PID:1588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1356-58-0x0000000000000000-mapping.dmp

Download
memory/1412-54-0x0000000000830000-0x000000000083A000-memory.dmp

Filesize
40KB

Download
memory/1412-56-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download
memory/1512-59-0x0000000000000000-mapping.dmp

Download
memory/1520-57-0x0000000000000000-mapping.dmp

Download
memory/1544-55-0x0000000000000000-mapping.dmp

Download
memory/1588-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads