loaderbot | c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d

General

Target

c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe
Size

16KB
MD5

6bd58a85b177f63258c7e23abc6857a0
SHA1

4b72403d1fb6cd8b685e6453f8734e8a74b2568b
SHA256

c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d
SHA512

cd3dc83bce9bb634a0dfdbf2c074df1d9e1a12773c412cfab765694f4e7873527675b40a271fa751879baf0ea8eb7bc8a071a8a90ff1290bb96f3eca2b39705a
SSDEEP

384:DWxvd9PWblH19GTXjdh9mnuujYcV6AUwJFZb:DUfeV9AhEfYcV6Dw9b

Score

10^/10

loaderbot loader miner persistence

Malware Config

Extracted

Family

loaderbot

C2

http://user79675.7ci.ru/cmd.php

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot

LoaderBot executable 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2016-130-0x00000000000A0000-0x00000000000AA000-memory.dmp	loaderbot

Drops startup file 1 IoCs

Processes:

c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Webhost.url	c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exec9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Webhost = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe"	c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Webhost = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe"	c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4340 schtasks.exe
1832 schtasks.exe

pid	process
4340	schtasks.exe
1832	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exec9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe

pid	process
2016	c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe
4392	c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe

pid process

2016 c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exec9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe

description	pid	process
Token: SeDebugPrivilege	2016	c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe
Token: SeDebugPrivilege	4392	c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.execmd.exec9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.execmd.exe

description	pid	process	target process
PID 2016 wrote to memory of 2060	2016	c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe	cmd.exe
PID 2016 wrote to memory of 2060	2016	c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe	cmd.exe
PID 2016 wrote to memory of 2060	2016	c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe	cmd.exe
PID 2060 wrote to memory of 4340	2060	cmd.exe	schtasks.exe
PID 2060 wrote to memory of 4340	2060	cmd.exe	schtasks.exe
PID 2060 wrote to memory of 4340	2060	cmd.exe	schtasks.exe
PID 4392 wrote to memory of 1176	4392	c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe	cmd.exe
PID 4392 wrote to memory of 1176	4392	c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe	cmd.exe
PID 4392 wrote to memory of 1176	4392	c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe	cmd.exe
PID 1176 wrote to memory of 1832	1176	cmd.exe	schtasks.exe
PID 1176 wrote to memory of 1832	1176	cmd.exe	schtasks.exe
PID 1176 wrote to memory of 1832	1176	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe
"C:\Users\Admin\AppData\Local\Temp\c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \System\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \System\SecurityServiceUpdate /tr C:\Users\Admin\AppData\Roaming\Windows\c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
3⤵
- Creates scheduled task(s)
PID:4340

C:\Users\Admin\AppData\Roaming\Windows\c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe
C:\Users\Admin\AppData\Roaming\Windows\c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4392

C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \System\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \System\SecurityServiceUpdate /tr C:\Users\Admin\AppData\Roaming\Windows\c9146e423c92744eb2960112b45bdbd59f2cbd2ac99d388ab1cafd78181f028d.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
3⤵
- Creates scheduled task(s)
PID:1832

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1176-134-0x0000000000000000-mapping.dmp

Download
memory/1832-135-0x0000000000000000-mapping.dmp

Download
memory/2016-130-0x00000000000A0000-0x00000000000AA000-memory.dmp

Filesize
40KB

Download
memory/2016-132-0x0000000004DF0000-0x0000000004E56000-memory.dmp

Filesize
408KB

Download
memory/2060-131-0x0000000000000000-mapping.dmp

Download
memory/4340-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads