Overview

overview

10

Static

static

F53A85E706...47.exe

windows7-x64

10

F53A85E706...47.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    131s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-11-2022 16:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    F53A85E706B1BF9D2C496436CB3B8047.exe

  • Size

    4.0MB

  • MD5

    f53a85e706b1bf9d2c496436cb3b8047

  • SHA1

    031de0ff90f329b9c2c0ac7eb1810f798bd06f77

  • SHA256

    19561969de9f77cf014c808177cbc5113576d07573d16706226e32c2277374b7

  • SHA512

    3c01f2aa1718f0cccda3e38c4dee76178b7cd13fde3dde5c8de724b8dc94d157ebb65d9e904a29a00d7de97140cedebdf7db3557e4c38674a4c9af4032ca70dc

  • SSDEEP

    98304:w/yQCRfeF3sI6cXEJgw+MC23YMCXlO/f9t3m:wqHRfw3sI6WILrCwHX

Score
10/10
loaderbotxmrigloaderminerpersistence

Malware Config

Extracted

Family

loaderbot

C2

http://alexxmn6.beget.tech/cmd.php

Signatures

  • LoaderBot

    LoaderBot is a loader written in .NET downloading and executing miners.

    loaderminerloaderbot
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • LoaderBot executable 3 IoCs
  • XMRig Miner payload 3 IoCs
    miner
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\F53A85E706B1BF9D2C496436CB3B8047.exe
    "C:\Users\Admin\AppData\Local\Temp\F53A85E706B1BF9D2C496436CB3B8047.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Users\Admin\AppData\Local\Temp\new.exe
      "C:\Users\Admin\AppData\Local\Temp\new.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 49MREnLAPKPfTGTNDVPxPjQb6eUo3S8GwbKPx43MJzoaP6JqzPQL761ceLWS9MwszJcrnME7G1uaLFj1wT7a9MzBTok7pE9 -p x -k -v=0 --donate-level=1 -t 1
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2244
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 2244 -s 760
          4⤵
          • Program crash
          PID:1624
      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 49MREnLAPKPfTGTNDVPxPjQb6eUo3S8GwbKPx43MJzoaP6JqzPQL761ceLWS9MwszJcrnME7G1uaLFj1wT7a9MzBTok7pE9 -p x -k -v=0 --donate-level=1 -t 1
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3224
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 444 -p 2244 -ip 2244
    1⤵
      PID:2592

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\new.exe
      Filesize

      4.0MB

      MD5

      c54ef625ca15567bc887e5e16db9b111

      SHA1

      ce6f752b76cb2fabf1086015df5447febcbf9bc0

      SHA256

      34d94fb77a1a47bf6f01b34123b89bf841ed3a1dedbdcc054a990d889206a5a8

      SHA512

      e35b92192fb34e416275266819ac0609acbdc03cdfd635b3d6825d4499229834cc41d1aa2a81355839ca4751a07b776ecce53be8b9d9968fa45a1b50ee9eccea

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\new.exe
      Filesize

      4.0MB

      MD5

      c54ef625ca15567bc887e5e16db9b111

      SHA1

      ce6f752b76cb2fabf1086015df5447febcbf9bc0

      SHA256

      34d94fb77a1a47bf6f01b34123b89bf841ed3a1dedbdcc054a990d889206a5a8

      SHA512

      e35b92192fb34e416275266819ac0609acbdc03cdfd635b3d6825d4499229834cc41d1aa2a81355839ca4751a07b776ecce53be8b9d9968fa45a1b50ee9eccea

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      Filesize

      3.9MB

      MD5

      02569a7a91a71133d4a1023bf32aa6f4

      SHA1

      0f16bcb3f3f085d3d3be912195558e9f9680d574

      SHA256

      8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

      SHA512

      534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      Filesize

      3.9MB

      MD5

      02569a7a91a71133d4a1023bf32aa6f4

      SHA1

      0f16bcb3f3f085d3d3be912195558e9f9680d574

      SHA256

      8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

      SHA512

      534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      Filesize

      3.9MB

      MD5

      02569a7a91a71133d4a1023bf32aa6f4

      SHA1

      0f16bcb3f3f085d3d3be912195558e9f9680d574

      SHA256

      8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

      SHA512

      534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

      Download Submit

    • memory/1268-132-0x0000000000D00000-0x0000000001102000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1268-134-0x00007FFC5DC30000-0x00007FFC5E6F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1268-133-0x00007FFC5DC30000-0x00007FFC5E6F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1268-138-0x00007FFC5DC30000-0x00007FFC5E6F1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2244-147-0x0000000140000000-0x0000000140B75000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/2244-144-0x0000000140000000-0x0000000140B75000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/2244-145-0x00000000001D0000-0x00000000001E4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2244-146-0x0000000140000000-0x0000000140B75000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/2672-140-0x0000000005300000-0x0000000005366000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2672-139-0x00000000002C0000-0x00000000006BE000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/3224-150-0x0000000140000000-0x0000000140B75000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/3224-152-0x0000000140000000-0x0000000140B75000-memory.dmp

      Filesize

      11.5MB

      Download