Overview

overview

10

Static

static

3

file.exe

windows7-x64

1

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-05-2023 17:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    2.7MB

  • MD5

    bd83b22d90836c81047b081dcbacb63d

  • SHA1

    ce52554f5bbd0e26332309166a2912609797f8b6

  • SHA256

    5bc457579941e276a1ad34f285a12d4a40febb92cafd37ac0ab8c476c240912a

  • SHA512

    8025ca796c9273fe5e6fb3e1e1481d63bce796462ebae24857d8aae01bc74c9634bdb509c4f57f23c0523005f89f8eb78f827e34a65cce8502c994494aa5b1c0

  • SSDEEP

    49152:TFS3NYgv3IsJks7JFsaaq7VZbAMS9IeD/P/sXZYkZ4jh+:TYbv3Isms1kq7DMFNTkqkZQh+

Score
10/10
loaderbotxmrigloaderminerpersistence

Malware Config

Extracted

Family

loaderbot

C2

https://sh4453464.c.had.su/cmd.php

Signatures

  • LoaderBot

    LoaderBot is a loader written in .NET downloading and executing miners.

    loaderminerloaderbot
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • LoaderBot executable 1 IoCs
  • XMRig Miner payload 14 IoCs
    miner
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1596
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "{path}"
      2⤵
        PID:1440
      • C:\Users\Admin\AppData\Local\Temp\file.exe
        "{path}"
        2⤵
        • Checks computer location settings
        • Drops startup file
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: RenamesItself
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1708
        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4935xbCqwWU1Kskmfu796NjQVuLDZAR4xdvf7fe2p9w3XVkqbRHPR5ELemPeGJJhVWGxjeLuvZqf8ZVFPabUB5CTNSBG2RV -p x -k -v=0 --donate-level=1 -t 2
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1572
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 1572 -s 760
            4⤵
            • Program crash
            PID:5052
        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4935xbCqwWU1Kskmfu796NjQVuLDZAR4xdvf7fe2p9w3XVkqbRHPR5ELemPeGJJhVWGxjeLuvZqf8ZVFPabUB5CTNSBG2RV -p x -k -v=0 --donate-level=1 -t 2
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2992
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 2992 -s 548
            4⤵
            • Program crash
            PID:2192
        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4935xbCqwWU1Kskmfu796NjQVuLDZAR4xdvf7fe2p9w3XVkqbRHPR5ELemPeGJJhVWGxjeLuvZqf8ZVFPabUB5CTNSBG2RV -p x -k -v=0 --donate-level=1 -t 2
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1872
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -pss -s 432 -p 1572 -ip 1572
      1⤵
        PID:888
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -pss -s 536 -p 2992 -ip 2992
        1⤵
          PID:1488

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
          Filesize

          1KB

          MD5

          3ae5fa36d6c5cf135fb14702c5777bc0

          SHA1

          86a5aa45d96748084ace87493debdf3d329cd521

          SHA256

          1f05b6335396291c2e7a378aa96b741374541807a1dbd94b74025f43984e917c

          SHA512

          7fe99728c09b6d832b9b06c60a962437ffc7f6175efe047b2a1c1f830b01469558055e3a032aa8c92e9e026f07efcc02e00236f9b9e02461908bcfce9272daa3

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          Filesize

          3.9MB

          MD5

          02569a7a91a71133d4a1023bf32aa6f4

          SHA1

          0f16bcb3f3f085d3d3be912195558e9f9680d574

          SHA256

          8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

          SHA512

          534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          Filesize

          3.9MB

          MD5

          02569a7a91a71133d4a1023bf32aa6f4

          SHA1

          0f16bcb3f3f085d3d3be912195558e9f9680d574

          SHA256

          8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

          SHA512

          534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          Filesize

          3.9MB

          MD5

          02569a7a91a71133d4a1023bf32aa6f4

          SHA1

          0f16bcb3f3f085d3d3be912195558e9f9680d574

          SHA256

          8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

          SHA512

          534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          Filesize

          3.9MB

          MD5

          02569a7a91a71133d4a1023bf32aa6f4

          SHA1

          0f16bcb3f3f085d3d3be912195558e9f9680d574

          SHA256

          8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

          SHA512

          534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          Filesize

          3.9MB

          MD5

          02569a7a91a71133d4a1023bf32aa6f4

          SHA1

          0f16bcb3f3f085d3d3be912195558e9f9680d574

          SHA256

          8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

          SHA512

          534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

          Download Submit

        • memory/1572-162-0x0000000140000000-0x0000000140B75000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/1572-161-0x0000000000400000-0x0000000000414000-memory.dmp

          Filesize

          80KB

          Download

        • memory/1596-143-0x0000000005390000-0x00000000053A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1596-136-0x00000000051D0000-0x0000000005262000-memory.dmp

          Filesize

          584KB

          Download

        • memory/1596-133-0x0000000000490000-0x000000000074A000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/1596-134-0x0000000005130000-0x00000000051CC000-memory.dmp

          Filesize

          624KB

          Download

        • memory/1596-141-0x00000000081B0000-0x00000000081EC000-memory.dmp

          Filesize

          240KB

          Download

        • memory/1596-142-0x0000000005390000-0x00000000053A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1596-140-0x0000000005390000-0x00000000053A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1596-135-0x0000000005780000-0x0000000005D24000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/1596-139-0x0000000005390000-0x00000000053A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1596-138-0x0000000005400000-0x0000000005456000-memory.dmp

          Filesize

          344KB

          Download

        • memory/1596-137-0x00000000050F0000-0x00000000050FA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1708-149-0x0000000005660000-0x00000000056C6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/1708-157-0x0000000002FF0000-0x0000000003000000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1708-168-0x0000000002FF0000-0x0000000003000000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1708-144-0x0000000000400000-0x00000000007FE000-memory.dmp

          Filesize

          4.0MB

          Download

        • memory/1872-188-0x0000000140000000-0x0000000140B75000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/1872-187-0x0000000140000000-0x0000000140B75000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/2992-170-0x0000000140000000-0x0000000140B75000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/2992-179-0x0000000140000000-0x0000000140B75000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/2992-172-0x0000000001FE0000-0x0000000002000000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2992-173-0x0000000140000000-0x0000000140B75000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/2992-175-0x0000000001FE0000-0x0000000002000000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2992-174-0x0000000000440000-0x0000000000460000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2992-176-0x0000000140000000-0x0000000140B75000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/2992-177-0x0000000140000000-0x0000000140B75000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/2992-178-0x0000000140000000-0x0000000140B75000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/2992-171-0x0000000000440000-0x0000000000460000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2992-180-0x0000000140000000-0x0000000140B75000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/2992-181-0x0000000140000000-0x0000000140B75000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/2992-182-0x0000000140000000-0x0000000140B75000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/2992-183-0x0000000000440000-0x0000000000460000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2992-184-0x0000000001FE0000-0x0000000002000000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2992-169-0x0000000140000000-0x0000000140B75000-memory.dmp

          Filesize

          11.5MB

          Download

        • memory/2992-167-0x0000000000420000-0x0000000000440000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2992-166-0x0000000140000000-0x0000000140B75000-memory.dmp

          Filesize

          11.5MB

          Download