Analysis
-
max time kernel
64s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
23-05-2023 05:34
General
-
Target
wdagad.exe
-
Size
2.1MB
-
MD5
79931719ae9c21e1d8c5f1a419e85f71
-
SHA1
d4c5bdc3d4a0f2e9ca5f6e9407b837dea75c8edd
-
SHA256
f1e4bb232f6e5e0bcfb68627aea7b09b114e8f6d15a57a6e2e938db455d768bb
-
SHA512
e71ee3950f025f4aa0727a52b4493d9c57671bd73b3ae9309983229071c1812d2b9801067a0e80fa04dddc5e13e3dfdb223f07c75ab7757f296f79db7bad986f
-
SSDEEP
49152:ABRj0wlUtbZqxNwv6MitufUjzmTL7oG34n0FBhlT:at0wlUxgGqzULEGgi
Malware Config
Signatures
-
LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
LoaderBot executable 4 IoCs
-
XMRig Miner payload 17 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\wdagad.exe"C:\Users\Admin\AppData\Local\Temp\wdagad.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exework.exe -priverdD3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe"4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 427X8guX5JRRGk4v7gRcwK85MwpjCAN7djGqBAbCETdqc5biVY27pePT3Ctx43QMLAdKAaRDF4KW4HiozmdQ7EHrNczdnfM -p x -k -v=0 --donate-level=1 -t 25⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2100 -s 7606⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 427X8guX5JRRGk4v7gRcwK85MwpjCAN7djGqBAbCETdqc5biVY27pePT3Ctx43QMLAdKAaRDF4KW4HiozmdQ7EHrNczdnfM -p x -k -v=0 --donate-level=1 -t 25⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 460 -p 2100 -ip 21001⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ffb45229758,0x7ffb45229768,0x7ffb452297782⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1936,i,10846141539979833206,11506494022436687247,131072 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 --field-trial-handle=1936,i,10846141539979833206,11506494022436687247,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1392 --field-trial-handle=1936,i,10846141539979833206,11506494022436687247,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3100 --field-trial-handle=1936,i,10846141539979833206,11506494022436687247,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3320 --field-trial-handle=1936,i,10846141539979833206,11506494022436687247,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4508 --field-trial-handle=1936,i,10846141539979833206,11506494022436687247,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4676 --field-trial-handle=1936,i,10846141539979833206,11506494022436687247,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4728 --field-trial-handle=1936,i,10846141539979833206,11506494022436687247,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4992 --field-trial-handle=1936,i,10846141539979833206,11506494022436687247,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5164 --field-trial-handle=1936,i,10846141539979833206,11506494022436687247,131072 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5952 --field-trial-handle=1936,i,10846141539979833206,11506494022436687247,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 --field-trial-handle=1936,i,10846141539979833206,11506494022436687247,131072 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
240B
MD5c88c50e9a43f15f00e9d2d2a3998826f
SHA152a503395b7e6e204c0ebc5a5cc8914a80c84318
SHA2562170ce5e8e548c34d3760dca1972dfaa53f2efc4b1bb51c1ba2548b26ed8be1a
SHA5123b27e87b62fcc0c92a341da2a46ecb77d99557c34584b9207d1fdf0cfef55b2f29d6c51153aa26fd7736827c57a0ed550183c94d4d3874511517980e704e3ba9
-
Filesize
539B
MD5fd3725507954a9906ded9d1e6e3d0463
SHA16514ccaabdfb14aac894764a3aa3aafe843f2ca7
SHA25671096373196fa18206b8d02f3e76cfbf6ea962961d93fdce9c1aa67462c6ff11
SHA51213c2f5a737bcc9c750388c7351f557430d8a8933369b78c4c9462c4ad18d020bffef039f50c8575469ac4e66d3d5d57ca9bf9d198531235f5c0618a908e73f60
-
Filesize
539B
MD551e12b6c837f3c52c1e8ea98e7434bc9
SHA11641e7e0c931f44e0c81fa1875b418fb31136fe2
SHA256f56e659066b87ccae81f77ac256a411360488c476acc2996c1217a10c7ded42c
SHA512acf37e149ba9b4d088bce0a632857d4119108c4a7782f6274eedfe446f47c5144f2bb3380e1e94eee19cdb16398668e5d83c7cfb77653ef25fa57e60126af1d0
-
Filesize
5KB
MD567c2284df4425b1ad449ba70dc8f80a9
SHA17d80a68d7af2595a8bb8bad35313ba247ce36475
SHA2561fe49394f36103eab866ab52531b274af7c5209ca7b0dd869e6b37073f656994
SHA512fff510444ded105557d3e134b82b80369c4b0ec5e1c2961fc4de2b3fa9972cf9be2fd12171d1dfc42b28a36dfd5836cff93c2b31a0c8aa14565a331c4a00749b
-
Filesize
5KB
MD59a9ac0aa676c470b66c11b5a0c855f0b
SHA1a9da19ffd9d36197cec73e4133daf011f2c34b6d
SHA256376b0593d17f5e8fde7168a372e8918367d4cccf90bab2627455aa9590695e25
SHA51270d7ca8138316191147ac5590c544d9db492005dea9e2fe0efb03a073fe30ea396ea7b21755bc3e05e64c8df8e7b4491c7fa928fc42e36e2842873292bfb2615
-
Filesize
151KB
MD5a0a7fbaaf77eabc6ebafe30bc60dd1db
SHA1a442ea9a1886cc7b388c751a7fe6a2f50a69be5b
SHA256a92aa6502b2244828fa6862927beff22e78d1493f9f1577a130b508f0b873fca
SHA512a7e98371b8a2182d3d42ecd9801edd611723fb86bed5b38e87ceb91d0b33ccd9cb6f36595746a2907095203bcd883e0e976fd782008f50a5b798aaf50bd479a0
-
Filesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
Filesize
35B
MD5ff59d999beb970447667695ce3273f75
SHA1316fa09f467ba90ac34a054daf2e92e6e2854ff8
SHA256065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2
SHA512d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d
-
Filesize
1.9MB
MD5636373768d83d47a8469e19e7c364cba
SHA19a0af5c6a5af766c45d2d318727843f4909bf35f
SHA2560af038a51b667ec95cac7ebd4a4c04b5011c451e211c34cb1c918891e955268a
SHA5121f8d81b4463a0533d1e264cd946f5de8c7e5c584c9ac2ff63f23e3bd7c235abdc3f4a547059e71d362540bfbcedfb35bbcd558d83baa1daa675be059d34140f6
-
Filesize
1.9MB
MD5636373768d83d47a8469e19e7c364cba
SHA19a0af5c6a5af766c45d2d318727843f4909bf35f
SHA2560af038a51b667ec95cac7ebd4a4c04b5011c451e211c34cb1c918891e955268a
SHA5121f8d81b4463a0533d1e264cd946f5de8c7e5c584c9ac2ff63f23e3bd7c235abdc3f4a547059e71d362540bfbcedfb35bbcd558d83baa1daa675be059d34140f6
-
Filesize
4.0MB
MD533b4baef7b0a6ad57a7d30af324c4efd
SHA1b169a559615a8448d7ed7da56d36a6850d2092e2
SHA2563a48d4a5106dd9ba74e5fccfe58bf65581ee894d7f3ca1b15e6680fc912cd150
SHA512739759d92a9e48e41b0366104ac9edf469cd8f323bbef0b507e3351cf081869ed069b88927fa70329d655012702385a74686df921a62dba95d7ec138a1e46690
-
Filesize
4.0MB
MD533b4baef7b0a6ad57a7d30af324c4efd
SHA1b169a559615a8448d7ed7da56d36a6850d2092e2
SHA2563a48d4a5106dd9ba74e5fccfe58bf65581ee894d7f3ca1b15e6680fc912cd150
SHA512739759d92a9e48e41b0366104ac9edf469cd8f323bbef0b507e3351cf081869ed069b88927fa70329d655012702385a74686df921a62dba95d7ec138a1e46690
-
Filesize
4.0MB
MD533b4baef7b0a6ad57a7d30af324c4efd
SHA1b169a559615a8448d7ed7da56d36a6850d2092e2
SHA2563a48d4a5106dd9ba74e5fccfe58bf65581ee894d7f3ca1b15e6680fc912cd150
SHA512739759d92a9e48e41b0366104ac9edf469cd8f323bbef0b507e3351cf081869ed069b88927fa70329d655012702385a74686df921a62dba95d7ec138a1e46690
-
Filesize
3.9MB
MD502569a7a91a71133d4a1023bf32aa6f4
SHA10f16bcb3f3f085d3d3be912195558e9f9680d574
SHA2568d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322
-
Filesize
3.9MB
MD502569a7a91a71133d4a1023bf32aa6f4
SHA10f16bcb3f3f085d3d3be912195558e9f9680d574
SHA2568d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322
-
Filesize
3.9MB
MD502569a7a91a71133d4a1023bf32aa6f4
SHA10f16bcb3f3f085d3d3be912195558e9f9680d574
SHA2568d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322
-
Filesize
3.9MB
MD502569a7a91a71133d4a1023bf32aa6f4
SHA10f16bcb3f3f085d3d3be912195558e9f9680d574
SHA2568d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
80KB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
11.5MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
128KB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
408KB
-
Filesize
4.0MB
-
Filesize
64KB
-
Filesize
64KB