Overview

overview

10

Static

static

3

NEAS.b1f7d...20.exe

windows7-x64

10

NEAS.b1f7d...20.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-10-2023 21:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEAS.b1f7d94305e0f729964239a69bffe320.exe

  • Size

    501KB

  • MD5

    b1f7d94305e0f729964239a69bffe320

  • SHA1

    2fb02ffda0ce1fc5d719b9b79f2cdc2a0ead863a

  • SHA256

    99bba4b98096259772dc0c12f0ebb3b3ff275f4babf75caa380e94e3dbed90c9

  • SHA512

    3d6089b7b0f430020bb3a21e21aedbff81c28e8e97bb44c8b0fd6af1ea4bf6356a34b9bdf56bcdf51533dab48fa6446b825e1dbaa8ed38b380222f81bca03a45

  • SSDEEP

    12288:VFTTWyVmRw8r6+y3QqBZAnYanJ252Wjx1ZP2BJ4iP:VFxVn8m+y3QqBZ6RK11Zw4q

Score
10/10
loaderbotxmrigdiscoveryevasionloaderminerpersistencespywarestealerthemidatrojan

Malware Config

Signatures

  • LoaderBot

    LoaderBot is a loader written in .NET downloading and executing miners.

    loaderminerloaderbot
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • LoaderBot executable 1 IoCs
  • XMRig Miner payload 11 IoCs
    miner
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.b1f7d94305e0f729964239a69bffe320.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.b1f7d94305e0f729964239a69bffe320.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2720
    • C:\Users\Admin\AppData\Local\Temp\chmxrtlvssjb.exe
      "C:\Users\Admin\AppData\Local\Temp\chmxrtlvssjb.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4252
      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 42K92y1uNN7PxEp57QZPiLQogD8pGGRjWQnqEemCTsXMSnqrhagsVujaeBc38hqrX88YL8Wh9pNQHRzTN7GBw8SqQkGBwg7 -p x -k -v=0 --donate-level=1 -t 4
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3684
      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 42K92y1uNN7PxEp57QZPiLQogD8pGGRjWQnqEemCTsXMSnqrhagsVujaeBc38hqrX88YL8Wh9pNQHRzTN7GBw8SqQkGBwg7 -p x -k -v=0 --donate-level=1 -t 4
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:3556

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\chmxrtlvssjb.exe
    Filesize

    3.4MB

    MD5

    65af1033a01110ec64468bacbe3a7607

    SHA1

    9d1f8c17ce63803245c02a0e679ccde3fafcd48a

    SHA256

    2531116b30534eb043a27f83fb4abdec24d212cf58673c117850256510f21264

    SHA512

    9cd3932957dbf748793b9529e1f051532503c4cdef81f67cf86679b8415b92f90fbcae6f2473fb6c125de570dca0e501d11fca37ce4a9b8f554c8e22db322e54

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\chmxrtlvssjb.exe
    Filesize

    3.4MB

    MD5

    65af1033a01110ec64468bacbe3a7607

    SHA1

    9d1f8c17ce63803245c02a0e679ccde3fafcd48a

    SHA256

    2531116b30534eb043a27f83fb4abdec24d212cf58673c117850256510f21264

    SHA512

    9cd3932957dbf748793b9529e1f051532503c4cdef81f67cf86679b8415b92f90fbcae6f2473fb6c125de570dca0e501d11fca37ce4a9b8f554c8e22db322e54

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    Filesize

    3.9MB

    MD5

    02569a7a91a71133d4a1023bf32aa6f4

    SHA1

    0f16bcb3f3f085d3d3be912195558e9f9680d574

    SHA256

    8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

    SHA512

    534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    Filesize

    3.9MB

    MD5

    02569a7a91a71133d4a1023bf32aa6f4

    SHA1

    0f16bcb3f3f085d3d3be912195558e9f9680d574

    SHA256

    8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

    SHA512

    534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    Filesize

    3.9MB

    MD5

    02569a7a91a71133d4a1023bf32aa6f4

    SHA1

    0f16bcb3f3f085d3d3be912195558e9f9680d574

    SHA256

    8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

    SHA512

    534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    Filesize

    3.9MB

    MD5

    02569a7a91a71133d4a1023bf32aa6f4

    SHA1

    0f16bcb3f3f085d3d3be912195558e9f9680d574

    SHA256

    8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

    SHA512

    534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

    Download Submit

  • memory/3556-52-0x0000000002250000-0x0000000002270000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3556-46-0x00000000021F0000-0x0000000002210000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3556-64-0x0000000140000000-0x0000000140B75000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/3556-63-0x0000000140000000-0x0000000140B75000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/3556-62-0x0000000140000000-0x0000000140B75000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/3556-61-0x0000000140000000-0x0000000140B75000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/3556-60-0x0000000140000000-0x0000000140B75000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/3556-59-0x0000000140000000-0x0000000140B75000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/3556-58-0x00000000137F0000-0x0000000013810000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3556-57-0x0000000002250000-0x0000000002270000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3556-56-0x0000000002230000-0x0000000002250000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3556-55-0x0000000002210000-0x0000000002230000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3556-54-0x0000000140000000-0x0000000140B75000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/3556-53-0x00000000137F0000-0x0000000013810000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3556-51-0x0000000002230000-0x0000000002250000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3556-50-0x0000000002210000-0x0000000002230000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3556-49-0x0000000140000000-0x0000000140B75000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/3556-48-0x0000000140000000-0x0000000140B75000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/3556-47-0x0000000140000000-0x0000000140B75000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/3684-41-0x0000000000440000-0x0000000000454000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3684-43-0x0000000140000000-0x0000000140B75000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/3684-42-0x0000000140000000-0x0000000140B75000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/4252-4-0x0000000000490000-0x0000000000EC4000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/4252-23-0x00000000768D0000-0x00000000769C0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/4252-7-0x00000000768D0000-0x00000000769C0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/4252-8-0x00000000768D0000-0x00000000769C0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/4252-9-0x00000000768D0000-0x00000000769C0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/4252-30-0x0000000005B40000-0x0000000005BA6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4252-27-0x00000000768D0000-0x00000000769C0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/4252-26-0x00000000768D0000-0x00000000769C0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/4252-11-0x00000000768D0000-0x00000000769C0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/4252-25-0x00000000768D0000-0x00000000769C0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/4252-22-0x00000000768D0000-0x00000000769C0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/4252-6-0x00000000768D0000-0x00000000769C0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/4252-24-0x00000000768D0000-0x00000000769C0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/4252-21-0x00000000768D0000-0x00000000769C0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/4252-19-0x00000000768D0000-0x00000000769C0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/4252-18-0x0000000000490000-0x0000000000EC4000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/4252-15-0x0000000077354000-0x0000000077356000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4252-14-0x0000000000490000-0x0000000000EC4000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/4252-13-0x00000000768D0000-0x00000000769C0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/4252-12-0x00000000768D0000-0x00000000769C0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/4252-10-0x00000000768D0000-0x00000000769C0000-memory.dmp

    Filesize

    960KB

    Download