Overview

overview

10

Static

static

3

b1f7d94305...20.exe

windows7-x64

10

b1f7d94305...20.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    87s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-10-2023 12:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b1f7d94305e0f729964239a69bffe320.exe

  • Size

    501KB

  • MD5

    b1f7d94305e0f729964239a69bffe320

  • SHA1

    2fb02ffda0ce1fc5d719b9b79f2cdc2a0ead863a

  • SHA256

    99bba4b98096259772dc0c12f0ebb3b3ff275f4babf75caa380e94e3dbed90c9

  • SHA512

    3d6089b7b0f430020bb3a21e21aedbff81c28e8e97bb44c8b0fd6af1ea4bf6356a34b9bdf56bcdf51533dab48fa6446b825e1dbaa8ed38b380222f81bca03a45

  • SSDEEP

    12288:VFTTWyVmRw8r6+y3QqBZAnYanJ252Wjx1ZP2BJ4iP:VFxVn8m+y3QqBZ6RK11Zw4q

Score
10/10
loaderbotxmrigdiscoveryevasionloaderminerpersistencespywarestealerthemidatrojan

Malware Config

Signatures

  • LoaderBot

    LoaderBot is a loader written in .NET downloading and executing miners.

    loaderminerloaderbot
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • LoaderBot executable 1 IoCs
  • XMRig Miner payload 14 IoCs
    miner
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b1f7d94305e0f729964239a69bffe320.exe
    "C:\Users\Admin\AppData\Local\Temp\b1f7d94305e0f729964239a69bffe320.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3240
    • C:\Users\Admin\AppData\Local\Temp\sacubpvoqssabvrgemg.exe
      "C:\Users\Admin\AppData\Local\Temp\sacubpvoqssabvrgemg.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1700
      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 42K92y1uNN7PxEp57QZPiLQogD8pGGRjWQnqEemCTsXMSnqrhagsVujaeBc38hqrX88YL8Wh9pNQHRzTN7GBw8SqQkGBwg7 -p x -k -v=0 --donate-level=1 -t 4
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2612
      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 42K92y1uNN7PxEp57QZPiLQogD8pGGRjWQnqEemCTsXMSnqrhagsVujaeBc38hqrX88YL8Wh9pNQHRzTN7GBw8SqQkGBwg7 -p x -k -v=0 --donate-level=1 -t 4
        3⤵
          PID:2572

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\sacubpvoqssabvrgemg.exe
      Filesize

      3.4MB

      MD5

      65af1033a01110ec64468bacbe3a7607

      SHA1

      9d1f8c17ce63803245c02a0e679ccde3fafcd48a

      SHA256

      2531116b30534eb043a27f83fb4abdec24d212cf58673c117850256510f21264

      SHA512

      9cd3932957dbf748793b9529e1f051532503c4cdef81f67cf86679b8415b92f90fbcae6f2473fb6c125de570dca0e501d11fca37ce4a9b8f554c8e22db322e54

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\sacubpvoqssabvrgemg.exe
      Filesize

      3.4MB

      MD5

      65af1033a01110ec64468bacbe3a7607

      SHA1

      9d1f8c17ce63803245c02a0e679ccde3fafcd48a

      SHA256

      2531116b30534eb043a27f83fb4abdec24d212cf58673c117850256510f21264

      SHA512

      9cd3932957dbf748793b9529e1f051532503c4cdef81f67cf86679b8415b92f90fbcae6f2473fb6c125de570dca0e501d11fca37ce4a9b8f554c8e22db322e54

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      Filesize

      3.9MB

      MD5

      02569a7a91a71133d4a1023bf32aa6f4

      SHA1

      0f16bcb3f3f085d3d3be912195558e9f9680d574

      SHA256

      8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

      SHA512

      534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      Filesize

      3.9MB

      MD5

      02569a7a91a71133d4a1023bf32aa6f4

      SHA1

      0f16bcb3f3f085d3d3be912195558e9f9680d574

      SHA256

      8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

      SHA512

      534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      Filesize

      3.9MB

      MD5

      02569a7a91a71133d4a1023bf32aa6f4

      SHA1

      0f16bcb3f3f085d3d3be912195558e9f9680d574

      SHA256

      8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

      SHA512

      534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      Filesize

      3.9MB

      MD5

      02569a7a91a71133d4a1023bf32aa6f4

      SHA1

      0f16bcb3f3f085d3d3be912195558e9f9680d574

      SHA256

      8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

      SHA512

      534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

      Download Submit

    • memory/1700-23-0x00000000768D0000-0x00000000769C0000-memory.dmp

      Filesize

      960KB

      Download

    • memory/1700-6-0x00000000768D0000-0x00000000769C0000-memory.dmp

      Filesize

      960KB

      Download

    • memory/1700-10-0x00000000768D0000-0x00000000769C0000-memory.dmp

      Filesize

      960KB

      Download

    • memory/1700-11-0x00000000768D0000-0x00000000769C0000-memory.dmp

      Filesize

      960KB

      Download

    • memory/1700-12-0x0000000077354000-0x0000000077356000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1700-15-0x0000000000AC0000-0x00000000014F4000-memory.dmp

      Filesize

      10.2MB

      Download

    • memory/1700-18-0x00000000768D0000-0x00000000769C0000-memory.dmp

      Filesize

      960KB

      Download

    • memory/1700-17-0x0000000000AC0000-0x00000000014F4000-memory.dmp

      Filesize

      10.2MB

      Download

    • memory/1700-19-0x00000000768D0000-0x00000000769C0000-memory.dmp

      Filesize

      960KB

      Download

    • memory/1700-20-0x00000000768D0000-0x00000000769C0000-memory.dmp

      Filesize

      960KB

      Download

    • memory/1700-21-0x00000000768D0000-0x00000000769C0000-memory.dmp

      Filesize

      960KB

      Download

    • memory/1700-22-0x00000000768D0000-0x00000000769C0000-memory.dmp

      Filesize

      960KB

      Download

    • memory/1700-8-0x00000000768D0000-0x00000000769C0000-memory.dmp

      Filesize

      960KB

      Download

    • memory/1700-25-0x0000000005F20000-0x0000000005F86000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1700-7-0x00000000768D0000-0x00000000769C0000-memory.dmp

      Filesize

      960KB

      Download

    • memory/1700-9-0x00000000768D0000-0x00000000769C0000-memory.dmp

      Filesize

      960KB

      Download

    • memory/1700-4-0x0000000000AC0000-0x00000000014F4000-memory.dmp

      Filesize

      10.2MB

      Download

    • memory/1700-5-0x00000000768D0000-0x00000000769C0000-memory.dmp

      Filesize

      960KB

      Download

    • memory/2572-74-0x0000000140000000-0x0000000140B75000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/2572-73-0x0000000140000000-0x0000000140B75000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/2572-71-0x00000000135B0000-0x00000000135D0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2572-70-0x0000000002030000-0x0000000002050000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2572-69-0x0000000002010000-0x0000000002030000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2572-68-0x0000000140000000-0x0000000140B75000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/2572-72-0x00000000137E0000-0x0000000013800000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2572-67-0x00000000137E0000-0x0000000013800000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2572-64-0x0000000002010000-0x0000000002030000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2572-65-0x0000000002030000-0x0000000002050000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2572-66-0x00000000135B0000-0x00000000135D0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2572-63-0x0000000140000000-0x0000000140B75000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/2572-62-0x0000000140000000-0x0000000140B75000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/2572-61-0x0000000140000000-0x0000000140B75000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/2612-43-0x0000000000480000-0x00000000004A0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2612-52-0x0000000140000000-0x0000000140B75000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/2612-53-0x0000000140000000-0x0000000140B75000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/2612-54-0x0000000140000000-0x0000000140B75000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/2612-55-0x0000000000480000-0x00000000004A0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2612-56-0x0000000002020000-0x0000000002040000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2612-57-0x0000000002040000-0x0000000002060000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2612-58-0x0000000002060000-0x0000000002080000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2612-51-0x0000000002060000-0x0000000002080000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2612-50-0x0000000002040000-0x0000000002060000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2612-49-0x0000000002020000-0x0000000002040000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2612-48-0x0000000000480000-0x00000000004A0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2612-47-0x0000000140000000-0x0000000140B75000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/2612-46-0x0000000002060000-0x0000000002080000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2612-45-0x0000000002040000-0x0000000002060000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2612-44-0x0000000002020000-0x0000000002040000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2612-42-0x0000000140000000-0x0000000140B75000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/2612-41-0x0000000140000000-0x0000000140B75000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/2612-40-0x0000000140000000-0x0000000140B75000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/2612-39-0x0000000140000000-0x0000000140B75000-memory.dmp

      Filesize

      11.5MB

      Download

    • memory/2612-38-0x0000000000460000-0x0000000000480000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2612-37-0x0000000000440000-0x0000000000454000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2612-35-0x0000000140000000-0x0000000140B75000-memory.dmp

      Filesize

      11.5MB

      Download