Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231025-en -
resource tags
-
submitted
27-10-2023 08:07
General
-
Target
tmp.exe
-
Size
72KB
-
MD5
ca24ecfb4ed0c1d4f6e2f9451943aa81
-
SHA1
82efc58779cf1ba0736ecbffd35798e58e9658c3
-
SHA256
87af3f03355baa7ed121958ee760ca52dbde2671532b582cc927f31eba6612ea
-
SHA512
1522c4e421f98303e39d103a2d30a6ade398e2c804d6cd22a5e23b7abc23b4ffa8e340c5f2664e02dca18d809bb62d67c8ad60e15ce30a7bf5d8a23d59b39bcb
-
SSDEEP
1536:0h168mCWXWnz3Fu/JzVTjhy4D/i4i+wpsTa+Cq45ijI3BBxfZ:SLmCWmnZuxzVxye/iIa+Cqu3Bh
Malware Config
Extracted
loaderbot
http://185.236.76.77/cmd.php
Signatures
-
LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
LoaderBot executable 1 IoCs
-
XMRig Miner payload 17 IoCs
-
Downloads MZ/PE file
-
Drops startup file 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 10 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"2⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8Aa4eUo7y4pY2AmYtKfjKgQGhbyotQR1TC8xFpA6YJXAKaLgVec7XCtWxvXxmKzFSP7J1CHPSoa2AgwX2yKQrpQmBaiii5r -p x -k -v=0 --donate-level=0 -t 43⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8Aa4eUo7y4pY2AmYtKfjKgQGhbyotQR1TC8xFpA6YJXAKaLgVec7XCtWxvXxmKzFSP7J1CHPSoa2AgwX2yKQrpQmBaiii5r -p x -k -v=0 --donate-level=0 -t 43⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8Aa4eUo7y4pY2AmYtKfjKgQGhbyotQR1TC8xFpA6YJXAKaLgVec7XCtWxvXxmKzFSP7J1CHPSoa2AgwX2yKQrpQmBaiii5r -p x -k -v=0 --donate-level=0 -t 43⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 8Aa4eUo7y4pY2AmYtKfjKgQGhbyotQR1TC8xFpA6YJXAKaLgVec7XCtWxvXxmKzFSP7J1CHPSoa2AgwX2yKQrpQmBaiii5r -p x -k -v=0 --donate-level=0 -t 43⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.9MB
MD502569a7a91a71133d4a1023bf32aa6f4
SHA10f16bcb3f3f085d3d3be912195558e9f9680d574
SHA2568d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322
-
Filesize
3.9MB
MD502569a7a91a71133d4a1023bf32aa6f4
SHA10f16bcb3f3f085d3d3be912195558e9f9680d574
SHA2568d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322
-
Filesize
3.9MB
MD502569a7a91a71133d4a1023bf32aa6f4
SHA10f16bcb3f3f085d3d3be912195558e9f9680d574
SHA2568d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322
-
Filesize
3.9MB
MD502569a7a91a71133d4a1023bf32aa6f4
SHA10f16bcb3f3f085d3d3be912195558e9f9680d574
SHA2568d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322
-
Filesize
3.9MB
MD502569a7a91a71133d4a1023bf32aa6f4
SHA10f16bcb3f3f085d3d3be912195558e9f9680d574
SHA2568d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322
-
Filesize
3.9MB
MD502569a7a91a71133d4a1023bf32aa6f4
SHA10f16bcb3f3f085d3d3be912195558e9f9680d574
SHA2568d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0
SHA512534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322
-
Filesize
10.8MB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
40KB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
80KB
-
Filesize
128KB
-
Filesize
11.5MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
11.5MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
128KB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4.0MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
11.5MB
-
Filesize
11.5MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
11.5MB