Analysis
-
max time kernel
53s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
19-12-2023 17:59
General
-
Target
707ba8dca9b7d9c717d33e102cd80cae.exe
-
Size
4.3MB
-
MD5
707ba8dca9b7d9c717d33e102cd80cae
-
SHA1
cf6edd3ae5df41a07c6df335836a292028739b98
-
SHA256
25f1d3238d50fcbe2c26b743197e2ae319bf61fc927ca5e5cf3c009ba35512d9
-
SHA512
945c3481c7388e814210a5d1fa42cbb5c9e8833f30c3089991f309171c563f1d036b0bb8cf067d28862747179334be5c283e4c8586a92c1ce2f82af498456b3f
-
SSDEEP
98304:kNNaf55cH3Bj1JkxjOejrq8lVwOro1bbyOFb0hjB4+81TC:kNNa4HxDe/GDhFb0lB4+
Malware Config
Extracted
loaderbot
http://jokerkqc.beget.tech/cmd.php
Signatures
-
LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
LoaderBot executable 1 IoCs
-
XMRig Miner payload 15 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\707ba8dca9b7d9c717d33e102cd80cae.exe"C:\Users\Admin\AppData\Local\Temp\707ba8dca9b7d9c717d33e102cd80cae.exe"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 49YFQi8yvD2aPA6d5yT5FVbzQoG8uzYN8CnXnYc5Rnu4MyAVN3MtWMUVa5d5un4nAoE1wsUxEGKKdds1mN6UV1zd1zxNKUi -p x -k -v=0 --donate-level=1 -t 42⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
221KB
MD5e7ddd01601a94118919fbf8653b94b12
SHA19b66899155478733bd7289919faf300564d83ee0
SHA256ec17554c54bcd9b4f647ef9c52fc1d2107505f20203bce32f96c34efe6e38aad
SHA512bfe0a680bcd48c2b35a00edcac45245d6e9bbc6e870b8ff96e815a7ef367226bfa4a8fd8f62c6d848830c41d8e0af55db4510a3a54804eec88a8d502a539d4a0
-
Filesize
1KB
MD5dd555522ad7254ea9515d877d258fa2d
SHA1a494ecd224e256c5c33b53e3e9cdaa3c11243ed0
SHA256f747073c5b58200fe2ec2dcf173abdc2d8a38e5ff2c5b0b0aaab68a480e47bdd
SHA51205023d2f3da3c12f1e89ee0c9d66a8913190db20344179b403d677e775e4ad80a7c2058dac80db24c163c4121da8a2a5afbfc563cbd8e9dc6730756e50022f61
-
Filesize
12.6MB
-
Filesize
12.6MB
-
Filesize
12.6MB
-
Filesize
12.6MB
-
Filesize
12.6MB
-
Filesize
80KB
-
Filesize
12.6MB
-
Filesize
12.6MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
12.6MB
-
Filesize
12.6MB
-
Filesize
12.6MB
-
Filesize
12.6MB
-
Filesize
256KB
-
Filesize
12.6MB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
12.6MB
-
Filesize
12.6MB
-
Filesize
12.6MB
-
Filesize
12.6MB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
4.4MB
-
Filesize
64KB
-
Filesize
64KB