Overview

overview

10

Static

static

1

c1c8343106...d2.exe

windows7-x64

10

c1c8343106...d2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    65s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-03-2024 22:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c1c83431067ad5f303a53e552808f9d2.exe

  • Size

    1.9MB

  • MD5

    c1c83431067ad5f303a53e552808f9d2

  • SHA1

    f095b539cb596cd1ab22c8a8ac5debf32fd4f957

  • SHA256

    f68ce7141201ab26841498cf062755f2fdd31e6cf66655a2c3aa3ef70ca0a668

  • SHA512

    4cb736146314af22b60866a2cde96947b7f1b80bd7e24048f098ee28bd7e92383daeab2b6b20ba3043a9a3173eea6464d5023469aed5e35901d6027754ab9b37

  • SSDEEP

    49152:pgM2OSAUhB0ETI++BrpMLdDQXWb+FPWRH:aM2DD5IhBrpCFQXk+FPWR

Score
10/10
loaderbotxmrigloaderminerpersistence

Malware Config

Signatures

  • LoaderBot

    LoaderBot is a loader written in .NET downloading and executing miners.

    loaderminerloaderbot
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • LoaderBot executable 1 IoCs
  • XMRig Miner payload 14 IoCs
    miner
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c1c83431067ad5f303a53e552808f9d2.exe
    "C:\Users\Admin\AppData\Local\Temp\c1c83431067ad5f303a53e552808f9d2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2064
    • C:\Users\Admin\AppData\Local\Temp\c1c83431067ad5f303a53e552808f9d2.exe
      C:\Users\Admin\AppData\Local\Temp\c1c83431067ad5f303a53e552808f9d2.exe
      2⤵
        PID:3180
      • C:\Users\Admin\AppData\Local\Temp\c1c83431067ad5f303a53e552808f9d2.exe
        C:\Users\Admin\AppData\Local\Temp\c1c83431067ad5f303a53e552808f9d2.exe
        2⤵
        • Checks computer location settings
        • Drops startup file
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: RenamesItself
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3840
        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 49ciCfWrkhQWz6LYXux4LV1P5eAFMfox1H2y3k6VSn7Jb39nDYDUiC6JFCUBDDf63GQqpKc5ZQQ8vCHwgzesAKHtJwB9o2i -p x -k -v=0 --donate-level=1 -t 4
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2080
        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 49ciCfWrkhQWz6LYXux4LV1P5eAFMfox1H2y3k6VSn7Jb39nDYDUiC6JFCUBDDf63GQqpKc5ZQQ8vCHwgzesAKHtJwB9o2i -p x -k -v=0 --donate-level=1 -t 4
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4792
        • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
          "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 49ciCfWrkhQWz6LYXux4LV1P5eAFMfox1H2y3k6VSn7Jb39nDYDUiC6JFCUBDDf63GQqpKc5ZQQ8vCHwgzesAKHtJwB9o2i -p x -k -v=0 --donate-level=1 -t 4
          3⤵
            PID:804

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\c1c83431067ad5f303a53e552808f9d2.exe.log
        Filesize

        605B

        MD5

        3654bd2c6957761095206ffdf92b0cb9

        SHA1

        6f10f7b5867877de7629afcff644c265e79b4ad3

        SHA256

        c2a4be94cf4ed33d698d9838f4ffb47047da796e733ec11562463a1621212ab4

        SHA512

        e2a81248cca7732ce098088d5237897493fd3629e28d66bc13e5f9191f72cd52893f4a53905906af12d5c6de475738b6c7f6b718a32869e9ee0deb3a54672f79

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        Filesize

        3.1MB

        MD5

        718bc427bc25215f7d228a89d6e6daa3

        SHA1

        381dd48d7096fb4829e5a3c871c66fbd56fb1a70

        SHA256

        5ffefe67e2f75a7ed15e330bef17ae34e5a7541863ee89f9f45d0da2848938ba

        SHA512

        4f8b3ff34316c7e5856dc901e365ceeda7af378a40f332dad0b4f667c41ef02f571b94022dcf2f02b3c824bd2911eb374b1db84669cda81426a17d263c970f92

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        Filesize

        681KB

        MD5

        69cc38022352e6f20ec2fe22b8d49b0d

        SHA1

        383b59325beb48502bef7dc2c9ac8ed9bdb9129e

        SHA256

        cea8c9aba1340d33295730b87c254590d56d5228c4f5cec3405de6e825dded6f

        SHA512

        21499e54a1e18a81e4f9d7bab8f760264f5610d44a54ebc2d586d7e258a742ac9ab4522d4df31147e7efe121b20e707f612915631cad164e2c82355283f841f0

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        Filesize

        365KB

        MD5

        eb12880106d4f5c8334898a93bf1e3d6

        SHA1

        2f283b6c35e1e070a5ac665a9e41e6b9a97e9db1

        SHA256

        e8a3518e8143d1a5002e2e45b8e8cb09c5fa136e97a9c2e565c0fb8c53de0721

        SHA512

        430422260621f9c82ff758cc1ba9fbada876b7c1be46591d4f99e8048fc7115e85b712640b43383cfc76868f39746b49e5e58a97ad12284fb7891aaac74394aa

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        Filesize

        3.9MB

        MD5

        02569a7a91a71133d4a1023bf32aa6f4

        SHA1

        0f16bcb3f3f085d3d3be912195558e9f9680d574

        SHA256

        8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

        SHA512

        534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

        Download Submit

      • memory/804-53-0x0000000140000000-0x0000000140B75000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/804-52-0x0000000140000000-0x0000000140B75000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/804-65-0x0000000001F50000-0x0000000001F70000-memory.dmp

        Filesize

        128KB

        Download

      • memory/804-64-0x0000000001F30000-0x0000000001F50000-memory.dmp

        Filesize

        128KB

        Download

      • memory/804-63-0x0000000140000000-0x0000000140B75000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/804-62-0x0000000001F10000-0x0000000001F30000-memory.dmp

        Filesize

        128KB

        Download

      • memory/804-61-0x0000000001EF0000-0x0000000001F10000-memory.dmp

        Filesize

        128KB

        Download

      • memory/804-59-0x0000000140000000-0x0000000140B75000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/804-58-0x0000000140000000-0x0000000140B75000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/804-57-0x0000000001F50000-0x0000000001F70000-memory.dmp

        Filesize

        128KB

        Download

      • memory/804-56-0x0000000001F30000-0x0000000001F50000-memory.dmp

        Filesize

        128KB

        Download

      • memory/804-55-0x0000000001F10000-0x0000000001F30000-memory.dmp

        Filesize

        128KB

        Download

      • memory/804-54-0x0000000001EF0000-0x0000000001F10000-memory.dmp

        Filesize

        128KB

        Download

      • memory/804-60-0x0000000140000000-0x0000000140B75000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/2064-4-0x00000000051A0000-0x0000000005216000-memory.dmp

        Filesize

        472KB

        Download

      • memory/2064-5-0x0000000005120000-0x000000000513E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2064-10-0x0000000075140000-0x00000000758F0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2064-1-0x0000000075140000-0x00000000758F0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2064-2-0x0000000005190000-0x00000000051A0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2064-0-0x00000000006B0000-0x00000000008A0000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/2064-3-0x00000000050C0000-0x00000000050E0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2080-26-0x0000000000510000-0x0000000000524000-memory.dmp

        Filesize

        80KB

        Download

      • memory/2080-25-0x0000000140000000-0x0000000140B75000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/2080-27-0x0000000140000000-0x0000000140B75000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/3840-36-0x00000000030C0000-0x00000000030D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3840-14-0x00000000030C0000-0x00000000030D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3840-13-0x0000000005B70000-0x0000000005BD6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/3840-6-0x0000000000400000-0x00000000007FE000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/3840-33-0x0000000075140000-0x00000000758F0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3840-9-0x0000000075140000-0x00000000758F0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4792-30-0x0000000000530000-0x0000000000550000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4792-48-0x0000000002140000-0x0000000002160000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4792-40-0x0000000140000000-0x0000000140B75000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/4792-49-0x0000000002160000-0x0000000002180000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4792-32-0x0000000140000000-0x0000000140B75000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/4792-44-0x0000000002120000-0x0000000002140000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4792-43-0x0000000000550000-0x0000000000570000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4792-42-0x0000000140000000-0x0000000140B75000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/4792-41-0x0000000140000000-0x0000000140B75000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/4792-34-0x0000000000550000-0x0000000000570000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4792-38-0x0000000002160000-0x0000000002180000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4792-37-0x0000000002140000-0x0000000002160000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4792-39-0x0000000140000000-0x0000000140B75000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/4792-35-0x0000000002120000-0x0000000002140000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4792-46-0x0000000000550000-0x0000000000570000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4792-47-0x0000000002120000-0x0000000002140000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4792-45-0x0000000140000000-0x0000000140B75000-memory.dmp

        Filesize

        11.5MB

        Download

      • memory/4792-31-0x0000000140000000-0x0000000140B75000-memory.dmp

        Filesize

        11.5MB

        Download