loaderbot | 176402f749dfb2bf03b9dc1131b7340de63bf204490c6df9e7cb5dcfbf4270ee

Analysis

max time kernel
18s
max time network
41s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
18/05/2024, 21:05 UTC

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

56c8c048e10d2922c2130aab4509e0aa_JaffaCakes118.exe
Size

1.8MB
MD5

56c8c048e10d2922c2130aab4509e0aa
SHA1

8082a9a6050e497ed4613e352d440b186fd19796
SHA256

176402f749dfb2bf03b9dc1131b7340de63bf204490c6df9e7cb5dcfbf4270ee
SHA512

387f86e764065fcc455eed2c5c2a81b93befe53568147a2e3a56d6cbefad7bdd77c56dba7f04ba711a0eb7d52a267dd26ea99b660b0e2a1433a9c5bd3eb4385a
SSDEEP

49152:HkSQoVCh6f19ne81HbOQDP3D5rtAVBjovA0P9S7w:HkzoQ698YH60NpADjovA0Mc

Score

10^/10

loaderbot xmrig loader miner persistence

Malware Config

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

LoaderBot executable 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023412-20.dat	loaderbot
behavioral2/memory/1620-26-0x0000000000460000-0x00000000007F2000-memory.dmp	loaderbot

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/memory/3624-68-0x0000000140000000-0x00000001404AB000-memory.dmp	xmrig
behavioral2/memory/3624-86-0x0000000140000000-0x00000001404AB000-memory.dmp	xmrig

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	sdfadgfbfsga.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	svchost.exe

Cryptocurrency Miner
Makes network request to known mining pool URL.
miner

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	svchost.exe

Executes dropped EXE 4 IoCs

pid	Process
1048	sdfadgfbfsga.exe
1572	svshost.exe
1620	svchost.exe
3624	Driver.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Time Manager = "C:\\ProgramData\\TimeManager.exe"	Explorer.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\SA.DAT	svchost.exe
File opened for modification	C:\Windows\Tasks\SA.DAT	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Explorer.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4660	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1572	svshost.exe
1572	svshost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe
1620	svchost.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	1572	svshost.exe
Token: SeDebugPrivilege	1620	svchost.exe
Token: SeLockMemoryPrivilege	3624	Driver.exe
Token: SeLockMemoryPrivilege	3624	Driver.exe
Token: SeAuditPrivilege	4524	svchost.exe
Token: SeAuditPrivilege	872	svchost.exe
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeShutdownPrivilege	3392	Explorer.EXE
Token: SeCreatePagefilePrivilege	3392	Explorer.EXE
Token: SeAuditPrivilege	4364	svchost.exe
Token: SeAuditPrivilege	3060	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3392	Explorer.EXE
3392	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3392	Explorer.EXE
3392	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 1048	2984	56c8c048e10d2922c2130aab4509e0aa_JaffaCakes118.exe	82
PID 2984 wrote to memory of 1048	2984	56c8c048e10d2922c2130aab4509e0aa_JaffaCakes118.exe	82
PID 2984 wrote to memory of 1048	2984	56c8c048e10d2922c2130aab4509e0aa_JaffaCakes118.exe	82
PID 1048 wrote to memory of 1572	1048	sdfadgfbfsga.exe	83
PID 1048 wrote to memory of 1572	1048	sdfadgfbfsga.exe	83
PID 1048 wrote to memory of 1572	1048	sdfadgfbfsga.exe	83
PID 1048 wrote to memory of 1620	1048	sdfadgfbfsga.exe	85
PID 1048 wrote to memory of 1620	1048	sdfadgfbfsga.exe	85
PID 1048 wrote to memory of 1620	1048	sdfadgfbfsga.exe	85
PID 1572 wrote to memory of 3392	1572	svshost.exe	56
PID 1572 wrote to memory of 3392	1572	svshost.exe	56
PID 1572 wrote to memory of 3392	1572	svshost.exe	56
PID 1572 wrote to memory of 3392	1572	svshost.exe	56
PID 1572 wrote to memory of 3392	1572	svshost.exe	56
PID 1572 wrote to memory of 3392	1572	svshost.exe	56
PID 1572 wrote to memory of 3392	1572	svshost.exe	56
PID 1572 wrote to memory of 3392	1572	svshost.exe	56
PID 1572 wrote to memory of 3392	1572	svshost.exe	56
PID 1572 wrote to memory of 3392	1572	svshost.exe	56
PID 1572 wrote to memory of 3392	1572	svshost.exe	56
PID 1620 wrote to memory of 3624	1620	svchost.exe	92
PID 1620 wrote to memory of 3624	1620	svchost.exe	92

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3392
- C:\Users\Admin\AppData\Local\Temp\56c8c048e10d2922c2130aab4509e0aa_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\56c8c048e10d2922c2130aab4509e0aa_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Users\Admin\AppData\Roaming\sdfadgfbfsga.exe
    "C:\Users\Admin\AppData\Roaming\sdfadgfbfsga.exe" -s -p6dv8vdadv6z8vzdvasfav
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Users\Admin\AppData\Roaming\svshost.exe
      "C:\Users\Admin\AppData\Roaming\svshost.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1572
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1620
    - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u Lobsterkiller184@gmail.com -p x -k -v=0 --donate-level=1 -t 4
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Suspicious behavior: AddClipboardFormatListener
PID:4660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:3120

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:4676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:4396

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:3952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1944

Network

DNS

google-public-dns-b.google.com

svshost.exe

Remote address:

8.8.8.8:53

Request

google-public-dns-b.google.com

IN A

Response

google-public-dns-b.google.com

IN A

8.8.4.4
DNS

183.142.211.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

183.142.211.20.in-addr.arpa

IN PTR

Response
DNS

0.204.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.204.248.87.in-addr.arpa

IN PTR

Response

0.204.248.87.in-addr.arpa

IN PTR

https-87-248-204-0lhrllnwnet
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De82tdFCNivUIowq14-7zzRTTVUCUzAzkfsIM5ksG3B91N41hH1gzQFM-xU9Lyyiv4zb3x2AoarFs3oTwJZEAjcJj3zpSSlBlbNsd-ejShol_o5oELpaX_emhI7C0Xp2RivsfWWGP7bFn8XqmxvR9aBazWuq0uJjuKZ0QAkMhddM03OK0db%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Df54b9e317e9c1cde4894f81ad692239b&TIME=20240426T131214Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De82tdFCNivUIowq14-7zzRTTVUCUzAzkfsIM5ksG3B91N41hH1gzQFM-xU9Lyyiv4zb3x2AoarFs3oTwJZEAjcJj3zpSSlBlbNsd-ejShol_o5oELpaX_emhI7C0Xp2RivsfWWGP7bFn8XqmxvR9aBazWuq0uJjuKZ0QAkMhddM03OK0db%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Df54b9e317e9c1cde4894f81ad692239b&TIME=20240426T131214Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=37C1836B82306B1F2F5697E883D06A55; domain=.bing.com; expires=Thu, 12-Jun-2025 21:05:21 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 962D737A3B444866A56D4E2AEF7CC176 Ref B: LON04EDGE1014 Ref C: 2024-05-18T21:05:21Z
date: Sat, 18 May 2024 21:05:21 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De82tdFCNivUIowq14-7zzRTTVUCUzAzkfsIM5ksG3B91N41hH1gzQFM-xU9Lyyiv4zb3x2AoarFs3oTwJZEAjcJj3zpSSlBlbNsd-ejShol_o5oELpaX_emhI7C0Xp2RivsfWWGP7bFn8XqmxvR9aBazWuq0uJjuKZ0QAkMhddM03OK0db%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Df54b9e317e9c1cde4894f81ad692239b&TIME=20240426T131214Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De82tdFCNivUIowq14-7zzRTTVUCUzAzkfsIM5ksG3B91N41hH1gzQFM-xU9Lyyiv4zb3x2AoarFs3oTwJZEAjcJj3zpSSlBlbNsd-ejShol_o5oELpaX_emhI7C0Xp2RivsfWWGP7bFn8XqmxvR9aBazWuq0uJjuKZ0QAkMhddM03OK0db%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Df54b9e317e9c1cde4894f81ad692239b&TIME=20240426T131214Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6 HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=37C1836B82306B1F2F5697E883D06A55; _EDGE_S=SID=361913FBC314687F005D0778C24369FA

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=obCJo1kHh8gGuVFpEHEB0LtFpP6bPhpvcV9qmhTYoAQ; domain=.bing.com; expires=Thu, 12-Jun-2025 21:05:22 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 994D409B00E64DDEA51C41C15DA67C3D Ref B: LON04EDGE1014 Ref C: 2024-05-18T21:05:22Z
date: Sat, 18 May 2024 21:05:22 GMT
GET

https://www.bing.com/aes/c.gif?RG=78db10e17ef64e31b5586337470e4836&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131214Z&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984

Remote address:

23.62.61.97:443

Request

GET /aes/c.gif?RG=78db10e17ef64e31b5586337470e4836&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131214Z&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=37C1836B82306B1F2F5697E883D06A55

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 9FDEF5C282604445A950A3755189DEAC Ref B: AMS04EDGE1106 Ref C: 2024-05-18T21:05:22Z
content-length: 0
date: Sat, 18 May 2024 21:05:22 GMT
set-cookie: _EDGE_S=SID=361913FBC314687F005D0778C24369FA; path=/; httponly; domain=bing.com
set-cookie: MUIDB=37C1836B82306B1F2F5697E883D06A55; path=/; httponly; expires=Thu, 12-Jun-2025 21:05:22 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.5d3d3e17.1716066322.a41250d
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

74.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

74.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

97.61.62.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.61.62.23.in-addr.arpa

IN PTR

Response

97.61.62.23.in-addr.arpa

IN PTR

a23-62-61-97deploystaticakamaitechnologiescom
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

xmr.pool.minergate.com

Driver.exe

Remote address:

8.8.8.8:53

Request

xmr.pool.minergate.com

IN A

Response

xmr.pool.minergate.com

IN CNAME

pool.minergate.com

pool.minergate.com

IN A

49.12.80.40

pool.minergate.com

IN A

49.12.80.38

pool.minergate.com

IN A

49.12.80.39
DNS

57.169.31.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

57.169.31.20.in-addr.arpa

IN PTR

Response
GET

https://www.bing.com/th?id=OADD2.10239356736264_1E1NQW5LZ8SVSGPEK&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

Remote address:

23.62.61.97:443

Request

GET /th?id=OADD2.10239356736264_1E1NQW5LZ8SVSGPEK&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=37C1836B82306B1F2F5697E883D06A55; _EDGE_S=SID=361913FBC314687F005D0778C24369FA; MSPTC=obCJo1kHh8gGuVFpEHEB0LtFpP6bPhpvcV9qmhTYoAQ; MUIDB=37C1836B82306B1F2F5697E883D06A55
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 999
date: Sat, 18 May 2024 21:05:26 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.5d3d3e17.1716066326.a41378e
DNS

xmr.pool.minergate.com

Driver.exe

Remote address:

8.8.8.8:53

Request

xmr.pool.minergate.com

IN A

Response

xmr.pool.minergate.com

IN CNAME

pool.minergate.com

pool.minergate.com

IN A

49.12.80.39

pool.minergate.com

IN A

49.12.80.38

pool.minergate.com

IN A

49.12.80.40
DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

xmr.pool.minergate.com

Driver.exe

Remote address:

8.8.8.8:53

Request

xmr.pool.minergate.com

IN A

Response

xmr.pool.minergate.com

IN CNAME

pool.minergate.com

pool.minergate.com

IN A

49.12.80.38

pool.minergate.com

IN A

49.12.80.40

pool.minergate.com

IN A

49.12.80.39

204.79.197.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De82tdFCNivUIowq14-7zzRTTVUCUzAzkfsIM5ksG3B91N41hH1gzQFM-xU9Lyyiv4zb3x2AoarFs3oTwJZEAjcJj3zpSSlBlbNsd-ejShol_o5oELpaX_emhI7C0Xp2RivsfWWGP7bFn8XqmxvR9aBazWuq0uJjuKZ0QAkMhddM03OK0db%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Df54b9e317e9c1cde4894f81ad692239b&TIME=20240426T131214Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6

tls, http2

2.5kB
9.0kB
19
17

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De82tdFCNivUIowq14-7zzRTTVUCUzAzkfsIM5ksG3B91N41hH1gzQFM-xU9Lyyiv4zb3x2AoarFs3oTwJZEAjcJj3zpSSlBlbNsd-ejShol_o5oELpaX_emhI7C0Xp2RivsfWWGP7bFn8XqmxvR9aBazWuq0uJjuKZ0QAkMhddM03OK0db%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Df54b9e317e9c1cde4894f81ad692239b&TIME=20240426T131214Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De82tdFCNivUIowq14-7zzRTTVUCUzAzkfsIM5ksG3B91N41hH1gzQFM-xU9Lyyiv4zb3x2AoarFs3oTwJZEAjcJj3zpSSlBlbNsd-ejShol_o5oELpaX_emhI7C0Xp2RivsfWWGP7bFn8XqmxvR9aBazWuq0uJjuKZ0QAkMhddM03OK0db%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3Df54b9e317e9c1cde4894f81ad692239b&TIME=20240426T131214Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6

HTTP Response

204
23.62.61.97:443

https://www.bing.com/aes/c.gif?RG=78db10e17ef64e31b5586337470e4836&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131214Z&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984

tls, http2

1.5kB
5.4kB
17
12

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=78db10e17ef64e31b5586337470e4836&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T131214Z&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984

HTTP Response

200
49.12.80.38:45700

xmr.pool.minergate.com

Driver.exe

260 B
200 B
5
5
23.62.61.97:443

https://www.bing.com/th?id=OADD2.10239356736264_1E1NQW5LZ8SVSGPEK&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

tls, http2

1.6kB
6.3kB
17
12

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239356736264_1E1NQW5LZ8SVSGPEK&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

HTTP Response

200
49.12.80.38:45700

xmr.pool.minergate.com

Driver.exe

260 B
200 B
5
5
178.21.11.90:25998

Explorer.EXE

260 B
200 B
5
5
49.12.80.38:45700

xmr.pool.minergate.com

260 B
200 B
5
5
178.21.11.90:25998

156 B
120 B
3
3
49.12.80.40:45700

xmr.pool.minergate.com

52 B
208 B
1
4

8.8.8.8:53

google-public-dns-b.google.com

dns

svshost.exe

76 B
92 B
1
1

DNS Request

google-public-dns-b.google.com

DNS Response

8.8.4.4
8.8.8.8:53

183.142.211.20.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

183.142.211.20.in-addr.arpa
8.8.8.8:53

0.204.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

0.204.248.87.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

74.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

74.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

97.61.62.23.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

97.61.62.23.in-addr.arpa
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

xmr.pool.minergate.com

dns

Driver.exe

68 B
130 B
1
1

DNS Request

xmr.pool.minergate.com

DNS Response

49.12.80.40

49.12.80.38

49.12.80.39
8.8.8.8:53

57.169.31.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

57.169.31.20.in-addr.arpa
8.8.8.8:53

xmr.pool.minergate.com

dns

Driver.exe

68 B
130 B
1
1

DNS Request

xmr.pool.minergate.com

DNS Response

49.12.80.39

49.12.80.38

49.12.80.40
8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

xmr.pool.minergate.com

dns

Driver.exe

68 B
130 B
1
1

DNS Request

xmr.pool.minergate.com

DNS Response

49.12.80.38

49.12.80.40

49.12.80.39

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TimeManager.exe

Filesize
240KB

MD5
21c580fec61c0ae44a7b99cea7ea697d

SHA1
c0cdccf33c0d72dbd00dc84d74cdc9e7afd6bd54

SHA256
e9095540ae0b91af9908f5a80ccfbffc2dfa27de015a78e66a42fe11e7803668

SHA512
3fae960dbe784d22adaa126c70bbcbbde43d38bb406db6d666234dc007db9d2adb8fe6ba3c459362b62ad6f3a49e0948c4728198be15a1f3c55b2a5fdddec2a9

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.5MB

MD5
cf36d20a96903fb4d0e92eb4fe873ab8

SHA1
c789a22bd215bfc2a698fda1295f295745f34d35

SHA256
d38ee5052fa13de8b3db050fe84fb89e7946446e2cd5b826fbd31792e406aae2

SHA512
d117cecf9ef9d1f2aab1bd80f6947872c8cc8e18a36ce41f1cb25b1fac008e9c5fae7f0f0093f78835b3967582f7556fd626fd8c8c1fa32d41359ef0206e9535

Download Submit
C:\Users\Admin\AppData\Roaming\sdfadgfbfsga.exe

Filesize
1.9MB

MD5
eff8e6a7ebcbd89040e76016b05f39aa

SHA1
6bc64b0e081d171596c1a774ba56e7d3180de4e8

SHA256
68ccc794872d16dcda0be4cbe98483bab0f9d69c63c4094e278085fbd4b046e4

SHA512
0ee9c9b33f1d576a4b090a359fb5ea2613f437c5eaa309d99ab1551edce3aaa3361b6ccf580e7eb448af60ef3b5e0ece6cf0b2cc3efa46cee476264097a25dcc

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
3.6MB

MD5
2b393ba5e5ad8a75f4dad72877bacd70

SHA1
cb3fef3f8a761892567eb064f29a24625dfea6f5

SHA256
381f70e51d18dbb18ac3e280085f8c43bceed7d67a0f71c13b10ec622c648c3b

SHA512
8a93d77366c8a3c0d28b61c4440829ecae70fe845f4410eefcee1ef369071ec3789de2ac48f301c42bde31db79054a0d2928055490b7b9fc22ffd9a1d5268a6b

Download Submit
C:\Users\Admin\AppData\Roaming\svshost.exe

Filesize
240KB

MD5
e1d65b4deb9cf804673247f96da16754

SHA1
b529ee84ae305713de91a83aa822012b20cb00f1

SHA256
e4a936c2d6c3a168fdd3fa394007d237af82cdd7cefabc8c275e2b9d4b59e640

SHA512
2c04ab097df684c5b2b7c6228a383eb80434fa3979de556f6448aa603d22ca61815c8246302309416480016c2b591568654d578dd7941cef455bd1436df9ff40

Download Submit
C:\Windows\Tasks\SA.DAT

Filesize
6B

MD5
f1a6cd5adaab953a6764ea364e17bfb8

SHA1
c99a1eb2d8974a667d2e0bc2dc1efcbe0ef23387

SHA256
12dc5ccd7fecafe070976a1916e9672e3d53085633c86957aee305ccc584184c

SHA512
da8cc20e0c0f48a975f97fc133ba4e99de6771163465d03f1cc0e3019fedfe0afa99799b9e343610a941218b19c9117b12e4ab86911d04c2908b6db44523e84c

Download Submit
memory/1572-25-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1572-30-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1572-19-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1620-26-0x0000000000460000-0x00000000007F2000-memory.dmp

Filesize
3.6MB

Download
memory/1620-43-0x0000000005B90000-0x0000000005BF6000-memory.dmp

Filesize
408KB

Download
memory/2828-56-0x000001E528B30000-0x000001E528B40000-memory.dmp

Filesize
64KB

Download
memory/2828-62-0x000001E528B90000-0x000001E528BA0000-memory.dmp

Filesize
64KB

Download
memory/3392-40-0x0000000002BA0000-0x0000000002BBA000-memory.dmp

Filesize
104KB

Download
memory/3392-38-0x0000000002BA0000-0x0000000002BBA000-memory.dmp

Filesize
104KB

Download
memory/3392-39-0x0000000002BA0000-0x0000000002BBA000-memory.dmp

Filesize
104KB

Download
memory/3392-32-0x0000000002BA0000-0x0000000002BBA000-memory.dmp

Filesize
104KB

Download
memory/3392-28-0x0000000002BA0000-0x0000000002BBA000-memory.dmp

Filesize
104KB

Download
memory/3624-53-0x0000000140000000-0x00000001404AB000-memory.dmp

Filesize
4.7MB

Download
memory/3624-55-0x0000000000520000-0x0000000000530000-memory.dmp

Filesize
64KB

Download
memory/3624-68-0x0000000140000000-0x00000001404AB000-memory.dmp

Filesize
4.7MB

Download
memory/3624-86-0x0000000140000000-0x00000001404AB000-memory.dmp

Filesize
4.7MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.