Overview

overview

10

Static

static

3

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-06-2024 09:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9a4c96b227213b7049f851572487d42c994220bbf584f631bf347a507b684c1a.exe

  • Size

    4.8MB

  • MD5

    1fecbc51b5620e578c48a12ebeb19bc2

  • SHA1

    94fe551f4fb3ff76a0be99a962dc20fc2656453e

  • SHA256

    9a4c96b227213b7049f851572487d42c994220bbf584f631bf347a507b684c1a

  • SHA512

    ede6f39946562e253fcafe225292db32ba30f9476557304ae1769830e3a46c660920c304ca42d52544411e41acfc1bf206c829c98d61948cb595b1fa0105e2d7

  • SSDEEP

    98304:6qwWqwfM8jZlts7Dnfg+u5NIg1GbnBH9Ltl4NFA0kA8X1KpWQMg:6qwWqw0v7DnZu5NnobnDtl4TjZ8X1/Qf

Score
10/10
loaderbotxmrigloaderminerpersistence

Malware Config

Extracted

Family

loaderbot

C2

https://cv99160.tw1.ru/cmd.php

Signatures

  • LoaderBot

    LoaderBot is a loader written in .NET downloading and executing miners.

    loaderminerloaderbot
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • LoaderBot executable 2 IoCs
  • XMRig Miner payload 16 IoCs
    miner
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a4c96b227213b7049f851572487d42c994220bbf584f631bf347a507b684c1a.exe
    "C:\Users\Admin\AppData\Local\Temp\9a4c96b227213b7049f851572487d42c994220bbf584f631bf347a507b684c1a.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:320
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\rolex.exe
        rolex.exe -priverdD
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2452
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\yondex.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\yondex.exe"
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3404
          • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
            "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 49P3pcAzUyQGZCctcW2i6KGBfC5noZALZ4wryTdxqn8YRbZJnB4f2ee6F7vGGFwqgQEb5QdAe3oWW72bsbnBcPetADGCrmw -p x -k -v=0 --donate-level=0 -t 4
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:4932
          • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
            "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 49P3pcAzUyQGZCctcW2i6KGBfC5noZALZ4wryTdxqn8YRbZJnB4f2ee6F7vGGFwqgQEb5QdAe3oWW72bsbnBcPetADGCrmw -p x -k -v=0 --donate-level=0 -t 4
            5⤵
            • Executes dropped EXE
            PID:2168
          • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
            "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 49P3pcAzUyQGZCctcW2i6KGBfC5noZALZ4wryTdxqn8YRbZJnB4f2ee6F7vGGFwqgQEb5QdAe3oWW72bsbnBcPetADGCrmw -p x -k -v=0 --donate-level=0 -t 4
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1984

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
    Filesize

    36B

    MD5

    ce32eea7c273547d3fb75f8e4191e25a

    SHA1

    07d0edd1f64c799b01da4e670126b4b2c5091dde

    SHA256

    940d3c2d3a6665d5017c0bf64120a71b2ce61106ae015399282ae8f4656cb91f

    SHA512

    56da0be9e79b98fb276a6d5a26b2fe06035d46e299fc6e6cb4e04bb396d119204881518e93f2184a68aa34ff024f81281f131ff0f98cf39541cf857c96da95d4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\rolex.exe
    Filesize

    4.4MB

    MD5

    8866d677a3309a0ad903f37557c5941b

    SHA1

    2b03d0c6cb74defedfc31154c57b073c889ea11a

    SHA256

    ecbccacd00cdf38870bea7d203909da1ea2261477125ff7e0bdcef5f3fc4d17d

    SHA512

    15535e08a5e224941610c90f0ba3921bb3a1911380889d393aedbc2e4806910171c81005cda27d23466292daec606abcb94d0fbf546430d70ea21de15cfe406e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\yondex.exe
    Filesize

    4.0MB

    MD5

    bd2413c32e34d0031f7881d51ae731ff

    SHA1

    8771733c460f22adc0e1865f0b3f2ac19e9c1001

    SHA256

    277e5a809506398685fe20ba674b7f3f75b2e04a34c2b150a84088b266138894

    SHA512

    612c8b9f86308b13342cef00b9166084bf36f44addd139a0123f84cf9711fb2f03e15e4a0b3d95a6deaafb60bca1cc1436514b2b96f4aaf18b094534c94974cf

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    Filesize

    3.9MB

    MD5

    02569a7a91a71133d4a1023bf32aa6f4

    SHA1

    0f16bcb3f3f085d3d3be912195558e9f9680d574

    SHA256

    8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

    SHA512

    534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

    Download Submit

  • memory/1984-54-0x0000000140000000-0x0000000140B75000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/1984-53-0x0000000140000000-0x0000000140B75000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/1984-59-0x0000000140000000-0x0000000140B75000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/1984-58-0x0000000140000000-0x0000000140B75000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/1984-57-0x0000000140000000-0x0000000140B75000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/1984-56-0x0000000140000000-0x0000000140B75000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/1984-46-0x0000000140000000-0x0000000140B75000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/1984-47-0x0000000140000000-0x0000000140B75000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/1984-48-0x0000000140000000-0x0000000140B75000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/1984-49-0x0000000140000000-0x0000000140B75000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/1984-50-0x0000000140000000-0x0000000140B75000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/1984-51-0x0000000140000000-0x0000000140B75000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/1984-52-0x0000000140000000-0x0000000140B75000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/1984-55-0x0000000140000000-0x0000000140B75000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/2168-43-0x0000000140000000-0x0000000140B75000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/3404-22-0x0000000000020000-0x000000000041E000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/3404-25-0x00000000050B0000-0x0000000005116000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4932-39-0x0000000140000000-0x0000000140B75000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/4932-37-0x0000000001FB0000-0x0000000001FC4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4932-36-0x0000000140000000-0x0000000140B75000-memory.dmp

    Filesize

    11.5MB

    Download