loaderbot | db0c5e3400f28450267c71c812c3b95d63d3a9a467508c7b3b387f5f7c0c6820

Analysis

max time kernel
158s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
14-03-2022 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db0c5e3400f28450267c71c812c3b95d63d3a9a467508c7b3b387f5f7c0c6820.exe
Size

1.6MB
MD5

4017606e11e4713b64376e2370e2af1b
SHA1

008767b820c9b20f1f372649c037529b5639c163
SHA256

db0c5e3400f28450267c71c812c3b95d63d3a9a467508c7b3b387f5f7c0c6820
SHA512

0892083dc4d8c4e0678575a50fec988128fc4cb6cf9406557abab6283c04ed38e37d04b16c0acf3321a2c584c782a48295031dd395008de6e8c6c93cec3e0715

Score

10^/10

loaderbot discovery loader miner persistence

Malware Config

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner

LoaderBot executable 3 IoCs

resource	yara_rule
behavioral2/files/0x000300000002061f-137.dat	loaderbot
behavioral2/files/0x000300000002061f-138.dat	loaderbot
behavioral2/memory/4756-140-0x00000000009A0000-0x0000000000D9E000-memory.dmp	loaderbot

Nirsoft 2 IoCs

resource	yara_rule
behavioral2/files/0x000300000002061e-136.dat	Nirsoft
behavioral2/files/0x000300000002061e-135.dat	Nirsoft

Executes dropped EXE 4 IoCs

pid	Process
1500	LastActivityView.exe
4756	Mini.exe
4716	Driver.exe
3520	Driver.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	db0c5e3400f28450267c71c812c3b95d63d3a9a467508c7b3b387f5f7c0c6820.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	Mini.exe

Cryptocurrency Miner
Makes network request to known mining pool URL.
miner

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	Mini.exe

Loads dropped DLL 1 IoCs

pid	Process
1712	db0c5e3400f28450267c71c812c3b95d63d3a9a467508c7b3b387f5f7c0c6820.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\Mini.exe"	Mini.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
876	4716	WerFault.exe	89

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe
4756	Mini.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1500	LastActivityView.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4756	Mini.exe
Token: SeBackupPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeBackupPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeBackupPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe
Token: SeSecurityPrivilege	1500	LastActivityView.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 1500	1712	db0c5e3400f28450267c71c812c3b95d63d3a9a467508c7b3b387f5f7c0c6820.exe	81
PID 1712 wrote to memory of 1500	1712	db0c5e3400f28450267c71c812c3b95d63d3a9a467508c7b3b387f5f7c0c6820.exe	81
PID 1712 wrote to memory of 1500	1712	db0c5e3400f28450267c71c812c3b95d63d3a9a467508c7b3b387f5f7c0c6820.exe	81
PID 1712 wrote to memory of 4756	1712	db0c5e3400f28450267c71c812c3b95d63d3a9a467508c7b3b387f5f7c0c6820.exe	82
PID 1712 wrote to memory of 4756	1712	db0c5e3400f28450267c71c812c3b95d63d3a9a467508c7b3b387f5f7c0c6820.exe	82
PID 1712 wrote to memory of 4756	1712	db0c5e3400f28450267c71c812c3b95d63d3a9a467508c7b3b387f5f7c0c6820.exe	82
PID 4756 wrote to memory of 4716	4756	Mini.exe	89
PID 4756 wrote to memory of 4716	4756	Mini.exe	89
PID 4756 wrote to memory of 3520	4756	Mini.exe	94
PID 4756 wrote to memory of 3520	4756	Mini.exe	94

C:\Users\Admin\AppData\Local\Temp\db0c5e3400f28450267c71c812c3b95d63d3a9a467508c7b3b387f5f7c0c6820.exe
"C:\Users\Admin\AppData\Local\Temp\db0c5e3400f28450267c71c812c3b95d63d3a9a467508c7b3b387f5f7c0c6820.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Roaming\1337\LastActivityView.exe
  "C:\Users\Admin\AppData\Roaming\1337\LastActivityView.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1500
- C:\Users\Admin\AppData\Roaming\1337\Mini.exe
  "C:\Users\Admin\AppData\Roaming\1337\Mini.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    PID:4716
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4716 -s 908
      4⤵
      Program crash
      PID:876
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    PID:3520

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 184 -p 4716 -ip 4716
1⤵
PID:636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3520-150-0x00000000004F0000-0x0000000000510000-memory.dmp

Filesize
128KB

Download
memory/4716-146-0x00000000004D0000-0x00000000004F0000-memory.dmp

Filesize
128KB

Download
memory/4716-145-0x00000000001D0000-0x00000000001E4000-memory.dmp

Filesize
80KB

Download
memory/4716-147-0x00000000004F0000-0x0000000000510000-memory.dmp

Filesize
128KB

Download
memory/4756-142-0x00000000059F0000-0x0000000005A56000-memory.dmp

Filesize
408KB

Download
memory/4756-141-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/4756-140-0x00000000009A0000-0x0000000000D9E000-memory.dmp

Filesize
4.0MB

Download
memory/4756-139-0x0000000075190000-0x0000000075940000-memory.dmp

Filesize
7.7MB

Download