loaderbot | 9c1239bb4fe8eec6acbe9c05ffccfcb21b80a8d47f4dc450dd397a8ad929a0f5

Analysis

max time kernel
72s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20220331-en
submitted
27-03-2022 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c1239bb4fe8eec6acbe9c05ffccfcb21b80a8d47f4dc450dd397a8ad929a0f5.exe
Size

3.2MB
MD5

97c8be4ed9625e74a216dfb8d19d324c
SHA1

f52348e8024c80003fe1d8b9472c0e0f7faa1afc
SHA256

9c1239bb4fe8eec6acbe9c05ffccfcb21b80a8d47f4dc450dd397a8ad929a0f5
SHA512

ae01815e0b3facdccd8f122afb7123e3e2b6e64c0d353744426794ef47823beda4e51dfab4f0553e3197f880a3afecac9860d4d3074928bb12465d0d492db970

Score

10^/10

loaderbot loader miner persistence

Malware Config

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner

LoaderBot executable 1 IoCs

resource	yara_rule
behavioral2/memory/5116-132-0x00000000000F0000-0x0000000000852000-memory.dmp	loaderbot

Executes dropped EXE 4 IoCs

pid	Process
3452	MinerS_protected.sfx.exe
5116	MinerS_protected.exe
3424	Driver.exe
2028	Driver.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation	9c1239bb4fe8eec6acbe9c05ffccfcb21b80a8d47f4dc450dd397a8ad929a0f5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation	MinerS_protected.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation	MinerS_protected.exe

Cryptocurrency Miner
Makes network request to known mining pool URL.
miner

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	MinerS_protected.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\MinerS_protected.exe"	MinerS_protected.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1180	3424	WerFault.exe	82

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe
5116	MinerS_protected.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
652	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	5116	MinerS_protected.exe
Token: SeLockMemoryPrivilege	3424	Driver.exe
Token: SeLockMemoryPrivilege	3424	Driver.exe
Token: SeLockMemoryPrivilege	2028	Driver.exe
Token: SeLockMemoryPrivilege	2028	Driver.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5116	MinerS_protected.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 2796	1608	9c1239bb4fe8eec6acbe9c05ffccfcb21b80a8d47f4dc450dd397a8ad929a0f5.exe	77
PID 1608 wrote to memory of 2796	1608	9c1239bb4fe8eec6acbe9c05ffccfcb21b80a8d47f4dc450dd397a8ad929a0f5.exe	77
PID 1608 wrote to memory of 2796	1608	9c1239bb4fe8eec6acbe9c05ffccfcb21b80a8d47f4dc450dd397a8ad929a0f5.exe	77
PID 2796 wrote to memory of 3452	2796	cmd.exe	80
PID 2796 wrote to memory of 3452	2796	cmd.exe	80
PID 2796 wrote to memory of 3452	2796	cmd.exe	80
PID 3452 wrote to memory of 5116	3452	MinerS_protected.sfx.exe	81
PID 3452 wrote to memory of 5116	3452	MinerS_protected.sfx.exe	81
PID 3452 wrote to memory of 5116	3452	MinerS_protected.sfx.exe	81
PID 5116 wrote to memory of 3424	5116	MinerS_protected.exe	82
PID 5116 wrote to memory of 3424	5116	MinerS_protected.exe	82
PID 5116 wrote to memory of 2028	5116	MinerS_protected.exe	88
PID 5116 wrote to memory of 2028	5116	MinerS_protected.exe	88

C:\Users\Admin\AppData\Local\Temp\9c1239bb4fe8eec6acbe9c05ffccfcb21b80a8d47f4dc450dd397a8ad929a0f5.exe
"C:\Users\Admin\AppData\Local\Temp\9c1239bb4fe8eec6acbe9c05ffccfcb21b80a8d47f4dc450dd397a8ad929a0f5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\start.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\MinerS_protected.sfx.exe
    MinerS_protected.sfx -pdsfoj345325onsndgnjs4012 -dc : \
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3452
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\MinerS_protected.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\MinerS_protected.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops startup file
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5116
    - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3424
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3424 -s 764
        6⤵
        Program crash
        
        PID:1180
    - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 3424 -ip 3424
1⤵
PID:4260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MinerS_protected.sfx.exe

Filesize
3.0MB

MD5
051e2a5bbe7b16a80baba44d6e15437e

SHA1
7f3f679c6ecdaddf951ea4ff801abcfbf5f57597

SHA256
b7ec4115cf563c6e830f4b3cdcc9672c03cbe217ea280a55d7fee01ef9019a2f

SHA512
eab379360255f684bc0963cc23d729c1d50fa513af016d7b12b0f48fbc0f96de5d14e96833732a9ca39d736115db8845e5e55d7bf3f54449caa5e4d8bf70f967

Download Submit
C:\MinerS_protected.sfx.exe

Filesize
3.0MB

MD5
051e2a5bbe7b16a80baba44d6e15437e

SHA1
7f3f679c6ecdaddf951ea4ff801abcfbf5f57597

SHA256
b7ec4115cf563c6e830f4b3cdcc9672c03cbe217ea280a55d7fee01ef9019a2f

SHA512
eab379360255f684bc0963cc23d729c1d50fa513af016d7b12b0f48fbc0f96de5d14e96833732a9ca39d736115db8845e5e55d7bf3f54449caa5e4d8bf70f967

Download Submit
C:\Start.bat

Filesize
68B

MD5
9c55f6f34c08cd715c69493700246405

SHA1
a1233d99e35b83120e472ec904f87b8e5a45eb5b

SHA256
c480e717fbb2c05dc36e638447a545948d4fe88e3ce3ee4fa617e21343bf621c

SHA512
821ade3986c77cbf51c1b18eaed89f87ccc92b78899a6253bbed16337babaad89ae7863d0c5eea0e86a9cf587f6c8342609bf58e5f168ef60181a1bc161f03f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MinerS_protected.exe

Filesize
2.7MB

MD5
dcc71a00f44b307cd19ccef614017f30

SHA1
a3c531827740cab7894f0064d17ac46fa16fe9e7

SHA256
2c6a664ecae6a357ff62e932aeaf7f94e416336d91e4ec5ad2a89414f41f25a4

SHA512
743f7e231252c2ccdb6a0347ea0ad96ab491da3d1670ab05267853ee3d6d4c62277a8c00f33e5dc1af0323deba14767b585a1c137da095b6452afe2af7e0595d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MinerS_protected.exe

Filesize
2.7MB

MD5
dcc71a00f44b307cd19ccef614017f30

SHA1
a3c531827740cab7894f0064d17ac46fa16fe9e7

SHA256
2c6a664ecae6a357ff62e932aeaf7f94e416336d91e4ec5ad2a89414f41f25a4

SHA512
743f7e231252c2ccdb6a0347ea0ad96ab491da3d1670ab05267853ee3d6d4c62277a8c00f33e5dc1af0323deba14767b585a1c137da095b6452afe2af7e0595d

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
memory/3424-137-0x00000000001D0000-0x00000000001E4000-memory.dmp

Filesize
80KB

Download
memory/5116-132-0x00000000000F0000-0x0000000000852000-memory.dmp

Filesize
7.4MB

Download
memory/5116-133-0x0000000005AE0000-0x0000000005B46000-memory.dmp

Filesize
408KB

Download