loaderbot | 2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64

General

Target

2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe
Size

16KB
MD5

978de46e32cba8baa8eadf99fabd889e
SHA1

3cf666057debfef38b39947f0ea94f7c3336c062
SHA256

2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64
SHA512

110a001ae26fd335a1de11579f07bf5b33402c372a00c656c83cd7bdb8b8b8c4c02daa7a65f7041ccd7c4fe441c3a968707e243bb9786fc45559a25633b1594d

Score

10^/10

loaderbot loader miner persistence

Malware Config

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot

LoaderBot executable 1 IoCs

resource	yara_rule
behavioral1/memory/1704-54-0x0000000000800000-0x000000000080A000-memory.dmp	loaderbot

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Webhost.url	2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\Run\Webhost = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe"	2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1900	schtasks.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1704	2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1704	2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1704	2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 1108	1704	2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe	27
PID 1704 wrote to memory of 1108	1704	2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe	27
PID 1704 wrote to memory of 1108	1704	2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe	27
PID 1704 wrote to memory of 1108	1704	2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe	27
PID 1108 wrote to memory of 1900	1108	cmd.exe	29
PID 1108 wrote to memory of 1900	1108	cmd.exe	29
PID 1108 wrote to memory of 1900	1108	cmd.exe	29
PID 1108 wrote to memory of 1900	1108	cmd.exe	29

C:\Users\Admin\AppData\Local\Temp\2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe
"C:\Users\Admin\AppData\Local\Temp\2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /C schtasks /create /tn \System\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn \System\SecurityServiceUpdate /tr C:\Users\Admin\AppData\Roaming\Windows\2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
    3⤵
    - Creates scheduled task(s)
    PID:1900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1704-54-0x0000000000800000-0x000000000080A000-memory.dmp

Filesize
40KB

Download
memory/1704-57-0x00000000755B1000-0x00000000755B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads