loaderbot | 2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64

General

Target

2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe
Size

16KB
MD5

978de46e32cba8baa8eadf99fabd889e
SHA1

3cf666057debfef38b39947f0ea94f7c3336c062
SHA256

2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64
SHA512

110a001ae26fd335a1de11579f07bf5b33402c372a00c656c83cd7bdb8b8b8c4c02daa7a65f7041ccd7c4fe441c3a968707e243bb9786fc45559a25633b1594d

Score

10^/10

loaderbot loader miner persistence

Malware Config

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot

LoaderBot executable 1 IoCs

resource	yara_rule
behavioral2/memory/1536-130-0x0000000000930000-0x000000000093A000-memory.dmp	loaderbot

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Webhost.url	2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Webhost = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe"	2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Webhost = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe"	2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1648	schtasks.exe
3836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1536	2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe
5076	2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1536	2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1536	2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe
Token: SeDebugPrivilege	5076	2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 2204	1536	2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe	81
PID 1536 wrote to memory of 2204	1536	2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe	81
PID 1536 wrote to memory of 2204	1536	2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe	81
PID 2204 wrote to memory of 1648	2204	cmd.exe	83
PID 2204 wrote to memory of 1648	2204	cmd.exe	83
PID 2204 wrote to memory of 1648	2204	cmd.exe	83
PID 5076 wrote to memory of 4576	5076	2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe	93
PID 5076 wrote to memory of 4576	5076	2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe	93
PID 5076 wrote to memory of 4576	5076	2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe	93
PID 4576 wrote to memory of 3836	4576	cmd.exe	95
PID 4576 wrote to memory of 3836	4576	cmd.exe	95
PID 4576 wrote to memory of 3836	4576	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe
"C:\Users\Admin\AppData\Local\Temp\2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /C schtasks /create /tn \System\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn \System\SecurityServiceUpdate /tr C:\Users\Admin\AppData\Roaming\Windows\2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
    3⤵
    - Creates scheduled task(s)
    PID:1648

C:\Users\Admin\AppData\Roaming\Windows\2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe
C:\Users\Admin\AppData\Roaming\Windows\2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /C schtasks /create /tn \System\SecurityServiceUpdate /tr %userprofile%\AppData\Roaming\Windows\2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn \System\SecurityServiceUpdate /tr C:\Users\Admin\AppData\Roaming\Windows\2d41a65258d56299212d4231b2d3031e19cd63b518c8f4d4fc7b08fd433a1a64.exe /st 00:00 /du 9999:59 /sc daily /ri 5 /f
    3⤵
    - Creates scheduled task(s)
    PID:3836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1536-130-0x0000000000930000-0x000000000093A000-memory.dmp

Filesize
40KB

Download
memory/1536-133-0x00000000056A0000-0x0000000005706000-memory.dmp

Filesize
408KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads