loaderbot | 2b9df917c6efd68e0b700634a4e551950b86a730bd316690668e4e43b31d09ee

Analysis

max time kernel
113s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2024 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

572f91333f0ef870aa2a3ab21fdef3ee.exe
Size

2.1MB
MD5

572f91333f0ef870aa2a3ab21fdef3ee
SHA1

6e3de75d0ef2d51040714517b27fd67abb143e3d
SHA256

2b9df917c6efd68e0b700634a4e551950b86a730bd316690668e4e43b31d09ee
SHA512

7d90723b77a1e8e65be666940b05f18197f0ed91fc7ab6b4b639ad81b36d65fae2a1b3869a5255258d74499eaeed647852c79298f4f783523bafd3251db91131
SSDEEP

49152:AWM2OSAUhB0ETI++BrpMLdDQXWb+FPWRtr8HJ:XM2DD5IhBrpCFQXk+FPWf0J

Score

10^/10

loaderbot xmrig loader miner persistence

Malware Config

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

LoaderBot executable 1 IoCs

resource	yara_rule
behavioral2/memory/4484-7-0x0000000000400000-0x00000000007FE000-memory.dmp	loaderbot

XMRig Miner payload 15 IoCs

miner

resource	yara_rule
behavioral2/memory/792-28-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3064-32-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3064-33-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3064-40-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3064-41-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3064-42-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3064-47-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3064-48-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3064-49-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3064-50-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3064-51-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/4812-58-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/4812-63-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/4812-64-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/4812-65-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	572f91333f0ef870aa2a3ab21fdef3ee.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	572f91333f0ef870aa2a3ab21fdef3ee.exe

Executes dropped EXE 3 IoCs

pid	Process
792	Driver.exe
3064	Driver.exe
4812	Driver.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\572f91333f0ef870aa2a3ab21fdef3ee.exe"	572f91333f0ef870aa2a3ab21fdef3ee.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2212 set thread context of 4484	2212	572f91333f0ef870aa2a3ab21fdef3ee.exe	102

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4484	572f91333f0ef870aa2a3ab21fdef3ee.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	572f91333f0ef870aa2a3ab21fdef3ee.exe
Token: SeDebugPrivilege	4484	572f91333f0ef870aa2a3ab21fdef3ee.exe
Token: SeLockMemoryPrivilege	792	Driver.exe
Token: SeLockMemoryPrivilege	792	Driver.exe
Token: SeLockMemoryPrivilege	3064	Driver.exe
Token: SeLockMemoryPrivilege	3064	Driver.exe
Token: SeLockMemoryPrivilege	4812	Driver.exe
Token: SeLockMemoryPrivilege	4812	Driver.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 4484	2212	572f91333f0ef870aa2a3ab21fdef3ee.exe	102
PID 2212 wrote to memory of 4484	2212	572f91333f0ef870aa2a3ab21fdef3ee.exe	102
PID 2212 wrote to memory of 4484	2212	572f91333f0ef870aa2a3ab21fdef3ee.exe	102
PID 2212 wrote to memory of 4484	2212	572f91333f0ef870aa2a3ab21fdef3ee.exe	102
PID 2212 wrote to memory of 4484	2212	572f91333f0ef870aa2a3ab21fdef3ee.exe	102
PID 2212 wrote to memory of 4484	2212	572f91333f0ef870aa2a3ab21fdef3ee.exe	102
PID 2212 wrote to memory of 4484	2212	572f91333f0ef870aa2a3ab21fdef3ee.exe	102
PID 2212 wrote to memory of 4484	2212	572f91333f0ef870aa2a3ab21fdef3ee.exe	102
PID 4484 wrote to memory of 792	4484	572f91333f0ef870aa2a3ab21fdef3ee.exe	103
PID 4484 wrote to memory of 792	4484	572f91333f0ef870aa2a3ab21fdef3ee.exe	103
PID 4484 wrote to memory of 3064	4484	572f91333f0ef870aa2a3ab21fdef3ee.exe	109
PID 4484 wrote to memory of 3064	4484	572f91333f0ef870aa2a3ab21fdef3ee.exe	109
PID 4484 wrote to memory of 4812	4484	572f91333f0ef870aa2a3ab21fdef3ee.exe	115
PID 4484 wrote to memory of 4812	4484	572f91333f0ef870aa2a3ab21fdef3ee.exe	115

C:\Users\Admin\AppData\Local\Temp\572f91333f0ef870aa2a3ab21fdef3ee.exe
"C:\Users\Admin\AppData\Local\Temp\572f91333f0ef870aa2a3ab21fdef3ee.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\572f91333f0ef870aa2a3ab21fdef3ee.exe
  C:\Users\Admin\AppData\Local\Temp\572f91333f0ef870aa2a3ab21fdef3ee.exe
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 49ciCfWrkhQWz6LYXux4LV1P5eAFMfox1H2y3k6VSn7Jb39nDYDUiC6JFCUBDDf63GQqpKc5ZQQ8vCHwgzesAKHtJwB9o2i -p x -k -v=0 --donate-level=1 -t 4
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:792
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 49ciCfWrkhQWz6LYXux4LV1P5eAFMfox1H2y3k6VSn7Jb39nDYDUiC6JFCUBDDf63GQqpKc5ZQQ8vCHwgzesAKHtJwB9o2i -p x -k -v=0 --donate-level=1 -t 4
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3064
- - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 49ciCfWrkhQWz6LYXux4LV1P5eAFMfox1H2y3k6VSn7Jb39nDYDUiC6JFCUBDDf63GQqpKc5ZQQ8vCHwgzesAKHtJwB9o2i -p x -k -v=0 --donate-level=1 -t 4
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\572f91333f0ef870aa2a3ab21fdef3ee.exe.log

Filesize
605B

MD5
3654bd2c6957761095206ffdf92b0cb9

SHA1
6f10f7b5867877de7629afcff644c265e79b4ad3

SHA256
c2a4be94cf4ed33d698d9838f4ffb47047da796e733ec11562463a1621212ab4

SHA512
e2a81248cca7732ce098088d5237897493fd3629e28d66bc13e5f9191f72cd52893f4a53905906af12d5c6de475738b6c7f6b718a32869e9ee0deb3a54672f79

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
1.3MB

MD5
4abdf1a0212a622b9cbdbd3cb77bbf21

SHA1
9bc45f66dfabba277f0d7b7e028d8cfb2fce8d37

SHA256
4b76dd1361374f91a48bcc0b83f371dca0efc67d184066a6ea99667c5ad2bad0

SHA512
fc1bd6c53f051e06e2336e93158e6e2119f5b1190e82f7dc340f839f02b9312a26a27c45bb3239f2ccd222903c51a3a454303726a0c9ef1a81645c0dfc183806

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
382KB

MD5
665ff3560d288fc8e9bc30985b8ff2d7

SHA1
65124d9277406151f7dd2d55a93aea144ab0962e

SHA256
f0c28c3e9e6e3e6f6d19634c7d562001eabaeb2af6a17cf58aad5be98db739cc

SHA512
9d06b0b9bc0c2de2256286e24db83d93a901a42ad29a79d6fb96dc7cab4b8c9452e10787ee48dd93d196e0fe491e4476277d940c331e59c2647a7e9725ceee65

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
348KB

MD5
a5d1a345894ac5b4af771575a5fbe9bf

SHA1
a837a69566edc121577173a0dc54a8b2bc8ca862

SHA256
2aa67254e16b4ad7981dfcc8b876809db83f3bb32b3292d93bbff02c344956a7

SHA512
3997523ec2860b8831c6ee2c6f06b98f5adb701c0687dfc46992680ad3ff7fb41ed0e2943ad7040d76fa66949344d33fff665784144a1e9f731158432ef4e9cb

Download Submit
memory/792-27-0x0000000001FE0000-0x0000000001FF4000-memory.dmp

Filesize
80KB

Download
memory/792-28-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/792-26-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2212-6-0x00000000058C0000-0x00000000058DE000-memory.dmp

Filesize
120KB

Download
memory/2212-5-0x0000000005930000-0x00000000059A6000-memory.dmp

Filesize
472KB

Download
memory/2212-10-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/2212-1-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/2212-4-0x0000000005830000-0x0000000005850000-memory.dmp

Filesize
128KB

Download
memory/2212-2-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download
memory/2212-3-0x0000000005760000-0x0000000005761000-memory.dmp

Filesize
4KB

Download
memory/2212-0-0x0000000000C40000-0x0000000000E54000-memory.dmp

Filesize
2.1MB

Download
memory/3064-40-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3064-47-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3064-53-0x0000000002020000-0x0000000002040000-memory.dmp

Filesize
128KB

Download
memory/3064-31-0x0000000000460000-0x0000000000480000-memory.dmp

Filesize
128KB

Download
memory/3064-32-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3064-33-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3064-34-0x0000000002000000-0x0000000002020000-memory.dmp

Filesize
128KB

Download
memory/3064-55-0x0000000002170000-0x0000000002190000-memory.dmp

Filesize
128KB

Download
memory/3064-37-0x0000000002040000-0x0000000002060000-memory.dmp

Filesize
128KB

Download
memory/3064-38-0x0000000002170000-0x0000000002190000-memory.dmp

Filesize
128KB

Download
memory/3064-36-0x0000000002020000-0x0000000002040000-memory.dmp

Filesize
128KB

Download
memory/3064-54-0x0000000002040000-0x0000000002060000-memory.dmp

Filesize
128KB

Download
memory/3064-52-0x0000000002000000-0x0000000002020000-memory.dmp

Filesize
128KB

Download
memory/3064-41-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3064-42-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3064-43-0x0000000002000000-0x0000000002020000-memory.dmp

Filesize
128KB

Download
memory/3064-45-0x0000000002040000-0x0000000002060000-memory.dmp

Filesize
128KB

Download
memory/3064-44-0x0000000002020000-0x0000000002040000-memory.dmp

Filesize
128KB

Download
memory/3064-46-0x0000000002170000-0x0000000002190000-memory.dmp

Filesize
128KB

Download
memory/3064-51-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3064-48-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3064-49-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3064-50-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4484-14-0x00000000056E0000-0x0000000005746000-memory.dmp

Filesize
408KB

Download
memory/4484-12-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/4484-39-0x0000000002C90000-0x0000000002CA0000-memory.dmp

Filesize
64KB

Download
memory/4484-35-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/4484-15-0x0000000002C90000-0x0000000002CA0000-memory.dmp

Filesize
64KB

Download
memory/4484-7-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/4812-58-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4812-59-0x0000000001EF0000-0x0000000001F10000-memory.dmp

Filesize
128KB

Download
memory/4812-60-0x0000000001F30000-0x0000000001F50000-memory.dmp

Filesize
128KB

Download
memory/4812-61-0x0000000001F50000-0x0000000001F70000-memory.dmp

Filesize
128KB

Download
memory/4812-62-0x0000000001F70000-0x0000000001F90000-memory.dmp

Filesize
128KB

Download
memory/4812-63-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4812-64-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4812-65-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4812-66-0x0000000001EF0000-0x0000000001F10000-memory.dmp

Filesize
128KB

Download