Overview

overview

10

Static

static

10

W1nnerFree CS2.exe

windows10-2004-x64

10

W1nnerFree CS2.exe

windows11-21h2-x64

10

$1/1337/Ex...er.exe

windows10-2004-x64

7

$1/1337/Ex...er.exe

windows11-21h2-x64

7

$1/1337/MinerMega.exe

windows10-2004-x64

10

$1/1337/MinerMega.exe

windows11-21h2-x64

10

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows11-21h2-x64

3

Analysis

  • max time kernel
    65s
  • max time network
    186s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240214-en
  • resource tags

    arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    19-02-2024 09:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $1/1337/MinerMega.exe

  • Size

    4.0MB

  • MD5

    d1f8ccf271359d1d1840075b3065cdaa

  • SHA1

    5b316201fb5d9705e20398ded7d0441962e2b183

  • SHA256

    5817eb190e2adfb6b1a8488df5e83cda619969a4ea5cccca282a348ef35d09ad

  • SHA512

    5fb53f967b940f76b9c98d09773bea69c6ccbfd2469b9eb64868042f2ee56860d8a000b469ce941a2241adbe261ace43273c9a6cef9821ff6eabeb8f63b81e07

  • SSDEEP

    49152:ENDFFPJu8fBsVE6ij+RNg+UKpBvtqB3m1RC3:SzP88fBsnZTgOtqB3m1RC3

Score
10/10
loaderbotxmrigloaderminerpersistence

Malware Config

Signatures

  • LoaderBot

    LoaderBot is a loader written in .NET downloading and executing miners.

    loaderminerloaderbot
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • LoaderBot executable 1 IoCs
  • XMRig Miner payload 1 IoCs
    miner
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$1\1337\MinerMega.exe
    "C:\Users\Admin\AppData\Local\Temp\$1\1337\MinerMega.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3256
    • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
      2⤵
      • Executes dropped EXE
      PID:2708

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
    Filesize

    3.9MB

    MD5

    02569a7a91a71133d4a1023bf32aa6f4

    SHA1

    0f16bcb3f3f085d3d3be912195558e9f9680d574

    SHA256

    8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

    SHA512

    534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

    Download Submit

  • memory/2708-23-0x0000000003590000-0x0000000003904000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/2708-31-0x0000000005190000-0x0000000005504000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/2708-25-0x0000000003C90000-0x0000000004004000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/2708-26-0x0000000004010000-0x0000000004384000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/2708-15-0x0000000140000000-0x0000000140B75000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/2708-17-0x0000000001F20000-0x0000000001F34000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2708-18-0x0000000140000000-0x0000000140B75000-memory.dmp

    Filesize

    11.5MB

    Download

  • memory/2708-19-0x0000000002790000-0x0000000002B04000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/2708-20-0x0000000002B10000-0x0000000002E84000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/2708-21-0x0000000002E90000-0x0000000003204000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/2708-22-0x0000000003210000-0x0000000003584000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/2708-24-0x0000000003910000-0x0000000003C84000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/2708-35-0x0000000005F90000-0x0000000006304000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/2708-34-0x0000000005C10000-0x0000000005F84000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/2708-33-0x0000000005890000-0x0000000005C04000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/2708-27-0x0000000004390000-0x0000000004704000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/2708-28-0x0000000004710000-0x0000000004A84000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/2708-29-0x0000000004A90000-0x0000000004E04000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/2708-30-0x0000000004E10000-0x0000000005184000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/2708-32-0x0000000005510000-0x0000000005884000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/3256-4-0x00000000058C0000-0x0000000005926000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3256-0-0x00000000750F0000-0x00000000758A1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3256-5-0x0000000005650000-0x0000000005660000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3256-55-0x0000000005650000-0x0000000005660000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3256-36-0x00000000750F0000-0x00000000758A1000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3256-1-0x0000000000780000-0x0000000000B7E000-memory.dmp

    Filesize

    4.0MB

    Download