loaderbot | 0fa48a6368effe6c9373dd34f9f26bf7f0a2050aab330cefc5acc6de5030ecb6

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2024 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$1/1337/MinerMega.exe
Size

4.0MB
MD5

d1f8ccf271359d1d1840075b3065cdaa
SHA1

5b316201fb5d9705e20398ded7d0441962e2b183
SHA256

5817eb190e2adfb6b1a8488df5e83cda619969a4ea5cccca282a348ef35d09ad
SHA512

5fb53f967b940f76b9c98d09773bea69c6ccbfd2469b9eb64868042f2ee56860d8a000b469ce941a2241adbe261ace43273c9a6cef9821ff6eabeb8f63b81e07
SSDEEP

49152:ENDFFPJu8fBsVE6ij+RNg+UKpBvtqB3m1RC3:SzP88fBsnZTgOtqB3m1RC3

Score

10^/10

loaderbot xmrig loader miner persistence

Malware Config

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

LoaderBot executable 1 IoCs

resource	yara_rule
behavioral6/memory/376-1-0x0000000000860000-0x0000000000C5E000-memory.dmp	loaderbot

XMRig Miner payload 18 IoCs

miner

resource	yara_rule
behavioral6/memory/1464-18-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/4076-22-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/4076-25-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/3408-33-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/3408-38-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/3408-39-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/3408-40-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/3408-44-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/3408-46-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/3408-47-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/3408-48-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/3540-55-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/3540-59-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/4304-65-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/4304-69-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/3108-75-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/3108-80-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/3108-81-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	MinerMega.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	MinerMega.exe

Executes dropped EXE 6 IoCs

pid	Process
1464	Driver.exe
4076	Driver.exe
3408	Driver.exe
3540	Driver.exe
4304	Driver.exe
3108	Driver.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\MinerMega.exe"	MinerMega.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe
376	MinerMega.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
376	MinerMega.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	376	MinerMega.exe
Token: SeLockMemoryPrivilege	1464	Driver.exe
Token: SeLockMemoryPrivilege	1464	Driver.exe
Token: SeLockMemoryPrivilege	4076	Driver.exe
Token: SeLockMemoryPrivilege	4076	Driver.exe
Token: SeLockMemoryPrivilege	3408	Driver.exe
Token: SeLockMemoryPrivilege	3408	Driver.exe
Token: SeLockMemoryPrivilege	3540	Driver.exe
Token: SeLockMemoryPrivilege	3540	Driver.exe
Token: SeLockMemoryPrivilege	4304	Driver.exe
Token: SeLockMemoryPrivilege	4304	Driver.exe
Token: SeLockMemoryPrivilege	3108	Driver.exe
Token: SeLockMemoryPrivilege	3108	Driver.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 376 wrote to memory of 1464	376	MinerMega.exe	86
PID 376 wrote to memory of 1464	376	MinerMega.exe	86
PID 376 wrote to memory of 4076	376	MinerMega.exe	91
PID 376 wrote to memory of 4076	376	MinerMega.exe	91
PID 376 wrote to memory of 3408	376	MinerMega.exe	95
PID 376 wrote to memory of 3408	376	MinerMega.exe	95
PID 376 wrote to memory of 3540	376	MinerMega.exe	104
PID 376 wrote to memory of 3540	376	MinerMega.exe	104
PID 376 wrote to memory of 4304	376	MinerMega.exe	106
PID 376 wrote to memory of 4304	376	MinerMega.exe	106
PID 376 wrote to memory of 3108	376	MinerMega.exe	108
PID 376 wrote to memory of 3108	376	MinerMega.exe	108

C:\Users\Admin\AppData\Local\Temp\$1\1337\MinerMega.exe
"C:\Users\Admin\AppData\Local\Temp\$1\1337\MinerMega.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:376
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1464
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4076
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3408
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3540
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4304
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
193KB

MD5
1d07d0cdde4691b3286459ba3fd74768

SHA1
d2c5af8f3ee9f17c40c4667ae0eb9afe581deb14

SHA256
88118b936e53586b1a6183a71dd7ad0001987cfc9cf19d24e88a7073ce2481d1

SHA512
cbc14fb1239e2690506e1ae695ab1d67d285e5af634389b90fddf262364f75749f7cfaefe4ec592c72ae633a2d3bd20756be745d4b84a4d50c4ab757cee2e0e9

Download Submit
memory/376-26-0x0000000075210000-0x00000000759C0000-memory.dmp

Filesize
7.7MB

Download
memory/376-1-0x0000000000860000-0x0000000000C5E000-memory.dmp

Filesize
4.0MB

Download
memory/376-4-0x00000000058E0000-0x0000000005946000-memory.dmp

Filesize
408KB

Download
memory/376-5-0x00000000056B0000-0x00000000056C0000-memory.dmp

Filesize
64KB

Download
memory/376-0-0x0000000075210000-0x00000000759C0000-memory.dmp

Filesize
7.7MB

Download
memory/376-32-0x00000000056B0000-0x00000000056C0000-memory.dmp

Filesize
64KB

Download
memory/1464-16-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1464-17-0x0000000001EB0000-0x0000000001EC4000-memory.dmp

Filesize
80KB

Download
memory/1464-18-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3108-82-0x0000000002210000-0x0000000002230000-memory.dmp

Filesize
128KB

Download
memory/3108-79-0x0000000002270000-0x0000000002290000-memory.dmp

Filesize
128KB

Download
memory/3108-80-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3108-78-0x0000000002250000-0x0000000002270000-memory.dmp

Filesize
128KB

Download
memory/3108-77-0x0000000002230000-0x0000000002250000-memory.dmp

Filesize
128KB

Download
memory/3108-76-0x0000000002210000-0x0000000002230000-memory.dmp

Filesize
128KB

Download
memory/3108-75-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3108-81-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3408-38-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3408-43-0x0000000002060000-0x0000000002080000-memory.dmp

Filesize
128KB

Download
memory/3408-35-0x0000000002040000-0x0000000002060000-memory.dmp

Filesize
128KB

Download
memory/3408-36-0x0000000002060000-0x0000000002080000-memory.dmp

Filesize
128KB

Download
memory/3408-37-0x0000000002080000-0x00000000020A0000-memory.dmp

Filesize
128KB

Download
memory/3408-33-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3408-39-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3408-40-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3408-41-0x0000000002020000-0x0000000002040000-memory.dmp

Filesize
128KB

Download
memory/3408-34-0x0000000002020000-0x0000000002040000-memory.dmp

Filesize
128KB

Download
memory/3408-42-0x0000000002040000-0x0000000002060000-memory.dmp

Filesize
128KB

Download
memory/3408-44-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3408-45-0x0000000002080000-0x00000000020A0000-memory.dmp

Filesize
128KB

Download
memory/3408-46-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3408-47-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3408-48-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3408-50-0x0000000002040000-0x0000000002060000-memory.dmp

Filesize
128KB

Download
memory/3408-49-0x0000000002020000-0x0000000002040000-memory.dmp

Filesize
128KB

Download
memory/3408-51-0x0000000002060000-0x0000000002080000-memory.dmp

Filesize
128KB

Download
memory/3408-52-0x0000000002080000-0x00000000020A0000-memory.dmp

Filesize
128KB

Download
memory/3540-61-0x0000000002120000-0x0000000002140000-memory.dmp

Filesize
128KB

Download
memory/3540-56-0x0000000002100000-0x0000000002120000-memory.dmp

Filesize
128KB

Download
memory/3540-57-0x0000000002120000-0x0000000002140000-memory.dmp

Filesize
128KB

Download
memory/3540-58-0x0000000002140000-0x0000000002160000-memory.dmp

Filesize
128KB

Download
memory/3540-59-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3540-60-0x0000000002100000-0x0000000002120000-memory.dmp

Filesize
128KB

Download
memory/3540-55-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3540-62-0x0000000002140000-0x0000000002160000-memory.dmp

Filesize
128KB

Download
memory/4076-28-0x0000000000550000-0x0000000000570000-memory.dmp

Filesize
128KB

Download
memory/4076-29-0x0000000002010000-0x0000000002030000-memory.dmp

Filesize
128KB

Download
memory/4076-21-0x0000000000530000-0x0000000000550000-memory.dmp

Filesize
128KB

Download
memory/4076-22-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4076-23-0x0000000000550000-0x0000000000570000-memory.dmp

Filesize
128KB

Download
memory/4076-24-0x0000000002010000-0x0000000002030000-memory.dmp

Filesize
128KB

Download
memory/4076-25-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4076-27-0x0000000002030000-0x0000000002050000-memory.dmp

Filesize
128KB

Download
memory/4304-69-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4304-65-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4304-71-0x0000000002030000-0x0000000002050000-memory.dmp

Filesize
128KB

Download
memory/4304-72-0x0000000002050000-0x0000000002070000-memory.dmp

Filesize
128KB

Download
memory/4304-70-0x0000000002010000-0x0000000002030000-memory.dmp

Filesize
128KB

Download
memory/4304-66-0x0000000002010000-0x0000000002030000-memory.dmp

Filesize
128KB

Download
memory/4304-68-0x0000000002050000-0x0000000002070000-memory.dmp

Filesize
128KB

Download
memory/4304-67-0x0000000002030000-0x0000000002050000-memory.dmp

Filesize
128KB

Download