loaderbot | 69bef682277aa8ed7ffdb645a8e41d1f1d279380cc799256132d0cac50582890

Analysis

max time kernel
127s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20-02-2024 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$1/1337/MinerMega.exe
Size

4.0MB
MD5

d1f8ccf271359d1d1840075b3065cdaa
SHA1

5b316201fb5d9705e20398ded7d0441962e2b183
SHA256

5817eb190e2adfb6b1a8488df5e83cda619969a4ea5cccca282a348ef35d09ad
SHA512

5fb53f967b940f76b9c98d09773bea69c6ccbfd2469b9eb64868042f2ee56860d8a000b469ce941a2241adbe261ace43273c9a6cef9821ff6eabeb8f63b81e07
SSDEEP

49152:ENDFFPJu8fBsVE6ij+RNg+UKpBvtqB3m1RC3:SzP88fBsnZTgOtqB3m1RC3

Score

10^/10

loaderbot xmrig loader miner persistence

Malware Config

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

LoaderBot executable 1 IoCs

resource	yara_rule
behavioral6/memory/3644-1-0x0000000000D30000-0x000000000112E000-memory.dmp	loaderbot

XMRig Miner payload 13 IoCs

miner

resource	yara_rule
behavioral6/memory/4440-18-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/4820-22-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/4820-29-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/4820-30-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/4820-33-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/4820-36-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/4820-37-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/4820-38-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/4820-39-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/4820-40-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/4820-41-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/2752-48-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral6/memory/2752-53-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	MinerMega.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	MinerMega.exe

Executes dropped EXE 3 IoCs

pid	Process
4440	Driver.exe
4820	Driver.exe
2752	Driver.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\MinerMega.exe"	MinerMega.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe
3644	MinerMega.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3644	MinerMega.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3644	MinerMega.exe
Token: SeLockMemoryPrivilege	4440	Driver.exe
Token: SeLockMemoryPrivilege	4440	Driver.exe
Token: SeLockMemoryPrivilege	4820	Driver.exe
Token: SeLockMemoryPrivilege	4820	Driver.exe
Token: SeLockMemoryPrivilege	2752	Driver.exe
Token: SeLockMemoryPrivilege	2752	Driver.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3644 wrote to memory of 4440	3644	MinerMega.exe	85
PID 3644 wrote to memory of 4440	3644	MinerMega.exe	85
PID 3644 wrote to memory of 4820	3644	MinerMega.exe	91
PID 3644 wrote to memory of 4820	3644	MinerMega.exe	91
PID 3644 wrote to memory of 2752	3644	MinerMega.exe	101
PID 3644 wrote to memory of 2752	3644	MinerMega.exe	101

C:\Users\Admin\AppData\Local\Temp\$1\1337\MinerMega.exe
"C:\Users\Admin\AppData\Local\Temp\$1\1337\MinerMega.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4440
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4820
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 84EUKYR2H11atFNVAkBBeN2ms43rYAvFBbYJjA37BKULYfBZ7TptXP2aw6mPcBAg9yM6w27ntDcuDMq3iHJbUYPBTbuT74U -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
1.8MB

MD5
05424b21d1bdef7ed1cb37e7c2bf1a81

SHA1
7ca5f462526301c8daea8b138cb4c347293c5cdc

SHA256
71d198f7322e8291a717ed3b252b45eaa19bfc430673a0a8f15db203550d343e

SHA512
6a0456a1859d4bd66196795db87091b171f18c92f3b51a7ca7869b0d77ba49a949fb2483d05eef4b8f48f871ea677d8a4c4f5c40cea0a0c359f887728e16df17

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
1.6MB

MD5
dcdebca4f3af204eeb2e544286f850a7

SHA1
9dc3cd4c1473f2bf5417378d155b1abfd4836f7b

SHA256
489afaaa5722d097c1c4b16d53b4c45b4a08dcb7e1465cff878860276b504db6

SHA512
871b75337c27820e780dfc9345c68aab0f10ec36fb07c8ca4af413882f33f79a823b9e5e14b4454c91f5f7d59a7154164823c0bd42efd722127b6b0674185164

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
1.8MB

MD5
1ffc7715397cf1839ea903e3bc80a1ed

SHA1
e2ceae47abc8c2745226cdcb52485be2d1059548

SHA256
f6078fb2de024920dea674895e70373f23f44d986d43766952a3c1e28229a373

SHA512
eabb51a70b06f16167da49b2c35c8f54f6b28ce1534dd7756dca1c2147b7a7f41d1c74e6930d3fcb250d3b67417d76f8bbef5e49624772c34fc617773ec847cf

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
2.1MB

MD5
946d861514412cfb9a074b7aea6e49f5

SHA1
181bd221b09293193e5996230eac309ff185e490

SHA256
2a9e8df2eaa1037f59ad2ff136ed6bdee12f28af09894d6e93f019bd3b17f235

SHA512
2bac7c70139859f2a1b97fd0e78118da5e384ecb8dd5cf36527a68260c6bade6152e5368465b28eaef51789306918fb0734a65c4c639fd34b275851dab97d0fb

Download Submit
memory/2752-53-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2752-48-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2752-49-0x0000000002220000-0x0000000002240000-memory.dmp

Filesize
128KB

Download
memory/2752-50-0x0000000013190000-0x00000000131B0000-memory.dmp

Filesize
128KB

Download
memory/2752-51-0x00000000134C0000-0x00000000134E0000-memory.dmp

Filesize
128KB

Download
memory/2752-52-0x00000000137F0000-0x0000000013810000-memory.dmp

Filesize
128KB

Download
memory/3644-25-0x0000000074A20000-0x00000000751D0000-memory.dmp

Filesize
7.7MB

Download
memory/3644-0-0x0000000074A20000-0x00000000751D0000-memory.dmp

Filesize
7.7MB

Download
memory/3644-5-0x0000000005A50000-0x0000000005A60000-memory.dmp

Filesize
64KB

Download
memory/3644-1-0x0000000000D30000-0x000000000112E000-memory.dmp

Filesize
4.0MB

Download
memory/3644-28-0x0000000005A50000-0x0000000005A60000-memory.dmp

Filesize
64KB

Download
memory/3644-4-0x0000000005DC0000-0x0000000005E26000-memory.dmp

Filesize
408KB

Download
memory/4440-18-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4440-17-0x0000000001FC0000-0x0000000001FD4000-memory.dmp

Filesize
80KB

Download
memory/4440-16-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4820-30-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4820-41-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4820-32-0x0000000001F10000-0x0000000001F30000-memory.dmp

Filesize
128KB

Download
memory/4820-33-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4820-34-0x0000000002140000-0x0000000002160000-memory.dmp

Filesize
128KB

Download
memory/4820-35-0x00000000137D0000-0x00000000137F0000-memory.dmp

Filesize
128KB

Download
memory/4820-36-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4820-37-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4820-38-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4820-39-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4820-40-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4820-31-0x0000000001EF0000-0x0000000001F10000-memory.dmp

Filesize
128KB

Download
memory/4820-42-0x0000000001EF0000-0x0000000001F10000-memory.dmp

Filesize
128KB

Download
memory/4820-43-0x0000000001F10000-0x0000000001F30000-memory.dmp

Filesize
128KB

Download
memory/4820-44-0x0000000002140000-0x0000000002160000-memory.dmp

Filesize
128KB

Download
memory/4820-45-0x00000000137D0000-0x00000000137F0000-memory.dmp

Filesize
128KB

Download
memory/4820-29-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4820-27-0x00000000137D0000-0x00000000137F0000-memory.dmp

Filesize
128KB

Download
memory/4820-26-0x0000000002140000-0x0000000002160000-memory.dmp

Filesize
128KB

Download
memory/4820-24-0x0000000001F10000-0x0000000001F30000-memory.dmp

Filesize
128KB

Download
memory/4820-23-0x0000000001EF0000-0x0000000001F10000-memory.dmp

Filesize
128KB

Download
memory/4820-22-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4820-21-0x0000000001ED0000-0x0000000001EF0000-memory.dmp

Filesize
128KB

Download