xmrig | b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4

Analysis

max time kernel
86s
max time network
90s
platform
windows7_x64
resource
win7v20210408
submitted
05-05-2021 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4.exe
Size

4.5MB
MD5

969a140499adeb56b0786e347b0ac24b
SHA1

785c81c1138e1ef34c0d4661cc6771368b590481
SHA256

b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4
SHA512

c1ec5997e3ec962fd68f0652a993334208ae0ace96c3520d9cf6f091beda2f95cf66a788006c1f9fbd9b431a2bd85710ef39d061a5de7e2f73105cc596c37765

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 11 IoCs

miner

Processes:

resource	yara_rule
\Windows\system\ZgflFJG.exe	xmrig
C:\Windows\system\ZgflFJG.exe	xmrig
\Windows\system\qNBZNQI.exe	xmrig
C:\Windows\system\qNBZNQI.exe	xmrig
\Windows\system\tRKJTLy.exe	xmrig
C:\Windows\system\tRKJTLy.exe	xmrig
C:\Windows\system\SpttMUM.exe	xmrig
\Windows\system\SpttMUM.exe	xmrig
\Windows\system\wNBRMsA.exe	xmrig
C:\Windows\system\wNBRMsA.exe	xmrig
\Windows\system\exukkAz.exe	xmrig

Executes dropped EXE 5 IoCs

Processes:

ZgflFJG.exeqNBZNQI.exetRKJTLy.exeSpttMUM.exewNBRMsA.exe

pid process

1912 ZgflFJG.exe
1944 qNBZNQI.exe
1240 tRKJTLy.exe
1900 SpttMUM.exe
1856 wNBRMsA.exe

pid	process
1912	ZgflFJG.exe
1944	qNBZNQI.exe
1240	tRKJTLy.exe
1900	SpttMUM.exe
1856	wNBRMsA.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\system\ZgflFJG.exe	upx
C:\Windows\system\ZgflFJG.exe	upx
\Windows\system\qNBZNQI.exe	upx
C:\Windows\system\qNBZNQI.exe	upx
\Windows\system\tRKJTLy.exe	upx
C:\Windows\system\tRKJTLy.exe	upx
C:\Windows\system\SpttMUM.exe	upx
\Windows\system\SpttMUM.exe	upx
\Windows\system\wNBRMsA.exe	upx
C:\Windows\system\wNBRMsA.exe	upx
\Windows\system\exukkAz.exe	upx

Loads dropped DLL 6 IoCs

Processes:

b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4.exe

pid	process
1640	b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4.exe
1640	b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4.exe
1640	b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4.exe
1640	b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4.exe
1640	b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4.exe
1640	b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4.exe

Drops file in Windows directory 6 IoCs

Processes:

b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4.exe

description	ioc	process
File created	C:\Windows\System\ZgflFJG.exe	b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4.exe
File created	C:\Windows\System\qNBZNQI.exe	b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4.exe
File created	C:\Windows\System\tRKJTLy.exe	b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4.exe
File created	C:\Windows\System\SpttMUM.exe	b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4.exe
File created	C:\Windows\System\wNBRMsA.exe	b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4.exe
File created	C:\Windows\System\exukkAz.exe	b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4.exe

description	pid	process	target process
PID 1640 wrote to memory of 1912	1640	b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4.exe	ZgflFJG.exe
PID 1640 wrote to memory of 1912	1640	b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4.exe	ZgflFJG.exe
PID 1640 wrote to memory of 1912	1640	b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4.exe	ZgflFJG.exe
PID 1640 wrote to memory of 1944	1640	b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4.exe	qNBZNQI.exe
PID 1640 wrote to memory of 1944	1640	b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4.exe	qNBZNQI.exe
PID 1640 wrote to memory of 1944	1640	b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4.exe	qNBZNQI.exe
PID 1640 wrote to memory of 1240	1640	b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4.exe	tRKJTLy.exe
PID 1640 wrote to memory of 1240	1640	b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4.exe	tRKJTLy.exe
PID 1640 wrote to memory of 1240	1640	b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4.exe	tRKJTLy.exe
PID 1640 wrote to memory of 1900	1640	b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4.exe	SpttMUM.exe
PID 1640 wrote to memory of 1900	1640	b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4.exe	SpttMUM.exe
PID 1640 wrote to memory of 1900	1640	b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4.exe	SpttMUM.exe
PID 1640 wrote to memory of 1856	1640	b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4.exe	wNBRMsA.exe
PID 1640 wrote to memory of 1856	1640	b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4.exe	wNBRMsA.exe
PID 1640 wrote to memory of 1856	1640	b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4.exe	wNBRMsA.exe
PID 1640 wrote to memory of 1616	1640	b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4.exe	exukkAz.exe
PID 1640 wrote to memory of 1616	1640	b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4.exe	exukkAz.exe
PID 1640 wrote to memory of 1616	1640	b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4.exe	exukkAz.exe

C:\Users\Admin\AppData\Local\Temp\b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4.exe
"C:\Users\Admin\AppData\Local\Temp\b6f5f0f36a96d45dcc8e44915c848a61cca777a1a8c9332480301418ecf9bed4.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\System\ZgflFJG.exe
C:\Windows\System\ZgflFJG.exe
2⤵
- Executes dropped EXE
PID:1912

C:\Windows\System\qNBZNQI.exe
C:\Windows\System\qNBZNQI.exe
2⤵
- Executes dropped EXE
PID:1944

C:\Windows\System\tRKJTLy.exe
C:\Windows\System\tRKJTLy.exe
2⤵
- Executes dropped EXE
PID:1240

C:\Windows\System\SpttMUM.exe
C:\Windows\System\SpttMUM.exe
2⤵
- Executes dropped EXE
PID:1900

C:\Windows\System\wNBRMsA.exe
C:\Windows\System\wNBRMsA.exe
2⤵
- Executes dropped EXE
PID:1856

C:\Windows\System\exukkAz.exe
C:\Windows\System\exukkAz.exe
2⤵
PID:1616

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\SpttMUM.exe
MD5
8700620e060d2440ce5e3b78fb56ce5a

SHA1
43178b509707dde837e051a6341acce823b0c8cf

SHA256
6e07eb89c9b3f342dc08c13d0028f61bf0f5167f51a797ba0b8685fa7f26fca9

SHA512
c20c2dec9a98a9a48c6e812d72c264df9618d36918b611d1046c77599ba9b1a8da59bb62bc4ce2cddf5bdf7d34f988060318176be24c0f5fbf6b146dac957004

Download Submit
C:\Windows\system\ZgflFJG.exe
MD5
ffc930237c6824ed23aada24fb6361b0

SHA1
61c45c9a4378cd6889e47e814ed3e2ed2531c69d

SHA256
da6ef38b139909f246e46be4a2b533bf4325a83d2f0d35c90a668a3d2cd92c3b

SHA512
bd2d57454a8c4d5620c2fa26040f409ae67c8982fe4707c94f6f5dfddbdff4b7945c9f2ccc181b289d20e79ff4e5207d601a8380cfa101cf113f56b4c6864f23

Download Submit
C:\Windows\system\qNBZNQI.exe
MD5
4d4104d3a228d9309fc120e5fa597fc7

SHA1
6a8f9576b707dc85b4ea913385f065b727053cb1

SHA256
6593f09af89c8e5b2d09456d099648776d8fa3e6c14b5eff601369e702a99be6

SHA512
ef4c2584b36d5e2bc643689936a31e0448b180d98e46d807c465db145313623c42db22b621f94f1d9aea75c798fb434620a50cf7da002d96d4ffded08572a464

Download Submit
C:\Windows\system\tRKJTLy.exe
MD5
863929ce1a795f00533e634764807f9f

SHA1
6e709fdd40c0226050301a68aaa0a25705d67154

SHA256
473b053ed87b001bc76262e19f5e981bfadf72f59bd75e98af1a37242b18d8b2

SHA512
29ec75e8b4af5d8d1ecba82a4c834a2a37224db4bba3d8c573ae941e399ef05ee3eee6dfcff585ee0a23397d3867284286b8e005e4fd7025631922741775504e

Download Submit
C:\Windows\system\wNBRMsA.exe
MD5
21285e14e0f169eb51c9b945e95d11b4

SHA1
5f9b917c83b66e67156d75a966b94a4470c03c47

SHA256
f64c08b39c8d0c9e66cac52807649369f43eb8473fda5a9f775550f2c7b03574

SHA512
f51ae267e398b2970b1b6e2abcc223b22af41422e0709c8f992157c40924a9732dec60d642de4564759322e93498e3064f4d3a73328455fb0742f2e3af00774c

Download Submit
\Windows\system\SpttMUM.exe
MD5
8700620e060d2440ce5e3b78fb56ce5a

SHA1
43178b509707dde837e051a6341acce823b0c8cf

SHA256
6e07eb89c9b3f342dc08c13d0028f61bf0f5167f51a797ba0b8685fa7f26fca9

SHA512
c20c2dec9a98a9a48c6e812d72c264df9618d36918b611d1046c77599ba9b1a8da59bb62bc4ce2cddf5bdf7d34f988060318176be24c0f5fbf6b146dac957004

Download Submit
\Windows\system\ZgflFJG.exe
MD5
ffc930237c6824ed23aada24fb6361b0

SHA1
61c45c9a4378cd6889e47e814ed3e2ed2531c69d

SHA256
da6ef38b139909f246e46be4a2b533bf4325a83d2f0d35c90a668a3d2cd92c3b

SHA512
bd2d57454a8c4d5620c2fa26040f409ae67c8982fe4707c94f6f5dfddbdff4b7945c9f2ccc181b289d20e79ff4e5207d601a8380cfa101cf113f56b4c6864f23

Download Submit
\Windows\system\exukkAz.exe
MD5
1d4bfaa276e0a910c08f5b96fe795ec3

SHA1
1db85d0905e61af02a3e297e7014034f31007d69

SHA256
c0c44615ed3247314d3be796b0790863391fac08cff44c9adbcb6ca251051094

SHA512
80c99fc69c7d0f4cc8a5d82d64feb08ded2db1fb63530f8ea28ab2ac391b18944a2c12f5185a6e391aa2b09cfa01b653232acb03b7e03fda79fc4eea30ed1f1c

Download Submit
\Windows\system\qNBZNQI.exe
MD5
4d4104d3a228d9309fc120e5fa597fc7

SHA1
6a8f9576b707dc85b4ea913385f065b727053cb1

SHA256
6593f09af89c8e5b2d09456d099648776d8fa3e6c14b5eff601369e702a99be6

SHA512
ef4c2584b36d5e2bc643689936a31e0448b180d98e46d807c465db145313623c42db22b621f94f1d9aea75c798fb434620a50cf7da002d96d4ffded08572a464

Download Submit
\Windows\system\tRKJTLy.exe
MD5
863929ce1a795f00533e634764807f9f

SHA1
6e709fdd40c0226050301a68aaa0a25705d67154

SHA256
473b053ed87b001bc76262e19f5e981bfadf72f59bd75e98af1a37242b18d8b2

SHA512
29ec75e8b4af5d8d1ecba82a4c834a2a37224db4bba3d8c573ae941e399ef05ee3eee6dfcff585ee0a23397d3867284286b8e005e4fd7025631922741775504e

Download Submit
\Windows\system\wNBRMsA.exe
MD5
21285e14e0f169eb51c9b945e95d11b4

SHA1
5f9b917c83b66e67156d75a966b94a4470c03c47

SHA256
f64c08b39c8d0c9e66cac52807649369f43eb8473fda5a9f775550f2c7b03574

SHA512
f51ae267e398b2970b1b6e2abcc223b22af41422e0709c8f992157c40924a9732dec60d642de4564759322e93498e3064f4d3a73328455fb0742f2e3af00774c

Download Submit
memory/1240-69-0x0000000000000000-mapping.dmp

Download
memory/1616-82-0x0000000000000000-mapping.dmp

Download
memory/1640-60-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/1856-77-0x0000000000000000-mapping.dmp

Download
memory/1900-73-0x0000000000000000-mapping.dmp

Download
memory/1912-62-0x0000000000000000-mapping.dmp

Download
memory/1944-66-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads