xmrig | 86e2ac0e14b88bad1ffca8ab8d5f1839a555fe578378e3f18b83e030c4c2659b

Analysis

max time kernel
43s
max time network
141s
platform
windows7_x64
resource
win7v20210410
submitted
05-05-2021 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00d310d1_by_Libranalysis.exe
Size

1.2MB
MD5

00d310d1d1490dfe59b341e224d8de03
SHA1

ab53babe1b118c832c6e0a36c3a04ce531d7c1ff
SHA256

86e2ac0e14b88bad1ffca8ab8d5f1839a555fe578378e3f18b83e030c4c2659b
SHA512

d54bb1e80c7396221111e81f15f4bbc3894703b197d6a55bfdb3eff8600b8446ba61ec4b7ea5904bdc42bb0b82dc4ded662a01fed3eeaf59a489f776957488f8

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 15 IoCs

miner

Processes:

resource	yara_rule
\Windows\system\NDzMPFO.exe	xmrig
C:\Windows\system\NDzMPFO.exe	xmrig
\Windows\system\HzmCrbC.exe	xmrig
\Windows\system\FSNOsOE.exe	xmrig
C:\Windows\system\FSNOsOE.exe	xmrig
\Windows\system\wXKFpBi.exe	xmrig
C:\Windows\system\wXKFpBi.exe	xmrig
C:\Windows\system\HzmCrbC.exe	xmrig
C:\Windows\system\gQJLOxq.exe	xmrig
\Windows\system\gQJLOxq.exe	xmrig
\Windows\system\kHJlcRi.exe	xmrig
\Windows\system\bpYAjRW.exe	xmrig
C:\Windows\system\kHJlcRi.exe	xmrig
C:\Windows\system\bpYAjRW.exe	xmrig
\Windows\system\dCIyRIx.exe	xmrig

Executes dropped EXE 7 IoCs

Processes:

NDzMPFO.exeFSNOsOE.exeHzmCrbC.exewXKFpBi.exegQJLOxq.exekHJlcRi.exebpYAjRW.exe

pid process

1500 NDzMPFO.exe
1740 FSNOsOE.exe
1908 HzmCrbC.exe
1812 wXKFpBi.exe
1696 gQJLOxq.exe
852 kHJlcRi.exe
836 bpYAjRW.exe

pid	process
1500	NDzMPFO.exe
1740	FSNOsOE.exe
1908	HzmCrbC.exe
1812	wXKFpBi.exe
1696	gQJLOxq.exe
852	kHJlcRi.exe
836	bpYAjRW.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\system\NDzMPFO.exe	upx
C:\Windows\system\NDzMPFO.exe	upx
\Windows\system\HzmCrbC.exe	upx
\Windows\system\FSNOsOE.exe	upx
C:\Windows\system\FSNOsOE.exe	upx
\Windows\system\wXKFpBi.exe	upx
C:\Windows\system\wXKFpBi.exe	upx
C:\Windows\system\HzmCrbC.exe	upx
C:\Windows\system\gQJLOxq.exe	upx
\Windows\system\gQJLOxq.exe	upx
\Windows\system\kHJlcRi.exe	upx
\Windows\system\bpYAjRW.exe	upx
C:\Windows\system\kHJlcRi.exe	upx
C:\Windows\system\bpYAjRW.exe	upx
\Windows\system\dCIyRIx.exe	upx

Loads dropped DLL 8 IoCs

Processes:

00d310d1_by_Libranalysis.exe

pid	process
1084	00d310d1_by_Libranalysis.exe
1084	00d310d1_by_Libranalysis.exe
1084	00d310d1_by_Libranalysis.exe
1084	00d310d1_by_Libranalysis.exe
1084	00d310d1_by_Libranalysis.exe
1084	00d310d1_by_Libranalysis.exe
1084	00d310d1_by_Libranalysis.exe
1084	00d310d1_by_Libranalysis.exe

Drops file in Windows directory 8 IoCs

Processes:

00d310d1_by_Libranalysis.exe

description	ioc	process
File created	C:\Windows\System\gQJLOxq.exe	00d310d1_by_Libranalysis.exe
File created	C:\Windows\System\kHJlcRi.exe	00d310d1_by_Libranalysis.exe
File created	C:\Windows\System\bpYAjRW.exe	00d310d1_by_Libranalysis.exe
File created	C:\Windows\System\dCIyRIx.exe	00d310d1_by_Libranalysis.exe
File created	C:\Windows\System\NDzMPFO.exe	00d310d1_by_Libranalysis.exe
File created	C:\Windows\System\HzmCrbC.exe	00d310d1_by_Libranalysis.exe
File created	C:\Windows\System\FSNOsOE.exe	00d310d1_by_Libranalysis.exe
File created	C:\Windows\System\wXKFpBi.exe	00d310d1_by_Libranalysis.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

00d310d1_by_Libranalysis.exe

description	pid	process	target process
PID 1084 wrote to memory of 1500	1084	00d310d1_by_Libranalysis.exe	NDzMPFO.exe
PID 1084 wrote to memory of 1500	1084	00d310d1_by_Libranalysis.exe	NDzMPFO.exe
PID 1084 wrote to memory of 1500	1084	00d310d1_by_Libranalysis.exe	NDzMPFO.exe
PID 1084 wrote to memory of 1908	1084	00d310d1_by_Libranalysis.exe	HzmCrbC.exe
PID 1084 wrote to memory of 1908	1084	00d310d1_by_Libranalysis.exe	HzmCrbC.exe
PID 1084 wrote to memory of 1908	1084	00d310d1_by_Libranalysis.exe	HzmCrbC.exe
PID 1084 wrote to memory of 1740	1084	00d310d1_by_Libranalysis.exe	FSNOsOE.exe
PID 1084 wrote to memory of 1740	1084	00d310d1_by_Libranalysis.exe	FSNOsOE.exe
PID 1084 wrote to memory of 1740	1084	00d310d1_by_Libranalysis.exe	FSNOsOE.exe
PID 1084 wrote to memory of 1812	1084	00d310d1_by_Libranalysis.exe	wXKFpBi.exe
PID 1084 wrote to memory of 1812	1084	00d310d1_by_Libranalysis.exe	wXKFpBi.exe
PID 1084 wrote to memory of 1812	1084	00d310d1_by_Libranalysis.exe	wXKFpBi.exe
PID 1084 wrote to memory of 1696	1084	00d310d1_by_Libranalysis.exe	gQJLOxq.exe
PID 1084 wrote to memory of 1696	1084	00d310d1_by_Libranalysis.exe	gQJLOxq.exe
PID 1084 wrote to memory of 1696	1084	00d310d1_by_Libranalysis.exe	gQJLOxq.exe
PID 1084 wrote to memory of 852	1084	00d310d1_by_Libranalysis.exe	kHJlcRi.exe
PID 1084 wrote to memory of 852	1084	00d310d1_by_Libranalysis.exe	kHJlcRi.exe
PID 1084 wrote to memory of 852	1084	00d310d1_by_Libranalysis.exe	kHJlcRi.exe
PID 1084 wrote to memory of 836	1084	00d310d1_by_Libranalysis.exe	bpYAjRW.exe
PID 1084 wrote to memory of 836	1084	00d310d1_by_Libranalysis.exe	bpYAjRW.exe
PID 1084 wrote to memory of 836	1084	00d310d1_by_Libranalysis.exe	bpYAjRW.exe
PID 1084 wrote to memory of 1668	1084	00d310d1_by_Libranalysis.exe	dCIyRIx.exe
PID 1084 wrote to memory of 1668	1084	00d310d1_by_Libranalysis.exe	dCIyRIx.exe
PID 1084 wrote to memory of 1668	1084	00d310d1_by_Libranalysis.exe	dCIyRIx.exe

C:\Users\Admin\AppData\Local\Temp\00d310d1_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\00d310d1_by_Libranalysis.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\System\NDzMPFO.exe
C:\Windows\System\NDzMPFO.exe
2⤵
- Executes dropped EXE
PID:1500

C:\Windows\System\HzmCrbC.exe
C:\Windows\System\HzmCrbC.exe
2⤵
- Executes dropped EXE
PID:1908

C:\Windows\System\FSNOsOE.exe
C:\Windows\System\FSNOsOE.exe
2⤵
- Executes dropped EXE
PID:1740

C:\Windows\System\wXKFpBi.exe
C:\Windows\System\wXKFpBi.exe
2⤵
- Executes dropped EXE
PID:1812

C:\Windows\System\gQJLOxq.exe
C:\Windows\System\gQJLOxq.exe
2⤵
- Executes dropped EXE
PID:1696

C:\Windows\System\kHJlcRi.exe
C:\Windows\System\kHJlcRi.exe
2⤵
- Executes dropped EXE
PID:852

C:\Windows\System\bpYAjRW.exe
C:\Windows\System\bpYAjRW.exe
2⤵
- Executes dropped EXE
PID:836

C:\Windows\System\dCIyRIx.exe
C:\Windows\System\dCIyRIx.exe
2⤵
PID:1668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\FSNOsOE.exe
MD5
48c87799c0b15b040db23fdec2012c50

SHA1
a439cb0d1b886c9c83d97b1cbe888707640ddd4d

SHA256
9eadc69a082c2b4f0fc909cbc4374a7e4feff9bf4e928a1c0a91f961ef224ad1

SHA512
d101917d6b20b5b231fe1c0c6717d2bcbc6b7c71fc51305908901aeec8611f7de2c1b0311838b13597bd9fa7557f6ee1a0049e31bcb5ee3ceca9e3c725584ee2

Download Submit
C:\Windows\system\HzmCrbC.exe
MD5
35c4b30e9bfa6f605581000643e49d73

SHA1
c3e44887cff0482e141f12842d0db796536b7c45

SHA256
dfe89b9cf71b682c7ed0eb2506b4d53eca028bfd1202f58c6ebf6a88fe7176a3

SHA512
22dc866adf78d092148da2b5e282c80913dc1a2982f97d68c8d3fff79710171e7b07cd16d524fb103696b39af3f3a1c55bdeb4bcf0607168a76b9216c6634084

Download Submit
C:\Windows\system\NDzMPFO.exe
MD5
d412d96d3bd664e1ad27d15c7cd20c31

SHA1
d762ad09f4aec81228eb5d96419c0ec095e4f682

SHA256
5dd0792b29be98c3077208ae1bb1f94e5c5fee2c46723c93437c663eb5b6508d

SHA512
ed5f69cd663e0c0c6558a0fcca6c26f3914349d4fee04c72c99e74afff43e17fed53beaf2ad66b86193561ffe837e74405fdfa27c5a427b761b52b0c41d59a92

Download Submit
C:\Windows\system\bpYAjRW.exe
MD5
fec3a22102b23db126c3cf2ed169c7a2

SHA1
f7f9958c0cd1c73a1adf17bb4bf642743061b5d7

SHA256
2e546232289dc8898ee583234fc2d8b7792c653ffdd9c6cfd81682711c846791

SHA512
c9bb39f7e48ad01e49bbe9d4b35af474c5348d21f38886ae05318782817969748fa5f0488b183dc47c14ab3301a7b8f633c4719c14ce3cb76859ffed4fda7ff6

Download Submit
C:\Windows\system\gQJLOxq.exe
MD5
429c6ef76e18dbefb54dd1c470101eb4

SHA1
8d8b1e352315110579917effad6dcbf2c08bac37

SHA256
aa0f9fadd03e24897c954bb6c8b01f5575cb60591c7247dbf85009539a4c997e

SHA512
bd007e61cfb02ecb003ea26ece5eaa24bc0dae83d064656b389949e6d0c9cb1ea7af529427b9af66e2744b36a45d24074cde83f627467e3287156d5e3bc7e7ed

Download Submit
C:\Windows\system\kHJlcRi.exe
MD5
d1e7676daf45cfc45ac8bd44aa61b644

SHA1
84a219ca40945a1223d15233775aa1d0d4db0871

SHA256
3c076537f79332a2cc4cc581cfc33b2f24df2dcd61ff4fcd6f7690cf05aa7ae0

SHA512
a986a29e6f18fabdbe9e6757492fbee65137957bf1d5c2de0c1f5423613c499b41e43e449de282dd8f04433c4a4cf77b80abd8b4b1d9e7d0d108877553f7e3c3

Download Submit
C:\Windows\system\wXKFpBi.exe
MD5
b22f877078172b493e6369610e8fce5d

SHA1
196e6c07ac8de000aa9eafdfc2e5a30dc4b0c12b

SHA256
f2c67ddfada13cec0f9bfc33ec21fcac510d48bc23a02995a5d9ee7d414805f1

SHA512
8d75fdb5c2748be791074678ff0e4910229bb0f5273ea9faa04bdf8199a0bff0f6ce8068b8470b53f66324301de2e8bff009b915ae3a565d1b25603f1146238d

Download Submit
\Windows\system\FSNOsOE.exe
MD5
48c87799c0b15b040db23fdec2012c50

SHA1
a439cb0d1b886c9c83d97b1cbe888707640ddd4d

SHA256
9eadc69a082c2b4f0fc909cbc4374a7e4feff9bf4e928a1c0a91f961ef224ad1

SHA512
d101917d6b20b5b231fe1c0c6717d2bcbc6b7c71fc51305908901aeec8611f7de2c1b0311838b13597bd9fa7557f6ee1a0049e31bcb5ee3ceca9e3c725584ee2

Download Submit
\Windows\system\HzmCrbC.exe
MD5
35c4b30e9bfa6f605581000643e49d73

SHA1
c3e44887cff0482e141f12842d0db796536b7c45

SHA256
dfe89b9cf71b682c7ed0eb2506b4d53eca028bfd1202f58c6ebf6a88fe7176a3

SHA512
22dc866adf78d092148da2b5e282c80913dc1a2982f97d68c8d3fff79710171e7b07cd16d524fb103696b39af3f3a1c55bdeb4bcf0607168a76b9216c6634084

Download Submit
\Windows\system\NDzMPFO.exe
MD5
d412d96d3bd664e1ad27d15c7cd20c31

SHA1
d762ad09f4aec81228eb5d96419c0ec095e4f682

SHA256
5dd0792b29be98c3077208ae1bb1f94e5c5fee2c46723c93437c663eb5b6508d

SHA512
ed5f69cd663e0c0c6558a0fcca6c26f3914349d4fee04c72c99e74afff43e17fed53beaf2ad66b86193561ffe837e74405fdfa27c5a427b761b52b0c41d59a92

Download Submit
\Windows\system\bpYAjRW.exe
MD5
fec3a22102b23db126c3cf2ed169c7a2

SHA1
f7f9958c0cd1c73a1adf17bb4bf642743061b5d7

SHA256
2e546232289dc8898ee583234fc2d8b7792c653ffdd9c6cfd81682711c846791

SHA512
c9bb39f7e48ad01e49bbe9d4b35af474c5348d21f38886ae05318782817969748fa5f0488b183dc47c14ab3301a7b8f633c4719c14ce3cb76859ffed4fda7ff6

Download Submit
\Windows\system\dCIyRIx.exe
MD5
b1672304adeb01274f8bbdf028834e09

SHA1
2787f659f8fee2c5de3f484e1892308bfe8878a1

SHA256
d612d92af9a7b70df4491cf9dab21ce9205d050c20c86a526cd7244b4928d6e7

SHA512
e3dbe7c3a7e79dc2aee649d9159c98ad29dd5c97cb1f655a0f922d227cb750a4f09d85f3cb97f5b21e47f0e5847129310d0971aaa74c169df3ae7c5de38fadbb

Download Submit
\Windows\system\gQJLOxq.exe
MD5
429c6ef76e18dbefb54dd1c470101eb4

SHA1
8d8b1e352315110579917effad6dcbf2c08bac37

SHA256
aa0f9fadd03e24897c954bb6c8b01f5575cb60591c7247dbf85009539a4c997e

SHA512
bd007e61cfb02ecb003ea26ece5eaa24bc0dae83d064656b389949e6d0c9cb1ea7af529427b9af66e2744b36a45d24074cde83f627467e3287156d5e3bc7e7ed

Download Submit
\Windows\system\kHJlcRi.exe
MD5
d1e7676daf45cfc45ac8bd44aa61b644

SHA1
84a219ca40945a1223d15233775aa1d0d4db0871

SHA256
3c076537f79332a2cc4cc581cfc33b2f24df2dcd61ff4fcd6f7690cf05aa7ae0

SHA512
a986a29e6f18fabdbe9e6757492fbee65137957bf1d5c2de0c1f5423613c499b41e43e449de282dd8f04433c4a4cf77b80abd8b4b1d9e7d0d108877553f7e3c3

Download Submit
\Windows\system\wXKFpBi.exe
MD5
b22f877078172b493e6369610e8fce5d

SHA1
196e6c07ac8de000aa9eafdfc2e5a30dc4b0c12b

SHA256
f2c67ddfada13cec0f9bfc33ec21fcac510d48bc23a02995a5d9ee7d414805f1

SHA512
8d75fdb5c2748be791074678ff0e4910229bb0f5273ea9faa04bdf8199a0bff0f6ce8068b8470b53f66324301de2e8bff009b915ae3a565d1b25603f1146238d

Download Submit
memory/836-84-0x0000000000000000-mapping.dmp

Download
memory/852-80-0x0000000000000000-mapping.dmp

Download
memory/1084-60-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/1500-62-0x0000000000000000-mapping.dmp

Download
memory/1668-88-0x0000000000000000-mapping.dmp

Download
memory/1696-76-0x0000000000000000-mapping.dmp

Download
memory/1740-67-0x0000000000000000-mapping.dmp

Download
memory/1812-72-0x0000000000000000-mapping.dmp

Download
memory/1908-65-0x0000000000000000-mapping.dmp

Download