xmrig | 27326b33b811a151d7832f9b081eb05594b438266a7ba71511e54b4a2d723b7e

Analysis

max time kernel
142s
max time network
130s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
02/10/2023, 11:43

Target

806062d87954556a9b9ba3eebd5f1f19c216a1cef0e6661c75c22e252f0eef8c.exe
Size

755KB
MD5

ba77c5ae2b2494e98c6997a98d266b14
SHA1

302460f8f27e54c043fdb07594a0e49342252874
SHA256

806062d87954556a9b9ba3eebd5f1f19c216a1cef0e6661c75c22e252f0eef8c
SHA512

abb170e2d4874a2d0b4b3e7209649db5bc12b07e4bd0dd0a3e880343acf1ba5c5f4cf59fb3ae3d44c74fa0cd1f1fb89d996761e2d5f7765ae7d9e5e1a38e880e
SSDEEP

12288:c6VScNQ2JPPILK50EvIfc/MSMK5z1iKXzdkHjKN5TQA25OysQD963hoSdu:c6VSyvP5hvIe1iYpgjOR25Oys33

Score

10^/10

xmrig miner upx

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral1/memory/2572-1-0x0000000000D20000-0x0000000000F6A000-memory.dmp	xmrig

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/2572-0-0x0000000000D20000-0x0000000000F6A000-memory.dmp	upx
behavioral1/memory/2572-1-0x0000000000D20000-0x0000000000F6A000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2676	2572	WerFault.exe	14

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 2676	2572	806062d87954556a9b9ba3eebd5f1f19c216a1cef0e6661c75c22e252f0eef8c.exe	28
PID 2572 wrote to memory of 2676	2572	806062d87954556a9b9ba3eebd5f1f19c216a1cef0e6661c75c22e252f0eef8c.exe	28
PID 2572 wrote to memory of 2676	2572	806062d87954556a9b9ba3eebd5f1f19c216a1cef0e6661c75c22e252f0eef8c.exe	28
PID 2572 wrote to memory of 2676	2572	806062d87954556a9b9ba3eebd5f1f19c216a1cef0e6661c75c22e252f0eef8c.exe	28

C:\Users\Admin\AppData\Local\Temp\806062d87954556a9b9ba3eebd5f1f19c216a1cef0e6661c75c22e252f0eef8c.exe
"C:\Users\Admin\AppData\Local\Temp\806062d87954556a9b9ba3eebd5f1f19c216a1cef0e6661c75c22e252f0eef8c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 116
  2⤵
  - Program crash
  PID:2676

memory/2572-0-0x0000000000D20000-0x0000000000F6A000-memory.dmp

Filesize
2.3MB

Download
memory/2572-1-0x0000000000D20000-0x0000000000F6A000-memory.dmp

Filesize
2.3MB

Download