xmrig | 5512711385ded81cd8262b740d611c60675db5f4356b44f1e3d6680d286274d4

Analysis

max time kernel
1s
max time network
3s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
21-10-2023 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.b7129903e26507dbef8999729e339af0.exe
Size

1.8MB
MD5

b7129903e26507dbef8999729e339af0
SHA1

6fdaa5277c4cfce89cbb6fd5d93da6cd970239a0
SHA256

5512711385ded81cd8262b740d611c60675db5f4356b44f1e3d6680d286274d4
SHA512

9386d8489add3c835cd0a6f2fd413e363937c6542048e76dc653137bdc52dc8b9f1513380409eaa1466866bb101b5fbae36fd9d0095143a5bfe63e5e33400773
SSDEEP

49152:GezaTF8FcNkNdfE0pZ9oztFwIRMmSdbbUGsy/m:GemTLkNdfE0pZa3

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 5 IoCs

miner

resource	yara_rule
behavioral1/files/0x000b000000012021-2.dat	xmrig
behavioral1/files/0x000b000000012021-5.dat	xmrig
behavioral1/files/0x000d0000000139f7-6.dat	xmrig
behavioral1/files/0x000d0000000139f7-9.dat	xmrig
behavioral1/files/0x0034000000016c2b-10.dat	xmrig

Executes dropped EXE 1 IoCs

pid	Process
2952	VVgkDCk.exe

Loads dropped DLL 2 IoCs

pid	Process
2752	NEAS.b7129903e26507dbef8999729e339af0.exe
2752	NEAS.b7129903e26507dbef8999729e339af0.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System\VVgkDCk.exe	NEAS.b7129903e26507dbef8999729e339af0.exe
File created	C:\Windows\System\dMskZRj.exe	NEAS.b7129903e26507dbef8999729e339af0.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 2952	2752	NEAS.b7129903e26507dbef8999729e339af0.exe	29
PID 2752 wrote to memory of 2952	2752	NEAS.b7129903e26507dbef8999729e339af0.exe	29
PID 2752 wrote to memory of 2952	2752	NEAS.b7129903e26507dbef8999729e339af0.exe	29
PID 2752 wrote to memory of 2528	2752	NEAS.b7129903e26507dbef8999729e339af0.exe	30
PID 2752 wrote to memory of 2528	2752	NEAS.b7129903e26507dbef8999729e339af0.exe	30

C:\Users\Admin\AppData\Local\Temp\NEAS.b7129903e26507dbef8999729e339af0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.b7129903e26507dbef8999729e339af0.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\System\VVgkDCk.exe
  C:\Windows\System\VVgkDCk.exe
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\System\dMskZRj.exe
  C:\Windows\System\dMskZRj.exe
  2⤵
  PID:2528
- C:\Windows\System\mUGYFmI.exe
  C:\Windows\System\mUGYFmI.exe
  2⤵
  PID:2636
- C:\Windows\System\YCGZlKJ.exe
  C:\Windows\System\YCGZlKJ.exe
  2⤵
  PID:2656
- C:\Windows\System\MowldZo.exe
  C:\Windows\System\MowldZo.exe
  2⤵
  PID:2596

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\MowldZo.exe

Filesize
192KB

MD5
f5f99d02ed8b56e8586d8d7891deb679

SHA1
38c4b1d6d37ed0a27dafb1c4ee6efcac34e5fb2b

SHA256
1f594701d1665a3ab0201fe69c8f988fb8a3862ad86d26b41024528cdd278cee

SHA512
921d53332816f4eb969344fa9f51d12abf7536129d0363f14fad1731d232fa19f009089bb4f9cfd1af866b26771cdcfac5b0ffcbca5b5566a77db963719ae2b1

Download Submit
C:\Windows\system\VVgkDCk.exe

Filesize
1.8MB

MD5
5872a9ada7ef3605d4034678a1e563d5

SHA1
46997ba359175af641f24ed51f8527824fda187c

SHA256
4146b698da3c9ab29dc7dd0af0bfb06f087c459cc76b9e45688a47be271a7e32

SHA512
850832d4c71ee44fa817681f59babea7376aeb27907fd13d440e73ec5beb52161e6ceb455c25ddb8b6458048066db54b7159724cddb0415f64b800aaacfa9012

Download Submit
C:\Windows\system\YCGZlKJ.exe

Filesize
128KB

MD5
a1307cf3385032ad126c6d0b477066b0

SHA1
cd75e7594dab159031b0dd1cf66a9bc29d3f6f10

SHA256
5f1996d387c2de315bb359de53c91f6dfdb6f5bc82749b498694df075c5983a8

SHA512
ae6296033bfe718203cd10ab707e2a6cbba7140f93d02cc6e7f5cca22a5526ac220a835b3bbc2fd007ce24c2e5b49d978732b33f9f88b13b3b3a3df090791129

Download Submit
C:\Windows\system\dMskZRj.exe

Filesize
1.1MB

MD5
79fc9a1c6d47098a27dfa7a349b5483c

SHA1
b597212f51ef87f9c5b161012c779db583e4dda1

SHA256
a313d831babd5e4a5811a764e135c6798b9931db7eb8f488463196ebd8466b4b

SHA512
694d4896dcf17207925c169fb95cee8682436d0d6510cd1e6736ad3b0d0fac287de8fe3d7b8e083eead033e5e961443eed0728ccd6bb3cbfa5d6f3b41bd9a08b

Download Submit
C:\Windows\system\mUGYFmI.exe

Filesize
640KB

MD5
6db50870de881e152623c8f51cf3fda6

SHA1
691c842a07ffb062e5ceaea5720b849f02b9ad0e

SHA256
af187b78fa29d4ed39b4d395efb7ee4fa99cc3e6ee76dfc935b721dd40170c31

SHA512
cb1cce69d018cc51978e6ab7fb73961605d2907c4c3729f381f1462708894bf2ca7695d2b6caa58936edf9c11dfcace30f96913fb6cb68cd146a65e2d6daffdd

Download Submit
C:\Windows\system\mUGYFmI.exe

Filesize
384KB

MD5
e99e6eba5db019d2967838b22e1c9017

SHA1
9475507426650fe68cb223e5a8b442cbb4ba1991

SHA256
b6d77f27d6e94dad3e0f94ea0f3d476321c166fc8ef6ab08a38631ebb4daa45a

SHA512
077a2f4c2678137e97168599fad7cd29edb689493531e80f0a2e4bc680bcc0a5fd8c0c61e31b0fb1d93a03fd6a73f284880fb73d93dd80e4cd7a4bae8de2677f

Download Submit
\Windows\system\MowldZo.exe

Filesize
192KB

MD5
f5f99d02ed8b56e8586d8d7891deb679

SHA1
38c4b1d6d37ed0a27dafb1c4ee6efcac34e5fb2b

SHA256
1f594701d1665a3ab0201fe69c8f988fb8a3862ad86d26b41024528cdd278cee

SHA512
921d53332816f4eb969344fa9f51d12abf7536129d0363f14fad1731d232fa19f009089bb4f9cfd1af866b26771cdcfac5b0ffcbca5b5566a77db963719ae2b1

Download Submit
\Windows\system\VVgkDCk.exe

Filesize
1.8MB

MD5
5872a9ada7ef3605d4034678a1e563d5

SHA1
46997ba359175af641f24ed51f8527824fda187c

SHA256
4146b698da3c9ab29dc7dd0af0bfb06f087c459cc76b9e45688a47be271a7e32

SHA512
850832d4c71ee44fa817681f59babea7376aeb27907fd13d440e73ec5beb52161e6ceb455c25ddb8b6458048066db54b7159724cddb0415f64b800aaacfa9012

Download Submit
\Windows\system\dMskZRj.exe

Filesize
1.4MB

MD5
9c60d08c6152f3075f2ae81e2aecf8db

SHA1
2d81f1124159d0f1ce4eec6876df9fd442832cf8

SHA256
747bd6a67648e6d7b648a51c0f59d08367fd73c3616ffa9e431897bc1583638e

SHA512
c11471da7e16a047a94aa2359241f83e93dab9e5500d237bbd824929214e22eeb9df7f3455932343cf6f86ca4319c00e239eb9bedf919e99a36fe98acc65a7b5

Download Submit
\Windows\system\mUGYFmI.exe

Filesize
704KB

MD5
ceddbf81a64b95e4ad425b4642bcf259

SHA1
2196a20236b9abc2121773ce1326159839a78b15

SHA256
bcfb7b5a9f825fc718ebb859f6bde279d251a4a370aac79692d5c3da6ed6b606

SHA512
ad01087ec45555c009e963a6225d6a2890a87f77d648812cb7b3105135c45a67a5c33bed64096b965228cf5cd0437f7e9ad2b58b7dd0d28120c713c838978cea

Download Submit
memory/2752-0-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download