xmrig | c76761203652bae65246f24fb687aa1cccd1dafdd68f14f1c85f5f3dbb6d3a8b

Analysis

max time kernel
5s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2023, 21:18

Target

NEAS.43724ef404d5b55547b56b4db096b170.exe
Size

2.7MB
MD5

43724ef404d5b55547b56b4db096b170
SHA1

f4dda4eb73190e35274950d08513bd2490c72344
SHA256

c76761203652bae65246f24fb687aa1cccd1dafdd68f14f1c85f5f3dbb6d3a8b
SHA512

3abd99c86ea3a56830c997b5aecf918c3c126b73338803da2cc48b23b391673bc676a26d4334c53d004d84cae53f3519ab13279afd8835f5f474d1169ea59778
SSDEEP

49152:BezaTF8FcNkNdfE0pZ9ozt4wIQ56uL3pgrCEdTKUHiCGakOnfa+hQI8:BemTLkNdfE0pZrQ56utgm

Score

10^/10

xmrig miner upx

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 3 IoCs

miner

resource	yara_rule
behavioral2/memory/4884-0-0x00007FF6C0350000-0x00007FF6C06A4000-memory.dmp	xmrig
behavioral2/files/0x0008000000023074-6.dat	xmrig
behavioral2/files/0x0008000000023074-4.dat	xmrig

Executes dropped EXE 1 IoCs

pid	Process
2852	KXOedQr.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/4884-0-0x00007FF6C0350000-0x00007FF6C06A4000-memory.dmp	upx
behavioral2/files/0x0008000000023074-6.dat	upx
behavioral2/memory/2852-8-0x00007FF6B7690000-0x00007FF6B79E4000-memory.dmp	upx
behavioral2/files/0x0008000000023074-4.dat	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System\KXOedQr.exe	NEAS.43724ef404d5b55547b56b4db096b170.exe
File created	C:\Windows\System\gfZmemP.exe	NEAS.43724ef404d5b55547b56b4db096b170.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 2852	4884	NEAS.43724ef404d5b55547b56b4db096b170.exe	84
PID 4884 wrote to memory of 2852	4884	NEAS.43724ef404d5b55547b56b4db096b170.exe	84

C:\Users\Admin\AppData\Local\Temp\NEAS.43724ef404d5b55547b56b4db096b170.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.43724ef404d5b55547b56b4db096b170.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Windows\System\KXOedQr.exe
  C:\Windows\System\KXOedQr.exe
  2⤵
  - Executes dropped EXE
  PID:2852

C:\Windows\System\KXOedQr.exe

Filesize
1.1MB

MD5
3b11b6e286058a350462f1881ffc13b0

SHA1
078ada47b5f6240626cef7f2c3c4019ff8ed75e5

SHA256
9a484aff833f02ba960094334ea6971d8bc39770bb94fa239d8fdaf266479ee6

SHA512
e0c9122598caa0a556f3e314d7a17d40ee648d54571be10f641894fd094f2652cf175ca6cdadbe2fdb959d8d780f238a397c41a8d2b26d7b9f129b19ea03795e

Download Submit
C:\Windows\System\KXOedQr.exe

Filesize
1.3MB

MD5
d9ecb374867b2c01c7ae6d1c7d357a2e

SHA1
60b67dbedb12329921c4e8b5978205c792e9c99f

SHA256
e9c6dcd9786cc38860edc3f36156540c646725e24f480eadfc5f01bba915fad9

SHA512
bd15f03326ba68a2914d10e7a85445171147644c6c4a1cd96008ec3a1f937403c284efe2f3d9a11e7d1395a092ae6fd326c9cd657e5034a7a43052f7f138634b

Download Submit
memory/2852-8-0x00007FF6B7690000-0x00007FF6B79E4000-memory.dmp

Filesize
3.3MB

Download
memory/4884-0-0x00007FF6C0350000-0x00007FF6C06A4000-memory.dmp

Filesize
3.3MB

Download
memory/4884-1-0x000001FAF9FE0000-0x000001FAF9FF0000-memory.dmp

Filesize
64KB

Download