xmrig | 41a02f3e0bbc8e84d6f1f2117ff848dd4a285c7066545713c2cf3043c16a2486

Analysis

max time kernel
150s
max time network
138s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
06-11-2023 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.83822cdc824ce51c4fa0d571864677c0.exe
Size

1.6MB
MD5

83822cdc824ce51c4fa0d571864677c0
SHA1

f0f2d3731b3bb89affb1a162999544732505bea1
SHA256

41a02f3e0bbc8e84d6f1f2117ff848dd4a285c7066545713c2cf3043c16a2486
SHA512

2f3ef5e1b77f15372ecd435b36d9ce56230d62295212e7ff1b8b49e52491bf523224c6842653c4ea548dbd4fbef82e9b3520215f45c23c43a68a2d58a338616b
SSDEEP

49152:wXt17+Rfj3ppdpZjoNcUT93rADmMvRkvuYZ7+rCs:waVjDhUNc299Cu+

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 15 IoCs

miner

resource	yara_rule
behavioral1/memory/1220-4-0x000000013FE80000-0x00000001405C5000-memory.dmp	xmrig
behavioral1/memory/1220-5-0x000000013FE80000-0x00000001405C5000-memory.dmp	xmrig
behavioral1/memory/1220-8-0x000000013FE80000-0x00000001405C5000-memory.dmp	xmrig
behavioral1/memory/1220-9-0x000000013FE80000-0x00000001405C5000-memory.dmp	xmrig
behavioral1/memory/1220-10-0x000000013FE80000-0x00000001405C5000-memory.dmp	xmrig
behavioral1/memory/1220-11-0x000000013FE80000-0x00000001405C5000-memory.dmp	xmrig
behavioral1/memory/1220-12-0x000000013FE80000-0x00000001405C5000-memory.dmp	xmrig
behavioral1/memory/1220-13-0x000000013FE80000-0x00000001405C5000-memory.dmp	xmrig
behavioral1/memory/1220-14-0x000000013FE80000-0x00000001405C5000-memory.dmp	xmrig
behavioral1/memory/1220-15-0x000000013FE80000-0x00000001405C5000-memory.dmp	xmrig
behavioral1/memory/1220-16-0x000000013FE80000-0x00000001405C5000-memory.dmp	xmrig
behavioral1/memory/1220-17-0x000000013FE80000-0x00000001405C5000-memory.dmp	xmrig
behavioral1/memory/1220-18-0x000000013FE80000-0x00000001405C5000-memory.dmp	xmrig
behavioral1/memory/1220-19-0x000000013FE80000-0x00000001405C5000-memory.dmp	xmrig
behavioral1/memory/1220-20-0x000000013FE80000-0x00000001405C5000-memory.dmp	xmrig

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1220-1-0x000000013FE80000-0x00000001405C5000-memory.dmp	upx
behavioral1/memory/1220-4-0x000000013FE80000-0x00000001405C5000-memory.dmp	upx
behavioral1/memory/1220-5-0x000000013FE80000-0x00000001405C5000-memory.dmp	upx
behavioral1/memory/1220-8-0x000000013FE80000-0x00000001405C5000-memory.dmp	upx
behavioral1/memory/1220-9-0x000000013FE80000-0x00000001405C5000-memory.dmp	upx
behavioral1/memory/1220-10-0x000000013FE80000-0x00000001405C5000-memory.dmp	upx
behavioral1/memory/1220-11-0x000000013FE80000-0x00000001405C5000-memory.dmp	upx
behavioral1/memory/1220-12-0x000000013FE80000-0x00000001405C5000-memory.dmp	upx
behavioral1/memory/1220-13-0x000000013FE80000-0x00000001405C5000-memory.dmp	upx
behavioral1/memory/1220-14-0x000000013FE80000-0x00000001405C5000-memory.dmp	upx
behavioral1/memory/1220-15-0x000000013FE80000-0x00000001405C5000-memory.dmp	upx
behavioral1/memory/1220-16-0x000000013FE80000-0x00000001405C5000-memory.dmp	upx
behavioral1/memory/1220-17-0x000000013FE80000-0x00000001405C5000-memory.dmp	upx
behavioral1/memory/1220-18-0x000000013FE80000-0x00000001405C5000-memory.dmp	upx
behavioral1/memory/1220-19-0x000000013FE80000-0x00000001405C5000-memory.dmp	upx
behavioral1/memory/1220-20-0x000000013FE80000-0x00000001405C5000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe
Token: SeLockMemoryPrivilege	1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1220	NEAS.83822cdc824ce51c4fa0d571864677c0.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.83822cdc824ce51c4fa0d571864677c0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.83822cdc824ce51c4fa0d571864677c0.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1220

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1220-0-0x0000000000070000-0x0000000000090000-memory.dmp

Filesize
128KB

Download
memory/1220-1-0x000000013FE80000-0x00000001405C5000-memory.dmp

Filesize
7.3MB

Download
memory/1220-3-0x0000000001E20000-0x0000000001E40000-memory.dmp

Filesize
128KB

Download
memory/1220-2-0x00000000003E0000-0x0000000000400000-memory.dmp

Filesize
128KB

Download
memory/1220-4-0x000000013FE80000-0x00000001405C5000-memory.dmp

Filesize
7.3MB

Download
memory/1220-5-0x000000013FE80000-0x00000001405C5000-memory.dmp

Filesize
7.3MB

Download
memory/1220-6-0x00000000003E0000-0x0000000000400000-memory.dmp

Filesize
128KB

Download
memory/1220-7-0x0000000001E20000-0x0000000001E40000-memory.dmp

Filesize
128KB

Download
memory/1220-8-0x000000013FE80000-0x00000001405C5000-memory.dmp

Filesize
7.3MB

Download
memory/1220-9-0x000000013FE80000-0x00000001405C5000-memory.dmp

Filesize
7.3MB

Download
memory/1220-10-0x000000013FE80000-0x00000001405C5000-memory.dmp

Filesize
7.3MB

Download
memory/1220-11-0x000000013FE80000-0x00000001405C5000-memory.dmp

Filesize
7.3MB

Download
memory/1220-12-0x000000013FE80000-0x00000001405C5000-memory.dmp

Filesize
7.3MB

Download
memory/1220-13-0x000000013FE80000-0x00000001405C5000-memory.dmp

Filesize
7.3MB

Download
memory/1220-14-0x000000013FE80000-0x00000001405C5000-memory.dmp

Filesize
7.3MB

Download
memory/1220-15-0x000000013FE80000-0x00000001405C5000-memory.dmp

Filesize
7.3MB

Download
memory/1220-16-0x000000013FE80000-0x00000001405C5000-memory.dmp

Filesize
7.3MB

Download
memory/1220-17-0x000000013FE80000-0x00000001405C5000-memory.dmp

Filesize
7.3MB

Download
memory/1220-18-0x000000013FE80000-0x00000001405C5000-memory.dmp

Filesize
7.3MB

Download
memory/1220-19-0x000000013FE80000-0x00000001405C5000-memory.dmp

Filesize
7.3MB

Download
memory/1220-20-0x000000013FE80000-0x00000001405C5000-memory.dmp

Filesize
7.3MB

Download