xmrig | 6edca96202a9c5f01a654f197c76e399d722304f1966dc79242ae94e0a432e6c

Analysis

max time kernel
86s
max time network
19s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
14/11/2023, 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89fb203850a4b6cfe89fc74d9d122270.exe
Size

1.9MB
MD5

89fb203850a4b6cfe89fc74d9d122270
SHA1

03ad3f56398d70b0c00bfc219f1821642428c06f
SHA256

6edca96202a9c5f01a654f197c76e399d722304f1966dc79242ae94e0a432e6c
SHA512

86a4f888ea376894621d79a5b8d85303bafd4ff6f63f3d1d8288ee908fc8c985a44f33f85ff52f1c2aee414c3072337676215a826faabb35c4d4b858cc56f3c4
SSDEEP

49152:BezaTF8FcNkNdfE0pZ9ozt4wIC5aIwC+AjE+vhJUt7:BemTLkNdfE0pZrx

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/2248-0-0x000000013FEA0000-0x00000001401F4000-memory.dmp	xmrig
behavioral1/files/0x000900000001201b-3.dat	xmrig
behavioral1/files/0x000b0000000122f6-23.dat	xmrig
behavioral1/files/0x0007000000015c32-33.dat	xmrig
behavioral1/files/0x0008000000015613-28.dat	xmrig
behavioral1/memory/2736-291-0x000000013F700000-0x000000013FA54000-memory.dmp	xmrig
behavioral1/memory/2772-307-0x000000013F970000-0x000000013FCC4000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

pid	Process
1484	nprHgIL.exe

Loads dropped DLL 1 IoCs

pid	Process
2248	89fb203850a4b6cfe89fc74d9d122270.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2248-0-0x000000013FEA0000-0x00000001401F4000-memory.dmp	upx
behavioral1/files/0x000900000001201b-3.dat	upx
behavioral1/files/0x000b0000000122f6-23.dat	upx
behavioral1/files/0x0007000000015c32-33.dat	upx
behavioral1/files/0x0008000000015613-28.dat	upx
behavioral1/memory/2736-291-0x000000013F700000-0x000000013FA54000-memory.dmp	upx
behavioral1/memory/2772-307-0x000000013F970000-0x000000013FCC4000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System\nprHgIL.exe	89fb203850a4b6cfe89fc74d9d122270.exe
File created	C:\Windows\System\FQINPEG.exe	89fb203850a4b6cfe89fc74d9d122270.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 1484	2248	89fb203850a4b6cfe89fc74d9d122270.exe	29
PID 2248 wrote to memory of 1484	2248	89fb203850a4b6cfe89fc74d9d122270.exe	29
PID 2248 wrote to memory of 1484	2248	89fb203850a4b6cfe89fc74d9d122270.exe	29

C:\Users\Admin\AppData\Local\Temp\89fb203850a4b6cfe89fc74d9d122270.exe
"C:\Users\Admin\AppData\Local\Temp\89fb203850a4b6cfe89fc74d9d122270.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\System\nprHgIL.exe
  C:\Windows\System\nprHgIL.exe
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\System\FQINPEG.exe
  C:\Windows\System\FQINPEG.exe
  2⤵
  PID:2004
- C:\Windows\System\JAixkzt.exe
  C:\Windows\System\JAixkzt.exe
  2⤵
  PID:2908
- C:\Windows\System\jZBPbfJ.exe
  C:\Windows\System\jZBPbfJ.exe
  2⤵
  PID:2260
- C:\Windows\System\BlTYPnP.exe
  C:\Windows\System\BlTYPnP.exe
  2⤵
  PID:672
- C:\Windows\System\OpbtxtO.exe
  C:\Windows\System\OpbtxtO.exe
  2⤵
  PID:2800
- C:\Windows\System\DtFsJpw.exe
  C:\Windows\System\DtFsJpw.exe
  2⤵
  PID:1612
- C:\Windows\System\tRmdtSd.exe
  C:\Windows\System\tRmdtSd.exe
  2⤵
  PID:1868
- C:\Windows\System\gPFflxl.exe
  C:\Windows\System\gPFflxl.exe
  2⤵
  PID:1048
- C:\Windows\System\iaEMVwe.exe
  C:\Windows\System\iaEMVwe.exe
  2⤵
  PID:2652
- C:\Windows\System\tQDgEzw.exe
  C:\Windows\System\tQDgEzw.exe
  2⤵
  PID:1092
- C:\Windows\System\gOTswKR.exe
  C:\Windows\System\gOTswKR.exe
  2⤵
  PID:2036
- C:\Windows\System\SVhOnZD.exe
  C:\Windows\System\SVhOnZD.exe
  2⤵
  PID:1280
- C:\Windows\System\QyUDxFb.exe
  C:\Windows\System\QyUDxFb.exe
  2⤵
  PID:1652
- C:\Windows\System\phpwAUu.exe
  C:\Windows\System\phpwAUu.exe
  2⤵
  PID:2708
- C:\Windows\System\DnGhato.exe
  C:\Windows\System\DnGhato.exe
  2⤵
  PID:2860
- C:\Windows\System\zwarWIG.exe
  C:\Windows\System\zwarWIG.exe
  2⤵
  PID:1984
- C:\Windows\System\aANEFPO.exe
  C:\Windows\System\aANEFPO.exe
  2⤵
  PID:2880
- C:\Windows\System\LaKwZTT.exe
  C:\Windows\System\LaKwZTT.exe
  2⤵
  PID:3348
- C:\Windows\System\fluZJzf.exe
  C:\Windows\System\fluZJzf.exe
  2⤵
  PID:4268
- C:\Windows\System\eUujASs.exe
  C:\Windows\System\eUujASs.exe
  2⤵
  PID:4476
- C:\Windows\System\hslPDHk.exe
  C:\Windows\System\hslPDHk.exe
  2⤵
  PID:4504
- C:\Windows\System\kBwNWiL.exe
  C:\Windows\System\kBwNWiL.exe
  2⤵
  PID:4804
- C:\Windows\System\rqCqgZH.exe
  C:\Windows\System\rqCqgZH.exe
  2⤵
  PID:5048
- C:\Windows\System\WvROXPn.exe
  C:\Windows\System\WvROXPn.exe
  2⤵
  PID:4652
- C:\Windows\System\ICUTkqU.exe
  C:\Windows\System\ICUTkqU.exe
  2⤵
  PID:4552
- C:\Windows\System\ksCobKW.exe
  C:\Windows\System\ksCobKW.exe
  2⤵
  PID:5184
- C:\Windows\System\GjZxbLm.exe
  C:\Windows\System\GjZxbLm.exe
  2⤵
  PID:5168
- C:\Windows\System\gfjdEuS.exe
  C:\Windows\System\gfjdEuS.exe
  2⤵
  PID:5684
- C:\Windows\System\cfJayEu.exe
  C:\Windows\System\cfJayEu.exe
  2⤵
  PID:5668
- C:\Windows\System\pgAJvxJ.exe
  C:\Windows\System\pgAJvxJ.exe
  2⤵
  PID:6068
- C:\Windows\System\WTDjDas.exe
  C:\Windows\System\WTDjDas.exe
  2⤵
  PID:6052
- C:\Windows\System\HfsGALH.exe
  C:\Windows\System\HfsGALH.exe
  2⤵
  PID:6036
- C:\Windows\System\xeqtPeC.exe
  C:\Windows\System\xeqtPeC.exe
  2⤵
  PID:6232
- C:\Windows\System\ACxdBNv.exe
  C:\Windows\System\ACxdBNv.exe
  2⤵
  PID:7556
- C:\Windows\System\BJSsHgK.exe
  C:\Windows\System\BJSsHgK.exe
  2⤵
  PID:7160
- C:\Windows\System\oaolYpw.exe
  C:\Windows\System\oaolYpw.exe
  2⤵
  PID:6752
- C:\Windows\System\ZdNVVbb.exe
  C:\Windows\System\ZdNVVbb.exe
  2⤵
  PID:7564
- C:\Windows\System\OfLdYvP.exe
  C:\Windows\System\OfLdYvP.exe
  2⤵
  PID:6436
- C:\Windows\System\ytyXxUg.exe
  C:\Windows\System\ytyXxUg.exe
  2⤵
  PID:8688
- C:\Windows\System\cqPDTTi.exe
  C:\Windows\System\cqPDTTi.exe
  2⤵
  PID:8672
- C:\Windows\System\VokaWjE.exe
  C:\Windows\System\VokaWjE.exe
  2⤵
  PID:8656
- C:\Windows\System\dxjZRfy.exe
  C:\Windows\System\dxjZRfy.exe
  2⤵
  PID:8640
- C:\Windows\System\NVubXWn.exe
  C:\Windows\System\NVubXWn.exe
  2⤵
  PID:8928
- C:\Windows\System\JdCwUsu.exe
  C:\Windows\System\JdCwUsu.exe
  2⤵
  PID:9312
- C:\Windows\System\qBMgAof.exe
  C:\Windows\System\qBMgAof.exe
  2⤵
  PID:9296
- C:\Windows\System\dqeCwff.exe
  C:\Windows\System\dqeCwff.exe
  2⤵
  PID:8936
- C:\Windows\System\GnCFGai.exe
  C:\Windows\System\GnCFGai.exe
  2⤵
  PID:11152
- C:\Windows\System\hLolYNP.exe
  C:\Windows\System\hLolYNP.exe
  2⤵
  PID:10440
- C:\Windows\System\tPjCThH.exe
  C:\Windows\System\tPjCThH.exe
  2⤵
  PID:12016
- C:\Windows\System\aKFjsTg.exe
  C:\Windows\System\aKFjsTg.exe
  2⤵
  PID:12000
- C:\Windows\System\PCaHVyQ.exe
  C:\Windows\System\PCaHVyQ.exe
  2⤵
  PID:10376
- C:\Windows\System\TMnEERM.exe
  C:\Windows\System\TMnEERM.exe
  2⤵
  PID:8664
- C:\Windows\System\DkSZuxd.exe
  C:\Windows\System\DkSZuxd.exe
  2⤵
  PID:11292
- C:\Windows\System\ZRiflBU.exe
  C:\Windows\System\ZRiflBU.exe
  2⤵
  PID:12952
- C:\Windows\System\clqPQdo.exe
  C:\Windows\System\clqPQdo.exe
  2⤵
  PID:12936
- C:\Windows\System\IwdnBvs.exe
  C:\Windows\System\IwdnBvs.exe
  2⤵
  PID:13288
- C:\Windows\System\AZamJMq.exe
  C:\Windows\System\AZamJMq.exe
  2⤵
  PID:13272
- C:\Windows\System\vQFqukv.exe
  C:\Windows\System\vQFqukv.exe
  2⤵
  PID:12692
- C:\Windows\System\HNWYSRV.exe
  C:\Windows\System\HNWYSRV.exe
  2⤵
  PID:12640
- C:\Windows\System\GXjMEYN.exe
  C:\Windows\System\GXjMEYN.exe
  2⤵
  PID:12628
- C:\Windows\System\dIzkPCs.exe
  C:\Windows\System\dIzkPCs.exe
  2⤵
  PID:13104
- C:\Windows\System\kaIZgCC.exe
  C:\Windows\System\kaIZgCC.exe
  2⤵
  PID:13928
- C:\Windows\System\rPbWRsj.exe
  C:\Windows\System\rPbWRsj.exe
  2⤵
  PID:13912
- C:\Windows\System\ItAzoKx.exe
  C:\Windows\System\ItAzoKx.exe
  2⤵
  PID:13784
- C:\Windows\System\CRKdvly.exe
  C:\Windows\System\CRKdvly.exe
  2⤵
  PID:13720
- C:\Windows\System\pyBdiLU.exe
  C:\Windows\System\pyBdiLU.exe
  2⤵
  PID:13280
- C:\Windows\System\ogGbhHF.exe
  C:\Windows\System\ogGbhHF.exe
  2⤵
  PID:12864
- C:\Windows\System\DvOdnnM.exe
  C:\Windows\System\DvOdnnM.exe
  2⤵
  PID:8584
- C:\Windows\System\yrHceFq.exe
  C:\Windows\System\yrHceFq.exe
  2⤵
  PID:13624
- C:\Windows\System\pyJnEOJ.exe
  C:\Windows\System\pyJnEOJ.exe
  2⤵
  PID:13560
- C:\Windows\System\wXSDLMZ.exe
  C:\Windows\System\wXSDLMZ.exe
  2⤵
  PID:13496
- C:\Windows\System\RuHlEvT.exe
  C:\Windows\System\RuHlEvT.exe
  2⤵
  PID:10788
- C:\Windows\System\MuBonGK.exe
  C:\Windows\System\MuBonGK.exe
  2⤵
  PID:10276
- C:\Windows\System\ItkpBWd.exe
  C:\Windows\System\ItkpBWd.exe
  2⤵
  PID:13368
- C:\Windows\System\qbykuzs.exe
  C:\Windows\System\qbykuzs.exe
  2⤵
  PID:12720
- C:\Windows\System\CicruMi.exe
  C:\Windows\System\CicruMi.exe
  2⤵
  PID:9340
- C:\Windows\System\XeuVvBD.exe
  C:\Windows\System\XeuVvBD.exe
  2⤵
  PID:12996
- C:\Windows\System\vTDByCb.exe
  C:\Windows\System\vTDByCb.exe
  2⤵
  PID:12772
- C:\Windows\System\smslERT.exe
  C:\Windows\System\smslERT.exe
  2⤵
  PID:14332
- C:\Windows\System\BwtifpR.exe
  C:\Windows\System\BwtifpR.exe
  2⤵
  PID:14316
- C:\Windows\System\evqfbUn.exe
  C:\Windows\System\evqfbUn.exe
  2⤵
  PID:14300
- C:\Windows\System\BluryPI.exe
  C:\Windows\System\BluryPI.exe
  2⤵
  PID:14284
- C:\Windows\System\TOxZexP.exe
  C:\Windows\System\TOxZexP.exe
  2⤵
  PID:14268
- C:\Windows\System\GTyFBRj.exe
  C:\Windows\System\GTyFBRj.exe
  2⤵
  PID:14252
- C:\Windows\System\mmZhqXy.exe
  C:\Windows\System\mmZhqXy.exe
  2⤵
  PID:14236
- C:\Windows\System\dDVovtJ.exe
  C:\Windows\System\dDVovtJ.exe
  2⤵
  PID:14220
- C:\Windows\System\IRDXWyW.exe
  C:\Windows\System\IRDXWyW.exe
  2⤵
  PID:14204
- C:\Windows\System\NKkzawi.exe
  C:\Windows\System\NKkzawi.exe
  2⤵
  PID:14188
- C:\Windows\System\tzTVvAL.exe
  C:\Windows\System\tzTVvAL.exe
  2⤵
  PID:14172
- C:\Windows\System\jXEfvwP.exe
  C:\Windows\System\jXEfvwP.exe
  2⤵
  PID:14156
- C:\Windows\System\WfyRUwn.exe
  C:\Windows\System\WfyRUwn.exe
  2⤵
  PID:14140
- C:\Windows\System\XdgZdnB.exe
  C:\Windows\System\XdgZdnB.exe
  2⤵
  PID:14124
- C:\Windows\System\QUaEHkZ.exe
  C:\Windows\System\QUaEHkZ.exe
  2⤵
  PID:14108
- C:\Windows\System\VFjoEsO.exe
  C:\Windows\System\VFjoEsO.exe
  2⤵
  PID:14092
- C:\Windows\System\xcTjCpY.exe
  C:\Windows\System\xcTjCpY.exe
  2⤵
  PID:14076
- C:\Windows\System\piguNrV.exe
  C:\Windows\System\piguNrV.exe
  2⤵
  PID:14060
- C:\Windows\System\twCRXwT.exe
  C:\Windows\System\twCRXwT.exe
  2⤵
  PID:14044
- C:\Windows\System\MxNmFNV.exe
  C:\Windows\System\MxNmFNV.exe
  2⤵
  PID:14028
- C:\Windows\System\ZRaOrzM.exe
  C:\Windows\System\ZRaOrzM.exe
  2⤵
  PID:13872
- C:\Windows\System\kDMoxTf.exe
  C:\Windows\System\kDMoxTf.exe
  2⤵
  PID:13856
- C:\Windows\System\bEDsdgY.exe
  C:\Windows\System\bEDsdgY.exe
  2⤵
  PID:13840
- C:\Windows\System\lDXnzws.exe
  C:\Windows\System\lDXnzws.exe
  2⤵
  PID:13824
- C:\Windows\System\GUjjyaA.exe
  C:\Windows\System\GUjjyaA.exe
  2⤵
  PID:13808
- C:\Windows\System\yVmtUhF.exe
  C:\Windows\System\yVmtUhF.exe
  2⤵
  PID:13792
- C:\Windows\System\qCOEKQn.exe
  C:\Windows\System\qCOEKQn.exe
  2⤵
  PID:13776
- C:\Windows\System\fhKpUyh.exe
  C:\Windows\System\fhKpUyh.exe
  2⤵
  PID:13760
- C:\Windows\System\kzpqzba.exe
  C:\Windows\System\kzpqzba.exe
  2⤵
  PID:13744
- C:\Windows\System\XurRcQd.exe
  C:\Windows\System\XurRcQd.exe
  2⤵
  PID:13728
- C:\Windows\System\BhhhUez.exe
  C:\Windows\System\BhhhUez.exe
  2⤵
  PID:13712
- C:\Windows\System\DMfXhbr.exe
  C:\Windows\System\DMfXhbr.exe
  2⤵
  PID:13696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\XXgklsV.exe

Filesize
1.9MB

MD5
d41bf792e6af1f0ec60f836da2f0fbea

SHA1
e8c53e3b30e16603cf3c037893f0be0b07534e47

SHA256
a2abb7da4456c781152d9b767bfdb4961e255d15d29d4e090543059f259bc934

SHA512
5236db64f2fe4abccd7f898fdd9ca18984b2bbe4f27960e660a976e9088cae8ff767ff7d88eaf121521d435ee11580c5736e542b3f3c5ab49e5d691e387e5edf

Download Submit
C:\Windows\system\voJLCsY.exe

Filesize
1.9MB

MD5
85148eca654cc42f509d179c1f32f24a

SHA1
2f5696b57f02d1d96ef88fd56e5843308be99741

SHA256
77a9b005ea07caf47aed56cfb0c8ee75b37f27f19af9159fed4d5001e64020c3

SHA512
80470e6e5bb05e88a88109d1c6eebb2f20303dd085f9d4d68038e1465c348ad887a5dedf415ccad3445b9050a9bfa2242b7cb6aac5d39f1a6d368d6be9de26ea

Download Submit
\Windows\system\mvNySRH.exe

Filesize
1.9MB

MD5
a28758af2afa95e7199ead4eda1bf5bb

SHA1
e6b561d4c5227ff7d21565b56f90216d4c0f11c2

SHA256
d23b38d72c7b436fe827a8f3e4e1f7c53a0e0610872ffeb18a912d1838b9305d

SHA512
5c671caf2b480698210c565aaefeb8f43b6a86a4081600fcf04e386da1348ebcd98e01a4f843888fab72eb6894e3a9af49c649625cc178a6cf28953396056e81

Download Submit
\Windows\system\nprHgIL.exe

Filesize
1.9MB

MD5
1c02b13c56a7c72f8c0d3952911e6043

SHA1
838982f5f5133f57439e9d25199eef3e78258d4c

SHA256
d0e1406614b1943f36babcd1b342a0a6251c5262211563971e57b2de46182758

SHA512
67d445e07634e80f616dabd571b483b97b33586750adedeaec42b31e5f0e082f11d4dd4552927c9c3c0dc6264b139c72eb62acb4e5e9f89a439cd7629e5c2223

Download Submit
memory/2248-0-0x000000013FEA0000-0x00000001401F4000-memory.dmp

Filesize
3.3MB

Download
memory/2248-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2248-323-0x000000013F280000-0x000000013F5D4000-memory.dmp

Filesize
3.3MB

Download
memory/2736-291-0x000000013F700000-0x000000013FA54000-memory.dmp

Filesize
3.3MB

Download
memory/2772-307-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download