xmrig | 486042a0171c3b45784fd7947023feb5df886b58f820257016a61d142b4f333a

Analysis

max time kernel
138s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
16/11/2023, 23:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.4c6feb346be5fc24d70a78f09222af60.exe
Size

784KB
MD5

4c6feb346be5fc24d70a78f09222af60
SHA1

8e6ae7a003d3b37153b199783d01f138b21c7632
SHA256

486042a0171c3b45784fd7947023feb5df886b58f820257016a61d142b4f333a
SHA512

e120c642e657f591bc7ca991a809d8c91c42399b37c226d0316acf03b37b964df7cacfeb8c7cc52538136b7a11fa04aea4f33002d0a65078ac49f5f5a8c65be3
SSDEEP

12288:SO6C7pqv4CKNdJE/CNE9lJOqwTjmQkUrNXUVnGQiB7OzR/uJJ/ZhorU3IY/7:v7oCpO+rNAQB6l+BZhorU31/

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral2/memory/4044-2-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/4044-12-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/3960-15-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/3960-20-0x00000000054E0000-0x0000000005673000-memory.dmp	xmrig
behavioral2/memory/3960-21-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral2/memory/3960-30-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
3960	NEAS.4c6feb346be5fc24d70a78f09222af60.exe

Executes dropped EXE 1 IoCs

pid	Process
3960	NEAS.4c6feb346be5fc24d70a78f09222af60.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4044-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral2/files/0x0008000000022e38-11.dat	upx
behavioral2/memory/3960-13-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4044	NEAS.4c6feb346be5fc24d70a78f09222af60.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4044	NEAS.4c6feb346be5fc24d70a78f09222af60.exe
3960	NEAS.4c6feb346be5fc24d70a78f09222af60.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 3960	4044	NEAS.4c6feb346be5fc24d70a78f09222af60.exe	87
PID 4044 wrote to memory of 3960	4044	NEAS.4c6feb346be5fc24d70a78f09222af60.exe	87
PID 4044 wrote to memory of 3960	4044	NEAS.4c6feb346be5fc24d70a78f09222af60.exe	87

C:\Users\Admin\AppData\Local\Temp\NEAS.4c6feb346be5fc24d70a78f09222af60.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.4c6feb346be5fc24d70a78f09222af60.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Users\Admin\AppData\Local\Temp\NEAS.4c6feb346be5fc24d70a78f09222af60.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.4c6feb346be5fc24d70a78f09222af60.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3960

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NEAS.4c6feb346be5fc24d70a78f09222af60.exe

Filesize
784KB

MD5
34d7ae97475253041778ca54f1cd4d16

SHA1
6629217d7d7d8a6241247a47398471045fa69dbc

SHA256
3829f638819b363a0f5bb561e5c495012b024a323d5984d6bb2425635f47d70a

SHA512
0e5e70f4877c85a15069c6d7f8edfa7a5f55f23d3e4f126f598ceaafbd92b0e4c7eff2740d1f23d1a4635b4338c3b6a541d9fde75cdeef25c4e9730ab9c78dd5

Download Submit
memory/3960-13-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/3960-15-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3960-14-0x00000000018E0000-0x00000000019A4000-memory.dmp

Filesize
784KB

Download
memory/3960-20-0x00000000054E0000-0x0000000005673000-memory.dmp

Filesize
1.6MB

Download
memory/3960-21-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3960-30-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/4044-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/4044-1-0x0000000001720000-0x00000000017E4000-memory.dmp

Filesize
784KB

Download
memory/4044-2-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/4044-12-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download