xmrig | a032a8fe41816cb3b2d932e7219e116cb86d932867a984684f29530b98509690

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19-12-2023 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08d8036da2cfcdf8b1883d589e37c152.exe
Size

3.1MB
MD5

08d8036da2cfcdf8b1883d589e37c152
SHA1

7013d97b566c9fd324d5fd6aec7e2c82f706d58a
SHA256

a032a8fe41816cb3b2d932e7219e116cb86d932867a984684f29530b98509690
SHA512

2de770e8e0b03c1d39bcddc27048a472d269e4ab4a832a5acedfc00a158e16a37c032094aa618ed1d422c7b376c4c30f21cb743e6fba1720336385002872af7f
SSDEEP

98304:ez5djsBQ3huE8hZhbPPeiQtx550oFJyRCKI4RoI/K:coBQRMZhbOR9qgJyHaY

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/2956-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2956-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2744-19-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2744-24-0x0000000003050000-0x00000000031E3000-memory.dmp	xmrig
behavioral1/memory/2744-25-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2744-35-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2744-34-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2744	08d8036da2cfcdf8b1883d589e37c152.exe

Executes dropped EXE 1 IoCs

pid	Process
2744	08d8036da2cfcdf8b1883d589e37c152.exe

Loads dropped DLL 1 IoCs

pid	Process
2956	08d8036da2cfcdf8b1883d589e37c152.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2956-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000b000000012223-10.dat	upx
behavioral1/memory/2956-15-0x0000000003760000-0x0000000003A72000-memory.dmp	upx
behavioral1/files/0x000b000000012223-16.dat	upx
behavioral1/memory/2744-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2956	08d8036da2cfcdf8b1883d589e37c152.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2956	08d8036da2cfcdf8b1883d589e37c152.exe
2744	08d8036da2cfcdf8b1883d589e37c152.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2744	2956	08d8036da2cfcdf8b1883d589e37c152.exe	29
PID 2956 wrote to memory of 2744	2956	08d8036da2cfcdf8b1883d589e37c152.exe	29
PID 2956 wrote to memory of 2744	2956	08d8036da2cfcdf8b1883d589e37c152.exe	29
PID 2956 wrote to memory of 2744	2956	08d8036da2cfcdf8b1883d589e37c152.exe	29

C:\Users\Admin\AppData\Local\Temp\08d8036da2cfcdf8b1883d589e37c152.exe
"C:\Users\Admin\AppData\Local\Temp\08d8036da2cfcdf8b1883d589e37c152.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Users\Admin\AppData\Local\Temp\08d8036da2cfcdf8b1883d589e37c152.exe
  C:\Users\Admin\AppData\Local\Temp\08d8036da2cfcdf8b1883d589e37c152.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\08d8036da2cfcdf8b1883d589e37c152.exe

Filesize
784KB

MD5
417561401d0ff0a50cd5883cde191212

SHA1
5c30281de05719708a674dd92de28acc4b889211

SHA256
65c54d9eb0debea64f2d05c8971f0efc1dff2ae47be36208d4acba1eab3a710f

SHA512
b7e8c5878bb54e7a2ece1b48fecad21921fecff4621d8ff69a2ba42bbccc66906aa870532081828327cb183bee2a7ca15f4f79df74964d8c5f17ed551d8ba144

Download Submit
\Users\Admin\AppData\Local\Temp\08d8036da2cfcdf8b1883d589e37c152.exe

Filesize
543KB

MD5
a7b32807a480a5112a9c6dd2db66ac5e

SHA1
754166ef172f46d4d3af096c55559610839afd55

SHA256
c427c2701ee650b3bf80f21d5126e6e79a29e086e72cbe32f7b5a58c0545ab7c

SHA512
7588f05651297585670bb9746fdd5f92efafc56fd6de6d024ef849bcf49a147b6e29541d56227da8ca80f6c6b3c983d46c69d10aeb549d918c93f6f8d82d4dfb

Download Submit
memory/2744-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2744-18-0x0000000001720000-0x00000000017E4000-memory.dmp

Filesize
784KB

Download
memory/2744-19-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2744-24-0x0000000003050000-0x00000000031E3000-memory.dmp

Filesize
1.6MB

Download
memory/2744-25-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2744-35-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2744-34-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download
memory/2956-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2956-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2956-15-0x0000000003760000-0x0000000003A72000-memory.dmp

Filesize
3.1MB

Download
memory/2956-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2956-2-0x00000000018B0000-0x0000000001974000-memory.dmp

Filesize
784KB

Download