xmrig | 5cd11a13766ffda59b1f3d4f68117fd1e1bd97b6be479d73487352bd69636e26

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2023 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a99ec7f4d3b17e183a7951c9c482097.exe
Size

784KB
MD5

0a99ec7f4d3b17e183a7951c9c482097
SHA1

053779e4e3d9ccbfac1d1776c35b8e565c3779c4
SHA256

5cd11a13766ffda59b1f3d4f68117fd1e1bd97b6be479d73487352bd69636e26
SHA512

39a97c10fc8ed19a4bee587f83923de7d56c83b6798ef9b722b530eb511ba98c60e0bbe9a9b1bbe6e8cd01ae9ea7832fe81986e61da2f566215067c9b9d76600
SSDEEP

24576:3Mc66uYjBf57jAymRW17Vcp7A+X3H6klR3:3Mv6uYVRQl6kl

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral2/memory/1880-2-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/1880-12-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/1152-15-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/1152-20-0x0000000005350000-0x00000000054E3000-memory.dmp	xmrig
behavioral2/memory/1152-21-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral2/memory/1152-30-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig
behavioral2/memory/1152-31-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
1152	0a99ec7f4d3b17e183a7951c9c482097.exe

Executes dropped EXE 1 IoCs

pid	Process
1152	0a99ec7f4d3b17e183a7951c9c482097.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1880-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral2/files/0x0007000000023244-11.dat	upx
behavioral2/memory/1152-13-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1880	0a99ec7f4d3b17e183a7951c9c482097.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1880	0a99ec7f4d3b17e183a7951c9c482097.exe
1152	0a99ec7f4d3b17e183a7951c9c482097.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 1152	1880	0a99ec7f4d3b17e183a7951c9c482097.exe	89
PID 1880 wrote to memory of 1152	1880	0a99ec7f4d3b17e183a7951c9c482097.exe	89
PID 1880 wrote to memory of 1152	1880	0a99ec7f4d3b17e183a7951c9c482097.exe	89

C:\Users\Admin\AppData\Local\Temp\0a99ec7f4d3b17e183a7951c9c482097.exe
"C:\Users\Admin\AppData\Local\Temp\0a99ec7f4d3b17e183a7951c9c482097.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Users\Admin\AppData\Local\Temp\0a99ec7f4d3b17e183a7951c9c482097.exe
  C:\Users\Admin\AppData\Local\Temp\0a99ec7f4d3b17e183a7951c9c482097.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1152

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0a99ec7f4d3b17e183a7951c9c482097.exe

Filesize
547KB

MD5
7138af01b9749f91ac65fed64221f9a3

SHA1
1649377b7eb2303a3f6059bb53134d8ae0f9fde2

SHA256
8da02734113715f9167f2a5dab88e8d344f9da8bfd5e126d39ccc93f073a03b8

SHA512
ff4ac6ccd0d2f5c27f0e90d20be84ce53fee46bb54a0af22a3044c782d0af1dbe2e23ef35f8964cbb789aa206ed7e5bc65f672c51729fdf729eaa0b495d925c7

Download Submit
memory/1152-13-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1152-15-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1152-14-0x0000000001AE0000-0x0000000001BA4000-memory.dmp

Filesize
784KB

Download
memory/1152-20-0x0000000005350000-0x00000000054E3000-memory.dmp

Filesize
1.6MB

Download
memory/1152-21-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1152-30-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download
memory/1152-31-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1880-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1880-1-0x0000000001A00000-0x0000000001AC4000-memory.dmp

Filesize
784KB

Download
memory/1880-2-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1880-12-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download