Analysis
- max time kernel: 118s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 19-12-2023 12:19
Behavioral task: behavioral1
- Sample: 1f0124e2b834b7f3043d348093443320.exe
- Resource: win7-20231215-en
General
- Target: 1f0124e2b834b7f3043d348093443320.exe
- Size: 784KB
- MD5: 1f0124e2b834b7f3043d348093443320
- SHA1: 43fde5c4122ee58416f14b0c224854c6c28b5669
- SHA256: bf0844e0f26c5c60d630729cfb76d326cab5c746c6b939ff297b5fcbd63b938d
- SHA512: a39da64b655796afb163485f08cbc58929ded3687d3a78070d18471c5ed83e4a52eedd7148b6ad515f73391a1ebf8fcf532a94514982eef460ed49db569365fd
- SSDEEP: 24576:/LEWZEY+j3068imHt4oh7x1C2T2e+w0ChV:/LEfYyLj2bvC2q40I
Malware Config
Signatures
- XMRig Miner payload (6 IoCs)
  resource | yara_rule
  - behavioral1/memory/2532-1-0x0000000000400000-0x0000000000593000-memory.dmp | xmrig
  - behavioral1/memory/2532-15-0x0000000000400000-0x0000000000593000-memory.dmp | xmrig
  - behavioral1/memory/2096-17-0x0000000000400000-0x0000000000593000-memory.dmp | xmrig
  - behavioral1/memory/2096-23-0x0000000000400000-0x0000000000587000-memory.dmp | xmrig
  - behavioral1/memory/2096-25-0x0000000003220000-0x00000000033B3000-memory.dmp | xmrig
  - behavioral1/memory/2096-33-0x0000000000400000-0x0000000000587000-memory.dmp | xmrig
- Deletes itself (1 IoC)
  pid | Process
  - 2096 | 1f0124e2b834b7f3043d348093443320.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  - 2096 | 1f0124e2b834b7f3043d348093443320.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  - 2532 | 1f0124e2b834b7f3043d348093443320.exe
- yara_rule match: upx (3 IoCs)
  resource | yara_rule
  - behavioral1/memory/2532-0-0x0000000000400000-0x0000000000712000-memory.dmp | upx
  - behavioral1/files/0x000a00000001225a-10.dat | upx
  - behavioral1/memory/2096-16-0x0000000000400000-0x0000000000712000-memory.dmp | upx
- Suspicious behavior: RenamesItself (1 IoC)
  pid | Process
  - 2532 | 1f0124e2b834b7f3043d348093443320.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid | Process
  - 2532 | 1f0124e2b834b7f3043d348093443320.exe
  - 2096 | 1f0124e2b834b7f3043d348093443320.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  - PID 2532 wrote to memory of 2096 | 2532 | 1f0124e2b834b7f3043d348093443320.exe | 29 (recorded 4 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\1f0124e2b834b7f3043d348093443320.exe (PID 2532)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1f0124e2b834b7f3043d348093443320.exe"
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\1f0124e2b834b7f3043d348093443320.exe (PID 2096)
    Command line: C:\Users\Admin\AppData\Local\Temp\1f0124e2b834b7f3043d348093443320.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 784KB
- MD5: 0fae33e395055ad3816177fd7f262105
- SHA1: 73bced67224372190a0fb6fc27af54b7b71f2cdb
- SHA256: 15d734eed2a5f2859df7de6d1fd492ef6d7bb88284b657ad8508d4c869fe0ef9
- SHA512: b04e8a05a4b4cdc922841a0a1bf25af18eba93077b5f49d4892fceb017b407ea81c95dc7d8dc6e8e2e434646ce6b3f4adee251d131cf57f4e790a3fa76734fda