xmrig | 29999c677977cdc7354fca30e486b7df869c80da9ac94c663eebf73b6a5e0449

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/12/2023, 14:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

40429a9fc181d7a51f7a6503ac8f6617.exe
Size

784KB
MD5

40429a9fc181d7a51f7a6503ac8f6617
SHA1

0e1e180f6ce561c9c23a3ceb8b5c63fe4ad04e99
SHA256

29999c677977cdc7354fca30e486b7df869c80da9ac94c663eebf73b6a5e0449
SHA512

bb9e408e009a1d47c7e5e195cb88f13e31f90c5102c0619e8cafafa0f1ea2495c78932bc82d967baab36f5fc47a216b85fc0ddee4830682d5b8f818bbe69f97b
SSDEEP

24576:HNIYNX3KYCpcKkIXlwGaB8ZTPWaA216cv:HNIY5zkcKNXlwGG8ZTPWaA

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/2880-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2880-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2440-18-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2440-24-0x0000000003030000-0x00000000031C3000-memory.dmp	xmrig
behavioral1/memory/2440-25-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2440-34-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig
behavioral1/memory/2440-35-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2440	40429a9fc181d7a51f7a6503ac8f6617.exe

Executes dropped EXE 1 IoCs

pid	Process
2440	40429a9fc181d7a51f7a6503ac8f6617.exe

Loads dropped DLL 1 IoCs

pid	Process
2880	40429a9fc181d7a51f7a6503ac8f6617.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2880-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x0008000000012255-10.dat	upx
behavioral1/memory/2880-15-0x0000000003290000-0x00000000035A2000-memory.dmp	upx
behavioral1/files/0x0008000000012255-16.dat	upx
behavioral1/memory/2440-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2880	40429a9fc181d7a51f7a6503ac8f6617.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2880	40429a9fc181d7a51f7a6503ac8f6617.exe
2440	40429a9fc181d7a51f7a6503ac8f6617.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2440	2880	40429a9fc181d7a51f7a6503ac8f6617.exe	29
PID 2880 wrote to memory of 2440	2880	40429a9fc181d7a51f7a6503ac8f6617.exe	29
PID 2880 wrote to memory of 2440	2880	40429a9fc181d7a51f7a6503ac8f6617.exe	29
PID 2880 wrote to memory of 2440	2880	40429a9fc181d7a51f7a6503ac8f6617.exe	29

C:\Users\Admin\AppData\Local\Temp\40429a9fc181d7a51f7a6503ac8f6617.exe
"C:\Users\Admin\AppData\Local\Temp\40429a9fc181d7a51f7a6503ac8f6617.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Users\Admin\AppData\Local\Temp\40429a9fc181d7a51f7a6503ac8f6617.exe
  C:\Users\Admin\AppData\Local\Temp\40429a9fc181d7a51f7a6503ac8f6617.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2440

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\40429a9fc181d7a51f7a6503ac8f6617.exe

Filesize
768KB

MD5
fc232b003bf94c1d3d5fd003c86f8327

SHA1
406af7f83c7cc4a77af1bf2254c8a7ed6bf622d1

SHA256
28f693318c43ad52945ad98e275c4858ed809dc49843d43968ab1655f8ec97be

SHA512
1f803232f7959779e894519cbbe0e26dc9d8955179a7f5ba661bba02e81946e16fc9cc24d27bccfe0aff129c9242f58959f346d981c5c3b3ecab3e37bd6a6100

Download Submit
\Users\Admin\AppData\Local\Temp\40429a9fc181d7a51f7a6503ac8f6617.exe

Filesize
784KB

MD5
6f2226071b61506f6b13505034636b13

SHA1
8b94fce5fba8c1624793d4e9eaf5a87725040110

SHA256
f28472e32738a637f0d38b03492d4b4c2fe34f3e13bbe2dd17638e5c44cb3d5b

SHA512
b89464d2b80e29aecc4ab7e90b9d881b436a0828215183ccaa5140a62e7e6747a2578d3271d75cd0bf5056ba462f25250ba5ddf665584a6e5773dd5133620910

Download Submit
memory/2440-22-0x0000000000300000-0x00000000003C4000-memory.dmp

Filesize
784KB

Download
memory/2440-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2440-18-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2440-24-0x0000000003030000-0x00000000031C3000-memory.dmp

Filesize
1.6MB

Download
memory/2440-25-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2440-34-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download
memory/2440-35-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2880-3-0x0000000000120000-0x00000000001E4000-memory.dmp

Filesize
784KB

Download
memory/2880-15-0x0000000003290000-0x00000000035A2000-memory.dmp

Filesize
3.1MB

Download
memory/2880-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2880-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2880-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download