xmrig | 45f1a0fc4238292a75e0aca55b363e87868128e2316fc805c45ce2ddc91e9200

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22/12/2023, 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5983c4e38bb4987fea0d481a76ec5f50.exe
Size

784KB
MD5

5983c4e38bb4987fea0d481a76ec5f50
SHA1

4a7bbf2de2ae037081153349377191bd5912162f
SHA256

45f1a0fc4238292a75e0aca55b363e87868128e2316fc805c45ce2ddc91e9200
SHA512

068b28c4255728578dab0a96329d87adfc059cbeb87197b1742228ee59b8c0d2ff7d2fa7f2aea4a3f16bdc14bafc35c67815a1423966c95c35b6164d4c90c610
SSDEEP

24576:/4C/YiokSIwnVi1TTzy6KMj4p+0vpAoFD:/4MYiZXUVi1SFUIptF

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/2072-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2072-17-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2084-19-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2084-26-0x00000000030F0000-0x0000000003283000-memory.dmp	xmrig
behavioral1/memory/2084-25-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2084-36-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2084-35-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2084	5983c4e38bb4987fea0d481a76ec5f50.exe

Executes dropped EXE 1 IoCs

pid	Process
2084	5983c4e38bb4987fea0d481a76ec5f50.exe

Loads dropped DLL 1 IoCs

pid	Process
2072	5983c4e38bb4987fea0d481a76ec5f50.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2072-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x0007000000012284-10.dat	upx
behavioral1/memory/2072-15-0x0000000003230000-0x0000000003542000-memory.dmp	upx
behavioral1/files/0x0007000000012284-16.dat	upx
behavioral1/memory/2084-18-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2072	5983c4e38bb4987fea0d481a76ec5f50.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2072	5983c4e38bb4987fea0d481a76ec5f50.exe
2084	5983c4e38bb4987fea0d481a76ec5f50.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2084	2072	5983c4e38bb4987fea0d481a76ec5f50.exe	29
PID 2072 wrote to memory of 2084	2072	5983c4e38bb4987fea0d481a76ec5f50.exe	29
PID 2072 wrote to memory of 2084	2072	5983c4e38bb4987fea0d481a76ec5f50.exe	29
PID 2072 wrote to memory of 2084	2072	5983c4e38bb4987fea0d481a76ec5f50.exe	29

C:\Users\Admin\AppData\Local\Temp\5983c4e38bb4987fea0d481a76ec5f50.exe
"C:\Users\Admin\AppData\Local\Temp\5983c4e38bb4987fea0d481a76ec5f50.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\5983c4e38bb4987fea0d481a76ec5f50.exe
  C:\Users\Admin\AppData\Local\Temp\5983c4e38bb4987fea0d481a76ec5f50.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2084

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5983c4e38bb4987fea0d481a76ec5f50.exe

Filesize
640KB

MD5
ce320afc08c29a29a0351aa663b969fa

SHA1
545728688e41d696185fe34ba4d7a961613d62e4

SHA256
127f4b68f3cfd07777934c61319469746c74cf216cbc74b11d70a25cc7a51d70

SHA512
4189ab94a9e1425c39c9a663d71538f33d01ad45ef074ffc1f8ccd012454c51c9af18812979e8ecd6caaa6379e014e577fd4399a8245c562372dabe88a606ad5

Download Submit
\Users\Admin\AppData\Local\Temp\5983c4e38bb4987fea0d481a76ec5f50.exe

Filesize
784KB

MD5
d15e70289f2f0a6c0a95f45e68d0dbad

SHA1
9ca3554877d9d0060d08f7ef23c2f794ae79e9e0

SHA256
ded1ad19a2aa2d7e520fddd350f544437291943b0c1ed96e9928063a579fc85b

SHA512
0a4065f473cede6f2524691624fc855081d75660181ab5622be52358c331c34ca3ea623921f692af83c62dd44cdef330631ad06f336ba5655ad03d315dad49e6

Download Submit
memory/2072-17-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2072-2-0x0000000000120000-0x00000000001E4000-memory.dmp

Filesize
784KB

Download
memory/2072-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2072-15-0x0000000003230000-0x0000000003542000-memory.dmp

Filesize
3.1MB

Download
memory/2072-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2084-18-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2084-21-0x0000000000120000-0x00000000001E4000-memory.dmp

Filesize
784KB

Download
memory/2084-19-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2084-26-0x00000000030F0000-0x0000000003283000-memory.dmp

Filesize
1.6MB

Download
memory/2084-25-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2084-36-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2084-35-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download