xmrig | 236efdff8783641d62f14e95a0704514a5e68c5dc8a1d2949193208d953299e6

Analysis

max time kernel
118s
max time network
132s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22-12-2023 04:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64676be1e84ce6fda28403022184377f.exe
Size

784KB
MD5

64676be1e84ce6fda28403022184377f
SHA1

d5138f887a75ac6e200e4d075740ea5040b1affc
SHA256

236efdff8783641d62f14e95a0704514a5e68c5dc8a1d2949193208d953299e6
SHA512

0d598d113017fa76f06f164c39b2ee5fa1ca24c8d43c3c9cc30958139972b542e5c4e7809ad0d4f1ff9f30e6563771b7dd4ec51e901423ba713d900b9012cc7a
SSDEEP

24576:FQH9a2sZctuuLXNZCCwvT44V1P/dQuJ6:FG02svYCxvUEPCu

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/2648-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2648-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2776-18-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2776-24-0x0000000002FD0000-0x0000000003163000-memory.dmp	xmrig
behavioral1/memory/2776-25-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2776-35-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2776-34-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2776	64676be1e84ce6fda28403022184377f.exe

Executes dropped EXE 1 IoCs

pid	Process
2776	64676be1e84ce6fda28403022184377f.exe

Loads dropped DLL 1 IoCs

pid	Process
2648	64676be1e84ce6fda28403022184377f.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2648-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000b000000014ab3-10.dat	upx
behavioral1/memory/2648-15-0x0000000003140000-0x0000000003452000-memory.dmp	upx
behavioral1/files/0x000b000000014ab3-16.dat	upx
behavioral1/memory/2776-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2648	64676be1e84ce6fda28403022184377f.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2648	64676be1e84ce6fda28403022184377f.exe
2776	64676be1e84ce6fda28403022184377f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2776	2648	64676be1e84ce6fda28403022184377f.exe	28
PID 2648 wrote to memory of 2776	2648	64676be1e84ce6fda28403022184377f.exe	28
PID 2648 wrote to memory of 2776	2648	64676be1e84ce6fda28403022184377f.exe	28
PID 2648 wrote to memory of 2776	2648	64676be1e84ce6fda28403022184377f.exe	28

C:\Users\Admin\AppData\Local\Temp\64676be1e84ce6fda28403022184377f.exe
"C:\Users\Admin\AppData\Local\Temp\64676be1e84ce6fda28403022184377f.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\64676be1e84ce6fda28403022184377f.exe
  C:\Users\Admin\AppData\Local\Temp\64676be1e84ce6fda28403022184377f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2776

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\64676be1e84ce6fda28403022184377f.exe

Filesize
581KB

MD5
d915cf3f7862bd9fd5daa137e1ca4a03

SHA1
a3f838feeafd2e4e78d410393e2f6cb7d5ee10f7

SHA256
80f7c90ad82421b26532b1e7ed79968b755de1ce33404deb6bb6ab758044fa1a

SHA512
18f389410b03cd214ac5f2925fadb6b2ea8de272f0a35fc8f1b832a47f5b8dff1c5e50618c89ac92e181ca5b91bf5ce7bf8632d294de1535a7a8e968afd34b0b

Download Submit
\Users\Admin\AppData\Local\Temp\64676be1e84ce6fda28403022184377f.exe

Filesize
128KB

MD5
0c53fef4f6f21d9dfbdbf219d1fa8d1e

SHA1
bca769fd13cbf88ec14a56ea31e880e27194c50e

SHA256
cb7afe483ab1aefb85ac18b5c3e4480c19e85512582517ca83d034d7a7b08eec

SHA512
42c1b4ccf2a20dbaab856362c5c4f2b10f1cde670c11fb1c0c0abf2d174d548098c924940f06d7aa8f35753ea10cf41b4c10a4533d00b98a9f0f808f0245768b

Download Submit
memory/2648-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2648-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2648-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2648-15-0x0000000003140000-0x0000000003452000-memory.dmp

Filesize
3.1MB

Download
memory/2648-2-0x0000000001720000-0x00000000017E4000-memory.dmp

Filesize
784KB

Download
memory/2776-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2776-19-0x0000000000310000-0x00000000003D4000-memory.dmp

Filesize
784KB

Download
memory/2776-18-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2776-24-0x0000000002FD0000-0x0000000003163000-memory.dmp

Filesize
1.6MB

Download
memory/2776-25-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2776-35-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2776-34-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download