xmrig | bb7b43ee84e3cc6a207e29fe4b22f4f3e36279929d235686bc2ef478c3d11c69

Analysis

max time kernel
119s
max time network
134s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22/12/2023, 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

654d9e242c96ba63095c21dc6b6ceeb8.exe
Size

784KB
MD5

654d9e242c96ba63095c21dc6b6ceeb8
SHA1

6731c50eebe766111c5de083c5abeb83612cf346
SHA256

bb7b43ee84e3cc6a207e29fe4b22f4f3e36279929d235686bc2ef478c3d11c69
SHA512

1a457e4e384d9de1960fe9071fef781124effb9e27d61a10b5a912f9cfa92a268af1178dd8f9a0bdd2a919ae2918c2d60f2d187973c82603c95034da29bf7122
SSDEEP

24576:rCnX2rlFDkBuwT1Wfhm1TceFXz12HeROh/:E2LQBuwopYceFJc8+

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/2772-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2772-15-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2772-14-0x0000000003210000-0x0000000003522000-memory.dmp	xmrig
behavioral1/memory/2780-19-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2780-25-0x0000000002FD0000-0x0000000003163000-memory.dmp	xmrig
behavioral1/memory/2780-24-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2780-34-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig
behavioral1/memory/2780-35-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2780	654d9e242c96ba63095c21dc6b6ceeb8.exe

Executes dropped EXE 1 IoCs

pid	Process
2780	654d9e242c96ba63095c21dc6b6ceeb8.exe

Loads dropped DLL 1 IoCs

pid	Process
2772	654d9e242c96ba63095c21dc6b6ceeb8.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2772-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000c000000016c1a-10.dat	upx
behavioral1/files/0x000c000000016c1a-16.dat	upx
behavioral1/memory/2780-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2772	654d9e242c96ba63095c21dc6b6ceeb8.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2772	654d9e242c96ba63095c21dc6b6ceeb8.exe
2780	654d9e242c96ba63095c21dc6b6ceeb8.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2780	2772	654d9e242c96ba63095c21dc6b6ceeb8.exe	28
PID 2772 wrote to memory of 2780	2772	654d9e242c96ba63095c21dc6b6ceeb8.exe	28
PID 2772 wrote to memory of 2780	2772	654d9e242c96ba63095c21dc6b6ceeb8.exe	28
PID 2772 wrote to memory of 2780	2772	654d9e242c96ba63095c21dc6b6ceeb8.exe	28

C:\Users\Admin\AppData\Local\Temp\654d9e242c96ba63095c21dc6b6ceeb8.exe
"C:\Users\Admin\AppData\Local\Temp\654d9e242c96ba63095c21dc6b6ceeb8.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Users\Admin\AppData\Local\Temp\654d9e242c96ba63095c21dc6b6ceeb8.exe
  C:\Users\Admin\AppData\Local\Temp\654d9e242c96ba63095c21dc6b6ceeb8.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2780

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\654d9e242c96ba63095c21dc6b6ceeb8.exe

Filesize
245KB

MD5
9a22c3db854a1672f434162bac64b6b6

SHA1
28968d1b2598575e076f8de2a5909d928bd25b86

SHA256
15fd2d876015be1c0c592b50573c2270f19131ed1bf38605bec9586eb22cb389

SHA512
c5fe33fd8b8dfa3d393e651b7e10194d2fb818085f0cf59830e39ecb4d2987bd81371251c394a2518cef1b1a1c4d3e2018cc9cdf73720db0b518085d27ffacf7

Download Submit
\Users\Admin\AppData\Local\Temp\654d9e242c96ba63095c21dc6b6ceeb8.exe

Filesize
251KB

MD5
f34684b39de0eaadc60d48ec9e8fb73b

SHA1
b3389036b49d791e54a947635419fb024cc81b74

SHA256
cdc5365abb3d5ab538f1ffb1c8830db565445b603f4e15ba3632325ea2189a45

SHA512
e1dffaa963c990167e1445f7e4250263c4a89e7e0965d2c914ecc2007d58305274f535a491d8881ef8538542022bef7feedef454861c5aa78815c0dea21ca5e6

Download Submit
memory/2772-14-0x0000000003210000-0x0000000003522000-memory.dmp

Filesize
3.1MB

Download
memory/2772-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2772-2-0x0000000000120000-0x00000000001E4000-memory.dmp

Filesize
784KB

Download
memory/2772-15-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2772-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2780-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2780-19-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2780-25-0x0000000002FD0000-0x0000000003163000-memory.dmp

Filesize
1.6MB

Download
memory/2780-24-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2780-18-0x0000000000320000-0x00000000003E4000-memory.dmp

Filesize
784KB

Download
memory/2780-34-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download
memory/2780-35-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download