xmrig | b6f9ee8ed6dedb6065ffaf2f7afc1c692928a2ff45b40f7b1ec6b60649be04dc

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22-12-2023 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60628588180a4c8a5078318376b077b8.exe
Size

784KB
MD5

60628588180a4c8a5078318376b077b8
SHA1

6b58cdd87f2768cbabf5150d78ab358ebf39541f
SHA256

b6f9ee8ed6dedb6065ffaf2f7afc1c692928a2ff45b40f7b1ec6b60649be04dc
SHA512

21a57eaab56cf2082c3fe816d2c15f76c22a42c4a79b76082c6d5f6e77b85a5e0d5bf10226f8dc24face3d9de7e7bec039aaabfdd248c681511ac2eb6d95a466
SSDEEP

12288:GMJee1kMt5cytIDqcSGmHxSGsFAKI9LlobFqD3/2D21/JNqWtmzQ04neXnvXD:Gwu6KwIDqc/mHsNHGl0Fqr/ThPTms+n

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/2044-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2044-15-0x0000000003260000-0x0000000003572000-memory.dmp	xmrig
behavioral1/memory/2044-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/1956-18-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/1956-25-0x0000000002FD0000-0x0000000003163000-memory.dmp	xmrig
behavioral1/memory/1956-24-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/1956-34-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig
behavioral1/memory/1956-35-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
1956	60628588180a4c8a5078318376b077b8.exe

Executes dropped EXE 1 IoCs

pid	Process
1956	60628588180a4c8a5078318376b077b8.exe

Loads dropped DLL 1 IoCs

pid	Process
2044	60628588180a4c8a5078318376b077b8.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2044-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000b00000001225c-16.dat	upx
behavioral1/memory/1956-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000b00000001225c-10.dat	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2044	60628588180a4c8a5078318376b077b8.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2044	60628588180a4c8a5078318376b077b8.exe
1956	60628588180a4c8a5078318376b077b8.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1956	2044	60628588180a4c8a5078318376b077b8.exe	29
PID 2044 wrote to memory of 1956	2044	60628588180a4c8a5078318376b077b8.exe	29
PID 2044 wrote to memory of 1956	2044	60628588180a4c8a5078318376b077b8.exe	29
PID 2044 wrote to memory of 1956	2044	60628588180a4c8a5078318376b077b8.exe	29

C:\Users\Admin\AppData\Local\Temp\60628588180a4c8a5078318376b077b8.exe
"C:\Users\Admin\AppData\Local\Temp\60628588180a4c8a5078318376b077b8.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\60628588180a4c8a5078318376b077b8.exe
  C:\Users\Admin\AppData\Local\Temp\60628588180a4c8a5078318376b077b8.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1956

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\60628588180a4c8a5078318376b077b8.exe

Filesize
63KB

MD5
58cc70466266ca8f4ca1d0826f11dc76

SHA1
95239907f43c415a99d0414a65957a7aa1807802

SHA256
4616c5eb0f7403b3f088715bc5bfdee47154864b6bb78cf40310b244d9817241

SHA512
736467b32d71a643e4dcf8d1a0d4024d49be89fbabd2e8b2183908b87a021c56cc47be8d9d32afd08ae591a6279aaf5e6f06de7babec10ea4cfaba9e4d68e56f

Download Submit
\Users\Admin\AppData\Local\Temp\60628588180a4c8a5078318376b077b8.exe

Filesize
73KB

MD5
3d0dc5c388418f75a8819b8308255582

SHA1
55021c29afb626f124d821c27a5d624e9c40d19e

SHA256
38e9a561ac872c38c5562da5ce584a5f7dd202513c00c92de6d0f1c89e682838

SHA512
22851d21a2bb1b8aacc9cd22368af3b176fd0cb5d0d3d394a07c3b75163e433099f137a61b7a057f928c0e969517d7b2a0f4c30fd89d285d56e42d18b0cb4f07

Download Submit
memory/1956-18-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1956-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1956-19-0x00000000002C0000-0x0000000000384000-memory.dmp

Filesize
784KB

Download
memory/1956-25-0x0000000002FD0000-0x0000000003163000-memory.dmp

Filesize
1.6MB

Download
memory/1956-24-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1956-34-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download
memory/1956-35-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2044-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2044-15-0x0000000003260000-0x0000000003572000-memory.dmp

Filesize
3.1MB

Download
memory/2044-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2044-2-0x0000000001720000-0x00000000017E4000-memory.dmp

Filesize
784KB

Download
memory/2044-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download