xmrig | 1c0206b20d8d8f70b94163e42cfa121fe5adfc19081125accdee0edd5a6ae1d0

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22/12/2023, 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71843df978d8aca0de1d4ccb7f60d4ed.exe
Size

784KB
MD5

71843df978d8aca0de1d4ccb7f60d4ed
SHA1

406df69f52d3e23c7d260b92cde96440dc1d3ddf
SHA256

1c0206b20d8d8f70b94163e42cfa121fe5adfc19081125accdee0edd5a6ae1d0
SHA512

a7c0f8faa623304da5c0295eded7974d76151a5860195a0c808f5e85246bf0f1a2d0521e2a3af74899884f6dd01afd82b2ae83ee4044084956a0a360db786f03
SSDEEP

24576:ZMGQrExrQN+mG4gVw/w2zmkBilUw8vPo/9X:qGQw54NgVwZFBiVUPo/h

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/2300-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2300-15-0x0000000003250000-0x0000000003562000-memory.dmp	xmrig
behavioral1/memory/2668-18-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2668-25-0x00000000030A0000-0x0000000003233000-memory.dmp	xmrig
behavioral1/memory/2668-24-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2300-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2668-35-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2668-34-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2668	71843df978d8aca0de1d4ccb7f60d4ed.exe

Executes dropped EXE 1 IoCs

pid	Process
2668	71843df978d8aca0de1d4ccb7f60d4ed.exe

Loads dropped DLL 1 IoCs

pid	Process
2300	71843df978d8aca0de1d4ccb7f60d4ed.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2300-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000800000001223f-10.dat	upx
behavioral1/memory/2668-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000800000001223f-16.dat	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2300	71843df978d8aca0de1d4ccb7f60d4ed.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2300	71843df978d8aca0de1d4ccb7f60d4ed.exe
2668	71843df978d8aca0de1d4ccb7f60d4ed.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2668	2300	71843df978d8aca0de1d4ccb7f60d4ed.exe	19
PID 2300 wrote to memory of 2668	2300	71843df978d8aca0de1d4ccb7f60d4ed.exe	19
PID 2300 wrote to memory of 2668	2300	71843df978d8aca0de1d4ccb7f60d4ed.exe	19
PID 2300 wrote to memory of 2668	2300	71843df978d8aca0de1d4ccb7f60d4ed.exe	19

C:\Users\Admin\AppData\Local\Temp\71843df978d8aca0de1d4ccb7f60d4ed.exe
"C:\Users\Admin\AppData\Local\Temp\71843df978d8aca0de1d4ccb7f60d4ed.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Users\Admin\AppData\Local\Temp\71843df978d8aca0de1d4ccb7f60d4ed.exe
  C:\Users\Admin\AppData\Local\Temp\71843df978d8aca0de1d4ccb7f60d4ed.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\71843df978d8aca0de1d4ccb7f60d4ed.exe

Filesize
8KB

MD5
5b74717feee42f613c1791c677b46bda

SHA1
4fa9edfa1b357ce1ec07216cc61c5d0296ebf85b

SHA256
9cb52e444feb1adcc3a7bc721407a4cf2f3c71e3b05ff9e75ac5b1cb3c5c5d19

SHA512
cac7e92f0e800af4653de6c2b333dcb04a58371ae5fc2092cd0ca3a52b524618a81b688a16a48a75258e4caa6c2d57d080ad1e4c5b9d967e071adbf36a0e62c7

Download Submit
\Users\Admin\AppData\Local\Temp\71843df978d8aca0de1d4ccb7f60d4ed.exe

Filesize
39KB

MD5
b0b53fcd4d7865ed666fe8fa199218c9

SHA1
16ae4be6f42b8ed8e86a33217a17ecac5b8c7f99

SHA256
af9cc30a5b0e957d4d4b4dd5c6687844cbd701f2b7aea081899f3b6990bade44

SHA512
35bccaeb0bda016a251e05cda04f3806f228c061dbbc880bb872cd3be6e819b8c7f965c68c591caa3c3de70744f7f950fe4b6c7b16b23c364f709bc158acbeb8

Download Submit
memory/2300-15-0x0000000003250000-0x0000000003562000-memory.dmp

Filesize
3.1MB

Download
memory/2300-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2300-2-0x0000000001720000-0x00000000017E4000-memory.dmp

Filesize
784KB

Download
memory/2300-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2300-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2668-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2668-20-0x00000000018B0000-0x0000000001974000-memory.dmp

Filesize
784KB

Download
memory/2668-18-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2668-25-0x00000000030A0000-0x0000000003233000-memory.dmp

Filesize
1.6MB

Download
memory/2668-24-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2668-35-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2668-34-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download