xmrig | a0033b02da9818aef33dcf8a531b3e8ca27ce77e7edfdf5be378fce965122b48

Analysis

max time kernel
90s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2023 04:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a8fb6330ed0db0c109488ca30d11611.exe
Size

2.3MB
MD5

6a8fb6330ed0db0c109488ca30d11611
SHA1

369e83f59a46b30031489fdc5e1011d18cf6a52b
SHA256

a0033b02da9818aef33dcf8a531b3e8ca27ce77e7edfdf5be378fce965122b48
SHA512

1392c2adb64f0a51d15af01a3b28cd56464e19181967642f67e3a8878c69ab4d84e2cb77408d3ab3d7a6cec9ef7c2c8a9384790fccda7035bc93bb9d867fce1a
SSDEEP

49152:XSy/0ejz7T9RW88nPyzN5DZI5AuoaKz2p6WWin8418bM5ze1vFpL:XSy/DTjH8nqN5DZsAumJWAhbMQpFp

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral2/memory/5112-2-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/5112-12-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/3844-15-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/3844-21-0x0000000005370000-0x0000000005503000-memory.dmp	xmrig
behavioral2/memory/3844-20-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral2/memory/3844-30-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
3844	6a8fb6330ed0db0c109488ca30d11611.exe

Executes dropped EXE 1 IoCs

pid	Process
3844	6a8fb6330ed0db0c109488ca30d11611.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5112-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral2/files/0x00090000000231fb-11.dat	upx
behavioral2/memory/3844-13-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5112	6a8fb6330ed0db0c109488ca30d11611.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
5112	6a8fb6330ed0db0c109488ca30d11611.exe
3844	6a8fb6330ed0db0c109488ca30d11611.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 3844	5112	6a8fb6330ed0db0c109488ca30d11611.exe	19
PID 5112 wrote to memory of 3844	5112	6a8fb6330ed0db0c109488ca30d11611.exe	19
PID 5112 wrote to memory of 3844	5112	6a8fb6330ed0db0c109488ca30d11611.exe	19

C:\Users\Admin\AppData\Local\Temp\6a8fb6330ed0db0c109488ca30d11611.exe
"C:\Users\Admin\AppData\Local\Temp\6a8fb6330ed0db0c109488ca30d11611.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Users\Admin\AppData\Local\Temp\6a8fb6330ed0db0c109488ca30d11611.exe
  C:\Users\Admin\AppData\Local\Temp\6a8fb6330ed0db0c109488ca30d11611.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3844

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6a8fb6330ed0db0c109488ca30d11611.exe

Filesize
64KB

MD5
906c76f3099f979c92b83f0a5560499d

SHA1
e7fe5a08cd6b167aae83e66efc29da206560e2b1

SHA256
fcc946db0490ea12b698afd60e98db80dcc45e0291f36115dd33f7255090731b

SHA512
3718ccbed2b2f0a96ed2ad4019a9d2092060f97d3d91009a030bdc2f131e71949968bf90bab04e524f2521770af3deaaf3b64e62e9eb21aac5c87dc19c8454bc

Download Submit
memory/3844-13-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/3844-14-0x0000000001980000-0x0000000001A44000-memory.dmp

Filesize
784KB

Download
memory/3844-15-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3844-21-0x0000000005370000-0x0000000005503000-memory.dmp

Filesize
1.6MB

Download
memory/3844-20-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3844-30-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/5112-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/5112-1-0x0000000001B30000-0x0000000001BF4000-memory.dmp

Filesize
784KB

Download
memory/5112-2-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/5112-12-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download