xmrig | fd0d6e34fab3121d5cedb02efa25a7fa2ffeab063d7cbdf749e22b1d59834692

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
22/12/2023, 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e9d09321ced5043eb740f4206716b56.exe
Size

784KB
MD5

6e9d09321ced5043eb740f4206716b56
SHA1

7b3039542073be9618c66a20f736054d148dad2c
SHA256

fd0d6e34fab3121d5cedb02efa25a7fa2ffeab063d7cbdf749e22b1d59834692
SHA512

9dcf03adbe454601d9dd0b1d47153980c59c21950c19c0d8463b8716824993d0d5eadf24e639e59669f248cf2c9a0afeea07126a40bb9bc576c3dbe72040b1bc
SSDEEP

24576:cnoVTSAacAgb2m3M5vAlZS7g5DxISX88:dQ1Hex3IAy7g5DxIAP

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/2924-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2924-16-0x0000000003190000-0x00000000034A2000-memory.dmp	xmrig
behavioral1/memory/3064-18-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/3064-27-0x0000000002FD0000-0x0000000003163000-memory.dmp	xmrig
behavioral1/memory/3064-24-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/3064-35-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/3064-34-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig
behavioral1/memory/2924-15-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
3064	6e9d09321ced5043eb740f4206716b56.exe

Executes dropped EXE 1 IoCs

pid	Process
3064	6e9d09321ced5043eb740f4206716b56.exe

Loads dropped DLL 1 IoCs

pid	Process
2924	6e9d09321ced5043eb740f4206716b56.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000015c46-10.dat	upx
behavioral1/memory/2924-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/memory/3064-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x0009000000015c46-14.dat	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2924	6e9d09321ced5043eb740f4206716b56.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2924	6e9d09321ced5043eb740f4206716b56.exe
3064	6e9d09321ced5043eb740f4206716b56.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 3064	2924	6e9d09321ced5043eb740f4206716b56.exe	17
PID 2924 wrote to memory of 3064	2924	6e9d09321ced5043eb740f4206716b56.exe	17
PID 2924 wrote to memory of 3064	2924	6e9d09321ced5043eb740f4206716b56.exe	17
PID 2924 wrote to memory of 3064	2924	6e9d09321ced5043eb740f4206716b56.exe	17

C:\Users\Admin\AppData\Local\Temp\6e9d09321ced5043eb740f4206716b56.exe
"C:\Users\Admin\AppData\Local\Temp\6e9d09321ced5043eb740f4206716b56.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Local\Temp\6e9d09321ced5043eb740f4206716b56.exe
  C:\Users\Admin\AppData\Local\Temp\6e9d09321ced5043eb740f4206716b56.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6e9d09321ced5043eb740f4206716b56.exe

Filesize
68KB

MD5
c7f17156532afe2737ca18931d8fc6ff

SHA1
b77063f0447a1a6e557b3bf8253906509e4df54c

SHA256
a7880179fb3f5657fd974da1e51406c1a67562feee02aeaeafc85ee755e2d984

SHA512
dcb0af5de668806e8c96a1ef9b9ff3e934f1579d23ebb20d1bbbe728a9529c6fa091bd97c692080c3f45e2b83f1b7fc9e02d679dcdace87bface1023f04c9880

Download Submit
\Users\Admin\AppData\Local\Temp\6e9d09321ced5043eb740f4206716b56.exe

Filesize
64KB

MD5
edcdc5649a0ce8dc3fc5a04c5533c7a6

SHA1
88a67f06a4e9d855d0c0b69c529f1c3afa58da6a

SHA256
11a130649b956cb060e465b06e6ab782bb461ccb301d904a3909b45f22eab357

SHA512
c6ae05b2a8df3e363d0896deb2a3d57815316bea4f9d025af5e347de839c7ffdbb5cc59dc702edae3349637190c521d2116a61f5ee7f8d275f18aa609913689a

Download Submit
memory/2924-15-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2924-3-0x0000000001720000-0x00000000017E4000-memory.dmp

Filesize
784KB

Download
memory/2924-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2924-16-0x0000000003190000-0x00000000034A2000-memory.dmp

Filesize
3.1MB

Download
memory/2924-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3064-18-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3064-24-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3064-35-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3064-34-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download
memory/3064-21-0x0000000000200000-0x00000000002C4000-memory.dmp

Filesize
784KB

Download
memory/3064-27-0x0000000002FD0000-0x0000000003163000-memory.dmp

Filesize
1.6MB

Download
memory/3064-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download