xmrig | 5e286da2f213145ceaab951c1d3b69791d7aa1f07e5be7ffde278835cc38144e

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22/12/2023, 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78ecee4dc4157d64a3abb64c57a08b63.exe
Size

784KB
MD5

78ecee4dc4157d64a3abb64c57a08b63
SHA1

9a39c2f03fa4076d8a51ef0f2434c536551d56b9
SHA256

5e286da2f213145ceaab951c1d3b69791d7aa1f07e5be7ffde278835cc38144e
SHA512

c624fe40a2a1ba676d6a784327aa83588fc5d5cc0c8a140ff0bcffb4774ee62452b281e8fc8cc74fecb3127c98caa29ec18ba707a486466654cfec88b5bb1eda
SSDEEP

12288:CHO6t6Ii/AVl6hj/Pjvu7yyoGvfBR8rGfZZDESjeYFc8++60eG6yQKimdFFwkE:2iFzyoGvJRsGf7DDd+VrVADbwkE

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/2768-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2804-25-0x0000000003090000-0x0000000003223000-memory.dmp	xmrig
behavioral1/memory/2804-34-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig
behavioral1/memory/2804-35-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2804-24-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2804-18-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2768-16-0x0000000003220000-0x0000000003532000-memory.dmp	xmrig
behavioral1/memory/2768-15-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2804	78ecee4dc4157d64a3abb64c57a08b63.exe

Executes dropped EXE 1 IoCs

pid	Process
2804	78ecee4dc4157d64a3abb64c57a08b63.exe

Loads dropped DLL 1 IoCs

pid	Process
2768	78ecee4dc4157d64a3abb64c57a08b63.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2768-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x00070000000122c9-10.dat	upx
behavioral1/files/0x00070000000122c9-14.dat	upx
behavioral1/memory/2804-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2768	78ecee4dc4157d64a3abb64c57a08b63.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2768	78ecee4dc4157d64a3abb64c57a08b63.exe
2804	78ecee4dc4157d64a3abb64c57a08b63.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 2804	2768	78ecee4dc4157d64a3abb64c57a08b63.exe	15
PID 2768 wrote to memory of 2804	2768	78ecee4dc4157d64a3abb64c57a08b63.exe	15
PID 2768 wrote to memory of 2804	2768	78ecee4dc4157d64a3abb64c57a08b63.exe	15
PID 2768 wrote to memory of 2804	2768	78ecee4dc4157d64a3abb64c57a08b63.exe	15

C:\Users\Admin\AppData\Local\Temp\78ecee4dc4157d64a3abb64c57a08b63.exe
C:\Users\Admin\AppData\Local\Temp\78ecee4dc4157d64a3abb64c57a08b63.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:2804

C:\Users\Admin\AppData\Local\Temp\78ecee4dc4157d64a3abb64c57a08b63.exe
"C:\Users\Admin\AppData\Local\Temp\78ecee4dc4157d64a3abb64c57a08b63.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2768

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\78ecee4dc4157d64a3abb64c57a08b63.exe

Filesize
34KB

MD5
d3c1d8d6ec89c76663e6e327112eccb3

SHA1
7bee5ae6a69ef1fb20845b4eb4d724591c7c62ca

SHA256
14f6bcba24b14098b8339c5987a418b89a6b08bccb862d746c267d49a08bf60e

SHA512
e9ebe6e8a01dc09fbecff17cc1ab02f35b63cb535d5b0ced6be72499d226405b0de50170ad8ca04586a1dffaabea8bb870da3370227632157d289b03f30fc415

Download Submit
\Users\Admin\AppData\Local\Temp\78ecee4dc4157d64a3abb64c57a08b63.exe

Filesize
90KB

MD5
0d4c90711b52ceaa0fd2e5e420497666

SHA1
68fa0bd84b215e245452dce0be909837c4cd2c66

SHA256
56b86d6ed2d1b85c985f2e7c1e032b8ffc7982c030cfd272c82d2a9213ecd09b

SHA512
b967b94e033185c4921df6e1e5743235fc1173a838d88e3e63dcf4e6191d897982fe381899b276d663a58bca87a95fb49a39acf9b7de7c01987c7c9a28cc19bd

Download Submit
memory/2768-16-0x0000000003220000-0x0000000003532000-memory.dmp

Filesize
3.1MB

Download
memory/2768-2-0x00000000018B0000-0x0000000001974000-memory.dmp

Filesize
784KB

Download
memory/2768-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2768-15-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2768-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2804-25-0x0000000003090000-0x0000000003223000-memory.dmp

Filesize
1.6MB

Download
memory/2804-35-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2804-24-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2804-18-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2804-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2804-34-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download
memory/2804-19-0x0000000001720000-0x00000000017E4000-memory.dmp

Filesize
784KB

Download