xmrig | 57077c8949fbdf3b8d6165fae9d00bf6fab54acf1987a3388c07edcf5eff91ab

General

Target

7766c0556c13d02448982c5fd1088c77.exe
Size

1.5MB
MD5

7766c0556c13d02448982c5fd1088c77
SHA1

ac4f61c45db457c7796738bbfbc959adab2bdfb0
SHA256

57077c8949fbdf3b8d6165fae9d00bf6fab54acf1987a3388c07edcf5eff91ab
SHA512

2feeb622f8563cfe497270888f8ebce64db35f294b243f0eaa5085a5df9b3829a9a3a2fc380e402a5005f9db642d85b5e43da780803315cb4decea29b52adb03
SSDEEP

49152:wZildEkBYwfAlfhtr6UBuy9Y5p2XfwVTIynyjc+rGc/l:wZildjYwYvtr6s8QXCIyyjc+qk

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/1848-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/1848-15-0x00000000033E0000-0x00000000036F2000-memory.dmp	xmrig
behavioral1/memory/1848-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2792-18-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2792-24-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2792-25-0x0000000003100000-0x0000000003293000-memory.dmp	xmrig
behavioral1/memory/2792-34-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig
behavioral1/memory/2792-35-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2792	7766c0556c13d02448982c5fd1088c77.exe

Executes dropped EXE 1 IoCs

pid	Process
2792	7766c0556c13d02448982c5fd1088c77.exe

Loads dropped DLL 1 IoCs

pid	Process
1848	7766c0556c13d02448982c5fd1088c77.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1848-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x0009000000012258-10.dat	upx
behavioral1/files/0x0009000000012258-12.dat	upx
behavioral1/files/0x0009000000012258-16.dat	upx
behavioral1/memory/2792-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1848	7766c0556c13d02448982c5fd1088c77.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1848	7766c0556c13d02448982c5fd1088c77.exe
2792	7766c0556c13d02448982c5fd1088c77.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2792	1848	7766c0556c13d02448982c5fd1088c77.exe	29
PID 1848 wrote to memory of 2792	1848	7766c0556c13d02448982c5fd1088c77.exe	29
PID 1848 wrote to memory of 2792	1848	7766c0556c13d02448982c5fd1088c77.exe	29
PID 1848 wrote to memory of 2792	1848	7766c0556c13d02448982c5fd1088c77.exe	29

C:\Users\Admin\AppData\Local\Temp\7766c0556c13d02448982c5fd1088c77.exe
"C:\Users\Admin\AppData\Local\Temp\7766c0556c13d02448982c5fd1088c77.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Users\Admin\AppData\Local\Temp\7766c0556c13d02448982c5fd1088c77.exe
  C:\Users\Admin\AppData\Local\Temp\7766c0556c13d02448982c5fd1088c77.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2792

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7766c0556c13d02448982c5fd1088c77.exe

Filesize
623KB

MD5
27af07dd8e626ce7f6ee1d1ebb060f4e

SHA1
37bb2369a2d6e10e7dcb4580623d64a525a020b3

SHA256
beb71ac4255dff5d6c5e2c12f0334059ea19921bc032e5301f7be64594c35183

SHA512
297215cd3d7f94d6d222c5861739fecdd358c73e5c8f1dfcc16110bfee37651ba9b0afbdc72df7165744ae0a27760479c77cc45f375d443f256902c8734a23cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7766c0556c13d02448982c5fd1088c77.exe

Filesize
327KB

MD5
99d364fdddf8bf1805db6fe13ea150e4

SHA1
f5473ac48f85eec9bfda4d6137637c12a22e133c

SHA256
e616a5c22ecb515abd0c710b8ee8952fb169fc135d9a45dda05ae83ff09acb2c

SHA512
fea6a2c4d9439d3ce055b01b66a7b6d88bfe1b180fabf87a9049de1c236796d27ac3f98242652afa63fac0d6d4b6a5b3ff8d935630537258b47075bb57e640d3

Download Submit
\Users\Admin\AppData\Local\Temp\7766c0556c13d02448982c5fd1088c77.exe

Filesize
626KB

MD5
f890c2c9e07182a6644ad13d6be907ef

SHA1
6492e37ed7c8d7264213729182c3e5e8013cac2a

SHA256
ee9817417a9c8d46a7f5378adb8daf6144c85739640d5f9e39aa6cb9aa305ee4

SHA512
ba46530dbb959827497a900334c3568d95d6850abbde56ed60d9aef9f4e67593742f4072e90f826b18bdda28ea088b05974e2fb49e0dc4ecd4324f93dec7f4f6

Download Submit
memory/1848-15-0x00000000033E0000-0x00000000036F2000-memory.dmp

Filesize
3.1MB

Download
memory/1848-2-0x00000000018B0000-0x0000000001974000-memory.dmp

Filesize
784KB

Download
memory/1848-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1848-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1848-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2792-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2792-19-0x0000000000120000-0x00000000001E4000-memory.dmp

Filesize
784KB

Download
memory/2792-18-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2792-24-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2792-25-0x0000000003100000-0x0000000003293000-memory.dmp

Filesize
1.6MB

Download
memory/2792-34-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download
memory/2792-35-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing