xmrig | 0e63be888098618dee0dde46c3605b6d980b3f79f9cfd88819bb80befe770104

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
22-12-2023 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7aabdf8557cd7c9d074d1c3e49648b0f.exe
Size

784KB
MD5

7aabdf8557cd7c9d074d1c3e49648b0f
SHA1

540e7cde063f412abd52f6307dc38351aa67f8eb
SHA256

0e63be888098618dee0dde46c3605b6d980b3f79f9cfd88819bb80befe770104
SHA512

d7220a199165fda1836c932220c1b56573c5f81d70fdaeded85dacb2efab805d211da99bbc5c9123d5bbb0e4ad8f8b07fb33151665cba2da94a538f490736bd6
SSDEEP

12288:Wdy55mmJUkmR0YaucLVOEIpF10mWQwAMosWACcwhBLATU3TVR1P7v681Z/ZyibTq:755mmCh565OhpFaQWozPxAIx/uoXTq

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/1680-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/1680-16-0x00000000030E0000-0x00000000033F2000-memory.dmp	xmrig
behavioral1/memory/2296-17-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2296-18-0x0000000000400000-0x0000000000712000-memory.dmp	xmrig
behavioral1/memory/1680-15-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2296-26-0x0000000003110000-0x00000000032A3000-memory.dmp	xmrig
behavioral1/memory/2296-24-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2296-35-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2296-34-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2296	7aabdf8557cd7c9d074d1c3e49648b0f.exe

Executes dropped EXE 1 IoCs

pid	Process
2296	7aabdf8557cd7c9d074d1c3e49648b0f.exe

Loads dropped DLL 1 IoCs

pid	Process
1680	7aabdf8557cd7c9d074d1c3e49648b0f.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1680-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000900000001447e-10.dat	upx
behavioral1/files/0x000900000001447e-14.dat	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1680	7aabdf8557cd7c9d074d1c3e49648b0f.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1680	7aabdf8557cd7c9d074d1c3e49648b0f.exe
2296	7aabdf8557cd7c9d074d1c3e49648b0f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2296	1680	7aabdf8557cd7c9d074d1c3e49648b0f.exe	17
PID 1680 wrote to memory of 2296	1680	7aabdf8557cd7c9d074d1c3e49648b0f.exe	17
PID 1680 wrote to memory of 2296	1680	7aabdf8557cd7c9d074d1c3e49648b0f.exe	17
PID 1680 wrote to memory of 2296	1680	7aabdf8557cd7c9d074d1c3e49648b0f.exe	17

C:\Users\Admin\AppData\Local\Temp\7aabdf8557cd7c9d074d1c3e49648b0f.exe
"C:\Users\Admin\AppData\Local\Temp\7aabdf8557cd7c9d074d1c3e49648b0f.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Local\Temp\7aabdf8557cd7c9d074d1c3e49648b0f.exe
  C:\Users\Admin\AppData\Local\Temp\7aabdf8557cd7c9d074d1c3e49648b0f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2296

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7aabdf8557cd7c9d074d1c3e49648b0f.exe

Filesize
72KB

MD5
d0b36828c7575a8c7739088657e0b8c5

SHA1
6c3d0eda4ed149b2e4acc09f4e1e03bf3c7faa45

SHA256
3f99fb001d811d68f0886e5f82ce64fae7cb128665fe404ea757f15871801af5

SHA512
9070e46179e0e1140bfdd769c3adcde9bdac628d436349e447df89e807b262c049379a2fff6cf860d95d63e109eb3cd1618ca6e0ccf0372dc79289560006e1e1

Download Submit
\Users\Admin\AppData\Local\Temp\7aabdf8557cd7c9d074d1c3e49648b0f.exe

Filesize
64KB

MD5
df55b316fda1d7e5decbc82fb9cdbfeb

SHA1
d35211a4ef31700fc1a562ed64bad6eca480f305

SHA256
71e3d3703a90a5921691be1ab7dad2efbe31620e81dd50481fded3a33ca6ae2a

SHA512
6bff0bf983cd816261d706439b1db0a6e514bbfc943c55b857ac70866ef3c6c3f23ed7d10feee863adf0f6d444535c2460821b7bad411f5054b475f1fdd59d1f

Download Submit
memory/1680-3-0x0000000000320000-0x00000000003E4000-memory.dmp

Filesize
784KB

Download
memory/1680-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1680-16-0x00000000030E0000-0x00000000033F2000-memory.dmp

Filesize
3.1MB

Download
memory/1680-15-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1680-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2296-17-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2296-18-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2296-20-0x0000000000120000-0x00000000001E4000-memory.dmp

Filesize
784KB

Download
memory/2296-26-0x0000000003110000-0x00000000032A3000-memory.dmp

Filesize
1.6MB

Download
memory/2296-24-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2296-35-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2296-34-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download