xmrig | 4c816c73d6a7c7d26218fae24b2818cdfa35654610ce2010694e009f1d7a481c

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f646010cccf3cdf408106a375b5de06.exe
Size

784KB
MD5

7f646010cccf3cdf408106a375b5de06
SHA1

e85cfd659005bbcfd55c228d1dbb3ebe5ed19d19
SHA256

4c816c73d6a7c7d26218fae24b2818cdfa35654610ce2010694e009f1d7a481c
SHA512

c11fef0169d15badfddb820da8174472bf9ba3241c2c362b3faa4fb69a459285dccb8cb341c56e275073b93250e3211d809a047a67b8320023760e3da28b69a0
SSDEEP

12288:br2nZB99zBuTU2gZawcVZPpUJ/YScaI4ic3Bbym5W3yRKAQM4EYEMbpAmrjGld8f:baZ3aR5Zk3rHEy5YEEbQ8kaea

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral2/memory/3128-2-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/3128-12-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/1064-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/1064-20-0x0000000005400000-0x0000000005593000-memory.dmp	xmrig
behavioral2/memory/1064-21-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral2/memory/1064-30-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
1064	7f646010cccf3cdf408106a375b5de06.exe

Executes dropped EXE 1 IoCs

pid	Process
1064	7f646010cccf3cdf408106a375b5de06.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3128-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral2/files/0x000700000002320a-11.dat	upx
behavioral2/memory/1064-13-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3128	7f646010cccf3cdf408106a375b5de06.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3128	7f646010cccf3cdf408106a375b5de06.exe
1064	7f646010cccf3cdf408106a375b5de06.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 1064	3128	7f646010cccf3cdf408106a375b5de06.exe	90
PID 3128 wrote to memory of 1064	3128	7f646010cccf3cdf408106a375b5de06.exe	90
PID 3128 wrote to memory of 1064	3128	7f646010cccf3cdf408106a375b5de06.exe	90

C:\Users\Admin\AppData\Local\Temp\7f646010cccf3cdf408106a375b5de06.exe
"C:\Users\Admin\AppData\Local\Temp\7f646010cccf3cdf408106a375b5de06.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Users\Admin\AppData\Local\Temp\7f646010cccf3cdf408106a375b5de06.exe
  C:\Users\Admin\AppData\Local\Temp\7f646010cccf3cdf408106a375b5de06.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7f646010cccf3cdf408106a375b5de06.exe

Filesize
784KB

MD5
facb5954fbf64869d392c8ec3b79b467

SHA1
ee3753b5786f30e8b736438c84ea0ffaaf1055ef

SHA256
41fda729f1bd830458cb6c3022d9b6717f0ee03dc53ddf9106642287fba6d701

SHA512
0c6fc303724680242049f2120fbf982be4d0451bef3728de5aadf83e815698ab87d714415761205dc960f36a6f93f158a8f1ffab032af0e25b984c0b15c5f5cd

Download Submit
memory/1064-13-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1064-15-0x0000000001720000-0x00000000017E4000-memory.dmp

Filesize
784KB

Download
memory/1064-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1064-20-0x0000000005400000-0x0000000005593000-memory.dmp

Filesize
1.6MB

Download
memory/1064-21-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1064-30-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3128-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/3128-1-0x00000000019C0000-0x0000000001A84000-memory.dmp

Filesize
784KB

Download
memory/3128-2-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3128-12-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download