xmrig | 27942005c57acec1d224a698bf9617b147ebd3d7c4d0bbabe0c492bc443b09cf

Analysis

max time kernel
122s
max time network
134s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22-12-2023 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80df06dff255c5ea40bf70ecc0a6abc8.exe
Size

784KB
MD5

80df06dff255c5ea40bf70ecc0a6abc8
SHA1

512d845c800d20dca1f3b80dafe368bcd2bd02d2
SHA256

27942005c57acec1d224a698bf9617b147ebd3d7c4d0bbabe0c492bc443b09cf
SHA512

8ab076e027908c232fff27a2b3d947b38249f841888ede1ad7c81a80802d64ed735056bcaa39d52830f9253b9eb8748eaa592a182cff69252b6fa95a18e8ab02
SSDEEP

24576:QrW+tnf7vfXW8mza33wdnE9rmFykf2HmYyYzFKUthCxYF:SRbX7mza33UWlVz57CSF

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/2896-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2896-15-0x00000000032C0000-0x00000000035D2000-memory.dmp	xmrig
behavioral1/memory/2896-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2772-18-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2772-26-0x0000000003150000-0x00000000032E3000-memory.dmp	xmrig
behavioral1/memory/2772-24-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2772-34-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2772	80df06dff255c5ea40bf70ecc0a6abc8.exe

Executes dropped EXE 1 IoCs

pid	Process
2772	80df06dff255c5ea40bf70ecc0a6abc8.exe

Loads dropped DLL 1 IoCs

pid	Process
2896	80df06dff255c5ea40bf70ecc0a6abc8.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2896-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x0008000000012262-10.dat	upx
behavioral1/memory/2896-15-0x00000000032C0000-0x00000000035D2000-memory.dmp	upx
behavioral1/files/0x0008000000012262-16.dat	upx
behavioral1/memory/2772-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2896	80df06dff255c5ea40bf70ecc0a6abc8.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2896	80df06dff255c5ea40bf70ecc0a6abc8.exe
2772	80df06dff255c5ea40bf70ecc0a6abc8.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2772	2896	80df06dff255c5ea40bf70ecc0a6abc8.exe	28
PID 2896 wrote to memory of 2772	2896	80df06dff255c5ea40bf70ecc0a6abc8.exe	28
PID 2896 wrote to memory of 2772	2896	80df06dff255c5ea40bf70ecc0a6abc8.exe	28
PID 2896 wrote to memory of 2772	2896	80df06dff255c5ea40bf70ecc0a6abc8.exe	28

C:\Users\Admin\AppData\Local\Temp\80df06dff255c5ea40bf70ecc0a6abc8.exe
"C:\Users\Admin\AppData\Local\Temp\80df06dff255c5ea40bf70ecc0a6abc8.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Users\Admin\AppData\Local\Temp\80df06dff255c5ea40bf70ecc0a6abc8.exe
  C:\Users\Admin\AppData\Local\Temp\80df06dff255c5ea40bf70ecc0a6abc8.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2772

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\80df06dff255c5ea40bf70ecc0a6abc8.exe

Filesize
223KB

MD5
33422cff112d466ab67d0c519a501071

SHA1
20fbf28a1ad1a9f6c0bb4f2f1f37f4c74861eb6f

SHA256
7ba4d8d987025eb44b9496fea3585047bc47896a20d83e412d6e7a99cd71a0ef

SHA512
4fb504c5bbcf4c802fedd79a03fe3385658319b02fee836e52b0b93924a823ceaa1726d1097d271692a51cb655b9c6e96f474d8664be493f84312bd8b6d1743b

Download Submit
\Users\Admin\AppData\Local\Temp\80df06dff255c5ea40bf70ecc0a6abc8.exe

Filesize
178KB

MD5
6d4abb7e5a84f2723ce2214504d1554b

SHA1
bcb8b0d379028066e11b802b8ad13a82d78855ca

SHA256
98753ad8a1d777ada513646e97018aca885620e2a536d424bb496c41afbecaac

SHA512
8ad7363af44dc16dae86dbad85c472d67b3dd4d3914ecb41ac4932286a4681cc8da2a5b2cb2bc16db17d86d3c11b1adae79f9a2663e595b420fb601977b49a37

Download Submit
memory/2772-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2772-20-0x0000000000310000-0x00000000003D4000-memory.dmp

Filesize
784KB

Download
memory/2772-18-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2772-26-0x0000000003150000-0x00000000032E3000-memory.dmp

Filesize
1.6MB

Download
memory/2772-24-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2772-34-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2896-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2896-15-0x00000000032C0000-0x00000000035D2000-memory.dmp

Filesize
3.1MB

Download
memory/2896-2-0x00000000018B0000-0x0000000001974000-memory.dmp

Filesize
784KB

Download
memory/2896-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2896-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download