Analysis
- max time kernel: 100s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-12-2023 13:55
Behavioral task: behavioral1
- Sample: b1f20f5c28ff64c61beac6407d81e042.exe
- Resource: win7-20231215-en
General
- Target: b1f20f5c28ff64c61beac6407d81e042.exe
- Size: 784KB
- MD5: b1f20f5c28ff64c61beac6407d81e042
- SHA1: cc9a593cfe7506dee005e62de38fc1cf5d7b27c7
- SHA256: 7e3d5d9636c72349d16ccb32de9deeba3bf254c7c04e78a70e8c73dd5edc397f
- SHA512: 866679c75dc20cb8312bd21cc3c34eb931311dc81ea160eb300798805a2a3c0c134b939274b57257d4c5a3809feee4f7878266a9a3bdbac69abdebdfabb19c4a
- SSDEEP: 24576:i/N2ZhZDVS7q0+/HGhS4mLgQ06Rg5G9iq5LgmN1R:aNIxSEaBYgcRg54i8r
Malware Config
Signatures
- XMRig Miner payload (6 IoCs)
  resource                                                                    yara_rule
  behavioral2/memory/2848-2-0x0000000000400000-0x0000000000593000-memory.dmp   xmrig
  behavioral2/memory/2848-12-0x0000000000400000-0x0000000000593000-memory.dmp  xmrig
  behavioral2/memory/2444-14-0x0000000000400000-0x0000000000593000-memory.dmp  xmrig
  behavioral2/memory/2444-20-0x0000000005430000-0x00000000055C3000-memory.dmp  xmrig
  behavioral2/memory/2444-21-0x0000000000400000-0x0000000000587000-memory.dmp  xmrig
  behavioral2/memory/2444-30-0x0000000000400000-0x0000000000587000-memory.dmp  xmrig
- Deletes itself (1 IoC)
  pid   Process
  2444  b1f20f5c28ff64c61beac6407d81e042.exe
- Executes dropped EXE (1 IoC)
  pid   Process
  2444  b1f20f5c28ff64c61beac6407d81e042.exe
- resource                                                                    yara_rule
  behavioral2/memory/2848-0-0x0000000000400000-0x0000000000712000-memory.dmp   upx
  behavioral2/memory/2444-13-0x0000000000400000-0x0000000000712000-memory.dmp  upx
  behavioral2/files/0x0007000000023204-11.dat                                  upx
- Suspicious behavior: RenamesItself (1 IoC)
  pid   Process
  2848  b1f20f5c28ff64c61beac6407d81e042.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  2848  b1f20f5c28ff64c61beac6407d81e042.exe
  2444  b1f20f5c28ff64c61beac6407d81e042.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description                         pid   Process                               procid_target
  PID 2848 wrote to memory of 2444    2848  b1f20f5c28ff64c61beac6407d81e042.exe  42
  PID 2848 wrote to memory of 2444    2848  b1f20f5c28ff64c61beac6407d81e042.exe  42
  PID 2848 wrote to memory of 2444    2848  b1f20f5c28ff64c61beac6407d81e042.exe  42
Processes
- C:\Users\Admin\AppData\Local\Temp\b1f20f5c28ff64c61beac6407d81e042.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b1f20f5c28ff64c61beac6407d81e042.exe"
  Level: 1
  PID: 2848
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\b1f20f5c28ff64c61beac6407d81e042.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\b1f20f5c28ff64c61beac6407d81e042.exe
    Level: 2
    PID: 2444
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 92KB
  MD5: 39eee6a281af5ad0b19af7ca8c5c77f5
  SHA1: fad0556d443e862603fbeb50760dbb20dfc23238
  SHA256: 4c8cf39666a203210f9e5c75a12f1a29e654e47c754ef72f3f853bbc09a5ecdd
  SHA512: 6b32ff80ffe9f8c8dfd300817ed8a1ba1f9ca2830acc34b5f29144fb38142e8e0db21a27901366d5b3f0c3498c1f6f814148d30b5fa95f4c371fed6b2f6c382e