xmrig | 8791615d7ecd6515e6a0295a2d86638609aa2be21e7a1d2c5f526a3f36830880

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22/12/2023, 13:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b7138bcb616413a4d4e2b70da8cc64b.exe
Size

1.5MB
MD5

9b7138bcb616413a4d4e2b70da8cc64b
SHA1

70b6542b9a2e9ee344e0dd8668f853f3997962db
SHA256

8791615d7ecd6515e6a0295a2d86638609aa2be21e7a1d2c5f526a3f36830880
SHA512

3c135e80221bec26a03fe109da91367a8be1f092c4ea61fb7dd492ff772dd8a55257e857128f762167165e6b6aa0fc8306971dc43764b95947151acd2eb5f5cd
SSDEEP

24576:v3JlEZC7LOYQ0jyaWF9hftPFGtv27M+NEgt/LfIAaiN9Diwr5hTSaLoJGCtN0E+s:BF7aQyaCh1PFGtvwM+1LPNBiw1jM

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral1/memory/1680-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/1680-15-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2712-17-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2712-24-0x0000000003150000-0x00000000032E3000-memory.dmp	xmrig
behavioral1/memory/2712-23-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2712-33-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2712	9b7138bcb616413a4d4e2b70da8cc64b.exe

Executes dropped EXE 1 IoCs

pid	Process
2712	9b7138bcb616413a4d4e2b70da8cc64b.exe

Loads dropped DLL 1 IoCs

pid	Process
1680	9b7138bcb616413a4d4e2b70da8cc64b.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1680-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000b00000001224e-10.dat	upx
behavioral1/memory/2712-16-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000b00000001224e-14.dat	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1680	9b7138bcb616413a4d4e2b70da8cc64b.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1680	9b7138bcb616413a4d4e2b70da8cc64b.exe
2712	9b7138bcb616413a4d4e2b70da8cc64b.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2712	1680	9b7138bcb616413a4d4e2b70da8cc64b.exe	29
PID 1680 wrote to memory of 2712	1680	9b7138bcb616413a4d4e2b70da8cc64b.exe	29
PID 1680 wrote to memory of 2712	1680	9b7138bcb616413a4d4e2b70da8cc64b.exe	29
PID 1680 wrote to memory of 2712	1680	9b7138bcb616413a4d4e2b70da8cc64b.exe	29

C:\Users\Admin\AppData\Local\Temp\9b7138bcb616413a4d4e2b70da8cc64b.exe
"C:\Users\Admin\AppData\Local\Temp\9b7138bcb616413a4d4e2b70da8cc64b.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Users\Admin\AppData\Local\Temp\9b7138bcb616413a4d4e2b70da8cc64b.exe
  C:\Users\Admin\AppData\Local\Temp\9b7138bcb616413a4d4e2b70da8cc64b.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2712

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9b7138bcb616413a4d4e2b70da8cc64b.exe

Filesize
226KB

MD5
d3ef123d392c14d02ab37c154b8c654c

SHA1
6b85c580e904f608e43be67cd96fce1de52f4727

SHA256
a878f7f28f806d98ceae86f106df2a69d554b33a8dd5ec7f445a88f195206213

SHA512
536b8a6c2b7f20901487ff2a13f83b6c848a9cc8d3170dcc5d1d6cb434d111f64052630db3e4ac0f1b89caa789b76db03eccae727b9f17036a49262ffedaa83e

Download Submit
\Users\Admin\AppData\Local\Temp\9b7138bcb616413a4d4e2b70da8cc64b.exe

Filesize
138KB

MD5
d73ac1f5a724f2e0f602d6b19bff535b

SHA1
52b27004a8ccf4de2ecf14cbddbe3113d5645a75

SHA256
04c39f46256be4ead8cbe8982ced8a6977f72d4b979a78b5289f9a8863b33aa7

SHA512
f01672fa5da02bb0401107c0dca396ae25a25c6af0b5692af622fd9cb5eb51f8a68d5e96075d86fe9578d6ca3bb292e281ad060ae14fc8f9cef293cae316ba64

Download Submit
memory/1680-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1680-3-0x00000000018B0000-0x0000000001974000-memory.dmp

Filesize
784KB

Download
memory/1680-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1680-15-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2712-16-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2712-19-0x0000000000210000-0x00000000002D4000-memory.dmp

Filesize
784KB

Download
memory/2712-17-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2712-24-0x0000000003150000-0x00000000032E3000-memory.dmp

Filesize
1.6MB

Download
memory/2712-23-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2712-33-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download