xmrig | 92973275d72ba0df71f520fa045546117b21db008754f76e1fb2da2e06e70a77

General

Target

a9dd3c8efbe8aaf91cc6aedab6312a75.exe
Size

784KB
MD5

a9dd3c8efbe8aaf91cc6aedab6312a75
SHA1

45bff35683739538ce513ea7d912c23fc5fefe4a
SHA256

92973275d72ba0df71f520fa045546117b21db008754f76e1fb2da2e06e70a77
SHA512

c841c51fe6cd45eabb6418b61ad32fd6c8839521ed60dc394db629dcb896fabfe36d96c5a6b6947fe9687d3ae5fa525597ad87698ea49d196471a85d48d80e02
SSDEEP

24576:DsTtZkgKPJEyEnM9N6ekciVBmTw/4AbVxN:Ixm9aFM9NSc+k0/4Ap

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/2400-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2400-15-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2400-14-0x00000000031F0000-0x0000000003502000-memory.dmp	xmrig
behavioral1/memory/2348-19-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2348-25-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2348-24-0x0000000003120000-0x00000000032B3000-memory.dmp	xmrig
behavioral1/memory/2348-35-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2348-34-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2348	a9dd3c8efbe8aaf91cc6aedab6312a75.exe

Executes dropped EXE 1 IoCs

pid	Process
2348	a9dd3c8efbe8aaf91cc6aedab6312a75.exe

Loads dropped DLL 1 IoCs

pid	Process
2400	a9dd3c8efbe8aaf91cc6aedab6312a75.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2400-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x00080000000120f8-10.dat	upx
behavioral1/files/0x00080000000120f8-12.dat	upx
behavioral1/files/0x00080000000120f8-16.dat	upx
behavioral1/memory/2348-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/memory/2400-14-0x00000000031F0000-0x0000000003502000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2400	a9dd3c8efbe8aaf91cc6aedab6312a75.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2400	a9dd3c8efbe8aaf91cc6aedab6312a75.exe
2348	a9dd3c8efbe8aaf91cc6aedab6312a75.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2348	2400	a9dd3c8efbe8aaf91cc6aedab6312a75.exe	29
PID 2400 wrote to memory of 2348	2400	a9dd3c8efbe8aaf91cc6aedab6312a75.exe	29
PID 2400 wrote to memory of 2348	2400	a9dd3c8efbe8aaf91cc6aedab6312a75.exe	29
PID 2400 wrote to memory of 2348	2400	a9dd3c8efbe8aaf91cc6aedab6312a75.exe	29

C:\Users\Admin\AppData\Local\Temp\a9dd3c8efbe8aaf91cc6aedab6312a75.exe
"C:\Users\Admin\AppData\Local\Temp\a9dd3c8efbe8aaf91cc6aedab6312a75.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Local\Temp\a9dd3c8efbe8aaf91cc6aedab6312a75.exe
  C:\Users\Admin\AppData\Local\Temp\a9dd3c8efbe8aaf91cc6aedab6312a75.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2348

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a9dd3c8efbe8aaf91cc6aedab6312a75.exe

Filesize
331KB

MD5
0018da7ee8d682654afef56f9e1a1b76

SHA1
30c11c0c3870111ab55c720b91bbbc91e982a315

SHA256
5e3b67b8a966ee29c1cbc87033a2ec67078133b221d5eeaba98c9ee8a18644a5

SHA512
937ecad63c28e801251a27f9a60a0dc937d3f7786f2fc68fad23e5db427f76568b182ff180c8661e397bb0aff83cc397aa9190b13284343d5e5011f3d333c746

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9dd3c8efbe8aaf91cc6aedab6312a75.exe

Filesize
174KB

MD5
25af81a3414dc70627ed53c88509c5a5

SHA1
d31c0e5c748dc2c479af985a6670ede8747df7bf

SHA256
7fa3cbd52737bf83f5433641a9d0229ae11e7474bd2f602607fefe4de28732f4

SHA512
8c52295da5dab2f5b52d153dadc25f3292faf6a6d9d5978bad446b13543fecedb3ecebed7d0118aab1183bad0a136952a1215bca048615c342df004cb25c171e

Download Submit
\Users\Admin\AppData\Local\Temp\a9dd3c8efbe8aaf91cc6aedab6312a75.exe

Filesize
503KB

MD5
235b2ae26105fd31609551300419e6de

SHA1
fb0697a8eb9b599d686476aac703afb4224f26b0

SHA256
e88c69ec55d0a5cb0762dc1867d42da7629f4f6a88257dffcf48a2bbc740c54d

SHA512
826d1e20a1b34219bea99161cc32a15fac7b5af8d5436be8e66e6e2d8a16cb1095266d27bdcd5fc3c6b20c4ee4b32e5368a61b8fe4cc4ae85627c76884b828ee

Download Submit
memory/2348-18-0x0000000000120000-0x00000000001E4000-memory.dmp

Filesize
784KB

Download
memory/2348-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2348-19-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2348-25-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2348-24-0x0000000003120000-0x00000000032B3000-memory.dmp

Filesize
1.6MB

Download
memory/2348-35-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2348-34-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download
memory/2400-2-0x00000000002C0000-0x0000000000384000-memory.dmp

Filesize
784KB

Download
memory/2400-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2400-15-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2400-14-0x00000000031F0000-0x0000000003502000-memory.dmp

Filesize
3.1MB

Download
memory/2400-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing