xmrig | dbe14f98040ccc1eda0ccb607c5cc1d6bb1d01a766a0fe8a171b68f4249b985a

General

Target

c8974384b01927de8b4651ecb5d2ae5f.exe
Size

784KB
MD5

c8974384b01927de8b4651ecb5d2ae5f
SHA1

a74d8a621e3914a2b31b72a428b918be429bfaf3
SHA256

dbe14f98040ccc1eda0ccb607c5cc1d6bb1d01a766a0fe8a171b68f4249b985a
SHA512

ecc675feab234942973081d349a1569731dc796dc533ca66abac3c91476bf8cce73df1c9412988854386dacafd87be1f8978374779eb9b7a2ab3f5ea808dad2b
SSDEEP

24576:+y2ouCchBAaBwV6jnHzWwGmccHUMY1TMk0h:+y9uZNs6zHyne0MY5Mk0

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/1916-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2240-24-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2240-18-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2240-27-0x0000000003260000-0x00000000033F3000-memory.dmp	xmrig
behavioral1/memory/1916-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2240-35-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2240-34-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2240	c8974384b01927de8b4651ecb5d2ae5f.exe

Executes dropped EXE 1 IoCs

pid	Process
2240	c8974384b01927de8b4651ecb5d2ae5f.exe

Loads dropped DLL 1 IoCs

pid	Process
1916	c8974384b01927de8b4651ecb5d2ae5f.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1916-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x0007000000012281-10.dat	upx
behavioral1/files/0x0007000000012281-12.dat	upx
behavioral1/files/0x0007000000012281-16.dat	upx
behavioral1/memory/2240-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/memory/1916-15-0x00000000030E0000-0x00000000033F2000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1916	c8974384b01927de8b4651ecb5d2ae5f.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1916	c8974384b01927de8b4651ecb5d2ae5f.exe
2240	c8974384b01927de8b4651ecb5d2ae5f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 2240	1916	c8974384b01927de8b4651ecb5d2ae5f.exe	29
PID 1916 wrote to memory of 2240	1916	c8974384b01927de8b4651ecb5d2ae5f.exe	29
PID 1916 wrote to memory of 2240	1916	c8974384b01927de8b4651ecb5d2ae5f.exe	29
PID 1916 wrote to memory of 2240	1916	c8974384b01927de8b4651ecb5d2ae5f.exe	29

C:\Users\Admin\AppData\Local\Temp\c8974384b01927de8b4651ecb5d2ae5f.exe
"C:\Users\Admin\AppData\Local\Temp\c8974384b01927de8b4651ecb5d2ae5f.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Local\Temp\c8974384b01927de8b4651ecb5d2ae5f.exe
  C:\Users\Admin\AppData\Local\Temp\c8974384b01927de8b4651ecb5d2ae5f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2240

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c8974384b01927de8b4651ecb5d2ae5f.exe

Filesize
370KB

MD5
f6d30a03c67bd7f0cfef89d1c3845b5f

SHA1
1b4eec23c909bb21b6f216a9f9b12b257b0db2d5

SHA256
cd2293f8454ab6f933430ca3e920d77005d482f1374c9dcf468aacbbeddc2268

SHA512
8737b223c2973bab1a46b2cf65a010d44fa64653545941d32778bb09c3237b12a951c6d0cffc49ec2d7f58915d25ad7b45d1fa3c1353a9aad60c531351ad3d90

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8974384b01927de8b4651ecb5d2ae5f.exe

Filesize
143KB

MD5
b29832e22ecc81d031bccb4795708831

SHA1
17cced0701e7d3e0085ff24b9298d47ac8c1493b

SHA256
00debf0359f397127d54066cc2a7387a8c80ae5e533e0a8a45d1d9c80ba39e23

SHA512
8747a6a94b4638a5857ef00f5c115095b21c8bd885a989d89ca691bb0cc28cdcf1c43d484d6056dace4d4b535f125365eb49e9d981ff0b9a1f3852deb1960f53

Download Submit
\Users\Admin\AppData\Local\Temp\c8974384b01927de8b4651ecb5d2ae5f.exe

Filesize
400KB

MD5
afdac28e5b24f727d706769d00d56633

SHA1
8ddc8e6d0609e559abd66dab8a1fe81a59ede1c7

SHA256
37babfcb566000f5d89219d8e257bb353f62d06f6a9e00a19f11c193f19e7b40

SHA512
ecca17b74b673a7b7041cd28481a287ac2827db63d3938478e8fff74ea860429c7891178c722bdddc64c002df5fc332ba3ad6820427b413d7454f624730b6055

Download Submit
memory/1916-15-0x00000000030E0000-0x00000000033F2000-memory.dmp

Filesize
3.1MB

Download
memory/1916-2-0x0000000000320000-0x00000000003E4000-memory.dmp

Filesize
784KB

Download
memory/1916-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1916-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1916-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2240-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2240-18-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2240-27-0x0000000003260000-0x00000000033F3000-memory.dmp

Filesize
1.6MB

Download
memory/2240-24-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2240-19-0x0000000000120000-0x00000000001E4000-memory.dmp

Filesize
784KB

Download
memory/2240-35-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2240-34-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing