xmrig | dbe14f98040ccc1eda0ccb607c5cc1d6bb1d01a766a0fe8a171b68f4249b985a

Analysis

max time kernel
91s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8974384b01927de8b4651ecb5d2ae5f.exe
Size

784KB
MD5

c8974384b01927de8b4651ecb5d2ae5f
SHA1

a74d8a621e3914a2b31b72a428b918be429bfaf3
SHA256

dbe14f98040ccc1eda0ccb607c5cc1d6bb1d01a766a0fe8a171b68f4249b985a
SHA512

ecc675feab234942973081d349a1569731dc796dc533ca66abac3c91476bf8cce73df1c9412988854386dacafd87be1f8978374779eb9b7a2ab3f5ea808dad2b
SSDEEP

24576:+y2ouCchBAaBwV6jnHzWwGmccHUMY1TMk0h:+y9uZNs6zHyne0MY5Mk0

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral2/memory/3880-2-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/3880-12-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/668-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/668-20-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral2/memory/668-22-0x0000000005570000-0x0000000005703000-memory.dmp	xmrig
behavioral2/memory/668-30-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
668	c8974384b01927de8b4651ecb5d2ae5f.exe

Executes dropped EXE 1 IoCs

pid	Process
668	c8974384b01927de8b4651ecb5d2ae5f.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3880-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral2/files/0x00080000000231f0-11.dat	upx
behavioral2/memory/668-13-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3880	c8974384b01927de8b4651ecb5d2ae5f.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3880	c8974384b01927de8b4651ecb5d2ae5f.exe
668	c8974384b01927de8b4651ecb5d2ae5f.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3880 wrote to memory of 668	3880	c8974384b01927de8b4651ecb5d2ae5f.exe	89
PID 3880 wrote to memory of 668	3880	c8974384b01927de8b4651ecb5d2ae5f.exe	89
PID 3880 wrote to memory of 668	3880	c8974384b01927de8b4651ecb5d2ae5f.exe	89

C:\Users\Admin\AppData\Local\Temp\c8974384b01927de8b4651ecb5d2ae5f.exe
"C:\Users\Admin\AppData\Local\Temp\c8974384b01927de8b4651ecb5d2ae5f.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3880
- C:\Users\Admin\AppData\Local\Temp\c8974384b01927de8b4651ecb5d2ae5f.exe
  C:\Users\Admin\AppData\Local\Temp\c8974384b01927de8b4651ecb5d2ae5f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c8974384b01927de8b4651ecb5d2ae5f.exe

Filesize
429KB

MD5
595c9ad434993870d7fabec152f4fa77

SHA1
ca9b4563aa5acce02219ab642fdb4dfb6f5e2cb6

SHA256
2b95c29cb6bc0f8d8d2fc690737f16288fdd4dd1e97773ccc9af9b90060a601a

SHA512
4b83ae009f2ccd90b230c01d1a57d40d972224cb76966c8e33b68296866f12caa68510960e693cf45169d377aced07f8d5e38733d1582c35056439ae1df589c4

Download Submit
memory/668-13-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/668-17-0x0000000001720000-0x00000000017E4000-memory.dmp

Filesize
784KB

Download
memory/668-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/668-20-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/668-22-0x0000000005570000-0x0000000005703000-memory.dmp

Filesize
1.6MB

Download
memory/668-30-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3880-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/3880-1-0x0000000001720000-0x00000000017E4000-memory.dmp

Filesize
784KB

Download
memory/3880-2-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3880-12-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download