xmrig | 9e5f091aa8f2b09aa78741f007f895adc2d99a83a29a64cba4479a289cbde447

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22/12/2023, 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd1c36706cfc47d8240c8e7a257c166a.exe
Size

784KB
MD5

bd1c36706cfc47d8240c8e7a257c166a
SHA1

aea961de8f20b475de061b081458b839d635af1a
SHA256

9e5f091aa8f2b09aa78741f007f895adc2d99a83a29a64cba4479a289cbde447
SHA512

3c2ffb43f37bad2225c0460771854437e5721abfb557b62dbaec3c18ef280b92457044ea08d439c565d64b06346272d632de1ac42ebc389a84517c6da87e6554
SSDEEP

12288:BhBtgPOIBMOTF2Af2VNY0ZWLQmF0pynUQifM70UNTsei1yrjGwX3c5OG5a:PQFDjau0GEpZ2VNIwPG15OG

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/1668-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/1668-16-0x00000000030F0000-0x0000000003402000-memory.dmp	xmrig
behavioral1/memory/2656-17-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2656-18-0x0000000000400000-0x0000000000712000-memory.dmp	xmrig
behavioral1/memory/1668-15-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2656-26-0x0000000002FD0000-0x0000000003163000-memory.dmp	xmrig
behavioral1/memory/2656-24-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2656-35-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2656-34-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2656	bd1c36706cfc47d8240c8e7a257c166a.exe

Executes dropped EXE 1 IoCs

pid	Process
2656	bd1c36706cfc47d8240c8e7a257c166a.exe

Loads dropped DLL 1 IoCs

pid	Process
1668	bd1c36706cfc47d8240c8e7a257c166a.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1668-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x00070000000122c9-10.dat	upx
behavioral1/files/0x00070000000122c9-14.dat	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1668	bd1c36706cfc47d8240c8e7a257c166a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1668	bd1c36706cfc47d8240c8e7a257c166a.exe
2656	bd1c36706cfc47d8240c8e7a257c166a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2656	1668	bd1c36706cfc47d8240c8e7a257c166a.exe	29
PID 1668 wrote to memory of 2656	1668	bd1c36706cfc47d8240c8e7a257c166a.exe	29
PID 1668 wrote to memory of 2656	1668	bd1c36706cfc47d8240c8e7a257c166a.exe	29
PID 1668 wrote to memory of 2656	1668	bd1c36706cfc47d8240c8e7a257c166a.exe	29

C:\Users\Admin\AppData\Local\Temp\bd1c36706cfc47d8240c8e7a257c166a.exe
"C:\Users\Admin\AppData\Local\Temp\bd1c36706cfc47d8240c8e7a257c166a.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Local\Temp\bd1c36706cfc47d8240c8e7a257c166a.exe
  C:\Users\Admin\AppData\Local\Temp\bd1c36706cfc47d8240c8e7a257c166a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bd1c36706cfc47d8240c8e7a257c166a.exe

Filesize
784KB

MD5
514dca436a6b2b51c424d1f94b0ead3f

SHA1
619ab43e6f9bc67461efc61fa191a921bd8da98e

SHA256
a5d46551658371f6f76717cd3ca8f832aa9d5846fd36a0b58b26da8cb58aba0b

SHA512
3d9d716be15dd20297e6f666f716a2d902d4094b17ddcf45aa9afdbaf29369a5e89312d2c7a0527a32b275b2cbf721882c0d983d11c5bf4272a4f884d20eaea6

Download Submit
\Users\Admin\AppData\Local\Temp\bd1c36706cfc47d8240c8e7a257c166a.exe

Filesize
64KB

MD5
ec01f79eab506c22aa3237dcb7bbab22

SHA1
b1b9754b9b69e2fbdd8fb0053381e2313ca11fbb

SHA256
ea2923cdeea7690f16640728e8e75cddfa964dd14f9e4db44117037f18707861

SHA512
e428b4377435d494b6f0cceff84590a6b4dd8179ef062283d04c912d2e23b021b63868106f9d3231cbc596b15d0592e566edf7797ca5060a1834011960d56fd7

Download Submit
memory/1668-3-0x0000000000120000-0x00000000001E4000-memory.dmp

Filesize
784KB

Download
memory/1668-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1668-16-0x00000000030F0000-0x0000000003402000-memory.dmp

Filesize
3.1MB

Download
memory/1668-15-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1668-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2656-17-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2656-18-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2656-20-0x0000000000320000-0x00000000003E4000-memory.dmp

Filesize
784KB

Download
memory/2656-26-0x0000000002FD0000-0x0000000003163000-memory.dmp

Filesize
1.6MB

Download
memory/2656-24-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2656-35-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2656-34-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download