xmrig | 9cb86dc9d1e9b019372c24a5584e0beae34a0eada2391c2a14b2d7f4bc3d378b

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
22/12/2023, 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6a9a50cd834e9c44aee30cafaabbdc8.exe
Size

784KB
MD5

c6a9a50cd834e9c44aee30cafaabbdc8
SHA1

3fe490e6aa55e65d4ad79b50a1df740fd2bf1e26
SHA256

9cb86dc9d1e9b019372c24a5584e0beae34a0eada2391c2a14b2d7f4bc3d378b
SHA512

c39a653aa6c87c1904facca5be04db9097dda0b34bc6a76f8c5a2def7b1893cd8053a802d77a63438d7eed5e2e8ec542019d652fe872bb5a8af3b6f96896fdd8
SSDEEP

24576:pe+8J7mq/IH2FtJKCIqAwbf5UdbdpnHx4M:pcAH2FqHw75unHm

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/2040-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/1988-27-0x00000000030A0000-0x0000000003233000-memory.dmp	xmrig
behavioral1/memory/1988-35-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/1988-34-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig
behavioral1/memory/1988-24-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/1988-18-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2040-15-0x0000000003250000-0x0000000003562000-memory.dmp	xmrig
behavioral1/memory/2040-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
1988	c6a9a50cd834e9c44aee30cafaabbdc8.exe

Executes dropped EXE 1 IoCs

pid	Process
1988	c6a9a50cd834e9c44aee30cafaabbdc8.exe

Loads dropped DLL 1 IoCs

pid	Process
2040	c6a9a50cd834e9c44aee30cafaabbdc8.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2040-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000b0000000139e0-10.dat	upx
behavioral1/memory/1988-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000b0000000139e0-16.dat	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2040	c6a9a50cd834e9c44aee30cafaabbdc8.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2040	c6a9a50cd834e9c44aee30cafaabbdc8.exe
1988	c6a9a50cd834e9c44aee30cafaabbdc8.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1988	2040	c6a9a50cd834e9c44aee30cafaabbdc8.exe	29
PID 2040 wrote to memory of 1988	2040	c6a9a50cd834e9c44aee30cafaabbdc8.exe	29
PID 2040 wrote to memory of 1988	2040	c6a9a50cd834e9c44aee30cafaabbdc8.exe	29
PID 2040 wrote to memory of 1988	2040	c6a9a50cd834e9c44aee30cafaabbdc8.exe	29

C:\Users\Admin\AppData\Local\Temp\c6a9a50cd834e9c44aee30cafaabbdc8.exe
"C:\Users\Admin\AppData\Local\Temp\c6a9a50cd834e9c44aee30cafaabbdc8.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\c6a9a50cd834e9c44aee30cafaabbdc8.exe
  C:\Users\Admin\AppData\Local\Temp\c6a9a50cd834e9c44aee30cafaabbdc8.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1988

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c6a9a50cd834e9c44aee30cafaabbdc8.exe

Filesize
96KB

MD5
56dbfb791ab0cb4576520a46dfd72eaf

SHA1
c8069aaf75df11050fe0a2b93f9e4d606a4eabcd

SHA256
0fc8f63c304c2eeb09122402cb95e032a6ae2a8e64e35caa79af1d49a1371c0c

SHA512
411e2282ad2509df9da27030dca3b0eb593e8acf62ff268b93dc2e0a065fb90854a1205057363d757ce0ce4fd1f036f44d5103f6928f1c9d2346085d828bac1f

Download Submit
\Users\Admin\AppData\Local\Temp\c6a9a50cd834e9c44aee30cafaabbdc8.exe

Filesize
784KB

MD5
dbdabe165fae9315c65badd1e159e78a

SHA1
3a5d5633331159e062a2d1c3afb38ee29fee2eda

SHA256
a8899bccade8614742d868dbc6f9d5f3191a4f1c2f13f8b9272ecbbaeab641e8

SHA512
20d434abe9091dc9fe733379b70fc15563f4148974fa4e5809f7fefc3ea4bc8a179403d0f0826cc279839b3254e69d333cb851dd615e93138e0844aa24546683

Download Submit
memory/1988-27-0x00000000030A0000-0x0000000003233000-memory.dmp

Filesize
1.6MB

Download
memory/1988-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1988-19-0x00000000018B0000-0x0000000001974000-memory.dmp

Filesize
784KB

Download
memory/1988-35-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1988-34-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download
memory/1988-24-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1988-18-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2040-3-0x0000000000120000-0x00000000001E4000-memory.dmp

Filesize
784KB

Download
memory/2040-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2040-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2040-15-0x0000000003250000-0x0000000003562000-memory.dmp

Filesize
3.1MB

Download
memory/2040-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download