xmrig | 9d3eca512f54ed0ebae6d5fe72500e9aeff40f4df269a8287e55145155d05ff5

General

Target

d39514b639aebbad6285b51f86ff9392.exe
Size

784KB
MD5

d39514b639aebbad6285b51f86ff9392
SHA1

b96d9b1342d5f2f45c193e2e8b5b160f6276d10b
SHA256

9d3eca512f54ed0ebae6d5fe72500e9aeff40f4df269a8287e55145155d05ff5
SHA512

9c3bcf42468ca99061376125de67b4f57e2c68230d88dde777492fdbf1a961351dfd482f8dd6ab07b3d75c87f209799c550018dfedf670d2b80646e618a10c19
SSDEEP

12288:gS49QwjtNNJFFCG3C1Yq2oNVLH6/WPI9a0v21YL/cv4AlKR5vQcOs/fABna:glDNbcYqp3LLPI97v7LEv4wjs/fABn

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/1396-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/1396-15-0x00000000031E0000-0x00000000034F2000-memory.dmp	xmrig
behavioral1/memory/1396-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2732-19-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2732-25-0x00000000032A0000-0x0000000003433000-memory.dmp	xmrig
behavioral1/memory/2732-24-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2732-34-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2732	d39514b639aebbad6285b51f86ff9392.exe

Executes dropped EXE 1 IoCs

pid	Process
2732	d39514b639aebbad6285b51f86ff9392.exe

Loads dropped DLL 1 IoCs

pid	Process
1396	d39514b639aebbad6285b51f86ff9392.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1396-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x00080000000120f8-16.dat	upx
behavioral1/memory/2732-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x00080000000120f8-12.dat	upx
behavioral1/files/0x00080000000120f8-10.dat	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1396	d39514b639aebbad6285b51f86ff9392.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1396	d39514b639aebbad6285b51f86ff9392.exe
2732	d39514b639aebbad6285b51f86ff9392.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 2732	1396	d39514b639aebbad6285b51f86ff9392.exe	29
PID 1396 wrote to memory of 2732	1396	d39514b639aebbad6285b51f86ff9392.exe	29
PID 1396 wrote to memory of 2732	1396	d39514b639aebbad6285b51f86ff9392.exe	29
PID 1396 wrote to memory of 2732	1396	d39514b639aebbad6285b51f86ff9392.exe	29

C:\Users\Admin\AppData\Local\Temp\d39514b639aebbad6285b51f86ff9392.exe
"C:\Users\Admin\AppData\Local\Temp\d39514b639aebbad6285b51f86ff9392.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Users\Admin\AppData\Local\Temp\d39514b639aebbad6285b51f86ff9392.exe
  C:\Users\Admin\AppData\Local\Temp\d39514b639aebbad6285b51f86ff9392.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2732

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d39514b639aebbad6285b51f86ff9392.exe

Filesize
576KB

MD5
d8709df19f650f622e52056c54c4ea7a

SHA1
6a82b2d4d9f3d799400374c3d304392f8d0034c6

SHA256
75b237fd9d7685c406f4142f12c4c50a2a3813b1e549ecba08b17c7961184804

SHA512
9848d84ae3f47d797b96dfd0c1e203698ff14a6cd365fc3c578a8fbf0a231bb86903e51fac7f431d78170ea331a3b39ef95e672b28b0a5a466dca1376b85f5f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\d39514b639aebbad6285b51f86ff9392.exe

Filesize
314KB

MD5
5f8e2c9197c558b64d652e21bedd52b6

SHA1
949b526b3638cbd3b2d167243a96bd118e514bd5

SHA256
3f9b4ce7dd5dc92acfba83086f3603a4bd2cfacf44c0e63fab103d43b0d6b936

SHA512
4612b029fac4e7e838c47822590f5aae332a01690b30866f72ba20a1a4e67cd81e6e76f2aa11e3e359ef3a072c2172ea427c2b5d61fbbace92ec78218c1d8223

Download Submit
\Users\Admin\AppData\Local\Temp\d39514b639aebbad6285b51f86ff9392.exe

Filesize
75KB

MD5
577c9f829fdbcd1f26beee1f85b419d3

SHA1
eaaf0d5c6d23c943fd669771ea8571494da20005

SHA256
72b208ea978ae2c07864f45ff434eb79b9abf6633c8702fb800444bbb7cb0c9c

SHA512
ec21b8a4ba3fe069e6bc6fbd1aa61c524728073c3e6e2d5d05ae8e9ddd1691d962556054ed3418702b9066646718fcb4934ae55a2fd4124c59aa9b5dc67277e3

Download Submit
memory/1396-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1396-15-0x00000000031E0000-0x00000000034F2000-memory.dmp

Filesize
3.1MB

Download
memory/1396-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1396-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1396-2-0x0000000000120000-0x00000000001E4000-memory.dmp

Filesize
784KB

Download
memory/2732-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2732-18-0x0000000000120000-0x00000000001E4000-memory.dmp

Filesize
784KB

Download
memory/2732-19-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2732-25-0x00000000032A0000-0x0000000003433000-memory.dmp

Filesize
1.6MB

Download
memory/2732-24-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2732-34-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing