xmrig | eb7541b78ac01427b8837e69721e55fb6b90b96ae749e3fb65daf6c7fd2ba4f8

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22/12/2023, 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f41ca1c3626acb7b6c20fa4518d9357a.exe
Size

1.5MB
MD5

f41ca1c3626acb7b6c20fa4518d9357a
SHA1

b84f2db0672692f62e11e01446e2db80bb452692
SHA256

eb7541b78ac01427b8837e69721e55fb6b90b96ae749e3fb65daf6c7fd2ba4f8
SHA512

75c158e7373fc0cf92c3978ef70621e789814bff7f9ff64ec3172b6f18e04c87f7d22f3d9e78fac075e6ca13f77636df76188c9ceaa129e741662bacdf71f071
SSDEEP

49152:YvJi5gYhZ0gAf3js3P22fN5jWOka21LWPe0:YJkgubajs3P1FmVW1

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/2540-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2540-15-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2064-25-0x0000000003010000-0x00000000031A3000-memory.dmp	xmrig
behavioral1/memory/2064-23-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2064-34-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2064-33-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig
behavioral1/memory/2064-17-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2064	f41ca1c3626acb7b6c20fa4518d9357a.exe

Executes dropped EXE 1 IoCs

pid	Process
2064	f41ca1c3626acb7b6c20fa4518d9357a.exe

Loads dropped DLL 1 IoCs

pid	Process
2540	f41ca1c3626acb7b6c20fa4518d9357a.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2540-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/memory/2064-16-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000c000000012242-14.dat	upx
behavioral1/files/0x000c000000012242-10.dat	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2540	f41ca1c3626acb7b6c20fa4518d9357a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2540	f41ca1c3626acb7b6c20fa4518d9357a.exe
2064	f41ca1c3626acb7b6c20fa4518d9357a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2064	2540	f41ca1c3626acb7b6c20fa4518d9357a.exe	29
PID 2540 wrote to memory of 2064	2540	f41ca1c3626acb7b6c20fa4518d9357a.exe	29
PID 2540 wrote to memory of 2064	2540	f41ca1c3626acb7b6c20fa4518d9357a.exe	29
PID 2540 wrote to memory of 2064	2540	f41ca1c3626acb7b6c20fa4518d9357a.exe	29

C:\Users\Admin\AppData\Local\Temp\f41ca1c3626acb7b6c20fa4518d9357a.exe
"C:\Users\Admin\AppData\Local\Temp\f41ca1c3626acb7b6c20fa4518d9357a.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Users\Admin\AppData\Local\Temp\f41ca1c3626acb7b6c20fa4518d9357a.exe
  C:\Users\Admin\AppData\Local\Temp\f41ca1c3626acb7b6c20fa4518d9357a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f41ca1c3626acb7b6c20fa4518d9357a.exe

Filesize
92KB

MD5
197e19c6a5af3595107815791fd858b4

SHA1
5027f8d069568617c4a9bb9e05669e100091e78d

SHA256
dcd96a000287be612a83445580e3c336df451d226be97afe2a1eaec4c2f0aad1

SHA512
571eb689a4c0a3f3ca88a84972383878670f2330bcc0d2a9196f0e7c8f5c49b69932969ddb2bca8fdb84eed7e0fb6800a57834ce7c8567523f91774d5d3598c5

Download Submit
\Users\Admin\AppData\Local\Temp\f41ca1c3626acb7b6c20fa4518d9357a.exe

Filesize
384KB

MD5
9a40cbaacee0ade6a87202d22c0bebf6

SHA1
bf614bad169f69f434090454990bef037ea6ec1a

SHA256
c718fab2ed2998ad5549ce41c9a46bcb3c24281ead719c98d77c0cabfb64106c

SHA512
518962ffdeb93f52bfd16030880cc099f267ffc8a67c06cf4d692062c8408bbbedac4e706e710ff18f5ea77c2692bc04ae95e822fe9aa053cdda3ef7160fab8f

Download Submit
memory/2064-33-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download
memory/2064-16-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2064-19-0x0000000000310000-0x00000000003D4000-memory.dmp

Filesize
784KB

Download
memory/2064-25-0x0000000003010000-0x00000000031A3000-memory.dmp

Filesize
1.6MB

Download
memory/2064-23-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2064-34-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2064-17-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2540-15-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2540-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2540-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2540-2-0x00000000018B0000-0x0000000001974000-memory.dmp

Filesize
784KB

Download