xmrig | 8054eab77fad80702eba59a803bcacc374e8d9f3c61721aa0df96f716c81c29f

Analysis

max time kernel
134s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 16:34

Target

f39008ed86c32cfbe327e621069c38d2.exe
Size

784KB
MD5

f39008ed86c32cfbe327e621069c38d2
SHA1

9cbaf4f55d719d314d9c6a5d401f19b1662b321d
SHA256

8054eab77fad80702eba59a803bcacc374e8d9f3c61721aa0df96f716c81c29f
SHA512

a50d5eaac82e29172f07acd47daab95bcfa910e74c1ab5b9bd28428a295fe5657c42f2c0961a8cdbbe1dec8872e3958178caded2d0eb4a984ab51c3bff625081
SSDEEP

24576:9EQGKMEaf47bkLNoxXPhF0UEkFZmZcp/:WZKMXmkLNoxXzmkFZmZcp/

Score

10^/10

xmrig miner upx

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral2/memory/2976-2-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/2976-12-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/2968-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/2968-21-0x0000000005390000-0x0000000005523000-memory.dmp	xmrig
behavioral2/memory/2968-20-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral2/memory/2968-30-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2968	f39008ed86c32cfbe327e621069c38d2.exe

Executes dropped EXE 1 IoCs

pid	Process
2968	f39008ed86c32cfbe327e621069c38d2.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/2976-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral2/files/0x0006000000023213-11.dat	upx
behavioral2/memory/2968-13-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2976	f39008ed86c32cfbe327e621069c38d2.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2976	f39008ed86c32cfbe327e621069c38d2.exe
2968	f39008ed86c32cfbe327e621069c38d2.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2968	2976	f39008ed86c32cfbe327e621069c38d2.exe	90
PID 2976 wrote to memory of 2968	2976	f39008ed86c32cfbe327e621069c38d2.exe	90
PID 2976 wrote to memory of 2968	2976	f39008ed86c32cfbe327e621069c38d2.exe	90

C:\Users\Admin\AppData\Local\Temp\f39008ed86c32cfbe327e621069c38d2.exe

Filesize
729KB

MD5
794329fb4bcf74a18ccb23fc6c516dff

SHA1
eb153b9a06a5f98d906d1f40b192d6382c2c5af7

SHA256
8b62c719d749c7183eca660ace83c2eba49e7da32c1d1645ee7032b10d88b187

SHA512
5b768f9078a96131da4bc6351174d154c0513725af94558172618a02e94b35792a48a0fae048d92e643c3010bd520f50179806382973d536971b3cc711530831

Download Submit
memory/2968-13-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2968-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2968-21-0x0000000005390000-0x0000000005523000-memory.dmp

Filesize
1.6MB

Download
memory/2968-20-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2968-15-0x00000000017F0000-0x00000000018B4000-memory.dmp

Filesize
784KB

Download
memory/2968-30-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2976-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2976-1-0x0000000001720000-0x00000000017E4000-memory.dmp

Filesize
784KB

Download
memory/2976-2-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2976-12-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download