xmrig | d7bdebfcbffa24faafb940a468d3f5eb8229b414a7d12da1800b62e3ca05245a

Analysis

max time kernel
119s
max time network
144s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22/12/2023, 16:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f5526b8d40386b96e8c6669cf466d04a.exe
Size

784KB
MD5

f5526b8d40386b96e8c6669cf466d04a
SHA1

17afc28cf1ff725600f88972952e3944741c4614
SHA256

d7bdebfcbffa24faafb940a468d3f5eb8229b414a7d12da1800b62e3ca05245a
SHA512

d0d0c83a5bccefc8d901d9ad2815fede78d3fc600284bf6e3000568cec14b93a0d138a164c95fa4c877d83f94fcfa7642ca6aa0917cb6ec4cd6995ebfebb4694
SSDEEP

24576:hPqBJMy6p62Ya6QDNU7zf87aS+e+v0kCJ:0Bvq6O27zf8+S+bvc

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/2132-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2132-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/824-18-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/824-25-0x0000000003080000-0x0000000003213000-memory.dmp	xmrig
behavioral1/memory/824-24-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/824-35-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/824-34-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
824	f5526b8d40386b96e8c6669cf466d04a.exe

Executes dropped EXE 1 IoCs

pid	Process
824	f5526b8d40386b96e8c6669cf466d04a.exe

Loads dropped DLL 1 IoCs

pid	Process
2132	f5526b8d40386b96e8c6669cf466d04a.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2132-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000800000001223a-10.dat	upx
behavioral1/files/0x000800000001223a-16.dat	upx
behavioral1/memory/824-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/memory/2132-15-0x00000000030E0000-0x00000000033F2000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2132	f5526b8d40386b96e8c6669cf466d04a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2132	f5526b8d40386b96e8c6669cf466d04a.exe
824	f5526b8d40386b96e8c6669cf466d04a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 824	2132	f5526b8d40386b96e8c6669cf466d04a.exe	29
PID 2132 wrote to memory of 824	2132	f5526b8d40386b96e8c6669cf466d04a.exe	29
PID 2132 wrote to memory of 824	2132	f5526b8d40386b96e8c6669cf466d04a.exe	29
PID 2132 wrote to memory of 824	2132	f5526b8d40386b96e8c6669cf466d04a.exe	29

C:\Users\Admin\AppData\Local\Temp\f5526b8d40386b96e8c6669cf466d04a.exe
"C:\Users\Admin\AppData\Local\Temp\f5526b8d40386b96e8c6669cf466d04a.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\f5526b8d40386b96e8c6669cf466d04a.exe
  C:\Users\Admin\AppData\Local\Temp\f5526b8d40386b96e8c6669cf466d04a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:824

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f5526b8d40386b96e8c6669cf466d04a.exe

Filesize
86KB

MD5
59df99969b76827b5e381bee7048ecc6

SHA1
af75101806f856bcb4858bde02e4a94e566ed614

SHA256
accba15a980d501e1421d28c3f8b9770260f34246374e9d490d0da0c6b9b1862

SHA512
881ed043200c0492f753d929729a2999f681acd952a406497703b5f0b1c4847bf7c8821d8d2ea3efa0e27fe38ca85c159f6b05ede4f7c7888b260d57a46cd76e

Download Submit
\Users\Admin\AppData\Local\Temp\f5526b8d40386b96e8c6669cf466d04a.exe

Filesize
101KB

MD5
217ca16903ee9f7b6e6b977417965442

SHA1
00b3e79f58d9d5990787bde41e34c2d1b765e9f6

SHA256
f84cda25a3098595aed15a4a6f9817a05901e5016c5b6244aec83196fb985a1c

SHA512
7064b36e989128002d725c820fbd596d8122b3b376d31295de9754f3daa79dfddb0da0635b1aa1118997503c10cabc3c6890b73bbef1614b871ca141bb33ad3b

Download Submit
memory/824-18-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/824-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/824-19-0x0000000001720000-0x00000000017E4000-memory.dmp

Filesize
784KB

Download
memory/824-25-0x0000000003080000-0x0000000003213000-memory.dmp

Filesize
1.6MB

Download
memory/824-24-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/824-35-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/824-34-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download
memory/2132-2-0x0000000000200000-0x00000000002C4000-memory.dmp

Filesize
784KB

Download
memory/2132-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2132-15-0x00000000030E0000-0x00000000033F2000-memory.dmp

Filesize
3.1MB

Download
memory/2132-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2132-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download