xmrig | d7bdebfcbffa24faafb940a468d3f5eb8229b414a7d12da1800b62e3ca05245a

Analysis

max time kernel
126s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 16:38

Target

f5526b8d40386b96e8c6669cf466d04a.exe
Size

784KB
MD5

f5526b8d40386b96e8c6669cf466d04a
SHA1

17afc28cf1ff725600f88972952e3944741c4614
SHA256

d7bdebfcbffa24faafb940a468d3f5eb8229b414a7d12da1800b62e3ca05245a
SHA512

d0d0c83a5bccefc8d901d9ad2815fede78d3fc600284bf6e3000568cec14b93a0d138a164c95fa4c877d83f94fcfa7642ca6aa0917cb6ec4cd6995ebfebb4694
SSDEEP

24576:hPqBJMy6p62Ya6QDNU7zf87aS+e+v0kCJ:0Bvq6O27zf8+S+bvc

Score

10^/10

xmrig miner upx

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral2/memory/2508-2-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/2508-13-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/3396-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/3396-20-0x00000000053B0000-0x0000000005543000-memory.dmp	xmrig
behavioral2/memory/3396-21-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral2/memory/3396-30-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
3396	f5526b8d40386b96e8c6669cf466d04a.exe

Executes dropped EXE 1 IoCs

pid	Process
3396	f5526b8d40386b96e8c6669cf466d04a.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/2508-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral2/memory/3396-12-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral2/files/0x0007000000023215-11.dat	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2508	f5526b8d40386b96e8c6669cf466d04a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2508	f5526b8d40386b96e8c6669cf466d04a.exe
3396	f5526b8d40386b96e8c6669cf466d04a.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 3396	2508	f5526b8d40386b96e8c6669cf466d04a.exe	93
PID 2508 wrote to memory of 3396	2508	f5526b8d40386b96e8c6669cf466d04a.exe	93
PID 2508 wrote to memory of 3396	2508	f5526b8d40386b96e8c6669cf466d04a.exe	93

C:\Users\Admin\AppData\Local\Temp\f5526b8d40386b96e8c6669cf466d04a.exe

Filesize
337KB

MD5
fe7e798ff29d3206df62c904d4b21eb9

SHA1
b4825d24a15c6b6bdbaf5f50cfc7c12111280609

SHA256
e7236de6a3b2a32c70d7c12c5a62ad466b46b5ac45e34842385817a2357a6d14

SHA512
9265f04df75c7a69336d04b85959dca847c68f1ed0f4e429e17d8bdc9f1af4110cc9e185c2821d3f8ab6487fcc4c9dc2cce912908572fc4453aab552aa09f5a0

Download Submit
memory/2508-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2508-1-0x0000000001A80000-0x0000000001B44000-memory.dmp

Filesize
784KB

Download
memory/2508-2-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2508-13-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3396-12-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/3396-15-0x00000000019C0000-0x0000000001A84000-memory.dmp

Filesize
784KB

Download
memory/3396-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3396-20-0x00000000053B0000-0x0000000005543000-memory.dmp

Filesize
1.6MB

Download
memory/3396-21-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3396-30-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download