xmrig | 8e8f57464c7ac021bb950632abef63de0119428742a9fa32ba3626e0415923bc

Analysis

max time kernel
118s
max time network
139s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22/12/2023, 16:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f00efb46dcdc92a79d6e32385369abe2.exe
Size

784KB
MD5

f00efb46dcdc92a79d6e32385369abe2
SHA1

e8d1204c527862347d2dc60621dc68199e5d68a0
SHA256

8e8f57464c7ac021bb950632abef63de0119428742a9fa32ba3626e0415923bc
SHA512

cbc0394940eaeb011ce210a75599a83cf75aeda031cbab0456f9b111ccbc3520c036f2ee0cf5104f6d2bb6ec1dd9dc894fa696f10dc66e9dcb71156a2dd7df50
SSDEEP

24576:8EsrT2MEQiPtcxp0Fm4+kErHxU20757XNUD:uL2tMpIm4zms57dUD

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/2864-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2864-15-0x0000000003220000-0x0000000003532000-memory.dmp	xmrig
behavioral1/memory/2864-17-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2772-19-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2772-26-0x00000000030A0000-0x0000000003233000-memory.dmp	xmrig
behavioral1/memory/2772-25-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2772-36-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2772-35-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2772	f00efb46dcdc92a79d6e32385369abe2.exe

Executes dropped EXE 1 IoCs

pid	Process
2772	f00efb46dcdc92a79d6e32385369abe2.exe

Loads dropped DLL 1 IoCs

pid	Process
2864	f00efb46dcdc92a79d6e32385369abe2.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2864-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000a00000001223b-10.dat	upx
behavioral1/memory/2864-15-0x0000000003220000-0x0000000003532000-memory.dmp	upx
behavioral1/files/0x000a00000001223b-16.dat	upx
behavioral1/memory/2772-18-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2864	f00efb46dcdc92a79d6e32385369abe2.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2864	f00efb46dcdc92a79d6e32385369abe2.exe
2772	f00efb46dcdc92a79d6e32385369abe2.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2772	2864	f00efb46dcdc92a79d6e32385369abe2.exe	29
PID 2864 wrote to memory of 2772	2864	f00efb46dcdc92a79d6e32385369abe2.exe	29
PID 2864 wrote to memory of 2772	2864	f00efb46dcdc92a79d6e32385369abe2.exe	29
PID 2864 wrote to memory of 2772	2864	f00efb46dcdc92a79d6e32385369abe2.exe	29

C:\Users\Admin\AppData\Local\Temp\f00efb46dcdc92a79d6e32385369abe2.exe
"C:\Users\Admin\AppData\Local\Temp\f00efb46dcdc92a79d6e32385369abe2.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Local\Temp\f00efb46dcdc92a79d6e32385369abe2.exe
  C:\Users\Admin\AppData\Local\Temp\f00efb46dcdc92a79d6e32385369abe2.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2772

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f00efb46dcdc92a79d6e32385369abe2.exe

Filesize
135KB

MD5
ca7e76330c5b047d9350e165f5ff5427

SHA1
e9fc5087a18c4cb736b231c8a3d399f209f37772

SHA256
aed858bc839a4be8d2de5a252dfc1e8b11131b3a78feb5287ae04fbfe7a29dc9

SHA512
755e6d7defa77ab52580c8350241c9d1920b6ea93b73f7691755d16dccc40858ff702bddda4c1f7f33a11de9355ec39c29cd445a1e0bbc888a2bb6c56d46ad58

Download Submit
\Users\Admin\AppData\Local\Temp\f00efb46dcdc92a79d6e32385369abe2.exe

Filesize
65KB

MD5
ee491ea558c03aac9177338b4ad406de

SHA1
34c9d2017a114821888502847a0652771675e161

SHA256
51eac84cda3f0ef89ec1d7eea066108c2b5b8c68cbe2aa9e87994f3f1ec3fa84

SHA512
5a576e7d9336123794b63fafb147014b2a2739d28c4313372a77efaa9144622b74848271d1ca05966131d784cae19ddb7a2c8593d48b1d77dc11e158e380a83e

Download Submit
memory/2772-18-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2772-19-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2772-24-0x00000000018B0000-0x0000000001974000-memory.dmp

Filesize
784KB

Download
memory/2772-26-0x00000000030A0000-0x0000000003233000-memory.dmp

Filesize
1.6MB

Download
memory/2772-25-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2772-36-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2772-35-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download
memory/2864-3-0x0000000000120000-0x00000000001E4000-memory.dmp

Filesize
784KB

Download
memory/2864-15-0x0000000003220000-0x0000000003532000-memory.dmp

Filesize
3.1MB

Download
memory/2864-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2864-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2864-17-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download