Analysis
- max time kernel: 121s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 22/12/2023, 16:46
Behavioral task: behavioral1
- Sample: f7cb0e8c6e055469803c76d59a6f77d8.exe
- Resource: win7-20231215-en
General
- Target: f7cb0e8c6e055469803c76d59a6f77d8.exe
- Size: 784KB
- MD5: f7cb0e8c6e055469803c76d59a6f77d8
- SHA1: b992e6d9ad0ad93e3ca62a9df09e70e8e08928d0
- SHA256: d601d3cbae466945df780bf0d48d6800d54ef58ab2330ce866df585cd8e6d063
- SHA512: 9f3cd460ce22b537737633dd27dce4f63fb46608f1cc711444466a2613affcd80cbf24c6bb1b8ab7cafe151b380f3b4b47b6cc0dae85bd5ceff54e2d8df9aeb9
- SSDEEP: 12288:4w9roMj2kwtMus9MjRC+h/6DpfWVqjs/ev2QDFk8V0dG6hwfXlAdGl2nuF56sPo7:4MjSJ9CcwvwTQDaZdG6gknuFlPo5ATq
Malware Config
Signatures
- XMRig Miner payload (7 IoCs)
  resource | yara_rule
  behavioral1/memory/1360-1-0x0000000000400000-0x0000000000593000-memory.dmp | xmrig
  behavioral1/memory/1360-14-0x0000000000400000-0x0000000000593000-memory.dmp | xmrig
  behavioral1/memory/3048-18-0x0000000000400000-0x0000000000593000-memory.dmp | xmrig
  behavioral1/memory/3048-25-0x0000000003130000-0x00000000032C3000-memory.dmp | xmrig
  behavioral1/memory/3048-24-0x0000000000400000-0x0000000000587000-memory.dmp | xmrig
  behavioral1/memory/3048-35-0x0000000000400000-0x0000000000587000-memory.dmp | xmrig
  behavioral1/memory/3048-34-0x00000000005A0000-0x000000000071F000-memory.dmp | xmrig
- Deletes itself (1 IoC)
  pid | Process
  3048 | f7cb0e8c6e055469803c76d59a6f77d8.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  3048 | f7cb0e8c6e055469803c76d59a6f77d8.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  1360 | f7cb0e8c6e055469803c76d59a6f77d8.exe
  resource | yara_rule
  behavioral1/memory/1360-0-0x0000000000400000-0x0000000000712000-memory.dmp | upx
  behavioral1/files/0x000c00000001225c-10.dat | upx
  behavioral1/memory/1360-15-0x00000000031B0000-0x00000000034C2000-memory.dmp | upx
  behavioral1/files/0x000c00000001225c-16.dat | upx
  behavioral1/memory/3048-17-0x0000000000400000-0x0000000000712000-memory.dmp | upx
- Suspicious behavior: RenamesItself (1 IoC)
  pid | Process
  1360 | f7cb0e8c6e055469803c76d59a6f77d8.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid | Process
  1360 | f7cb0e8c6e055469803c76d59a6f77d8.exe
  3048 | f7cb0e8c6e055469803c76d59a6f77d8.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1360 wrote to memory of 3048 | 1360 | f7cb0e8c6e055469803c76d59a6f77d8.exe | 29
  PID 1360 wrote to memory of 3048 | 1360 | f7cb0e8c6e055469803c76d59a6f77d8.exe | 29
  PID 1360 wrote to memory of 3048 | 1360 | f7cb0e8c6e055469803c76d59a6f77d8.exe | 29
  PID 1360 wrote to memory of 3048 | 1360 | f7cb0e8c6e055469803c76d59a6f77d8.exe | 29
Processes
- C:\Users\Admin\AppData\Local\Temp\f7cb0e8c6e055469803c76d59a6f77d8.exe (tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f7cb0e8c6e055469803c76d59a6f77d8.exe"
  PID: 1360
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\f7cb0e8c6e055469803c76d59a6f77d8.exe (tree depth 2, child of PID 1360)
    Command line: C:\Users\Admin\AppData\Local\Temp\f7cb0e8c6e055469803c76d59a6f77d8.exe
    PID: 3048
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 55KB
  MD5: 13eafdb7db937000e8db469ce7381d57
  SHA1: e409cf31397977c77f0c856f1e0a1603cfc224d0
  SHA256: dca4d62550b1cb54dcf42ecd22f33b53202d9ccdf905e58481cb059b4092501f
  SHA512: 64cafb937544f73bdfada40be74a87355fb4c9bd81b16ad0ae028da93c03a0711596cea3df2d46d723348581336f9cf6263695e69337f4b0978de587f1074671
- Filesize: 73KB
  MD5: aa419206d5611b61b3fa61599af7db8d
  SHA1: fba67e4f4b2eeb09eb847b6460f0e105e33b6aba
  SHA256: 1b60a1722afcad4f0a994c452c8a6e222123960cf10065f9dcd7d9db00d32967
  SHA512: 86e86d3e35231d35e74274e75d96506f94c6b5a7913ff6391150590ac4ce29f088427573394940bc027188d05b1af648d9288eb2dc3a4c5b0b58d36fbbca2967