xmrig | 0bb0242b16e0a664844b63c464a335e76e5348c85ac0182cd1899da41ac8a5bb

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
22/12/2023, 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8d0f6647913538df2bf39a24740065f.exe
Size

784KB
MD5

f8d0f6647913538df2bf39a24740065f
SHA1

144b292a2045828b5eddc94b16b48b41b92bcb65
SHA256

0bb0242b16e0a664844b63c464a335e76e5348c85ac0182cd1899da41ac8a5bb
SHA512

c5fd231120088c4842994ccc293210759fb86f0845e21f67ffc19e33eaba33c7ac8c5f1bee154510a5ca15d524c240577c4322599a640377c39f1de19939278f
SSDEEP

24576:QgXYSQ9OH1QjhPNBtRo1wwwsewPN74LS6R6Q:ZZWjtRZNc4L7

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/1720-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/1720-16-0x00000000031F0000-0x0000000003502000-memory.dmp	xmrig
behavioral1/memory/1720-15-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2948-18-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2948-26-0x00000000030F0000-0x0000000003283000-memory.dmp	xmrig
behavioral1/memory/2948-24-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2948-35-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2948-34-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2948	f8d0f6647913538df2bf39a24740065f.exe

Executes dropped EXE 1 IoCs

pid	Process
2948	f8d0f6647913538df2bf39a24740065f.exe

Loads dropped DLL 1 IoCs

pid	Process
1720	f8d0f6647913538df2bf39a24740065f.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1720-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000900000001447e-10.dat	upx
behavioral1/memory/2948-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000900000001447e-14.dat	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1720	f8d0f6647913538df2bf39a24740065f.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1720	f8d0f6647913538df2bf39a24740065f.exe
2948	f8d0f6647913538df2bf39a24740065f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2948	1720	f8d0f6647913538df2bf39a24740065f.exe	29
PID 1720 wrote to memory of 2948	1720	f8d0f6647913538df2bf39a24740065f.exe	29
PID 1720 wrote to memory of 2948	1720	f8d0f6647913538df2bf39a24740065f.exe	29
PID 1720 wrote to memory of 2948	1720	f8d0f6647913538df2bf39a24740065f.exe	29

C:\Users\Admin\AppData\Local\Temp\f8d0f6647913538df2bf39a24740065f.exe
"C:\Users\Admin\AppData\Local\Temp\f8d0f6647913538df2bf39a24740065f.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\f8d0f6647913538df2bf39a24740065f.exe
  C:\Users\Admin\AppData\Local\Temp\f8d0f6647913538df2bf39a24740065f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f8d0f6647913538df2bf39a24740065f.exe

Filesize
251KB

MD5
7cf0b93090fefd602bada8fcf72c8a67

SHA1
5adc2e0cc20cd262de18c107a5f521d563dd6d66

SHA256
0b4bcef6d1515c481e3c748c9f6e9f9a0ca32fb812317a839c61db8b583d486a

SHA512
89529555d08757ec750dea45ae77b6fed4d73ecf6270d65f3227a6355bfec58528291f3b6cbae66da28bddb009a523beb27b6929780bdb57aa42fc582f5f066b

Download Submit
\Users\Admin\AppData\Local\Temp\f8d0f6647913538df2bf39a24740065f.exe

Filesize
64KB

MD5
8d4a575dce1d182382f73ebaf1fc92d4

SHA1
355785352c0298d20be91e60eb226bb95d8807b4

SHA256
eb951a77488571978b74fa385c9c638954ab18e2380000c45d19bb566abbefd8

SHA512
85d07a4d2e7aafa28fd6cda387ab4e1cc58c25cfd70d5388a5322de94a3bdcb8ce1188af7047cb598a7e911932ec355a90a40cbca23356a73eef36bd72aae43a

Download Submit
memory/1720-15-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1720-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1720-16-0x00000000031F0000-0x0000000003502000-memory.dmp

Filesize
3.1MB

Download
memory/1720-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1720-2-0x0000000000200000-0x00000000002C4000-memory.dmp

Filesize
784KB

Download
memory/2948-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2948-18-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2948-21-0x0000000000120000-0x00000000001E4000-memory.dmp

Filesize
784KB

Download
memory/2948-26-0x00000000030F0000-0x0000000003283000-memory.dmp

Filesize
1.6MB

Download
memory/2948-24-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2948-35-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2948-34-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download