xmrig | 66c676db63026f9ece18a0213d9609febce4d7df5ab1c4b5c1e5b29d37d2cdcd

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 17:12

Target

fc4cecef5684ae291bafc481c83a9dce.exe
Size

784KB
MD5

fc4cecef5684ae291bafc481c83a9dce
SHA1

3dbb2d97b86a83d8d49ee08372165a38dd4bd1a3
SHA256

66c676db63026f9ece18a0213d9609febce4d7df5ab1c4b5c1e5b29d37d2cdcd
SHA512

8890bb6d36973668ba901c8514ee8b54de9ec40043b23d74957d19f0656394499167bc4a929f49eccbd24ca3ac603d9b9838546ab625fa908d494181e0aa6dc0
SSDEEP

12288:Ym/qF/fzU9p5mRr5e604eFVcZa69ZKEzkIHrCHFW/iee965MY2GOp7:Ym/W/fSo15e658+9ZnkAWHFXDYta

Score

10^/10

xmrig miner upx

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral2/memory/3092-2-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/2348-21-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral2/memory/2348-20-0x0000000005420000-0x00000000055B3000-memory.dmp	xmrig
behavioral2/memory/2348-30-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral2/memory/2348-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/3092-12-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2348	fc4cecef5684ae291bafc481c83a9dce.exe

Executes dropped EXE 1 IoCs

pid	Process
2348	fc4cecef5684ae291bafc481c83a9dce.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/3092-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral2/files/0x00080000000231d9-11.dat	upx
behavioral2/memory/2348-13-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3092	fc4cecef5684ae291bafc481c83a9dce.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3092	fc4cecef5684ae291bafc481c83a9dce.exe
2348	fc4cecef5684ae291bafc481c83a9dce.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3092 wrote to memory of 2348	3092	fc4cecef5684ae291bafc481c83a9dce.exe	93
PID 3092 wrote to memory of 2348	3092	fc4cecef5684ae291bafc481c83a9dce.exe	93
PID 3092 wrote to memory of 2348	3092	fc4cecef5684ae291bafc481c83a9dce.exe	93

C:\Users\Admin\AppData\Local\Temp\fc4cecef5684ae291bafc481c83a9dce.exe

Filesize
382KB

MD5
f6cf2f8b54c2e2f301698b8e07d958b0

SHA1
eec58c915f61e68f56efcd7348f87c146b42334a

SHA256
ec89b2bf8a19b9b45c71117466be3defcba46254f8a9c105289f1ba3930ccf29

SHA512
ee0bdbe18debbf43f4b36d4793706c8fb9ddce499668e0e0ddd0ad58cb666b1303107c3d13444b841b1af57ef6be5159216bf57915f651965df3e0a298c9a2fe

Download Submit
memory/2348-13-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2348-15-0x0000000001A30000-0x0000000001AF4000-memory.dmp

Filesize
784KB

Download
memory/2348-21-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2348-20-0x0000000005420000-0x00000000055B3000-memory.dmp

Filesize
1.6MB

Download
memory/2348-30-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2348-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3092-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/3092-1-0x00000000019D0000-0x0000000001A94000-memory.dmp

Filesize
784KB

Download
memory/3092-2-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3092-12-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download