xmrig | 039d12ce894ce489e3919969fa64e7b5cfb910e9ee64ce08f6294f6f3ab5e8dc

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 18:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

33e1db497dc7561f337b285057682e87.exe
Size

1.6MB
MD5

33e1db497dc7561f337b285057682e87
SHA1

dc2a401adfb4b68b6734e4d8a1a091b9790401e8
SHA256

039d12ce894ce489e3919969fa64e7b5cfb910e9ee64ce08f6294f6f3ab5e8dc
SHA512

fafa66a7a247e90ec052d2580c3a1cfe879dc18c842c55c3ce1980bab2748fd1a41625dd3f9960efbbe97017d81727009711c19021cde58fd93a35b228e8009e
SSDEEP

49152:VM3kfpHAmX5y+1ckMwFDtdmt9U3Z/SV1U:V7pHAmV1rMw8tK3Z/AS

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/1212-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2284-21-0x0000000000400000-0x0000000000A7A000-memory.dmp	xmrig
behavioral1/memory/2284-30-0x0000000023690000-0x0000000023823000-memory.dmp	xmrig
behavioral1/memory/2284-35-0x00000000239B0000-0x0000000023B32000-memory.dmp	xmrig
behavioral1/memory/2284-42-0x0000000000400000-0x000000000057C000-memory.dmp	xmrig
behavioral1/memory/2284-32-0x0000000000400000-0x000000000057C000-memory.dmp	xmrig
behavioral1/memory/2284-26-0x0000000000400000-0x0000000000582000-memory.dmp	xmrig
behavioral1/memory/1212-16-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/1212-43-0x00000000234B0000-0x0000000023B2A000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2284	33e1db497dc7561f337b285057682e87.exe

Executes dropped EXE 1 IoCs

pid	Process
2284	33e1db497dc7561f337b285057682e87.exe

Loads dropped DLL 1 IoCs

pid	Process
1212	33e1db497dc7561f337b285057682e87.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000012232-11.dat	upx
behavioral1/memory/1212-0-0x0000000000400000-0x0000000000A7A000-memory.dmp	upx
behavioral1/files/0x000a000000012232-15.dat	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1212	33e1db497dc7561f337b285057682e87.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1212	33e1db497dc7561f337b285057682e87.exe
2284	33e1db497dc7561f337b285057682e87.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 2284	1212	33e1db497dc7561f337b285057682e87.exe	16
PID 1212 wrote to memory of 2284	1212	33e1db497dc7561f337b285057682e87.exe	16
PID 1212 wrote to memory of 2284	1212	33e1db497dc7561f337b285057682e87.exe	16
PID 1212 wrote to memory of 2284	1212	33e1db497dc7561f337b285057682e87.exe	16

C:\Users\Admin\AppData\Local\Temp\33e1db497dc7561f337b285057682e87.exe
C:\Users\Admin\AppData\Local\Temp\33e1db497dc7561f337b285057682e87.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:2284

C:\Users\Admin\AppData\Local\Temp\33e1db497dc7561f337b285057682e87.exe
"C:\Users\Admin\AppData\Local\Temp\33e1db497dc7561f337b285057682e87.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1212

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\33e1db497dc7561f337b285057682e87.exe

Filesize
893KB

MD5
4f19e3d8a12d394af1e596dc28ba8ca0

SHA1
6f7fec6f5b7a506189ac4771417b3d66dd7db69f

SHA256
dc42df19bb19090d3e5a0f00828e65b670e19de0246fdc5da04aabbe054f1ada

SHA512
0dfd122feed8455d7dc6231f8aaf70539c93903a3e73d21e69deaf943c461df3fee894cb8db68c5efad222d12928665b8d9cc7656edb1e88015730f76fa15d9d

Download Submit
\Users\Admin\AppData\Local\Temp\33e1db497dc7561f337b285057682e87.exe

Filesize
86KB

MD5
9a05a1d56cc7b7ffbc6b5ff5c0cb9107

SHA1
64f3fc78e84e708e3331e96663f537054a42a44e

SHA256
cc88a64dc6be2a3bcb723426682d5adb410f15765974198818eec00d5b6ce9c6

SHA512
2f7e3e3d61e9678a7d15b6dc501fc780c5ed356ff6f647669ddf2027cc7171cbadf26cc866ce2e376a8a3f279b6e5ae6b8fa5631300b1ed060b1255316e47312

Download Submit
memory/1212-16-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1212-3-0x0000000021D60000-0x0000000021EFE000-memory.dmp

Filesize
1.6MB

Download
memory/1212-0-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download
memory/1212-19-0x00000000234B0000-0x0000000023B2A000-memory.dmp

Filesize
6.5MB

Download
memory/1212-43-0x00000000234B0000-0x0000000023B2A000-memory.dmp

Filesize
6.5MB

Download
memory/1212-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2284-21-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download
memory/2284-42-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/2284-32-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/2284-26-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/2284-35-0x00000000239B0000-0x0000000023B32000-memory.dmp

Filesize
1.5MB

Download
memory/2284-30-0x0000000023690000-0x0000000023823000-memory.dmp

Filesize
1.6MB

Download
memory/2284-17-0x0000000021CC0000-0x0000000021E5E000-memory.dmp

Filesize
1.6MB

Download