xmrig | 2427f201a679e337e5c6363123b388c3ce25b789032338a6aab1e2b65eb79c9f

General

Target

048ba9c56e430b58f984a4e40a4745e5.exe
Size

1.5MB
MD5

048ba9c56e430b58f984a4e40a4745e5
SHA1

946c9bb2551afbcc57b21407f1f9da5731395be7
SHA256

2427f201a679e337e5c6363123b388c3ce25b789032338a6aab1e2b65eb79c9f
SHA512

2309a260b632afdc164324507bc8c2fc7759030f475bb2f5b85b7c966f56fa5b5c423a606040ad76e65db7d406b2ba0f9767d3bd8732bc7b31c4c735040762f3
SSDEEP

49152:OaS7ahGPNKahlYF6ITM+wb12Q1hjnoOk5:XuME86S/g26jnoOk

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/1636-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/1636-15-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2512-18-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2512-24-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2512-25-0x00000000030E0000-0x0000000003273000-memory.dmp	xmrig
behavioral1/memory/2512-34-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig
behavioral1/memory/2512-35-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2512	048ba9c56e430b58f984a4e40a4745e5.exe

Executes dropped EXE 1 IoCs

pid	Process
2512	048ba9c56e430b58f984a4e40a4745e5.exe

Loads dropped DLL 1 IoCs

pid	Process
1636	048ba9c56e430b58f984a4e40a4745e5.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1636-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x0007000000012270-10.dat	upx
behavioral1/memory/2512-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/memory/1636-14-0x00000000035F0000-0x0000000003902000-memory.dmp	upx
behavioral1/files/0x0007000000012270-13.dat	upx
behavioral1/files/0x0007000000012270-16.dat	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1636	048ba9c56e430b58f984a4e40a4745e5.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1636	048ba9c56e430b58f984a4e40a4745e5.exe
2512	048ba9c56e430b58f984a4e40a4745e5.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 2512	1636	048ba9c56e430b58f984a4e40a4745e5.exe	29
PID 1636 wrote to memory of 2512	1636	048ba9c56e430b58f984a4e40a4745e5.exe	29
PID 1636 wrote to memory of 2512	1636	048ba9c56e430b58f984a4e40a4745e5.exe	29
PID 1636 wrote to memory of 2512	1636	048ba9c56e430b58f984a4e40a4745e5.exe	29

C:\Users\Admin\AppData\Local\Temp\048ba9c56e430b58f984a4e40a4745e5.exe
"C:\Users\Admin\AppData\Local\Temp\048ba9c56e430b58f984a4e40a4745e5.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Users\Admin\AppData\Local\Temp\048ba9c56e430b58f984a4e40a4745e5.exe
  C:\Users\Admin\AppData\Local\Temp\048ba9c56e430b58f984a4e40a4745e5.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\048ba9c56e430b58f984a4e40a4745e5.exe

Filesize
402KB

MD5
6a784ffa83d347685cbac3ccb8f795b8

SHA1
392cc364865512e735c1c8860291cb2379e73bfe

SHA256
aec21d6a30a795f42b50f6de63316f3bc68d7b9bcca1975a3808f1900a8d877d

SHA512
2f679d06c5f19f2a196c4b58585ff46919570bb68b2d205dea75aa72d988c9f38e6f9b31c0237ddfa712dbe755bf34f499987e6d416a876045de4028994f4417

Download Submit
C:\Users\Admin\AppData\Local\Temp\048ba9c56e430b58f984a4e40a4745e5.exe

Filesize
607KB

MD5
705bb29df4d9731845325938bf07cc6b

SHA1
604f8b162c32837a1469024c2ec3707be9d94ab9

SHA256
afff1bbe5b19e14599467497e872476e176614dbdbd045e007676b9d5fd71699

SHA512
883427b975d8a9bae73d329e04f6a57bd08390cbec982c35d17b1cec915c8eb142214d68d94acb6a60d4e04d09e3964c972d7e9abc98aca38dc710222e23323a

Download Submit
\Users\Admin\AppData\Local\Temp\048ba9c56e430b58f984a4e40a4745e5.exe

Filesize
252KB

MD5
b252818480e9dda499181d814f462e44

SHA1
1f30653c1b09e8c9b0ca76eb7ea145fd0c1f8abc

SHA256
3556a140927c6818f682c07965994b94e328edad39b2336c711d80edf74e6b2e

SHA512
87ea58095aaf6c14eb619f0e260b618a73d003dedcdf6fa98cfa251bdcc24f6fff9aea71e23a8f81479ed85e572df0ddec1cd200dd7de7cabb8e28e226537a3e

Download Submit
memory/1636-36-0x00000000035F0000-0x0000000003902000-memory.dmp

Filesize
3.1MB

Download
memory/1636-2-0x0000000000120000-0x00000000001E4000-memory.dmp

Filesize
784KB

Download
memory/1636-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1636-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1636-15-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1636-14-0x00000000035F0000-0x0000000003902000-memory.dmp

Filesize
3.1MB

Download
memory/2512-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2512-20-0x00000000018B0000-0x0000000001974000-memory.dmp

Filesize
784KB

Download
memory/2512-24-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2512-25-0x00000000030E0000-0x0000000003273000-memory.dmp

Filesize
1.6MB

Download
memory/2512-34-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download
memory/2512-35-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2512-18-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing