xmrig | 749524122994231f1b6404cce7e7b19d96d16977f461df3ad14dc4cce121d42f

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cfc11b577cb8b6fceb1219b2cabb8a2.exe
Size

784KB
MD5

1cfc11b577cb8b6fceb1219b2cabb8a2
SHA1

45ac93a99558a05df36acc4d163514ce0df7d411
SHA256

749524122994231f1b6404cce7e7b19d96d16977f461df3ad14dc4cce121d42f
SHA512

9f4718d45ed33d102842e9ee922da32a7c6e70d8f4bd34000dbde1acca3820eb50138edb57f6c87b5b1881ee0a798b0dc6ff19272e6c0660cb25a637b01f858e
SSDEEP

12288:f3f2t2w8zsKuGLvNi2AlzfxzllnG0EM3wRXtAm+ryeIB46Ti8NECRmqdwK:fPpwoQlbxbnEowWrR6ld

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral2/memory/5040-2-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/5040-12-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/4408-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/4408-20-0x0000000005460000-0x00000000055F3000-memory.dmp	xmrig
behavioral2/memory/4408-21-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral2/memory/4408-30-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
4408	1cfc11b577cb8b6fceb1219b2cabb8a2.exe

Executes dropped EXE 1 IoCs

pid	Process
4408	1cfc11b577cb8b6fceb1219b2cabb8a2.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5040-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral2/memory/4408-13-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral2/files/0x000600000002321c-11.dat	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
5040	1cfc11b577cb8b6fceb1219b2cabb8a2.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
5040	1cfc11b577cb8b6fceb1219b2cabb8a2.exe
4408	1cfc11b577cb8b6fceb1219b2cabb8a2.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 4408	5040	1cfc11b577cb8b6fceb1219b2cabb8a2.exe	91
PID 5040 wrote to memory of 4408	5040	1cfc11b577cb8b6fceb1219b2cabb8a2.exe	91
PID 5040 wrote to memory of 4408	5040	1cfc11b577cb8b6fceb1219b2cabb8a2.exe	91

C:\Users\Admin\AppData\Local\Temp\1cfc11b577cb8b6fceb1219b2cabb8a2.exe
"C:\Users\Admin\AppData\Local\Temp\1cfc11b577cb8b6fceb1219b2cabb8a2.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Users\Admin\AppData\Local\Temp\1cfc11b577cb8b6fceb1219b2cabb8a2.exe
  C:\Users\Admin\AppData\Local\Temp\1cfc11b577cb8b6fceb1219b2cabb8a2.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4408

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1cfc11b577cb8b6fceb1219b2cabb8a2.exe

Filesize
382KB

MD5
b51f55716b20976d6811136087e536e3

SHA1
d1b9584e5bb5c17fdd2601d170044a7151b833ff

SHA256
0a69c0e748eea28e7eb26fa7cc1fa78e7b255a35076b4f2e4e3a8801974ec38a

SHA512
f59cd643737b330c2c33d65a73f8a0bc776d08d768a95566eaec64192ea7b5db5f58840e6e6daa89754aedc68c6ff2ee612788e19afb76c6744d709564bdde78

Download Submit
memory/4408-13-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/4408-15-0x0000000001A70000-0x0000000001B34000-memory.dmp

Filesize
784KB

Download
memory/4408-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/4408-20-0x0000000005460000-0x00000000055F3000-memory.dmp

Filesize
1.6MB

Download
memory/4408-21-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/4408-30-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/5040-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/5040-1-0x0000000001B40000-0x0000000001C04000-memory.dmp

Filesize
784KB

Download
memory/5040-2-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/5040-12-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download