xmrig | 857d705f7d3e487cda56d0c0dd3ebf2da1255b6f5cd2468115d62466f3d40c66

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b11149c96f3b20121c14d295e4427c9.exe
Size

784KB
MD5

0b11149c96f3b20121c14d295e4427c9
SHA1

ae3b1ee8e037c41d27f246f18ba52af6e3c3c507
SHA256

857d705f7d3e487cda56d0c0dd3ebf2da1255b6f5cd2468115d62466f3d40c66
SHA512

81a99cd0f25717fe37f7b418c242bef091b58271737a40ea70ea521aa38e996521e65cd16a0fef14c736ae2b757ee115fc82b14bb14297032a9036bb4a349562
SSDEEP

24576:NFW8i6iTeQmXPj0PjXxzA/Xh0p/xiOLDfcq:q8i6TXfAPmhKpid

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/2968-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/3008-19-0x0000000000400000-0x0000000000712000-memory.dmp	xmrig
behavioral1/memory/3008-26-0x00000000030A0000-0x0000000003233000-memory.dmp	xmrig
behavioral1/memory/3008-24-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/3008-35-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/3008-34-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig
behavioral1/memory/3008-17-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2968-16-0x0000000003100000-0x0000000003412000-memory.dmp	xmrig
behavioral1/memory/2968-15-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
3008	0b11149c96f3b20121c14d295e4427c9.exe

Executes dropped EXE 1 IoCs

pid	Process
3008	0b11149c96f3b20121c14d295e4427c9.exe

Loads dropped DLL 1 IoCs

pid	Process
2968	0b11149c96f3b20121c14d295e4427c9.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2968-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000c0000000122c4-10.dat	upx
behavioral1/files/0x000c0000000122c4-14.dat	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2968	0b11149c96f3b20121c14d295e4427c9.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2968	0b11149c96f3b20121c14d295e4427c9.exe
3008	0b11149c96f3b20121c14d295e4427c9.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 3008	2968	0b11149c96f3b20121c14d295e4427c9.exe	17
PID 2968 wrote to memory of 3008	2968	0b11149c96f3b20121c14d295e4427c9.exe	17
PID 2968 wrote to memory of 3008	2968	0b11149c96f3b20121c14d295e4427c9.exe	17
PID 2968 wrote to memory of 3008	2968	0b11149c96f3b20121c14d295e4427c9.exe	17

C:\Users\Admin\AppData\Local\Temp\0b11149c96f3b20121c14d295e4427c9.exe
"C:\Users\Admin\AppData\Local\Temp\0b11149c96f3b20121c14d295e4427c9.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Users\Admin\AppData\Local\Temp\0b11149c96f3b20121c14d295e4427c9.exe
  C:\Users\Admin\AppData\Local\Temp\0b11149c96f3b20121c14d295e4427c9.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\0b11149c96f3b20121c14d295e4427c9.exe

Filesize
92KB

MD5
25f8afa4865febbfa5633e18d3c374f2

SHA1
34f07e4e19672e90c94a29cb3df88e743675334b

SHA256
27552f1fb4e9c38019d2f4a71e0a744c13e3fb1b0f0ba9478b75f4b432040be4

SHA512
da86913611219e29c6ebaa22679356dcbf5773012436d62f33def16d630507f2b75d36c0579d2c607f0e6afcf4d3095e6a802f8f6c017755ef22d1f760a290c7

Download Submit
memory/2968-16-0x0000000003100000-0x0000000003412000-memory.dmp

Filesize
3.1MB

Download
memory/2968-2-0x0000000000210000-0x00000000002D4000-memory.dmp

Filesize
784KB

Download
memory/2968-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2968-15-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2968-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/3008-21-0x00000000018B0000-0x0000000001974000-memory.dmp

Filesize
784KB

Download
memory/3008-24-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3008-35-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3008-34-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download
memory/3008-17-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3008-26-0x00000000030A0000-0x0000000003233000-memory.dmp

Filesize
1.6MB

Download
memory/3008-19-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download