xmrig | 857d705f7d3e487cda56d0c0dd3ebf2da1255b6f5cd2468115d62466f3d40c66

Analysis

max time kernel
122s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b11149c96f3b20121c14d295e4427c9.exe
Size

784KB
MD5

0b11149c96f3b20121c14d295e4427c9
SHA1

ae3b1ee8e037c41d27f246f18ba52af6e3c3c507
SHA256

857d705f7d3e487cda56d0c0dd3ebf2da1255b6f5cd2468115d62466f3d40c66
SHA512

81a99cd0f25717fe37f7b418c242bef091b58271737a40ea70ea521aa38e996521e65cd16a0fef14c736ae2b757ee115fc82b14bb14297032a9036bb4a349562
SSDEEP

24576:NFW8i6iTeQmXPj0PjXxzA/Xh0p/xiOLDfcq:q8i6TXfAPmhKpid

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral2/memory/2156-2-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/2156-12-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/3600-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/3600-20-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral2/memory/3600-31-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral2/memory/3600-30-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig
behavioral2/memory/3600-21-0x0000000005360000-0x00000000054F3000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
3600	0b11149c96f3b20121c14d295e4427c9.exe

Executes dropped EXE 1 IoCs

pid	Process
3600	0b11149c96f3b20121c14d295e4427c9.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2156-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral2/files/0x000700000002322f-11.dat	upx
behavioral2/memory/3600-13-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2156	0b11149c96f3b20121c14d295e4427c9.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2156	0b11149c96f3b20121c14d295e4427c9.exe
3600	0b11149c96f3b20121c14d295e4427c9.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 3600	2156	0b11149c96f3b20121c14d295e4427c9.exe	24
PID 2156 wrote to memory of 3600	2156	0b11149c96f3b20121c14d295e4427c9.exe	24
PID 2156 wrote to memory of 3600	2156	0b11149c96f3b20121c14d295e4427c9.exe	24

C:\Users\Admin\AppData\Local\Temp\0b11149c96f3b20121c14d295e4427c9.exe
"C:\Users\Admin\AppData\Local\Temp\0b11149c96f3b20121c14d295e4427c9.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\0b11149c96f3b20121c14d295e4427c9.exe
  C:\Users\Admin\AppData\Local\Temp\0b11149c96f3b20121c14d295e4427c9.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3600

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0b11149c96f3b20121c14d295e4427c9.exe

Filesize
11KB

MD5
8f82549d69526f6244545542f5555750

SHA1
83747d7704c20758c31ae78396717d6296ddfa48

SHA256
138ae5fc6cd8469537295b106132275ecfde90507745484f6323f772b10ff23c

SHA512
77ea7a74067dd2d26a7d9065450eef93631604e3378161e7d057445a666b5e68eec67e27817957ebc701ce327a3b655e9a42fc7750f2997a5f6ddc623ac73bfc

Download Submit
memory/2156-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2156-2-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2156-1-0x0000000001720000-0x00000000017E4000-memory.dmp

Filesize
784KB

Download
memory/2156-12-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3600-13-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/3600-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3600-16-0x0000000001AF0000-0x0000000001BB4000-memory.dmp

Filesize
784KB

Download
memory/3600-20-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3600-31-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3600-30-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download
memory/3600-21-0x0000000005360000-0x00000000054F3000-memory.dmp

Filesize
1.6MB

Download