xmrig | e0b0603f2ba213355ab784126019fcf2cfba8c665a4b5248ecab42aacaea9e80

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d449a8d368d0ba74c15cb48ad0a5952.exe
Size

784KB
MD5

0d449a8d368d0ba74c15cb48ad0a5952
SHA1

d3d3934733bd35fbf78eb983e6be4a207a9f171d
SHA256

e0b0603f2ba213355ab784126019fcf2cfba8c665a4b5248ecab42aacaea9e80
SHA512

94cff82faba4f79e77191452a3ea6446fcd661bb63fb1958978643836506ece7ff08a9e3479e79d267dc572ddb094e95431f453f9c0e48bedc84d712bd148c1c
SSDEEP

24576:pq9zytYPAy2ZCT8qJ37zYd6kFKdKW9cQcdIphB1:pGHP2QT8pd3KgMdb

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral2/memory/4528-2-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/2712-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/2712-22-0x0000000005400000-0x0000000005593000-memory.dmp	xmrig
behavioral2/memory/2712-30-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral2/memory/2712-20-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral2/memory/4528-12-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2712	0d449a8d368d0ba74c15cb48ad0a5952.exe

Executes dropped EXE 1 IoCs

pid	Process
2712	0d449a8d368d0ba74c15cb48ad0a5952.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4528-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral2/memory/2712-13-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral2/files/0x000700000002323c-11.dat	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4528	0d449a8d368d0ba74c15cb48ad0a5952.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4528	0d449a8d368d0ba74c15cb48ad0a5952.exe
2712	0d449a8d368d0ba74c15cb48ad0a5952.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 2712	4528	0d449a8d368d0ba74c15cb48ad0a5952.exe	22
PID 4528 wrote to memory of 2712	4528	0d449a8d368d0ba74c15cb48ad0a5952.exe	22
PID 4528 wrote to memory of 2712	4528	0d449a8d368d0ba74c15cb48ad0a5952.exe	22

C:\Users\Admin\AppData\Local\Temp\0d449a8d368d0ba74c15cb48ad0a5952.exe
"C:\Users\Admin\AppData\Local\Temp\0d449a8d368d0ba74c15cb48ad0a5952.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Users\Admin\AppData\Local\Temp\0d449a8d368d0ba74c15cb48ad0a5952.exe
  C:\Users\Admin\AppData\Local\Temp\0d449a8d368d0ba74c15cb48ad0a5952.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2712

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2712-13-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2712-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2712-16-0x0000000001A10000-0x0000000001AD4000-memory.dmp

Filesize
784KB

Download
memory/2712-22-0x0000000005400000-0x0000000005593000-memory.dmp

Filesize
1.6MB

Download
memory/2712-30-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2712-20-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/4528-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/4528-2-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/4528-12-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/4528-1-0x0000000001A20000-0x0000000001AE4000-memory.dmp

Filesize
784KB

Download