xmrig | defffc256fb98f20fb720a9b566aa32cfc560d2ef3b6d715f0e511b8a367cb83

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 05:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

101c0fbd15cef2bd384853992bf49b03.exe
Size

784KB
MD5

101c0fbd15cef2bd384853992bf49b03
SHA1

0eb0dc48c8674d4d73fdd4b80ef5327ae838261a
SHA256

defffc256fb98f20fb720a9b566aa32cfc560d2ef3b6d715f0e511b8a367cb83
SHA512

52eafd2f0d1c20d9a9e4c8eb4a0c487198ad22e13c213e1f33d0a4d65d32b5c4a0605a5db9473f71ae9d490d9d42b6e1a843e04ab91c40aaa8ef28e81e7c420e
SSDEEP

12288:XHRCeJEm8PAxjCDfhG9ZPjaA3Ipzxth7NNCk2RFMcvl6Q7Bu/DkBg3X2H/mn6uvh:cm8PAVME9xayIltKkajvp7tJe6ijjVZ

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/2220-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2220-15-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2056-18-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2056-26-0x00000000030B0000-0x0000000003243000-memory.dmp	xmrig
behavioral1/memory/2056-24-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2056-34-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig
behavioral1/memory/2056-35-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2056	101c0fbd15cef2bd384853992bf49b03.exe

Executes dropped EXE 1 IoCs

pid	Process
2056	101c0fbd15cef2bd384853992bf49b03.exe

Loads dropped DLL 1 IoCs

pid	Process
2220	101c0fbd15cef2bd384853992bf49b03.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2220-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x0009000000012270-10.dat	upx
behavioral1/files/0x0009000000012270-16.dat	upx
behavioral1/memory/2056-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/memory/2220-14-0x00000000031F0000-0x0000000003502000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2220	101c0fbd15cef2bd384853992bf49b03.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2220	101c0fbd15cef2bd384853992bf49b03.exe
2056	101c0fbd15cef2bd384853992bf49b03.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2056	2220	101c0fbd15cef2bd384853992bf49b03.exe	29
PID 2220 wrote to memory of 2056	2220	101c0fbd15cef2bd384853992bf49b03.exe	29
PID 2220 wrote to memory of 2056	2220	101c0fbd15cef2bd384853992bf49b03.exe	29
PID 2220 wrote to memory of 2056	2220	101c0fbd15cef2bd384853992bf49b03.exe	29

C:\Users\Admin\AppData\Local\Temp\101c0fbd15cef2bd384853992bf49b03.exe
"C:\Users\Admin\AppData\Local\Temp\101c0fbd15cef2bd384853992bf49b03.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\101c0fbd15cef2bd384853992bf49b03.exe
  C:\Users\Admin\AppData\Local\Temp\101c0fbd15cef2bd384853992bf49b03.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\101c0fbd15cef2bd384853992bf49b03.exe

Filesize
398KB

MD5
d0289559633585c6792bf20b69894ed2

SHA1
bfeed4c8c746061114969388873d02758145d778

SHA256
1768e7014e85eadb5a6eda0584f26251b32308aa6c03bc636a07c8f2bdb9fc55

SHA512
603f2403c296a3f938bc2b35a1f34930d61b538ec8cd5adcd9019e10aa7d9b068163849988bff7ed8f40594f6491245563c6fc5633b8f42a373660624f2f9ecd

Download Submit
\Users\Admin\AppData\Local\Temp\101c0fbd15cef2bd384853992bf49b03.exe

Filesize
357KB

MD5
b99c51cef45716924e549e970b601aec

SHA1
9d99eed9eeb014a96f2ff853028c87a871962186

SHA256
a13a4ffcaad26d303d1f272db121a649502795b677222b8790d798cbb5fc383c

SHA512
4eea4144993f9eccebd232f1b2f401969aecf92ff8e84be9ba7e4ec031cc0afbfe98b62a12a4e33b425fb9944378b66f1fea9b237e8b89b8bd81ea85f14f21bf

Download Submit
memory/2056-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2056-19-0x0000000001720000-0x00000000017E4000-memory.dmp

Filesize
784KB

Download
memory/2056-18-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2056-26-0x00000000030B0000-0x0000000003243000-memory.dmp

Filesize
1.6MB

Download
memory/2056-24-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2056-34-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download
memory/2056-35-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2220-3-0x0000000000300000-0x00000000003C4000-memory.dmp

Filesize
784KB

Download
memory/2220-15-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2220-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2220-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2220-14-0x00000000031F0000-0x0000000003502000-memory.dmp

Filesize
3.1MB

Download