xmrig | cfde56e0d190ad796f4a73dacc8b31e24cdda5992f7472f4f4fb0642d6777bdd

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 11:13

Target

16e6379e3e1bb98fd66cd27a79c00e1d.exe
Size

784KB
MD5

16e6379e3e1bb98fd66cd27a79c00e1d
SHA1

e167595454018611f718e39eb724a8b6ae06ab43
SHA256

cfde56e0d190ad796f4a73dacc8b31e24cdda5992f7472f4f4fb0642d6777bdd
SHA512

fd0bd3f38e01f79d4c29535be33a10a29c93b789a5c48e89247a09fcde4c7dd6e8f062124640e8d8e179a8d7d889693b8b585e00f9bfd07556ed62b850dff0b1
SSDEEP

12288:vuhNDDXR2NcSRaYBNIOMKNGbPT0EZYLQMBODPLok5GoOILB2kaBrh2lP:o91EaY8OMKNGDT07kMgPLo4OJkaBrQB

Score

10^/10

xmrig miner upx

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral2/memory/4672-2-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/4672-12-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/2808-15-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/2808-20-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral2/memory/2808-21-0x0000000005400000-0x0000000005593000-memory.dmp	xmrig
behavioral2/memory/2808-30-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2808	16e6379e3e1bb98fd66cd27a79c00e1d.exe

Executes dropped EXE 1 IoCs

pid	Process
2808	16e6379e3e1bb98fd66cd27a79c00e1d.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/4672-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral2/memory/2808-13-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral2/files/0x000c000000023177-11.dat	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4672	16e6379e3e1bb98fd66cd27a79c00e1d.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4672	16e6379e3e1bb98fd66cd27a79c00e1d.exe
2808	16e6379e3e1bb98fd66cd27a79c00e1d.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4672 wrote to memory of 2808	4672	16e6379e3e1bb98fd66cd27a79c00e1d.exe	22
PID 4672 wrote to memory of 2808	4672	16e6379e3e1bb98fd66cd27a79c00e1d.exe	22
PID 4672 wrote to memory of 2808	4672	16e6379e3e1bb98fd66cd27a79c00e1d.exe	22

C:\Users\Admin\AppData\Local\Temp\16e6379e3e1bb98fd66cd27a79c00e1d.exe

Filesize
382KB

MD5
baa61fb59527edd1b213986a3fa79a0c

SHA1
2a33b69c4fe0d20e39fc75209bc76811b3d0804e

SHA256
d373033da47f4d76bb54fa9a796bcac6b901d895c1501430023baffca8f2fcaf

SHA512
0fcf405e666d2f7b2984298e4b0481246dae7843ad36e59389ad1cf7563d9e3571ae0fe79fb5a1bf83c86274e3ea3dc1153e8e8348c600c2733fdb10d32421a7

Download Submit
memory/2808-13-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2808-15-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2808-20-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2808-21-0x0000000005400000-0x0000000005593000-memory.dmp

Filesize
1.6MB

Download
memory/2808-30-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2808-14-0x0000000001720000-0x00000000017E4000-memory.dmp

Filesize
784KB

Download
memory/4672-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/4672-1-0x00000000017F0000-0x00000000018B4000-memory.dmp

Filesize
784KB

Download
memory/4672-2-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/4672-12-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download