xmrig | affbe8c3e556f8fc779cbad4aebf070eda15c99de8488f0c6f642c987d2ab001

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1869546076ed8a3aca31f42d6e86c15e.exe
Size

784KB
MD5

1869546076ed8a3aca31f42d6e86c15e
SHA1

ec2caf510cf74634d778d0f6494bc0c2461ef9ee
SHA256

affbe8c3e556f8fc779cbad4aebf070eda15c99de8488f0c6f642c987d2ab001
SHA512

98578cc87e3ec3950de566c7a5524e378e1245fedc89daa562012fa8d917ef825d0da5c524311cf193a7701bc69093973fff2d8f2f513a37b73cd36730a48737
SSDEEP

12288:clUzEsuKAGsuWARoYN9FVSkyZarcXNrH3g1ZRZjbnRNkFHhx09XlOtXNRt9CFiJr:5upKoYNVSvZage1ZRhzROaXgtrtQna

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/2088-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2088-15-0x0000000003270000-0x0000000003582000-memory.dmp	xmrig
behavioral1/memory/2088-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/1768-18-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/1768-25-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/1768-24-0x00000000032A0000-0x0000000003433000-memory.dmp	xmrig
behavioral1/memory/1768-34-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig
behavioral1/memory/1768-35-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
1768	1869546076ed8a3aca31f42d6e86c15e.exe

Executes dropped EXE 1 IoCs

pid	Process
1768	1869546076ed8a3aca31f42d6e86c15e.exe

Loads dropped DLL 1 IoCs

pid	Process
2088	1869546076ed8a3aca31f42d6e86c15e.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2088-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000b000000012243-16.dat	upx
behavioral1/memory/1768-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000b000000012243-12.dat	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2088	1869546076ed8a3aca31f42d6e86c15e.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2088	1869546076ed8a3aca31f42d6e86c15e.exe
1768	1869546076ed8a3aca31f42d6e86c15e.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 1768	2088	1869546076ed8a3aca31f42d6e86c15e.exe	29
PID 2088 wrote to memory of 1768	2088	1869546076ed8a3aca31f42d6e86c15e.exe	29
PID 2088 wrote to memory of 1768	2088	1869546076ed8a3aca31f42d6e86c15e.exe	29
PID 2088 wrote to memory of 1768	2088	1869546076ed8a3aca31f42d6e86c15e.exe	29

C:\Users\Admin\AppData\Local\Temp\1869546076ed8a3aca31f42d6e86c15e.exe
"C:\Users\Admin\AppData\Local\Temp\1869546076ed8a3aca31f42d6e86c15e.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\AppData\Local\Temp\1869546076ed8a3aca31f42d6e86c15e.exe
  C:\Users\Admin\AppData\Local\Temp\1869546076ed8a3aca31f42d6e86c15e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1768

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1869546076ed8a3aca31f42d6e86c15e.exe

Filesize
320KB

MD5
67acfd62307ce3aa17f6560506f25368

SHA1
c1b242767885eb0894da006b37236beaef5ca1d6

SHA256
3fc9c01f83f2493dbe35f497f22d5cd210c23ec7063d4732349d65aecd78124c

SHA512
a83f7375ee42076352c72856d56cda8ca149bd614c3836536d5fa5ee8e5a9506cf1df44aa4e6cbe9e5cd80896b5fbf7b42a7d322f4487dc5298e1ac0a1550305

Download Submit
C:\Users\Admin\AppData\Local\Temp\1869546076ed8a3aca31f42d6e86c15e.exe

Filesize
784KB

MD5
a8a0de8db25400c7520de94bf7542d98

SHA1
db9a46cb272bf8a7ebac4e311c4e7fc0b1d0d740

SHA256
b50c827b5136c8ef5a2e2d7afa0e0fbaef4efba71c4f8fe94dabc02e33bd7e78

SHA512
e0f5ce777b7e563cacb37eacd4a38b20fe280ceaf45f1c3873905fefefef538504c6c3ddff33fa401161e392fbaf9cb439ffc42e52017e8cf9d2e9ff3395d38f

Download Submit
memory/1768-20-0x0000000000120000-0x00000000001E4000-memory.dmp

Filesize
784KB

Download
memory/1768-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1768-18-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1768-25-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1768-24-0x00000000032A0000-0x0000000003433000-memory.dmp

Filesize
1.6MB

Download
memory/1768-34-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download
memory/1768-35-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2088-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2088-15-0x0000000003270000-0x0000000003582000-memory.dmp

Filesize
3.1MB

Download
memory/2088-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2088-2-0x0000000000120000-0x00000000001E4000-memory.dmp

Filesize
784KB

Download
memory/2088-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download