xmrig | b731a8f332382470531ae0c1a1c351296a24b86322c2f8c44b677268c5c32d72

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 00:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

222866c859c1cff9cb4ddaa1ac17e435.exe
Size

1.5MB
MD5

222866c859c1cff9cb4ddaa1ac17e435
SHA1

1a304d1d7557f81352022fb885c5497c952b1e3a
SHA256

b731a8f332382470531ae0c1a1c351296a24b86322c2f8c44b677268c5c32d72
SHA512

eae4b83011bce5e2960970affb79d4b89dc3897c8ade54268a015f2853c82753caa12e4f75bff1ef72b3ccdfbcfa29635d76d628442a0bb4d2ac0225a89534fc
SSDEEP

49152:eyxB0UKT3bvsBnbYZej7G5AFDKcMaU/FZNiN:eyTHKTotbnuuaaY7Ns

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/2496-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2496-15-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2700-17-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2700-18-0x0000000000400000-0x0000000000712000-memory.dmp	xmrig
behavioral1/memory/2496-16-0x0000000003380000-0x0000000003692000-memory.dmp	xmrig
behavioral1/memory/2700-24-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2700-27-0x0000000003030000-0x00000000031C3000-memory.dmp	xmrig
behavioral1/memory/2700-35-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2700-34-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2700	222866c859c1cff9cb4ddaa1ac17e435.exe

Executes dropped EXE 1 IoCs

pid	Process
2700	222866c859c1cff9cb4ddaa1ac17e435.exe

Loads dropped DLL 1 IoCs

pid	Process
2496	222866c859c1cff9cb4ddaa1ac17e435.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2496-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000c000000012321-10.dat	upx
behavioral1/files/0x000c000000012321-14.dat	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2496	222866c859c1cff9cb4ddaa1ac17e435.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2496	222866c859c1cff9cb4ddaa1ac17e435.exe
2700	222866c859c1cff9cb4ddaa1ac17e435.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2700	2496	222866c859c1cff9cb4ddaa1ac17e435.exe	26
PID 2496 wrote to memory of 2700	2496	222866c859c1cff9cb4ddaa1ac17e435.exe	26
PID 2496 wrote to memory of 2700	2496	222866c859c1cff9cb4ddaa1ac17e435.exe	26
PID 2496 wrote to memory of 2700	2496	222866c859c1cff9cb4ddaa1ac17e435.exe	26

C:\Users\Admin\AppData\Local\Temp\222866c859c1cff9cb4ddaa1ac17e435.exe
"C:\Users\Admin\AppData\Local\Temp\222866c859c1cff9cb4ddaa1ac17e435.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Users\Admin\AppData\Local\Temp\222866c859c1cff9cb4ddaa1ac17e435.exe
  C:\Users\Admin\AppData\Local\Temp\222866c859c1cff9cb4ddaa1ac17e435.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2700

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\222866c859c1cff9cb4ddaa1ac17e435.exe

Filesize
356KB

MD5
5968f7322f859af884177e6e4389f328

SHA1
c3349cf439264bcc7d4e973efda50b81dd6fb3e3

SHA256
a1094193893bab1080358f646ffdd2536f08fab865d767c255e6e8de600de2c8

SHA512
dcf7d4f786eb6e2e0b365a1f5c83e4bf37be16e84e569d347dc6c9d3c9f039d5ba94e4a06ca45376febe78152af687850fd53707bde37db3b2626d62ced8af96

Download Submit
\Users\Admin\AppData\Local\Temp\222866c859c1cff9cb4ddaa1ac17e435.exe

Filesize
136KB

MD5
1a0e982382cabeb43123949e08b62baf

SHA1
fe064bb97473e24c591c0a4df22dc16caba7f539

SHA256
dba2d4ef00cb58beb604ff7e95a414e25d6207c129639a336160f0f79b8e6fd8

SHA512
985aaeed3357908156b0c6a3ee4d8bb6f7b4793693e50e013eabc63418fc9c16a9de5d0755ea447f1427f31a9182afcfd3f582396d04dd31026e682666f1dd63

Download Submit
memory/2496-16-0x0000000003380000-0x0000000003692000-memory.dmp

Filesize
3.1MB

Download
memory/2496-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2496-4-0x0000000001720000-0x00000000017E4000-memory.dmp

Filesize
784KB

Download
memory/2496-15-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2496-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2700-18-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2700-20-0x0000000001720000-0x00000000017E4000-memory.dmp

Filesize
784KB

Download
memory/2700-24-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2700-27-0x0000000003030000-0x00000000031C3000-memory.dmp

Filesize
1.6MB

Download
memory/2700-35-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2700-34-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download
memory/2700-17-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download