xmrig | 99cac1b4e16e1945e2e1abd221881f9fc92129c34ba35c9c7a8d7277cb5ba37d

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22c9a3ad39956c615db2e3d93ebe169f.exe
Size

784KB
MD5

22c9a3ad39956c615db2e3d93ebe169f
SHA1

30974d46ed6cb14b10240c2e2d8364839cdc4ad4
SHA256

99cac1b4e16e1945e2e1abd221881f9fc92129c34ba35c9c7a8d7277cb5ba37d
SHA512

d71266b42f4925692ad8040ef9532e144c6a952fd978f998c6295e7898f3fb4e43a95979942f31f6945cf0b2cef2473be2d5e79bd7257dfd341b83ff49818ab5
SSDEEP

12288:kHbhmhF/iLAvq0ra6/xIlUEMrtuFCFPcYw/Wm8EOj1jAyZV/d2R8M9hXQ6LJb:kdMwLAS9kSOEM1cgm8N1jAyZVrGhHL

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/1940-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2004-18-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2004-24-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2004-26-0x0000000003150000-0x00000000032E3000-memory.dmp	xmrig
behavioral1/memory/2004-34-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/1940-16-0x00000000031F0000-0x0000000003502000-memory.dmp	xmrig
behavioral1/memory/1940-15-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2004	22c9a3ad39956c615db2e3d93ebe169f.exe

Executes dropped EXE 1 IoCs

pid	Process
2004	22c9a3ad39956c615db2e3d93ebe169f.exe

Loads dropped DLL 1 IoCs

pid	Process
1940	22c9a3ad39956c615db2e3d93ebe169f.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1940-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000b000000012234-10.dat	upx
behavioral1/files/0x000b000000012234-14.dat	upx
behavioral1/memory/2004-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1940	22c9a3ad39956c615db2e3d93ebe169f.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1940	22c9a3ad39956c615db2e3d93ebe169f.exe
2004	22c9a3ad39956c615db2e3d93ebe169f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 2004	1940	22c9a3ad39956c615db2e3d93ebe169f.exe	17
PID 1940 wrote to memory of 2004	1940	22c9a3ad39956c615db2e3d93ebe169f.exe	17
PID 1940 wrote to memory of 2004	1940	22c9a3ad39956c615db2e3d93ebe169f.exe	17
PID 1940 wrote to memory of 2004	1940	22c9a3ad39956c615db2e3d93ebe169f.exe	17

C:\Users\Admin\AppData\Local\Temp\22c9a3ad39956c615db2e3d93ebe169f.exe
C:\Users\Admin\AppData\Local\Temp\22c9a3ad39956c615db2e3d93ebe169f.exe
1⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:2004

C:\Users\Admin\AppData\Local\Temp\22c9a3ad39956c615db2e3d93ebe169f.exe
"C:\Users\Admin\AppData\Local\Temp\22c9a3ad39956c615db2e3d93ebe169f.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1940

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\22c9a3ad39956c615db2e3d93ebe169f.exe

Filesize
381KB

MD5
7b46a7af024cb7c9cef7c7046a2602d7

SHA1
a29c1ae6c2f9d5f4245136c4ab36e95ce0f0dd04

SHA256
0dc42c13a9a5b0b65053454065dc1cf75732799d7f8e180e367933727ef52e0a

SHA512
0df91cee290f95b53d4022695d11260beab75b58460a575984e385d2b312f892cf6f42c876a5fa8f360aead9a0e704a92e716eaa70f76a1d898e73500bba00c3

Download Submit
\Users\Admin\AppData\Local\Temp\22c9a3ad39956c615db2e3d93ebe169f.exe

Filesize
382KB

MD5
719ad16c1e80f9b2a5ac0be6eb215e8b

SHA1
028ac2be997e846f38e5c448f9cc48d518074e1d

SHA256
ef18741cf80e8300303a61204cf2b8f42c4729058ccb293cbfbe1c6363493621

SHA512
4bd693f9e89847262ad41b5ac689976a44d661711d1357e26e041559d236686603cca1ec40d6d7d5f3b599315696f6f8e3268a1cd46d6355cfdc7f2182565185

Download Submit
memory/1940-16-0x00000000031F0000-0x0000000003502000-memory.dmp

Filesize
3.1MB

Download
memory/1940-3-0x00000000002E0000-0x00000000003A4000-memory.dmp

Filesize
784KB

Download
memory/1940-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1940-35-0x00000000031F0000-0x0000000003502000-memory.dmp

Filesize
3.1MB

Download
memory/1940-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1940-15-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2004-24-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2004-19-0x0000000000320000-0x00000000003E4000-memory.dmp

Filesize
784KB

Download
memory/2004-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2004-34-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2004-26-0x0000000003150000-0x00000000032E3000-memory.dmp

Filesize
1.6MB

Download
memory/2004-18-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download