xmrig | 75d2d1ae6d7355c1a46cef071205580205d3e5121d476665c2c45eee5cbe8fa8

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

284a0d9f549bd05a5bcd42c98d0e6e07.exe
Size

784KB
MD5

284a0d9f549bd05a5bcd42c98d0e6e07
SHA1

f9e01d0c320d84bd88f1cf9ae86c145977822b94
SHA256

75d2d1ae6d7355c1a46cef071205580205d3e5121d476665c2c45eee5cbe8fa8
SHA512

211cdf441e213bf79d81a83ffdfc35f64dcc5bdad04e546c4b455c983448f620650495a8f47271bc005fe859a53f067734fa811a2189a6755163334161a6ea4a
SSDEEP

24576:YC8zu48c6CvNXuvCs9FPtvSpvPDrz7VmSxSZFo:Y5F8fCv14CMXv6Xz7IVZC

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/3068-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/3068-15-0x00000000032C0000-0x00000000035D2000-memory.dmp	xmrig
behavioral1/memory/3068-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2128-18-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2128-24-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2128-27-0x00000000030C0000-0x0000000003253000-memory.dmp	xmrig
behavioral1/memory/2128-35-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2128-34-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2128	284a0d9f549bd05a5bcd42c98d0e6e07.exe

Executes dropped EXE 1 IoCs

pid	Process
2128	284a0d9f549bd05a5bcd42c98d0e6e07.exe

Loads dropped DLL 1 IoCs

pid	Process
3068	284a0d9f549bd05a5bcd42c98d0e6e07.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3068-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x0009000000012252-10.dat	upx
behavioral1/files/0x0009000000012252-16.dat	upx
behavioral1/memory/2128-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3068	284a0d9f549bd05a5bcd42c98d0e6e07.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3068	284a0d9f549bd05a5bcd42c98d0e6e07.exe
2128	284a0d9f549bd05a5bcd42c98d0e6e07.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2128	3068	284a0d9f549bd05a5bcd42c98d0e6e07.exe	29
PID 3068 wrote to memory of 2128	3068	284a0d9f549bd05a5bcd42c98d0e6e07.exe	29
PID 3068 wrote to memory of 2128	3068	284a0d9f549bd05a5bcd42c98d0e6e07.exe	29
PID 3068 wrote to memory of 2128	3068	284a0d9f549bd05a5bcd42c98d0e6e07.exe	29

C:\Users\Admin\AppData\Local\Temp\284a0d9f549bd05a5bcd42c98d0e6e07.exe
"C:\Users\Admin\AppData\Local\Temp\284a0d9f549bd05a5bcd42c98d0e6e07.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\284a0d9f549bd05a5bcd42c98d0e6e07.exe
  C:\Users\Admin\AppData\Local\Temp\284a0d9f549bd05a5bcd42c98d0e6e07.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2128

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\284a0d9f549bd05a5bcd42c98d0e6e07.exe

Filesize
180KB

MD5
c69a06b373a16488f1803fea0ba76739

SHA1
f3592f93fcf73c9b699dd08182ff83be7f593d54

SHA256
cf4247e6f25837d0c0c3cac8da68f2c6599fce494e21a0577271ad01e1b0c51b

SHA512
fe3850e9db2b1c2a575b1466f3dda25f0a07e0e10331667aa86fcef0955c0ff34686841aba14ee1f33b525868115d41b0c102e1179d9866235e395997ef2eca8

Download Submit
\Users\Admin\AppData\Local\Temp\284a0d9f549bd05a5bcd42c98d0e6e07.exe

Filesize
232KB

MD5
ffd5068c8377f23586ef9299f6739a6a

SHA1
dbc363603e3217d9159730ccec781287c1653198

SHA256
e84f320936ff73793bfa1593f912f83efe1db53591c4017f0e9e8ba0b1a7c1f6

SHA512
0d0bd75d4f2a9f3907bac9c4fd0f2e3849f61fadb51b7abb155c9c96f815e697c1bfa1fc0ba93bab53ffc6831194a38a9a6f748fddf779fbfbef088782a6d32d

Download Submit
memory/2128-18-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2128-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2128-20-0x00000000018B0000-0x0000000001974000-memory.dmp

Filesize
784KB

Download
memory/2128-24-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2128-27-0x00000000030C0000-0x0000000003253000-memory.dmp

Filesize
1.6MB

Download
memory/2128-35-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2128-34-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download
memory/3068-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3068-2-0x00000000018B0000-0x0000000001974000-memory.dmp

Filesize
784KB

Download
memory/3068-15-0x00000000032C0000-0x00000000035D2000-memory.dmp

Filesize
3.1MB

Download
memory/3068-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3068-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download