xmrig | d75d8dc21d766af45d4843dfeb5c04871b96f05b0f44c8add5c26f8077d1b04d

General

Target

27b6472d92855c2fe6452e1f5a85bb4d.exe
Size

784KB
MD5

27b6472d92855c2fe6452e1f5a85bb4d
SHA1

55aa9bde0eb77ee08c0e8655fb839ac0e284289c
SHA256

d75d8dc21d766af45d4843dfeb5c04871b96f05b0f44c8add5c26f8077d1b04d
SHA512

6b1ad7832b46c07cd100c3ee7c762d32fa7d90649f72a1c32b4db1ee6bc56356697a703586f48c5fc9a094ac07c05d03aa4114d44b1fca4c9a63236ff54b32c1
SSDEEP

12288:EArllIw7vpm1dKFNfAWoyKnV0v2sKJlQ+oz2Us56ns0R3QtqjcONqaAh0jWT:TlIw7i2NIW6VAalcpQ6+tEzNdCx

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/1384-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/1384-15-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2684-17-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2684-24-0x0000000003110000-0x00000000032A3000-memory.dmp	xmrig
behavioral1/memory/2684-23-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2684-33-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig
behavioral1/memory/2684-34-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2684	27b6472d92855c2fe6452e1f5a85bb4d.exe

Executes dropped EXE 1 IoCs

pid	Process
2684	27b6472d92855c2fe6452e1f5a85bb4d.exe

Loads dropped DLL 1 IoCs

pid	Process
1384	27b6472d92855c2fe6452e1f5a85bb4d.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1384-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000b000000014131-10.dat	upx
behavioral1/files/0x000b000000014131-14.dat	upx
behavioral1/files/0x000b000000014131-12.dat	upx
behavioral1/memory/2684-16-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1384	27b6472d92855c2fe6452e1f5a85bb4d.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1384	27b6472d92855c2fe6452e1f5a85bb4d.exe
2684	27b6472d92855c2fe6452e1f5a85bb4d.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 2684	1384	27b6472d92855c2fe6452e1f5a85bb4d.exe	23
PID 1384 wrote to memory of 2684	1384	27b6472d92855c2fe6452e1f5a85bb4d.exe	23
PID 1384 wrote to memory of 2684	1384	27b6472d92855c2fe6452e1f5a85bb4d.exe	23
PID 1384 wrote to memory of 2684	1384	27b6472d92855c2fe6452e1f5a85bb4d.exe	23

C:\Users\Admin\AppData\Local\Temp\27b6472d92855c2fe6452e1f5a85bb4d.exe
"C:\Users\Admin\AppData\Local\Temp\27b6472d92855c2fe6452e1f5a85bb4d.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Users\Admin\AppData\Local\Temp\27b6472d92855c2fe6452e1f5a85bb4d.exe
  C:\Users\Admin\AppData\Local\Temp\27b6472d92855c2fe6452e1f5a85bb4d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\27b6472d92855c2fe6452e1f5a85bb4d.exe

Filesize
127KB

MD5
71da14eb382d73ee27510d06a172c24f

SHA1
20bb96eb57e1ec34c6e2cfd397dd80c44e864ab3

SHA256
6a71e1d5d9a1df8bb63b73373ec8d303905a176f1caa6eb01b972edff286610c

SHA512
53b14e734bdceeeedd7a877bd6c6eabe2ffd9f63579caeaed4298a540f75401959f2a7347d2eb2dc191a35d07aab10afb0200a1a4eb10b1f99b22c54bdc5da8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\27b6472d92855c2fe6452e1f5a85bb4d.exe

Filesize
268KB

MD5
df87f61255a305900cb61364d25718d8

SHA1
a3b5f5f17993de0151c59ef81b2ebcb9db3841b1

SHA256
024666b7db84a65c93ce1d82c14e3b8d18d86a48b5cd243b0129aedd9b0cfdef

SHA512
f80c3811750c283f285d4ed6e5ed9ef217a910d0aa9173fac61b485b5b1aac56808ed4a641bcfd14c7c6374659ef18ff4a66537a85602d086dbacf6f764aa438

Download Submit
\Users\Admin\AppData\Local\Temp\27b6472d92855c2fe6452e1f5a85bb4d.exe

Filesize
204KB

MD5
91929a3991234b3d868a53b4b23c75c3

SHA1
7ad1554b760572fa64136949b2bbe80e8e6fb5f9

SHA256
b14b5156f844d8a1ba51293f6ede4ccfedd7f97d9c1d297d3ee42d2f52179894

SHA512
054892fd019ae01f1437b570cbc015af1941b3191bca1c330ccc8388e1517fc8afaf78922bd8d8206a3ec50bd1aa809368fe09a2285cf335a588eb33e828af6c

Download Submit
memory/1384-15-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1384-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1384-2-0x0000000000120000-0x00000000001E4000-memory.dmp

Filesize
784KB

Download
memory/1384-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2684-16-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2684-18-0x0000000000120000-0x00000000001E4000-memory.dmp

Filesize
784KB

Download
memory/2684-17-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2684-24-0x0000000003110000-0x00000000032A3000-memory.dmp

Filesize
1.6MB

Download
memory/2684-23-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2684-33-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download
memory/2684-34-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing