xmrig | 3c1657296dbc0b00d33f5670e7bbb2cb924dba9dc57432b924ea29fa811b36f1

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 05:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a21009e2ec33a21b342e44263a267a2.exe
Size

784KB
MD5

2a21009e2ec33a21b342e44263a267a2
SHA1

c0c325169e99a463dc31911a10019cb21fc730bd
SHA256

3c1657296dbc0b00d33f5670e7bbb2cb924dba9dc57432b924ea29fa811b36f1
SHA512

bdec5401b4e56f9c3e8736a8415258e6e549b2e47c46a93f8285870df89e41bfc293f8b24db9381c72ed0f81dba70aee6ab8016358faa384c888960f925f2413
SSDEEP

12288:57Ldx/eQSkFEof+TfDfIBWR4M5F1z1qTHqTLncs7ZvzfNwWxFQT2bhTbSQDLvFl7:5bp+Tf8G4UF918HqTzcs7Zpvnrnn

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/2380-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/3052-17-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/3052-19-0x0000000000400000-0x0000000000712000-memory.dmp	xmrig
behavioral1/memory/2380-16-0x00000000030E0000-0x00000000033F2000-memory.dmp	xmrig
behavioral1/memory/3052-25-0x0000000003220000-0x00000000033B3000-memory.dmp	xmrig
behavioral1/memory/3052-24-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/3052-35-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2380-15-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
3052	2a21009e2ec33a21b342e44263a267a2.exe

Executes dropped EXE 1 IoCs

pid	Process
3052	2a21009e2ec33a21b342e44263a267a2.exe

Loads dropped DLL 1 IoCs

pid	Process
2380	2a21009e2ec33a21b342e44263a267a2.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2380-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x0009000000015c33-10.dat	upx
behavioral1/files/0x0009000000015c33-14.dat	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2380	2a21009e2ec33a21b342e44263a267a2.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2380	2a21009e2ec33a21b342e44263a267a2.exe
3052	2a21009e2ec33a21b342e44263a267a2.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 3052	2380	2a21009e2ec33a21b342e44263a267a2.exe	17
PID 2380 wrote to memory of 3052	2380	2a21009e2ec33a21b342e44263a267a2.exe	17
PID 2380 wrote to memory of 3052	2380	2a21009e2ec33a21b342e44263a267a2.exe	17
PID 2380 wrote to memory of 3052	2380	2a21009e2ec33a21b342e44263a267a2.exe	17

C:\Users\Admin\AppData\Local\Temp\2a21009e2ec33a21b342e44263a267a2.exe
"C:\Users\Admin\AppData\Local\Temp\2a21009e2ec33a21b342e44263a267a2.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\2a21009e2ec33a21b342e44263a267a2.exe
  C:\Users\Admin\AppData\Local\Temp\2a21009e2ec33a21b342e44263a267a2.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2a21009e2ec33a21b342e44263a267a2.exe

Filesize
381KB

MD5
9abdaf631810961923b7e8136ce6f6ec

SHA1
fbe5e7bf5458dfa41300201665f41ad9bf9fb52d

SHA256
0849af78dc8c4e52c9b93cb0402d50776ee60a392512b5a7987562d06b95dfd5

SHA512
b5ee848bd2667aecd1ca4bb975f1cf464c847ede502f3f6909a6d1a892c8aba312a907929855b665d3630d068643580344b50780e22bf99dc037ee158b5be298

Download Submit
\Users\Admin\AppData\Local\Temp\2a21009e2ec33a21b342e44263a267a2.exe

Filesize
92KB

MD5
d8698276285936becb24c1ab19bfdd6c

SHA1
848fdf3ec0c95f40abebc3b91407159982f3e8bd

SHA256
79911cdbcd46fe288b56f25588e6bb719e285467b980f12edb9eeb5f21c69ee7

SHA512
98bb59e020407ba9ad1055ce6849d83aa6627b8d45d9a095c44b35b5a0dee6a94fc22d825e75f04ae448dbcb81fbecf6013cb97b7b5ea95ae6bc80c7f3056032

Download Submit
memory/2380-16-0x00000000030E0000-0x00000000033F2000-memory.dmp

Filesize
3.1MB

Download
memory/2380-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2380-4-0x0000000000330000-0x00000000003F4000-memory.dmp

Filesize
784KB

Download
memory/2380-15-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2380-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/3052-21-0x00000000018B0000-0x0000000001974000-memory.dmp

Filesize
784KB

Download
memory/3052-25-0x0000000003220000-0x00000000033B3000-memory.dmp

Filesize
1.6MB

Download
memory/3052-24-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3052-35-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3052-19-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/3052-17-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download