xmrig | b6d80ed493487fcf4801f4e1087b54ed618e195e3d968ec8fcee6d2c4faac10a

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 05:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a6bd8248c77c755443ff72beb8d7caf.exe
Size

784KB
MD5

2a6bd8248c77c755443ff72beb8d7caf
SHA1

9e0b8f521a512d9f2c0a371bfc0427aeadb8a89d
SHA256

b6d80ed493487fcf4801f4e1087b54ed618e195e3d968ec8fcee6d2c4faac10a
SHA512

0a06622c68e79272ba0343d6957cf5b49814d4aa37560329f1cbfeec94f256724939738c20477c9876f25efc4ce08b6686a922a6a93221d358e2e0fc3bbf4a8f
SSDEEP

12288:LB16Cp19VnIvyaxz/KgejIvbpSgH4/19i0MIvp9z4fxbp6Pifg+aCs5NCxFM:tUCeyO2gQIjsgHEzi0MIvjKI5YM

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral2/memory/3888-2-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/3888-12-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/372-21-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral2/memory/372-30-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral2/memory/372-20-0x0000000005530000-0x00000000056C3000-memory.dmp	xmrig
behavioral2/memory/372-15-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
372	2a6bd8248c77c755443ff72beb8d7caf.exe

Executes dropped EXE 1 IoCs

pid	Process
372	2a6bd8248c77c755443ff72beb8d7caf.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3888-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral2/files/0x000d00000002315f-11.dat	upx
behavioral2/memory/372-13-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3888	2a6bd8248c77c755443ff72beb8d7caf.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3888	2a6bd8248c77c755443ff72beb8d7caf.exe
372	2a6bd8248c77c755443ff72beb8d7caf.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 372	3888	2a6bd8248c77c755443ff72beb8d7caf.exe	20
PID 3888 wrote to memory of 372	3888	2a6bd8248c77c755443ff72beb8d7caf.exe	20
PID 3888 wrote to memory of 372	3888	2a6bd8248c77c755443ff72beb8d7caf.exe	20

C:\Users\Admin\AppData\Local\Temp\2a6bd8248c77c755443ff72beb8d7caf.exe
"C:\Users\Admin\AppData\Local\Temp\2a6bd8248c77c755443ff72beb8d7caf.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Users\Admin\AppData\Local\Temp\2a6bd8248c77c755443ff72beb8d7caf.exe
  C:\Users\Admin\AppData\Local\Temp\2a6bd8248c77c755443ff72beb8d7caf.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:372

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2a6bd8248c77c755443ff72beb8d7caf.exe

Filesize
381KB

MD5
9e7153157dc36fd1302236aa931448e8

SHA1
7f861ca46def01fb570dd91bbb0ad45746569f9c

SHA256
0e31b7658fc6ca07d93e2a78bfc298f86481529b71ca70bae407684460e2f126

SHA512
1fbf34759a01fc1a7eee5cffa059b4f4efc81896164f303175b7fa7e461aecfb0a7fa9c9a17092a459bd1b4181475891ffa534e28f338fb5b193f74d58335d9d

Download Submit
memory/372-13-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/372-14-0x0000000001720000-0x00000000017E4000-memory.dmp

Filesize
784KB

Download
memory/372-21-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/372-30-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/372-20-0x0000000005530000-0x00000000056C3000-memory.dmp

Filesize
1.6MB

Download
memory/372-15-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3888-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/3888-2-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3888-1-0x00000000019F0000-0x0000000001AB4000-memory.dmp

Filesize
784KB

Download
memory/3888-12-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download