xmrig | 95f2d8d7153e8f0399b17c539dea7ee45f8b58652beb2577e7df75488b676a1e

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
05-01-2024 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

425edaec6b35b3a12852e136409d42b2.exe
Size

784KB
MD5

425edaec6b35b3a12852e136409d42b2
SHA1

4f7c2c06fb80ab04decaba26d961bd86fefaa20c
SHA256

95f2d8d7153e8f0399b17c539dea7ee45f8b58652beb2577e7df75488b676a1e
SHA512

0c6e5e34819889eb993fd1c2f682c193fe79259cf37fed2fd3039861d615c40ddbfa04b220938d2062bd220e1893a24abfd7b2398636d66d27bbc9ccb76ef211
SSDEEP

12288:OJuWOscseGxPmmaYeJGcoSXO4GaR8oOhBEAod5Mv4pgix2fQ1GHMff7c79z8S:O4DbG0txoSXuThbo8wefQHffw7K

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/2968-2-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2160-18-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2160-25-0x0000000003090000-0x0000000003223000-memory.dmp	xmrig
behavioral1/memory/2160-34-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig
behavioral1/memory/2160-35-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2160-24-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2968-15-0x0000000003100000-0x0000000003412000-memory.dmp	xmrig
behavioral1/memory/2968-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2160	425edaec6b35b3a12852e136409d42b2.exe

Executes dropped EXE 1 IoCs

pid	Process
2160	425edaec6b35b3a12852e136409d42b2.exe

Loads dropped DLL 1 IoCs

pid	Process
2968	425edaec6b35b3a12852e136409d42b2.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2968-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x0009000000014395-10.dat	upx
behavioral1/memory/2160-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x0009000000014395-16.dat	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2968	425edaec6b35b3a12852e136409d42b2.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2968	425edaec6b35b3a12852e136409d42b2.exe
2160	425edaec6b35b3a12852e136409d42b2.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2160	2968	425edaec6b35b3a12852e136409d42b2.exe	19
PID 2968 wrote to memory of 2160	2968	425edaec6b35b3a12852e136409d42b2.exe	19
PID 2968 wrote to memory of 2160	2968	425edaec6b35b3a12852e136409d42b2.exe	19
PID 2968 wrote to memory of 2160	2968	425edaec6b35b3a12852e136409d42b2.exe	19

C:\Users\Admin\AppData\Local\Temp\425edaec6b35b3a12852e136409d42b2.exe
"C:\Users\Admin\AppData\Local\Temp\425edaec6b35b3a12852e136409d42b2.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Users\Admin\AppData\Local\Temp\425edaec6b35b3a12852e136409d42b2.exe
  C:\Users\Admin\AppData\Local\Temp\425edaec6b35b3a12852e136409d42b2.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2160

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\425edaec6b35b3a12852e136409d42b2.exe

Filesize
149KB

MD5
44be5ff88c28f30a37908634dfcd8e83

SHA1
d4b92757e9870594dcbfcb1d641a6e8e218a215a

SHA256
827aa5d86387ed2e4974f4029df1fb9262a44b80005bf0130ebad3b02a10ed07

SHA512
c509d74a560ac1b3f9725f9b9e3be416af1a45c987be375910910b92dc0f3c5c7b8979d634a8b5ce6a6b02464b252c1d2381a7b73b4dc2045c5e4baeb38d1110

Download Submit
\Users\Admin\AppData\Local\Temp\425edaec6b35b3a12852e136409d42b2.exe

Filesize
161KB

MD5
f7e02b38c2007db6642b5ffc2e0d1bf7

SHA1
0d58f2bd47db7a15e7c036136b11ccfb055f83d0

SHA256
9bc5ef4e751b723e388cc03c5d75e673794fd1a536b844fededda71fe881d1c5

SHA512
9af5ff0e798662725fbf2a605c638a5a1e440721d98f554c02b0dbb3d61cb8650abef8a0db7e28d3426204d3128d4ff31a972ced0911bce101dea11ccc08cf39

Download Submit
memory/2160-25-0x0000000003090000-0x0000000003223000-memory.dmp

Filesize
1.6MB

Download
memory/2160-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2160-18-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2160-34-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download
memory/2160-35-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2160-24-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2160-21-0x0000000001720000-0x00000000017E4000-memory.dmp

Filesize
784KB

Download
memory/2968-1-0x0000000000120000-0x00000000001E4000-memory.dmp

Filesize
784KB

Download
memory/2968-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2968-2-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2968-15-0x0000000003100000-0x0000000003412000-memory.dmp

Filesize
3.1MB

Download
memory/2968-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download