xmrig | bedc0fe25e56787175fd22d5c81dca23b4162f6e139299de4ad320aab2ee77fa

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
07/01/2024, 11:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

48d7fc99773c97a0f03364e3a4afc723.exe
Size

784KB
MD5

48d7fc99773c97a0f03364e3a4afc723
SHA1

21b484e007050664f9cfec09768a926dd580acd5
SHA256

bedc0fe25e56787175fd22d5c81dca23b4162f6e139299de4ad320aab2ee77fa
SHA512

25aa9e90fdaab4ed6fa25c1adac14cbaeec626492565ac4d694f69ec7ec253ae600431e4a85b35bad3cbf0af70f97e7736cef85046d349806de54381bbdd8c3a
SSDEEP

12288:CHO6t6Ii/AVl6hj/Pjvu7yyoGvfBR8rGfZZDESjeYFc8++60eG6yQKimdFFwkE:2iFzyoGvJRsGf7DDd+VrVADbwkE

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/2664-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2084-18-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2084-24-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2084-26-0x0000000003060000-0x00000000031F3000-memory.dmp	xmrig
behavioral1/memory/2084-35-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2084-34-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig
behavioral1/memory/2664-15-0x0000000003230000-0x0000000003542000-memory.dmp	xmrig
behavioral1/memory/2664-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2084	48d7fc99773c97a0f03364e3a4afc723.exe

Executes dropped EXE 1 IoCs

pid	Process
2084	48d7fc99773c97a0f03364e3a4afc723.exe

Loads dropped DLL 1 IoCs

pid	Process
2664	48d7fc99773c97a0f03364e3a4afc723.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2664-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000c00000001225c-10.dat	upx
behavioral1/memory/2084-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000c00000001225c-16.dat	upx
behavioral1/files/0x000c00000001225c-12.dat	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2664	48d7fc99773c97a0f03364e3a4afc723.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2664	48d7fc99773c97a0f03364e3a4afc723.exe
2084	48d7fc99773c97a0f03364e3a4afc723.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2084	2664	48d7fc99773c97a0f03364e3a4afc723.exe	29
PID 2664 wrote to memory of 2084	2664	48d7fc99773c97a0f03364e3a4afc723.exe	29
PID 2664 wrote to memory of 2084	2664	48d7fc99773c97a0f03364e3a4afc723.exe	29
PID 2664 wrote to memory of 2084	2664	48d7fc99773c97a0f03364e3a4afc723.exe	29

C:\Users\Admin\AppData\Local\Temp\48d7fc99773c97a0f03364e3a4afc723.exe
"C:\Users\Admin\AppData\Local\Temp\48d7fc99773c97a0f03364e3a4afc723.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Users\Admin\AppData\Local\Temp\48d7fc99773c97a0f03364e3a4afc723.exe
  C:\Users\Admin\AppData\Local\Temp\48d7fc99773c97a0f03364e3a4afc723.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2084

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\48d7fc99773c97a0f03364e3a4afc723.exe

Filesize
784KB

MD5
275bcd4238cdffbd3b74c5e3fc496071

SHA1
3b6dd8c31e116536c2d4e850e7136a051cb51af7

SHA256
814400bf46c776d585bce11a3ffa499735e5772825c84bdbe08f3fd9e0e23032

SHA512
b790deec0e63f9e974135646f671eefa363fa184d331e335d138ee7118f9ed5644ef3f853d81fbc92b7d7dd69b3e9886ef9a3992fb7d2af371b3d5121a13848a

Download Submit
\Users\Admin\AppData\Local\Temp\48d7fc99773c97a0f03364e3a4afc723.exe

Filesize
560KB

MD5
0c6d4302eb163d23138ffd04ec896813

SHA1
d03d1f1220984843695dccc835ac99f4fcb1d034

SHA256
510f84f12dd8d8d45f4b380a6a57d3e0476edc66fcdbb0ede469dbe7019a258c

SHA512
a0920b413dc2aa75c2e4358029bafdb8cc1615f5e88d94e703657fe4943da483056a88163af52985ba8d259627a5a9698dc599eb55490ab27b1a31e71ce071a2

Download Submit
memory/2084-20-0x0000000001720000-0x00000000017E4000-memory.dmp

Filesize
784KB

Download
memory/2084-18-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2084-24-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2084-26-0x0000000003060000-0x00000000031F3000-memory.dmp

Filesize
1.6MB

Download
memory/2084-35-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2084-34-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download
memory/2084-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2664-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2664-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2664-15-0x0000000003230000-0x0000000003542000-memory.dmp

Filesize
3.1MB

Download
memory/2664-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2664-2-0x0000000000120000-0x00000000001E4000-memory.dmp

Filesize
784KB

Download