Analysis

max time kernel: 122s
max time network: 127s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 07/01/2024, 19:35
Behavioral task: behavioral1
Sample: 498acda1f6c76fdf266e156aa4673b80.exe
Resource: win7-20231215-en
General

Target: 498acda1f6c76fdf266e156aa4673b80.exe
Size: 784KB
MD5: 498acda1f6c76fdf266e156aa4673b80
SHA1: aeef68dea0b96c9707e0b9dc6a749fc0e951ad20
SHA256: d65a813ac95b9bb0bf2433082129061b930b29d0c037db265c4464e3bef9eab2
SHA512: b1e9d5e7432f8200284c5a1d8769f90e607c1b4b82d775eb0a2a5f574e30627fdda3a5d225087328df1b154163edf59c3470c1ef2ee9c1943ef90aba5f8fc88d
SSDEEP: 24576:b5QSwZ8mTeg0/QsD/rBVsMYMAwIaCCFdm7:b5QSe8Qe2ArstII7odm7
Malware Config
Signatures

- XMRig Miner payload (8 IoCs)
  resource | yara_rule
  behavioral1/memory/1180-1-0x0000000000400000-0x0000000000593000-memory.dmp | xmrig
  behavioral1/memory/1180-15-0x00000000031F0000-0x0000000003502000-memory.dmp | xmrig
  behavioral1/memory/1180-14-0x0000000000400000-0x0000000000593000-memory.dmp | xmrig
  behavioral1/memory/3052-19-0x0000000000400000-0x0000000000593000-memory.dmp | xmrig
  behavioral1/memory/3052-25-0x0000000000400000-0x0000000000587000-memory.dmp | xmrig
  behavioral1/memory/3052-24-0x0000000003150000-0x00000000032E3000-memory.dmp | xmrig
  behavioral1/memory/3052-34-0x0000000000400000-0x0000000000587000-memory.dmp | xmrig
  behavioral1/memory/1180-35-0x00000000031F0000-0x0000000003502000-memory.dmp | xmrig

- Deletes itself (1 IoC)
  pid | Process
  3052 | 498acda1f6c76fdf266e156aa4673b80.exe

- Executes dropped EXE (1 IoC)
  pid | Process
  3052 | 498acda1f6c76fdf266e156aa4673b80.exe

- Loads dropped DLL (1 IoC)
  pid | Process
  1180 | 498acda1f6c76fdf266e156aa4673b80.exe

- YARA matches for rule "upx" (3 IoCs; the signature title for this block is missing from the page)
  resource | yara_rule
  behavioral1/memory/1180-0-0x0000000000400000-0x0000000000712000-memory.dmp | upx
  behavioral1/files/0x000b000000012243-16.dat | upx
  behavioral1/memory/3052-17-0x0000000000400000-0x0000000000712000-memory.dmp | upx

- Suspicious behavior: RenamesItself (1 IoC)
  pid | Process
  1180 | 498acda1f6c76fdf266e156aa4673b80.exe

- Suspicious use of UnmapMainImage (2 IoCs)
  pid | Process
  1180 | 498acda1f6c76fdf266e156aa4673b80.exe
  3052 | 498acda1f6c76fdf266e156aa4673b80.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1180 wrote to memory of 3052 | 1180 | 498acda1f6c76fdf266e156aa4673b80.exe | 29
  PID 1180 wrote to memory of 3052 | 1180 | 498acda1f6c76fdf266e156aa4673b80.exe | 29
  PID 1180 wrote to memory of 3052 | 1180 | 498acda1f6c76fdf266e156aa4673b80.exe | 29
  PID 1180 wrote to memory of 3052 | 1180 | 498acda1f6c76fdf266e156aa4673b80.exe | 29
Processes

- C:\Users\Admin\AppData\Local\Temp\498acda1f6c76fdf266e156aa4673b80.exe (depth 1, PID 1180)
  command line: "C:\Users\Admin\AppData\Local\Temp\498acda1f6c76fdf266e156aa4673b80.exe"
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\498acda1f6c76fdf266e156aa4673b80.exe (depth 2, PID 3052)
    command line: C:\Users\Admin\AppData\Local\Temp\498acda1f6c76fdf266e156aa4673b80.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads

- Filesize: 784KB
  MD5: 6df2f9799879c4fb16bc4172d84deb5c
  SHA1: 2b6131e180d9ddd500029fb3b41f4a100ae94ca8
  SHA256: 7031ff1bc6ceb0cf88f9549fda98e88f3c834b45b77e78b526ee423b9c5ee247
  SHA512: bca2f4b11d4429cf3d7ddd87a74077edc10e6dd3f7cfde8a3d1e89a2c6d979ffbdeba9b203619354872699a96ce676d107526cfb0c52b58aa1dbc2f27435a020