Analysis
- max time kernel: 146s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/01/2024, 19:35
Behavioral task: behavioral1
- Sample: 498acda1f6c76fdf266e156aa4673b80.exe
- Resource: win7-20231215-en
- 9 signatures
- 150 seconds
General
- Target: 498acda1f6c76fdf266e156aa4673b80.exe
- Size: 784KB
- MD5: 498acda1f6c76fdf266e156aa4673b80
- SHA1: aeef68dea0b96c9707e0b9dc6a749fc0e951ad20
- SHA256: d65a813ac95b9bb0bf2433082129061b930b29d0c037db265c4464e3bef9eab2
- SHA512: b1e9d5e7432f8200284c5a1d8769f90e607c1b4b82d775eb0a2a5f574e30627fdda3a5d225087328df1b154163edf59c3470c1ef2ee9c1943ef90aba5f8fc88d
- SSDEEP: 24576:b5QSwZ8mTeg0/QsD/rBVsMYMAwIaCCFdm7:b5QSe8Qe2ArstII7odm7
Malware Config
Signatures

- XMRig Miner payload (7 IoCs)
  resource                                                                     yara_rule
  behavioral2/memory/4364-2-0x0000000000400000-0x0000000000593000-memory.dmp   xmrig
  behavioral2/memory/1476-21-0x0000000005370000-0x0000000005503000-memory.dmp  xmrig
  behavioral2/memory/1476-31-0x0000000000400000-0x0000000000587000-memory.dmp  xmrig
  behavioral2/memory/1476-30-0x00000000005A0000-0x000000000071F000-memory.dmp  xmrig
  behavioral2/memory/1476-20-0x0000000000400000-0x0000000000587000-memory.dmp  xmrig
  behavioral2/memory/1476-14-0x0000000000400000-0x0000000000593000-memory.dmp  xmrig
  behavioral2/memory/4364-12-0x0000000000400000-0x0000000000593000-memory.dmp  xmrig

- Deletes itself (1 IoCs)
  pid   Process
  1476  498acda1f6c76fdf266e156aa4673b80.exe

- Executes dropped EXE (1 IoCs)
  pid   Process
  1476  498acda1f6c76fdf266e156aa4673b80.exe

- resource                                                                     yara_rule
  behavioral2/memory/4364-0-0x0000000000400000-0x0000000000712000-memory.dmp   upx
  behavioral2/memory/1476-13-0x0000000000400000-0x0000000000712000-memory.dmp  upx

- Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  4364  498acda1f6c76fdf266e156aa4673b80.exe

- Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  4364  498acda1f6c76fdf266e156aa4673b80.exe
  1476  498acda1f6c76fdf266e156aa4673b80.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process                               procid_target
  PID 4364 wrote to memory of 1476  4364  498acda1f6c76fdf266e156aa4673b80.exe  20
  PID 4364 wrote to memory of 1476  4364  498acda1f6c76fdf266e156aa4673b80.exe  20
  PID 4364 wrote to memory of 1476  4364  498acda1f6c76fdf266e156aa4673b80.exe  20
Processes

1. C:\Users\Admin\AppData\Local\Temp\498acda1f6c76fdf266e156aa4673b80.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\498acda1f6c76fdf266e156aa4673b80.exe"
   - Suspicious behavior: RenamesItself
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory
   PID: 4364

   2. C:\Users\Admin\AppData\Local\Temp\498acda1f6c76fdf266e156aa4673b80.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\498acda1f6c76fdf266e156aa4673b80.exe
      - Deletes itself
      - Executes dropped EXE
      - Suspicious use of UnmapMainImage
      PID: 1476