xmrig | 11258761317ee65ff3e92262d5213f06fc3295b50049429b68a65fc56212ab15

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
08/01/2024, 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c3a7a4d7c4a8cdc241c7e87ca5dbbe9.exe
Size

784KB
MD5

4c3a7a4d7c4a8cdc241c7e87ca5dbbe9
SHA1

0e94751e25e3e2f88fda34c5614ca13dccf9db18
SHA256

11258761317ee65ff3e92262d5213f06fc3295b50049429b68a65fc56212ab15
SHA512

baf6174c6441e5b283fe95b4b081c40360b3f009a9d45e01a9b1bc605a000a1e5d58fa3a088a1fab1bbfe2b64815dbed498c77ecd4209b6b60906c573b288441
SSDEEP

12288:fUESicZCd5olKz0Azbkl1TVCswWNSVb1m++nnDqgZu5WS6cggsF2y8:QhZCPaungl6swWN+1m++DqrWS6cggx

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/1872-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/1872-15-0x0000000003180000-0x0000000003492000-memory.dmp	xmrig
behavioral1/memory/1872-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/3060-18-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/3060-25-0x0000000003130000-0x00000000032C3000-memory.dmp	xmrig
behavioral1/memory/3060-24-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/3060-35-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/3060-34-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
3060	4c3a7a4d7c4a8cdc241c7e87ca5dbbe9.exe

Executes dropped EXE 1 IoCs

pid	Process
3060	4c3a7a4d7c4a8cdc241c7e87ca5dbbe9.exe

Loads dropped DLL 1 IoCs

pid	Process
1872	4c3a7a4d7c4a8cdc241c7e87ca5dbbe9.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1872-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x00080000000120f8-10.dat	upx
behavioral1/files/0x00080000000120f8-16.dat	upx
behavioral1/memory/3060-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/memory/1872-15-0x0000000003180000-0x0000000003492000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1872	4c3a7a4d7c4a8cdc241c7e87ca5dbbe9.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1872	4c3a7a4d7c4a8cdc241c7e87ca5dbbe9.exe
3060	4c3a7a4d7c4a8cdc241c7e87ca5dbbe9.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 3060	1872	4c3a7a4d7c4a8cdc241c7e87ca5dbbe9.exe	29
PID 1872 wrote to memory of 3060	1872	4c3a7a4d7c4a8cdc241c7e87ca5dbbe9.exe	29
PID 1872 wrote to memory of 3060	1872	4c3a7a4d7c4a8cdc241c7e87ca5dbbe9.exe	29
PID 1872 wrote to memory of 3060	1872	4c3a7a4d7c4a8cdc241c7e87ca5dbbe9.exe	29

C:\Users\Admin\AppData\Local\Temp\4c3a7a4d7c4a8cdc241c7e87ca5dbbe9.exe
"C:\Users\Admin\AppData\Local\Temp\4c3a7a4d7c4a8cdc241c7e87ca5dbbe9.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Users\Admin\AppData\Local\Temp\4c3a7a4d7c4a8cdc241c7e87ca5dbbe9.exe
  C:\Users\Admin\AppData\Local\Temp\4c3a7a4d7c4a8cdc241c7e87ca5dbbe9.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3060

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4c3a7a4d7c4a8cdc241c7e87ca5dbbe9.exe

Filesize
49KB

MD5
219ffc78e3fccf4d1ac3a5c1c74f2ff2

SHA1
4ccd4aa22201e9e82171338e8dc4f6a08fe73c4b

SHA256
34a31a33d6d9de6f871d7c394dd43f7e0d87efff7a3d496af0dc23f31c80a0ca

SHA512
33b95cb7f00a9e97a5e641e0d7248863bc6bafd4f17993e7495dcf7d0f8c3a5a6b1cea83f8c050f1e9fe0aa663b8f7b5c03a39f5664e85820cb1f73327623c82

Download Submit
\Users\Admin\AppData\Local\Temp\4c3a7a4d7c4a8cdc241c7e87ca5dbbe9.exe

Filesize
61KB

MD5
be10cd02e301964fb5a3aa174d41d3d0

SHA1
b79363f76e32f6aa49bec83ed544069d8a98f6b3

SHA256
5fb4baea324d956c8d70b88eff5c7359a8a0162b7df7f2c21813196ef9a44e5d

SHA512
2c47f2af227b7ffdb9315b1af2009b3b290b4a2a77be7e5e74cce07515c1f602211a38c0ab34c28f5cb9d8bd05cd691776b1e9144c0c351330e763e973f41883

Download Submit
memory/1872-15-0x0000000003180000-0x0000000003492000-memory.dmp

Filesize
3.1MB

Download
memory/1872-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1872-2-0x0000000001720000-0x00000000017E4000-memory.dmp

Filesize
784KB

Download
memory/1872-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1872-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3060-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/3060-19-0x0000000000120000-0x00000000001E4000-memory.dmp

Filesize
784KB

Download
memory/3060-18-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3060-25-0x0000000003130000-0x00000000032C3000-memory.dmp

Filesize
1.6MB

Download
memory/3060-24-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3060-35-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3060-34-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download