xmrig | ae8f5ea140ab23cc49c178b572ace22efdc94725b506004340d1b5e503e43a40

General

Target

376ee934cb113e4c4428e3a0e804ff7f.exe
Size

784KB
MD5

376ee934cb113e4c4428e3a0e804ff7f
SHA1

deec05f0e8c14d6459d59e17d599b9819354f73b
SHA256

ae8f5ea140ab23cc49c178b572ace22efdc94725b506004340d1b5e503e43a40
SHA512

a05c15dd87c9b5012f8bfe4691485d88e776e4373b8b1e3ec8c259a66791b7203b0bebefa1e32d2f844e2ba96c47491091b39b432cc898dce80c9b0d767cda37
SSDEEP

24576:wR9uqULUIazOkBdR0nm5hHOQ2OoS2pG4e3VbYNKT:37LUIaPRcGhuQ334aON

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/2708-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2708-15-0x00000000031F0000-0x0000000003502000-memory.dmp	xmrig
behavioral1/memory/2708-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/3012-18-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/3012-24-0x00000000031B0000-0x0000000003343000-memory.dmp	xmrig
behavioral1/memory/3012-25-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/3012-34-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2708-35-0x00000000031F0000-0x0000000003502000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
3012	376ee934cb113e4c4428e3a0e804ff7f.exe

Executes dropped EXE 1 IoCs

pid	Process
3012	376ee934cb113e4c4428e3a0e804ff7f.exe

Loads dropped DLL 1 IoCs

pid	Process
2708	376ee934cb113e4c4428e3a0e804ff7f.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2708-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x0008000000012267-10.dat	upx
behavioral1/files/0x0008000000012267-13.dat	upx
behavioral1/files/0x0008000000012267-16.dat	upx
behavioral1/memory/3012-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2708	376ee934cb113e4c4428e3a0e804ff7f.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2708	376ee934cb113e4c4428e3a0e804ff7f.exe
3012	376ee934cb113e4c4428e3a0e804ff7f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 3012	2708	376ee934cb113e4c4428e3a0e804ff7f.exe	28
PID 2708 wrote to memory of 3012	2708	376ee934cb113e4c4428e3a0e804ff7f.exe	28
PID 2708 wrote to memory of 3012	2708	376ee934cb113e4c4428e3a0e804ff7f.exe	28
PID 2708 wrote to memory of 3012	2708	376ee934cb113e4c4428e3a0e804ff7f.exe	28

C:\Users\Admin\AppData\Local\Temp\376ee934cb113e4c4428e3a0e804ff7f.exe
"C:\Users\Admin\AppData\Local\Temp\376ee934cb113e4c4428e3a0e804ff7f.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\Temp\376ee934cb113e4c4428e3a0e804ff7f.exe
  C:\Users\Admin\AppData\Local\Temp\376ee934cb113e4c4428e3a0e804ff7f.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\376ee934cb113e4c4428e3a0e804ff7f.exe

Filesize
64KB

MD5
0262cb2716ddd7b45e52da8289132fc2

SHA1
9e93d5da3d981b0b732751f5f385004f67d4dd21

SHA256
6ca30f516c1b6ed4735b0322a483c36870737395ce972901c1960086bfee6f3f

SHA512
4aff9b72f1a2b392c8319fb8c978e3b95cff894e659f83ad0102c381a405fbd9c2a85755013443b343c145744d97bb4e5ce4aad3c7863c238935119e3db8b7e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\376ee934cb113e4c4428e3a0e804ff7f.exe

Filesize
257KB

MD5
113823203a06f257fa601c6bb63a9b48

SHA1
8950ffddb75eb5c9b199453409ffd12fe3c9732e

SHA256
43cb5b728bd608d88604c9c30c9aea87afdd7a7c1ce40f4ee1bf220d35f05ada

SHA512
e20c7d404a43058fe90bdffc9a501139959480962b617448b3724b32ae959ce94d1798a870aa8f40054ba19cf762c58efb85ac1c64d54918b1ab912576c618d5

Download Submit
\Users\Admin\AppData\Local\Temp\376ee934cb113e4c4428e3a0e804ff7f.exe

Filesize
448KB

MD5
0137429158a927933108f8212277efbd

SHA1
778ea07cf6f792955ee6fe1c596f83dbbb1c7784

SHA256
586c92d58a35bca199ab1877b6f24bcb6e2e19e08f1648d2e02c2020f4906bb4

SHA512
f72bae9cfff884a184de020bd8dfeaa7cdb54f061cf5f6ef9a87939937678765cf0832c8333b4707f51a9109eb9b4c6b9ae2807f42e1ab5a34e74773600336a3

Download Submit
memory/2708-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2708-15-0x00000000031F0000-0x0000000003502000-memory.dmp

Filesize
3.1MB

Download
memory/2708-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2708-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2708-2-0x0000000000120000-0x00000000001E4000-memory.dmp

Filesize
784KB

Download
memory/2708-35-0x00000000031F0000-0x0000000003502000-memory.dmp

Filesize
3.1MB

Download
memory/3012-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/3012-18-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3012-20-0x0000000001720000-0x00000000017E4000-memory.dmp

Filesize
784KB

Download
memory/3012-24-0x00000000031B0000-0x0000000003343000-memory.dmp

Filesize
1.6MB

Download
memory/3012-25-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3012-34-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing