xmrig | 68f837ddc39dcb2bf6f73b768eeb24cf562dde7d811647689085005c0e02aa7f

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2024 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

599b3147d07d7e3fd4c4206fa1d64cfa.exe
Size

784KB
MD5

599b3147d07d7e3fd4c4206fa1d64cfa
SHA1

17a4a99a8bc7af7c8186c1af5415c14e01d324c0
SHA256

68f837ddc39dcb2bf6f73b768eeb24cf562dde7d811647689085005c0e02aa7f
SHA512

b249b85a5b73257352c95dc6dbb96de37c1b48439f74dcdc6bd557df2c3ba5387d4b39cd19340840e37370938dd0ed9ae6db6230a80b76a3f24c286f7fe0c447
SSDEEP

12288:o1og3eu5bZWRkxK+kjQfJC92XVMWkpic6cR6/1ACX4Zu/IrFZ5/PGyxkw:o153eudZWRkbrgLWv/1p4+IRvvxP

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral2/memory/4492-2-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/4492-12-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/4980-15-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/4980-21-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral2/memory/4980-20-0x00000000053B0000-0x0000000005543000-memory.dmp	xmrig
behavioral2/memory/4980-30-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
4980	599b3147d07d7e3fd4c4206fa1d64cfa.exe

Executes dropped EXE 1 IoCs

pid	Process
4980	599b3147d07d7e3fd4c4206fa1d64cfa.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4492-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral2/files/0x000a00000002312d-11.dat	upx
behavioral2/memory/4980-13-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4492	599b3147d07d7e3fd4c4206fa1d64cfa.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
4492	599b3147d07d7e3fd4c4206fa1d64cfa.exe
4980	599b3147d07d7e3fd4c4206fa1d64cfa.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4492 wrote to memory of 4980	4492	599b3147d07d7e3fd4c4206fa1d64cfa.exe	43
PID 4492 wrote to memory of 4980	4492	599b3147d07d7e3fd4c4206fa1d64cfa.exe	43
PID 4492 wrote to memory of 4980	4492	599b3147d07d7e3fd4c4206fa1d64cfa.exe	43

C:\Users\Admin\AppData\Local\Temp\599b3147d07d7e3fd4c4206fa1d64cfa.exe
"C:\Users\Admin\AppData\Local\Temp\599b3147d07d7e3fd4c4206fa1d64cfa.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Users\Admin\AppData\Local\Temp\599b3147d07d7e3fd4c4206fa1d64cfa.exe
  C:\Users\Admin\AppData\Local\Temp\599b3147d07d7e3fd4c4206fa1d64cfa.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\599b3147d07d7e3fd4c4206fa1d64cfa.exe

Filesize
89KB

MD5
b155d34c691ed346039db7978c92538f

SHA1
ff62ff8e77b9afbb00e830d6da7fb32c53a4b61d

SHA256
dafeace967c9a2586d1e339e7393494b43080bc80a7933c2568bb89dcc65b4b6

SHA512
97c3f62d4836bb622794a639b58deaabf21e7a420186419e1b2d778a0f0beb5b410348d09c70932b6608924544c577a619e272f89e07c15b17f7e74e250173e3

Download Submit
memory/4492-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/4492-1-0x0000000001A60000-0x0000000001B24000-memory.dmp

Filesize
784KB

Download
memory/4492-2-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/4492-12-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/4980-13-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/4980-15-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/4980-14-0x00000000019C0000-0x0000000001A84000-memory.dmp

Filesize
784KB

Download
memory/4980-21-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/4980-20-0x00000000053B0000-0x0000000005543000-memory.dmp

Filesize
1.6MB

Download
memory/4980-30-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download