xmrig | cba456b8210d0b899af786076a0de5ab23efae02de4d831d1f8bacd0b72a171a

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18/01/2024, 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

644e8e8e6ad41a273356cf99df310391.exe
Size

784KB
MD5

644e8e8e6ad41a273356cf99df310391
SHA1

e36e05efd57abe4d3a41948d3f815201ac0ba414
SHA256

cba456b8210d0b899af786076a0de5ab23efae02de4d831d1f8bacd0b72a171a
SHA512

880c0d719f0c702ee58c82ce8eb185e50c7af80c0a06a495554ea3575188ae60142687b0b93999439456216c5c7060199649b3517fc4a1709e7c9b1d41c8909b
SSDEEP

24576:aQNWf9S/gMTP9NXpx2IOaZvOZhO7lw1LZAg:aQMf93MTPPL9BChuAh

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/1948-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/1948-16-0x00000000030E0000-0x00000000033F2000-memory.dmp	xmrig
behavioral1/memory/3048-17-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/1948-19-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/3048-18-0x0000000000400000-0x0000000000712000-memory.dmp	xmrig
behavioral1/memory/3048-29-0x00000000030A0000-0x0000000003233000-memory.dmp	xmrig
behavioral1/memory/3048-25-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/3048-36-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/3048-35-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
3048	644e8e8e6ad41a273356cf99df310391.exe

Executes dropped EXE 1 IoCs

pid	Process
3048	644e8e8e6ad41a273356cf99df310391.exe

Loads dropped DLL 1 IoCs

pid	Process
1948	644e8e8e6ad41a273356cf99df310391.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1948-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x00090000000122c9-10.dat	upx
behavioral1/files/0x00090000000122c9-15.dat	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1948	644e8e8e6ad41a273356cf99df310391.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1948	644e8e8e6ad41a273356cf99df310391.exe
3048	644e8e8e6ad41a273356cf99df310391.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 3048	1948	644e8e8e6ad41a273356cf99df310391.exe	29
PID 1948 wrote to memory of 3048	1948	644e8e8e6ad41a273356cf99df310391.exe	29
PID 1948 wrote to memory of 3048	1948	644e8e8e6ad41a273356cf99df310391.exe	29
PID 1948 wrote to memory of 3048	1948	644e8e8e6ad41a273356cf99df310391.exe	29

C:\Users\Admin\AppData\Local\Temp\644e8e8e6ad41a273356cf99df310391.exe
"C:\Users\Admin\AppData\Local\Temp\644e8e8e6ad41a273356cf99df310391.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\644e8e8e6ad41a273356cf99df310391.exe
  C:\Users\Admin\AppData\Local\Temp\644e8e8e6ad41a273356cf99df310391.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3048

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\644e8e8e6ad41a273356cf99df310391.exe

Filesize
304KB

MD5
157e1dd505d52d4ff14de3f814200f11

SHA1
efb4e7396f6450ba2f25db2e89b6a8f5164a0654

SHA256
031343253dc2f324d2694eb24918f9fecf58eaeeeab5ac726fc9e8a4368f96a2

SHA512
cf02f6e7d9be2a430d7c86aad7d8b4970813ae0819cdb4a4918e5ca0bb3b616d9737ce2f3c9a1a65f29c4ca2a7d6f8a32de48ec0050d968364cb1e789ddc42c8

Download Submit
\Users\Admin\AppData\Local\Temp\644e8e8e6ad41a273356cf99df310391.exe

Filesize
387KB

MD5
fd3b85c6b7d61563ba1a557dfa621023

SHA1
376de214b94decf3dfff284169b99d92bda066ba

SHA256
28168b40875db003c2d0881a0ff91e478bda1f925873e6f7d55a74e5c669b984

SHA512
6cdf8ad31e2101892ff4b5ffb33ec4151406dc8cb51a2c2177e618cc56ab6b43f03ae4c9c514a8dce2393c38182dca169639c679ec0fd79463e70679e52d7170

Download Submit
memory/1948-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1948-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1948-14-0x0000000000610000-0x0000000000711000-memory.dmp

Filesize
1.0MB

Download
memory/1948-16-0x00000000030E0000-0x00000000033F2000-memory.dmp

Filesize
3.1MB

Download
memory/1948-2-0x00000000002E0000-0x00000000003A4000-memory.dmp

Filesize
784KB

Download
memory/1948-19-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3048-18-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/3048-17-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3048-21-0x00000000018B0000-0x0000000001974000-memory.dmp

Filesize
784KB

Download
memory/3048-29-0x00000000030A0000-0x0000000003233000-memory.dmp

Filesize
1.6MB

Download
memory/3048-25-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3048-36-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3048-35-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download