xmrig | 17d596da882046a3e342c9cac40febff9ce88e5a82bfb217a3aa965594f47d94

Analysis

max time kernel
134s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
19/01/2024, 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66edd7c524799d74f7dba3e99d9d4d62.exe
Size

784KB
MD5

66edd7c524799d74f7dba3e99d9d4d62
SHA1

34d5f8a62fc82d641ba80a6f34f2b90930740100
SHA256

17d596da882046a3e342c9cac40febff9ce88e5a82bfb217a3aa965594f47d94
SHA512

6062f9b202a97f723ee2dbc73fddfbd605050434c50a1c0b5548af766958fc0afde5e84e4e4769306898ab156028d009bc6ce85a50770021ea779561137ee039
SSDEEP

24576:j4gSQnJRAuYwlJ/vfdG5swME50wZNjmiYSbu+:8gSQoudZQ5xME9jmR

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral2/memory/1376-2-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/1376-12-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/968-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/968-21-0x0000000005450000-0x00000000055E3000-memory.dmp	xmrig
behavioral2/memory/968-20-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral2/memory/968-30-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
968	66edd7c524799d74f7dba3e99d9d4d62.exe

Executes dropped EXE 1 IoCs

pid	Process
968	66edd7c524799d74f7dba3e99d9d4d62.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1376-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral2/files/0x000a000000023146-11.dat	upx
behavioral2/memory/968-13-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1376	66edd7c524799d74f7dba3e99d9d4d62.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	1796	svchost.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1376	66edd7c524799d74f7dba3e99d9d4d62.exe
968	66edd7c524799d74f7dba3e99d9d4d62.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 968	1376	66edd7c524799d74f7dba3e99d9d4d62.exe	89
PID 1376 wrote to memory of 968	1376	66edd7c524799d74f7dba3e99d9d4d62.exe	89
PID 1376 wrote to memory of 968	1376	66edd7c524799d74f7dba3e99d9d4d62.exe	89

C:\Users\Admin\AppData\Local\Temp\66edd7c524799d74f7dba3e99d9d4d62.exe
"C:\Users\Admin\AppData\Local\Temp\66edd7c524799d74f7dba3e99d9d4d62.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Users\Admin\AppData\Local\Temp\66edd7c524799d74f7dba3e99d9d4d62.exe
  C:\Users\Admin\AppData\Local\Temp\66edd7c524799d74f7dba3e99d9d4d62.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:968

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:1240

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1796

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\66edd7c524799d74f7dba3e99d9d4d62.exe

Filesize
430KB

MD5
5eb23fcc79f9e8d1436d42c425c215cd

SHA1
547e6e62a7e0775211ea739a9a5f18e642f7f781

SHA256
47904b586f9d703af8107867c97324c80a4464458d05cc5d4177b3231e0b0482

SHA512
a516b6e31adc53e6d8b42893494b914927a607accd4a1680589ce5205f52dafabc00051a695b49794ff7af03dde27f742b26ca7c9b6ec8a266f1af352e58b995

Download Submit
memory/968-16-0x0000000001720000-0x00000000017E4000-memory.dmp

Filesize
784KB

Download
memory/968-30-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/968-20-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/968-21-0x0000000005450000-0x00000000055E3000-memory.dmp

Filesize
1.6MB

Download
memory/968-13-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/968-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1376-12-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1376-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1376-2-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1376-1-0x00000000018C0000-0x0000000001984000-memory.dmp

Filesize
784KB

Download
memory/1796-31-0x000002415F290000-0x000002415F2A0000-memory.dmp

Filesize
64KB

Download
memory/1796-47-0x000002415F390000-0x000002415F3A0000-memory.dmp

Filesize
64KB

Download
memory/1796-63-0x0000024167700000-0x0000024167701000-memory.dmp

Filesize
4KB

Download
memory/1796-65-0x0000024167730000-0x0000024167731000-memory.dmp

Filesize
4KB

Download
memory/1796-66-0x0000024167730000-0x0000024167731000-memory.dmp

Filesize
4KB

Download
memory/1796-67-0x0000024167840000-0x0000024167841000-memory.dmp

Filesize
4KB

Download