xmrig | a6ec206eea7b857bd87e00ad0d66ff5f82d14953984c578bb6a3de0ca3631e75

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19/01/2024, 12:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

67a724067571a1a716ebc5e9a14a4243.exe
Size

784KB
MD5

67a724067571a1a716ebc5e9a14a4243
SHA1

584e1bf60f0826c6ce7a2552e4322ec7874eebb6
SHA256

a6ec206eea7b857bd87e00ad0d66ff5f82d14953984c578bb6a3de0ca3631e75
SHA512

e6f6e83712864e546cc17d135f112124ddbcd4ad5a98fa6b18467477da7122ac14ac0616cc33be624ccab4c7da66fc7b32e5124f523b5796d65373d3c3a1c5ec
SSDEEP

12288:VkWLkT2kMoA/Bfum/8q4+5E8OiyD1rEgnjJald1G1zshb5mZfYT5+7IBRPZO1/RZ:fLki7odg8mE79FLc01zsCGtz2/YB

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/2444-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2444-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2444-15-0x00000000031F0000-0x0000000003502000-memory.dmp	xmrig
behavioral1/memory/2348-19-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2348-25-0x0000000003150000-0x00000000032E3000-memory.dmp	xmrig
behavioral1/memory/2348-24-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2348-34-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2348	67a724067571a1a716ebc5e9a14a4243.exe

Executes dropped EXE 1 IoCs

pid	Process
2348	67a724067571a1a716ebc5e9a14a4243.exe

Loads dropped DLL 1 IoCs

pid	Process
2444	67a724067571a1a716ebc5e9a14a4243.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2444-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000a000000012243-10.dat	upx
behavioral1/memory/2444-15-0x00000000031F0000-0x0000000003502000-memory.dmp	upx
behavioral1/files/0x000a000000012243-16.dat	upx
behavioral1/memory/2348-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2444	67a724067571a1a716ebc5e9a14a4243.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2444	67a724067571a1a716ebc5e9a14a4243.exe
2348	67a724067571a1a716ebc5e9a14a4243.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2348	2444	67a724067571a1a716ebc5e9a14a4243.exe	29
PID 2444 wrote to memory of 2348	2444	67a724067571a1a716ebc5e9a14a4243.exe	29
PID 2444 wrote to memory of 2348	2444	67a724067571a1a716ebc5e9a14a4243.exe	29
PID 2444 wrote to memory of 2348	2444	67a724067571a1a716ebc5e9a14a4243.exe	29

C:\Users\Admin\AppData\Local\Temp\67a724067571a1a716ebc5e9a14a4243.exe
"C:\Users\Admin\AppData\Local\Temp\67a724067571a1a716ebc5e9a14a4243.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Users\Admin\AppData\Local\Temp\67a724067571a1a716ebc5e9a14a4243.exe
  C:\Users\Admin\AppData\Local\Temp\67a724067571a1a716ebc5e9a14a4243.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2348

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\67a724067571a1a716ebc5e9a14a4243.exe

Filesize
784KB

MD5
1a5486337929378347a91078c6156f66

SHA1
445aa0149c5655bf85f569bb4da612a4f3c19ebd

SHA256
31da0b7ca695d2913e6a3e412651516f396dd2538ff812f1baf1fe46091e9ea4

SHA512
ca3f06309da8b2272cec8862b2a66dd57980e398efa1942d365b3a79ad41a983a689014ed394e031417d2b3c1cf8b24a5d0dd68ab03207630bd7c20322e0710b

Download Submit
\Users\Admin\AppData\Local\Temp\67a724067571a1a716ebc5e9a14a4243.exe

Filesize
704KB

MD5
b757770f1215eadfd689471d3bf0cb0f

SHA1
fe3fd0aaab52f241ae04b593d7cc480e992cfff0

SHA256
aed26fa85dee690ec4c91b35e933f5c4bdeeb7bfbc33d9da0d73a9d4f15008c7

SHA512
80d3795c1117069f146d220982c931a594b1c3a33e7b33dbbeb4da4d31206840227ade721770ac8d1f55bb7210708dcdf8dc170940f955c6bce9032d097c9341

Download Submit
memory/2348-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2348-18-0x0000000000320000-0x00000000003E4000-memory.dmp

Filesize
784KB

Download
memory/2348-19-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2348-25-0x0000000003150000-0x00000000032E3000-memory.dmp

Filesize
1.6MB

Download
memory/2348-24-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2348-34-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2444-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2444-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2444-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2444-15-0x00000000031F0000-0x0000000003502000-memory.dmp

Filesize
3.1MB

Download
memory/2444-2-0x0000000000330000-0x00000000003F4000-memory.dmp

Filesize
784KB

Download