xmrig | d82267cb3c93b0d2a3bf98728b37d94081d4b5b7b00c412da977bcd6424802a5

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/01/2024, 07:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7c9236948ec393d2da24500f0be2621d.exe
Size

784KB
MD5

7c9236948ec393d2da24500f0be2621d
SHA1

b6a660c060509e2b5929332b080d72d598b5b676
SHA256

d82267cb3c93b0d2a3bf98728b37d94081d4b5b7b00c412da977bcd6424802a5
SHA512

5452fc5f42cba99c4577e3ba5804098e8b46c05d53ce4ca39963143965599d03b036cec12d66850f2ea721c63bf8d15fbcdfe087bf536af139209a907d77b9ed
SSDEEP

24576:W3anqokP83Bt2IewnJCB0vPIhqnpGVn7Mmp7b3:WECD8JLInnomR

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/2532-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2356-17-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2356-18-0x0000000000400000-0x0000000000712000-memory.dmp	xmrig
behavioral1/memory/2532-16-0x0000000003080000-0x0000000003392000-memory.dmp	xmrig
behavioral1/memory/2532-15-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2356-25-0x0000000003110000-0x00000000032A3000-memory.dmp	xmrig
behavioral1/memory/2356-24-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2356-35-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2356-34-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2356	7c9236948ec393d2da24500f0be2621d.exe

Executes dropped EXE 1 IoCs

pid	Process
2356	7c9236948ec393d2da24500f0be2621d.exe

Loads dropped DLL 1 IoCs

pid	Process
2532	7c9236948ec393d2da24500f0be2621d.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2532-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000a00000001225c-10.dat	upx
behavioral1/files/0x000a00000001225c-14.dat	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2532	7c9236948ec393d2da24500f0be2621d.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2532	7c9236948ec393d2da24500f0be2621d.exe
2356	7c9236948ec393d2da24500f0be2621d.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2356	2532	7c9236948ec393d2da24500f0be2621d.exe	29
PID 2532 wrote to memory of 2356	2532	7c9236948ec393d2da24500f0be2621d.exe	29
PID 2532 wrote to memory of 2356	2532	7c9236948ec393d2da24500f0be2621d.exe	29
PID 2532 wrote to memory of 2356	2532	7c9236948ec393d2da24500f0be2621d.exe	29

C:\Users\Admin\AppData\Local\Temp\7c9236948ec393d2da24500f0be2621d.exe
"C:\Users\Admin\AppData\Local\Temp\7c9236948ec393d2da24500f0be2621d.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Local\Temp\7c9236948ec393d2da24500f0be2621d.exe
  C:\Users\Admin\AppData\Local\Temp\7c9236948ec393d2da24500f0be2621d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2356

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7c9236948ec393d2da24500f0be2621d.exe

Filesize
352KB

MD5
6d66317669dd2faef3b2f426422dc407

SHA1
54cc5c9225c0af50b841b99a8b2ac146ec25b761

SHA256
78b4601f0566d74623fc0786fecd9b1940872c8f421907f327b3a69848306b03

SHA512
7335e020c9036d215fcd4dfada98bb739f82b60746784e33c7e3c0f41637573f8bb619ed32585ffd0e5990c8b7bfd5799ede611ea6bb63a9fac29dbb211df1a8

Download Submit
\Users\Admin\AppData\Local\Temp\7c9236948ec393d2da24500f0be2621d.exe

Filesize
365KB

MD5
8edb7cc5b06c5baba05b2b8cc84932c2

SHA1
ddddb0eb60a8840d456bde685b1b63a1847c2368

SHA256
01e92978ed47f5a5e760883a0c8575a5840875b22b02e01efe73dff7478f3c0c

SHA512
3d3b1e1750f87df5d9c3a719319273fa615c2d5268a42525a6ad8e892dfd1a25446189f29568a898393ca811fe7d4655a06db9b0effa3b9abd723209caba284d

Download Submit
memory/2356-17-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2356-18-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2356-20-0x0000000000120000-0x00000000001E4000-memory.dmp

Filesize
784KB

Download
memory/2356-25-0x0000000003110000-0x00000000032A3000-memory.dmp

Filesize
1.6MB

Download
memory/2356-24-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2356-35-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2356-34-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download
memory/2532-3-0x0000000000120000-0x00000000001E4000-memory.dmp

Filesize
784KB

Download
memory/2532-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2532-16-0x0000000003080000-0x0000000003392000-memory.dmp

Filesize
3.1MB

Download
memory/2532-15-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2532-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download