xmrig | d82267cb3c93b0d2a3bf98728b37d94081d4b5b7b00c412da977bcd6424802a5

Analysis

max time kernel
91s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28-01-2024 07:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c9236948ec393d2da24500f0be2621d.exe
Size

784KB
MD5

7c9236948ec393d2da24500f0be2621d
SHA1

b6a660c060509e2b5929332b080d72d598b5b676
SHA256

d82267cb3c93b0d2a3bf98728b37d94081d4b5b7b00c412da977bcd6424802a5
SHA512

5452fc5f42cba99c4577e3ba5804098e8b46c05d53ce4ca39963143965599d03b036cec12d66850f2ea721c63bf8d15fbcdfe087bf536af139209a907d77b9ed
SSDEEP

24576:W3anqokP83Bt2IewnJCB0vPIhqnpGVn7Mmp7b3:WECD8JLInnomR

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral2/memory/1800-2-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/1800-12-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/3012-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/3012-21-0x0000000005370000-0x0000000005503000-memory.dmp	xmrig
behavioral2/memory/3012-20-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral2/memory/3012-30-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
3012	7c9236948ec393d2da24500f0be2621d.exe

Executes dropped EXE 1 IoCs

pid	Process
3012	7c9236948ec393d2da24500f0be2621d.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1800-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral2/files/0x0009000000023212-11.dat	upx
behavioral2/memory/3012-13-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1800	7c9236948ec393d2da24500f0be2621d.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1800	7c9236948ec393d2da24500f0be2621d.exe
3012	7c9236948ec393d2da24500f0be2621d.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 3012	1800	7c9236948ec393d2da24500f0be2621d.exe	89
PID 1800 wrote to memory of 3012	1800	7c9236948ec393d2da24500f0be2621d.exe	89
PID 1800 wrote to memory of 3012	1800	7c9236948ec393d2da24500f0be2621d.exe	89

C:\Users\Admin\AppData\Local\Temp\7c9236948ec393d2da24500f0be2621d.exe
"C:\Users\Admin\AppData\Local\Temp\7c9236948ec393d2da24500f0be2621d.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Users\Admin\AppData\Local\Temp\7c9236948ec393d2da24500f0be2621d.exe
  C:\Users\Admin\AppData\Local\Temp\7c9236948ec393d2da24500f0be2621d.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7c9236948ec393d2da24500f0be2621d.exe

Filesize
299KB

MD5
afda0ab78eb8bdde15b63a48afebd396

SHA1
446a4e355bf4fd8ee32bea8db21aec8e6b6e4ba9

SHA256
159b8ec16acfd6a4cf0dc3e6cf5085b5c941fff68debe048d36633b1aaa2f1e4

SHA512
deea47583f6753c083ed1bb8b98dce496977753c260a997c40cccdc8389354486590f115642520edd460bfc2a095d4d6bb079d5ad1fb5a9566de5d6c47d0e5db

Download Submit
memory/1800-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1800-2-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1800-1-0x0000000001AE0000-0x0000000001BA4000-memory.dmp

Filesize
784KB

Download
memory/1800-12-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3012-13-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/3012-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3012-15-0x0000000001980000-0x0000000001A44000-memory.dmp

Filesize
784KB

Download
memory/3012-21-0x0000000005370000-0x0000000005503000-memory.dmp

Filesize
1.6MB

Download
memory/3012-20-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3012-30-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download