xmrig | 15623c33785507a082a25846321c2592eac4f6f4b2205853c0460e46cf5cf3d5

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ae7e34678179db6c0c58fd57af9e643.exe
Size

784KB
MD5

8ae7e34678179db6c0c58fd57af9e643
SHA1

f6af949692f4dc09f21546223c2d065c32f2cccf
SHA256

15623c33785507a082a25846321c2592eac4f6f4b2205853c0460e46cf5cf3d5
SHA512

abf03125234c92cda114e04001475903c4e568c1436c385fa22fa3348a54b47292e7cecc31e2d2521756a9587bfac6c09d3a8978e42dad888080f6cf08209ebb
SSDEEP

12288:bJxIF1sO9llCmo3dQiMdGzfDtvV2tSLvrxhCZUrPREmfyvb8+l0L8aRGv0:H0s2lCmfiMdGzfDtvcm9HExd6Qagv0

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/2896-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2896-16-0x0000000003220000-0x0000000003532000-memory.dmp	xmrig
behavioral1/memory/2896-15-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/3040-18-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/3040-26-0x0000000003070000-0x0000000003203000-memory.dmp	xmrig
behavioral1/memory/3040-24-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/3040-35-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/3040-34-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
3040	8ae7e34678179db6c0c58fd57af9e643.exe

Executes dropped EXE 1 IoCs

pid	Process
3040	8ae7e34678179db6c0c58fd57af9e643.exe

Loads dropped DLL 1 IoCs

pid	Process
2896	8ae7e34678179db6c0c58fd57af9e643.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2896-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000c000000012251-10.dat	upx
behavioral1/files/0x000c000000012251-14.dat	upx
behavioral1/memory/3040-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2896	8ae7e34678179db6c0c58fd57af9e643.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2896	8ae7e34678179db6c0c58fd57af9e643.exe
3040	8ae7e34678179db6c0c58fd57af9e643.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 3040	2896	8ae7e34678179db6c0c58fd57af9e643.exe	29
PID 2896 wrote to memory of 3040	2896	8ae7e34678179db6c0c58fd57af9e643.exe	29
PID 2896 wrote to memory of 3040	2896	8ae7e34678179db6c0c58fd57af9e643.exe	29
PID 2896 wrote to memory of 3040	2896	8ae7e34678179db6c0c58fd57af9e643.exe	29

C:\Users\Admin\AppData\Local\Temp\8ae7e34678179db6c0c58fd57af9e643.exe
"C:\Users\Admin\AppData\Local\Temp\8ae7e34678179db6c0c58fd57af9e643.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Users\Admin\AppData\Local\Temp\8ae7e34678179db6c0c58fd57af9e643.exe
  C:\Users\Admin\AppData\Local\Temp\8ae7e34678179db6c0c58fd57af9e643.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3040

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8ae7e34678179db6c0c58fd57af9e643.exe

Filesize
523KB

MD5
b747820337da5991659756903d2d2e81

SHA1
0123e729ba6ccbdb3146e951eb273bdc4d44dbc2

SHA256
e332fd85f86dbded7cfccab37d28e02196bf7e8d85e3409be229fd4db13cf586

SHA512
03d93b0e429c535da1fa65476f667162ab594dcf430d03cf03c60b53a3f45b2805a34bd838f40f1e658721b0fd1a0cd309bbb7febe4fc147853d083006a4f55c

Download Submit
\Users\Admin\AppData\Local\Temp\8ae7e34678179db6c0c58fd57af9e643.exe

Filesize
472KB

MD5
820d49d20b708b270d4a079b538d0cc3

SHA1
175f5407ba8270422e40937120e7ea4c7b2e4429

SHA256
151c6918376d89810a19a6b86eb942d2cb586d2906917e258f4a2d1a367ca7ed

SHA512
f979a89c282a929df174009f9e72a5ce1e1444c4a4c2660a587d393ba3e302d8165235856857a7bd7e3bdc7982ad183a255b319573de62c4800a2ce23366c677

Download Submit
memory/2896-3-0x0000000000120000-0x00000000001E4000-memory.dmp

Filesize
784KB

Download
memory/2896-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2896-16-0x0000000003220000-0x0000000003532000-memory.dmp

Filesize
3.1MB

Download
memory/2896-15-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2896-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2896-36-0x0000000003220000-0x0000000003532000-memory.dmp

Filesize
3.1MB

Download
memory/3040-19-0x0000000001720000-0x00000000017E4000-memory.dmp

Filesize
784KB

Download
memory/3040-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/3040-26-0x0000000003070000-0x0000000003203000-memory.dmp

Filesize
1.6MB

Download
memory/3040-24-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3040-35-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3040-34-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download
memory/3040-18-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download