xmrig | ecadccae02436c20e7a3297ffd0ddb4024e46192f0e1577c42cc1d9f1526b04d

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03/02/2024, 16:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8cce0f9afa920130f77a9afdfe8013bd.exe
Size

784KB
MD5

8cce0f9afa920130f77a9afdfe8013bd
SHA1

6c9f3be2cdc9889e1c3a2feaff3f7cb9c2f866e0
SHA256

ecadccae02436c20e7a3297ffd0ddb4024e46192f0e1577c42cc1d9f1526b04d
SHA512

01b3f62976a6384a8c96eb49e38e52812a1899e01eaaa07ad942398d827418e4590e2984d1ca8d3e5a73dba23f5a2204eb8d551ddb18e0b0597bfb0daff9be20
SSDEEP

24576:+iMx1H2ajI7UzyIHzc8j0QNLoYsU/CPp1IUDD8Uzg:+b2aj+UHw8j0QNLD/C/vV

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral1/memory/2132-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2132-15-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2264-18-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2264-25-0x00000000031D0000-0x0000000003363000-memory.dmp	xmrig
behavioral1/memory/2264-24-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2264-34-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2264	8cce0f9afa920130f77a9afdfe8013bd.exe

Executes dropped EXE 1 IoCs

pid	Process
2264	8cce0f9afa920130f77a9afdfe8013bd.exe

Loads dropped DLL 1 IoCs

pid	Process
2132	8cce0f9afa920130f77a9afdfe8013bd.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2132-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000b00000001225c-10.dat	upx
behavioral1/files/0x000b00000001225c-16.dat	upx
behavioral1/memory/2132-14-0x0000000003080000-0x0000000003392000-memory.dmp	upx
behavioral1/files/0x000b00000001225c-13.dat	upx
behavioral1/memory/2264-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2132	8cce0f9afa920130f77a9afdfe8013bd.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2132	8cce0f9afa920130f77a9afdfe8013bd.exe
2264	8cce0f9afa920130f77a9afdfe8013bd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2264	2132	8cce0f9afa920130f77a9afdfe8013bd.exe	29
PID 2132 wrote to memory of 2264	2132	8cce0f9afa920130f77a9afdfe8013bd.exe	29
PID 2132 wrote to memory of 2264	2132	8cce0f9afa920130f77a9afdfe8013bd.exe	29
PID 2132 wrote to memory of 2264	2132	8cce0f9afa920130f77a9afdfe8013bd.exe	29

C:\Users\Admin\AppData\Local\Temp\8cce0f9afa920130f77a9afdfe8013bd.exe
"C:\Users\Admin\AppData\Local\Temp\8cce0f9afa920130f77a9afdfe8013bd.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\8cce0f9afa920130f77a9afdfe8013bd.exe
  C:\Users\Admin\AppData\Local\Temp\8cce0f9afa920130f77a9afdfe8013bd.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2264

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8cce0f9afa920130f77a9afdfe8013bd.exe

Filesize
256KB

MD5
4fcbf1f27f8c55a5dc320d9c584da67c

SHA1
ca3a6fb1ceb91978101d319e2a19d9324eaadd67

SHA256
0c4d90536bea64457e107275a621b4a131e6b885429823b6eeccf1ffac8794ec

SHA512
cfffe0b3fa04ad9594d3483233b7b0ece56b59594447fce30282b5dbdeb108a038c4399015beb422a95a8ba1505f62cefa3acca43939220af1b167a7d0538e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\8cce0f9afa920130f77a9afdfe8013bd.exe

Filesize
239KB

MD5
aeac23e64ed6ed6387304760494f9134

SHA1
d976b8782c7c3278febd32ae3be1151680b6ab17

SHA256
db979b0fcdcab76e195461a98d3af66d856fbd39b1c29050928b9c4e36e562ff

SHA512
1d6fd9c7dac299a8d82eeda41048e1f85b8c5bc76c23fa85685d439ce5e91d7c2c160be6550b51bedea202caa77044e73320e4539895a9e654b45ec046206556

Download Submit
\Users\Admin\AppData\Local\Temp\8cce0f9afa920130f77a9afdfe8013bd.exe

Filesize
285KB

MD5
d10e1d53b04f638b6c7233a25c578f36

SHA1
4b48794fe7a4ff4ce06ce1d4e64c46325e58b27d

SHA256
8b1efaaa3e976f20b0382e9955023c031404808310907fc97a747bff7a889387

SHA512
ee6da28d5e10209e46b93615d2cc6d8a97c7d16d02e4c49733d2716f958988c9992e6a3d592432b6a69258f49a225ac44c7363012a31e946721aa142d749a37d

Download Submit
memory/2132-14-0x0000000003080000-0x0000000003392000-memory.dmp

Filesize
3.1MB

Download
memory/2132-15-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2132-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2132-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2132-2-0x0000000000120000-0x00000000001E4000-memory.dmp

Filesize
784KB

Download
memory/2264-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2264-19-0x0000000001720000-0x00000000017E4000-memory.dmp

Filesize
784KB

Download
memory/2264-18-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2264-25-0x00000000031D0000-0x0000000003363000-memory.dmp

Filesize
1.6MB

Download
memory/2264-24-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2264-34-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download