xmrig | d8f53fe4f5750927b473b9a5996f105ebb4242aa002caa24acc099970e0855d6

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13-02-2024 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a18886d87ea8a855a4b97c1903951c9.exe
Size

784KB
MD5

9a18886d87ea8a855a4b97c1903951c9
SHA1

146499a1cabae6f2e59a9b18a647b977432a90a1
SHA256

d8f53fe4f5750927b473b9a5996f105ebb4242aa002caa24acc099970e0855d6
SHA512

427a14a434ad175006a821d243a67257d570094b3d69032f903654f637ab7a1eed21f09e42c76e3b359a1a34f5989a325fa0c11cb4a6bf7193fa6fcc16b95545
SSDEEP

12288:bhHbZHYUXmNTyycKlKFcyzzIk2B61Jl8hVrxWGQ+xO5bhAymOPbNA3F:1lHYUXO+ylwWyHI1iqtxKXbZG1

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/1744-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/1744-15-0x0000000003220000-0x0000000003532000-memory.dmp	xmrig
behavioral1/memory/1744-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/1852-18-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/1852-25-0x0000000003110000-0x00000000032A3000-memory.dmp	xmrig
behavioral1/memory/1852-24-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/1852-35-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/1852-34-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
1852	9a18886d87ea8a855a4b97c1903951c9.exe

Executes dropped EXE 1 IoCs

pid	Process
1852	9a18886d87ea8a855a4b97c1903951c9.exe

Loads dropped DLL 1 IoCs

pid	Process
1744	9a18886d87ea8a855a4b97c1903951c9.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1744-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x0009000000012261-16.dat	upx
behavioral1/files/0x0009000000012261-12.dat	upx
behavioral1/memory/1852-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1744	9a18886d87ea8a855a4b97c1903951c9.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1744	9a18886d87ea8a855a4b97c1903951c9.exe
1852	9a18886d87ea8a855a4b97c1903951c9.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 1852	1744	9a18886d87ea8a855a4b97c1903951c9.exe	29
PID 1744 wrote to memory of 1852	1744	9a18886d87ea8a855a4b97c1903951c9.exe	29
PID 1744 wrote to memory of 1852	1744	9a18886d87ea8a855a4b97c1903951c9.exe	29
PID 1744 wrote to memory of 1852	1744	9a18886d87ea8a855a4b97c1903951c9.exe	29

C:\Users\Admin\AppData\Local\Temp\9a18886d87ea8a855a4b97c1903951c9.exe
"C:\Users\Admin\AppData\Local\Temp\9a18886d87ea8a855a4b97c1903951c9.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Users\Admin\AppData\Local\Temp\9a18886d87ea8a855a4b97c1903951c9.exe
  C:\Users\Admin\AppData\Local\Temp\9a18886d87ea8a855a4b97c1903951c9.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9a18886d87ea8a855a4b97c1903951c9.exe

Filesize
192KB

MD5
c596e18a56d0c15d7281424a10b2312b

SHA1
8787ad6150af7a135c8f0a3a315eb3cdb1e11cca

SHA256
4e81b44a7e40f8a00cdec43c4454a3d3bf8efe7eac536962c948844d22dc5259

SHA512
3b3e3eb1ddbdedf34ccad97986e4e1ade91fcb75e28f1dcf445d282f549212c5d24d422a06014af2b05c06c4051218ba89525b6806e20551d7493837a3424d01

Download Submit
C:\Users\Admin\AppData\Local\Temp\9a18886d87ea8a855a4b97c1903951c9.exe

Filesize
784KB

MD5
073da7d9c0cc6c0c9df79f9c31ef74ef

SHA1
a86ffe00c31ab8953be4674e35da0acc62a583c6

SHA256
a2cb5e4167340ecc97457b2eeacc7d59434e5bd5b44b7bd21e255df928c815fd

SHA512
975bed11458414efbd59dad869a22c75bded1407c486db27f01801beb1166188e3ca05beafc86ccd9f4d3b6ae61b61a115dddddd91f03a6bce9a8f32910b1a40

Download Submit
memory/1744-3-0x0000000000120000-0x00000000001E4000-memory.dmp

Filesize
784KB

Download
memory/1744-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1744-15-0x0000000003220000-0x0000000003532000-memory.dmp

Filesize
3.1MB

Download
memory/1744-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1744-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1852-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1852-18-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1852-19-0x00000000018B0000-0x0000000001974000-memory.dmp

Filesize
784KB

Download
memory/1852-25-0x0000000003110000-0x00000000032A3000-memory.dmp

Filesize
1.6MB

Download
memory/1852-24-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1852-35-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1852-34-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download