xmrig | c8eaed9aba7faa9d6beffb516566d4ab2e040710cc83235bdc709cd271b6dcd6

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/02/2024, 03:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

986ae8da2ef6fb82e630c3bd1351b955.exe
Size

784KB
MD5

986ae8da2ef6fb82e630c3bd1351b955
SHA1

1ae85f8c16466319f3c85c421539fe8297a6e6ab
SHA256

c8eaed9aba7faa9d6beffb516566d4ab2e040710cc83235bdc709cd271b6dcd6
SHA512

99692fb945adb31c4c78051c2c1ec5c5cf91698fd805151c9668a49a2d34d39dd309923864e73b58cac1e54991980267ed6e7b561f5357f60b418ddb2802a849
SSDEEP

12288:LOq9gCT47760Q6TPr361MpnWUQyqbdz/tbwa0RDjTk/ripOrPI:LngCT47jDHZxhgz/tIDjTk/EO

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/3000-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/3000-15-0x0000000003230000-0x0000000003542000-memory.dmp	xmrig
behavioral1/memory/3000-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2380-19-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2380-25-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2380-24-0x0000000003090000-0x0000000003223000-memory.dmp	xmrig
behavioral1/memory/2380-35-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2380-34-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2380	986ae8da2ef6fb82e630c3bd1351b955.exe

Executes dropped EXE 1 IoCs

pid	Process
2380	986ae8da2ef6fb82e630c3bd1351b955.exe

Loads dropped DLL 1 IoCs

pid	Process
3000	986ae8da2ef6fb82e630c3bd1351b955.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3000-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000a000000012232-10.dat	upx
behavioral1/files/0x000a000000012232-16.dat	upx
behavioral1/files/0x000a000000012232-13.dat	upx
behavioral1/memory/2380-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3000	986ae8da2ef6fb82e630c3bd1351b955.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3000	986ae8da2ef6fb82e630c3bd1351b955.exe
2380	986ae8da2ef6fb82e630c3bd1351b955.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2380	3000	986ae8da2ef6fb82e630c3bd1351b955.exe	29
PID 3000 wrote to memory of 2380	3000	986ae8da2ef6fb82e630c3bd1351b955.exe	29
PID 3000 wrote to memory of 2380	3000	986ae8da2ef6fb82e630c3bd1351b955.exe	29
PID 3000 wrote to memory of 2380	3000	986ae8da2ef6fb82e630c3bd1351b955.exe	29

C:\Users\Admin\AppData\Local\Temp\986ae8da2ef6fb82e630c3bd1351b955.exe
"C:\Users\Admin\AppData\Local\Temp\986ae8da2ef6fb82e630c3bd1351b955.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\AppData\Local\Temp\986ae8da2ef6fb82e630c3bd1351b955.exe
  C:\Users\Admin\AppData\Local\Temp\986ae8da2ef6fb82e630c3bd1351b955.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2380

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\986ae8da2ef6fb82e630c3bd1351b955.exe

Filesize
64KB

MD5
fbb54a6386df378aaa3a688da8fb2b52

SHA1
edc6e7ed9b3c4c1c97f500d78e92d5f790a6c874

SHA256
1c937642ae0da04f2a11a164ffa5a12463347fe889a3525b816d93eab88b48a9

SHA512
3d21b72df79bd658d9a92bc04886793bab005d8d4fd4fe4a69b9b5a3db9ebe0740b175cef590f2a51198ca330cb88848fd5b22c912b1682a96094b4793176d73

Download Submit
\Users\Admin\AppData\Local\Temp\986ae8da2ef6fb82e630c3bd1351b955.exe

Filesize
256KB

MD5
d6f1485768eac7d9c81681038665a587

SHA1
37dea6929caa5b3654c2a209be2193dc54303167

SHA256
c722340ccf63f0aa9e12d05c3a6b28db3ed8f022882b8233981095887f12b616

SHA512
0fe271ce897b19621a21c3970f656bd1504eab708d02dbd8c2dc7c1364915097ab9206a7fce1ab1b07637b99c609a92c0c3173b13315e82ac81c9aba9f7c9311

Download Submit
memory/2380-19-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2380-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2380-18-0x0000000001720000-0x00000000017E4000-memory.dmp

Filesize
784KB

Download
memory/2380-25-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2380-24-0x0000000003090000-0x0000000003223000-memory.dmp

Filesize
1.6MB

Download
memory/2380-35-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2380-34-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download
memory/3000-15-0x0000000003230000-0x0000000003542000-memory.dmp

Filesize
3.1MB

Download
memory/3000-2-0x0000000000120000-0x00000000001E4000-memory.dmp

Filesize
784KB

Download
memory/3000-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3000-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3000-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download