xmrig | f88ea2cd47890b6dddde081e92623cfb785171daa14e25fcd2786873014b9644

General

Target

9986f82d2019bc52ad5b9e9b19be8526.exe
Size

1.5MB
MD5

9986f82d2019bc52ad5b9e9b19be8526
SHA1

48de6f9e7f32add970818c253f48df3fcaf539e5
SHA256

f88ea2cd47890b6dddde081e92623cfb785171daa14e25fcd2786873014b9644
SHA512

7d238e2880db95dbfb98ec8520df1cec416eaffdf1619de6103cbe4740cb449525791c105b6ab7a3042b17d2076a63d8adba7d07ec71131644f869a51eb507c6
SSDEEP

49152:z7Mw0FXUXNyGBAOFe6ESMNz50oa1bndQTh8epimZz:kw0FXmyEFe6EjGoa1bOTNpi8

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/2344-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2344-15-0x0000000003720000-0x0000000003A32000-memory.dmp	xmrig
behavioral1/memory/2344-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2720-18-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2720-24-0x0000000003280000-0x0000000003413000-memory.dmp	xmrig
behavioral1/memory/2720-25-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2720-34-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2720	9986f82d2019bc52ad5b9e9b19be8526.exe

Executes dropped EXE 1 IoCs

pid	Process
2720	9986f82d2019bc52ad5b9e9b19be8526.exe

Loads dropped DLL 1 IoCs

pid	Process
2344	9986f82d2019bc52ad5b9e9b19be8526.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2344-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000b00000001226e-16.dat	upx
behavioral1/memory/2720-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000b00000001226e-13.dat	upx
behavioral1/files/0x000b00000001226e-10.dat	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2344	9986f82d2019bc52ad5b9e9b19be8526.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2344	9986f82d2019bc52ad5b9e9b19be8526.exe
2720	9986f82d2019bc52ad5b9e9b19be8526.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2720	2344	9986f82d2019bc52ad5b9e9b19be8526.exe	29
PID 2344 wrote to memory of 2720	2344	9986f82d2019bc52ad5b9e9b19be8526.exe	29
PID 2344 wrote to memory of 2720	2344	9986f82d2019bc52ad5b9e9b19be8526.exe	29
PID 2344 wrote to memory of 2720	2344	9986f82d2019bc52ad5b9e9b19be8526.exe	29

C:\Users\Admin\AppData\Local\Temp\9986f82d2019bc52ad5b9e9b19be8526.exe
"C:\Users\Admin\AppData\Local\Temp\9986f82d2019bc52ad5b9e9b19be8526.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\AppData\Local\Temp\9986f82d2019bc52ad5b9e9b19be8526.exe
  C:\Users\Admin\AppData\Local\Temp\9986f82d2019bc52ad5b9e9b19be8526.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2720

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\9986f82d2019bc52ad5b9e9b19be8526.exe

Filesize
273KB

MD5
c583c08e4c6f5f9d595416313b27f714

SHA1
d30c0553353933e4682c945fe7a3590ae2c27526

SHA256
922340dc679b1f5a620af3121aebb0a8bb7a80b7f46103af4f97ca2e078183b7

SHA512
b2daf4aced63d23d89e6881e7828000fe26b7b60dca012369c41d7b79a29695aafb21b17c2025e181ec9854e73da372887f292fc999277f1b9a48c9d6a3ee8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\9986f82d2019bc52ad5b9e9b19be8526.exe

Filesize
640KB

MD5
0517ddea1e7f3db642e1d3788a981257

SHA1
bcd6eb66205554e44d2e9ad885b1e04c66bfad71

SHA256
8fadba4311eb37181e66881fc21092f6f7d8d8e41fe4f460e4c67dad8bf8119a

SHA512
399b9c8909deeff6c7797258f27a607a1f61dc02100ad1ac7813b938ef4bba09432000f838a4d84b80d912ad9276ae5118c1fc31ee301e26fba29223ab5c5dca

Download Submit
\Users\Admin\AppData\Local\Temp\9986f82d2019bc52ad5b9e9b19be8526.exe

Filesize
784KB

MD5
6715483978dfa81421c93ba4a6589bf0

SHA1
1bbf46330e0a88d1e46ad9c804dd7503c75d9d2d

SHA256
abf8d59057a7884cc99e352c55a81c102239e325347a79bf93336dbe6edf0b09

SHA512
f7eaa7d7b84475f863319943eb6e76ee88f3e94a6065cf821d3ea8a133f339f942632d33bd61b3b323ac53533cf0f862fdb52cdc8ec1de477a3f52d8805e35d0

Download Submit
memory/2344-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2344-15-0x0000000003720000-0x0000000003A32000-memory.dmp

Filesize
3.1MB

Download
memory/2344-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2344-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2344-2-0x0000000000120000-0x00000000001E4000-memory.dmp

Filesize
784KB

Download
memory/2720-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2720-18-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2720-20-0x0000000000120000-0x00000000001E4000-memory.dmp

Filesize
784KB

Download
memory/2720-24-0x0000000003280000-0x0000000003413000-memory.dmp

Filesize
1.6MB

Download
memory/2720-25-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2720-34-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing