xmrig | c9f1ee0f5e08b6bae2ce0b443c3d4763b3d15067a8b33ab476c2af0d98114978

Analysis

max time kernel
13s
max time network
28s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9f1ee0f5e08b6bae2ce0b443c3d4763b3d15067a8b33ab476c2af0d98114978.exe
Size

1.8MB
MD5

22187055b3393de106ffa2dd8d5410b0
SHA1

0fad769e260003d3ef09f636269257990032a6ad
SHA256

c9f1ee0f5e08b6bae2ce0b443c3d4763b3d15067a8b33ab476c2af0d98114978
SHA512

bedc432814c0910e3638490175d69ded46497c931ee7ab500b2d8e00ad2d2baf3e9c747775586eac1064bb1ffa97c1fd74022290ad06b041d1390428dfed4226
SSDEEP

49152:BezaTF8FcNkNdfE0pZ9ozt4wIlMmiQl77PhN/:BemTLkNdfE0pZrR

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

UPX dump on OEP (original entry point) 9 IoCs

resource	yara_rule
behavioral2/memory/3844-0-0x00007FF70F450000-0x00007FF70F7A4000-memory.dmp	UPX
behavioral2/files/0x000300000001e9a0-5.dat	UPX
behavioral2/files/0x000a00000002316b-7.dat	UPX
behavioral2/files/0x00070000000231f2-77.dat	UPX
behavioral2/files/0x00070000000231ef-51.dat	UPX
behavioral2/files/0x00070000000231f0-26.dat	UPX
behavioral2/files/0x00070000000231ee-18.dat	UPX
behavioral2/files/0x0007000000023201-109.dat	UPX
behavioral2/files/0x00070000000231fc-94.dat	UPX

XMRig Miner payload 16 IoCs

miner

resource	yara_rule
behavioral2/memory/3844-0-0x00007FF70F450000-0x00007FF70F7A4000-memory.dmp	xmrig
behavioral2/files/0x000300000001e9a0-5.dat	xmrig
behavioral2/files/0x000a00000002316b-7.dat	xmrig
behavioral2/files/0x00070000000231f3-52.dat	xmrig
behavioral2/files/0x00070000000231f2-77.dat	xmrig
behavioral2/files/0x00070000000231ef-51.dat	xmrig
behavioral2/files/0x00070000000231ee-40.dat	xmrig
behavioral2/files/0x000a00000002316b-23.dat	xmrig
behavioral2/memory/844-27-0x00007FF615560000-0x00007FF6158B4000-memory.dmp	xmrig
behavioral2/files/0x00070000000231f0-26.dat	xmrig
behavioral2/files/0x00070000000231ee-18.dat	xmrig
behavioral2/memory/3732-12-0x00007FF6A9170000-0x00007FF6A94C4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023201-109.dat	xmrig
behavioral2/memory/220-59-0x00007FF6C7130000-0x00007FF6C7484000-memory.dmp	xmrig
behavioral2/files/0x00070000000231fc-94.dat	xmrig
behavioral2/memory/2924-695-0x00007FF726280000-0x00007FF7265D4000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

pid	Process
3732	HJvxguG.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3844-0-0x00007FF70F450000-0x00007FF70F7A4000-memory.dmp	upx
behavioral2/files/0x000300000001e9a0-5.dat	upx
behavioral2/files/0x000a00000002316b-7.dat	upx
behavioral2/files/0x00070000000231f3-52.dat	upx
behavioral2/files/0x00070000000231f2-77.dat	upx
behavioral2/files/0x00070000000231ef-51.dat	upx
behavioral2/files/0x00070000000231ee-40.dat	upx
behavioral2/files/0x000a00000002316b-23.dat	upx
behavioral2/memory/844-27-0x00007FF615560000-0x00007FF6158B4000-memory.dmp	upx
behavioral2/files/0x00070000000231f0-26.dat	upx
behavioral2/files/0x00070000000231ee-18.dat	upx
behavioral2/memory/3732-12-0x00007FF6A9170000-0x00007FF6A94C4000-memory.dmp	upx
behavioral2/files/0x0007000000023201-109.dat	upx
behavioral2/memory/220-59-0x00007FF6C7130000-0x00007FF6C7484000-memory.dmp	upx
behavioral2/files/0x00070000000231fc-94.dat	upx
behavioral2/memory/4516-458-0x00007FF683810000-0x00007FF683B64000-memory.dmp	upx
behavioral2/memory/3236-638-0x00007FF7D54D0000-0x00007FF7D5824000-memory.dmp	upx
behavioral2/memory/3904-692-0x00007FF63B500000-0x00007FF63B854000-memory.dmp	upx
behavioral2/memory/2924-695-0x00007FF726280000-0x00007FF7265D4000-memory.dmp	upx
behavioral2/memory/3124-698-0x00007FF72D890000-0x00007FF72DBE4000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System\HJvxguG.exe	c9f1ee0f5e08b6bae2ce0b443c3d4763b3d15067a8b33ab476c2af0d98114978.exe
File created	C:\Windows\System\NPrFdKE.exe	c9f1ee0f5e08b6bae2ce0b443c3d4763b3d15067a8b33ab476c2af0d98114978.exe
File created	C:\Windows\System\ZyKLOlJ.exe	c9f1ee0f5e08b6bae2ce0b443c3d4763b3d15067a8b33ab476c2af0d98114978.exe
File created	C:\Windows\System\jNTCozd.exe	c9f1ee0f5e08b6bae2ce0b443c3d4763b3d15067a8b33ab476c2af0d98114978.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3844 wrote to memory of 3732	3844	c9f1ee0f5e08b6bae2ce0b443c3d4763b3d15067a8b33ab476c2af0d98114978.exe	90
PID 3844 wrote to memory of 3732	3844	c9f1ee0f5e08b6bae2ce0b443c3d4763b3d15067a8b33ab476c2af0d98114978.exe	90
PID 3844 wrote to memory of 2488	3844	c9f1ee0f5e08b6bae2ce0b443c3d4763b3d15067a8b33ab476c2af0d98114978.exe	91
PID 3844 wrote to memory of 2488	3844	c9f1ee0f5e08b6bae2ce0b443c3d4763b3d15067a8b33ab476c2af0d98114978.exe	91
PID 3844 wrote to memory of 844	3844	c9f1ee0f5e08b6bae2ce0b443c3d4763b3d15067a8b33ab476c2af0d98114978.exe	92
PID 3844 wrote to memory of 844	3844	c9f1ee0f5e08b6bae2ce0b443c3d4763b3d15067a8b33ab476c2af0d98114978.exe	92

C:\Users\Admin\AppData\Local\Temp\c9f1ee0f5e08b6bae2ce0b443c3d4763b3d15067a8b33ab476c2af0d98114978.exe
"C:\Users\Admin\AppData\Local\Temp\c9f1ee0f5e08b6bae2ce0b443c3d4763b3d15067a8b33ab476c2af0d98114978.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3844
- C:\Windows\System\HJvxguG.exe
  C:\Windows\System\HJvxguG.exe
  2⤵
  - Executes dropped EXE
  PID:3732
- C:\Windows\System\NPrFdKE.exe
  C:\Windows\System\NPrFdKE.exe
  2⤵
  PID:2488
- C:\Windows\System\ZyKLOlJ.exe
  C:\Windows\System\ZyKLOlJ.exe
  2⤵
  PID:844
- C:\Windows\System\jNTCozd.exe
  C:\Windows\System\jNTCozd.exe
  2⤵
  PID:220
- C:\Windows\System\NKUVZcm.exe
  C:\Windows\System\NKUVZcm.exe
  2⤵
  PID:4064
- C:\Windows\System\iyAbCoV.exe
  C:\Windows\System\iyAbCoV.exe
  2⤵
  PID:4632
- C:\Windows\System\eSxlzKm.exe
  C:\Windows\System\eSxlzKm.exe
  2⤵
  PID:2536
- C:\Windows\System\zNZnwad.exe
  C:\Windows\System\zNZnwad.exe
  2⤵
  PID:1384
- C:\Windows\System\GeMrJfL.exe
  C:\Windows\System\GeMrJfL.exe
  2⤵
  PID:4380
- C:\Windows\System\wrtIHJS.exe
  C:\Windows\System\wrtIHJS.exe
  2⤵
  PID:4724
- C:\Windows\System\HauteKG.exe
  C:\Windows\System\HauteKG.exe
  2⤵
  PID:560
- C:\Windows\System\QUhzVlb.exe
  C:\Windows\System\QUhzVlb.exe
  2⤵
  PID:3904
- C:\Windows\System\gctAccG.exe
  C:\Windows\System\gctAccG.exe
  2⤵
  PID:4516
- C:\Windows\System\DIVhbdM.exe
  C:\Windows\System\DIVhbdM.exe
  2⤵
  PID:1512
- C:\Windows\System\qjHfhFq.exe
  C:\Windows\System\qjHfhFq.exe
  2⤵
  PID:3236
- C:\Windows\System\GYGAsos.exe
  C:\Windows\System\GYGAsos.exe
  2⤵
  PID:4372
- C:\Windows\System\RqZuMAx.exe
  C:\Windows\System\RqZuMAx.exe
  2⤵
  PID:4248
- C:\Windows\System\xHQgCLV.exe
  C:\Windows\System\xHQgCLV.exe
  2⤵
  PID:4956
- C:\Windows\System\WdizkFs.exe
  C:\Windows\System\WdizkFs.exe
  2⤵
  PID:2924
- C:\Windows\System\VCHfNsu.exe
  C:\Windows\System\VCHfNsu.exe
  2⤵
  PID:4312
- C:\Windows\System\ztuvOFQ.exe
  C:\Windows\System\ztuvOFQ.exe
  2⤵
  PID:460
- C:\Windows\System\eXDTKqt.exe
  C:\Windows\System\eXDTKqt.exe
  2⤵
  PID:2476
- C:\Windows\System\bZlycdV.exe
  C:\Windows\System\bZlycdV.exe
  2⤵
  PID:3124
- C:\Windows\System\optHqAn.exe
  C:\Windows\System\optHqAn.exe
  2⤵
  PID:1436
- C:\Windows\System\sGSnDZk.exe
  C:\Windows\System\sGSnDZk.exe
  2⤵
  PID:4736
- C:\Windows\System\xXuhPjq.exe
  C:\Windows\System\xXuhPjq.exe
  2⤵
  PID:3944
- C:\Windows\System\xbXKBUD.exe
  C:\Windows\System\xbXKBUD.exe
  2⤵
  PID:4140
- C:\Windows\System\jpfbugc.exe
  C:\Windows\System\jpfbugc.exe
  2⤵
  PID:5032
- C:\Windows\System\FLKgsvZ.exe
  C:\Windows\System\FLKgsvZ.exe
  2⤵
  PID:2804
- C:\Windows\System\Vtjjnom.exe
  C:\Windows\System\Vtjjnom.exe
  2⤵
  PID:2276
- C:\Windows\System\olPtCwA.exe
  C:\Windows\System\olPtCwA.exe
  2⤵
  PID:3748
- C:\Windows\System\HqPdmMf.exe
  C:\Windows\System\HqPdmMf.exe
  2⤵
  PID:4368
- C:\Windows\System\qVxMWGk.exe
  C:\Windows\System\qVxMWGk.exe
  2⤵
  PID:2492
- C:\Windows\System\vvHZGly.exe
  C:\Windows\System\vvHZGly.exe
  2⤵
  PID:2336
- C:\Windows\System\owfjmeb.exe
  C:\Windows\System\owfjmeb.exe
  2⤵
  PID:4460
- C:\Windows\System\pXoTbcU.exe
  C:\Windows\System\pXoTbcU.exe
  2⤵
  PID:2472
- C:\Windows\System\PLAoYoC.exe
  C:\Windows\System\PLAoYoC.exe
  2⤵
  PID:4884
- C:\Windows\System\bERGEMS.exe
  C:\Windows\System\bERGEMS.exe
  2⤵
  PID:3108
- C:\Windows\System\eMSWZpr.exe
  C:\Windows\System\eMSWZpr.exe
  2⤵
  PID:2556
- C:\Windows\System\PyzBYSx.exe
  C:\Windows\System\PyzBYSx.exe
  2⤵
  PID:4452
- C:\Windows\System\JPvszep.exe
  C:\Windows\System\JPvszep.exe
  2⤵
  PID:2252
- C:\Windows\System\JKUJrCZ.exe
  C:\Windows\System\JKUJrCZ.exe
  2⤵
  PID:2140
- C:\Windows\System\VvcQmCQ.exe
  C:\Windows\System\VvcQmCQ.exe
  2⤵
  PID:4928
- C:\Windows\System\SIhJeKz.exe
  C:\Windows\System\SIhJeKz.exe
  2⤵
  PID:3348
- C:\Windows\System\lHrkUYB.exe
  C:\Windows\System\lHrkUYB.exe
  2⤵
  PID:1116
- C:\Windows\System\ESAPtrK.exe
  C:\Windows\System\ESAPtrK.exe
  2⤵
  PID:6920
- C:\Windows\System\evXNcsu.exe
  C:\Windows\System\evXNcsu.exe
  2⤵
  PID:8128
- C:\Windows\System\nVNQDII.exe
  C:\Windows\System\nVNQDII.exe
  2⤵
  PID:12836

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\HJvxguG.exe

Filesize
1.2MB

MD5
9b5ffe17eb97d2bdab425be6416dacfa

SHA1
472cea03dcce5e290d0d2f01eca57b477f025b60

SHA256
e6fa1ad449ef0a1fd0005092d5d8bd2ad20af634b89687e60a1cb4a01f050653

SHA512
f12f251e7257c3122b05aafac05fb702c9dd102aa105ce00e0fba58f133d0ece1dd69b4c340870ae93646092c1da8f575641d8c22ce7f538fbf110e4ddfbac64

Download Submit
C:\Windows\System\NKUVZcm.exe

Filesize
768KB

MD5
096410221e55421e5c4c4275c7d21513

SHA1
a9a3350bb5b616aee4d0c922dc225694f8027702

SHA256
1162e04ab5acff6cf895e753ad87619013ecfffc06f47ed477cf1c201c040e66

SHA512
b442b0d589e49e95f8c072f6f97ae946c91e082ea0e6557eeef4f55282d6675cb325a5ba42eb1799fb9bff049919d0eef469abfd200cb35fe59f78974905588c

Download Submit
C:\Windows\System\ZyKLOlJ.exe

Filesize
128KB

MD5
7ce4ba1725e83a50f64ba525f8815dcf

SHA1
b1714a2d23cfc42c18c37e1546ac0908d8252c04

SHA256
9f7e171000696500dfb6a966f2c3ddf12dc1a77b8276ef660f14f7b7188d2908

SHA512
2dff777f276295d96892e5749316e2e8892ba50f8398f9972ecc2f6e5378213e3cdd31c7c6ab8360d3490d1ec9e77be4e73ac137e108b2eddff2feaaf600be19

Download Submit
C:\Windows\System\ZyKLOlJ.exe

Filesize
512KB

MD5
6b5887af4274a78686a788865765637c

SHA1
5afc15e6fcbc11377bbabbda47ff43f6ebedd369

SHA256
ecdfed9bc02368fefbebe0d02090e93826b7e5cc1043e339dd245299c8b23006

SHA512
4f563e539f8ec68bbc27d4cc59c42ea4897bb131085e08433f745cc558ab7a030701a601ddb711cda19dfa6cd9086b458fb74762092be15aaa4190c05134d077

Download Submit
C:\Windows\System\bZlycdV.exe

Filesize
640KB

MD5
469aca0e2abc33bcc5100f89b3196890

SHA1
b77c2be76b0bcd5c1640c82143bf4ae8abf6ed35

SHA256
8e4d419e754f89fae1d30741df9483d06709f6d20541cbce976b97c6b74f264f

SHA512
bb8f27156094a7b200e5c1844466de9827240ad5c62598ca983899918fcfddc76480438ab7ff457f4059655d26f5dee65f9d3ba57dc850a7e0c1c267d7e2bdae

Download Submit
C:\Windows\System\iyAbCoV.exe

Filesize
320KB

MD5
d21590ae8170aaccbcd19e7067ab6994

SHA1
10f350169749c21440531509a3e7295f89c18083

SHA256
46a31c66a5e2b5dc524bccbbcd87f163f058b2fedffe048e3850fee93fbd703a

SHA512
0a218e8b4f06e2867073755e2a8ca9407d373ed70a6cdd1433032aeda4491ab35054bde1767383405cb6459bec67b81063efb85a1f210d8040c877770e4e047f

Download Submit
C:\Windows\System\jNTCozd.exe

Filesize
192KB

MD5
4a486a2a371d8db348dc0ad03e9fd9f0

SHA1
edd912c5d606628022dc3216eaf2db7c93554ff7

SHA256
93ebf2ea35e05e71e9c9884bcb76799c1b9f2b81bf8decfe1ec83807b911916b

SHA512
deb1d7cb48c961fa18e748db8dfc9769c6fcedd4b7a26b044181e535fbdb31d7ead7b8ae69fab463473bcf0bbda0affdeecb9deffc51a89c74001f68a98bf60b

Download Submit
C:\Windows\System\jNTCozd.exe

Filesize
64KB

MD5
51e4020b90426a266032ae5bcb74e5b3

SHA1
242fa8dc7d05d7b78f629fe2652627274810a122

SHA256
5984cb4794a67b4fd33c39a8582f294030d387db17fdb4933391142fb7f614c6

SHA512
5acda5a7b0ce962164cbb0c2fe75fb43a2d35d269fbb33e0eda06f3daf5a3cc37b11c0b76c58b3b3846604a879813821c87b0ead541065090905bfc897125758

Download Submit
C:\Windows\System\xHQgCLV.exe

Filesize
1.1MB

MD5
05bf681124c1b38420ef851726a67bd8

SHA1
6837db54d84cb95ab0e13aee0a59c34aabda48e0

SHA256
bc5ecb27d5fe9b9f7204a5c2706409a325012a54a6507b4ee0ba16a449a028e2

SHA512
47339f5160b58c849b508c0f011fe62579ee60fdf5b03bf58eb09b7936c8ae28dbe2ba62e4f7289e1a506c1c48ffe2666946a4a3d61a1af1640eeb930bd8b7ad

Download Submit
C:\Windows\System\zNZnwad.exe

Filesize
704KB

MD5
27f1ae58c0e7ea96c463a8f0329d13e3

SHA1
a5352f33f2a7ec676e07aa36bd587f2a910b1502

SHA256
570ef729e78067f9e824a09ee84a0b44c24671dfe07947eaca970f453f235334

SHA512
51c2e61154a9cf7b8c51728bee23d084e40467a64fc74544ed07917de5c42cd2c4f093dc4dba57e475be140334b7f9d2f8c2784d353f9bec4fe5fc6098f5ad70

Download Submit
memory/220-59-0x00007FF6C7130000-0x00007FF6C7484000-memory.dmp

Filesize
3.3MB

Download
memory/844-27-0x00007FF615560000-0x00007FF6158B4000-memory.dmp

Filesize
3.3MB

Download
memory/2924-695-0x00007FF726280000-0x00007FF7265D4000-memory.dmp

Filesize
3.3MB

Download
memory/3124-698-0x00007FF72D890000-0x00007FF72DBE4000-memory.dmp

Filesize
3.3MB

Download
memory/3236-638-0x00007FF7D54D0000-0x00007FF7D5824000-memory.dmp

Filesize
3.3MB

Download
memory/3732-12-0x00007FF6A9170000-0x00007FF6A94C4000-memory.dmp

Filesize
3.3MB

Download
memory/3844-1-0x0000018859660000-0x0000018859670000-memory.dmp

Filesize
64KB

Download
memory/3844-0-0x00007FF70F450000-0x00007FF70F7A4000-memory.dmp

Filesize
3.3MB

Download
memory/3904-692-0x00007FF63B500000-0x00007FF63B854000-memory.dmp

Filesize
3.3MB

Download
memory/4140-1177-0x00007FF609050000-0x00007FF6093A4000-memory.dmp

Filesize
3.3MB

Download
memory/4516-458-0x00007FF683810000-0x00007FF683B64000-memory.dmp

Filesize
3.3MB

Download