Analysis
- max time kernel: 120s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
- submitted: 08-03-2024 09:08
Behavioral task
- behavioral1
  Sample: badd9eb088b53d871a973cd7d70d79c2.exe
  Resource: win7-20231129-en
General
- Target: badd9eb088b53d871a973cd7d70d79c2.exe
- Size: 2.3MB
- MD5: badd9eb088b53d871a973cd7d70d79c2
- SHA1: 1d54bab28ed6b02892fd6494f0b0dea764db268b
- SHA256: 4a6473b1726fe36d7f514f072307ed5aa5fce899b03388d5f8b78684a2cb3bc5
- SHA512: 2efdff027c7e220d23cee0223b925e4410fdce1fa84f0c55732b54732675c8fd0828cd766a9f63ece444faa76b863874c9c3e58e1cb10823bb1074a33f56a997
- SSDEEP: 49152:S6iQI2zzPdlzjbsuhRQHQxbHWTmD1SM0FfBbnROV8uzyMt8kx:xirozFlNhuHujm8S1fBDcV8uGax
Malware Config
Signatures
- XMRig Miner payload (7 IoCs)
  resource | yara_rule
  behavioral1/memory/2392-1-0x0000000000400000-0x0000000000593000-memory.dmp | xmrig
  behavioral1/memory/2392-14-0x0000000000400000-0x0000000000593000-memory.dmp | xmrig
  behavioral1/memory/3052-19-0x0000000000400000-0x0000000000593000-memory.dmp | xmrig
  behavioral1/memory/3052-24-0x0000000000400000-0x0000000000587000-memory.dmp | xmrig
  behavioral1/memory/3052-26-0x0000000003120000-0x00000000032B3000-memory.dmp | xmrig
  behavioral1/memory/3052-34-0x00000000005A0000-0x000000000071F000-memory.dmp | xmrig
  behavioral1/memory/3052-35-0x0000000000400000-0x0000000000587000-memory.dmp | xmrig
- Deletes itself (1 IoC)
  pid | Process
  3052 | badd9eb088b53d871a973cd7d70d79c2.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  3052 | badd9eb088b53d871a973cd7d70d79c2.exe
- Loads dropped DLL (1 IoC)
  pid | Process
  2392 | badd9eb088b53d871a973cd7d70d79c2.exe
- yara_rule hits: upx (4 IoCs)
  resource | yara_rule
  behavioral1/memory/2392-0-0x0000000000400000-0x0000000000712000-memory.dmp | upx
  behavioral1/files/0x000a000000013a71-10.dat | upx
  behavioral1/memory/2392-15-0x0000000003510000-0x0000000003822000-memory.dmp | upx
  behavioral1/memory/3052-17-0x0000000000400000-0x0000000000712000-memory.dmp | upx
- Suspicious behavior: RenamesItself (1 IoC)
  pid | Process
  2392 | badd9eb088b53d871a973cd7d70d79c2.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid | Process
  2392 | badd9eb088b53d871a973cd7d70d79c2.exe
  3052 | badd9eb088b53d871a973cd7d70d79c2.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2392 wrote to memory of 3052 | 2392 | badd9eb088b53d871a973cd7d70d79c2.exe | 29
  PID 2392 wrote to memory of 3052 | 2392 | badd9eb088b53d871a973cd7d70d79c2.exe | 29
  PID 2392 wrote to memory of 3052 | 2392 | badd9eb088b53d871a973cd7d70d79c2.exe | 29
  PID 2392 wrote to memory of 3052 | 2392 | badd9eb088b53d871a973cd7d70d79c2.exe | 29
Processes
- C:\Users\Admin\AppData\Local\Temp\badd9eb088b53d871a973cd7d70d79c2.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\badd9eb088b53d871a973cd7d70d79c2.exe"
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID: 2392
  - C:\Users\Admin\AppData\Local\Temp\badd9eb088b53d871a973cd7d70d79c2.exe (level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\badd9eb088b53d871a973cd7d70d79c2.exe
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
    PID: 3052
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 784KB
  MD5: 21e1e73d626e713b983b0f3ba7ad504b
  SHA1: 62927e285ba206a36334111efa0e63dd8f15f6ba
  SHA256: 5285511792416917426fb4d7771fd0a66428920d9f3ef191222c1610101cfb03
  SHA512: ce0b2361da442dde2ce9653772b95374d6c86302da66a34d3e92e32961e4d257b5a2689fa5200e49e5d359a89b7a0882714e5e3d6d588ea3b2215e60a4e10e99