Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-03-2024 09:08
Behavioral task: behavioral1
Sample: badd9eb088b53d871a973cd7d70d79c2.exe
Resource: win7-20231129-en
General
Target: badd9eb088b53d871a973cd7d70d79c2.exe
Size: 2.3MB
MD5: badd9eb088b53d871a973cd7d70d79c2
SHA1: 1d54bab28ed6b02892fd6494f0b0dea764db268b
SHA256: 4a6473b1726fe36d7f514f072307ed5aa5fce899b03388d5f8b78684a2cb3bc5
SHA512: 2efdff027c7e220d23cee0223b925e4410fdce1fa84f0c55732b54732675c8fd0828cd766a9f63ece444faa76b863874c9c3e58e1cb10823bb1074a33f56a997
SSDEEP: 49152:S6iQI2zzPdlzjbsuhRQHQxbHWTmD1SM0FfBbnROV8uzyMt8kx:xirozFlNhuHujm8S1fBDcV8uGax
Malware Config
Signatures

XMRig Miner payload (6 IoCs)
resource | yara_rule
behavioral2/memory/3108-2-0x0000000000400000-0x0000000000593000-memory.dmp | xmrig
behavioral2/memory/3108-12-0x0000000000400000-0x0000000000593000-memory.dmp | xmrig
behavioral2/memory/1380-14-0x0000000000400000-0x0000000000593000-memory.dmp | xmrig
behavioral2/memory/1380-20-0x0000000005580000-0x0000000005713000-memory.dmp | xmrig
behavioral2/memory/1380-21-0x0000000000400000-0x0000000000587000-memory.dmp | xmrig
behavioral2/memory/1380-30-0x0000000000400000-0x0000000000587000-memory.dmp | xmrig

Deletes itself (1 IoCs)
pid | Process
1380 | badd9eb088b53d871a973cd7d70d79c2.exe

Executes dropped EXE (1 IoCs)
pid | Process
1380 | badd9eb088b53d871a973cd7d70d79c2.exe

resource | yara_rule
behavioral2/memory/3108-0-0x0000000000400000-0x0000000000712000-memory.dmp | upx
behavioral2/files/0x0011000000023148-11.dat | upx
behavioral2/memory/1380-13-0x0000000000400000-0x0000000000712000-memory.dmp | upx

Suspicious behavior: RenamesItself (1 IoCs)
pid | Process
3108 | badd9eb088b53d871a973cd7d70d79c2.exe

Suspicious use of UnmapMainImage (2 IoCs)
pid | Process
3108 | badd9eb088b53d871a973cd7d70d79c2.exe
1380 | badd9eb088b53d871a973cd7d70d79c2.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 3108 wrote to memory of 1380 | 3108 | badd9eb088b53d871a973cd7d70d79c2.exe | 90
PID 3108 wrote to memory of 1380 | 3108 | badd9eb088b53d871a973cd7d70d79c2.exe | 90
PID 3108 wrote to memory of 1380 | 3108 | badd9eb088b53d871a973cd7d70d79c2.exe | 90
Processes

C:\Users\Admin\AppData\Local\Temp\badd9eb088b53d871a973cd7d70d79c2.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\badd9eb088b53d871a973cd7d70d79c2.exe"
  PID: 3108
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  child process:
  C:\Users\Admin\AppData\Local\Temp\badd9eb088b53d871a973cd7d70d79c2.exe
    command line: C:\Users\Admin\AppData\Local\Temp\badd9eb088b53d871a973cd7d70d79c2.exe
    PID: 1380
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 784KB
MD5: fab29b8c4429f4f26df27de28d6f3072
SHA1: ad768ebb3dc805f905b8a5a3cdcc8611e06790e2
SHA256: a6f90ff4c9592c3c1a76553947266b8f879ad5c9850bda9d0d633d1843bb819f
SHA512: f786b6e5eafac2e9745b2787f010ea650f5a4a35e9f498e393fa2d7873b5d91c2c133e6f0da6125d9b8a7da88ab02d5ab18094edc5a456f89222371eb26941c1