xmrig | 0d62f293cf36c210dc96a9afc5d95763dddf230c7db9f49b21f1e95d7a7cbc15

Analysis

max time kernel
150s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be9d07211fa86e1fa1a9889549cbd113.exe
Size

784KB
MD5

be9d07211fa86e1fa1a9889549cbd113
SHA1

b51b6f4a534a0e328460a5c49b0e3b2fccfca4d1
SHA256

0d62f293cf36c210dc96a9afc5d95763dddf230c7db9f49b21f1e95d7a7cbc15
SHA512

7f05b697359efc233e5026f7b454cbb67e6e1b891f47ccb7cfcfea1ce6079d400e066bcfa5b133c358daacc3946417cf6a456392f7ab7995dc1e5fa9ec6a5df5
SSDEEP

12288:txPJNlkIfzwAE6+7ulD7olLhm2jBYwaqN73t1PACISm218a2oUtCSpF+cE:t1lkwdmusdm2jBNbPOSmU/2AsF9E

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral2/memory/2616-2-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/2616-12-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/4820-15-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/4820-20-0x0000000005440000-0x00000000055D3000-memory.dmp	xmrig
behavioral2/memory/4820-21-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral2/memory/4820-30-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
4820	be9d07211fa86e1fa1a9889549cbd113.exe

Executes dropped EXE 1 IoCs

pid	Process
4820	be9d07211fa86e1fa1a9889549cbd113.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2616-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral2/files/0x000a0000000231f0-11.dat	upx
behavioral2/memory/4820-13-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2616	be9d07211fa86e1fa1a9889549cbd113.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2616	be9d07211fa86e1fa1a9889549cbd113.exe
4820	be9d07211fa86e1fa1a9889549cbd113.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 4820	2616	be9d07211fa86e1fa1a9889549cbd113.exe	89
PID 2616 wrote to memory of 4820	2616	be9d07211fa86e1fa1a9889549cbd113.exe	89
PID 2616 wrote to memory of 4820	2616	be9d07211fa86e1fa1a9889549cbd113.exe	89

C:\Users\Admin\AppData\Local\Temp\be9d07211fa86e1fa1a9889549cbd113.exe
"C:\Users\Admin\AppData\Local\Temp\be9d07211fa86e1fa1a9889549cbd113.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Users\Admin\AppData\Local\Temp\be9d07211fa86e1fa1a9889549cbd113.exe
  C:\Users\Admin\AppData\Local\Temp\be9d07211fa86e1fa1a9889549cbd113.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4820

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\be9d07211fa86e1fa1a9889549cbd113.exe

Filesize
102KB

MD5
66f4d4f9cee886485b32d228780965d6

SHA1
bc08eb9970a2a0f62cb5f65ffa9dbba9fef8d195

SHA256
523a21a3fcfdab7d3f728155d0727973cd5296fe18eac03839ceea09e272b7ba

SHA512
3a41d95896695d8b8d2b2d389f0fa727937b8fecdad1c8f71cec09be1cb95abd002b2f972a94250d15a2b915a12af8e4272dfbd6837907fbff85a58a6362a292

Download Submit
memory/2616-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2616-1-0x0000000001980000-0x0000000001A44000-memory.dmp

Filesize
784KB

Download
memory/2616-2-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2616-12-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/4820-13-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/4820-14-0x0000000001720000-0x00000000017E4000-memory.dmp

Filesize
784KB

Download
memory/4820-15-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/4820-20-0x0000000005440000-0x00000000055D3000-memory.dmp

Filesize
1.6MB

Download
memory/4820-21-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/4820-30-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download