xmrig | a5a79a8b6c39c9c534929b0066b0028455f24f7449d5c07f856029afdb41ec82

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-03-2024 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bee7ed86375757cbee1572286fa8df67.exe
Size

784KB
MD5

bee7ed86375757cbee1572286fa8df67
SHA1

77835c7c289298ee7b1b48edea53ffe72a83a0c5
SHA256

a5a79a8b6c39c9c534929b0066b0028455f24f7449d5c07f856029afdb41ec82
SHA512

f64af548ab3a5a705be801c2f6e48cca375aac376ab5c19211e63ac2c2bec4704f4f9b0b5ec333a8387abf6ab73c0e38d1c710a05d1ff95bbe061156daf810d6
SSDEEP

12288:n+8D3gNnsLWvDI7XdZwCoHhBFRICe7dAuNK+Sc7f02VkB+4eVTSkJv:+zYRboDFRIrAuuig+4L6

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/1888-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/1888-15-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2380-18-0x0000000000400000-0x0000000000712000-memory.dmp	xmrig
behavioral1/memory/2380-17-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2380-24-0x0000000003290000-0x0000000003423000-memory.dmp	xmrig
behavioral1/memory/2380-25-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2380-34-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig
behavioral1/memory/2380-35-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2380	bee7ed86375757cbee1572286fa8df67.exe

Executes dropped EXE 1 IoCs

pid	Process
2380	bee7ed86375757cbee1572286fa8df67.exe

Loads dropped DLL 1 IoCs

pid	Process
1888	bee7ed86375757cbee1572286fa8df67.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1888-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000c000000012257-10.dat	upx
behavioral1/files/0x000c000000012257-16.dat	upx
behavioral1/memory/1888-14-0x00000000031B0000-0x00000000034C2000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1888	bee7ed86375757cbee1572286fa8df67.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1888	bee7ed86375757cbee1572286fa8df67.exe
2380	bee7ed86375757cbee1572286fa8df67.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 2380	1888	bee7ed86375757cbee1572286fa8df67.exe	29
PID 1888 wrote to memory of 2380	1888	bee7ed86375757cbee1572286fa8df67.exe	29
PID 1888 wrote to memory of 2380	1888	bee7ed86375757cbee1572286fa8df67.exe	29
PID 1888 wrote to memory of 2380	1888	bee7ed86375757cbee1572286fa8df67.exe	29

C:\Users\Admin\AppData\Local\Temp\bee7ed86375757cbee1572286fa8df67.exe
"C:\Users\Admin\AppData\Local\Temp\bee7ed86375757cbee1572286fa8df67.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Users\Admin\AppData\Local\Temp\bee7ed86375757cbee1572286fa8df67.exe
  C:\Users\Admin\AppData\Local\Temp\bee7ed86375757cbee1572286fa8df67.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2380

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bee7ed86375757cbee1572286fa8df67.exe

Filesize
784KB

MD5
e64cf1483ed826b42f5c1cd1277d20fb

SHA1
fa54aae6f56bb956edd85743e399389652c775b5

SHA256
4865cf7e873473d7b99b06b781d97631515d2e1ca27bcb6526a673c0118c228d

SHA512
0dbb1364f2e527a7a0f5ba2f91fbd63affac279861891cf28b1ccfad27b4b4542e7662125a55ffa39c3a62b2f2611f0ca85b08aa59830285d20cee4e164c19fc

Download Submit
\Users\Admin\AppData\Local\Temp\bee7ed86375757cbee1572286fa8df67.exe

Filesize
256KB

MD5
0581e4278a284f9eb7b0651d1df0fadb

SHA1
cad252539fca0e91e0044313f12537cb9d3b95ea

SHA256
d0bb7b8666541af5646a1017c5035e43c211964c0835282b4fe460d28384e601

SHA512
feaafbd509995513954004ab376b8f4b0c5049f22ed059813573edaf2b472927c53eda57e562ae117146b778b2c4f2539679afa49f026db1217a1f13ba4471e9

Download Submit
memory/1888-14-0x00000000031B0000-0x00000000034C2000-memory.dmp

Filesize
3.1MB

Download
memory/1888-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1888-15-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1888-3-0x00000000018B0000-0x0000000001974000-memory.dmp

Filesize
784KB

Download
memory/1888-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2380-18-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2380-19-0x0000000000120000-0x00000000001E4000-memory.dmp

Filesize
784KB

Download
memory/2380-17-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2380-24-0x0000000003290000-0x0000000003423000-memory.dmp

Filesize
1.6MB

Download
memory/2380-25-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2380-34-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download
memory/2380-35-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download