xmrig | 3ac0ec8c052e4f7f0048cfb8a5df2ab6d14257b5daa5bdd07c45427c42b01ada

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/03/2024, 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0fcc17cfb79bf673ecd0ec63d597032.exe
Size

784KB
MD5

c0fcc17cfb79bf673ecd0ec63d597032
SHA1

f666571f5ef37729c9406fbd018fcacd1be5838e
SHA256

3ac0ec8c052e4f7f0048cfb8a5df2ab6d14257b5daa5bdd07c45427c42b01ada
SHA512

c566b8b2085597d56fdaff1bef8f90c1785cbaeaea276df2a63aa238b91b5b282ac51d1cf8382d8cd9b27f95b9f44a12e5f4aaf21d3ea3a702b3f4cb70cf2185
SSDEEP

24576:ZG8fLfizPnca9JTdoKmUG20fu/hCVik3S9rNsvU:U0qrcwJTdojUGS/0UGS/s

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/2488-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2488-15-0x0000000003170000-0x0000000003482000-memory.dmp	xmrig
behavioral1/memory/2488-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/3032-19-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/3032-25-0x0000000003150000-0x00000000032E3000-memory.dmp	xmrig
behavioral1/memory/3032-24-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/3032-34-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
3032	c0fcc17cfb79bf673ecd0ec63d597032.exe

Executes dropped EXE 1 IoCs

pid	Process
3032	c0fcc17cfb79bf673ecd0ec63d597032.exe

Loads dropped DLL 1 IoCs

pid	Process
2488	c0fcc17cfb79bf673ecd0ec63d597032.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2488-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000d00000001223a-16.dat	upx
behavioral1/files/0x000d00000001223a-12.dat	upx
behavioral1/memory/3032-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2488	c0fcc17cfb79bf673ecd0ec63d597032.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2488	c0fcc17cfb79bf673ecd0ec63d597032.exe
3032	c0fcc17cfb79bf673ecd0ec63d597032.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 3032	2488	c0fcc17cfb79bf673ecd0ec63d597032.exe	29
PID 2488 wrote to memory of 3032	2488	c0fcc17cfb79bf673ecd0ec63d597032.exe	29
PID 2488 wrote to memory of 3032	2488	c0fcc17cfb79bf673ecd0ec63d597032.exe	29
PID 2488 wrote to memory of 3032	2488	c0fcc17cfb79bf673ecd0ec63d597032.exe	29

C:\Users\Admin\AppData\Local\Temp\c0fcc17cfb79bf673ecd0ec63d597032.exe
"C:\Users\Admin\AppData\Local\Temp\c0fcc17cfb79bf673ecd0ec63d597032.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\c0fcc17cfb79bf673ecd0ec63d597032.exe
  C:\Users\Admin\AppData\Local\Temp\c0fcc17cfb79bf673ecd0ec63d597032.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c0fcc17cfb79bf673ecd0ec63d597032.exe

Filesize
192KB

MD5
ad9cc6a8f45a4897248028e843b1b505

SHA1
5b6dfc9b77247173792c8a09254395e2e043ba05

SHA256
2670016e05a8b29700969c8f97f7948dfdcc24a7494fbe007fbe0674116bb89d

SHA512
e7224052634117d610ad29157453353d611810aa0473cdc2009db9acdc6e36820442acd5c7147846f8cb59d166f291d0c45864feb22a5ea244344a821b89dff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0fcc17cfb79bf673ecd0ec63d597032.exe

Filesize
145KB

MD5
1621223f7b3cc106f9d45f46f0e44e23

SHA1
3289af933afa41544a1f735f752442f2cb4c0e1b

SHA256
0af00997ff6b4cb4746f56283adc5c21599134fea04fe25947c08ec52674e31e

SHA512
ca013a566b56df042fc5bdb18520b938a3025f574c252f3d51b256743614635c1fd682d152c5cba0799be894560bbb295dd6b23baf5ed511816f55f8bdb95954

Download Submit
memory/2488-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2488-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2488-15-0x0000000003170000-0x0000000003482000-memory.dmp

Filesize
3.1MB

Download
memory/2488-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2488-2-0x0000000001720000-0x00000000017E4000-memory.dmp

Filesize
784KB

Download
memory/3032-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/3032-18-0x0000000000210000-0x00000000002D4000-memory.dmp

Filesize
784KB

Download
memory/3032-19-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3032-25-0x0000000003150000-0x00000000032E3000-memory.dmp

Filesize
1.6MB

Download
memory/3032-24-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3032-34-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download