xmrig | 3a31b108dcc057cb7b8a5de8a89903ad6a67abaac5038510745959fdebb7e9b9

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5586063f004179bdfd5beb62f728e76.exe
Size

784KB
MD5

c5586063f004179bdfd5beb62f728e76
SHA1

655b17e62bb2a738811eadb06558b6896ac11601
SHA256

3a31b108dcc057cb7b8a5de8a89903ad6a67abaac5038510745959fdebb7e9b9
SHA512

f602786fc5bb41d0dccb4f4d75405ca5ed3bd18727d595fa543f10bb726118a70d4b08e5609717abdc5bd5e6371a2cbec17c5c3468c7805df061aa7577106a8e
SSDEEP

24576:Ow8KGlYNuE/1wSnztlh89g0ZYqkv1FTtE:O2Gliu76ztrfuYqkvHJE

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/2200-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2200-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/1204-19-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/1204-24-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/1204-25-0x0000000003070000-0x0000000003203000-memory.dmp	xmrig
behavioral1/memory/1204-34-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig
behavioral1/memory/1204-35-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
1204	c5586063f004179bdfd5beb62f728e76.exe

Executes dropped EXE 1 IoCs

pid	Process
1204	c5586063f004179bdfd5beb62f728e76.exe

Loads dropped DLL 1 IoCs

pid	Process
2200	c5586063f004179bdfd5beb62f728e76.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2200-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000a00000001225c-10.dat	upx
behavioral1/memory/2200-15-0x00000000031B0000-0x00000000034C2000-memory.dmp	upx
behavioral1/files/0x000a00000001225c-16.dat	upx
behavioral1/memory/1204-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2200	c5586063f004179bdfd5beb62f728e76.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2200	c5586063f004179bdfd5beb62f728e76.exe
1204	c5586063f004179bdfd5beb62f728e76.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 1204	2200	c5586063f004179bdfd5beb62f728e76.exe	29
PID 2200 wrote to memory of 1204	2200	c5586063f004179bdfd5beb62f728e76.exe	29
PID 2200 wrote to memory of 1204	2200	c5586063f004179bdfd5beb62f728e76.exe	29
PID 2200 wrote to memory of 1204	2200	c5586063f004179bdfd5beb62f728e76.exe	29

C:\Users\Admin\AppData\Local\Temp\c5586063f004179bdfd5beb62f728e76.exe
"C:\Users\Admin\AppData\Local\Temp\c5586063f004179bdfd5beb62f728e76.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Users\Admin\AppData\Local\Temp\c5586063f004179bdfd5beb62f728e76.exe
  C:\Users\Admin\AppData\Local\Temp\c5586063f004179bdfd5beb62f728e76.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1204

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c5586063f004179bdfd5beb62f728e76.exe

Filesize
768KB

MD5
3ed349196d2aef8ed41c0a15a0a4ecec

SHA1
d86c64cff737309afd507faafe263df1d52e354e

SHA256
5a57c8d70c2b630d9de454605d798f7a2c9e2a69946694fb43c389b3dee4e0a8

SHA512
284413452e4e5be10506f0e7a4d1e867aae402bcbb3906e7ff22a554000eb55d8ac00be7089eb00567e6d21f0c0b71bc65fde45a885b1b8ea65be880814fff73

Download Submit
\Users\Admin\AppData\Local\Temp\c5586063f004179bdfd5beb62f728e76.exe

Filesize
784KB

MD5
e8c7ca3e0de80bd37161e2573b2c25a9

SHA1
7237d22b86c554a7e382417ee23a31c80bbe38ad

SHA256
1a3ef33fc966aeeb9733ee1fc78ad405afe1ad352508c533f62390862a76b681

SHA512
f98970f48e087e11e28d8e81a25d711907ed18995117dc9fd8cdad1ba37a0b77315b2dbd268e9cd7c867cd0769cd42ff6192548ad07a376919866fa1bc0bbcde

Download Submit
memory/1204-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1204-18-0x0000000001720000-0x00000000017E4000-memory.dmp

Filesize
784KB

Download
memory/1204-19-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1204-24-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1204-25-0x0000000003070000-0x0000000003203000-memory.dmp

Filesize
1.6MB

Download
memory/1204-34-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download
memory/1204-35-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2200-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2200-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2200-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2200-15-0x00000000031B0000-0x00000000034C2000-memory.dmp

Filesize
3.1MB

Download
memory/2200-2-0x00000000018B0000-0x0000000001974000-memory.dmp

Filesize
784KB

Download