xmrig | a806958a1a67659f180291da9dd4cdae780a0adb4bc3e3ceb7bba68b5e6f0c6e

Analysis

max time kernel
137s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 08:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c56c2504cec4ddb879c2dcff1aff4c00.exe
Size

784KB
MD5

c56c2504cec4ddb879c2dcff1aff4c00
SHA1

a5787f84653ceb6c2d334ec6a27e730b37e726d0
SHA256

a806958a1a67659f180291da9dd4cdae780a0adb4bc3e3ceb7bba68b5e6f0c6e
SHA512

1cc9f8e803b8170e8ead03397d2cb7aed46abe35ca6ab7c4bac14e6c4f65b7f451352e9dfa67791d04615725f1158900cc308628f1930c3d248fc6f785acff9a
SSDEEP

12288:VRdHTmKVstkr+uvp83O22Dft5dG0e0oBBEN4TLDEDkqTIj/4IokoNi9m:d66sOrNv23O2Af1a0oBBE8LIDkvkIRo

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral2/memory/3280-2-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/3280-12-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/2404-15-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/2404-20-0x0000000005420000-0x00000000055B3000-memory.dmp	xmrig
behavioral2/memory/2404-21-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral2/memory/2404-30-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2404	c56c2504cec4ddb879c2dcff1aff4c00.exe

Executes dropped EXE 1 IoCs

pid	Process
2404	c56c2504cec4ddb879c2dcff1aff4c00.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3280-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral2/files/0x000400000002271f-11.dat	upx
behavioral2/memory/2404-13-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3280	c56c2504cec4ddb879c2dcff1aff4c00.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3280	c56c2504cec4ddb879c2dcff1aff4c00.exe
2404	c56c2504cec4ddb879c2dcff1aff4c00.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3280 wrote to memory of 2404	3280	c56c2504cec4ddb879c2dcff1aff4c00.exe	98
PID 3280 wrote to memory of 2404	3280	c56c2504cec4ddb879c2dcff1aff4c00.exe	98
PID 3280 wrote to memory of 2404	3280	c56c2504cec4ddb879c2dcff1aff4c00.exe	98

C:\Users\Admin\AppData\Local\Temp\c56c2504cec4ddb879c2dcff1aff4c00.exe
"C:\Users\Admin\AppData\Local\Temp\c56c2504cec4ddb879c2dcff1aff4c00.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3280
- C:\Users\Admin\AppData\Local\Temp\c56c2504cec4ddb879c2dcff1aff4c00.exe
  C:\Users\Admin\AppData\Local\Temp\c56c2504cec4ddb879c2dcff1aff4c00.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2384 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:1092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c56c2504cec4ddb879c2dcff1aff4c00.exe

Filesize
305KB

MD5
72fcf29cc8dd61a16ff681bf26b90552

SHA1
ebf8687ab96ee06df6c8403f8a966cb3bf64f8ba

SHA256
04a24a49057ab978a23ad1d179124ba78869083cfe241109d8997f59f39ed59c

SHA512
ac1df9236d36a13362cea82fb389b9592551f0e9d4a2e96761bdaa5d351aeef6943748a7120efa8076a06e5c4db49f038b2935a57fed48147c6b3ea3cc7ea155

Download Submit
memory/2404-13-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2404-14-0x0000000001A30000-0x0000000001AF4000-memory.dmp

Filesize
784KB

Download
memory/2404-15-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2404-20-0x0000000005420000-0x00000000055B3000-memory.dmp

Filesize
1.6MB

Download
memory/2404-21-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2404-30-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3280-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/3280-1-0x0000000001720000-0x00000000017E4000-memory.dmp

Filesize
784KB

Download
memory/3280-2-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3280-12-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download