xmrig | 877d6e27c1c7d6bf28ae440eb87656f3f0ff96215cf0c152eda47927fafed9e6

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2024, 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c595728fc636bc9d562cdc875a73935c.exe
Size

784KB
MD5

c595728fc636bc9d562cdc875a73935c
SHA1

2eff242dc08d9cd546435a2a6f6387132442542e
SHA256

877d6e27c1c7d6bf28ae440eb87656f3f0ff96215cf0c152eda47927fafed9e6
SHA512

b25946721f6358075c4267c57aefd509b07f1a80c5d3366038477ab3cb0adbe17497faf17fd33dcb18261ff68cf304d2572ee561e8de97fd34c907e89a95de0e
SSDEEP

12288:FZOC/QBxMRm+Zel45esUOgSx1lDzw7x1UgLrZoMv239UIEbyQpOuyQCdX:FZOCo0m+MOX1zw7HfWMu2hyQizd

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral2/memory/1284-2-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/1284-12-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/4948-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/4948-20-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral2/memory/4948-22-0x00000000053D0000-0x0000000005563000-memory.dmp	xmrig
behavioral2/memory/4948-30-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
4948	c595728fc636bc9d562cdc875a73935c.exe

Executes dropped EXE 1 IoCs

pid	Process
4948	c595728fc636bc9d562cdc875a73935c.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1284-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral2/files/0x000700000001e59e-11.dat	upx
behavioral2/memory/4948-13-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1284	c595728fc636bc9d562cdc875a73935c.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1284	c595728fc636bc9d562cdc875a73935c.exe
4948	c595728fc636bc9d562cdc875a73935c.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 4948	1284	c595728fc636bc9d562cdc875a73935c.exe	91
PID 1284 wrote to memory of 4948	1284	c595728fc636bc9d562cdc875a73935c.exe	91
PID 1284 wrote to memory of 4948	1284	c595728fc636bc9d562cdc875a73935c.exe	91

C:\Users\Admin\AppData\Local\Temp\c595728fc636bc9d562cdc875a73935c.exe
"C:\Users\Admin\AppData\Local\Temp\c595728fc636bc9d562cdc875a73935c.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Users\Admin\AppData\Local\Temp\c595728fc636bc9d562cdc875a73935c.exe
  C:\Users\Admin\AppData\Local\Temp\c595728fc636bc9d562cdc875a73935c.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:4948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c595728fc636bc9d562cdc875a73935c.exe

Filesize
784KB

MD5
228bd4e062c04275754a90608c7d3554

SHA1
998b7c14c3b8878c6f01cb596d34380dd3e692fd

SHA256
04c971e53ac5042ebf6b69b5ff4fccefe18b6bc430208be83bd4206745fe9eee

SHA512
29bcb41780465dad423c9c6e477caf521fabeb90385c96e80d923dd339fdf96059738e61477cc32134869dd58250cd2f505d9873d7f1ece35197b54072e5cd3e

Download Submit
memory/1284-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1284-1-0x0000000001A80000-0x0000000001B44000-memory.dmp

Filesize
784KB

Download
memory/1284-2-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1284-12-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/4948-13-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/4948-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/4948-16-0x0000000001720000-0x00000000017E4000-memory.dmp

Filesize
784KB

Download
memory/4948-20-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/4948-22-0x00000000053D0000-0x0000000005563000-memory.dmp

Filesize
1.6MB

Download
memory/4948-30-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download