xmrig | 0659699cabe5f93df9a1e98866de715a54720d42af95064e90a44949a684bcb8

Analysis

max time kernel
132s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13-03-2024 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5a255f0acc3b3b49b2e656a38ce0022.exe
Size

784KB
MD5

c5a255f0acc3b3b49b2e656a38ce0022
SHA1

f420813b6650d5e8dd44c97ddc6efab0f01beff0
SHA256

0659699cabe5f93df9a1e98866de715a54720d42af95064e90a44949a684bcb8
SHA512

2e0b383806959222f8866e2687f56092de0731d349068c75d51cdbfa8a239ee61a0b038909f215c133853424f2756e8b812dedb64b49f1e2698946413dbd10ce
SSDEEP

24576:biQBKeyDJJXdzaqXfJNeMix3WO8O95/mmcnL3C:GQBKH7dfNr389xmm4

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral2/memory/1076-2-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/1076-12-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/3908-15-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/3908-22-0x0000000005390000-0x0000000005523000-memory.dmp	xmrig
behavioral2/memory/3908-20-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral2/memory/3908-30-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
3908	c5a255f0acc3b3b49b2e656a38ce0022.exe

Executes dropped EXE 1 IoCs

pid	Process
3908	c5a255f0acc3b3b49b2e656a38ce0022.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1076-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral2/files/0x0008000000023212-11.dat	upx
behavioral2/memory/3908-13-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1076	c5a255f0acc3b3b49b2e656a38ce0022.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1076	c5a255f0acc3b3b49b2e656a38ce0022.exe
3908	c5a255f0acc3b3b49b2e656a38ce0022.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 3908	1076	c5a255f0acc3b3b49b2e656a38ce0022.exe	92
PID 1076 wrote to memory of 3908	1076	c5a255f0acc3b3b49b2e656a38ce0022.exe	92
PID 1076 wrote to memory of 3908	1076	c5a255f0acc3b3b49b2e656a38ce0022.exe	92

C:\Users\Admin\AppData\Local\Temp\c5a255f0acc3b3b49b2e656a38ce0022.exe
"C:\Users\Admin\AppData\Local\Temp\c5a255f0acc3b3b49b2e656a38ce0022.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Users\Admin\AppData\Local\Temp\c5a255f0acc3b3b49b2e656a38ce0022.exe
  C:\Users\Admin\AppData\Local\Temp\c5a255f0acc3b3b49b2e656a38ce0022.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:3908

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c5a255f0acc3b3b49b2e656a38ce0022.exe

Filesize
784KB

MD5
528c05594fe1f761ec5ff63e9df21a8a

SHA1
2a10b687196a0cbad8e6b6b566d47d8483671325

SHA256
5aa234759b61b40302a96ec424b58e13b3780b00198b0a900e9fb694787a442d

SHA512
332b949e6e3c6144eaf4810674e23b38f2e0cc9fd9c8110a4ee340bc736b2aa7ab5365ca8121870cfe7d9e78be65e3513c0e0b20784ce42e5c27be5decbf13c4

Download Submit
memory/1076-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1076-1-0x0000000001B10000-0x0000000001BD4000-memory.dmp

Filesize
784KB

Download
memory/1076-2-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1076-12-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3908-13-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/3908-15-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3908-14-0x00000000017F0000-0x00000000018B4000-memory.dmp

Filesize
784KB

Download
memory/3908-22-0x0000000005390000-0x0000000005523000-memory.dmp

Filesize
1.6MB

Download
memory/3908-20-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3908-30-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download