xmrig | 36b4e898644086f013b7164f597617b4cfeddce154c469e410604124ce714e31

Analysis

max time kernel
118s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14-03-2024 21:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9a1b06c5775b7977ab39a113ce1417e.exe
Size

784KB
MD5

c9a1b06c5775b7977ab39a113ce1417e
SHA1

2c6dfed30063eec35c67d519d52a0c3bda827667
SHA256

36b4e898644086f013b7164f597617b4cfeddce154c469e410604124ce714e31
SHA512

2b91c7b002be9573cb65c206524d59ca0ac6a64e153ccec2f9b66746b9d4caea23a7c824676d19b2c3ec14e5273f0a6f95181a736120b80bec95fe1fe2dc1671
SSDEEP

24576:yCaW18sL5S2emj86US0GO4duWXsUhWOTT:5f8s82emj87V4duWcyWOT

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/1488-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/1488-15-0x0000000003130000-0x0000000003442000-memory.dmp	xmrig
behavioral1/memory/1488-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2088-19-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2088-25-0x0000000003150000-0x00000000032E3000-memory.dmp	xmrig
behavioral1/memory/2088-24-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2088-34-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2088	c9a1b06c5775b7977ab39a113ce1417e.exe

Executes dropped EXE 1 IoCs

pid	Process
2088	c9a1b06c5775b7977ab39a113ce1417e.exe

Loads dropped DLL 1 IoCs

pid	Process
1488	c9a1b06c5775b7977ab39a113ce1417e.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1488-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000900000001225c-16.dat	upx
behavioral1/memory/2088-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1488	c9a1b06c5775b7977ab39a113ce1417e.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1488	c9a1b06c5775b7977ab39a113ce1417e.exe
2088	c9a1b06c5775b7977ab39a113ce1417e.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 2088	1488	c9a1b06c5775b7977ab39a113ce1417e.exe	29
PID 1488 wrote to memory of 2088	1488	c9a1b06c5775b7977ab39a113ce1417e.exe	29
PID 1488 wrote to memory of 2088	1488	c9a1b06c5775b7977ab39a113ce1417e.exe	29
PID 1488 wrote to memory of 2088	1488	c9a1b06c5775b7977ab39a113ce1417e.exe	29

C:\Users\Admin\AppData\Local\Temp\c9a1b06c5775b7977ab39a113ce1417e.exe
"C:\Users\Admin\AppData\Local\Temp\c9a1b06c5775b7977ab39a113ce1417e.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Users\Admin\AppData\Local\Temp\c9a1b06c5775b7977ab39a113ce1417e.exe
  C:\Users\Admin\AppData\Local\Temp\c9a1b06c5775b7977ab39a113ce1417e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2088

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\c9a1b06c5775b7977ab39a113ce1417e.exe

Filesize
784KB

MD5
be4f2674b3e4a0b245dc9aa6b7f1bdfd

SHA1
267eabaebaafd068cf25a724d6f18cd19fed04bc

SHA256
91722f213c3da0337794e75cb7a734a037c741bd6bfccf8796cbea3c96ca8396

SHA512
26d7d87e558e6748e11c8063a9f7d9f6b4f0870208e2bf797bcebeb5a91c117479d75e7a5ad0f4e4ae23d6020e6d0f8abe1d77375308f743723420deb10d51e6

Download Submit
memory/1488-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1488-2-0x0000000000330000-0x00000000003F4000-memory.dmp

Filesize
784KB

Download
memory/1488-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1488-15-0x0000000003130000-0x0000000003442000-memory.dmp

Filesize
3.1MB

Download
memory/1488-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2088-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2088-19-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2088-18-0x0000000000330000-0x00000000003F4000-memory.dmp

Filesize
784KB

Download
memory/2088-25-0x0000000003150000-0x00000000032E3000-memory.dmp

Filesize
1.6MB

Download
memory/2088-24-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2088-34-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download