xmrig | ec249d08bab2aeca5bfd59ecdcaf7f744cce2c21db349763e882b5940243391b

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbe0a0d69e86c9dec68483382bc59018.exe
Size

784KB
MD5

cbe0a0d69e86c9dec68483382bc59018
SHA1

7cb2d3f1d8d4796a874a6636464b4e3b528e263b
SHA256

ec249d08bab2aeca5bfd59ecdcaf7f744cce2c21db349763e882b5940243391b
SHA512

f0316902a905bdc190213079e20bdd9303ffba32415b993bd3da4cb700c5d9cea357677c29058e0cff85b59299f53d29882b3299788907aa866887d47b674349
SSDEEP

24576:aThNLZX+zLM47gFY1ReqWfGebLEHeFKExhFTFL:klEg21QOeQIK2hFZL

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral1/memory/2952-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2952-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2976-19-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2976-24-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2976-26-0x0000000003150000-0x00000000032E3000-memory.dmp	xmrig
behavioral1/memory/2976-34-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2976	cbe0a0d69e86c9dec68483382bc59018.exe

Executes dropped EXE 1 IoCs

pid	Process
2976	cbe0a0d69e86c9dec68483382bc59018.exe

Loads dropped DLL 1 IoCs

pid	Process
2952	cbe0a0d69e86c9dec68483382bc59018.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2952-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000c000000012339-10.dat	upx
behavioral1/memory/2952-15-0x0000000003230000-0x0000000003542000-memory.dmp	upx
behavioral1/memory/2976-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2952	cbe0a0d69e86c9dec68483382bc59018.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2952	cbe0a0d69e86c9dec68483382bc59018.exe
2976	cbe0a0d69e86c9dec68483382bc59018.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2976	2952	cbe0a0d69e86c9dec68483382bc59018.exe	29
PID 2952 wrote to memory of 2976	2952	cbe0a0d69e86c9dec68483382bc59018.exe	29
PID 2952 wrote to memory of 2976	2952	cbe0a0d69e86c9dec68483382bc59018.exe	29
PID 2952 wrote to memory of 2976	2952	cbe0a0d69e86c9dec68483382bc59018.exe	29

C:\Users\Admin\AppData\Local\Temp\cbe0a0d69e86c9dec68483382bc59018.exe
"C:\Users\Admin\AppData\Local\Temp\cbe0a0d69e86c9dec68483382bc59018.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Users\Admin\AppData\Local\Temp\cbe0a0d69e86c9dec68483382bc59018.exe
  C:\Users\Admin\AppData\Local\Temp\cbe0a0d69e86c9dec68483382bc59018.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\cbe0a0d69e86c9dec68483382bc59018.exe

Filesize
784KB

MD5
0e637f1b274d2a25c942711b83f73157

SHA1
0f79f244d777c0bf2a080f44db5846703984fba2

SHA256
c336b25365f9b2b6104e325435c7d6936c605f004a3b621865c7f7139a6de1f6

SHA512
7c31675f953f0d359a8fe5c1c19939535badd9eed6ea5ddca8e8d477e90bd763492d3cf1e31706b43bd0e7719578fd63ae1e9e801f74465bbe26401124c94cdf

Download Submit
memory/2952-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2952-2-0x0000000000120000-0x00000000001E4000-memory.dmp

Filesize
784KB

Download
memory/2952-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2952-15-0x0000000003230000-0x0000000003542000-memory.dmp

Filesize
3.1MB

Download
memory/2952-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2976-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2976-18-0x0000000000300000-0x00000000003C4000-memory.dmp

Filesize
784KB

Download
memory/2976-19-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2976-24-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2976-26-0x0000000003150000-0x00000000032E3000-memory.dmp

Filesize
1.6MB

Download
memory/2976-34-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download