xmrig | fc7e736c5813af5f71d4ffad2e697d5a8d3a949af49721cd315701f7cdfdd72e

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 00:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4b98bde5515f0d2bfa49b136850824e.exe
Size

784KB
MD5

d4b98bde5515f0d2bfa49b136850824e
SHA1

c925102e833d0a69a3cac196ccce5094ab655dfb
SHA256

fc7e736c5813af5f71d4ffad2e697d5a8d3a949af49721cd315701f7cdfdd72e
SHA512

48d2161bc260fd3cea01b2ca820c61fa4b6955db421de3a05129045670acbbc33213716ffb4dd938a0b4a6c497d4b2af4ee5441f5b22b39642105a31ceec32cb
SSDEEP

24576:BfSPKoWX+pUiVC6NVRB6wKT2MSJd0VkJmp/m:B8DTV99rhdmWmp/

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/2092-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2092-15-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2544-16-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2544-25-0x0000000003230000-0x00000000033C3000-memory.dmp	xmrig
behavioral1/memory/2544-23-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2544-34-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2544-33-0x00000000005A0000-0x000000000071F000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2544	d4b98bde5515f0d2bfa49b136850824e.exe

Executes dropped EXE 1 IoCs

pid	Process
2544	d4b98bde5515f0d2bfa49b136850824e.exe

Loads dropped DLL 1 IoCs

pid	Process
2092	d4b98bde5515f0d2bfa49b136850824e.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2092-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x0009000000012251-14.dat	upx
behavioral1/memory/2544-17-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x0009000000012251-10.dat	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2092	d4b98bde5515f0d2bfa49b136850824e.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2092	d4b98bde5515f0d2bfa49b136850824e.exe
2544	d4b98bde5515f0d2bfa49b136850824e.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2544	2092	d4b98bde5515f0d2bfa49b136850824e.exe	29
PID 2092 wrote to memory of 2544	2092	d4b98bde5515f0d2bfa49b136850824e.exe	29
PID 2092 wrote to memory of 2544	2092	d4b98bde5515f0d2bfa49b136850824e.exe	29
PID 2092 wrote to memory of 2544	2092	d4b98bde5515f0d2bfa49b136850824e.exe	29

C:\Users\Admin\AppData\Local\Temp\d4b98bde5515f0d2bfa49b136850824e.exe
"C:\Users\Admin\AppData\Local\Temp\d4b98bde5515f0d2bfa49b136850824e.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\d4b98bde5515f0d2bfa49b136850824e.exe
  C:\Users\Admin\AppData\Local\Temp\d4b98bde5515f0d2bfa49b136850824e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2544

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d4b98bde5515f0d2bfa49b136850824e.exe

Filesize
550KB

MD5
3640160e11bbbc2631d81bae1472083a

SHA1
204fdea2128fec7535df1e9706924e0802993def

SHA256
12c7ebb702bb3d36673dc93b5d241e296b5871411c960adaf5a7b4c735370afe

SHA512
799c2213de276876334739b83c367de4b58348198cfedf796d3c6187e967ed529b3fd4585becfbfd823783c9b47e95a92a465e4f645f44d73219797c786bf6ec

Download Submit
\Users\Admin\AppData\Local\Temp\d4b98bde5515f0d2bfa49b136850824e.exe

Filesize
732KB

MD5
bdcd1cd7e55795d6b8b572d5227f5aa5

SHA1
08a5311e96efe5f2e26bedf794183bb9ff1219e3

SHA256
f0f4363871424a91d8bb7c7a300a3fa9ad828a59a071bbd8dcb3ab84d2d70104

SHA512
289cfbec01ec4d0dc1973bac18dc65a40deb47ee63664afd657f25b331cc66b909d857f860b693f8cdb39274273c0a1b981ba8173e986d29b5ceeceab2a457b0

Download Submit
memory/2092-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2092-2-0x0000000000310000-0x00000000003D4000-memory.dmp

Filesize
784KB

Download
memory/2092-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2092-15-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2544-18-0x00000000018B0000-0x0000000001974000-memory.dmp

Filesize
784KB

Download
memory/2544-17-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2544-16-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2544-25-0x0000000003230000-0x00000000033C3000-memory.dmp

Filesize
1.6MB

Download
memory/2544-23-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2544-34-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2544-33-0x00000000005A0000-0x000000000071F000-memory.dmp

Filesize
1.5MB

Download