Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 19/03/2024, 00:14
Behavioral task
behavioral1
Sample
d4b98bde5515f0d2bfa49b136850824e.exe
Resource
win7-20240220-en
General
- Target: d4b98bde5515f0d2bfa49b136850824e.exe
- Size: 784KB
- MD5: d4b98bde5515f0d2bfa49b136850824e
- SHA1: c925102e833d0a69a3cac196ccce5094ab655dfb
- SHA256: fc7e736c5813af5f71d4ffad2e697d5a8d3a949af49721cd315701f7cdfdd72e
- SHA512: 48d2161bc260fd3cea01b2ca820c61fa4b6955db421de3a05129045670acbbc33213716ffb4dd938a0b4a6c497d4b2af4ee5441f5b22b39642105a31ceec32cb
- SSDEEP: 24576:BfSPKoWX+pUiVC6NVRB6wKT2MSJd0VkJmp/m:B8DTV99rhdmWmp/
Malware Config
Signatures
- XMRig Miner payload (7 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2092-1-0x0000000000400000-0x0000000000593000-memory.dmp   xmrig
  behavioral1/memory/2092-15-0x0000000000400000-0x0000000000593000-memory.dmp  xmrig
  behavioral1/memory/2544-16-0x0000000000400000-0x0000000000593000-memory.dmp  xmrig
  behavioral1/memory/2544-25-0x0000000003230000-0x00000000033C3000-memory.dmp  xmrig
  behavioral1/memory/2544-23-0x0000000000400000-0x0000000000587000-memory.dmp  xmrig
  behavioral1/memory/2544-34-0x0000000000400000-0x0000000000587000-memory.dmp  xmrig
  behavioral1/memory/2544-33-0x00000000005A0000-0x000000000071F000-memory.dmp  xmrig
- Deletes itself (1 IoC)
  pid   Process
  2544  d4b98bde5515f0d2bfa49b136850824e.exe
- Executes dropped EXE (1 IoC)
  pid   Process
  2544  d4b98bde5515f0d2bfa49b136850824e.exe
- Loads dropped DLL (1 IoC)
  pid   Process
  2092  d4b98bde5515f0d2bfa49b136850824e.exe
- resource                                                                     yara_rule
  behavioral1/memory/2092-0-0x0000000000400000-0x0000000000712000-memory.dmp   upx
  behavioral1/files/0x0009000000012251-14.dat                                  upx
  behavioral1/memory/2544-17-0x0000000000400000-0x0000000000712000-memory.dmp  upx
  behavioral1/files/0x0009000000012251-10.dat                                  upx
- Suspicious behavior: RenamesItself (1 IoC)
  pid   Process
  2092  d4b98bde5515f0d2bfa49b136850824e.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  2092  d4b98bde5515f0d2bfa49b136850824e.exe
  2544  d4b98bde5515f0d2bfa49b136850824e.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                          pid   Process                                procid_target
  PID 2092 wrote to memory of 2544     2092  d4b98bde5515f0d2bfa49b136850824e.exe  29
  PID 2092 wrote to memory of 2544     2092  d4b98bde5515f0d2bfa49b136850824e.exe  29
  PID 2092 wrote to memory of 2544     2092  d4b98bde5515f0d2bfa49b136850824e.exe  29
  PID 2092 wrote to memory of 2544     2092  d4b98bde5515f0d2bfa49b136850824e.exe  29
Processes
- Process (depth 1): C:\Users\Admin\AppData\Local\Temp\d4b98bde5515f0d2bfa49b136850824e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d4b98bde5515f0d2bfa49b136850824e.exe"
  PID: 2092
  - Loads dropped DLL
  - Suspicious behavior: RenamesItself
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - Process (depth 2): C:\Users\Admin\AppData\Local\Temp\d4b98bde5515f0d2bfa49b136850824e.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\d4b98bde5515f0d2bfa49b136850824e.exe
    PID: 2544
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 550KB
  MD5: 3640160e11bbbc2631d81bae1472083a
  SHA1: 204fdea2128fec7535df1e9706924e0802993def
  SHA256: 12c7ebb702bb3d36673dc93b5d241e296b5871411c960adaf5a7b4c735370afe
  SHA512: 799c2213de276876334739b83c367de4b58348198cfedf796d3c6187e967ed529b3fd4585becfbfd823783c9b47e95a92a465e4f645f44d73219797c786bf6ec
- Filesize: 732KB
  MD5: bdcd1cd7e55795d6b8b572d5227f5aa5
  SHA1: 08a5311e96efe5f2e26bedf794183bb9ff1219e3
  SHA256: f0f4363871424a91d8bb7c7a300a3fa9ad828a59a071bbd8dcb3ab84d2d70104
  SHA512: 289cfbec01ec4d0dc1973bac18dc65a40deb47ee63664afd657f25b331cc66b909d857f860b693f8cdb39274273c0a1b981ba8173e986d29b5ceeceab2a457b0