xmrig | fc7e736c5813af5f71d4ffad2e697d5a8d3a949af49721cd315701f7cdfdd72e

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 00:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4b98bde5515f0d2bfa49b136850824e.exe
Size

784KB
MD5

d4b98bde5515f0d2bfa49b136850824e
SHA1

c925102e833d0a69a3cac196ccce5094ab655dfb
SHA256

fc7e736c5813af5f71d4ffad2e697d5a8d3a949af49721cd315701f7cdfdd72e
SHA512

48d2161bc260fd3cea01b2ca820c61fa4b6955db421de3a05129045670acbbc33213716ffb4dd938a0b4a6c497d4b2af4ee5441f5b22b39642105a31ceec32cb
SSDEEP

24576:BfSPKoWX+pUiVC6NVRB6wKT2MSJd0VkJmp/m:B8DTV99rhdmWmp/

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral2/memory/3528-2-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/3528-12-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/1652-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/1652-20-0x00000000053A0000-0x0000000005533000-memory.dmp	xmrig
behavioral2/memory/1652-21-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral2/memory/1652-30-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
1652	d4b98bde5515f0d2bfa49b136850824e.exe

Executes dropped EXE 1 IoCs

pid	Process
1652	d4b98bde5515f0d2bfa49b136850824e.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3528-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral2/memory/1652-13-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral2/files/0x0008000000023241-11.dat	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3528	d4b98bde5515f0d2bfa49b136850824e.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3528	d4b98bde5515f0d2bfa49b136850824e.exe
1652	d4b98bde5515f0d2bfa49b136850824e.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 1652	3528	d4b98bde5515f0d2bfa49b136850824e.exe	97
PID 3528 wrote to memory of 1652	3528	d4b98bde5515f0d2bfa49b136850824e.exe	97
PID 3528 wrote to memory of 1652	3528	d4b98bde5515f0d2bfa49b136850824e.exe	97

C:\Users\Admin\AppData\Local\Temp\d4b98bde5515f0d2bfa49b136850824e.exe
"C:\Users\Admin\AppData\Local\Temp\d4b98bde5515f0d2bfa49b136850824e.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Users\Admin\AppData\Local\Temp\d4b98bde5515f0d2bfa49b136850824e.exe
  C:\Users\Admin\AppData\Local\Temp\d4b98bde5515f0d2bfa49b136850824e.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:1652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:4964

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\d4b98bde5515f0d2bfa49b136850824e.exe

Filesize
419KB

MD5
b37889960f05cc6136ffc8ccfc2b3444

SHA1
81d6956ada13a0ed393ce3eede3e3f13c5e8f436

SHA256
b982fe7a4c459c5e0b5bda43dc1335808fa2eb84687f601f73e2ed8d7d91ae1e

SHA512
04830bbd8cf5d0cca0d216ec3e169b5fd7df7dc86e3f4f1db21307ee901244c9dc9ea76a011b735c2eac52a853c5679aceef793f53dcb495b5cd97c82957ea31

Download Submit
memory/1652-13-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/1652-15-0x0000000001720000-0x00000000017E4000-memory.dmp

Filesize
784KB

Download
memory/1652-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1652-20-0x00000000053A0000-0x0000000005533000-memory.dmp

Filesize
1.6MB

Download
memory/1652-21-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1652-30-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3528-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/3528-1-0x00000000017F0000-0x00000000018B4000-memory.dmp

Filesize
784KB

Download
memory/3528-2-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3528-12-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download