xmrig | 71750fa04f4c636e74cddc56627f8a3d410652864e8350957b5bff175f10716a

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/03/2024, 08:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dec5ddbe002eafffd28f6e9ea13d4c9a.exe
Size

3.1MB
MD5

dec5ddbe002eafffd28f6e9ea13d4c9a
SHA1

a3b46f339833b223bf973fd2fc94f17638404e82
SHA256

71750fa04f4c636e74cddc56627f8a3d410652864e8350957b5bff175f10716a
SHA512

20a2b8acf56a4b4599a10b73ee618cdc2d2dd0b8e4ef24637935503527a226d77aa1db99365c13ca8ef5d38e174d286e494bc3e7416b3eb04117b4368ffe8a2e
SSDEEP

49152:gk3k7oGVWjbiSe+2YL/RsKAS8DH2k7mcn9Zqrd9sDGI/pqPJ+TNdJGp4GwBfc483:PGVWjpeKLJAm6Mot/QB+TNDGp4G948j

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/2172-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2108-17-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2108-18-0x0000000000400000-0x0000000000712000-memory.dmp	xmrig
behavioral1/memory/2172-15-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2108-25-0x0000000003220000-0x00000000033B3000-memory.dmp	xmrig
behavioral1/memory/2108-24-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2108-34-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral1/memory/2172-35-0x0000000003630000-0x0000000003942000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2108	dec5ddbe002eafffd28f6e9ea13d4c9a.exe

Executes dropped EXE 1 IoCs

pid	Process
2108	dec5ddbe002eafffd28f6e9ea13d4c9a.exe

Loads dropped DLL 1 IoCs

pid	Process
2172	dec5ddbe002eafffd28f6e9ea13d4c9a.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2172-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral1/files/0x000d00000001224f-10.dat	upx
behavioral1/files/0x000d00000001224f-16.dat	upx
behavioral1/memory/2172-14-0x0000000003630000-0x0000000003942000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2172	dec5ddbe002eafffd28f6e9ea13d4c9a.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2172	dec5ddbe002eafffd28f6e9ea13d4c9a.exe
2108	dec5ddbe002eafffd28f6e9ea13d4c9a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2108	2172	dec5ddbe002eafffd28f6e9ea13d4c9a.exe	29
PID 2172 wrote to memory of 2108	2172	dec5ddbe002eafffd28f6e9ea13d4c9a.exe	29
PID 2172 wrote to memory of 2108	2172	dec5ddbe002eafffd28f6e9ea13d4c9a.exe	29
PID 2172 wrote to memory of 2108	2172	dec5ddbe002eafffd28f6e9ea13d4c9a.exe	29

C:\Users\Admin\AppData\Local\Temp\dec5ddbe002eafffd28f6e9ea13d4c9a.exe
"C:\Users\Admin\AppData\Local\Temp\dec5ddbe002eafffd28f6e9ea13d4c9a.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\dec5ddbe002eafffd28f6e9ea13d4c9a.exe
  C:\Users\Admin\AppData\Local\Temp\dec5ddbe002eafffd28f6e9ea13d4c9a.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2108

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dec5ddbe002eafffd28f6e9ea13d4c9a.exe

Filesize
784KB

MD5
2906843a77f003b6db338da5422abd7d

SHA1
92bf0c8f7b56d9d94fce6e80086bfa07ee18a834

SHA256
2dd48a6baf3e002500c7c2acb4d69af4f877cd18d47e0ad6fd8728bc2f2e48d1

SHA512
7445f31243a7be43742f4a86b7af78697ad79d11967c4d3e7a4b33d16a7889f07a3b3f89b1ea7e01b6d750a6debfbf0c73c2606b2d89487833ee4db7afca8df5

Download Submit
\Users\Admin\AppData\Local\Temp\dec5ddbe002eafffd28f6e9ea13d4c9a.exe

Filesize
448KB

MD5
a5ebb17339dacf9ba3dbb98c1b55236f

SHA1
8427b5fc585a02fdc6975d7fd1e3db4bc7c0cbcb

SHA256
a2e146c5ea8fd03ff92120dd2052f40b7d66cda523c0c02efb7fe2ebb30f207b

SHA512
e3276ce57f3fd10874484c0e963aa628bf81c4baa41e195ed7b3db801c035819a47032b1b547e84503d25714185b2edfa1ba9b02c31c603520789edd5309ed1e

Download Submit
memory/2108-20-0x00000000018B0000-0x0000000001974000-memory.dmp

Filesize
784KB

Download
memory/2108-17-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2108-18-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2108-25-0x0000000003220000-0x00000000033B3000-memory.dmp

Filesize
1.6MB

Download
memory/2108-24-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2108-34-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2172-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/2172-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2172-3-0x0000000000200000-0x00000000002C4000-memory.dmp

Filesize
784KB

Download
memory/2172-15-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2172-14-0x0000000003630000-0x0000000003942000-memory.dmp

Filesize
3.1MB

Download
memory/2172-35-0x0000000003630000-0x0000000003942000-memory.dmp

Filesize
3.1MB

Download