xmrig | d2fa8f50f3fbfc6be4d2d3839c17b2c77ccef1955e75753e03412a3b489bdb19

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26/03/2024, 19:58

Target

dff8fe3ca30ac2071289e87ac8415d97.exe
Size

784KB
MD5

dff8fe3ca30ac2071289e87ac8415d97
SHA1

a51ae1b80239e953fdc15cc6969d57ac6a2eb930
SHA256

d2fa8f50f3fbfc6be4d2d3839c17b2c77ccef1955e75753e03412a3b489bdb19
SHA512

7dc30cfb2c78ba3ea55e8751429df455fa7413bf2580c3a834d92a62a9d59f0d5f2f711d514c793d0d35ec70ce47f04eca2e1f90ce9053f545a265c70a0a1e31
SSDEEP

12288:OUdnSWhHet9sfaeSX8c5rQV3nmJZ+beUzCM+iK72TVBIhqtdVVO3pN1lQG0:vSWhHeboi0VgE/zCxik2/I8BM3pN1+

Score

10^/10

xmrig miner upx

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral2/memory/3216-2-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/3216-12-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/4092-14-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral2/memory/4092-20-0x0000000005410000-0x00000000055A3000-memory.dmp	xmrig
behavioral2/memory/4092-21-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig
behavioral2/memory/4092-30-0x0000000000400000-0x0000000000587000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
4092	dff8fe3ca30ac2071289e87ac8415d97.exe

Executes dropped EXE 1 IoCs

pid	Process
4092	dff8fe3ca30ac2071289e87ac8415d97.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral2/memory/3216-0-0x0000000000400000-0x0000000000712000-memory.dmp	upx
behavioral2/files/0x000700000001ebc7-11.dat	upx
behavioral2/memory/4092-13-0x0000000000400000-0x0000000000712000-memory.dmp	upx

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3216	dff8fe3ca30ac2071289e87ac8415d97.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3216	dff8fe3ca30ac2071289e87ac8415d97.exe
4092	dff8fe3ca30ac2071289e87ac8415d97.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3216 wrote to memory of 4092	3216	dff8fe3ca30ac2071289e87ac8415d97.exe	92
PID 3216 wrote to memory of 4092	3216	dff8fe3ca30ac2071289e87ac8415d97.exe	92
PID 3216 wrote to memory of 4092	3216	dff8fe3ca30ac2071289e87ac8415d97.exe	92

C:\Users\Admin\AppData\Local\Temp\dff8fe3ca30ac2071289e87ac8415d97.exe

Filesize
784KB

MD5
d742299ff80710699796dea1c818292c

SHA1
b0119989c4bed59e689454fad2852609afb01159

SHA256
d5a8f66fb6b1ee55f54e14d03820df0037cc9de2ce3e6d471d0e6f123cbdba47

SHA512
80d120bb17f9e9d19c4c4866235486b0472cbbcd10d73a416825c5122f094fee392c52d0a4ba748c2b34a775b530cc408c56758f97df7b71a247148839e242d5

Download Submit
memory/3216-0-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/3216-1-0x0000000001720000-0x00000000017E4000-memory.dmp

Filesize
784KB

Download
memory/3216-2-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/3216-12-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/4092-16-0x0000000001720000-0x00000000017E4000-memory.dmp

Filesize
784KB

Download
memory/4092-14-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/4092-13-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/4092-20-0x0000000005410000-0x00000000055A3000-memory.dmp

Filesize
1.6MB

Download
memory/4092-21-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/4092-30-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download