Malware Analysis Report

2025-08-10 14:49

Sample ID 241025-23k12axcnp
Target 6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N
SHA256 6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2
Tags: upx xmrig discovery miner
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2

Threat Level: Known bad

The file 6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N was found to be: Known bad.

Malicious Activity Summary

Tags: upx xmrig discovery miner

Xmrig family

xmrig

XMRig Miner payload

Deletes itself

Executes dropped EXE

Loads dropped DLL

UPX packed file

System Location Discovery: System Language Discovery (T1614.001)

Unsigned PE

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Note: "Deletes itself", "Loads dropped DLL", "Suspicious use of UnmapMainImage" and "Suspicious use of WriteProcessMemory" are listed only in this summary; neither behavioral analysis below shows them with an indicator. The behaviours both detonations do record are the UPX and XMRig payload matches, the relaunch of a rewritten copy of the executable from its own path, and the read of the NLS\Language registry key.

MITRE ATT&CK

Enterprise Matrix V15. Techniques indicated by the signatures in this report:

Discovery: T1614.001 System Location Discovery: System Language Discovery (the NLS\Language registry key opens recorded in both behavioral analyses)
Defense Evasion: T1027.002 Obfuscated Files or Information: Software Packing (UPX packed file)
Defense Evasion: T1070.004 Indicator Removal: File Deletion (Deletes itself)
Impact: T1496 Resource Hijacking (XMRig Miner payload)

Analysis: static1

Detonation Overview

Reported

2024-10-25 23:06

Signatures

UPX packed file (tag: upx)
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
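The two static signatures above name file-level findings but carry no indicator. The following is an added example, not sandbox code, of how both checks are made directly from the PE headers: UPX is recognised by its section names, with a section-entropy fallback for builds that rename them, and "unsigned" means the security data directory (index 4 of the optional header's data directories) is empty. The PE images it inspects are constructed in memory as fixtures; they are not the analysed sample, and the helper names (`triage`, `build_pe`, `_noise`) are this example's own.

```python
"""PE header checks behind the two static signatures: UPX packing and a
missing Authenticode signature.  Added example, not sandbox code; parses the
headers by hand (no pefile).  The PE images are constructed fixtures."""
import hashlib
import math
import struct
from collections import Counter

SECTION_HDR = 40
SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8 for compressed/encrypted data, ~4-6 for plain code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _pe_offset(pe: bytes) -> int:
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew


def parse_sections(pe: bytes) -> list:
    """Walk the section table: [{'name', 'raw_size', 'entropy'}, ...]."""
    pe_off = _pe_offset(pe)
    (nsect,) = struct.unpack_from("<H", pe, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", pe, pe_off + 20)
    table = pe_off + 24 + opt_size
    out = []
    for i in range(nsect):
        hdr = table + i * SECTION_HDR
        raw_size, raw_off = struct.unpack_from("<II", pe, hdr + 16)
        raw = pe[raw_off:raw_off + raw_size] if raw_size else b""
        out.append({"name": pe[hdr:hdr + 8].rstrip(b"\0"), "raw_size": raw_size,
                    "entropy": round(shannon_entropy(raw), 2)})
    return out


def is_authenticode_signed(pe: bytes) -> bool:
    """Presence check only: does the security directory point at a blob?
    Validating the chain is a separate step (signtool, Get-AuthenticodeSignature)."""
    opt = _pe_offset(pe) + 24
    (magic,) = struct.unpack_from("<H", pe, opt)
    dirs = 96 if magic == 0x10B else 112  # data directories: PE32 vs PE32+
    va, size = struct.unpack_from("<II", pe, opt + dirs + 8 * SECURITY_DIR)
    return va != 0 and size != 0


def looks_upx_packed(sections: list) -> bool:
    """UPX names its sections UPX0/UPX1 (plus UPX2 or .rsrc).  Fallback for
    scrubbed names: an empty-on-disk first section (the unpack destination)
    followed by a near-8-bit-entropy section holding the compressed image."""
    if any(s["name"].startswith(b"UPX") for s in sections):
        return True
    return (len(sections) >= 2 and sections[0]["raw_size"] == 0
            and any(s["entropy"] > 7.0 for s in sections[1:]))


def triage(pe: bytes) -> dict:
    sections = parse_sections(pe)
    return {"upx": looks_upx_packed(sections),
            "signed": is_authenticode_signed(pe), "sections": sections}


# --- constructed fixtures: minimal PE32 images, not the analysed sample ---
def build_pe(sections, signed=False) -> bytes:
    """Just enough PE structure for the parsers above: DOS stub, COFF header,
    zeroed PE32 optional header, section table, 0x200-aligned raw data."""
    e_lfanew, opt = 0x40, struct.pack("<H", 0x10B) + b"\0" * 222
    hdr_end = e_lfanew + 24 + len(opt) + SECTION_HDR * len(sections)
    data_start = (hdr_end + 0x1FF) & ~0x1FF
    table, blobs, off = b"", b"", data_start
    for name, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(raw) or 0x1000, 0, len(raw),
                             off if raw else 0, 0, 0, 0, 0, 0x60000020)
        blobs += raw + b"\0" * (-len(raw) % 0x200)
        off = data_start + len(blobs)
    if signed:  # security directory -> dummy WIN_CERTIFICATE blob at file end
        opt = opt[:128] + struct.pack("<II", off, 0x100) + opt[136:]
        blobs += b"\0" * 0x100
    head = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew) + b"PE\0\0"
    head += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    head += opt + table
    return head + b"\0" * (data_start - len(head)) + blobs


def _noise(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for compressed code."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                   for i in range(n // 32 + 1))
    return out[:n]


UPX_LIKE = build_pe([(b"UPX0", b""), (b"UPX1", _noise(4096)), (b".rsrc", b"\0" * 512)])
PLAIN_SIGNED = build_pe([(b".text", b"\x55\x8b\xec\xc3" * 256), (b".data", b"\0" * 512)],
                        signed=True)

if __name__ == "__main__":
    for label, pe in (("upx-like", UPX_LIKE), ("plain, signed", PLAIN_SIGNED)):
        print(label, triage(pe))
```

The entropy fallback is what keeps the check useful against a UPX build whose section names were scrubbed, which is common in miner droppers; it is a heuristic, so treat a positive as "packed, unpack before static analysis" rather than "UPX specifically". The signature check only establishes that no certificate blob is attached; a present signature still has to be validated.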

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-25 23:06

Reported

2024-10-25 23:08

Platform

win7-20241023-en

Max time kernel

119s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe"

Signatures

Xmrig family (tag: xmrig)

xmrig (tags: miner xmrig)

XMRig Miner payload (tag: miner)
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe N/A

UPX packed file (tag: upx)
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery (T1614.001; tag: discovery)
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe

"C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe"

C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe

C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe

Note: the same image path appears three times, and the memory dumps under Files come from two PIDs (2836 and 2884). Together with the "Executes dropped EXE" and "RenamesItself" signatures this is consistent with the sample rewriting its own file and relaunching it from the same path. The relaunched file is not the submitted one: the SHA256 recorded for this path under Files is 57359f14a66cc41afa3b530319b9c3fabe690e645242d20d21ef88e2b79755c1, not 6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2, so a disk scan after execution will not find the original hash at this location.

Network

N/A

Files

memory/2836-0-0x0000000000400000-0x0000000000712000-memory.dmp

memory/2836-2-0x0000000000400000-0x0000000000593000-memory.dmp

\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe

MD5 b78883a847e0d1a68eced8d48ee9138f
SHA1 da5f0d6e6fec0260c2d55ece0813ff0fbbd630cc
SHA256 57359f14a66cc41afa3b530319b9c3fabe690e645242d20d21ef88e2b79755c1
SHA512 9df132a1a0aa3156658cc53a0f7273d35a96c993ce42b7af8894c842a937c588503e6553b9210ebdbc06f8ccc51b085a40e4f1802190ae4962793886c34158c0

memory/2836-4-0x00000000018B0000-0x0000000001974000-memory.dmp

memory/2884-17-0x0000000000400000-0x0000000000712000-memory.dmp

memory/2836-16-0x0000000003220000-0x0000000003532000-memory.dmp

memory/2884-18-0x00000000018B0000-0x0000000001974000-memory.dmp

memory/2836-14-0x0000000000400000-0x0000000000593000-memory.dmp

memory/2884-19-0x0000000000400000-0x0000000000593000-memory.dmp

memory/2884-34-0x0000000000710000-0x0000000000720000-memory.dmp

memory/2884-35-0x0000000000400000-0x0000000000587000-memory.dmp

memory/2884-33-0x0000000003220000-0x00000000033B3000-memory.dmp

memory/2884-24-0x0000000000400000-0x0000000000587000-memory.dmp

memory/2836-36-0x0000000003220000-0x0000000003532000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 23:06

Reported

2024-10-25 23:08

Platform

win10v2004-20241007-en

Max time kernel

103s

Max time network

106s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe"

Signatures

Xmrig family (tag: xmrig)

xmrig (tags: miner xmrig)

XMRig Miner payload (tag: miner)
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe N/A

UPX packed file (tag: upx)
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery (T1614.001; tag: discovery)
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe N/A
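Both detonations (behavioral1 and behavioral2) record the same two opens of \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by the sample, the T1614.001 check that miners use to skip or target particular locales. As an added example, not part of the report, the code below matches that behaviour in registry-access telemetry: it normalises NT-native, HKEY_* and numbered-ControlSet paths to one canonical spelling, matches a short list of language and locale keys, and marks the reader as suspicious only when its image lives in a user-writable staging directory, because reading these keys is routine for installers and the shell. The log rows are constructed in the shape of the report's table; the sample path is the report's, the remaining rows are invented benign look-alikes, and `UNTRUSTED_DIRS` and `LANGUAGE_KEYS` are this example's own choices.

```python
"""Flag T1614.001 (System Language Discovery) in registry-access telemetry.
Added example, not sandbox code.  Rows are constructed in the shape of the
report's 'Key opened <key> <process>' table; only the sample path is real."""
import re
from collections import defaultdict

# Keys a language/locale check reads.  Reading them is routine for installers
# and the shell; it becomes interesting when the reader is a fresh, unsigned
# binary in a staging directory, so the verdict below combines both facts.
LANGUAGE_KEYS = (
    r"HKLM\SYSTEM\CurrentControlSet\Control\NLS\Language",
    r"HKLM\SYSTEM\CurrentControlSet\Control\NLS\Locale",
    r"HKCU\Control Panel\International",
)
UNTRUSTED_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")

_ROOTS = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU",
          "HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
          "HKEY_USERS": "HKU"}
_CONTROLSET = re.compile(r"\\ControlSet\d{3}\\", re.IGNORECASE)
_USER_HIVE = re.compile(r"^HKU\\S-1-5-21-[\d-]+\\", re.IGNORECASE)
# key may contain spaces ("Control Panel"), so anchor on the process path.
_ROW = re.compile(r"^Key opened (?P<key>.+?) (?P<proc>[A-Za-z]:\\\S+)$")


def normalise_key(path: str) -> str:
    """One canonical spelling for NT-native (\\REGISTRY\\MACHINE), HKEY_* and
    numbered-ControlSet forms, so kernel, Sysmon and sandbox output all match
    the same list.  A per-user hive under HKU\\<SID>\\ is folded into HKCU."""
    for native, short in _ROOTS.items():
        if path.upper().startswith(native.upper()):
            path = short + path[len(native):]
            break
    path = _CONTROLSET.sub(r"\\CurrentControlSet\\", path)
    path = _USER_HIVE.sub(r"HKCU\\", path)
    return path.rstrip("\\")


def is_language_discovery(path: str) -> bool:
    p = normalise_key(path).lower()
    return any(p == k.lower() or p.startswith(k.lower() + "\\") for k in LANGUAGE_KEYS)


def find_discovery(rows) -> dict:
    """{process: [normalised keys]} for every matching 'Key opened' row."""
    hits = defaultdict(list)
    for row in rows:
        m = _ROW.match(row.strip())
        if m and is_language_discovery(m["key"]):
            hits[m["proc"]].append(normalise_key(m["key"]))
    return dict(hits)


def triage(rows) -> dict:
    """Per process: the keys it read and whether its image lives in a
    user-writable staging directory (the combination worth alerting on)."""
    return {proc: {"keys": keys,
                   "suspicious": any(d in proc.lower() for d in UNTRUSTED_DIRS)}
            for proc, keys in find_discovery(rows).items()}


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe")
# Constructed rows: the first two mirror the report, the rest are invented
# benign look-alikes (a CodePage read, the shell's locale read, an unrelated key).
ROWS = [
    rf"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language {SAMPLE}",
    rf"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language {SAMPLE}",
    rf"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\CodePage {SAMPLE}",
    r"Key opened \REGISTRY\USER\S-1-5-21-1-2-3-1001\Control Panel\International\Geo C:\Windows\explorer.exe",
    r"Key opened HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion C:\Windows\System32\svchost.exe",
]

if __name__ == "__main__":
    for proc, info in triage(ROWS).items():
        print("SUSPICIOUS" if info["suspicious"] else "benign    ", proc, info["keys"])
```

On a production host this event is only visible if registry object access is audited (Security event 4656 on the key) or an EDR hooks registry reads; Sysmon's registry events cover key creation, value writes and renames, not opens, so do not expect this exact row from Sysmon alone.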

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe

"C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe"

C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe

C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe

Note: as in the win7 run, the image path appears three times (the submitted file and the rewritten copy it relaunches from the same path; memory dumps come from PIDs 2692 and 2972). The copy's SHA256 under Files, b65f1a2dcb8088cdd755716b7372bb49d4120837c451c8c924e4332e5f6d525e, differs both from the submitted sample and from the copy produced in the win7 run (57359f14a66cc41afa3b530319b9c3fabe690e645242d20d21ef88e2b79755c1). The file the sample leaves on disk therefore had a different hash in each of the two runs; pivot on the submitted hash and on the behaviour, not on the dropped file's hash.

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 226.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 104.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Note: none of the above is miner traffic. The rows are reverse-DNS (PTR) lookups through 8.8.8.8 and TLS sessions to tse1.mm.bing.net, the Bing content host a Windows 10 desktop contacts on its own, and the table carries no process column tying any of it to the sample. No mining-pool or stratum connection appears in either detonation (the win7 run recorded no network activity at all), so the XMRig verdict rests on the in-memory payload signatures rather than on observed mining traffic, and these destinations should not be used as IOCs.

Files

memory/2692-0-0x0000000000400000-0x0000000000712000-memory.dmp

memory/2692-1-0x0000000001720000-0x00000000017E4000-memory.dmp

memory/2692-2-0x0000000000400000-0x0000000000593000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe

MD5 b5d48fd4471212200999a52352433f16
SHA1 321e857e69386d99413e723a4d3a5e63bc520a92
SHA256 b65f1a2dcb8088cdd755716b7372bb49d4120837c451c8c924e4332e5f6d525e
SHA512 87b2866c2112b684da5580cf75bd105274b9af9f1e6c913da88f0c303bccc032507dacb74a7a62de7cbd5504611dc8c52c53c9f399b13b9d83b019b73e3e0e78

memory/2972-13-0x0000000000400000-0x0000000000712000-memory.dmp

memory/2692-12-0x0000000000400000-0x0000000000593000-memory.dmp

memory/2972-14-0x0000000001720000-0x00000000017E4000-memory.dmp

memory/2972-16-0x0000000000400000-0x0000000000593000-memory.dmp

memory/2972-20-0x00000000055A0000-0x0000000005733000-memory.dmp

memory/2972-22-0x0000000000400000-0x0000000000587000-memory.dmp

memory/2972-30-0x0000000000400000-0x0000000000587000-memory.dmp
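The memory dumps in both Files sections encode a timeline in their names: PID, capture sequence number and address range. Parsing them (added example, not report code; the names below are copied from the two Files sections above) shows that in each run the region at the image base 0x400000 is dumped at shrinking sizes, 0x312000 then 0x193000 then 0x187000, and that the second PID (the relaunched copy) repeats the same sequence and is the only one to reach the 0x187000 stage. That is consistent with a two-stage unpack, UPX in the first process and a second layer in the relaunched one, and with the sample re-executing itself rather than injecting into a foreign process. The helper names are this example's own.

```python
"""Turn the sandbox's memory-dump file names into a per-PID timeline.
Added example; the dump names are copied from the report's Files sections."""
import re
from collections import defaultdict

IMAGE_BASE = 0x400000
_DUMP = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


def parse_dumps(names):
    """{pid: [(seq, start, end), ...]} sorted by seq (seq is global per run)."""
    by_pid = defaultdict(list)
    for name in names:
        m = _DUMP.match(name.strip())
        if not m:  # dropped-file paths and hash lines are not dumps
            continue
        by_pid[int(m["pid"])].append(
            (int(m["seq"]), int(m["start"], 16), int(m["end"], 16)))
    return {pid: sorted(dumps) for pid, dumps in by_pid.items()}


def image_region_sizes(timeline, base=IMAGE_BASE):
    """Sizes of successive dumps taken at the image base.  A shrinking series
    means the mapping at the base was replaced by a smaller image, i.e. an
    unpacking stage ran in place."""
    return [end - start for _, start, end in timeline if start == base]


def spawn_order(parsed):
    """PIDs by first capture; the later PID is the process the sample started."""
    return sorted(parsed, key=lambda pid: parsed[pid][0][0])


def summarise(names):
    """{pid: {'first_seq', 'image_sizes', 'other_regions'}} in spawn order."""
    parsed = parse_dumps(names)
    out = {}
    for pid in spawn_order(parsed):
        tl = parsed[pid]
        out[pid] = {
            "first_seq": tl[0][0],
            "image_sizes": image_region_sizes(tl),
            "other_regions": sorted({(s, e) for _, s, e in tl if s != IMAGE_BASE}),
        }
    return out


# Names exactly as listed in the report: win7 run (behavioral1), win10 run (behavioral2).
BEHAVIORAL1 = [
    "memory/2836-0-0x0000000000400000-0x0000000000712000-memory.dmp",
    "memory/2836-2-0x0000000000400000-0x0000000000593000-memory.dmp",
    "memory/2836-4-0x00000000018B0000-0x0000000001974000-memory.dmp",
    "memory/2884-17-0x0000000000400000-0x0000000000712000-memory.dmp",
    "memory/2836-16-0x0000000003220000-0x0000000003532000-memory.dmp",
    "memory/2884-18-0x00000000018B0000-0x0000000001974000-memory.dmp",
    "memory/2836-14-0x0000000000400000-0x0000000000593000-memory.dmp",
    "memory/2884-19-0x0000000000400000-0x0000000000593000-memory.dmp",
    "memory/2884-34-0x0000000000710000-0x0000000000720000-memory.dmp",
    "memory/2884-35-0x0000000000400000-0x0000000000587000-memory.dmp",
    "memory/2884-33-0x0000000003220000-0x00000000033B3000-memory.dmp",
    "memory/2884-24-0x0000000000400000-0x0000000000587000-memory.dmp",
    "memory/2836-36-0x0000000003220000-0x0000000003532000-memory.dmp",
]
BEHAVIORAL2 = [
    "memory/2692-0-0x0000000000400000-0x0000000000712000-memory.dmp",
    "memory/2692-1-0x0000000001720000-0x00000000017E4000-memory.dmp",
    "memory/2692-2-0x0000000000400000-0x0000000000593000-memory.dmp",
    "memory/2972-13-0x0000000000400000-0x0000000000712000-memory.dmp",
    "memory/2692-12-0x0000000000400000-0x0000000000593000-memory.dmp",
    "memory/2972-14-0x0000000001720000-0x00000000017E4000-memory.dmp",
    "memory/2972-16-0x0000000000400000-0x0000000000593000-memory.dmp",
    "memory/2972-20-0x00000000055A0000-0x0000000005733000-memory.dmp",
    "memory/2972-22-0x0000000000400000-0x0000000000587000-memory.dmp",
    "memory/2972-30-0x0000000000400000-0x0000000000587000-memory.dmp",
]

if __name__ == "__main__":
    for label, names in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2)):
        for pid, info in summarise(names).items():
            print(label, pid, "first seq", info["first_seq"],
                  "image sizes", [hex(n) for n in info["image_sizes"]],
                  "other regions", [(hex(s), hex(e)) for s, e in info["other_regions"]])
```

When pulling the dumps for manual work, the last capture of the 0x400000 region in the child PID (seq 35 on win7, seq 30 on win10) is the one to feed to a disassembler: it is the smallest image at the base and so the furthest-unpacked stage the sandbox saw.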