Analysis Overview
SHA256
6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2
Threat Level: Known bad
The file 6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N was found to be: Known bad.
Malicious Activity Summary
Xmrig family
xmrig
XMRig Miner payload
Deletes itself
Executes dropped EXE
Loads dropped DLL
UPX packed file
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: RenamesItself
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-25 23:06
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 23:06
Reported
2024-10-25 23:08
Platform
win7-20241023-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe
"C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe"
C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe
C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe
Network
Files
\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe
| MD5 | b78883a847e0d1a68eced8d48ee9138f |
| SHA1 | da5f0d6e6fec0260c2d55ece0813ff0fbbd630cc |
| SHA256 | 57359f14a66cc41afa3b530319b9c3fabe690e645242d20d21ef88e2b79755c1 |
| SHA512 | 9df132a1a0aa3156658cc53a0f7273d35a96c993ce42b7af8894c842a937c588503e6553b9210ebdbc06f8ccc51b085a40e4f1802190ae4962793886c34158c0 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 23:06
Reported
2024-10-25 23:08
Platform
win10v2004-20241007-en
Max time kernel
103s
Max time network
106s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe
"C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe"
C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe
C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\6e0703855e6a70cc576b5155b25d22155e24d1076ceefb1f6f2d06f5ee16aad2N.exe
| MD5 | b5d48fd4471212200999a52352433f16 |
| SHA1 | 321e857e69386d99413e723a4d3a5e63bc520a92 |
| SHA256 | b65f1a2dcb8088cdd755716b7372bb49d4120837c451c8c924e4332e5f6d525e |
| SHA512 | 87b2866c2112b684da5580cf75bd105274b9af9f1e6c913da88f0c303bccc032507dacb74a7a62de7cbd5504611dc8c52c53c9f399b13b9d83b019b73e3e0e78 |