Malware Analysis Report

2025-08-10 14:49

Sample ID 241025-3k618atmen
Target 3eca9c6319c11f8a20be1ced21aec41dd2927207703f672a7ce83cde11f1b147N
SHA256 3eca9c6319c11f8a20be1ced21aec41dd2927207703f672a7ce83cde11f1b147
Tags
upx xmrig discovery miner
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3eca9c6319c11f8a20be1ced21aec41dd2927207703f672a7ce83cde11f1b147

Threat Level: Known bad

The file 3eca9c6319c11f8a20be1ced21aec41dd2927207703f672a7ce83cde11f1b147N was found to be: Known bad.

Malicious Activity Summary

upx xmrig discovery miner

Xmrig family

xmrig

XMRig Miner payload

Deletes itself

Loads dropped DLL

Executes dropped EXE

UPX packed file

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-25 23:35

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-25 23:35

Reported

2024-10-25 23:37

Platform

win7-20240903-en

Max time kernel

16s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3eca9c6319c11f8a20be1ced21aec41dd2927207703f672a7ce83cde11f1b147N.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (7 matches, no description, indicator, process or target recorded)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3eca9c6319c11f8a20be1ced21aec41dd2927207703f672a7ce83cde11f1b147N.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (4 matches, no description, indicator, process or target recorded)

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3eca9c6319c11f8a20be1ced21aec41dd2927207703f672a7ce83cde11f1b147N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3eca9c6319c11f8a20be1ced21aec41dd2927207703f672a7ce83cde11f1b147N.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3eca9c6319c11f8a20be1ced21aec41dd2927207703f672a7ce83cde11f1b147N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3eca9c6319c11f8a20be1ced21aec41dd2927207703f672a7ce83cde11f1b147N.exe

"C:\Users\Admin\AppData\Local\Temp\3eca9c6319c11f8a20be1ced21aec41dd2927207703f672a7ce83cde11f1b147N.exe"

C:\Users\Admin\AppData\Local\Temp\3eca9c6319c11f8a20be1ced21aec41dd2927207703f672a7ce83cde11f1b147N.exe

C:\Users\Admin\AppData\Local\Temp\3eca9c6319c11f8a20be1ced21aec41dd2927207703f672a7ce83cde11f1b147N.exe

Network

N/A

Files

memory/2368-0-0x0000000000400000-0x0000000000712000-memory.dmp

memory/2368-3-0x0000000001720000-0x00000000017E4000-memory.dmp

memory/2368-1-0x0000000000400000-0x0000000000593000-memory.dmp

\Users\Admin\AppData\Local\Temp\3eca9c6319c11f8a20be1ced21aec41dd2927207703f672a7ce83cde11f1b147N.exe

MD5 5af859e957871c21f5bbdf8d61ca0bfe
SHA1 868778fd72f07c8b7d1a3ddf5e57f9b7c3d03e8d
SHA256 45396636de25b7cffaca85280cb5550a37dbeb21da15e5807b83a8c1b4da8bae
SHA512 a1a727a00c61486590deb671fa49a6ed0fd3cdf892bd1d96e89bb2725186b69f1bf346d16a698f8a04052208806a08a38d28f76fca7184764ffab93efbc5b793

memory/2368-14-0x0000000000400000-0x0000000000593000-memory.dmp

memory/2016-17-0x0000000000400000-0x0000000000712000-memory.dmp

memory/2368-15-0x0000000003140000-0x0000000003452000-memory.dmp

memory/2016-18-0x00000000018B0000-0x0000000001974000-memory.dmp

memory/2016-19-0x0000000000400000-0x0000000000593000-memory.dmp

memory/2016-33-0x0000000003220000-0x00000000033B3000-memory.dmp

memory/2016-24-0x0000000000400000-0x0000000000587000-memory.dmp

memory/2016-34-0x0000000000400000-0x0000000000587000-memory.dmp

memory/2368-35-0x0000000003140000-0x0000000003452000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 23:35

Reported

2024-10-25 23:37

Platform

win10v2004-20241007-en

Max time kernel

102s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3eca9c6319c11f8a20be1ced21aec41dd2927207703f672a7ce83cde11f1b147N.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (6 matches, no description, indicator, process or target recorded)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3eca9c6319c11f8a20be1ced21aec41dd2927207703f672a7ce83cde11f1b147N.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (3 matches, no description, indicator, process or target recorded)

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3eca9c6319c11f8a20be1ced21aec41dd2927207703f672a7ce83cde11f1b147N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3eca9c6319c11f8a20be1ced21aec41dd2927207703f672a7ce83cde11f1b147N.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3eca9c6319c11f8a20be1ced21aec41dd2927207703f672a7ce83cde11f1b147N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3eca9c6319c11f8a20be1ced21aec41dd2927207703f672a7ce83cde11f1b147N.exe

"C:\Users\Admin\AppData\Local\Temp\3eca9c6319c11f8a20be1ced21aec41dd2927207703f672a7ce83cde11f1b147N.exe"

C:\Users\Admin\AppData\Local\Temp\3eca9c6319c11f8a20be1ced21aec41dd2927207703f672a7ce83cde11f1b147N.exe

C:\Users\Admin\AppData\Local\Temp\3eca9c6319c11f8a20be1ced21aec41dd2927207703f672a7ce83cde11f1b147N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 110.11.19.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/1016-0-0x0000000000400000-0x0000000000712000-memory.dmp

memory/1016-1-0x0000000001720000-0x00000000017E4000-memory.dmp

memory/1016-3-0x0000000000400000-0x0000000000593000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3eca9c6319c11f8a20be1ced21aec41dd2927207703f672a7ce83cde11f1b147N.exe

MD5 0fda4cc4d6cd01bd8b32415c9b841447
SHA1 934c91e65485399eb5f28fe81f33df8adf094db0
SHA256 0de033784957bc76afb2e60f5ad83fa296461e8e3cca1d62d6e82f5185133c2a
SHA512 e398b11b0678a626155664b52e85fdd373b6a08e8833b8349d2ca122397d01c0b2838611e48edcd0bf70634a4e8fdf005c3ce2c1d417fb5c87968d5c6de0e869

memory/952-13-0x0000000000400000-0x0000000000712000-memory.dmp

memory/1016-12-0x0000000000400000-0x0000000000593000-memory.dmp

memory/952-14-0x0000000001720000-0x00000000017E4000-memory.dmp

memory/952-15-0x0000000000400000-0x0000000000593000-memory.dmp

memory/952-20-0x0000000000400000-0x0000000000587000-memory.dmp

memory/952-29-0x00000000053E0000-0x0000000005573000-memory.dmp

memory/952-30-0x0000000000400000-0x0000000000587000-memory.dmp