Malware Analysis Report

2025-08-06 02:05

Sample ID 241027-lhfmtatrdy
Target 6eaf207ee25a98617758595f75fa80680ae250911c4f0a96c2f8907901ba8611N
SHA256 6eaf207ee25a98617758595f75fa80680ae250911c4f0a96c2f8907901ba8611
Tags
xmrig discovery miner upx
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

6eaf207ee25a98617758595f75fa80680ae250911c4f0a96c2f8907901ba8611

Threat Level: Known bad

The file 6eaf207ee25a98617758595f75fa80680ae250911c4f0a96c2f8907901ba8611N was found to be: Known bad.

Malicious Activity Summary

xmrig discovery miner upx

Xmrig family

xmrig

XMRig Miner payload

Loads dropped DLL

Executes dropped EXE

Deletes itself

UPX packed file

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: RenamesItself

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-27 09:31

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 09:31

Reported

2024-10-27 09:33

Platform

win10v2004-20241007-en

Max time kernel

99s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6eaf207ee25a98617758595f75fa80680ae250911c4f0a96c2f8907901ba8611N.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6eaf207ee25a98617758595f75fa80680ae250911c4f0a96c2f8907901ba8611N.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6eaf207ee25a98617758595f75fa80680ae250911c4f0a96c2f8907901ba8611N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6eaf207ee25a98617758595f75fa80680ae250911c4f0a96c2f8907901ba8611N.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6eaf207ee25a98617758595f75fa80680ae250911c4f0a96c2f8907901ba8611N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6eaf207ee25a98617758595f75fa80680ae250911c4f0a96c2f8907901ba8611N.exe

"C:\Users\Admin\AppData\Local\Temp\6eaf207ee25a98617758595f75fa80680ae250911c4f0a96c2f8907901ba8611N.exe"

C:\Users\Admin\AppData\Local\Temp\6eaf207ee25a98617758595f75fa80680ae250911c4f0a96c2f8907901ba8611N.exe

C:\Users\Admin\AppData\Local\Temp\6eaf207ee25a98617758595f75fa80680ae250911c4f0a96c2f8907901ba8611N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/4396-0-0x0000000000400000-0x0000000000712000-memory.dmp

memory/4396-1-0x00000000018F0000-0x00000000019B4000-memory.dmp

memory/4396-2-0x0000000000400000-0x0000000000593000-memory.dmp

memory/4848-13-0x0000000000400000-0x0000000000712000-memory.dmp

memory/4396-12-0x0000000000400000-0x0000000000593000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6eaf207ee25a98617758595f75fa80680ae250911c4f0a96c2f8907901ba8611N.exe

MD5 d919729fb55a01e8799195f2a80929d4
SHA1 216d0933e72f02ebb6678acb99513a37c46a8bd6
SHA256 ecad16be86f76d3f96b2565480f5fcc33a913c81c826f979e20f1cc9e2dbf6f9
SHA512 11ec3492a5c8b9c3b212a83f398d96c57804478b83f44f00c732f767a0ad3e82af14733512d6d471f4f370b26805281e0f1eb9a101b1c8c760262bdd3ee4896b

memory/4848-14-0x0000000001A90000-0x0000000001B54000-memory.dmp

memory/4848-15-0x0000000000400000-0x0000000000593000-memory.dmp

memory/4848-20-0x0000000005480000-0x0000000005613000-memory.dmp

memory/4848-21-0x0000000000400000-0x0000000000587000-memory.dmp

memory/4848-31-0x0000000000400000-0x0000000000587000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 09:31

Reported

2024-10-27 09:33

Platform

win7-20241010-en

Max time kernel

64s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6eaf207ee25a98617758595f75fa80680ae250911c4f0a96c2f8907901ba8611N.exe"

Signatures

Xmrig family

xmrig

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6eaf207ee25a98617758595f75fa80680ae250911c4f0a96c2f8907901ba8611N.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6eaf207ee25a98617758595f75fa80680ae250911c4f0a96c2f8907901ba8611N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6eaf207ee25a98617758595f75fa80680ae250911c4f0a96c2f8907901ba8611N.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6eaf207ee25a98617758595f75fa80680ae250911c4f0a96c2f8907901ba8611N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6eaf207ee25a98617758595f75fa80680ae250911c4f0a96c2f8907901ba8611N.exe

"C:\Users\Admin\AppData\Local\Temp\6eaf207ee25a98617758595f75fa80680ae250911c4f0a96c2f8907901ba8611N.exe"

C:\Users\Admin\AppData\Local\Temp\6eaf207ee25a98617758595f75fa80680ae250911c4f0a96c2f8907901ba8611N.exe

C:\Users\Admin\AppData\Local\Temp\6eaf207ee25a98617758595f75fa80680ae250911c4f0a96c2f8907901ba8611N.exe

Network

N/A

Files

memory/3064-0-0x0000000000400000-0x0000000000712000-memory.dmp

memory/3064-1-0x0000000000120000-0x00000000001E4000-memory.dmp

memory/3064-2-0x0000000000400000-0x0000000000593000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6eaf207ee25a98617758595f75fa80680ae250911c4f0a96c2f8907901ba8611N.exe

MD5 d0afcb8a3b799b96e701dc33f6dfb1f1
SHA1 2aa61bd2f0ba5b69a6dbe109b39a1b06c921a4fa
SHA256 746b1dc4b7e78ce69f483288e924dd94ec47ac4cc6e0a949fce312ee126cacb0
SHA512 e3ec221f377152b9519c48427405e962cc1c6f9b9421a551c601a2f2ceaa096ad6d69f8b4c92bd8a8f6b9d6962be5102790836d96f1e166eb58ee27bafd26d6a

memory/3064-14-0x0000000000400000-0x0000000000593000-memory.dmp

memory/2788-17-0x0000000000400000-0x0000000000712000-memory.dmp

memory/3064-16-0x0000000003250000-0x0000000003562000-memory.dmp

memory/2788-18-0x0000000000120000-0x00000000001E4000-memory.dmp

memory/2788-19-0x0000000000400000-0x0000000000593000-memory.dmp

memory/2788-24-0x0000000003160000-0x00000000032F3000-memory.dmp

memory/2788-25-0x0000000000400000-0x0000000000587000-memory.dmp

memory/2788-35-0x0000000000400000-0x0000000000587000-memory.dmp

memory/2788-34-0x00000000005A0000-0x000000000071F000-memory.dmp

memory/3064-36-0x0000000003250000-0x0000000003562000-memory.dmp