Analysis

  • max time kernel
    15s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    27/10/2024, 14:01

General

  • Target

    78ff0c941f7082d0d9b761994c894805fe5c056466a46057718e3c8ea9dc5165N.exe

  • Size

    784KB

  • MD5

    df7640853bdebbf07e75982fbaae9380

  • SHA1

    7d3d7ff33c05a78a568a2d7e16fceb79f3c93ac6

  • SHA256

    78ff0c941f7082d0d9b761994c894805fe5c056466a46057718e3c8ea9dc5165

  • SHA512

    175005f460036ffeb7a494acae330b5ee30d2cbd59963bcd9297c560e0db6d4d848b554398807369c8a1ba518c18228f7e92682908b3c16cd2a8fac77e8eb7c5

  • SSDEEP

    24576:zmQq1PwUDdqVAfgjQZxeUA+an6ihZlb8eq0L495DQ6:q1PKjQZxt9an6kR8eq0E9

Malware Config

Signatures

  • Xmrig family
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner payload 7 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\78ff0c941f7082d0d9b761994c894805fe5c056466a46057718e3c8ea9dc5165N.exe
    "C:\Users\Admin\AppData\Local\Temp\78ff0c941f7082d0d9b761994c894805fe5c056466a46057718e3c8ea9dc5165N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: RenamesItself
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Users\Admin\AppData\Local\Temp\78ff0c941f7082d0d9b761994c894805fe5c056466a46057718e3c8ea9dc5165N.exe
      C:\Users\Admin\AppData\Local\Temp\78ff0c941f7082d0d9b761994c894805fe5c056466a46057718e3c8ea9dc5165N.exe
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of UnmapMainImage
      PID:2476

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\78ff0c941f7082d0d9b761994c894805fe5c056466a46057718e3c8ea9dc5165N.exe

          Filesize

          784KB

          MD5

          92271f4a695cee1fa3e792c5f99595bd

          SHA1

          15c774ba7b56d2230e3c1ea207508d1e90f71abd

          SHA256

          ea7c53daad6f0d39611270c9b72dddcd4f38907a2a71e58f735ad8b75521dfb0

          SHA512

          394d5115f2c9a72ed37f6a75a868ec34af11b5ef877668988c1156f62d208b179c4be6692ab3c677fc2f0a34df0d7140ac3e2d9e6d6ba15ee5551f56a5aca4cf

        • memory/2160-0-0x0000000000400000-0x0000000000712000-memory.dmp

          Filesize

          3.1MB

        • memory/2160-1-0x0000000000400000-0x0000000000593000-memory.dmp

          Filesize

          1.6MB

        • memory/2160-3-0x00000000018B0000-0x0000000001974000-memory.dmp

          Filesize

          784KB

        • memory/2160-15-0x0000000000400000-0x0000000000593000-memory.dmp

          Filesize

          1.6MB

        • memory/2160-14-0x00000000032C0000-0x00000000035D2000-memory.dmp

          Filesize

          3.1MB

        • memory/2476-17-0x0000000000330000-0x00000000003F4000-memory.dmp

          Filesize

          784KB

        • memory/2476-18-0x0000000000400000-0x0000000000593000-memory.dmp

          Filesize

          1.6MB

        • memory/2476-33-0x00000000005A0000-0x000000000071F000-memory.dmp

          Filesize

          1.5MB

        • memory/2476-34-0x0000000000400000-0x0000000000587000-memory.dmp

          Filesize

          1.5MB

        • memory/2476-23-0x0000000000400000-0x0000000000587000-memory.dmp

          Filesize

          1.5MB

        • memory/2476-32-0x0000000003000000-0x0000000003193000-memory.dmp

          Filesize

          1.6MB