xmrig | a512d79eee205de9e2d33d7b2575e7963e3c7e0bee307a7b9efbcb6efb4a9ddb

General

Target

a512d79eee205de9e2d33d7b2575e7963e3c7e0bee307a7b9efbcb6efb4a9ddb.exe
Size

1.8MB
MD5

2385a24df15426bb0edaf7d39230ad7e
SHA1

12b4010dd473c74105f90342a06cd0d309eb4e15
SHA256

a512d79eee205de9e2d33d7b2575e7963e3c7e0bee307a7b9efbcb6efb4a9ddb
SHA512

d1e6a02321248029d595c9294d35e94754ec300c5245df0171584d030252ee0e2da10aef2392df25d4126f8f6efe0ea0fa90e4e7b744a19a677fb7404f3e2977
SSDEEP

49152:2SuVX/lDfU+P6AozqJH8a7+H+XNKw9p5JfmkUAch/Kn:VuFxfU+SrqJH8aoqsw9p5JfmkUAchCn

Score

10^/10

xmrig discovery miner upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/1724-1-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/1724-17-0x0000000023610000-0x0000000023C8A000-memory.dmp	xmrig
behavioral1/memory/1724-15-0x0000000000400000-0x0000000000593000-memory.dmp	xmrig
behavioral1/memory/2352-42-0x0000000000400000-0x000000000057C000-memory.dmp	xmrig
behavioral1/memory/2352-41-0x0000000023880000-0x0000000023A02000-memory.dmp	xmrig
behavioral1/memory/2352-40-0x00000000008C0000-0x0000000000A53000-memory.dmp	xmrig
behavioral1/memory/2352-31-0x0000000000400000-0x000000000057C000-memory.dmp	xmrig
behavioral1/memory/2352-26-0x0000000000400000-0x0000000000582000-memory.dmp	xmrig
behavioral1/memory/1724-43-0x0000000023610000-0x0000000023C8A000-memory.dmp	xmrig

Deletes itself 1 IoCs

pid	Process
2352	a512d79eee205de9e2d33d7b2575e7963e3c7e0bee307a7b9efbcb6efb4a9ddb.exe

Executes dropped EXE 1 IoCs

pid	Process
2352	a512d79eee205de9e2d33d7b2575e7963e3c7e0bee307a7b9efbcb6efb4a9ddb.exe

Loads dropped DLL 1 IoCs

pid	Process
1724	a512d79eee205de9e2d33d7b2575e7963e3c7e0bee307a7b9efbcb6efb4a9ddb.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1724-0-0x0000000000400000-0x0000000000A7A000-memory.dmp	upx
behavioral1/memory/2352-21-0x0000000000400000-0x0000000000A7A000-memory.dmp	upx
behavioral1/memory/1724-17-0x0000000023610000-0x0000000023C8A000-memory.dmp	upx
behavioral1/files/0x000c000000012277-16.dat	upx

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a512d79eee205de9e2d33d7b2575e7963e3c7e0bee307a7b9efbcb6efb4a9ddb.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1724	a512d79eee205de9e2d33d7b2575e7963e3c7e0bee307a7b9efbcb6efb4a9ddb.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1724	a512d79eee205de9e2d33d7b2575e7963e3c7e0bee307a7b9efbcb6efb4a9ddb.exe
2352	a512d79eee205de9e2d33d7b2575e7963e3c7e0bee307a7b9efbcb6efb4a9ddb.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2352	1724	a512d79eee205de9e2d33d7b2575e7963e3c7e0bee307a7b9efbcb6efb4a9ddb.exe	31
PID 1724 wrote to memory of 2352	1724	a512d79eee205de9e2d33d7b2575e7963e3c7e0bee307a7b9efbcb6efb4a9ddb.exe	31
PID 1724 wrote to memory of 2352	1724	a512d79eee205de9e2d33d7b2575e7963e3c7e0bee307a7b9efbcb6efb4a9ddb.exe	31
PID 1724 wrote to memory of 2352	1724	a512d79eee205de9e2d33d7b2575e7963e3c7e0bee307a7b9efbcb6efb4a9ddb.exe	31

C:\Users\Admin\AppData\Local\Temp\a512d79eee205de9e2d33d7b2575e7963e3c7e0bee307a7b9efbcb6efb4a9ddb.exe
"C:\Users\Admin\AppData\Local\Temp\a512d79eee205de9e2d33d7b2575e7963e3c7e0bee307a7b9efbcb6efb4a9ddb.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Local\Temp\a512d79eee205de9e2d33d7b2575e7963e3c7e0bee307a7b9efbcb6efb4a9ddb.exe
  C:\Users\Admin\AppData\Local\Temp\a512d79eee205de9e2d33d7b2575e7963e3c7e0bee307a7b9efbcb6efb4a9ddb.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a512d79eee205de9e2d33d7b2575e7963e3c7e0bee307a7b9efbcb6efb4a9ddb.exe

Filesize
1.8MB

MD5
a54de1694f0d611b69eec7151d817e06

SHA1
bb8c1b3fcd4b7d99c621c9d5e027ed5dabbd63d4

SHA256
b9e694561acef1543fd3eeeffee6784fdc8d8147113aa55602881898f69534ca

SHA512
1a522bae165d82f968675a7529c4189a7598cff9cb2d886a58329c5ab6e458280d6c6704a9d26ac2131afaed795bf7d28198a16f17ee5f19ae0ebb75ab6ad0fe

Download Submit
memory/1724-43-0x0000000023610000-0x0000000023C8A000-memory.dmp

Filesize
6.5MB

Download
memory/1724-7-0x0000000021CB0000-0x0000000021E4E000-memory.dmp

Filesize
1.6MB

Download
memory/1724-1-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/1724-0-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download
memory/1724-17-0x0000000023610000-0x0000000023C8A000-memory.dmp

Filesize
6.5MB

Download
memory/1724-15-0x0000000000400000-0x0000000000593000-memory.dmp

Filesize
1.6MB

Download
memory/2352-21-0x0000000000400000-0x0000000000A7A000-memory.dmp

Filesize
6.5MB

Download
memory/2352-42-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/2352-41-0x0000000023880000-0x0000000023A02000-memory.dmp

Filesize
1.5MB

Download
memory/2352-40-0x00000000008C0000-0x0000000000A53000-memory.dmp

Filesize
1.6MB

Download
memory/2352-31-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/2352-26-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/2352-25-0x0000000021D30000-0x0000000021ECE000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing