xmrig | 12cf679adfc86ffc3bfe4937b776bf7e066507e3c146cf166c5689d3d6ee519e

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 14:28

Target

2024-12-25_ff5c813925666cdcb853e9cd88bed9f0_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.7MB
MD5

ff5c813925666cdcb853e9cd88bed9f0
SHA1

1794ffaf2ce5891ddb4c2b818c7ec140ec345979
SHA256

12cf679adfc86ffc3bfe4937b776bf7e066507e3c146cf166c5689d3d6ee519e
SHA512

1b6545389c4268a4383c6f62886e23994551d78a2c391077a1e5973bb5303aa21dc16fc08a6f97a12590b836e157fc55f3fcfc77d38a33faae83e75eb00b9980
SSDEEP

98304:hemTLkNdfE0pZaN56utgpPFotBER/mQ32lUx:w+156utgpPF8u/7x

Score

10^/10

xmrig miner

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral1/memory/2644-0-0x000000013FE10000-0x000000014015D000-memory.dmp	xmrig

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2784	2644	2024-12-25_ff5c813925666cdcb853e9cd88bed9f0_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2644 wrote to memory of 2784	2644	2024-12-25_ff5c813925666cdcb853e9cd88bed9f0_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2644 wrote to memory of 2784	2644	2024-12-25_ff5c813925666cdcb853e9cd88bed9f0_cobalt-strike_cobaltstrike_poet-rat.exe	31

C:\Users\Admin\AppData\Local\Temp\2024-12-25_ff5c813925666cdcb853e9cd88bed9f0_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-25_ff5c813925666cdcb853e9cd88bed9f0_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2644 -s 72
  2⤵
  PID:2784

memory/2644-0-0x000000013FE10000-0x000000014015D000-memory.dmp

Filesize
3.3MB

Download