xmrig | e9e7ed116f774a7f08fe89350590429c0263b20f93913d052bab90c9346a2ecb

Analysis

max time kernel
118s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2025 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9e7ed116f774a7f08fe89350590429c0263b20f93913d052bab90c9346a2ecbN.exe
Size

2.5MB
MD5

16adb0b69abf6631ec37eeb664591ee0
SHA1

eab734f229e199f3ae254601272cc33b1a53e325
SHA256

e9e7ed116f774a7f08fe89350590429c0263b20f93913d052bab90c9346a2ecb
SHA512

318b73a8715fac95c1a2428ea246216f283a5e96542a398978d1a71696ab67b3e0ea0f3760319be504711fd770c7e889e26704b29a27be4c7f1b991120dbc472
SSDEEP

49152:saM0yt78D1qgEX8rs5e1+9dZkoIeATy//8NoGLbLTsgNpdVY/WE:pk8DRe8r6YOdZkoViE/bGLjLu

Score

10^/10

xmrig miner upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 11 IoCs

miner

resource	yara_rule
behavioral2/memory/864-7-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/864-6-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/864-10-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/864-12-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/864-13-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/864-11-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/864-9-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/864-14-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/864-17-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/864-18-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/864-19-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3224 set thread context of 864	3224	e9e7ed116f774a7f08fe89350590429c0263b20f93913d052bab90c9346a2ecbN.exe	86

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/864-1-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/864-3-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/864-2-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/864-4-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/864-5-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/864-7-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/864-6-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/864-10-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/864-12-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/864-13-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/864-11-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/864-9-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/864-14-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/864-17-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/864-18-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/864-19-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3224	e9e7ed116f774a7f08fe89350590429c0263b20f93913d052bab90c9346a2ecbN.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe
864	nslookup.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	864	nslookup.exe
Token: SeLockMemoryPrivilege	864	nslookup.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3224 wrote to memory of 864	3224	e9e7ed116f774a7f08fe89350590429c0263b20f93913d052bab90c9346a2ecbN.exe	86
PID 3224 wrote to memory of 864	3224	e9e7ed116f774a7f08fe89350590429c0263b20f93913d052bab90c9346a2ecbN.exe	86
PID 3224 wrote to memory of 864	3224	e9e7ed116f774a7f08fe89350590429c0263b20f93913d052bab90c9346a2ecbN.exe	86
PID 3224 wrote to memory of 864	3224	e9e7ed116f774a7f08fe89350590429c0263b20f93913d052bab90c9346a2ecbN.exe	86
PID 3224 wrote to memory of 864	3224	e9e7ed116f774a7f08fe89350590429c0263b20f93913d052bab90c9346a2ecbN.exe	86

C:\Users\Admin\AppData\Local\Temp\e9e7ed116f774a7f08fe89350590429c0263b20f93913d052bab90c9346a2ecbN.exe
"C:\Users\Admin\AppData\Local\Temp\e9e7ed116f774a7f08fe89350590429c0263b20f93913d052bab90c9346a2ecbN.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Windows\system32\nslookup.exe
  nslookup.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/864-1-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/864-3-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/864-2-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/864-4-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/864-5-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/864-7-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/864-8-0x0000029901610000-0x0000029901630000-memory.dmp

Filesize
128KB

Download
memory/864-6-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/864-10-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/864-12-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/864-13-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/864-11-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/864-9-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/864-14-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/864-16-0x0000029902F70000-0x0000029902F90000-memory.dmp

Filesize
128KB

Download
memory/864-17-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/864-18-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/864-19-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/864-22-0x0000029902FB0000-0x0000029902FD0000-memory.dmp

Filesize
128KB

Download
memory/864-21-0x0000029902F90000-0x0000029902FB0000-memory.dmp

Filesize
128KB

Download
memory/864-23-0x0000029902F90000-0x0000029902FB0000-memory.dmp

Filesize
128KB

Download
memory/864-24-0x0000029902FB0000-0x0000029902FD0000-memory.dmp

Filesize
128KB

Download