xmrig | 33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c

General

Target

tmp.exe
Size

10.4MB
MD5

dff762abefd2ac634f87aacd920c8bdc
SHA1

b8ea30c9d631fbb4a1f57c2873ca8aeb64c93643
SHA256

33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c
SHA512

54db97efb4ffcec9bc4122a6e41029c3cd457b631ede685eb883d5884f5a7b90c465dc8ec2212e712af935481073a2b4eb5180431926f03febccb055d9585341
SSDEEP

196608:D2neZjvDa5N5o9LrIbQTsbHu7THe8FhG8ryPzB3SFyFYha:D3/AU9LrIdb+THVFg8uhSYFYha

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2252-36-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2252-37-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2252-38-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2252-39-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2252-40-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2252-41-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2252-42-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2252-43-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2252-46-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2252-50-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2252-51-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2252-52-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2252-53-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2252-54-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2252-63-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2252-64-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 3 IoCs

Processes:

todymdgvwmgb.exetodymdgvwmgb.exe

pid process

464
2988 todymdgvwmgb.exe
1212 todymdgvwmgb.exe
Loads dropped DLL 1 IoCs

Processes:

pid process

464

pid	process
464
2988	todymdgvwmgb.exe
1212	todymdgvwmgb.exe

pid	process
464

Suspicious use of SetThreadContext 2 IoCs

Processes:

todymdgvwmgb.exe

description	pid	process	target process
PID 2988 set thread context of 2384	2988	todymdgvwmgb.exe	conhost.exe
PID 2988 set thread context of 2252	2988	todymdgvwmgb.exe	svchost.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2740 sc.exe
2568 sc.exe
2452 sc.exe
2400 sc.exe

pid	process
2740	sc.exe
2568	sc.exe
2452	sc.exe
2400	sc.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

tmp.exetodymdgvwmgb.execonhost.exetodymdgvwmgb.exe

pid	process
1964	tmp.exe
1964	tmp.exe
1964	tmp.exe
1964	tmp.exe
1964	tmp.exe
1964	tmp.exe
1964	tmp.exe
1964	tmp.exe
1964	tmp.exe
2988	todymdgvwmgb.exe
2988	todymdgvwmgb.exe
2988	todymdgvwmgb.exe
2988	todymdgvwmgb.exe
2988	todymdgvwmgb.exe
2988	todymdgvwmgb.exe
2988	todymdgvwmgb.exe
2384	conhost.exe
1212	todymdgvwmgb.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464

pid	process
464

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exe

description	pid	process
Token: SeShutdownPrivilege	2616	powercfg.exe
Token: SeShutdownPrivilege	2752	powercfg.exe
Token: SeShutdownPrivilege	2628	powercfg.exe
Token: SeShutdownPrivilege	2500	powercfg.exe
Token: SeShutdownPrivilege	588	powercfg.exe
Token: SeShutdownPrivilege	1112	powercfg.exe
Token: SeShutdownPrivilege	1248	powercfg.exe
Token: SeShutdownPrivilege	1440	powercfg.exe
Token: SeLockMemoryPrivilege	2252	svchost.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

todymdgvwmgb.exe

description	pid	process	target process
PID 2988 wrote to memory of 2384	2988	todymdgvwmgb.exe	conhost.exe
PID 2988 wrote to memory of 2384	2988	todymdgvwmgb.exe	conhost.exe
PID 2988 wrote to memory of 2384	2988	todymdgvwmgb.exe	conhost.exe
PID 2988 wrote to memory of 2384	2988	todymdgvwmgb.exe	conhost.exe
PID 2988 wrote to memory of 2384	2988	todymdgvwmgb.exe	conhost.exe
PID 2988 wrote to memory of 2384	2988	todymdgvwmgb.exe	conhost.exe
PID 2988 wrote to memory of 2384	2988	todymdgvwmgb.exe	conhost.exe
PID 2988 wrote to memory of 2384	2988	todymdgvwmgb.exe	conhost.exe
PID 2988 wrote to memory of 2384	2988	todymdgvwmgb.exe	conhost.exe
PID 2988 wrote to memory of 2252	2988	todymdgvwmgb.exe	svchost.exe
PID 2988 wrote to memory of 2252	2988	todymdgvwmgb.exe	svchost.exe
PID 2988 wrote to memory of 2252	2988	todymdgvwmgb.exe	svchost.exe
PID 2988 wrote to memory of 2252	2988	todymdgvwmgb.exe	svchost.exe
PID 2988 wrote to memory of 2252	2988	todymdgvwmgb.exe	svchost.exe
PID 2988 wrote to memory of 2252	2988	todymdgvwmgb.exe	svchost.exe
PID 2988 wrote to memory of 2252	2988	todymdgvwmgb.exe	svchost.exe
PID 2988 wrote to memory of 2252	2988	todymdgvwmgb.exe	svchost.exe
PID 2988 wrote to memory of 2252	2988	todymdgvwmgb.exe	svchost.exe
PID 2988 wrote to memory of 2252	2988	todymdgvwmgb.exe	svchost.exe
PID 2988 wrote to memory of 2252	2988	todymdgvwmgb.exe	svchost.exe
PID 2988 wrote to memory of 2252	2988	todymdgvwmgb.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1964

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "PHSWJLZY"
2⤵
- Launches sc.exe
PID:2740

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "PHSWJLZY" binpath= "C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe" start= "auto"
2⤵
- Launches sc.exe
PID:2568

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
2⤵
- Launches sc.exe
PID:2452

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "PHSWJLZY"
2⤵
- Launches sc.exe
PID:2400

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2988

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:588

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2384

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
"C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1212

C:\Windows\system32\svchost.exe
svchost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2252

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
4.4MB

MD5
d5e74379dbb2b8b1ecb062295acbe01f

SHA1
8bb109bff5ed0b9254d12cb8c9a34998fc92dd77

SHA256
e622fa3c9ced84da3fd17131438d8f6c357fa23858cbc44752e710d7a2d15c53

SHA512
a4cc4513f2ab1373e837383b29c4cf2a2dd546c8482302dff89ea5319f4beb1736c515a15ad48999b9269827d6f2a81137e4199dbe276270073520700f8d575a

Download Submit
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
6.6MB

MD5
e38e262ce5e1814d76d453c95ee3f03d

SHA1
c9cce8d188a6d906db2e2a4918281a28e5fe9bec

SHA256
952c2d2e3b48819b8fa1c8dc9cd7478b1dedb89e5ae40092b4d4d23fbb67e839

SHA512
fcf61ee80f5b045206ac2d0c5f7b85f780b7fda5afe1b938e86f06ef700d009ac91c6c6db67c2c9a7c65b9439ef437c59f1f35ad2971b4b290c3949edf929359

Download Submit
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
5.3MB

MD5
64a23104fa03e98c14bcb39b3876c3ed

SHA1
9470ab48cd54482012bb5df18492f0532404e0d3

SHA256
fdc9ea28abf530eaa9614a5c885e5cc17dbcab576e00ffcf9b31d488856129d5

SHA512
9694df45efa76d9fdc8e4d62a2c8acfc37a8b9b1a1217e976454c2cc2e7341dc392c32976c345a69160d2057ffd97c8d1acfb7fc7a7ce20f2776f4166d3240fd

Download Submit
\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
3.6MB

MD5
1e64937c425097f7e47e327e7f713c3b

SHA1
fb3bb6564321ef74688d71be1037b45d45f75851

SHA256
8835ceecae6f9204c6c3f09681a3dd3233c3e27e60c0bd73d73d6649f27837da

SHA512
acf38a9aefcffff014d983426e074197fc11366c86f6f8ffbdc1995ade1fd90ed390caf3998454b7d0d0faf4f98d87559637e9d3a0a86e032b77e32089e4c98b

Download Submit
\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
3.7MB

MD5
1061d585214322a5b72c5543fa6d554e

SHA1
87e57f339b3781175bfae2b08b1a88d1da2e67c4

SHA256
e40995e3d4d0312f99a960b61305c34b5f5ad1f436326bf1f2ab365b88b0a483

SHA512
acebbd154a7df1c0e5fe5bbcca9d745cefe8ad0d848e42f639a9bcabc6b5c9bd5ca7ef48c5afe2206bee27b8617585e7d9c46903b875af45d439e59176c0a087

Download Submit
memory/1212-57-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/1212-61-0x0000000077550000-0x00000000776F9000-memory.dmp

Filesize
1.7MB

Download
memory/1964-8-0x0000000077550000-0x00000000776F9000-memory.dmp

Filesize
1.7MB

Download
memory/1964-12-0x0000000077550000-0x00000000776F9000-memory.dmp

Filesize
1.7MB

Download
memory/1964-10-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/1964-9-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/1964-0-0x0000000077700000-0x0000000077702000-memory.dmp

Filesize
8KB

Download
memory/1964-17-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/1964-4-0x0000000077700000-0x0000000077702000-memory.dmp

Filesize
8KB

Download
memory/1964-5-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/1964-2-0x0000000077700000-0x0000000077702000-memory.dmp

Filesize
8KB

Download
memory/2252-35-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2252-52-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2252-66-0x0000000000390000-0x00000000003B0000-memory.dmp

Filesize
128KB

Download
memory/2252-65-0x0000000000390000-0x00000000003B0000-memory.dmp

Filesize
128KB

Download
memory/2252-64-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2252-63-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2252-54-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2252-36-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2252-37-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2252-38-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2252-39-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2252-40-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2252-41-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2252-42-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2252-43-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2252-53-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2252-46-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2252-47-0x0000000000040000-0x0000000000060000-memory.dmp

Filesize
128KB

Download
memory/2252-51-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2252-50-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2384-28-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2384-27-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2384-33-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2384-31-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2384-30-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2384-29-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2988-49-0x0000000077550000-0x00000000776F9000-memory.dmp

Filesize
1.7MB

Download
memory/2988-48-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2988-25-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2988-24-0x0000000077550000-0x00000000776F9000-memory.dmp

Filesize
1.7MB

Download
memory/2988-23-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads