xmrig | 33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c

General

Target

tmp.exe
Size

10.4MB
MD5

dff762abefd2ac634f87aacd920c8bdc
SHA1

b8ea30c9d631fbb4a1f57c2873ca8aeb64c93643
SHA256

33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c
SHA512

54db97efb4ffcec9bc4122a6e41029c3cd457b631ede685eb883d5884f5a7b90c465dc8ec2212e712af935481073a2b4eb5180431926f03febccb055d9585341
SSDEEP

196608:D2neZjvDa5N5o9LrIbQTsbHu7THe8FhG8ryPzB3SFyFYha:D3/AU9LrIdb+THVFg8uhSYFYha

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1980-22-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1980-21-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1980-23-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1980-24-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1980-25-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1980-26-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1980-27-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1980-28-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1980-30-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1980-32-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1980-33-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1980-35-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1980-36-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1980-37-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1980-39-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1980-40-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 1 IoCs

Processes:

todymdgvwmgb.exe

pid process

3396 todymdgvwmgb.exe

pid	process
3396	todymdgvwmgb.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

todymdgvwmgb.exe

description	pid	process	target process
PID 3396 set thread context of 4268	3396	todymdgvwmgb.exe	conhost.exe
PID 3396 set thread context of 1980	3396	todymdgvwmgb.exe	svchost.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

964 sc.exe
4804 sc.exe
3512 sc.exe
4812 sc.exe

pid	process
964	sc.exe
4804	sc.exe
3512	sc.exe
4812	sc.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

tmp.exetodymdgvwmgb.exe

pid	process
2912	tmp.exe
2912	tmp.exe
2912	tmp.exe
2912	tmp.exe
2912	tmp.exe
2912	tmp.exe
2912	tmp.exe
2912	tmp.exe
2912	tmp.exe
2912	tmp.exe
3396	todymdgvwmgb.exe
3396	todymdgvwmgb.exe
3396	todymdgvwmgb.exe
3396	todymdgvwmgb.exe
3396	todymdgvwmgb.exe
3396	todymdgvwmgb.exe
3396	todymdgvwmgb.exe
3396	todymdgvwmgb.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

656

pid	process
656

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exe

description	pid	process
Token: SeShutdownPrivilege	4940	powercfg.exe
Token: SeCreatePagefilePrivilege	4940	powercfg.exe
Token: SeShutdownPrivilege	4796	powercfg.exe
Token: SeCreatePagefilePrivilege	4796	powercfg.exe
Token: SeShutdownPrivilege	1604	powercfg.exe
Token: SeCreatePagefilePrivilege	1604	powercfg.exe
Token: SeShutdownPrivilege	3268	powercfg.exe
Token: SeCreatePagefilePrivilege	3268	powercfg.exe
Token: SeShutdownPrivilege	3688	powercfg.exe
Token: SeCreatePagefilePrivilege	3688	powercfg.exe
Token: SeShutdownPrivilege	4788	powercfg.exe
Token: SeCreatePagefilePrivilege	4788	powercfg.exe
Token: SeShutdownPrivilege	5024	powercfg.exe
Token: SeCreatePagefilePrivilege	5024	powercfg.exe
Token: SeShutdownPrivilege	3772	powercfg.exe
Token: SeCreatePagefilePrivilege	3772	powercfg.exe
Token: SeLockMemoryPrivilege	1980	svchost.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

todymdgvwmgb.exe

description	pid	process	target process
PID 3396 wrote to memory of 4268	3396	todymdgvwmgb.exe	conhost.exe
PID 3396 wrote to memory of 4268	3396	todymdgvwmgb.exe	conhost.exe
PID 3396 wrote to memory of 4268	3396	todymdgvwmgb.exe	conhost.exe
PID 3396 wrote to memory of 4268	3396	todymdgvwmgb.exe	conhost.exe
PID 3396 wrote to memory of 4268	3396	todymdgvwmgb.exe	conhost.exe
PID 3396 wrote to memory of 4268	3396	todymdgvwmgb.exe	conhost.exe
PID 3396 wrote to memory of 4268	3396	todymdgvwmgb.exe	conhost.exe
PID 3396 wrote to memory of 4268	3396	todymdgvwmgb.exe	conhost.exe
PID 3396 wrote to memory of 4268	3396	todymdgvwmgb.exe	conhost.exe
PID 3396 wrote to memory of 1980	3396	todymdgvwmgb.exe	svchost.exe
PID 3396 wrote to memory of 1980	3396	todymdgvwmgb.exe	svchost.exe
PID 3396 wrote to memory of 1980	3396	todymdgvwmgb.exe	svchost.exe
PID 3396 wrote to memory of 1980	3396	todymdgvwmgb.exe	svchost.exe
PID 3396 wrote to memory of 1980	3396	todymdgvwmgb.exe	svchost.exe
PID 3396 wrote to memory of 1980	3396	todymdgvwmgb.exe	svchost.exe
PID 3396 wrote to memory of 1980	3396	todymdgvwmgb.exe	svchost.exe
PID 3396 wrote to memory of 1980	3396	todymdgvwmgb.exe	svchost.exe
PID 3396 wrote to memory of 1980	3396	todymdgvwmgb.exe	svchost.exe
PID 3396 wrote to memory of 1980	3396	todymdgvwmgb.exe	svchost.exe
PID 3396 wrote to memory of 1980	3396	todymdgvwmgb.exe	svchost.exe
PID 3396 wrote to memory of 1980	3396	todymdgvwmgb.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2912

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4796

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3268

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "PHSWJLZY"
2⤵
- Launches sc.exe
PID:964

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "PHSWJLZY" binpath= "C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe" start= "auto"
2⤵
- Launches sc.exe
PID:4804

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
2⤵
- Launches sc.exe
PID:3512

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "PHSWJLZY"
2⤵
- Launches sc.exe
PID:4812

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3396

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4788

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:4268

C:\Windows\system32\svchost.exe
svchost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1980

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
1.5MB

MD5
728f205386948d8a65dfa6a298e086ed

SHA1
e3f08b3984920954ac4edc06f860d553b4e15589

SHA256
75debc54a0d5c105c3e4bd6b586732efc073566d1b30c3e2a1b2e896d3c78f93

SHA512
f5cab3c1104d3d5fe783467dc136abc4eb77ac145fed855eb62ea8a4bb3323f17c13b7ba0c273a3a3d9e7598c1cb288cdf1a478f5466660f489349da41c8b53b

Download Submit
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
1.7MB

MD5
a06f96090e8f8a9502e78725873e8474

SHA1
05467d23c2bb33d07cbefc52b4708b8a2ed49815

SHA256
f2ca8ce6d27d65cc65e6e9811e5ac05f36fa1ef121b2d1db84e786bdbd49a3a2

SHA512
76fa2028a30a0f99cef3c86f9ee0b8f0fce3d8bd08d22c618d3354b4a5e5248d9d3cef951a00f01a8f736b910d132c137b8c6aadf3b2c1e1d0d08026c7573d76

Download Submit
memory/1980-32-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1980-27-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1980-36-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1980-25-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1980-35-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1980-42-0x0000020878E00000-0x0000020878E20000-memory.dmp

Filesize
128KB

Download
memory/1980-41-0x0000020878E00000-0x0000020878E20000-memory.dmp

Filesize
128KB

Download
memory/1980-26-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1980-40-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1980-33-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1980-39-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1980-20-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1980-22-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1980-37-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1980-23-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1980-24-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1980-31-0x0000020878750000-0x0000020878770000-memory.dmp

Filesize
128KB

Download
memory/1980-38-0x00000208787C0000-0x0000020878800000-memory.dmp

Filesize
256KB

Download
memory/1980-21-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1980-28-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1980-30-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2912-1-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2912-0-0x00007FF88F290000-0x00007FF88F292000-memory.dmp

Filesize
8KB

Download
memory/2912-5-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2912-2-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/3396-34-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/3396-10-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/4268-16-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4268-14-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4268-19-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4268-15-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4268-13-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4268-12-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads