xmrig | 33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c

General

Target

33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
Size

10.4MB
MD5

dff762abefd2ac634f87aacd920c8bdc
SHA1

b8ea30c9d631fbb4a1f57c2873ca8aeb64c93643
SHA256

33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c
SHA512

54db97efb4ffcec9bc4122a6e41029c3cd457b631ede685eb883d5884f5a7b90c465dc8ec2212e712af935481073a2b4eb5180431926f03febccb055d9585341
SSDEEP

196608:D2neZjvDa5N5o9LrIbQTsbHu7THe8FhG8ryPzB3SFyFYha:D3/AU9LrIdb+THVFg8uhSYFYha

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3676-21-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3676-22-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3676-23-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3676-24-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3676-25-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3676-26-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3676-27-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3676-28-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3676-30-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3676-33-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3676-34-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3676-35-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3676-36-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3676-37-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3676-41-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3676-42-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 1 IoCs

Processes:

todymdgvwmgb.exe

pid process

1072 todymdgvwmgb.exe

pid	process
1072	todymdgvwmgb.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

todymdgvwmgb.exe

description	pid	process	target process
PID 1072 set thread context of 1660	1072	todymdgvwmgb.exe	conhost.exe
PID 1072 set thread context of 3676	1072	todymdgvwmgb.exe	svchost.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2072 sc.exe
3424 sc.exe
3656 sc.exe
3764 sc.exe

pid	process
2072	sc.exe
3424	sc.exe
3656	sc.exe
3764	sc.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exetodymdgvwmgb.exe

pid	process
4612	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
4612	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
4612	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
4612	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
4612	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
4612	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
4612	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
4612	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
4612	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
4612	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
1072	todymdgvwmgb.exe
1072	todymdgvwmgb.exe
1072	todymdgvwmgb.exe
1072	todymdgvwmgb.exe
1072	todymdgvwmgb.exe
1072	todymdgvwmgb.exe
1072	todymdgvwmgb.exe
1072	todymdgvwmgb.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

636

pid	process
636

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exe

description	pid	process
Token: SeShutdownPrivilege	4124	powercfg.exe
Token: SeCreatePagefilePrivilege	4124	powercfg.exe
Token: SeShutdownPrivilege	1632	powercfg.exe
Token: SeCreatePagefilePrivilege	1632	powercfg.exe
Token: SeShutdownPrivilege	1120	powercfg.exe
Token: SeCreatePagefilePrivilege	1120	powercfg.exe
Token: SeShutdownPrivilege	4344	powercfg.exe
Token: SeCreatePagefilePrivilege	4344	powercfg.exe
Token: SeShutdownPrivilege	3052	powercfg.exe
Token: SeCreatePagefilePrivilege	3052	powercfg.exe
Token: SeShutdownPrivilege	4308	powercfg.exe
Token: SeCreatePagefilePrivilege	4308	powercfg.exe
Token: SeShutdownPrivilege	4860	powercfg.exe
Token: SeCreatePagefilePrivilege	4860	powercfg.exe
Token: SeShutdownPrivilege	2152	powercfg.exe
Token: SeCreatePagefilePrivilege	2152	powercfg.exe
Token: SeLockMemoryPrivilege	3676	svchost.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

todymdgvwmgb.exe

description	pid	process	target process
PID 1072 wrote to memory of 1660	1072	todymdgvwmgb.exe	conhost.exe
PID 1072 wrote to memory of 1660	1072	todymdgvwmgb.exe	conhost.exe
PID 1072 wrote to memory of 1660	1072	todymdgvwmgb.exe	conhost.exe
PID 1072 wrote to memory of 1660	1072	todymdgvwmgb.exe	conhost.exe
PID 1072 wrote to memory of 1660	1072	todymdgvwmgb.exe	conhost.exe
PID 1072 wrote to memory of 1660	1072	todymdgvwmgb.exe	conhost.exe
PID 1072 wrote to memory of 1660	1072	todymdgvwmgb.exe	conhost.exe
PID 1072 wrote to memory of 1660	1072	todymdgvwmgb.exe	conhost.exe
PID 1072 wrote to memory of 1660	1072	todymdgvwmgb.exe	conhost.exe
PID 1072 wrote to memory of 3676	1072	todymdgvwmgb.exe	svchost.exe
PID 1072 wrote to memory of 3676	1072	todymdgvwmgb.exe	svchost.exe
PID 1072 wrote to memory of 3676	1072	todymdgvwmgb.exe	svchost.exe
PID 1072 wrote to memory of 3676	1072	todymdgvwmgb.exe	svchost.exe
PID 1072 wrote to memory of 3676	1072	todymdgvwmgb.exe	svchost.exe
PID 1072 wrote to memory of 3676	1072	todymdgvwmgb.exe	svchost.exe
PID 1072 wrote to memory of 3676	1072	todymdgvwmgb.exe	svchost.exe
PID 1072 wrote to memory of 3676	1072	todymdgvwmgb.exe	svchost.exe
PID 1072 wrote to memory of 3676	1072	todymdgvwmgb.exe	svchost.exe
PID 1072 wrote to memory of 3676	1072	todymdgvwmgb.exe	svchost.exe
PID 1072 wrote to memory of 3676	1072	todymdgvwmgb.exe	svchost.exe
PID 1072 wrote to memory of 3676	1072	todymdgvwmgb.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
"C:\Users\Admin\AppData\Local\Temp\33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4612

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4124

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4344

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "PHSWJLZY"
2⤵
- Launches sc.exe
PID:2072

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "PHSWJLZY" binpath= "C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe" start= "auto"
2⤵
- Launches sc.exe
PID:3424

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
2⤵
- Launches sc.exe
PID:3656

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "PHSWJLZY"
2⤵
- Launches sc.exe
PID:3764

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4308

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:1660

C:\Windows\system32\svchost.exe
svchost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3676

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
9.4MB

MD5
1a812452f8928f73f7dd8f5a82663509

SHA1
5df17717bf4a0ec87c056098afb32c3b2ffdfcbc

SHA256
e458b01f62e0baabaa4fe30a1bdfaa884ed6226e3d846771532e1c3fe98f44e9

SHA512
67a590bfa17cf08b4c4df4afcea3712928a0f3729967c6fd86e6f94661913219d446b2823166c04b0fd4a00a6916ade3bb566016daaf02e85d133596bd16665c

Download Submit
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
8.0MB

MD5
176d16b0f53a7d6a3d93cd0d62cdf110

SHA1
9207c54d64639fd2d52a9713a47792074c817913

SHA256
f55bc0403fb93e8f4900b39843016fe56a22d22a0f9a642ca23a0caa0f1a1e1a

SHA512
c977868817cfc740aa32f0d2707d88702ad149199296ac595bfc74fe0da3b7872574c9d9e3428ca3427e61e28d88db28912412c3ec4d8bb51f4c1a741f390713

Download Submit
memory/1072-10-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/1072-32-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/1072-9-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/1660-13-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1660-16-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1660-12-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1660-19-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1660-14-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1660-15-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3676-27-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3676-30-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3676-20-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3676-21-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3676-22-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3676-23-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3676-24-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3676-25-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3676-26-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3676-44-0x000001DC6DCC0000-0x000001DC6DCE0000-memory.dmp

Filesize
128KB

Download
memory/3676-28-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3676-43-0x000001DC6DCC0000-0x000001DC6DCE0000-memory.dmp

Filesize
128KB

Download
memory/3676-31-0x000001DC6DBF0000-0x000001DC6DC10000-memory.dmp

Filesize
128KB

Download
memory/3676-42-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3676-33-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3676-34-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3676-35-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3676-36-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3676-37-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3676-40-0x000001DC6DC80000-0x000001DC6DCC0000-memory.dmp

Filesize
256KB

Download
memory/3676-41-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4612-2-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/4612-0-0x00007FFAADAF0000-0x00007FFAADAF2000-memory.dmp

Filesize
8KB

Download
memory/4612-5-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads