xmrig | 33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c

General

Target

33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
Size

10.4MB
MD5

dff762abefd2ac634f87aacd920c8bdc
SHA1

b8ea30c9d631fbb4a1f57c2873ca8aeb64c93643
SHA256

33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c
SHA512

54db97efb4ffcec9bc4122a6e41029c3cd457b631ede685eb883d5884f5a7b90c465dc8ec2212e712af935481073a2b4eb5180431926f03febccb055d9585341
SSDEEP

196608:D2neZjvDa5N5o9LrIbQTsbHu7THe8FhG8ryPzB3SFyFYha:D3/AU9LrIdb+THVFg8uhSYFYha

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/324-35-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/324-36-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/324-37-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/324-38-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/324-39-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/324-40-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/324-41-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/324-42-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/324-44-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/324-46-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/324-50-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/324-47-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/324-51-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/324-52-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/324-53-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/324-54-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 2 IoCs

Processes:

todymdgvwmgb.exe

pid process

468
2496 todymdgvwmgb.exe
Loads dropped DLL 1 IoCs

Processes:

pid process

468

pid	process
468
2496	todymdgvwmgb.exe

pid	process
468

Suspicious use of SetThreadContext 2 IoCs

Processes:

todymdgvwmgb.exe

description	pid	process	target process
PID 2496 set thread context of 2456	2496	todymdgvwmgb.exe	conhost.exe
PID 2496 set thread context of 324	2496	todymdgvwmgb.exe	svchost.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2536 sc.exe
2548 sc.exe
2512 sc.exe
2884 sc.exe

pid	process
2536	sc.exe
2548	sc.exe
2512	sc.exe
2884	sc.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exetodymdgvwmgb.exe

pid	process
1152	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
1152	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
1152	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
1152	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
1152	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
1152	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
1152	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
1152	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
1152	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
2496	todymdgvwmgb.exe
2496	todymdgvwmgb.exe
2496	todymdgvwmgb.exe
2496	todymdgvwmgb.exe
2496	todymdgvwmgb.exe
2496	todymdgvwmgb.exe
2496	todymdgvwmgb.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468

pid	process
468

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exe

description	pid	process
Token: SeShutdownPrivilege	2952	powercfg.exe
Token: SeShutdownPrivilege	3020	powercfg.exe
Token: SeShutdownPrivilege	2804	powercfg.exe
Token: SeShutdownPrivilege	2716	powercfg.exe
Token: SeShutdownPrivilege	2388	powercfg.exe
Token: SeShutdownPrivilege	2408	powercfg.exe
Token: SeShutdownPrivilege	2424	powercfg.exe
Token: SeShutdownPrivilege	2392	powercfg.exe
Token: SeLockMemoryPrivilege	324	svchost.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

todymdgvwmgb.exe

description	pid	process	target process
PID 2496 wrote to memory of 2456	2496	todymdgvwmgb.exe	conhost.exe
PID 2496 wrote to memory of 2456	2496	todymdgvwmgb.exe	conhost.exe
PID 2496 wrote to memory of 2456	2496	todymdgvwmgb.exe	conhost.exe
PID 2496 wrote to memory of 2456	2496	todymdgvwmgb.exe	conhost.exe
PID 2496 wrote to memory of 2456	2496	todymdgvwmgb.exe	conhost.exe
PID 2496 wrote to memory of 2456	2496	todymdgvwmgb.exe	conhost.exe
PID 2496 wrote to memory of 2456	2496	todymdgvwmgb.exe	conhost.exe
PID 2496 wrote to memory of 2456	2496	todymdgvwmgb.exe	conhost.exe
PID 2496 wrote to memory of 2456	2496	todymdgvwmgb.exe	conhost.exe
PID 2496 wrote to memory of 324	2496	todymdgvwmgb.exe	svchost.exe
PID 2496 wrote to memory of 324	2496	todymdgvwmgb.exe	svchost.exe
PID 2496 wrote to memory of 324	2496	todymdgvwmgb.exe	svchost.exe
PID 2496 wrote to memory of 324	2496	todymdgvwmgb.exe	svchost.exe
PID 2496 wrote to memory of 324	2496	todymdgvwmgb.exe	svchost.exe
PID 2496 wrote to memory of 324	2496	todymdgvwmgb.exe	svchost.exe
PID 2496 wrote to memory of 324	2496	todymdgvwmgb.exe	svchost.exe
PID 2496 wrote to memory of 324	2496	todymdgvwmgb.exe	svchost.exe
PID 2496 wrote to memory of 324	2496	todymdgvwmgb.exe	svchost.exe
PID 2496 wrote to memory of 324	2496	todymdgvwmgb.exe	svchost.exe
PID 2496 wrote to memory of 324	2496	todymdgvwmgb.exe	svchost.exe
PID 2496 wrote to memory of 324	2496	todymdgvwmgb.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
"C:\Users\Admin\AppData\Local\Temp\33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1152

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "PHSWJLZY"
2⤵
- Launches sc.exe
PID:2536

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "PHSWJLZY" binpath= "C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe" start= "auto"
2⤵
- Launches sc.exe
PID:2548

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
2⤵
- Launches sc.exe
PID:2884

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "PHSWJLZY"
2⤵
- Launches sc.exe
PID:2512

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:2456

C:\Windows\system32\svchost.exe
svchost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:324

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
2.6MB

MD5
e592a9ab96c98874102e717b7418a356

SHA1
10f1442e1e8b6aa9966621b2a0c02805924c3915

SHA256
5df1e361d895a62866d0ce7516669fc7bdb210eb344218dc1884c801f7103720

SHA512
86ff42ba0b429a785a6aaffad3f897f59ccc8f1a16b757605e3f860cfeca481db64d917f1d7a61b4b387e39fd8f065eb11e1536b9d12920e30a78f4bcfb6f1f2

Download Submit
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
1.1MB

MD5
619c27ed43f577eb8656e642eb537912

SHA1
66ae9273300ae7edbf413182ad4f35a5c3deac15

SHA256
dc45788ac1a4e29c2f64712895cc6938c26ec3d0ad166f3fbd95fa151fe71f36

SHA512
48860cbb7b1df580771948b5a8fdac359193a22b047590189bf17a12d7488184dfdc797aa0e05fb3f9cb9ffc56857f2b1b58dfca93abfe095b8ed437548ef2cd

Download Submit
\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
4.2MB

MD5
605399b81893ccc7ce45e8169e76e6a9

SHA1
c2582cea3a8481dffaf61ca9d1e29168697513d4

SHA256
9a6ace97284429938cc0160bbd49cc17901bbb4f2f52d34728a17d2f9a3da185

SHA512
847fb64feaee4508402824259f9c44bcdfa5c08ff13d043eec6abf337d7396f3c533d9a2e25296ba3d386bab7d8062c5501afa90d5050d5c9ec8f03deee3b158

Download Submit
\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
4.0MB

MD5
74dd28c718f2f399e321125a77ee4820

SHA1
c52e5fd2e02687cd2619c143b02c71d139834695

SHA256
490bec6eee21219a02c38415bb19b60f63c68c73643eb63f92820d37fea9874e

SHA512
7f0149c85fb0b65e57b3ecea2eb6b1490c9873bfee73df8979d3353898a59dbc0c868e62d5d2ab67e44daa58ce32e889e7ce2aaa1977a991780ee9b8601c7fac

Download Submit
memory/324-44-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/324-46-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/324-56-0x00000000006E0000-0x0000000000700000-memory.dmp

Filesize
128KB

Download
memory/324-35-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/324-54-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/324-53-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/324-52-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/324-36-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/324-47-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/324-50-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/324-45-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/324-42-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/324-41-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/324-37-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/324-40-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/324-39-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/324-38-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/324-34-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/324-55-0x00000000006E0000-0x0000000000700000-memory.dmp

Filesize
128KB

Download
memory/324-51-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1152-4-0x0000000076E70000-0x0000000076E72000-memory.dmp

Filesize
8KB

Download
memory/1152-7-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/1152-9-0x0000000076CC0000-0x0000000076E69000-memory.dmp

Filesize
1.7MB

Download
memory/1152-5-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/1152-2-0x0000000076E70000-0x0000000076E72000-memory.dmp

Filesize
8KB

Download
memory/1152-16-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/1152-0-0x0000000076E70000-0x0000000076E72000-memory.dmp

Filesize
8KB

Download
memory/1152-11-0x0000000076CC0000-0x0000000076E69000-memory.dmp

Filesize
1.7MB

Download
memory/2456-27-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2456-26-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2456-29-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2456-30-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2456-32-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2456-28-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2496-49-0x0000000076CC0000-0x0000000076E69000-memory.dmp

Filesize
1.7MB

Download
memory/2496-24-0x0000000076CC0000-0x0000000076E69000-memory.dmp

Filesize
1.7MB

Download
memory/2496-22-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2496-48-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2496-23-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads