xmrig | 33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c

General

Target

33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
Size

10.4MB
MD5

dff762abefd2ac634f87aacd920c8bdc
SHA1

b8ea30c9d631fbb4a1f57c2873ca8aeb64c93643
SHA256

33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c
SHA512

54db97efb4ffcec9bc4122a6e41029c3cd457b631ede685eb883d5884f5a7b90c465dc8ec2212e712af935481073a2b4eb5180431926f03febccb055d9585341
SSDEEP

196608:D2neZjvDa5N5o9LrIbQTsbHu7THe8FhG8ryPzB3SFyFYha:D3/AU9LrIdb+THVFg8uhSYFYha

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4500-21-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4500-22-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4500-23-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4500-24-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4500-25-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4500-26-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4500-27-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4500-28-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4500-31-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4500-36-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4500-37-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4500-38-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4500-39-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4500-40-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4500-51-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4500-52-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 2 IoCs

Processes:

todymdgvwmgb.exetodymdgvwmgb.exe

pid process

2940 todymdgvwmgb.exe
2492 todymdgvwmgb.exe

pid	process
2940	todymdgvwmgb.exe
2492	todymdgvwmgb.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

todymdgvwmgb.exe

description	pid	process	target process
PID 2940 set thread context of 2464	2940	todymdgvwmgb.exe	conhost.exe
PID 2940 set thread context of 4500	2940	todymdgvwmgb.exe	svchost.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

940 sc.exe
4416 sc.exe
4360 sc.exe
3740 sc.exe

pid	process
940	sc.exe
4416	sc.exe
4360	sc.exe
3740	sc.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exetodymdgvwmgb.execonhost.exetodymdgvwmgb.exe

pid	process
360	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
360	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
360	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
360	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
360	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
360	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
360	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
360	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
360	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
360	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
2940	todymdgvwmgb.exe
2940	todymdgvwmgb.exe
2940	todymdgvwmgb.exe
2940	todymdgvwmgb.exe
2940	todymdgvwmgb.exe
2940	todymdgvwmgb.exe
2940	todymdgvwmgb.exe
2940	todymdgvwmgb.exe
2464	conhost.exe
2492	todymdgvwmgb.exe
2492	todymdgvwmgb.exe
2492	todymdgvwmgb.exe
2492	todymdgvwmgb.exe
2492	todymdgvwmgb.exe
2492	todymdgvwmgb.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

632

pid	process
632

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeShutdownPrivilege	4608	powercfg.exe
Token: SeCreatePagefilePrivilege	4608	powercfg.exe
Token: SeShutdownPrivilege	2268	powercfg.exe
Token: SeCreatePagefilePrivilege	2268	powercfg.exe
Token: SeShutdownPrivilege	3248	powercfg.exe
Token: SeCreatePagefilePrivilege	3248	powercfg.exe
Token: SeShutdownPrivilege	3076	powercfg.exe
Token: SeCreatePagefilePrivilege	3076	powercfg.exe
Token: SeShutdownPrivilege	1452	powercfg.exe
Token: SeCreatePagefilePrivilege	1452	powercfg.exe
Token: SeShutdownPrivilege	3736	powercfg.exe
Token: SeCreatePagefilePrivilege	3736	powercfg.exe
Token: SeShutdownPrivilege	1820	powercfg.exe
Token: SeCreatePagefilePrivilege	1820	powercfg.exe
Token: SeShutdownPrivilege	2612	powercfg.exe
Token: SeCreatePagefilePrivilege	2612	powercfg.exe
Token: SeLockMemoryPrivilege	4500	svchost.exe
Token: SeShutdownPrivilege	3600	powercfg.exe
Token: SeCreatePagefilePrivilege	3600	powercfg.exe
Token: SeShutdownPrivilege	5052	powercfg.exe
Token: SeCreatePagefilePrivilege	5052	powercfg.exe
Token: SeShutdownPrivilege	4108	powercfg.exe
Token: SeCreatePagefilePrivilege	4108	powercfg.exe
Token: SeShutdownPrivilege	3092	powercfg.exe
Token: SeCreatePagefilePrivilege	3092	powercfg.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

todymdgvwmgb.exe

description	pid	process	target process
PID 2940 wrote to memory of 2464	2940	todymdgvwmgb.exe	conhost.exe
PID 2940 wrote to memory of 2464	2940	todymdgvwmgb.exe	conhost.exe
PID 2940 wrote to memory of 2464	2940	todymdgvwmgb.exe	conhost.exe
PID 2940 wrote to memory of 2464	2940	todymdgvwmgb.exe	conhost.exe
PID 2940 wrote to memory of 2464	2940	todymdgvwmgb.exe	conhost.exe
PID 2940 wrote to memory of 2464	2940	todymdgvwmgb.exe	conhost.exe
PID 2940 wrote to memory of 2464	2940	todymdgvwmgb.exe	conhost.exe
PID 2940 wrote to memory of 2464	2940	todymdgvwmgb.exe	conhost.exe
PID 2940 wrote to memory of 2464	2940	todymdgvwmgb.exe	conhost.exe
PID 2940 wrote to memory of 4500	2940	todymdgvwmgb.exe	svchost.exe
PID 2940 wrote to memory of 4500	2940	todymdgvwmgb.exe	svchost.exe
PID 2940 wrote to memory of 4500	2940	todymdgvwmgb.exe	svchost.exe
PID 2940 wrote to memory of 4500	2940	todymdgvwmgb.exe	svchost.exe
PID 2940 wrote to memory of 4500	2940	todymdgvwmgb.exe	svchost.exe
PID 2940 wrote to memory of 4500	2940	todymdgvwmgb.exe	svchost.exe
PID 2940 wrote to memory of 4500	2940	todymdgvwmgb.exe	svchost.exe
PID 2940 wrote to memory of 4500	2940	todymdgvwmgb.exe	svchost.exe
PID 2940 wrote to memory of 4500	2940	todymdgvwmgb.exe	svchost.exe
PID 2940 wrote to memory of 4500	2940	todymdgvwmgb.exe	svchost.exe
PID 2940 wrote to memory of 4500	2940	todymdgvwmgb.exe	svchost.exe
PID 2940 wrote to memory of 4500	2940	todymdgvwmgb.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
"C:\Users\Admin\AppData\Local\Temp\33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:360

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3248

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3076

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "PHSWJLZY"
2⤵
- Launches sc.exe
PID:3740

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "PHSWJLZY" binpath= "C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe" start= "auto"
2⤵
- Launches sc.exe
PID:940

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
2⤵
- Launches sc.exe
PID:4416

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "PHSWJLZY"
2⤵
- Launches sc.exe
PID:4360

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2464

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
"C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2492

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3600

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3092

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\system32\svchost.exe
svchost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4500

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
303KB

MD5
cf4ebff47e0a1b283955c3704d961df5

SHA1
d5a7ac56ad7ec95c121eb396a5097246dca1aa42

SHA256
a3fd8f42aeeb55a52e4fad319a5cef402c386a8504344d45f4fc8907ebddb4d6

SHA512
dbb3888d7daba969ef55f08dc16179033ae5ef18d89711f43867868a25b6bf7e0f8f53a2cb7f4e4d0feee57f4186bdddfa3471188dd23d2ce4ffaeb6f3cdc6cd

Download Submit
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
192KB

MD5
2cf68d84c8550b64702bcc2f36e992ee

SHA1
8c7dbaa39764145f46c427a4bf6dbfcf5f945dcb

SHA256
272cce2c399ace924f61d5cb4b8960de9b3a8e13f8896173b158127cd4d866a1

SHA512
5e853665dcda0250e22cd657296a8a80dc8fe4c8a710a5903f89cf5e923fc819720eed6badeef3124a8ea917a0c288e09b74eb4e925a517fcbff3cea7bb8afc6

Download Submit
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
3.8MB

MD5
be0f8301dd8ef931e0326fdef2e8a8e4

SHA1
1b285789f26538e1644825120ad78b77854e28f3

SHA256
7bbd8e0fb3cda59669faefc6cb3f315256ec2d7bd97837d3c723dcbc9120013b

SHA512
0991371c84ab5b0ce91a88c47f066b836e8d0505f0de33194fe3237444ad0a4076ed84cc34b354accbe4354bd90c3c931512d458eaa9008f2a5bc3b274461d8d

Download Submit
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
4.9MB

MD5
a50e350fc84f534ac4175873fd4ca11b

SHA1
a678ddc42785e7723a2e5d53e917084dfa2f4218

SHA256
369bed6f50d4c37b984dcdb3fcae8a37ce7196c649f038bd4a5fbc3d4cba8a7b

SHA512
c1d8e73deb5665c76803efc35bc1f031f9ca04395b37c2db59c8905c9f517fbae6b77d68f4b1b8c7b63fa475c581614aabd08f79c4ad05cae8c289696813080c

Download Submit
C:\Windows\TEMP\ilfutfbguvtk.sys
Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
memory/360-0-0x00007FFB681E0000-0x00007FFB681E2000-memory.dmp

Filesize
8KB

Download
memory/360-3-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/360-5-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2464-14-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2464-15-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2464-16-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2464-19-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2464-13-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2464-12-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2492-49-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2492-43-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2940-10-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2940-30-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/4500-26-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4500-39-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4500-28-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4500-25-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4500-31-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4500-32-0x00000144D15A0000-0x00000144D15C0000-memory.dmp

Filesize
128KB

Download
memory/4500-24-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4500-23-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4500-36-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4500-37-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4500-38-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4500-27-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4500-40-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4500-22-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4500-21-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4500-20-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4500-50-0x00000144D15F0000-0x00000144D1630000-memory.dmp

Filesize
256KB

Download
memory/4500-51-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4500-52-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4500-53-0x00000144D1660000-0x00000144D1680000-memory.dmp

Filesize
128KB

Download
memory/4500-54-0x00000144D1660000-0x00000144D1680000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads