xmrig | 33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c

General

Target

tmp.exe
Size

10.4MB
MD5

dff762abefd2ac634f87aacd920c8bdc
SHA1

b8ea30c9d631fbb4a1f57c2873ca8aeb64c93643
SHA256

33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c
SHA512

54db97efb4ffcec9bc4122a6e41029c3cd457b631ede685eb883d5884f5a7b90c465dc8ec2212e712af935481073a2b4eb5180431926f03febccb055d9585341
SSDEEP

196608:D2neZjvDa5N5o9LrIbQTsbHu7THe8FhG8ryPzB3SFyFYha:D3/AU9LrIdb+THVFg8uhSYFYha

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2044-35-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2044-36-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2044-37-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2044-38-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2044-39-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2044-40-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2044-41-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2044-42-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2044-45-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2044-49-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2044-50-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2044-51-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2044-52-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2044-53-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2044-67-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2044-68-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 3 IoCs

Processes:

todymdgvwmgb.exetodymdgvwmgb.exe

pid process

468
2468 todymdgvwmgb.exe
1932 todymdgvwmgb.exe
Loads dropped DLL 1 IoCs

Processes:

pid process

468

pid	process
468
2468	todymdgvwmgb.exe
1932	todymdgvwmgb.exe

pid	process
468

Suspicious use of SetThreadContext 2 IoCs

Processes:

todymdgvwmgb.exe

description	pid	process	target process
PID 2468 set thread context of 560	2468	todymdgvwmgb.exe	conhost.exe
PID 2468 set thread context of 2044	2468	todymdgvwmgb.exe	svchost.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2596 sc.exe
2540 sc.exe
2696 sc.exe
2804 sc.exe

pid	process
2596	sc.exe
2540	sc.exe
2696	sc.exe
2804	sc.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

tmp.exetodymdgvwmgb.execonhost.exetodymdgvwmgb.exe

pid	process
2132	tmp.exe
2132	tmp.exe
2132	tmp.exe
2132	tmp.exe
2132	tmp.exe
2132	tmp.exe
2132	tmp.exe
2132	tmp.exe
2132	tmp.exe
2468	todymdgvwmgb.exe
2468	todymdgvwmgb.exe
2468	todymdgvwmgb.exe
2468	todymdgvwmgb.exe
2468	todymdgvwmgb.exe
2468	todymdgvwmgb.exe
2468	todymdgvwmgb.exe
560	conhost.exe
1932	todymdgvwmgb.exe
1932	todymdgvwmgb.exe
1932	todymdgvwmgb.exe
1932	todymdgvwmgb.exe
1932	todymdgvwmgb.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468

pid	process
468

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeShutdownPrivilege	2284	powercfg.exe
Token: SeShutdownPrivilege	2584	powercfg.exe
Token: SeShutdownPrivilege	2624	powercfg.exe
Token: SeShutdownPrivilege	2840	powercfg.exe
Token: SeShutdownPrivilege	2744	powercfg.exe
Token: SeShutdownPrivilege	2512	powercfg.exe
Token: SeShutdownPrivilege	2768	powercfg.exe
Token: SeShutdownPrivilege	1308	powercfg.exe
Token: SeLockMemoryPrivilege	2044	svchost.exe
Token: SeShutdownPrivilege	1904	powercfg.exe
Token: SeShutdownPrivilege	1992	powercfg.exe
Token: SeShutdownPrivilege	2304	powercfg.exe
Token: SeShutdownPrivilege	1984	powercfg.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

todymdgvwmgb.exe

description	pid	process	target process
PID 2468 wrote to memory of 560	2468	todymdgvwmgb.exe	conhost.exe
PID 2468 wrote to memory of 560	2468	todymdgvwmgb.exe	conhost.exe
PID 2468 wrote to memory of 560	2468	todymdgvwmgb.exe	conhost.exe
PID 2468 wrote to memory of 560	2468	todymdgvwmgb.exe	conhost.exe
PID 2468 wrote to memory of 560	2468	todymdgvwmgb.exe	conhost.exe
PID 2468 wrote to memory of 560	2468	todymdgvwmgb.exe	conhost.exe
PID 2468 wrote to memory of 560	2468	todymdgvwmgb.exe	conhost.exe
PID 2468 wrote to memory of 560	2468	todymdgvwmgb.exe	conhost.exe
PID 2468 wrote to memory of 560	2468	todymdgvwmgb.exe	conhost.exe
PID 2468 wrote to memory of 2044	2468	todymdgvwmgb.exe	svchost.exe
PID 2468 wrote to memory of 2044	2468	todymdgvwmgb.exe	svchost.exe
PID 2468 wrote to memory of 2044	2468	todymdgvwmgb.exe	svchost.exe
PID 2468 wrote to memory of 2044	2468	todymdgvwmgb.exe	svchost.exe
PID 2468 wrote to memory of 2044	2468	todymdgvwmgb.exe	svchost.exe
PID 2468 wrote to memory of 2044	2468	todymdgvwmgb.exe	svchost.exe
PID 2468 wrote to memory of 2044	2468	todymdgvwmgb.exe	svchost.exe
PID 2468 wrote to memory of 2044	2468	todymdgvwmgb.exe	svchost.exe
PID 2468 wrote to memory of 2044	2468	todymdgvwmgb.exe	svchost.exe
PID 2468 wrote to memory of 2044	2468	todymdgvwmgb.exe	svchost.exe
PID 2468 wrote to memory of 2044	2468	todymdgvwmgb.exe	svchost.exe
PID 2468 wrote to memory of 2044	2468	todymdgvwmgb.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2132

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "PHSWJLZY"
2⤵
- Launches sc.exe
PID:2696

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "PHSWJLZY" binpath= "C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe" start= "auto"
2⤵
- Launches sc.exe
PID:2804

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
2⤵
- Launches sc.exe
PID:2596

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "PHSWJLZY"
2⤵
- Launches sc.exe
PID:2540

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2468

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:560

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
"C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1932

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\system32\svchost.exe
svchost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
2.0MB

MD5
1ae428bee44939bbd1807ceefd1ec93b

SHA1
c6504fee64d35a5a84c2ceae6da3e40a8c551f5e

SHA256
0fa3e8f5380942f90baed165fccd8149bba2101738e25e11a1d12bdb62611ddb

SHA512
c12e2f3d9902b1e25b5e01d94009eb75a7dfec688ea0c710e541ba35559e7672e1f917293b1df21262b1c2bae3a1cb382e640a29b78d492a713e1fb91058c6d4

Download Submit
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
4.4MB

MD5
1a4ae323b8aecb2bc56d63959b531e95

SHA1
4764b18ccc003aba962b31a6090d8182bc3809b7

SHA256
f6af191ceada7fd706b495c7fb3aed01d8fc14180a34e46aee6f8371cb3f67bf

SHA512
42ed4b8f8c7351aaf8cf15ab427bccada101f5713e463136fe12af6bf8682996d01eb1d915d3ce31d3c427f3bf00d1c95da09a5cefade970ff9d89c828a70e97

Download Submit
C:\Windows\TEMP\ilfutfbguvtk.sys
Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
5.2MB

MD5
716b8af982a9afe2a4c703926947f9fa

SHA1
baff503c4409fbdf2c00d7b8f815427a48b1c315

SHA256
4e9748ee1c9381c262dfe58ce3618e8aa1d28e1761b987208cde79050683e0ad

SHA512
6854183ce7da6410eccb0b8185887f7041a6b5ac6f2277e1c426e0bdde0810608fe5870dd866b38551fa839a8b885aa472924f234a9086bb5ca8cbd9efff206c

Download Submit
\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
3.3MB

MD5
e1a40c90bb56cbe64e0f4e281e003849

SHA1
6f7270a6093fd74a248a66f0b95002cf780ca1b6

SHA256
5afe08f260151c0c5e09435645dc8e4a4d36a8b0354024243dbc995cf1881285

SHA512
246bfc25e9b89a7ca95f58aa082abeb99599218a6eb01e28a6ec6f304ec708d23060a0b3fa1f132329b6c26aa0aad0f64a3f5e5dfd75fa02873a98dfbd01d06e

Download Submit
memory/560-27-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/560-32-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/560-30-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/560-26-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/560-29-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/560-28-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1932-58-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/1932-62-0x00000000776C0000-0x0000000077869000-memory.dmp

Filesize
1.7MB

Download
memory/1932-66-0x00000000776C0000-0x0000000077869000-memory.dmp

Filesize
1.7MB

Download
memory/1932-56-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/1932-69-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2044-52-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2044-47-0x0000000000230000-0x0000000000250000-memory.dmp

Filesize
128KB

Download
memory/2044-71-0x0000000000C20000-0x0000000000C40000-memory.dmp

Filesize
128KB

Download
memory/2044-34-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2044-35-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2044-36-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2044-37-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2044-38-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2044-39-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2044-40-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2044-41-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2044-42-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2044-70-0x0000000000C20000-0x0000000000C40000-memory.dmp

Filesize
128KB

Download
memory/2044-68-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2044-45-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2044-67-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2044-53-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2044-49-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2044-50-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2044-51-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2132-0-0x0000000077870000-0x0000000077872000-memory.dmp

Filesize
8KB

Download
memory/2132-15-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2132-10-0x00000000776C0000-0x0000000077869000-memory.dmp

Filesize
1.7MB

Download
memory/2132-8-0x00000000776C0000-0x0000000077869000-memory.dmp

Filesize
1.7MB

Download
memory/2132-4-0x0000000077870000-0x0000000077872000-memory.dmp

Filesize
8KB

Download
memory/2132-5-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2132-2-0x0000000077870000-0x0000000077872000-memory.dmp

Filesize
8KB

Download
memory/2468-48-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2468-24-0x00000000776C0000-0x0000000077869000-memory.dmp

Filesize
1.7MB

Download
memory/2468-46-0x00000000776C0000-0x0000000077869000-memory.dmp

Filesize
1.7MB

Download
memory/2468-19-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2468-23-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads