xmrig | 33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c

General

Target

tmp.exe
Size

10.4MB
MD5

dff762abefd2ac634f87aacd920c8bdc
SHA1

b8ea30c9d631fbb4a1f57c2873ca8aeb64c93643
SHA256

33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c
SHA512

54db97efb4ffcec9bc4122a6e41029c3cd457b631ede685eb883d5884f5a7b90c465dc8ec2212e712af935481073a2b4eb5180431926f03febccb055d9585341
SSDEEP

196608:D2neZjvDa5N5o9LrIbQTsbHu7THe8FhG8ryPzB3SFyFYha:D3/AU9LrIdb+THVFg8uhSYFYha

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2284-21-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2284-22-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2284-23-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2284-24-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2284-25-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2284-26-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2284-27-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2284-28-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2284-30-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2284-33-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2284-34-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2284-35-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2284-36-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2284-37-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2284-39-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/2284-40-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 1 IoCs

Processes:

todymdgvwmgb.exe

pid process

400 todymdgvwmgb.exe

pid	process
400	todymdgvwmgb.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

todymdgvwmgb.exe

description	pid	process	target process
PID 400 set thread context of 4840	400	todymdgvwmgb.exe	conhost.exe
PID 400 set thread context of 2284	400	todymdgvwmgb.exe	svchost.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

1988 sc.exe
3316 sc.exe
3488 sc.exe
4072 sc.exe

pid	process
1988	sc.exe
3316	sc.exe
3488	sc.exe
4072	sc.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

tmp.exetodymdgvwmgb.exe

pid	process
2312	tmp.exe
2312	tmp.exe
2312	tmp.exe
2312	tmp.exe
2312	tmp.exe
2312	tmp.exe
2312	tmp.exe
2312	tmp.exe
2312	tmp.exe
2312	tmp.exe
400	todymdgvwmgb.exe
400	todymdgvwmgb.exe
400	todymdgvwmgb.exe
400	todymdgvwmgb.exe
400	todymdgvwmgb.exe
400	todymdgvwmgb.exe
400	todymdgvwmgb.exe
400	todymdgvwmgb.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

672

pid	process
672

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exe

description	pid	process
Token: SeShutdownPrivilege	1960	powercfg.exe
Token: SeCreatePagefilePrivilege	1960	powercfg.exe
Token: SeShutdownPrivilege	4252	powercfg.exe
Token: SeCreatePagefilePrivilege	4252	powercfg.exe
Token: SeShutdownPrivilege	3916	powercfg.exe
Token: SeCreatePagefilePrivilege	3916	powercfg.exe
Token: SeShutdownPrivilege	1140	powercfg.exe
Token: SeCreatePagefilePrivilege	1140	powercfg.exe
Token: SeShutdownPrivilege	1508	powercfg.exe
Token: SeCreatePagefilePrivilege	1508	powercfg.exe
Token: SeShutdownPrivilege	2332	powercfg.exe
Token: SeCreatePagefilePrivilege	2332	powercfg.exe
Token: SeShutdownPrivilege	2592	powercfg.exe
Token: SeCreatePagefilePrivilege	2592	powercfg.exe
Token: SeShutdownPrivilege	3676	powercfg.exe
Token: SeCreatePagefilePrivilege	3676	powercfg.exe
Token: SeLockMemoryPrivilege	2284	svchost.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

todymdgvwmgb.exe

description	pid	process	target process
PID 400 wrote to memory of 4840	400	todymdgvwmgb.exe	conhost.exe
PID 400 wrote to memory of 4840	400	todymdgvwmgb.exe	conhost.exe
PID 400 wrote to memory of 4840	400	todymdgvwmgb.exe	conhost.exe
PID 400 wrote to memory of 4840	400	todymdgvwmgb.exe	conhost.exe
PID 400 wrote to memory of 4840	400	todymdgvwmgb.exe	conhost.exe
PID 400 wrote to memory of 4840	400	todymdgvwmgb.exe	conhost.exe
PID 400 wrote to memory of 4840	400	todymdgvwmgb.exe	conhost.exe
PID 400 wrote to memory of 4840	400	todymdgvwmgb.exe	conhost.exe
PID 400 wrote to memory of 4840	400	todymdgvwmgb.exe	conhost.exe
PID 400 wrote to memory of 2284	400	todymdgvwmgb.exe	svchost.exe
PID 400 wrote to memory of 2284	400	todymdgvwmgb.exe	svchost.exe
PID 400 wrote to memory of 2284	400	todymdgvwmgb.exe	svchost.exe
PID 400 wrote to memory of 2284	400	todymdgvwmgb.exe	svchost.exe
PID 400 wrote to memory of 2284	400	todymdgvwmgb.exe	svchost.exe
PID 400 wrote to memory of 2284	400	todymdgvwmgb.exe	svchost.exe
PID 400 wrote to memory of 2284	400	todymdgvwmgb.exe	svchost.exe
PID 400 wrote to memory of 2284	400	todymdgvwmgb.exe	svchost.exe
PID 400 wrote to memory of 2284	400	todymdgvwmgb.exe	svchost.exe
PID 400 wrote to memory of 2284	400	todymdgvwmgb.exe	svchost.exe
PID 400 wrote to memory of 2284	400	todymdgvwmgb.exe	svchost.exe
PID 400 wrote to memory of 2284	400	todymdgvwmgb.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2312

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4252

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "PHSWJLZY"
2⤵
- Launches sc.exe
PID:1988

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "PHSWJLZY" binpath= "C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe" start= "auto"
2⤵
- Launches sc.exe
PID:3316

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
2⤵
- Launches sc.exe
PID:3488

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "PHSWJLZY"
2⤵
- Launches sc.exe
PID:4072

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3676

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:4840

C:\Windows\system32\svchost.exe
svchost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2284

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
4.9MB

MD5
a50e350fc84f534ac4175873fd4ca11b

SHA1
a678ddc42785e7723a2e5d53e917084dfa2f4218

SHA256
369bed6f50d4c37b984dcdb3fcae8a37ce7196c649f038bd4a5fbc3d4cba8a7b

SHA512
c1d8e73deb5665c76803efc35bc1f031f9ca04395b37c2db59c8905c9f517fbae6b77d68f4b1b8c7b63fa475c581614aabd08f79c4ad05cae8c289696813080c

Download Submit
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
2.9MB

MD5
915ef63254518769ccb67b7263364bd6

SHA1
0ccf97f08caa0b6bef22165f687c34d8c0527f98

SHA256
10a8c1a6f80be08302d2b4327905144ff642175bce0915e82163c2836ff38ead

SHA512
bf0a6e9f9f39b49d15e7436a33c9901755f8e7b0fc25432f943aa2c12ef7c143e1164bd2b0797554fa123b2aaf8ed3038405c9e6e44126ab0cd319e63d65698b

Download Submit
memory/400-31-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/400-10-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/400-9-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2284-34-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2284-26-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2284-42-0x0000022B90500000-0x0000022B90520000-memory.dmp

Filesize
128KB

Download
memory/2284-41-0x0000022B90500000-0x0000022B90520000-memory.dmp

Filesize
128KB

Download
memory/2284-40-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2284-39-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2284-38-0x0000022B904C0000-0x0000022B90500000-memory.dmp

Filesize
256KB

Download
memory/2284-37-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2284-20-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2284-36-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2284-21-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2284-22-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2284-23-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2284-24-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2284-25-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2284-35-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2284-27-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2284-28-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2284-30-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2284-33-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2284-32-0x0000022B90460000-0x0000022B90480000-memory.dmp

Filesize
128KB

Download
memory/2312-2-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2312-0-0x00007FF8210F0000-0x00007FF8210F2000-memory.dmp

Filesize
8KB

Download
memory/2312-7-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2312-1-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/4840-19-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4840-16-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4840-14-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4840-15-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4840-13-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4840-12-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads