xmrig | 33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c

General

Target

33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
Size

10.4MB
MD5

dff762abefd2ac634f87aacd920c8bdc
SHA1

b8ea30c9d631fbb4a1f57c2873ca8aeb64c93643
SHA256

33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c
SHA512

54db97efb4ffcec9bc4122a6e41029c3cd457b631ede685eb883d5884f5a7b90c465dc8ec2212e712af935481073a2b4eb5180431926f03febccb055d9585341
SSDEEP

196608:D2neZjvDa5N5o9LrIbQTsbHu7THe8FhG8ryPzB3SFyFYha:D3/AU9LrIdb+THVFg8uhSYFYha

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3232-21-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3232-22-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3232-23-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3232-24-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3232-25-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3232-26-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3232-27-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3232-28-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3232-30-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3232-33-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3232-34-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3232-35-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3232-36-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3232-37-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3232-41-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/3232-42-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 1 IoCs

Processes:

todymdgvwmgb.exe

pid process

4208 todymdgvwmgb.exe

pid	process
4208	todymdgvwmgb.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

todymdgvwmgb.exe

description	pid	process	target process
PID 4208 set thread context of 3824	4208	todymdgvwmgb.exe	conhost.exe
PID 4208 set thread context of 3232	4208	todymdgvwmgb.exe	svchost.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

524 sc.exe
3816 sc.exe
4180 sc.exe
2336 sc.exe

pid	process
524	sc.exe
3816	sc.exe
4180	sc.exe
2336	sc.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exetodymdgvwmgb.exe

pid	process
4808	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
4808	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
4808	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
4808	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
4808	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
4808	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
4808	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
4808	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
4808	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
4808	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
4208	todymdgvwmgb.exe
4208	todymdgvwmgb.exe
4208	todymdgvwmgb.exe
4208	todymdgvwmgb.exe
4208	todymdgvwmgb.exe
4208	todymdgvwmgb.exe
4208	todymdgvwmgb.exe
4208	todymdgvwmgb.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exe

description	pid	process
Token: SeShutdownPrivilege	220	powercfg.exe
Token: SeCreatePagefilePrivilege	220	powercfg.exe
Token: SeShutdownPrivilege	5100	powercfg.exe
Token: SeCreatePagefilePrivilege	5100	powercfg.exe
Token: SeShutdownPrivilege	3888	powercfg.exe
Token: SeCreatePagefilePrivilege	3888	powercfg.exe
Token: SeShutdownPrivilege	3112	powercfg.exe
Token: SeCreatePagefilePrivilege	3112	powercfg.exe
Token: SeShutdownPrivilege	1516	powercfg.exe
Token: SeCreatePagefilePrivilege	1516	powercfg.exe
Token: SeShutdownPrivilege	2872	powercfg.exe
Token: SeCreatePagefilePrivilege	2872	powercfg.exe
Token: SeShutdownPrivilege	1472	powercfg.exe
Token: SeCreatePagefilePrivilege	1472	powercfg.exe
Token: SeShutdownPrivilege	1700	powercfg.exe
Token: SeCreatePagefilePrivilege	1700	powercfg.exe
Token: SeLockMemoryPrivilege	3232	svchost.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

todymdgvwmgb.exe

description	pid	process	target process
PID 4208 wrote to memory of 3824	4208	todymdgvwmgb.exe	conhost.exe
PID 4208 wrote to memory of 3824	4208	todymdgvwmgb.exe	conhost.exe
PID 4208 wrote to memory of 3824	4208	todymdgvwmgb.exe	conhost.exe
PID 4208 wrote to memory of 3824	4208	todymdgvwmgb.exe	conhost.exe
PID 4208 wrote to memory of 3824	4208	todymdgvwmgb.exe	conhost.exe
PID 4208 wrote to memory of 3824	4208	todymdgvwmgb.exe	conhost.exe
PID 4208 wrote to memory of 3824	4208	todymdgvwmgb.exe	conhost.exe
PID 4208 wrote to memory of 3824	4208	todymdgvwmgb.exe	conhost.exe
PID 4208 wrote to memory of 3824	4208	todymdgvwmgb.exe	conhost.exe
PID 4208 wrote to memory of 3232	4208	todymdgvwmgb.exe	svchost.exe
PID 4208 wrote to memory of 3232	4208	todymdgvwmgb.exe	svchost.exe
PID 4208 wrote to memory of 3232	4208	todymdgvwmgb.exe	svchost.exe
PID 4208 wrote to memory of 3232	4208	todymdgvwmgb.exe	svchost.exe
PID 4208 wrote to memory of 3232	4208	todymdgvwmgb.exe	svchost.exe
PID 4208 wrote to memory of 3232	4208	todymdgvwmgb.exe	svchost.exe
PID 4208 wrote to memory of 3232	4208	todymdgvwmgb.exe	svchost.exe
PID 4208 wrote to memory of 3232	4208	todymdgvwmgb.exe	svchost.exe
PID 4208 wrote to memory of 3232	4208	todymdgvwmgb.exe	svchost.exe
PID 4208 wrote to memory of 3232	4208	todymdgvwmgb.exe	svchost.exe
PID 4208 wrote to memory of 3232	4208	todymdgvwmgb.exe	svchost.exe
PID 4208 wrote to memory of 3232	4208	todymdgvwmgb.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
"C:\Users\Admin\AppData\Local\Temp\33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4808
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3888
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5100
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:220
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3112
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "PHSWJLZY"
  2⤵
  - Launches sc.exe
  PID:2336
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "PHSWJLZY" binpath= "C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:524
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:3816
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "PHSWJLZY"
  2⤵
  - Launches sc.exe
  PID:4180

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1472
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1700
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:3824
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe

Filesize
4.1MB

MD5
9d58ff94eb435bfd6b9f60e017e80330

SHA1
a0a4bacc9348b0dabcd104734249ddfcc5425eb8

SHA256
397b806691c0e2e80d3921b3fcd7a07115547c81909ad3960b3977583669bfbf

SHA512
5b54776229e4ad03e163d2c1d3cf9d7935555a6f064d5dc0be65ba2687ecc249f9139d9119fe38a881498cc5e0a3a36f06b5a8213091fc759edb66154013006d

Download Submit
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe

Filesize
5.8MB

MD5
846aca05beba71dc48102e25ef247669

SHA1
2737f30aafd2925a76c7afbf3d19a7d3cf9d9bb2

SHA256
21d1922a4d11c8fa33e733e8e72a347db0be19fba35e5822e1973bde33ba8b84

SHA512
48d869f05237eb2ed44202602baf521f201e611c84c8b38bed867a7fcfb3924922d015ab7012abc8cd640531e38ec91a04ab97ffe63bfce8abc2c9d21dbb29d5

Download Submit
memory/3232-34-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3232-36-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3232-44-0x000001986E880000-0x000001986E8A0000-memory.dmp

Filesize
128KB

Download
memory/3232-43-0x000001986E880000-0x000001986E8A0000-memory.dmp

Filesize
128KB

Download
memory/3232-24-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3232-42-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3232-41-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3232-25-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3232-40-0x000001986E860000-0x000001986E880000-memory.dmp

Filesize
128KB

Download
memory/3232-26-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3232-37-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3232-30-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3232-20-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3232-21-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3232-22-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3232-23-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3232-35-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3232-33-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3232-31-0x000001986E1B0000-0x000001986E1D0000-memory.dmp

Filesize
128KB

Download
memory/3232-27-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3232-28-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/3824-12-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3824-15-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3824-19-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3824-16-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3824-14-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3824-13-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4208-32-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/4208-9-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/4208-10-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/4808-5-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/4808-0-0x00007FFCA3780000-0x00007FFCA3782000-memory.dmp

Filesize
8KB

Download
memory/4808-2-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/4808-1-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads