xmrig | 33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c

General

Target

tmp.exe
Size

10.4MB
MD5

dff762abefd2ac634f87aacd920c8bdc
SHA1

b8ea30c9d631fbb4a1f57c2873ca8aeb64c93643
SHA256

33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c
SHA512

54db97efb4ffcec9bc4122a6e41029c3cd457b631ede685eb883d5884f5a7b90c465dc8ec2212e712af935481073a2b4eb5180431926f03febccb055d9585341
SSDEEP

196608:D2neZjvDa5N5o9LrIbQTsbHu7THe8FhG8ryPzB3SFyFYha:D3/AU9LrIdb+THVFg8uhSYFYha

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1740-35-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1740-36-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1740-37-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1740-38-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1740-39-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1740-40-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1740-41-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1740-42-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1740-44-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1740-48-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1740-49-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1740-51-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1740-50-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1740-52-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1740-53-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1740-54-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 2 IoCs

Processes:

todymdgvwmgb.exe

pid process

480
804 todymdgvwmgb.exe
Loads dropped DLL 1 IoCs

Processes:

pid process

480

pid	process
480
804	todymdgvwmgb.exe

pid	process
480

Suspicious use of SetThreadContext 2 IoCs

Processes:

todymdgvwmgb.exe

description	pid	process	target process
PID 804 set thread context of 2492	804	todymdgvwmgb.exe	conhost.exe
PID 804 set thread context of 1740	804	todymdgvwmgb.exe	svchost.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2720 sc.exe
2572 sc.exe
2088 sc.exe
2632 sc.exe

pid	process
2720	sc.exe
2572	sc.exe
2088	sc.exe
2632	sc.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

tmp.exetodymdgvwmgb.exe

pid	process
1964	tmp.exe
1964	tmp.exe
1964	tmp.exe
1964	tmp.exe
1964	tmp.exe
1964	tmp.exe
1964	tmp.exe
1964	tmp.exe
1964	tmp.exe
804	todymdgvwmgb.exe
804	todymdgvwmgb.exe
804	todymdgvwmgb.exe
804	todymdgvwmgb.exe
804	todymdgvwmgb.exe
804	todymdgvwmgb.exe
804	todymdgvwmgb.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exe

description	pid	process
Token: SeShutdownPrivilege	1344	powercfg.exe
Token: SeShutdownPrivilege	2836	powercfg.exe
Token: SeShutdownPrivilege	2984	powercfg.exe
Token: SeShutdownPrivilege	2540	powercfg.exe
Token: SeShutdownPrivilege	2512	powercfg.exe
Token: SeShutdownPrivilege	2444	powercfg.exe
Token: SeShutdownPrivilege	2464	powercfg.exe
Token: SeShutdownPrivilege	2480	powercfg.exe
Token: SeLockMemoryPrivilege	1740	svchost.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

todymdgvwmgb.exe

description	pid	process	target process
PID 804 wrote to memory of 2492	804	todymdgvwmgb.exe	conhost.exe
PID 804 wrote to memory of 2492	804	todymdgvwmgb.exe	conhost.exe
PID 804 wrote to memory of 2492	804	todymdgvwmgb.exe	conhost.exe
PID 804 wrote to memory of 2492	804	todymdgvwmgb.exe	conhost.exe
PID 804 wrote to memory of 2492	804	todymdgvwmgb.exe	conhost.exe
PID 804 wrote to memory of 2492	804	todymdgvwmgb.exe	conhost.exe
PID 804 wrote to memory of 2492	804	todymdgvwmgb.exe	conhost.exe
PID 804 wrote to memory of 2492	804	todymdgvwmgb.exe	conhost.exe
PID 804 wrote to memory of 2492	804	todymdgvwmgb.exe	conhost.exe
PID 804 wrote to memory of 1740	804	todymdgvwmgb.exe	svchost.exe
PID 804 wrote to memory of 1740	804	todymdgvwmgb.exe	svchost.exe
PID 804 wrote to memory of 1740	804	todymdgvwmgb.exe	svchost.exe
PID 804 wrote to memory of 1740	804	todymdgvwmgb.exe	svchost.exe
PID 804 wrote to memory of 1740	804	todymdgvwmgb.exe	svchost.exe
PID 804 wrote to memory of 1740	804	todymdgvwmgb.exe	svchost.exe
PID 804 wrote to memory of 1740	804	todymdgvwmgb.exe	svchost.exe
PID 804 wrote to memory of 1740	804	todymdgvwmgb.exe	svchost.exe
PID 804 wrote to memory of 1740	804	todymdgvwmgb.exe	svchost.exe
PID 804 wrote to memory of 1740	804	todymdgvwmgb.exe	svchost.exe
PID 804 wrote to memory of 1740	804	todymdgvwmgb.exe	svchost.exe
PID 804 wrote to memory of 1740	804	todymdgvwmgb.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1964

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2836

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1344

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "PHSWJLZY"
2⤵
- Launches sc.exe
PID:2720

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "PHSWJLZY" binpath= "C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe" start= "auto"
2⤵
- Launches sc.exe
PID:2572

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
2⤵
- Launches sc.exe
PID:2632

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "PHSWJLZY"
2⤵
- Launches sc.exe
PID:2088

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:2492

C:\Windows\system32\svchost.exe
svchost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1740

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
3.6MB

MD5
1e64937c425097f7e47e327e7f713c3b

SHA1
fb3bb6564321ef74688d71be1037b45d45f75851

SHA256
8835ceecae6f9204c6c3f09681a3dd3233c3e27e60c0bd73d73d6649f27837da

SHA512
acf38a9aefcffff014d983426e074197fc11366c86f6f8ffbdc1995ade1fd90ed390caf3998454b7d0d0faf4f98d87559637e9d3a0a86e032b77e32089e4c98b

Download Submit
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
4.6MB

MD5
41bd52f4e19efbf42c3f95c6389bb0b4

SHA1
3b6ec9d85dce2b25672dffa983b3de305ef95228

SHA256
5c5aa25d11baf57b575a54af880a449a7f1a3ed233a52c5482cf327e1b258e17

SHA512
283eb29dc8b484b6bf8d2d9a0ea97b808bbfe41aefdba8740a2fe3987e552dd393db34756b78084b6884ba2c3791dff3e232d4a5be3980b220569890c160ae93

Download Submit
\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
4.1MB

MD5
9dfd3f8fd994d860c48749a653f24696

SHA1
ee9cfedb9320ba78f7fc631597ea1496e840c980

SHA256
3d67cda6234ec5476c026d68ca24724cf7756ad542865e30c999dc38444220b0

SHA512
a64aa91f4583bc69aa95d81dcbcd60a9819e34582f4b511320ccc1eab5ba91fd4559a692f8fd60c8e0a5bf3c0e1fb35c252b2801ca8a6de22e4112ad90c88d8f

Download Submit
\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
3.1MB

MD5
5d1e7be9f08b9817f50bc34f6009ebfd

SHA1
9647ba832fdcaeffe2d347cb3eb8c595a2836ddf

SHA256
46e2e99cc90f9e97ca32f59bf5c1ca523d11e85f1f866e8bb8d1751bdc42c357

SHA512
e41366f6e002a855c8ae83606baa9389cb040de93325a400294e484594f600c7c8463f3246c6ad24ee0c75ece1e7647ab5fa3665be966bd7febf9236febd014d

Download Submit
memory/804-47-0x0000000077A20000-0x0000000077BC9000-memory.dmp

Filesize
1.7MB

Download
memory/804-46-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/804-24-0x0000000077A20000-0x0000000077BC9000-memory.dmp

Filesize
1.7MB

Download
memory/804-19-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/1740-45-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/1740-49-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1740-56-0x00000000003C0000-0x00000000003E0000-memory.dmp

Filesize
128KB

Download
memory/1740-55-0x00000000003C0000-0x00000000003E0000-memory.dmp

Filesize
128KB

Download
memory/1740-54-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1740-53-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1740-52-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1740-50-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1740-51-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1740-48-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1740-44-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1740-34-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1740-35-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1740-36-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1740-37-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1740-38-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1740-39-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1740-40-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1740-41-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1740-42-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1964-6-0x0000000077BD0000-0x0000000077BD2000-memory.dmp

Filesize
8KB

Download
memory/1964-2-0x0000000077BD0000-0x0000000077BD2000-memory.dmp

Filesize
8KB

Download
memory/1964-0-0x0000000077BD0000-0x0000000077BD2000-memory.dmp

Filesize
8KB

Download
memory/1964-3-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/1964-16-0x0000000077A20000-0x0000000077BC9000-memory.dmp

Filesize
1.7MB

Download
memory/1964-15-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/1964-8-0x0000000077A20000-0x0000000077BC9000-memory.dmp

Filesize
1.7MB

Download
memory/2492-30-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2492-27-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2492-28-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2492-29-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2492-26-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2492-32-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads