xmrig | 33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c

General

Target

tmp.exe
Size

10.4MB
MD5

dff762abefd2ac634f87aacd920c8bdc
SHA1

b8ea30c9d631fbb4a1f57c2873ca8aeb64c93643
SHA256

33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c
SHA512

54db97efb4ffcec9bc4122a6e41029c3cd457b631ede685eb883d5884f5a7b90c465dc8ec2212e712af935481073a2b4eb5180431926f03febccb055d9585341
SSDEEP

196608:D2neZjvDa5N5o9LrIbQTsbHu7THe8FhG8ryPzB3SFyFYha:D3/AU9LrIdb+THVFg8uhSYFYha

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4684-21-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4684-22-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4684-23-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4684-24-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4684-25-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4684-26-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4684-27-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4684-28-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4684-30-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4684-33-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4684-34-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4684-35-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4684-36-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4684-37-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4684-39-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4684-40-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 1 IoCs

Processes:

todymdgvwmgb.exe

pid process

2428 todymdgvwmgb.exe

pid	process
2428	todymdgvwmgb.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

todymdgvwmgb.exe

description	pid	process	target process
PID 2428 set thread context of 4756	2428	todymdgvwmgb.exe	conhost.exe
PID 2428 set thread context of 4684	2428	todymdgvwmgb.exe	svchost.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

4872 sc.exe
2008 sc.exe
3492 sc.exe
4416 sc.exe

pid	process
4872	sc.exe
2008	sc.exe
3492	sc.exe
4416	sc.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

tmp.exetodymdgvwmgb.exe

pid	process
2280	tmp.exe
2280	tmp.exe
2280	tmp.exe
2280	tmp.exe
2280	tmp.exe
2280	tmp.exe
2280	tmp.exe
2280	tmp.exe
2280	tmp.exe
2280	tmp.exe
2428	todymdgvwmgb.exe
2428	todymdgvwmgb.exe
2428	todymdgvwmgb.exe
2428	todymdgvwmgb.exe
2428	todymdgvwmgb.exe
2428	todymdgvwmgb.exe
2428	todymdgvwmgb.exe
2428	todymdgvwmgb.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

668

pid	process
668

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exe

description	pid	process
Token: SeShutdownPrivilege	2036	powercfg.exe
Token: SeCreatePagefilePrivilege	2036	powercfg.exe
Token: SeShutdownPrivilege	3516	powercfg.exe
Token: SeCreatePagefilePrivilege	3516	powercfg.exe
Token: SeShutdownPrivilege	2480	powercfg.exe
Token: SeCreatePagefilePrivilege	2480	powercfg.exe
Token: SeShutdownPrivilege	1740	powercfg.exe
Token: SeCreatePagefilePrivilege	1740	powercfg.exe
Token: SeShutdownPrivilege	3916	powercfg.exe
Token: SeCreatePagefilePrivilege	3916	powercfg.exe
Token: SeShutdownPrivilege	232	powercfg.exe
Token: SeCreatePagefilePrivilege	232	powercfg.exe
Token: SeShutdownPrivilege	2320	powercfg.exe
Token: SeCreatePagefilePrivilege	2320	powercfg.exe
Token: SeShutdownPrivilege	2344	powercfg.exe
Token: SeCreatePagefilePrivilege	2344	powercfg.exe
Token: SeLockMemoryPrivilege	4684	svchost.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

todymdgvwmgb.exe

description	pid	process	target process
PID 2428 wrote to memory of 4756	2428	todymdgvwmgb.exe	conhost.exe
PID 2428 wrote to memory of 4756	2428	todymdgvwmgb.exe	conhost.exe
PID 2428 wrote to memory of 4756	2428	todymdgvwmgb.exe	conhost.exe
PID 2428 wrote to memory of 4756	2428	todymdgvwmgb.exe	conhost.exe
PID 2428 wrote to memory of 4756	2428	todymdgvwmgb.exe	conhost.exe
PID 2428 wrote to memory of 4756	2428	todymdgvwmgb.exe	conhost.exe
PID 2428 wrote to memory of 4756	2428	todymdgvwmgb.exe	conhost.exe
PID 2428 wrote to memory of 4756	2428	todymdgvwmgb.exe	conhost.exe
PID 2428 wrote to memory of 4756	2428	todymdgvwmgb.exe	conhost.exe
PID 2428 wrote to memory of 4684	2428	todymdgvwmgb.exe	svchost.exe
PID 2428 wrote to memory of 4684	2428	todymdgvwmgb.exe	svchost.exe
PID 2428 wrote to memory of 4684	2428	todymdgvwmgb.exe	svchost.exe
PID 2428 wrote to memory of 4684	2428	todymdgvwmgb.exe	svchost.exe
PID 2428 wrote to memory of 4684	2428	todymdgvwmgb.exe	svchost.exe
PID 2428 wrote to memory of 4684	2428	todymdgvwmgb.exe	svchost.exe
PID 2428 wrote to memory of 4684	2428	todymdgvwmgb.exe	svchost.exe
PID 2428 wrote to memory of 4684	2428	todymdgvwmgb.exe	svchost.exe
PID 2428 wrote to memory of 4684	2428	todymdgvwmgb.exe	svchost.exe
PID 2428 wrote to memory of 4684	2428	todymdgvwmgb.exe	svchost.exe
PID 2428 wrote to memory of 4684	2428	todymdgvwmgb.exe	svchost.exe
PID 2428 wrote to memory of 4684	2428	todymdgvwmgb.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2280
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2480
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3516
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "PHSWJLZY"
  2⤵
  - Launches sc.exe
  PID:2008
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "PHSWJLZY" binpath= "C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:3492
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:4416
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "PHSWJLZY"
  2⤵
  - Launches sc.exe
  PID:4872

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3916
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:232
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:4756
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe

Filesize
4.8MB

MD5
d3aedf575ee244513fcb029f192b1e18

SHA1
01c5cde42c68aa11944bc713e01d8b70f1454de9

SHA256
adbea15a7cf55107deb7532ea80de4f999ab79f427ea366168fced373f0b4542

SHA512
2733dcdf9f03e1fa9ca90bf2d439d718f078254c582f497d9869ae5f1cd8a65040881d7b5b54ada520da105b4cbd1df4b17dddc37659a7ad72b3eb7c8d162ca5

Download Submit
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe

Filesize
4.4MB

MD5
d5e74379dbb2b8b1ecb062295acbe01f

SHA1
8bb109bff5ed0b9254d12cb8c9a34998fc92dd77

SHA256
e622fa3c9ced84da3fd17131438d8f6c357fa23858cbc44752e710d7a2d15c53

SHA512
a4cc4513f2ab1373e837383b29c4cf2a2dd546c8482302dff89ea5319f4beb1736c515a15ad48999b9269827d6f2a81137e4199dbe276270073520700f8d575a

Download Submit
memory/2280-0-0x00007FFA22B70000-0x00007FFA22B72000-memory.dmp

Filesize
8KB

Download
memory/2280-2-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2280-5-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2428-10-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2428-9-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2428-32-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/4684-23-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4684-28-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4684-42-0x0000020137DE0000-0x0000020137E00000-memory.dmp

Filesize
128KB

Download
memory/4684-41-0x0000020137DE0000-0x0000020137E00000-memory.dmp

Filesize
128KB

Download
memory/4684-20-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4684-40-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4684-21-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4684-22-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4684-39-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4684-24-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4684-25-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4684-26-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4684-27-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4684-38-0x0000020137DA0000-0x0000020137DE0000-memory.dmp

Filesize
256KB

Download
memory/4684-30-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4684-31-0x0000020137D30000-0x0000020137D50000-memory.dmp

Filesize
128KB

Download
memory/4684-37-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4684-33-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4684-34-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4684-35-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4684-36-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4756-12-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4756-14-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4756-13-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4756-19-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4756-15-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4756-16-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads