xmrig | 33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c

General

Target

SecuriteInfo.com.Trojan.Siggen27.16296.12545.31206.exe
Size

10.4MB
MD5

dff762abefd2ac634f87aacd920c8bdc
SHA1

b8ea30c9d631fbb4a1f57c2873ca8aeb64c93643
SHA256

33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c
SHA512

54db97efb4ffcec9bc4122a6e41029c3cd457b631ede685eb883d5884f5a7b90c465dc8ec2212e712af935481073a2b4eb5180431926f03febccb055d9585341
SSDEEP

196608:D2neZjvDa5N5o9LrIbQTsbHu7THe8FhG8ryPzB3SFyFYha:D3/AU9LrIdb+THVFg8uhSYFYha

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

resource	yara_rule
behavioral2/memory/1048-21-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1048-22-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1048-23-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1048-24-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1048-25-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1048-26-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1048-27-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1048-28-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1048-30-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1048-32-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1048-33-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1048-34-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1048-35-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1048-37-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1048-39-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1048-40-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
1196	todymdgvwmgb.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1196 set thread context of 5116	1196	todymdgvwmgb.exe	123
PID 1196 set thread context of 1048	1196	todymdgvwmgb.exe	128

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4176	sc.exe
2156	sc.exe
1348	sc.exe
2568	sc.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
804	SecuriteInfo.com.Trojan.Siggen27.16296.12545.31206.exe
804	SecuriteInfo.com.Trojan.Siggen27.16296.12545.31206.exe
804	SecuriteInfo.com.Trojan.Siggen27.16296.12545.31206.exe
804	SecuriteInfo.com.Trojan.Siggen27.16296.12545.31206.exe
804	SecuriteInfo.com.Trojan.Siggen27.16296.12545.31206.exe
804	SecuriteInfo.com.Trojan.Siggen27.16296.12545.31206.exe
804	SecuriteInfo.com.Trojan.Siggen27.16296.12545.31206.exe
804	SecuriteInfo.com.Trojan.Siggen27.16296.12545.31206.exe
804	SecuriteInfo.com.Trojan.Siggen27.16296.12545.31206.exe
804	SecuriteInfo.com.Trojan.Siggen27.16296.12545.31206.exe
1196	todymdgvwmgb.exe
1196	todymdgvwmgb.exe
1196	todymdgvwmgb.exe
1196	todymdgvwmgb.exe
1196	todymdgvwmgb.exe
1196	todymdgvwmgb.exe
1196	todymdgvwmgb.exe
1196	todymdgvwmgb.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3008	powercfg.exe
Token: SeCreatePagefilePrivilege	3008	powercfg.exe
Token: SeShutdownPrivilege	2296	powercfg.exe
Token: SeCreatePagefilePrivilege	2296	powercfg.exe
Token: SeShutdownPrivilege	1772	powercfg.exe
Token: SeCreatePagefilePrivilege	1772	powercfg.exe
Token: SeShutdownPrivilege	3532	powercfg.exe
Token: SeCreatePagefilePrivilege	3532	powercfg.exe
Token: SeShutdownPrivilege	4340	powercfg.exe
Token: SeCreatePagefilePrivilege	4340	powercfg.exe
Token: SeShutdownPrivilege	1632	powercfg.exe
Token: SeCreatePagefilePrivilege	1632	powercfg.exe
Token: SeShutdownPrivilege	4908	powercfg.exe
Token: SeCreatePagefilePrivilege	4908	powercfg.exe
Token: SeShutdownPrivilege	4964	powercfg.exe
Token: SeCreatePagefilePrivilege	4964	powercfg.exe
Token: SeLockMemoryPrivilege	1048	svchost.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 5116	1196	todymdgvwmgb.exe	123
PID 1196 wrote to memory of 5116	1196	todymdgvwmgb.exe	123
PID 1196 wrote to memory of 5116	1196	todymdgvwmgb.exe	123
PID 1196 wrote to memory of 5116	1196	todymdgvwmgb.exe	123
PID 1196 wrote to memory of 5116	1196	todymdgvwmgb.exe	123
PID 1196 wrote to memory of 5116	1196	todymdgvwmgb.exe	123
PID 1196 wrote to memory of 5116	1196	todymdgvwmgb.exe	123
PID 1196 wrote to memory of 5116	1196	todymdgvwmgb.exe	123
PID 1196 wrote to memory of 5116	1196	todymdgvwmgb.exe	123
PID 1196 wrote to memory of 1048	1196	todymdgvwmgb.exe	128
PID 1196 wrote to memory of 1048	1196	todymdgvwmgb.exe	128
PID 1196 wrote to memory of 1048	1196	todymdgvwmgb.exe	128
PID 1196 wrote to memory of 1048	1196	todymdgvwmgb.exe	128
PID 1196 wrote to memory of 1048	1196	todymdgvwmgb.exe	128
PID 1196 wrote to memory of 1048	1196	todymdgvwmgb.exe	128
PID 1196 wrote to memory of 1048	1196	todymdgvwmgb.exe	128
PID 1196 wrote to memory of 1048	1196	todymdgvwmgb.exe	128
PID 1196 wrote to memory of 1048	1196	todymdgvwmgb.exe	128
PID 1196 wrote to memory of 1048	1196	todymdgvwmgb.exe	128
PID 1196 wrote to memory of 1048	1196	todymdgvwmgb.exe	128
PID 1196 wrote to memory of 1048	1196	todymdgvwmgb.exe	128

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen27.16296.12545.31206.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen27.16296.12545.31206.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:804
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3008
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3532
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2296
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe delete "PHSWJLZY"
  2⤵
  - Launches sc.exe
  PID:4176
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe create "PHSWJLZY" binpath= "C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe" start= "auto"
  2⤵
  - Launches sc.exe
  PID:2156
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop eventlog
  2⤵
  - Launches sc.exe
  PID:1348
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe start "PHSWJLZY"
  2⤵
  - Launches sc.exe
  PID:2568

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4340
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1632
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4908
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4964
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:5116
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe

Filesize
10.4MB

MD5
dff762abefd2ac634f87aacd920c8bdc

SHA1
b8ea30c9d631fbb4a1f57c2873ca8aeb64c93643

SHA256
33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c

SHA512
54db97efb4ffcec9bc4122a6e41029c3cd457b631ede685eb883d5884f5a7b90c465dc8ec2212e712af935481073a2b4eb5180431926f03febccb055d9585341

Download Submit
memory/804-0-0x00007FFC7A4B0000-0x00007FFC7A4B2000-memory.dmp

Filesize
8KB

Download
memory/804-1-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/804-2-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/804-5-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/1048-32-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1048-27-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1048-42-0x00000259C80C0000-0x00000259C80E0000-memory.dmp

Filesize
128KB

Download
memory/1048-41-0x00000259C80C0000-0x00000259C80E0000-memory.dmp

Filesize
128KB

Download
memory/1048-40-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1048-39-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1048-38-0x00000259C80A0000-0x00000259C80C0000-memory.dmp

Filesize
128KB

Download
memory/1048-20-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1048-21-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1048-22-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1048-37-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1048-23-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1048-24-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1048-25-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1048-26-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1048-35-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1048-28-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1048-30-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1048-31-0x00000259C79D0000-0x00000259C79F0000-memory.dmp

Filesize
128KB

Download
memory/1048-34-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1048-33-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1196-9-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/1196-36-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/1196-10-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/5116-18-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5116-16-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5116-15-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5116-14-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5116-13-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5116-12-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing