xmrig | 33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c

General

Target

33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
Size

10.4MB
MD5

dff762abefd2ac634f87aacd920c8bdc
SHA1

b8ea30c9d631fbb4a1f57c2873ca8aeb64c93643
SHA256

33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c
SHA512

54db97efb4ffcec9bc4122a6e41029c3cd457b631ede685eb883d5884f5a7b90c465dc8ec2212e712af935481073a2b4eb5180431926f03febccb055d9585341
SSDEEP

196608:D2neZjvDa5N5o9LrIbQTsbHu7THe8FhG8ryPzB3SFyFYha:D3/AU9LrIdb+THVFg8uhSYFYha

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1404-35-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1404-36-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1404-37-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1404-38-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1404-39-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1404-40-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1404-41-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1404-42-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1404-44-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1404-47-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1404-50-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1404-48-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1404-51-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1404-52-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1404-53-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1404-54-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 2 IoCs

Processes:

todymdgvwmgb.exe

pid process

476
2436 todymdgvwmgb.exe
Loads dropped DLL 1 IoCs

Processes:

pid process

476

pid	process
476
2436	todymdgvwmgb.exe

pid	process
476

Suspicious use of SetThreadContext 2 IoCs

Processes:

todymdgvwmgb.exe

description	pid	process	target process
PID 2436 set thread context of 724	2436	todymdgvwmgb.exe	conhost.exe
PID 2436 set thread context of 1404	2436	todymdgvwmgb.exe	svchost.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2568 sc.exe
1512 sc.exe
2432 sc.exe
2460 sc.exe

pid	process
2568	sc.exe
1512	sc.exe
2432	sc.exe
2460	sc.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exetodymdgvwmgb.exe

pid	process
2584	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
2584	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
2584	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
2584	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
2584	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
2584	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
2584	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
2584	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
2584	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
2436	todymdgvwmgb.exe
2436	todymdgvwmgb.exe
2436	todymdgvwmgb.exe
2436	todymdgvwmgb.exe
2436	todymdgvwmgb.exe
2436	todymdgvwmgb.exe
2436	todymdgvwmgb.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

476

pid	process
476

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exe

description	pid	process
Token: SeShutdownPrivilege	2508	powercfg.exe
Token: SeShutdownPrivilege	2872	powercfg.exe
Token: SeShutdownPrivilege	2556	powercfg.exe
Token: SeShutdownPrivilege	2524	powercfg.exe
Token: SeShutdownPrivilege	1720	powercfg.exe
Token: SeShutdownPrivilege	656	powercfg.exe
Token: SeShutdownPrivilege	2384	powercfg.exe
Token: SeShutdownPrivilege	524	powercfg.exe
Token: SeLockMemoryPrivilege	1404	svchost.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

todymdgvwmgb.exe

description	pid	process	target process
PID 2436 wrote to memory of 724	2436	todymdgvwmgb.exe	conhost.exe
PID 2436 wrote to memory of 724	2436	todymdgvwmgb.exe	conhost.exe
PID 2436 wrote to memory of 724	2436	todymdgvwmgb.exe	conhost.exe
PID 2436 wrote to memory of 724	2436	todymdgvwmgb.exe	conhost.exe
PID 2436 wrote to memory of 724	2436	todymdgvwmgb.exe	conhost.exe
PID 2436 wrote to memory of 724	2436	todymdgvwmgb.exe	conhost.exe
PID 2436 wrote to memory of 724	2436	todymdgvwmgb.exe	conhost.exe
PID 2436 wrote to memory of 724	2436	todymdgvwmgb.exe	conhost.exe
PID 2436 wrote to memory of 724	2436	todymdgvwmgb.exe	conhost.exe
PID 2436 wrote to memory of 1404	2436	todymdgvwmgb.exe	svchost.exe
PID 2436 wrote to memory of 1404	2436	todymdgvwmgb.exe	svchost.exe
PID 2436 wrote to memory of 1404	2436	todymdgvwmgb.exe	svchost.exe
PID 2436 wrote to memory of 1404	2436	todymdgvwmgb.exe	svchost.exe
PID 2436 wrote to memory of 1404	2436	todymdgvwmgb.exe	svchost.exe
PID 2436 wrote to memory of 1404	2436	todymdgvwmgb.exe	svchost.exe
PID 2436 wrote to memory of 1404	2436	todymdgvwmgb.exe	svchost.exe
PID 2436 wrote to memory of 1404	2436	todymdgvwmgb.exe	svchost.exe
PID 2436 wrote to memory of 1404	2436	todymdgvwmgb.exe	svchost.exe
PID 2436 wrote to memory of 1404	2436	todymdgvwmgb.exe	svchost.exe
PID 2436 wrote to memory of 1404	2436	todymdgvwmgb.exe	svchost.exe
PID 2436 wrote to memory of 1404	2436	todymdgvwmgb.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
"C:\Users\Admin\AppData\Local\Temp\33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2584

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "PHSWJLZY"
2⤵
- Launches sc.exe
PID:1512

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "PHSWJLZY" binpath= "C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe" start= "auto"
2⤵
- Launches sc.exe
PID:2432

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
2⤵
- Launches sc.exe
PID:2568

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "PHSWJLZY"
2⤵
- Launches sc.exe
PID:2460

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2436

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2384

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:656

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:724

C:\Windows\system32\svchost.exe
svchost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1404

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
2.3MB

MD5
b26d320801d3853cf7d63f8039194047

SHA1
49722d5601e2b70f1eca85c3415b17e7841d9aca

SHA256
e50b80bb84ec8433e810b141585a2e64521bc40920634a79008da426809d0e82

SHA512
a7f21752325ba8c6b13d4767f5876f3137c7ba6a2771a86360cff4a94a016a70040cd12701c1f7af0ae8f1bbc170c8cf9d590afe1d62a297758581feee7b196d

Download Submit
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
1.4MB

MD5
1660ce26a513c9efebd9112c45a00294

SHA1
d758ea8f5fb68a2418bb7cb2ec8e187668969554

SHA256
2c0cfe38853c68e468e022f7b8c44878df767022c16e61ffc271ffda1b91d45d

SHA512
38dcc684f6a5e14edb6d03e31a10f47994029256daae87eb525dffbfe602a0562f11b96334c45d1043add812e80757f7e19011777e56f5e20b84cd5956336ed9

Download Submit
\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
2.6MB

MD5
60a72704c77c460b02d6d3472c1507c0

SHA1
ebef7fb70a4e07033771bf229a8eefbf71e3b69c

SHA256
ad09aab7ef71ef5ae16ca9c05914d8ea7dccea6fa99f11bbc5e1ce80b691f888

SHA512
51b1cf8ec51bdb2bb7197aa58d209f1eb8a93e271702c2f4d0b55edf1063a45034b6ecba4618aa9a4a73dafa6057a57608968c6e78f487f7bfcba7045fdf7bce

Download Submit
\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
2.4MB

MD5
98aa0232be843565b0116094eb3a92e0

SHA1
309a1237509443e706d18e2657efffd859900422

SHA256
16425873d5e5c67d91c0fd54635ee96ca2cec635ef67935a9958b787afbd15ba

SHA512
57d0de7bd379a5630873a7976e91c66017e145c2dfee5a9f056542a1efc54b703c57cc20ac645abe3e55c586df3f38f028ca4045e4cb683cd9243bff36198e9c

Download Submit
memory/724-27-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/724-32-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/724-30-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/724-29-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/724-28-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/724-26-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1404-44-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1404-47-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1404-56-0x0000000000290000-0x00000000002B0000-memory.dmp

Filesize
128KB

Download
memory/1404-55-0x0000000000290000-0x00000000002B0000-memory.dmp

Filesize
128KB

Download
memory/1404-54-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1404-53-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1404-52-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1404-51-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1404-48-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1404-50-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1404-34-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1404-35-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1404-36-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1404-37-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1404-38-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1404-39-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1404-40-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1404-41-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1404-42-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1404-46-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/2436-45-0x0000000077C20000-0x0000000077DC9000-memory.dmp

Filesize
1.7MB

Download
memory/2436-20-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2436-49-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2436-25-0x0000000077C20000-0x0000000077DC9000-memory.dmp

Filesize
1.7MB

Download
memory/2436-23-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2584-0-0x0000000077DD0000-0x0000000077DD2000-memory.dmp

Filesize
8KB

Download
memory/2584-2-0x0000000077DD0000-0x0000000077DD2000-memory.dmp

Filesize
8KB

Download
memory/2584-5-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2584-7-0x0000000077C20000-0x0000000077DC9000-memory.dmp

Filesize
1.7MB

Download
memory/2584-4-0x0000000077DD0000-0x0000000077DD2000-memory.dmp

Filesize
8KB

Download
memory/2584-14-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2584-15-0x0000000077C20000-0x0000000077DC9000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads