xmrig | 33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c

General

Target

33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
Size

10.4MB
MD5

dff762abefd2ac634f87aacd920c8bdc
SHA1

b8ea30c9d631fbb4a1f57c2873ca8aeb64c93643
SHA256

33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c
SHA512

54db97efb4ffcec9bc4122a6e41029c3cd457b631ede685eb883d5884f5a7b90c465dc8ec2212e712af935481073a2b4eb5180431926f03febccb055d9585341
SSDEEP

196608:D2neZjvDa5N5o9LrIbQTsbHu7THe8FhG8ryPzB3SFyFYha:D3/AU9LrIdb+THVFg8uhSYFYha

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4288-21-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4288-22-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4288-23-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4288-24-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4288-25-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4288-26-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4288-27-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4288-28-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4288-30-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4288-33-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4288-34-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4288-35-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4288-36-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4288-37-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4288-39-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/4288-40-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 1 IoCs

Processes:

todymdgvwmgb.exe

pid process

2096 todymdgvwmgb.exe

pid	process
2096	todymdgvwmgb.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

todymdgvwmgb.exe

description	pid	process	target process
PID 2096 set thread context of 1432	2096	todymdgvwmgb.exe	conhost.exe
PID 2096 set thread context of 4288	2096	todymdgvwmgb.exe	svchost.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

3152 sc.exe
4648 sc.exe
3716 sc.exe
5052 sc.exe

pid	process
3152	sc.exe
4648	sc.exe
3716	sc.exe
5052	sc.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exetodymdgvwmgb.exe

pid	process
2836	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
2836	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
2836	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
2836	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
2836	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
2836	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
2836	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
2836	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
2836	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
2836	33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
2096	todymdgvwmgb.exe
2096	todymdgvwmgb.exe
2096	todymdgvwmgb.exe
2096	todymdgvwmgb.exe
2096	todymdgvwmgb.exe
2096	todymdgvwmgb.exe
2096	todymdgvwmgb.exe
2096	todymdgvwmgb.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exe

description	pid	process
Token: SeShutdownPrivilege	1260	powercfg.exe
Token: SeCreatePagefilePrivilege	1260	powercfg.exe
Token: SeShutdownPrivilege	780	powercfg.exe
Token: SeCreatePagefilePrivilege	780	powercfg.exe
Token: SeShutdownPrivilege	5104	powercfg.exe
Token: SeCreatePagefilePrivilege	5104	powercfg.exe
Token: SeShutdownPrivilege	2420	powercfg.exe
Token: SeCreatePagefilePrivilege	2420	powercfg.exe
Token: SeShutdownPrivilege	452	powercfg.exe
Token: SeCreatePagefilePrivilege	452	powercfg.exe
Token: SeShutdownPrivilege	3496	powercfg.exe
Token: SeCreatePagefilePrivilege	3496	powercfg.exe
Token: SeShutdownPrivilege	2976	powercfg.exe
Token: SeCreatePagefilePrivilege	2976	powercfg.exe
Token: SeShutdownPrivilege	3080	powercfg.exe
Token: SeCreatePagefilePrivilege	3080	powercfg.exe
Token: SeLockMemoryPrivilege	4288	svchost.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

todymdgvwmgb.exe

description	pid	process	target process
PID 2096 wrote to memory of 1432	2096	todymdgvwmgb.exe	conhost.exe
PID 2096 wrote to memory of 1432	2096	todymdgvwmgb.exe	conhost.exe
PID 2096 wrote to memory of 1432	2096	todymdgvwmgb.exe	conhost.exe
PID 2096 wrote to memory of 1432	2096	todymdgvwmgb.exe	conhost.exe
PID 2096 wrote to memory of 1432	2096	todymdgvwmgb.exe	conhost.exe
PID 2096 wrote to memory of 1432	2096	todymdgvwmgb.exe	conhost.exe
PID 2096 wrote to memory of 1432	2096	todymdgvwmgb.exe	conhost.exe
PID 2096 wrote to memory of 1432	2096	todymdgvwmgb.exe	conhost.exe
PID 2096 wrote to memory of 1432	2096	todymdgvwmgb.exe	conhost.exe
PID 2096 wrote to memory of 4288	2096	todymdgvwmgb.exe	svchost.exe
PID 2096 wrote to memory of 4288	2096	todymdgvwmgb.exe	svchost.exe
PID 2096 wrote to memory of 4288	2096	todymdgvwmgb.exe	svchost.exe
PID 2096 wrote to memory of 4288	2096	todymdgvwmgb.exe	svchost.exe
PID 2096 wrote to memory of 4288	2096	todymdgvwmgb.exe	svchost.exe
PID 2096 wrote to memory of 4288	2096	todymdgvwmgb.exe	svchost.exe
PID 2096 wrote to memory of 4288	2096	todymdgvwmgb.exe	svchost.exe
PID 2096 wrote to memory of 4288	2096	todymdgvwmgb.exe	svchost.exe
PID 2096 wrote to memory of 4288	2096	todymdgvwmgb.exe	svchost.exe
PID 2096 wrote to memory of 4288	2096	todymdgvwmgb.exe	svchost.exe
PID 2096 wrote to memory of 4288	2096	todymdgvwmgb.exe	svchost.exe
PID 2096 wrote to memory of 4288	2096	todymdgvwmgb.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe
"C:\Users\Admin\AppData\Local\Temp\33136dd64b2b82f5f35d250c41060e70eb9c0028cc9e93f61b4e1d32f0163c3c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2836

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:780

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "PHSWJLZY"
2⤵
- Launches sc.exe
PID:3716

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "PHSWJLZY" binpath= "C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe" start= "auto"
2⤵
- Launches sc.exe
PID:5052

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
2⤵
- Launches sc.exe
PID:4648

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "PHSWJLZY"
2⤵
- Launches sc.exe
PID:3152

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3080

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3496

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:1432

C:\Windows\system32\svchost.exe
svchost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4288

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
4.7MB

MD5
22155c49baf7b6aa795b0c4edff82145

SHA1
fc5438a78bb68f3b8d816361c829620cc9590e7c

SHA256
48edccec43cd0a71835fce04d6cae1dfe253f0469ec1f615abb95d9329e6d658

SHA512
a43614d3c6c56f4159205fa8014b83da5ce785b07d8da4a9755077d6cba0b962ea1bab37f1e91a6d7fdc479f31853e39b1fafc13f7881c3bb07afde3df6bf8d2

Download Submit
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
Filesize
5.5MB

MD5
6341fb707d7f9fab0d7e35ffbab13e4e

SHA1
8ad6f52f94082dca30731eff2dec75d1e3808d26

SHA256
13b4bb3ff2b4b86238085e287f4d3dfe5e2ceb9e7ba8857f560f6d02980b5994

SHA512
a8ab900e4a68b8008e0d15f6020899fcc0bf9779a40d83c388300ab1ee12c50bed6b064860a73d68dbdf5e59f04c8b9ed427a6eef44c01492221f4cb8a49aaa8

Download Submit
memory/1432-12-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1432-19-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1432-16-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1432-15-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1432-13-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1432-14-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2096-9-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2096-10-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2096-32-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2836-0-0x00007FFA6BC30000-0x00007FFA6BC32000-memory.dmp

Filesize
8KB

Download
memory/2836-5-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2836-2-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2836-1-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/4288-24-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4288-33-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4288-23-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4288-21-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4288-25-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4288-26-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4288-27-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4288-28-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4288-30-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4288-31-0x000002547FB90000-0x000002547FBB0000-memory.dmp

Filesize
128KB

Download
memory/4288-20-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4288-22-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4288-34-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4288-35-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4288-36-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4288-37-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4288-38-0x00000254002A0000-0x00000254002C0000-memory.dmp

Filesize
128KB

Download
memory/4288-39-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4288-40-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/4288-41-0x00000254002C0000-0x00000254002E0000-memory.dmp

Filesize
128KB

Download
memory/4288-42-0x00000254002C0000-0x00000254002E0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads